What CAMP is

CAMP stands for Capability And Maturity Prioritization. It is the baseline assessment model that organizes your program and feeds every score Forest produces.

The 12 domains

CAMP groups capabilities into 12 domains so coverage is easy to see across the whole program:

• Identity & Access Management

• Endpoint & Device Security

• Network Security

• Cloud Security

• Application Security

• Data Protection

• Compliance & Risk

• Security Operations

• Asset & Configuration Management

• AI/ML Security

• Third-Party & Supply Chain Security

• Physical & Environmental Security

Maturity and criticality

Each capability gets a maturity score from 0 to 5, from None up to Optimized. You also set a target maturity, the level you intend to reach. For the full scale, see Understanding maturity levels.

Criticality rates how important a capability is to your organization:

• 1, nice-to-have

• 2, core

• 3, compliance-required

How priority is calculated

Priority comes from a simple formula:

Priority = (target maturity − current maturity) × criticality

A wide gap on a compliance-required capability rises to the top. A small gap on a nice-to-have stays low. Because the math is fixed, two people assessing the same inputs reach the same priorities.

CAMP keeps attention on what is both weak and important, not just whatever is loudest in the moment.

With the model understood, move on to Completing your first baseline.