This paper presents a formal model for continuous evidence-based cybersecurity maturity assessment. We introduce three novel mechanisms—temporal freshness decay, temporal spread classification, and dual-evidence attestation gates—that compose into a scoring function addressing evidence staleness, the existence-vs-effectiveness distinction, and the attestation-vs-evidence convergence problem in existing maturity models (CMMI, CMMC, NIST CSF, C2M2). The model has been implemented and deployed in a production SaaS platform. We prove three properties: scores degrade naturally without new evidence, batch evidence submission cannot game the system, and neither attestation nor automated evidence alone achieves full implementation status.
Yolonda Smith (Sat,) studied this question.