SAMM Scoring: Percentage to Target and Percent to Date Metrics
SAMM Scoring: Percentage to Target and Percent to Date Metrics Introduction: the “not applicable” answer A common question among SAMM users is whether specific activities, streams, or entire practices can be marked as not applicable. This seems reasonable—some security activities might not fit an organization’s current reality. For example, the Supplier Security stream focuses on supply-chain risks in outsourced development. If your organization doesn’t outsource, it might seem irrelevant. The SAMM core team acknowledges this, but emphasizes future readiness.