The Systems Security Engineering Capability Maturity Model (SSE-CMM) is a tool for appraising and improving an organization's security engineering practices, and for augmenting existing assurance methods. The SSE-CMM was developed through a government-industry collaboration involving the nation's leading providers of security systems, products, and services. It does not specify how a particular process should be performed, but identifies practices generally accepted by industry. The SSE-CMM can also be used to examine the practice of security engineering within the context of systems engineering. This paper describes the principles upon which the SSE-CMM is based, the structure of the model, and its use in appraisals. Issues in model development, application, and adoption are presented.