Standard : Platform services enforce safe defaults (e.g. identity, encryption, alerting)
Purpose and Strategic Importance
This standard ensures that platform services and infrastructure components come with built-in, opinionated defaults for identity, security, observability, and compliance. By embedding safe defaults into the platform, engineering teams can move quickly without compromising on essential safeguards.
It directly supports the policy “Prioritise Safety Before Productivity” by preventing unsafe configurations from entering production and reducing the cognitive load on developers to secure every component manually. Without this standard, teams risk inconsistent practices, fragile configurations, and security or reliability vulnerabilities.
Strategic Impact
- Reduces risk of misconfiguration through consistent, proven defaults
- Enables secure and compliant delivery by default across teams
- Accelerates adoption of best practices without the need for deep expertise
- Promotes consistency and predictability in service behaviour
- Frees developers to focus on business logic, not plumbing and controls
Risks of Not Having This Standard
- Insecure or non-compliant configurations make it to production unnoticed
- Inconsistent behaviours across teams or environments cause reliability issues
- Teams spend excess time building solutions that should be provided as platform capabilities
- Compliance and security reviews become manual and reactive
- Trust in platform reliability and maturity is diminished
CMMI Maturity Model
Level 1 – Initial
| Category |
Description |
| People & Culture |
- Platform is optional or ad hoc, with little trust or shared usage.
- Teams implement controls manually. |
| Process & Governance |
- No standardised defaults or enforcement exists for identity, logging, or security. |
| Technology & Tools |
- Each team selects its own tools and settings for basic platform needs. |
| Measurement & Metrics |
- No visibility into how many services use safe configurations. |
Level 2 – Managed
| Category |
Description |
| People & Culture |
- Platform services are starting to be adopted, but customisation is common. |
| Process & Governance |
- Some controls (e.g. TLS, role-based access) are enforced through templates or scripts. |
| Technology & Tools |
- Basic scaffolds or examples are available, but teams must tailor and integrate them. |
| Measurement & Metrics |
- Adoption of platform tools is tracked but not enforced. |
Level 3 – Defined
| Category |
Description |
| People & Culture |
- Teams expect the platform to provide guardrails and trust its defaults. |
| Process & Governance |
- Safe defaults are defined, documented, and applied consistently to new services. |
| Technology & Tools |
- Platform scaffolding, templates, and golden paths are used by default. |
| Measurement & Metrics |
- Adoption of defaults and variance from golden paths are measured and reviewed. |
Level 4 – Quantitatively Managed
| Category |
Description |
| People & Culture |
- Teams participate in shaping platform defaults based on real-world experience and improvement data. |
| Process & Governance |
- Deviation from defaults requires justification and approval. |
| Technology & Tools |
- Automated enforcement of defaults via policy-as-code and continuous compliance checks. |
| Measurement & Metrics |
- Metrics track the impact of defaults on incidents, vulnerabilities, and service health. |
Level 5 – Optimising
| Category |
Description |
| People & Culture |
- Platform services evolve based on feedback, usage trends, and emerging risks. |
| Process & Governance |
- Defaults are continuously refined and versioned for transparency and control. |
| Technology & Tools |
- Defaults are embedded in self-service workflows, CI/CD pipelines, and runtime environments. |
| Measurement & Metrics |
- Continuous improvement loops close the gap between platform design and team adoption outcomes. |
Key Measures
- Percentage of services using platform golden paths and scaffolds
- Number of policy violations caught and remediated via platform controls
- Time saved per team due to pre-built defaults and automation
- Reduction in misconfigured deployments due to enforced standards
- Number of incidents or vulnerabilities prevented by platform defaults
- Adoption rate of platform services across engineering teams