Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats. The Cybersecurity Capability Maturity Model (C2M2) can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience.
The C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and the environments in which they operate. The model can be used to:
A self-evaluation using the C2M2 can be completed by most organizations in one day, but the model could also be adapted for a more rigorous self-evaluation effort. The C2M2 is designed to guide the development of a new cybersecurity program or for use with a self-evaluation methodology to enable an organization to measure and improve an existing cybersecurity program.
The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so it can be interpreted by organizations of various types, structures, sizes, and industries.
The C2M2 enables organizations to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity investments. The model can be used by any organization, regardless of ownership, structure, size, or industry. Within an organization, various stakeholders may benefit from familiarity with the model. This document specifically targets people in the following organizational roles:
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline.
A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods, and set goals and priorities for improvement. Also, when a model is widely used in a particular industry, and self-evaluation results are anonymized and shared, organizations can benchmark their performance against their sector partners. An industry can determine how well it is performing overall by examining the capability of its member organizations.
Users of C2M2 Version 2.1 may download a standalone PDF version of the tool or use an online (HTML-based) version that offers enhanced usability and data analytics. The PDF- and HTML-based tools are fully interoperable. Self-evaluation data can be saved and loaded into either tool. In other words, you can save a self-evaluation performed using the PDF-based tool and upload it into the HTML-based tool and vice versa.
The security and privacy of user data were a requirement established by C2M2 users at the onset of the development of the original version of the C2M2, and that requirement has been a fundamental tenet of the model in all its versions, including the C2M2’s online tools. Data input into the C2M2 online tools are never communicated to the C2M2 webserver; instead, instructions from the tool direct the user’s computer to process and store whatever data the user has input. Similarly, instructions from the C2M2 tool are used to generate and store model output on the user’s computer; model results are never communicated to the webserver. The time required to generate an output report will vary from user to user because processing is performed on the user’s computer. Those with faster computers can generate an output report in a few seconds; those with slower computers may require several tens of seconds to generate their output report. Again, user input data and model output are unavailable to C2M2 developers, the C2M2 website’s operators, or the U.S. Department of Energy.
C2M2 Version 2.1 aligns with recent strategic guidance to strengthen and improve the nation’s cybersecurity posture and capabilities and to reinforce the need for action towards systematic security and resilience. C2M2 Version 2.1 incorporates other enhancements to better align model domains and practices with internationally recognized cybersecurity standards and best practices, including the NIST Cybersecurity Framework Version 1.1 released in April 2018.
C2M2 Version 2.1 builds upon initial development activities and is enhanced through the following approach:
The model is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The domains in the C2M2 are:
The practices within a domain are grouped by objective—target achievements that support the domain. Within each objective, the practices are ordered by maturity indicator level (MIL). This is illustrated in Figure 1.
For each domain, the model provides a purpose statement, which is a high-level summary of the intent of the domain, followed by introductory notes providing more context and introducing the practices. An example scenario is included in a sidebar. The purpose statement, introductory notes, and example are provided to help interpret the practices in the domain.
The purpose statement for each of the 10 domains follows in the order in which the domains appear in the model. Next to each of the domain names, a short name is provided that is used throughout the model.
Asset, Change, and Configuration Management (ASSET)
Manage the organization’s IT and OT assets, including both hardware and software, and information assets commensurate with the risk to critical infrastructure and organizational objectives.
Threat and Vulnerability Management (THREAT)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (such as critical, IT, and operational) and organizational objectives.
Risk Management (RISK)
Establish, operate, and maintain an enterprise cyber risk management program to identify, analyze, and respond to cyber risk the organization is subject to, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.
Identity and Access Management (ACCESS)
Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.
Situational Awareness (SITUATION)
Establish and maintain activities and technologies to collect, monitor, analyze, alarm, report, and use operational, security, and threat information, including status and summary information from the other model domains, to establish situational awareness for both the organization’s operational state and cybersecurity state.
Event and Incident Response, Continuity of Operations (RESPONSE)
Establish and maintain plans, procedures, and technologies to detect, analyze, mitigate, respond to, and recover from cybersecurity events and incidents and to sustain operations during cybersecurity incidents, commensurate with the risk to critical infrastructure and organizational objectives.
Third-Party Risk Management (THIRD-PARTIES)
Establish and maintain controls to manage the cyber risks arising from suppliers and other third parties, commensurate with the risk to critical infrastructure and organizational objectives.
Workforce Management (WORKFORCE)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.
Cybersecurity Architecture (ARCHITECTURE)
Establish and maintain the structure and behavior of the organization’s cybersecurity architecture, including controls, processes, technologies, and other elements, commensurate with the risk to critical infrastructure and organizational objectives.
Cybersecurity Program Management (PROGRAM)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with both the organization’s strategic objectives and the risk to critical infrastructure.
Each domain has two or more objectives. Within each objective, a series of practices is defined, each at a single MIL. The model defines four MILs (MIL0 through MIL3) that define a dual progression of maturity: an approach progression and a management progression.
The maturity indicator levels apply independently to each domain. As a result, an organization using the model may be operating at different MIL ratings in different domains. MILs are cumulative within each domain. To earn a MIL in a given domain, an organization must perform all of the practices in that level and its predecessor levels. For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization must perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3. Establishing a target MIL for each domain is an effective strategy for using the model to guide cybersecurity program improvement.
All the practices defined at a given maturity level, and at all lower maturity levels, must be largely or fully implemented for the entity to achieve that maturity level for the given objective. All the objectives in the domain must achieve a given maturity level for the domain to achieve that maturity level.
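The cumulative MIL rules above (a level counts only if every practice at that level and all lower levels is largely or fully implemented; an objective's MIL is the highest such level; a domain's MIL is the lowest of its objectives' MILs) can be written out as a small scoring routine. The following Python is an added example, not code from the C2M2 tool or from the U.S. Department of Energy. The practice identifiers, objective names and responses in the sample are constructed, and one rule is an assumption the page does not state: a level at which an objective defines no practices of its own is treated as achieved once all lower levels are.

```python
from dataclasses import dataclass
from typing import Dict, List

# Four-point response scale used when answering each practice. The page sets the
# bar for achievement at "largely or fully implemented" and names "partially" and
# "not implemented" as the states that fall short.
NOT_IMPLEMENTED = "Not Implemented"
PARTIALLY_IMPLEMENTED = "Partially Implemented"
LARGELY_IMPLEMENTED = "Largely Implemented"
FULLY_IMPLEMENTED = "Fully Implemented"
ACHIEVING = {LARGELY_IMPLEMENTED, FULLY_IMPLEMENTED}
MAX_MIL = 3


@dataclass(frozen=True)
class Practice:
    practice_id: str   # constructed identifier, e.g. "D-1a"
    mil: int           # the single MIL (1..3) at which the practice is defined
    response: str      # one of the four response values above


def objective_mil(practices: List[Practice]) -> int:
    """Highest MIL achieved by one objective (0 if MIL1 is not achieved).

    MILs are cumulative: MIL n is achieved only if every practice defined at
    MIL 1..n is largely or fully implemented. Assumption (not stated on the
    page): a level with no practices of its own is achieved once all lower
    levels are, so a failure at MIL2 still blocks MIL3 even if every MIL3
    practice is fully implemented.
    """
    if not practices:
        return 0
    achieved = 0
    for level in range(1, MAX_MIL + 1):
        at_level = [p for p in practices if p.mil == level]
        if all(p.response in ACHIEVING for p in at_level):
            achieved = level
        else:
            break  # cumulative rule: stop at the first level not achieved
    return achieved


def domain_mil(objectives: Dict[str, List[Practice]]) -> int:
    """A domain achieves a MIL only if every objective in it does,
    so the domain MIL is the minimum over its objectives."""
    if not objectives:
        return 0
    return min(objective_mil(ps) for ps in objectives.values())


def shortfalls(objectives: Dict[str, List[Practice]], target: int) -> List[Practice]:
    """Practices at or below the target MIL that are only partially or not
    implemented: the gaps an organization must close to reach the target."""
    return [p for ps in objectives.values() for p in ps
            if p.mil <= target and p.response not in ACHIEVING]


# Constructed sample: one domain with three objectives.
SAMPLE_DOMAIN = {
    "Objective 1": [
        Practice("D-1a", 1, FULLY_IMPLEMENTED),
        Practice("D-1b", 2, LARGELY_IMPLEMENTED),
        Practice("D-1c", 2, FULLY_IMPLEMENTED),
        Practice("D-1d", 3, PARTIALLY_IMPLEMENTED),   # blocks MIL3
    ],
    "Objective 2": [
        Practice("D-2a", 1, FULLY_IMPLEMENTED),
        Practice("D-2b", 2, PARTIALLY_IMPLEMENTED),   # blocks MIL2 and MIL3
        Practice("D-2c", 3, FULLY_IMPLEMENTED),       # does not count: MIL2 gap
    ],
    "Management Activities": [                        # no MIL1 practices here
        Practice("D-3a", 2, LARGELY_IMPLEMENTED),
        Practice("D-3b", 3, FULLY_IMPLEMENTED),
    ],
}

if __name__ == "__main__":
    for name, practices in SAMPLE_DOMAIN.items():
        print(f"{name}: MIL{objective_mil(practices)}")
    print(f"Domain: MIL{domain_mil(SAMPLE_DOMAIN)}")
    for p in shortfalls(SAMPLE_DOMAIN, target=3):
        print(f"  gap at MIL{p.mil}: {p.practice_id} is {p.response}")
```

Run as a script, the sample scores Objective 1 at MIL2, Objective 2 at MIL1 (its fully implemented MIL3 practice does not help while a MIL2 practice is only partially implemented), and Management Activities at MIL3, so the domain as a whole is MIL1. Setting a target MIL per domain and listing the shortfalls below it is the improvement strategy the text recommends.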
A printable C2M2 self-evaluation report may be generated by the tool following completion of a self-evaluation.
The self-evaluation report begins with a detailed introduction of the C2M2. That is followed by information about the model architecture, a summary of self-evaluation results, detailed self-evaluation results, practical guidance on using the self-evaluation results, a table presenting all of the self-evaluation notes, and a summary of partially and not implemented practices. The following figures present examples of the MIL Achievement by Domain, Practice Implementation by Domain, and detailed evaluation results.