US DOE: Cybersecurity, Energy Security, and Emergency Response
Pacific Northwest National Laboratory
Welcome to Version 2.1! Note: The Version 2.0 HTML-Based Tool is still offered as an option on the Tools menu to support full access to existing self-evaluations generated using Version 2.0.

About

Introduction

Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats. The Cybersecurity Capability Maturity Model (C2M2) can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience.

The C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and the environments in which they operate. The model can be used to:

  • Strengthen organizations’ cybersecurity capabilities
  • Enable organizations to effectively and consistently evaluate and benchmark their cybersecurity capabilities
  • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
  • Enable organizations to prioritize actions and investments to improve cybersecurity capabilities

A self-evaluation using the C2M2 can be completed by most organizations in one day, but the model could also be adapted for a more rigorous self-evaluation effort. The C2M2 is designed to guide the development of a new cybersecurity program or for use with a self-evaluation methodology to enable an organization to measure and improve an existing cybersecurity program.

The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so it can be interpreted by organizations of various types, structures, sizes, and industries.

Intended Audience

The C2M2 enables organizations to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity investments. The model can be used by any organization, regardless of ownership, structure, size, or industry. Within an organization, various stakeholders may benefit from familiarity with the model. This document specifically targets people in the following organizational roles:

  • Decision makers (executives) who control the allocation of resources and the management of risk in organizations; these are typically senior leaders
  • Leaders with responsibility for managing organizational resources and operations associated with the domains of this model. This may include facility managers, program managers, project managers, and system owners
  • Practitioners with responsibility for supporting the organization in the use of this model or its results (planning and managing changes in the organization based on the model). This may include, but is not limited to, system operators, IT personnel, and cybersecurity specialists.
  • Facilitators with responsibility for leading a self-evaluation of the organization based on this model and the associated tools and analyzing the self-evaluation results.

Maturity Models

A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline.

A maturity model thus provides a benchmark against which an organization can evaluate the current level of capability of its practices, processes, and methods, and set goals and priorities for improvement. Also, when a model is widely used in a particular industry, and self-evaluation results are anonymized and shared, organizations can benchmark their performance against their sector partners. An industry can determine how well it is performing overall by examining the capability of its member organizations.

Security, Privacy, and Interoperability

Users of C2M2 Version 2.1 may download a standalone PDF version of the tool or use an online (HTML-based) version that offers enhanced usability and data analytics. The PDF- and HTML-based tools are fully interoperable. Self-evaluation data can be saved and loaded into either tool. In other words, you can save a self-evaluation performed using the PDF-based tool and upload it into the HTML-based tool and vice versa.

The security and privacy of user data was a requirement established by C2M2 users at the onset of the development of the original version of the C2M2, and that requirement has been a fundamental tenet of the model in all its versions, including the C2M2’s online tools. Data input into C2M2 online tools is never communicated to the C2M2 webserver; instead, instructions from the tool direct the user’s computer to process and store whatever data the user has input. Similarly, instructions from the C2M2 are used to generate and store model output on the user’s computer; model results are never communicated to the webserver. The time required to generate an output report will vary from user to user because processing is performed on the user’s computer. Those with faster computers can generate an output report in a few seconds; those with slower computers may require several tens of seconds to generate their output report. Again, user input data and model output are unavailable to C2M2 developers, the C2M2 website’s operators, or the U.S. Department of Energy.

Model Background and Development Approach

C2M2 Version 2.1 aligns with recent strategic guidance to strengthen and improve the nation’s cybersecurity posture and capabilities and to reinforce the need for action towards systematic security and resilience. C2M2 Version 2.1 incorporates other enhancements to better align model domains and practices with internationally recognized cybersecurity standards and best practices, including the NIST Cybersecurity Framework Version 1.1 released in April 2018.

C2M2 Version 2.1 builds upon initial development activities and is enhanced through the following approach:

  • Public–private partnership: Numerous government and industry partners participated in the development of this version, bringing a broad range of knowledge, skills, and experience to the team. The initial version of the model was developed collaboratively with an industry advisory group through a series of working sessions, and the new version was revised based on feedback from more than 60 industry experts.
  • Best practices and sector alignment: The model builds upon and ties together a number of existing cybersecurity resources and initiatives and was informed by a review of emerging cyber threats to the energy sector. Leveraging related works helped to ensure that the model would be relevant and beneficial to the sector.
  • Descriptive, not prescriptive: This model was developed to provide descriptive, not prescriptive, guidance to help organizations develop and improve their cybersecurity capabilities. As a result, model practices tend to be abstract so that they can be interpreted for organizations of various structures, functions, and sizes.

Structure of the C2M2

The model is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The domains in the C2M2 are:

  • Asset, Change, and Configuration Management (ASSET)
  • Threat and Vulnerability Management (THREAT)
  • Risk Management (RISK)
  • Identity and Access Management (ACCESS)
  • Situational Awareness (SITUATION)
  • Event and Incident Response, Continuity of Operations (RESPONSE)
  • Third-Party Risk Management (THIRD-PARTIES)
  • Workforce Management (WORKFORCE)
  • Cybersecurity Architecture (ARCHITECTURE)
  • Cybersecurity Program Management (PROGRAM)

The practices within a domain are grouped by objective—target achievements that support the domain. Within each objective, the practices are ordered by maturity indicator level (MIL). This is illustrated in Figure 1.

[Figure 1: Model and Domain Elements. A graphic representation of the Model, Domain, and Objective hierarchy and the associated Maturity Indicator Levels. The Model contains 10 domains. Each domain contains one or more Approach Objectives, unique to that domain, each supported by a progression of practices (at MIL1, MIL2, and MIL3) that are unique to the domain. Each domain also contains one Management Objective, similar in each domain, supported by a progression of practices (at MIL2 and MIL3) that are similar in each domain and describe institutionalization activities.]
Figure 1: The structure of the C2M2

For each domain, the model provides a purpose statement, which is a high-level summary of the intent of the domain, followed by introductory notes providing more context and introducing the practices. An example scenario is included in a sidebar. The purpose statement, introductory notes, and example are provided to help interpret the practices in the domain.

The purpose statement for each of the 10 domains follows in the order in which the domains appear in the model. Next to each of the domain names, a short name is provided that is used throughout the model.

Asset, Change, and Configuration Management (ASSET)
Manage the organization’s IT and OT assets, including both hardware and software, and information assets commensurate with the risk to critical infrastructure and organizational objectives.

Threat and Vulnerability Management (THREAT)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (such as critical, IT, and operational) and organizational objectives.

Risk Management (RISK)
Establish, operate, and maintain an enterprise cyber risk management program to identify, analyze, and respond to cyber risk the organization is subject to, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.

Identity and Access Management (ACCESS)
Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

Situational Awareness (SITUATION)
Establish and maintain activities and technologies to collect, monitor, analyze, alarm, report, and use operational, security, and threat information, including status and summary information from the other model domains, to establish situational awareness for both the organization’s operational state and cybersecurity state.

Event and Incident Response, Continuity of Operations (RESPONSE)
Establish and maintain plans, procedures, and technologies to detect, analyze, mitigate, respond to, and recover from cybersecurity events and incidents and to sustain operations during cybersecurity incidents, commensurate with the risk to critical infrastructure and organizational objectives.

Third-Party Risk Management (THIRD-PARTIES)
Establish and maintain controls to manage the cyber risks arising from suppliers and other third parties, commensurate with the risk to critical infrastructure and organizational objectives.

Workforce Management (WORKFORCE)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Architecture (ARCHITECTURE)
Establish and maintain the structure and behavior of the organization’s cybersecurity architecture, including controls, processes, technologies, and other elements, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management (PROGRAM)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with both the organization’s strategic objectives and the risk to critical infrastructure.

Each domain has two or more objectives. Within each objective, a series of practices is defined, each practice at a single MIL. The model defines four MILs (MIL0 through MIL3) that together describe a dual progression of maturity: an approach progression and a management progression.

  • MIL1: Initial practices are performed but may be ad hoc
  • MIL2: Management characteristics:
      • Practices are documented
      • Adequate resources are provided to support the process
    • Approach characteristic:
      • Practices are more complete or advanced than at MIL1
  • MIL3: Management characteristics:
      • Activities are guided by policies (or other organizational directives)
      • Responsibility, accountability, and authority for performing the practices are assigned
      • Personnel performing the practices have adequate skills and knowledge
      • The effectiveness of activities is evaluated and tracked
    • Approach characteristic:
      • Practices are more complete or advanced than at MIL2
  • MIL0: Practices are not performed

The maturity indicator levels apply independently to each domain. As a result, an organization using the model may be operating at different MIL ratings in different domains. MILs are cumulative within each domain. To earn a MIL in a given domain, an organization must perform all of the practices in that level and its predecessor levels. For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization must perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3. Establishing a target MIL for each domain is an effective strategy for using the model to guide cybersecurity program improvement.

The implementation of each practice is evaluated with a four-point scale:
[Figure: response scales]

All the practices defined at a given maturity level, and at all lower maturity levels, must be largely or fully implemented for the entity to achieve that maturity level for the given objective. All the objectives in the domain must achieve a given maturity level for the domain to achieve that maturity level.
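The cumulative scoring rule above (an objective earns a MIL only when every practice at that level and all lower levels is largely or fully implemented, and a domain earns the lowest MIL achieved by any of its objectives) is short to state but easy to misapply, so here is the rule as code. This is an added illustration, not the C2M2 tool's own scoring code: the four response labels are assumed from the page's wording, the practice identifiers are constructed, and the example assumes that a level with no practices (a management objective has none at MIL1, per Figure 1) counts as satisfied.

```python
"""Worked example of the C2M2 MIL scoring rule (added illustration, not the tool's code)."""
from collections import defaultdict

# Four-point implementation scale for each practice. Labels are assumed from the
# page's wording: "largely or fully" satisfies a practice, "partially" or "not" does not.
FULLY = "Fully Implemented"
LARGELY = "Largely Implemented"
PARTIALLY = "Partially Implemented"
NOT = "Not Implemented"
SATISFIED = {FULLY, LARGELY}
MAX_MIL = 3


def objective_mil(practices):
    """practices: list of (practice_id, mil, response) tuples for one objective.

    Returns the highest MIL L such that every practice at levels 1..L is largely
    or fully implemented; 0 if MIL1 is not met. A level with no practices counts
    as satisfied (assumption: management objectives have no MIL1 practices).
    """
    by_level = defaultdict(list)
    for _pid, mil, response in practices:
        if not 1 <= mil <= MAX_MIL:
            raise ValueError(f"practice MIL must be 1..{MAX_MIL}, got {mil}")
        by_level[mil].append(response in SATISFIED)
    achieved = 0
    for level in range(1, MAX_MIL + 1):
        if all(by_level[level]):  # all([]) is True: empty level is vacuously met
            achieved = level
        else:
            break                 # cumulative: a gap at this level caps the rating
    return achieved


def domain_mil(objectives):
    """objectives: dict objective_name -> practice list.
    The domain MIL is the lowest MIL achieved across its objectives."""
    return min(objective_mil(p) for p in objectives.values())


def unmet_practices(objectives, target_mil):
    """Practices at or below target_mil that are not largely/fully implemented:
    the gap list an organization must close to reach target_mil in this domain."""
    return [
        pid
        for practices in objectives.values()
        for pid, mil, response in practices
        if mil <= target_mil and response not in SATISFIED
    ]


# Constructed sample responses for one domain. Practice ids are illustrative
# placeholders, not the model's real practice identifiers.
SAMPLE_DOMAIN = {
    "Approach objective 1": [
        ("A1-1a", 1, FULLY),
        ("A1-1b", 1, LARGELY),
        ("A1-2a", 2, FULLY),
        ("A1-3a", 3, PARTIALLY),  # blocks MIL3 for this objective -> MIL2
    ],
    "Approach objective 2": [
        ("A2-1a", 1, FULLY),
        ("A2-2a", 2, NOT),        # blocks MIL2 -> objective stays at MIL1
        ("A2-3a", 3, FULLY),      # does not help: the MIL2 gap caps the rating
    ],
    "Management objective": [
        ("M-2a", 2, FULLY),       # no MIL1 practices: MIL1 is vacuously met
        ("M-3a", 3, LARGELY),     # -> MIL3
    ],
}

if __name__ == "__main__":
    for name, practices in SAMPLE_DOMAIN.items():
        print(f"{name}: MIL{objective_mil(practices)}")
    print(f"Domain MIL: MIL{domain_mil(SAMPLE_DOMAIN)}")   # MIL1, set by objective 2
    print("Gaps to reach MIL2:", unmet_practices(SAMPLE_DOMAIN, 2))
    print("Gaps to reach MIL3:", unmet_practices(SAMPLE_DOMAIN, 3))
```

The second approach objective shows the point that trips people up: a fully implemented MIL3 practice earns nothing while a MIL2 practice in the same objective is not implemented, and that single gap also holds the whole domain at MIL1. The `unmet_practices` helper is the list a facilitator would work from when a target MIL has been set for the domain.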

C2M2 Self-Evaluation Report

A printable C2M2 self-evaluation report may be generated by the tool following completion of a self-evaluation.

The self-evaluation report begins with a detailed introduction of the C2M2. That is followed by information about the model architecture, a summary of self-evaluation results, detailed self-evaluation results, information about practically using the self-evaluation results, a table presenting all of the self-evaluation notes, and a summary of partially and not implemented practices. The following figures present examples of the MIL Achievement by Domain, Practice Implementation by Domain, and detailed evaluation results.

Figure 2: Example of the MIL achieved for each C2M2 domain
Figure 3: Example of the summarized implementation level responses for each C2M2 practice, grouped by domain
Figure 4: Example of the detailed evaluation results