Cybersecurity Capability Maturity Model (C2M2)

The Cybersecurity Capability Maturity Model (C2M2) is a framework designed to assess and enhance the cybersecurity capabilities of organizations. Its focus is on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and environments.

Definition and purpose

The primary purpose of the C2M2 is to assist organizations in assessing and improving their cybersecurity capabilities. It offers a structured framework that helps organizations understand their current state of cybersecurity maturity, establish goals for improvement, and prioritize actions to strengthen their cybersecurity defenses.

The C2M2 can be used as a guide for developing a new cybersecurity program or paired with the C2M2 self-evaluation tool to measure and improve an existing one.

Governing Body

The C2M2 is managed by the U.S. Department of Energy (DOE). It was initially developed through a collaborative effort between public- and private-sector organizations, sponsored by the DOE as well the Electricity Subsector Coordinating Council (ESCC) and the Oil and Natural Gas Subsector Coordinating Council (ONG SCC).

Last updated

The most recent version of the C2M2 — version 2.1 — was released in June 2022. 

This version incorporates guidance from cybersecurity practitioners in the energy sector to address new attack vectors and risk and improve alignment with internationally recognized cyber standards and best practices, including NIST 800-53 and the NIST CSF.

Applies to

While the US energy industry spearheaded its development and adoption, the C2M2 is applicable to organizations of all sectors, types, and sizes. It is particularly relevant for organizations that operate in sectors where the protection of critical assets and infrastructure is essential to national security and public safety, such as energy, transportation, and healthcare.

Controls and requirements

The C2M2 model was developed to provide descriptive, not prescriptive, guidance. So rather than provide a list of controls or requirements, it includes 356 cybersecurity practices, which are grouped into 10 domains based on key objectives. 

The 10 domains are listed below, with some context and practices introduced:

  • Asset, Change, and Configuration Management (ASSET): This domain evaluates an organization's practices related to identifying, tracking, and managing its information assets, changes, and configurations. Effective management of assets helps in protecting critical data and systems.
  • Threat and Vulnerability Management (THREAT): This domain evaluates an organization’s plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (such as critical, IT, and operational) and organizational objectives.
  • Risk Management (RISK): This domain assesses an organization's ability to identify and manage cybersecurity risks effectively. It includes activities such as risk assessment, risk mitigation, and risk monitoring.
  • Identity and Access Management (ACCESS): This domain assesses how well an organization controls user access to its systems and data. It includes authentication, authorization, and access control measures to ensure that only authorized individuals can access sensitive information.
  • Situational Awareness (SITUATION): This domain focuses on an organization's ability to monitor and detect cybersecurity threats and incidents in real-time. It involves security monitoring, threat intelligence, and incident response capabilities.
  • Event and Incident Response, Continuity of Operations (RESPONSE): This domain focuses on an organization's ability to respond to cybersecurity incidents, maintain business continuity, and recover from disruptions. 
  • Third-Party Risk Management (THIRD-PARTIES): This domain evaluates an organization’s controls for managing the cyber risks arising from suppliers and other third parties.
  • Workforce Management (WORKFORCE): This domain assesses an organization’s plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel.
  • Cybersecurity Architecture (ARCHITECTURE): This domain focuses on the structure and behavior of an organization’s cybersecurity architecture, including controls, processes, technologies, and other elements.
  • Cybersecurity Program Management (PROGRAM): This domain evaluates an organization’s cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with both the organization’s strategic objectives and the risk to critical infrastructure.

Please refer to the official C2M2 documentation for a detailed list of the cybersecurity practices that are grouped into each domain. 

Audit type, frequency, and duration

The C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities.  This is typically done by performing a self-evaluation using one of the free C2M2 self-evaluation tools available from the DOE. This type of self-evaluation can be completed in one day. However, the model could also be adapted for a more rigorous self-evaluation effort using another tool. 

Reevaluations should take place periodically, like on an annual basis, or sooner if in response to major changes in business, technology, market, or threat environments.

Get compliant using Secureframe Custom Frameworks