The Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership effort that was established as a result of the Administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The C2M2 helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities.
The model focuses on the implementation and management of cybersecurity practices associated with the operation and use of information technology and operational technology assets and the environments in which they operate. The goal is to support ongoing development and measurement of cybersecurity capabilities within any organization by:
- Strengthening organizations’ cybersecurity capabilities;
- Enabling organizations to effectively and consistently evaluate and benchmark their cybersecurity capabilities;
- Sharing knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities;
- Enabling organizations to prioritize actions and investments to improve cybersecurity; and
- Supporting adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The C2M2 program is comprised of three cybersecurity capability maturity models: