The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It was developed in 2012 by the U.S. energy sector and the Department of Energy (DOE). The C2M2 is managed by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) Cybersecurity for Energy Delivery Systems (CEDS) division. CESER’s CEDS division advances research, development, and deployment of innovative technologies, tools, and techniques to reduce risk to the Nation’s energy infrastructure.

C2M2 goals (from the page graphic):

  • Enhance cyber posture
  • Consistently measure cyber capabilities
  • Share knowledge
  • Prioritize actions and investments

The purpose of the C2M2 is to help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. The C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT) and operations technology (OT) assets and the environments in which they operate.

Figure: maturity progression shown as three rising stages (crawl, walk, run).

A maturity model is:

  • An organized way to convey a path of experience, wisdom, perfection, or acculturation
  • A description whose subject can be characteristics, practices, or processes

C2M2 Version 2.0 Tools and Resources

Download the latest version (July 2021) of the Cybersecurity Capability Maturity Model (C2M2).

Get the C2M2 self-evaluation tools.

What’s New in C2M2 Version 2.0?

The Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (V2.0) was released in July of 2021. The update addresses emerging technologies and the evolving cyber threat landscape. The update was guided by the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 organizations. The group was formed as a collaborative effort through the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.

As part of this update, DOE and the Working Group also partnered with the National Institute of Standards and Technology (NIST) to ensure C2M2 V2.0 aligns with NIST’s Cybersecurity Framework (CSF).

The C2M2 V2.0 update includes the following improvements:

  • Establishment of a Cybersecurity Architecture domain
  • Enhancements to cybersecurity practices across the model
  • Significant changes to the Risk Management and Third-Party Risk Management domains
  • Integration of information sharing activities into the Threat and Vulnerability Management and Situational Awareness domains
  • Addition of a physical access objective to the Identity and Access Management domain
  • Streamlining of cybersecurity management practices
  • Increased usage of common language throughout the model

C2M2 User Community

Since 2012, DOE has responded to more than 2,200 requests for the C2M2 tool. C2M2 has been broadly adopted by organizations across the nation, including owners and operators across all critical infrastructure sectors. The graphics below illustrate the distribution of C2M2 requests across US critical infrastructure sectors as of May 2021. The number of C2M2 tool requests suggests increasing interest in measuring and improving cybersecurity capabilities.

Figure: C2M2 tool requests by sector (pie chart, top five sectors): energy (40.4%), information technology (33.4%), government facilities (7.2%), financial services (5.2%), and communications (4.2%).

In addition to domestic users, international partners are also adopting the C2M2. Over 650 of the total requests for the C2M2 tool have been made by international entities.

History of the C2M2 Model

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Version 1.0 was developed in 2012 in support of a White House initiative led by the Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), and in collaboration with industry, private-sector, and public-sector experts. The model was developed collaboratively with an industry advisory group through a series of working sessions and revised based on feedback from industry experts and pilot evaluations. The advisory group for the initiative included representatives from industry associations, utilities, and government. Additionally, more than 40 subject matter experts (SMEs) from industry participated in development of the model.

Minor updates were released in 2014, including ES-C2M2 Version 1.1, the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) Version 1.1, and the Cybersecurity Capability Maturity Model (C2M2) Version 1.1.

Components of the C2M2

The C2M2 comprises domains, objectives, practices, and MILs (maturity indicator levels). Each component is discussed in the following sections.

Domains

A domain is a list of cybersecurity practices focused on a specific subject area. Each of the model’s 10 domains contains a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability in the domain. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature cyber risk management capability.

The 10 C2M2 domains (with their short names) are:

  • Asset, Change, and Configuration Management (ASSET)
  • Cybersecurity Architecture (ARCHITECTURE)
  • Cybersecurity Program Management (PROGRAM)
  • Event and Incident Response, Continuity of Operations (RESPONSE)
  • Identity and Access Management (ACCESS)
  • Risk Management (RISK)
  • Situational Awareness (SITUATION)
  • Third-Party Risk Management (THIRD-PARTIES)
  • Threat and Vulnerability Management (THREAT)
  • Workforce Management (WORKFORCE)

Objectives

The practices within each domain are organized into objectives, which represent cybersecurity achievements that may be accomplished by implementing the practices in the domain. For example, the Risk Management domain comprises five objectives:

  1. Establish and Maintain Cyber Risk Management Strategy and Program
  2. Identify Cyber Risk
  3. Analyze Cyber Risk
  4. Respond to Cyber Risk
  5. Management Activities

Practices

Practices are the most fundamental component of the C2M2. Each practice is a brief statement describing a cybersecurity activity that may be performed by an organization. The purpose of these activities is to achieve and sustain an appropriate level of cybersecurity, commensurate with the risk to critical infrastructure and organizational objectives. Practices within each domain are organized to progress along a maturity scale.

Maturity Indicator Levels (MILs)

To measure progression, the C2M2 uses a 1-3 scale of maturity indicator levels. Each level represents a set of maturity attributes, which are described in the table below. Organizations that implement the cybersecurity practices within each MIL achieve that level. Having measurable transition states between the levels enables an organization to use the scale to define its current state and a more mature future state, and to identify the capabilities it must attain to reach that future state.

The three maturity indicator levels (MILs):

  • MIL1: Initiated
  • MIL2: Performed
  • MIL3: Managed
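The component hierarchy described above (domain, objective, practice) and the MIL scale map naturally onto a small data model, and the most useful thing a practitioner does with that model is score a self-evaluation: record a response for every practice and work out which MIL each domain has reached and which practices stand between the current state and a target level. The following Python is an added illustration written for this page; it is not the DOE self-evaluation tool and does not reproduce the model's actual practice text. It assumes the four-step response scale used in C2M2 self-evaluations (Not / Partially / Largely / Fully Implemented), that a practice counts as achieved when it is Largely or Fully Implemented, and that MILs are cumulative (a gap at MIL1 caps the domain at MIL0 regardless of higher-level practices). The practice identifiers and responses are constructed sample data.

```python
"""Added example: a minimal C2M2-style self-evaluation scorer.

Not DOE's tool. Assumptions, none of which the page itself states:
  * responses use the four-step C2M2 scale in RESPONSES;
  * a practice is "achieved" when Largely or Fully Implemented;
  * MILs are cumulative: MIL n is reached only when every practice at
    MIL n and every lower MIL is achieved.
Practice IDs and responses below are constructed sample data.
"""
from dataclasses import dataclass, field

RESPONSES = ("Not Implemented", "Partially Implemented",
             "Largely Implemented", "Fully Implemented")
ACHIEVING = {"Largely Implemented", "Fully Implemented"}


@dataclass
class Practice:
    pid: str        # constructed identifier, e.g. "RISK-1a"
    mil: int        # maturity indicator level of the practice (1-3)
    response: str   # one of RESPONSES


@dataclass
class Objective:
    name: str
    practices: list = field(default_factory=list)


@dataclass
class Domain:
    name: str
    objectives: list = field(default_factory=list)

    def practices(self):
        """Flatten objective -> practice into one list for the domain."""
        return [p for o in self.objectives for p in o.practices]


def validate(domain):
    """Reject malformed input before scoring (bad MIL or response text)."""
    for p in domain.practices():
        if p.response not in RESPONSES:
            raise ValueError(f"{p.pid}: unknown response {p.response!r}")
        if p.mil not in (1, 2, 3):
            raise ValueError(f"{p.pid}: MIL must be 1-3, got {p.mil}")


def achieved_mil(domain):
    """Highest MIL such that every practice at that MIL and below is achieved.

    Levels are cumulative, so the scan stops at the first level with a gap
    (or with no practices at all); the result is 0 when MIL1 is incomplete.
    """
    validate(domain)
    level = 0
    for mil in (1, 2, 3):
        at_level = [p for p in domain.practices() if p.mil == mil]
        if at_level and all(p.response in ACHIEVING for p in at_level):
            level = mil
        else:
            break
    return level


def gaps_to(domain, target_mil):
    """IDs of practices at or below target_mil that are not yet achieved."""
    return [p.pid for p in domain.practices()
            if p.mil <= target_mil and p.response not in ACHIEVING]


def sample_risk_domain():
    """Constructed Risk Management domain using the five objectives listed
    on this page; practice IDs and responses are made-up sample data."""
    return Domain("Risk Management", [
        Objective("Establish and Maintain Cyber Risk Management Strategy and Program", [
            Practice("RISK-1a", 1, "Fully Implemented"),
            Practice("RISK-1b", 2, "Largely Implemented"),
            Practice("RISK-1c", 3, "Partially Implemented"),
        ]),
        Objective("Identify Cyber Risk", [
            Practice("RISK-2a", 1, "Fully Implemented"),
            Practice("RISK-2b", 2, "Partially Implemented"),
        ]),
        Objective("Analyze Cyber Risk", [
            Practice("RISK-3a", 1, "Largely Implemented"),
            Practice("RISK-3b", 2, "Fully Implemented"),
        ]),
        Objective("Respond to Cyber Risk", [
            Practice("RISK-4a", 1, "Fully Implemented"),
        ]),
        Objective("Management Activities", [
            Practice("RISK-5a", 2, "Fully Implemented"),
            Practice("RISK-5b", 3, "Not Implemented"),
        ]),
    ])


if __name__ == "__main__":
    risk = sample_risk_domain()
    print(f"{risk.name}: achieved MIL{achieved_mil(risk)}")
    for target in (2, 3):
        print(f"  gaps to MIL{target}: {gaps_to(risk, target)}")
```

Running the module scores the sample domain at MIL1: every MIL1 practice is achieved, but RISK-2b (MIL2, Partially Implemented) blocks MIL2, so `gaps_to(risk, 2)` names it as the single practice to close for the next level. The cumulative rule is the design choice worth keeping when adapting this: reporting MIL2 because most MIL2 practices are done would hide exactly the gap a target-state plan needs to surface.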

Facilitated Self-Evaluation

The C2M2 is designed for use with a self-evaluation methodology and tool (available by sending a request to C2M2@hq.doe.gov or by downloading here). A self-evaluation using the tool can be completed in as little as one day.

Additionally, if requested, DOE can facilitate a free C2M2 self-evaluation for U.S. energy sector organizations. Email us at C2M2@hq.doe.gov for more information.

Supplemental Materials

NIST Cybersecurity Framework

Energy Sector Cybersecurity Framework Implementation Guidance (PDF)
