The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It was developed in 2012 by the U.S. energy sector and the Department of Energy (DOE). The C2M2 is managed by the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) Cybersecurity for Energy Delivery Systems (CEDS) division. CESER’s CEDS division advances research, development, and deployment of innovative technologies, tools, and techniques to reduce risk to the Nation’s energy infrastructure.
The purpose of the C2M2 is to help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. The C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT) and operations technology (OT) assets and the environments in which they operate.
A maturity model is an organized way to convey a path of experience, wisdom, perfection, or acculturation. The subject of a maturity model can be characteristics, practices, or processes.
C2M2 Version 2.0 Tools and Resources
The latest version (July 2021) of the Cybersecurity Capability Maturity Model (C2M2) and the C2M2 self-evaluation tools are available for download.
What’s New in C2M2 Version 2.0?
The Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (V2.0) was released in July of 2021. The update addresses emerging technologies and the evolving cyber threat landscape. The update was guided by the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 organizations. The group was formed as a collaborative effort through the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.
As part of this update, DOE and the Working Group also partnered with the National Institute of Standards and Technology (NIST) to ensure C2M2 V2.0 aligns with NIST’s Cybersecurity Framework (CSF).
The C2M2 V2.0 update includes the following improvements:
- Establishment of a Cybersecurity Architecture domain
- Enhancements to cybersecurity practices across the model
- Significant changes to the Risk Management and Third-Party Risk Management domains
- Integration of information sharing activities into the Threat and Vulnerability Management and Situational Awareness domains
- Addition of a physical access objective to the Identity and Access Management domain
- Streamlining of cybersecurity management practices
- Increased usage of common language throughout the model
C2M2 User Community
Since 2012, DOE has responded to more than 2,200 requests for the C2M2 tool. C2M2 has been broadly adopted by organizations across the nation, including owners and operators across all critical infrastructure sectors. The graphics below illustrate the distribution of C2M2 requests across US critical infrastructure sectors as of May 2021. The number of C2M2 tool requests suggests increasing interest in measuring and improving cybersecurity capabilities.
In addition to domestic users, international partners are also adopting the C2M2. Over 650 of the total requests for the C2M2 tool have been made by international entities.
History of the C2M2 Model
The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) Version 1.0 was developed in 2012 in support of a White House initiative led by the Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), and in collaboration with industry, private-sector, and public-sector experts. The model was developed collaboratively with an industry advisory group through a series of working sessions and revised based on feedback from industry experts and pilot evaluations. The advisory group for the initiative included representatives from industry associations, utilities, and government. Additionally, more than 40 subject matter experts (SMEs) from industry participated in development of the model.
Minor updates were released in 2014, including ES-C2M2 Version 1.1, the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) Version 1.1, and the Cybersecurity Capability Maturity Model (C2M2) Version 1.1.
Components of the C2M2
The C2M2 comprises domains, objectives, practices, and MILs (maturity indicator levels). Each component is discussed in the following sections.
A domain is a list of cybersecurity practices focused on a specific subject area. Each of the model’s 10 domains contains a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability in the domain. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature cyber risk management capability.
The practices within each domain are organized into objectives, which represent cybersecurity achievements that may be accomplished by implementing the practices in the domain. For example, the Risk Management domain comprises five objectives:
- Establish and Maintain Cyber Risk Management Strategy and Program
- Identify Cyber Risk
- Analyze Cyber Risk
- Respond to Cyber Risk
- Management Activities
Practices are the most fundamental component of the C2M2. Each practice is a brief statement describing a cybersecurity activity that may be performed by an organization. The purpose of these activities is to achieve and sustain an appropriate level of cybersecurity, commensurate with the risk to critical infrastructure and organizational objectives. Practices within each domain are organized to progress along a maturity scale.
Maturity Indicator Levels (MILs)
To measure progression, the C2M2 uses three maturity indicator levels, MIL1 through MIL3, within each domain; MIL0 denotes that not all of the domain's MIL1 practices are performed. Each level represents a set of maturity attributes, which are described in the table below. The MILs are cumulative: an organization attains a given MIL in a domain only when it performs all of the practices at that level and at every lower level. Having measurable transition states between the levels lets an organization use the scale to define its current state and a more mature target state, and to identify the capabilities it must attain to reach that target.
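As an added illustration, not DOE's self-evaluation tool and not code from the C2M2 project, the following Python computes a domain's achieved MIL from practice-level responses under the cumulative rule described above. It assumes the four response options used in C2M2 self-evaluations (Fully, Largely, Partially, Not Implemented) and one scoring convention, namely that a practice counts as performed when it is Fully or Largely Implemented. The practice identifiers and responses in the sample are constructed; the objective names are those of the Risk Management domain listed above.

```python
"""Compute achieved Maturity Indicator Levels (MILs) per C2M2 domain.

Illustrative code added here; not the DOE self-evaluation tool. Assumptions:
  * model structure: domain -> objective -> practice, each practice tagged
    with the MIL (1..3) at which it is required;
  * a practice is "performed" when its response is Fully or Largely
    Implemented (scoring convention assumed, not taken from the page);
  * MILs are cumulative, so MIL2 requires every MIL1 and MIL2 practice.
Practice IDs such as "RISK-1a" are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PERFORMED = {"Fully Implemented", "Largely Implemented"}
MAX_MIL = 3


@dataclass(frozen=True)
class Practice:
    id: str          # constructed identifier
    objective: str   # objective the practice belongs to
    mil: int         # 1..3: level at which the practice is required
    response: str    # self-evaluation response for this practice


@dataclass
class Domain:
    name: str
    practices: list[Practice] = field(default_factory=list)


def achieved_mil(domain: Domain) -> int:
    """Highest MIL such that every practice at that level and all lower
    levels is performed. Returns 0 (MIL0) if any MIL1 practice is not."""
    level = 0
    for mil in range(1, MAX_MIL + 1):
        at_level = [p for p in domain.practices if p.mil == mil]
        if any(p.response not in PERFORMED for p in at_level):
            break          # cumulative rule: a gap here blocks all higher MILs
        level = mil
    return level


def gaps_to(domain: Domain, target_mil: int) -> list[str]:
    """IDs of the practices that block the domain from reaching target_mil."""
    return [p.id for p in domain.practices
            if p.mil <= target_mil and p.response not in PERFORMED]


def evaluate(domains: list[Domain]) -> dict[str, int]:
    """Achieved MIL for each domain, keyed by domain name."""
    return {d.name: achieved_mil(d) for d in domains}


# Constructed sample: Risk Management with the five objectives from the
# model; responses chosen so MIL1 is met and MIL2 is blocked by one practice.
RISK = Domain("Risk Management", [
    Practice("RISK-1a", "Establish and Maintain Cyber Risk Management Strategy and Program", 1, "Fully Implemented"),
    Practice("RISK-1b", "Establish and Maintain Cyber Risk Management Strategy and Program", 2, "Largely Implemented"),
    Practice("RISK-2a", "Identify Cyber Risk", 1, "Fully Implemented"),
    Practice("RISK-2b", "Identify Cyber Risk", 2, "Partially Implemented"),
    Practice("RISK-3a", "Analyze Cyber Risk", 2, "Fully Implemented"),
    Practice("RISK-4a", "Respond to Cyber Risk", 1, "Fully Implemented"),
    Practice("RISK-5a", "Management Activities", 2, "Fully Implemented"),
    Practice("RISK-5b", "Management Activities", 3, "Not Implemented"),
])

# Constructed sample showing the MIL0 case: one MIL1 practice not performed.
ARCH = Domain("Cybersecurity Architecture", [
    Practice("ARCH-1a", "Establish and Maintain Cybersecurity Architecture Strategy and Program", 1, "Not Implemented"),
    Practice("ARCH-1b", "Establish and Maintain Cybersecurity Architecture Strategy and Program", 2, "Fully Implemented"),
])

SAMPLE_DOMAINS = [RISK, ARCH]

if __name__ == "__main__":
    for name, mil in evaluate(SAMPLE_DOMAINS).items():
        print(f"{name}: MIL{mil}")
    print("Blocking MIL2 in Risk Management:", gaps_to(RISK, 2))
    print("Blocking MIL3 in Risk Management:", gaps_to(RISK, 3))
```

The `gaps_to` list is the practical output of a self-evaluation: it is the work plan for moving a domain from its current MIL to the target MIL, and because the rule is cumulative, a single unperformed MIL1 practice leaves a domain at MIL0 regardless of how many higher-level practices are in place.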
The C2M2 is designed for use with a self-evaluation methodology and tool (available by sending a request to C2M2@hq.doe.gov or by downloading it from this page). A self-evaluation using the tool can be completed in as little as one day.
Additionally, if requested, DOE can facilitate a free C2M2 self-evaluation for U.S. energy sector organizations. Email us at C2M2@hq.doe.gov for more information.