The C2M2 was developed collaboratively by the U.S. Department of Energy (DOE), private- and public-sector experts, and representatives of asset owners and operators within the energy sector. Since its release in 2012, C2M2 has been widely used to support self-evaluations in the energy sector and other sectors. Two additional versions were released prior to the launch of Version 2.1 in June 2022.
The Cybersecurity Capability Maturity Model (C2M2) enables organizations to evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments. According to a statement on the C2M2 website, the Department of Energy promotes its adoption by organizations of any size, type, or industry, noting the benefit of using the model to evaluate, prioritize, and improve cybersecurity capabilities.
The SureShield platform simplifies C2M2 compliance by automating technical controls and guiding you through operational controls. SureShield’s automation will reduce your overall C2M2 compliance cost by up to 90% when compared to traditional, labor-intensive compliance methods. For organizations that must comply with multiple frameworks, crosswalk automation delivers cost savings approaching 90%.
Effectively and consistently measure and benchmark cybersecurity capabilities.
Prioritize actions and investments to improve cybersecurity.
Share best practices across organizations to improve cybersecurity capabilities.
C2M2 Version 2.1 aligns with recent strategic guidance to strengthen and improve the nation’s cybersecurity posture and capabilities and to reinforce the need for action towards systematic security and resilience. Version 2.1 incorporates additional improvements to align with internationally recognized cybersecurity standards and best practices, including the NIST Cybersecurity Framework.
The C2M2 model is organized into 10 domains, each defined as a logical grouping of cybersecurity practices. The practices within a domain are grouped by objective and, within each objective, ordered by maturity level. The domains in the C2M2 are:
To summarize, the C2M2 is designed either to guide the development of a new cybersecurity program or to support a self-evaluation methodology that enables an organization to measure and improve an existing cybersecurity program.
Activate C2M2 framework
Install scanner for compliance evidence gathering
Review baseline evidence to score compliance control status
Close compliance gaps
Ongoing compliance and gap surveillance
Enforced maintenance of compliance readiness
Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology will dramatically reduce your labor requirements. Schedule your free consulting session, up to 1 hour.