C2M2 has been widely used to support self-evaluations in the energy sector


Framework Snapshot

The C2M2 was developed collaboratively by the U.S. Department of Energy (DOE), private- and public-sector experts, and representatives of asset owners and operators within the energy sector. Since its release in 2012, C2M2 has been widely used to support self-evaluations in the energy sector and other sectors. Two additional versions were released prior to the launch of Version 2.1 in June 2022.

The Cybersecurity Capability Maturity Model (C2M2) enables organizations to evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments. According to a statement on the C2M2 website, the Department of Energy promotes its adoption by organizations regardless of size, type, or industry, noting the benefit of using the model to evaluate, prioritize, and improve cybersecurity capabilities.

C2M2 Automation: Compliance for Less

The SureShield platform simplifies C2M2 compliance by automating technical controls and guiding you through operational controls. SureShield's automation will reduce your overall C2M2 compliance cost by up to 90% when compared to traditional, labor-intensive compliance methods. For organizations requiring compliance with multiple frameworks, crosswalk automation drives cost savings up toward 90%.

Authorization Process



    Benefits Of C2M2 Compliance

    Measure Capabilities

    Effectively and consistently measure and benchmark cybersecurity capabilities.

    Prioritize Actions

    Prioritize actions and investments to improve cybersecurity.

    Share Knowledge

    Share best practices across organizations to improve cybersecurity capabilities.

    C2M2 Version 2.1 aligns with recent strategic guidance to strengthen and improve the nation’s cybersecurity posture and capabilities and to reinforce the need for action towards systematic security and resilience. Version 2.1 incorporates additional improvements to align with internationally recognized cybersecurity standards and best practices, including the NIST Cybersecurity Framework.

    The C2M2 model is organized into 10 domains defined as logical groupings of cybersecurity practices. The practices within a domain are grouped by objective and within each objective, the practices are ordered by maturity level. The domains in the C2M2 are:

    1. Asset, Change, and Configuration Management (ASSET)
    2. Threat and Vulnerability Management (THREAT)
    3. Risk Management (RISK)
    4. Identity and Access Management (ACCESS)
    5. Situational Awareness (SITUATION)
    6. Event and Incident Response, Continuity of Operations (RESPONSE)
    7. Third-Party Risk Management (THIRD-PARTIES)
    8. Workforce Management (WORKFORCE)
    9. Cybersecurity Architecture (ARCHITECTURE)
    10. Cybersecurity Program Management (PROGRAM)


    To summarize, the C2M2 is designed either to guide the development of a new cybersecurity program or to support a self-evaluation methodology that enables an organization to measure and improve an existing cybersecurity program.
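The hierarchy described above (domain, objective, practice, with practices ordered by maturity level) lends itself to a small self-evaluation scoring model. The following Python is an added example, not code from this page, from SureShield, or from DOE. The domain codes (ASSET, THREAT, RISK) are taken from the list above; the practice identifiers, practice text, and evaluation responses are constructed. The scoring rule it applies, three maturity indicator levels (MIL1 to MIL3) and a MIL achieved in a domain only when every practice at that level and every lower level is Fully or Largely Implemented, is stated here as an assumption about the model rather than something the page spells out.

```python
"""Model of the C2M2 domain / objective / practice hierarchy with a maturity
scoring pass over constructed self-evaluation responses.

Added example; not SureShield or DOE code. Assumptions not stated on the page:
three maturity indicator levels (MIL1..MIL3), four response values, and a MIL
is achieved only when all practices at that level AND all lower levels are
Fully Implemented or Largely Implemented.
"""
from dataclasses import dataclass, field
from enum import Enum


class Response(Enum):
    NOT_IMPLEMENTED = "NI"
    PARTIALLY_IMPLEMENTED = "PI"
    LARGELY_IMPLEMENTED = "LI"
    FULLY_IMPLEMENTED = "FI"

    @property
    def counts_toward_mil(self) -> bool:
        # Assumption: only FI and LI credit a practice toward MIL achievement.
        return self in (Response.LARGELY_IMPLEMENTED, Response.FULLY_IMPLEMENTED)


@dataclass(frozen=True)
class Practice:
    pid: str   # constructed identifier, e.g. "ASSET-1a"
    mil: int   # maturity indicator level the practice belongs to (1..3)
    text: str  # constructed practice text


@dataclass
class Objective:
    name: str
    practices: list[Practice] = field(default_factory=list)


@dataclass
class Domain:
    code: str    # short domain name as the page lists it, e.g. ASSET
    title: str
    objectives: list[Objective] = field(default_factory=list)

    def practices_at(self, mil: int) -> list[Practice]:
        """All practices in this domain, across objectives, at the given MIL."""
        return [p for o in self.objectives for p in o.practices if p.mil == mil]

    def achieved_mil(self, responses: dict[str, Response]) -> int:
        """Highest MIL such that this level and every lower level is satisfied.
        A practice with no recorded response is treated as Not Implemented."""
        achieved = 0
        for mil in (1, 2, 3):
            if not all(responses.get(p.pid, Response.NOT_IMPLEMENTED).counts_toward_mil
                       for p in self.practices_at(mil)):
                break  # a failed level blocks every higher level
            achieved = mil
        return achieved

    def gaps(self, responses: dict[str, Response], target_mil: int) -> list[str]:
        """Practice ids that must be raised to FI/LI to reach target_mil."""
        return [p.pid
                for mil in range(1, target_mil + 1)
                for p in self.practices_at(mil)
                if not responses.get(p.pid, Response.NOT_IMPLEMENTED).counts_toward_mil]


def score_domains(domains: list[Domain], responses: dict[str, Response]) -> dict[str, int]:
    """Achieved MIL per domain code."""
    return {d.code: d.achieved_mil(responses) for d in domains}


# Constructed sample model: three of the ten domains, a few practices each.
SAMPLE_DOMAINS = [
    Domain("ASSET", "Asset, Change, and Configuration Management", [
        Objective("Manage IT and OT Asset Inventory", [
            Practice("ASSET-1a", 1, "Inventory of IT and OT assets is maintained"),
            Practice("ASSET-1b", 1, "Inventory includes asset attributes"),
            Practice("ASSET-1c", 2, "Inventory is kept current"),
            Practice("ASSET-1d", 3, "Inventory is risk-prioritized"),
        ]),
    ]),
    Domain("THREAT", "Threat and Vulnerability Management", [
        Objective("Reduce Cybersecurity Vulnerabilities", [
            Practice("THREAT-2a", 1, "Vulnerability information is gathered"),
            Practice("THREAT-2b", 2, "Vulnerabilities are tracked to closure"),
            Practice("THREAT-2c", 3, "Vulnerability analysis is risk-informed"),
        ]),
    ]),
    Domain("RISK", "Risk Management", [
        Objective("Establish and Maintain Cyber Risk Management Strategy", [
            Practice("RISK-1a", 1, "Risk strategy is documented"),
            Practice("RISK-1b", 2, "Risk strategy is approved by senior management"),
        ]),
    ]),
]

# Constructed self-evaluation responses. RISK-1a is missing on purpose.
SAMPLE_RESPONSES = {
    "ASSET-1a": Response.FULLY_IMPLEMENTED,
    "ASSET-1b": Response.LARGELY_IMPLEMENTED,
    "ASSET-1c": Response.PARTIALLY_IMPLEMENTED,
    "ASSET-1d": Response.FULLY_IMPLEMENTED,
    "THREAT-2a": Response.FULLY_IMPLEMENTED,
    "THREAT-2b": Response.FULLY_IMPLEMENTED,
    "THREAT-2c": Response.NOT_IMPLEMENTED,
    "RISK-1b": Response.FULLY_IMPLEMENTED,
}

if __name__ == "__main__":
    for code, mil in score_domains(SAMPLE_DOMAINS, SAMPLE_RESPONSES).items():
        print(f"{code}: achieved MIL{mil}")
```

The RISK domain in the sample shows the rule's main effect: its only MIL2 practice is Fully Implemented, but the unanswered MIL1 practice leaves the domain at MIL0, so `gaps(..., 2)` points at the MIL1 practice as the item to fix first.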


    1. Activate C2M2 framework
    2. Install scanner for compliance evidence gathering
    3. Review baseline evidence to score compliance control status
    4. Close compliance gaps
    5. Ongoing compliance and gap surveillance
    6. Enforced maintenance of compliance readiness

    Free Compliance Assessment

    Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology will dramatically reduce your labor requirements. Schedule your free consulting session, up to 1 hour.