Introduction: The Cybersecurity Capability Maturity Model (C2M2)
The Cybersecurity Capability Maturity Model, universally abbreviated as C2M2, is a voluntary self-evaluation instrument developed and stewarded by the United States Department of Energy (US DOE) in partnership with the Department of Homeland Security and hundreds of public- and private-sector participants. First released in 2012 as the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), it was rapidly generalised into a sector-agnostic model. The current version at the time of writing is C2M2 Version 2.1 (released June 2022), which supersedes v2.0 (2021) and the earlier v1.1 (2014). It remains one of the most widely adopted maturity models for operational technology (OT) and information technology (IT) environments, particularly among energy, utilities, oil and gas, and critical-infrastructure operators globally.
C2M2 is fundamentally different from a prescriptive control standard such as ISO/IEC 27001 or the PCI DSS. It does not certify an organisation and it does not mandate specific technologies. Instead, it measures the maturity of an organisation's cybersecurity capabilities across ten domains, expressing each practice at one of four Maturity Indicator Levels (MIL0 through MIL3). This gives boards, CISOs and regulators a defensible, repeatable and benchmarkable picture of where cyber-capability is strong, where it is nascent, and where investment should be prioritised. It is deliberately technology-neutral, threat-informed and scalable from a single facility to an enterprise portfolio of assets.
What is C2M2?
C2M2 is a maturity model: a structured collection of cybersecurity practices, organised into logical domains, arranged in a progression from foundational to advanced. An organisation uses the model to perform a facilitated self-assessment, honestly rating whether each practice is fully implemented, largely implemented, partially implemented, or not implemented. The aggregated result is a maturity profile that reveals the organisation's true capability rather than a paper compliance status.
The model is built on three foundational concepts. First, the Maturity Indicator Level (MIL) — a four-point scale (MIL0 to MIL3) applied independently to each of the ten domains. Second, the domain — a logical grouping of related cybersecurity practices (there are ten). Third, the practice — a discrete, assessable statement of a capability an organisation should demonstrate. Practices within a domain are grouped by Objective, and each practice is tagged with the lowest MIL at which it is expected.
Crucially, C2M2 measures two dimensions of maturity in parallel. Approach maturity captures the completeness, sophistication and repeatability of the practices themselves (are they ad-hoc, documented, managed?). Management maturity (also called institutionalisation) captures the degree to which practices are governed — sponsored, resourced, assigned, standardised and improved over time. Both must advance together; a practice performed heroically by one engineer but never documented or resourced cannot claim a high MIL.
- Voluntary, free, and self-administered — no external certification body is required.
- Descriptive and diagnostic rather than prescriptive — it tells you your maturity, not which product to buy.
- Applicable to both IT and OT / industrial control system (ICS) environments — a key differentiator from IT-only frameworks.
- Scalable — usable by a small utility co-operative or a multinational energy major.
- Threat-informed and risk-based — practices are framed around managing cyber risk to function.
- Benchmarkable — results can be trended over time and (anonymously) compared across peers.
Who Must Comply / Scope of Applicability
C2M2 is voluntary; strictly speaking no organisation is legally compelled to use it. However, it has become a de facto expectation and, in several regulatory and contractual contexts, a recommended or referenced framework. It is most heavily used by critical-infrastructure sectors, and increasingly by any organisation operating significant OT estates. The following table summarises the primary populations that adopt or are steered towards C2M2.
| Sector / population | Nature of applicability | Typical driver |
|---|---|---|
| Electricity generation, transmission and distribution | De facto standard (origin sector) | DOE programmes, RRAP, board assurance, NERC CIP alignment |
| Oil and natural gas (pipelines, midstream, LNG) | Strongly recommended | TSA Security Directives, ONG-C2M2 variant, OT risk management |
| Water and wastewater utilities | Recommended / adopted | AWWA guidance, critical-infrastructure protection |
| Manufacturing and industrial (OT-heavy) | Voluntary but common | OT/ICS risk visibility, insurer expectations |
| Federal / government energy programmes | Frequently mandated by policy | Agency cyber directives, procurement clauses |
| Critical-infrastructure operators (global) | Voluntary benchmarking | National critical-infra schemes, supply-chain assurance |
| Vendors and suppliers to the above | Contractual flow-down | Third-party / supply-chain risk requirements |
Structure of C2M2
C2M2 v2.1 is organised into ten domains. Each domain contains a set of Objectives, and each Objective contains a set of Practices. Practices are assigned to Maturity Indicator Levels MIL1, MIL2 or MIL3. Every domain additionally contains a set of institutionalisation (Management Activities) practices that describe how the domain is governed. The ten domains and their standard two-to-four-letter abbreviations are shown below.
| # | Domain | Abbrev. | Purpose (paraphrased) |
|---|---|---|---|
| 1 | Asset, Change, and Configuration Management | ASSET | Manage IT and OT assets, including their configuration and changes, commensurate with risk. |
| 2 | Threat and Vulnerability Management | THREAT | Establish and maintain plans, procedures and technologies to detect, identify, analyse and respond to threats and vulnerabilities. |
| 3 | Risk Management | RISK | Establish, operate and maintain an enterprise cyber-risk management programme aligned to organisational risk tolerance. |
| 4 | Identity and Access Management | ACCESS | Create and manage identities and control logical and physical access for personnel and entities. |
| 5 | Situational Awareness | SITUATION | Establish and maintain activities to gather, analyse, alarm and report on the cybersecurity operating state. |
| 6 | Event and Incident Response, Continuity of Operations | RESPONSE | Detect, analyse, respond to and recover from cybersecurity events and incidents; sustain operations. |
| 7 | Third-Party Risk Management | THIRD-PARTIES | Manage cyber risk arising from suppliers, vendors and other external dependencies. |
| 8 | Workforce Management | WORKFORCE | Create a culture of cybersecurity and ensure a skilled, accountable and vetted workforce. |
| 9 | Cybersecurity Architecture | ARCHITECTURE | Establish and maintain the structure and behaviour of the organisation's cybersecurity architecture. |
| 10 | Cybersecurity Program Management | PROGRAM | Establish and maintain an enterprise cybersecurity programme providing governance, strategy and sponsorship. |
Across the ten domains, C2M2 v2.1 contains 356 practices in total. Each practice is a single assessable statement rated on the four-point implementation scale. The Maturity Indicator Levels are cumulative: to claim MIL2 in a domain the organisation must have achieved all MIL1 practices AND all MIL2 practices in that domain; to claim MIL3 it must additionally achieve all MIL3 practices. MIL0 is the default state indicating that not all MIL1 practices are met.
Master Assessment Checklist
This is the operational heart of the guide. Below, every one of the ten domains is enumerated with its representative Objectives and the key verification points an auditor should test, alongside the typical evidence an implementer should be prepared to produce. The checklists are framed to cover MIL1 (foundational), MIL2 (documented and managed) and MIL3 (measured and improving) expectations. No domain is omitted.
Domain 1 — Asset, Change, and Configuration Management (ASSET)
Objectives: (1) Manage IT and OT Asset Inventory; (2) Manage Information Asset Inventory; (3) Manage IT and OT Asset Configuration; (4) Manage Changes to IT and OT Assets; (5) Management Activities.
| What to verify | Typical evidence |
|---|---|
| A prioritised inventory of IT and OT assets exists and is maintained at the risk-driven level of detail | Asset register / CMDB export, OT asset discovery reports, inventory update policy |
| Information assets (data) are inventoried and prioritised by importance to function | Data inventory, data classification scheme, information asset owners list |
| Configuration baselines are established for assets and deviations are managed | Hardening baselines (CIS/vendor), configuration standards, drift-detection reports |
| A change-management process governs changes to IT and OT assets, including emergency changes | Change management policy, change tickets/CAB minutes, emergency change records |
| Inventory and configuration data are current, and de-provisioning of retired assets occurs | Asset lifecycle records, decommissioning logs, reconciliation reports |
| Practices are governed: sponsored, staffed, documented, resourced, and reviewed for improvement (MIL2/3) | Domain procedures, RACI, budget lines, periodic review minutes, metrics |
Domain 2 — Threat and Vulnerability Management (THREAT)
Objectives: (1) Reduce Cybersecurity Vulnerabilities; (2) Respond to Threats and Share Threat Information; (3) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Vulnerabilities are identified (scanning, feeds, assessments) across IT and OT | Vulnerability scan reports, OT-safe assessment methodology, coverage matrix |
| Vulnerabilities are analysed, prioritised and remediated or mitigated within defined timeframes | Remediation SLAs, risk-based prioritisation, patch and mitigation records |
| Cyber threat information is gathered, analysed and used to inform defences | Threat intel subscriptions (E-ISAC/ISAC), analyst briefings, IOC feeds |
| Threat information is shared with appropriate internal and external parties | Information-sharing agreements, submissions to ISAC/CISA, sharing logs |
| Threat and vulnerability activities are documented, resourced and continuously improved (MIL2/3) | TVM programme document, tooling budget, effectiveness metrics, review records |
Domain 3 — Risk Management (RISK)
Objectives: (1) Establish and Maintain Cyber Risk Management Strategy and Program; (2) Manage Cyber Risk; (3) Management Activities.
| What to verify | Typical evidence |
|---|---|
| A documented cyber-risk management strategy exists, aligned to enterprise risk and risk tolerance | Risk management strategy, risk appetite/tolerance statement, board approval |
| Risk is identified, analysed, prioritised and treated using a defined methodology | Risk register, risk assessment methodology, treatment plans, residual-risk sign-off |
| Risk criteria (impact, likelihood) are defined and applied consistently | Risk scoring matrix, calibration guidance, worked examples |
| Risk is monitored and reported to governance, and the register is kept current | Risk reports to board/committee, review cadence records, KRIs |
| Risk management is institutionalised — sponsored, staffed and improved (MIL2/3) | Programme charter, risk-owner assignments, maturity review of the process |
Domain 4 — Identity and Access Management (ACCESS)
Objectives: (1) Establish and Maintain Identities; (2) Control Logical Access; (3) Control Physical Access; (4) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Identities are provisioned, maintained and de-provisioned for people, devices and services | Joiner-mover-leaver process, identity lifecycle records, service-account inventory |
| Logical access is granted on least-privilege and separation-of-duties principles | Access policy, RBAC matrix, privileged-access management (PAM) records |
| Access is periodically reviewed and revoked when no longer required | Access recertification reports, revocation tickets, orphan-account reviews |
| Multi-factor / strong authentication is enforced commensurate with risk (esp. remote/privileged) | MFA configuration evidence, remote-access policy, VPN/PAM logs |
| Physical access to assets (including OT facilities) is controlled and logged | Badge system records, visitor logs, physical zone definitions |
| IAM is governed, documented, resourced and improved (MIL2/3) | IAM procedures, ownership, access metrics, review minutes |
Domain 5 — Situational Awareness (SITUATION)
Objectives: (1) Perform Logging; (2) Perform Monitoring; (3) Establish and Maintain a Common Operating Picture; (4) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Logging is performed across IT and OT assets at a risk-appropriate level | Logging standard, log-source inventory, retention configuration |
| Monitoring detects anomalous and adversarial activity and generates alarms | SIEM/monitoring architecture, use-case/detection list, alert samples |
| Logs and alerts are correlated into a common operating picture (COP) for cyber state | COP dashboards, correlation rules, SOC shift reports |
| Monitoring covers both IT and OT with appropriate tooling and expertise | OT monitoring tooling (passive), coverage matrix, analyst competencies |
| Situational-awareness capability is governed, staffed and improved (MIL2/3) | SOC/monitoring programme doc, staffing plan, MTTD/coverage metrics |
Domain 6 — Event and Incident Response, Continuity of Operations (RESPONSE)
Objectives: (1) Detect Cybersecurity Events; (2) Analyse Cybersecurity Events and Declare Incidents; (3) Respond to and Recover from Incidents; (4) Plan for Continuity; (5) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Cybersecurity events are detected, logged, reported and triaged | Event intake process, ticketing records, escalation criteria |
| Events are analysed and formally declared as incidents against defined criteria | Incident declaration criteria, severity matrix, declared-incident log |
| An incident response plan defines roles, procedures and external notification | IR plan, playbooks, notification/regulatory reporting procedures |
| Incidents are contained, eradicated, recovered and post-incident reviews performed | IR tickets, containment records, lessons-learned / after-action reports |
| Continuity and disaster-recovery plans exist and are tested (incl. OT) | BCP/DR plans, RTO/RPO definitions, exercise reports, backup restoration tests |
| Response and continuity capability is governed, resourced and improved (MIL2/3) | IR programme charter, exercise cadence, response metrics (MTTR) |
Domain 7 — Third-Party Risk Management (THIRD-PARTIES)
Objectives: (1) Identify and Prioritise Third Parties; (2) Manage Third-Party Risks; (3) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Third parties (suppliers, vendors, service providers) are identified and prioritised by risk | Third-party inventory, criticality tiering, dependency mapping |
| Cyber requirements are flowed down to third parties via contracts and agreements | Contract security clauses, SLAs, security addenda, right-to-audit terms |
| Third-party cyber risk is assessed before onboarding and periodically thereafter | Vendor assessments/questionnaires, SOC 2 reports, re-assessment records |
| Third-party access and dependencies are monitored and managed through the relationship | Access controls for vendors, continuous monitoring, offboarding records |
| TPRM is governed, staffed and continuously improved (MIL2/3) | TPRM programme doc, ownership, coverage metrics, review minutes |
Domain 8 — Workforce Management (WORKFORCE)
Objectives: (1) Implement Workforce Controls; (2) Increase Cybersecurity Awareness; (3) Train the Workforce; (4) Manage Cybersecurity Workforce; (5) Management Activities.
| What to verify | Typical evidence |
|---|---|
| Personnel security controls (vetting, screening, agreements) are applied | Background-check policy, screening records, acceptable-use agreements |
| A cybersecurity awareness programme reaches all personnel | Awareness content, completion records, phishing-simulation results |
| Role-based cybersecurity training is delivered to those with security responsibilities | Training matrix by role, certification records, OT-specific training |
| Cybersecurity roles, responsibilities and staffing needs are defined and filled | Org chart, role descriptions, staffing/gap analysis, succession plans |
| Workforce management is governed, resourced and improved (MIL2/3) | Workforce programme doc, competency framework, training metrics |
Domain 9 — Cybersecurity Architecture (ARCHITECTURE)
Objectives: (1) Establish and Maintain Cybersecurity Architecture Strategy and Program; (2) Implement Network Protections as an Element of the Cybersecurity Architecture; (3) Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture; (4) Implement Software Security as an Element of the Cybersecurity Architecture; (5) Implement Data Security as an Element of the Cybersecurity Architecture; (6) Management Activities.
| What to verify | Typical evidence |
|---|---|
| A cybersecurity architecture strategy and programme guide the design of defences | Architecture strategy, reference architectures, design principles, standards |
| Network segmentation and protections (esp. IT/OT boundary) are implemented | Network diagrams, segmentation/DMZ design, firewall rules, IT-OT zone model |
| Host and asset security controls (endpoint, hardening) are implemented | Endpoint protection config, hardening evidence, allow-listing on OT |
| Software security is addressed across the development and acquisition lifecycle | Secure SDLC policy, code-review/SAST records, secure-configuration standards |
| Data security controls (encryption in transit/at rest, integrity) are implemented | Encryption standards, key-management records, DLP configuration |
| Architecture practices are governed, resourced and improved (MIL2/3) | Architecture governance board, standards library, exception process, metrics |
Domain 10 — Cybersecurity Program Management (PROGRAM)
Objectives: (1) Establish Cybersecurity Program Strategy; (2) Establish and Maintain Cybersecurity Program; (3) Management Activities.
| What to verify | Typical evidence |
|---|---|
| A cybersecurity programme strategy aligned to business objectives and risk is established | Programme strategy document, roadmap, alignment to enterprise strategy |
| Executive sponsorship, governance and adequate resourcing exist for the programme | Executive sponsor appointment, governance charter, approved budget |
| The programme provides oversight, policy and direction across all domains | Policy framework, steering-committee minutes, programme reporting |
| The programme is monitored for effectiveness and adjusted over time | Programme KPIs, maturity trend reports, strategy review records |
| Programme management is institutionalised and continuously improved (MIL2/3) | Programme charter, improvement plan, board-level reporting cadence |
Scoping and Materiality / Tiering
Before performing a C2M2 self-evaluation, the organisation must define the function under assessment — a discrete business or operational function whose supporting IT and OT assets bound the assessment. Scoping is critical because C2M2 maturity is meaningful only relative to a defined function and its risk profile.
- Define the function: for example, 'electricity distribution operations for Region X' or 'natural-gas transmission SCADA'. Do not attempt to boil the ocean in a single evaluation.
- Identify supporting assets: enumerate the IT and OT assets, information assets, networks and third parties that enable the function.
- Determine target maturity by risk: higher-consequence functions should target MIL2 or MIL3; lower-consequence functions may reasonably target MIL1 in some domains.
- Apply materiality: focus assessment rigour and evidence collection on the assets and practices most material to safe, reliable operation of the function.
- Segment IT vs OT deliberately: practices often differ in feasibility between IT and OT (e.g. patching cadence), and C2M2 explicitly accommodates this.
| Function consequence tier | Suggested target MIL | Assessment rigour |
|---|---|---|
| Critical / safety-impacting (e.g. bulk electric system, pipeline SCADA) | MIL3 in core domains | Facilitated multi-stakeholder, evidence-backed, annual |
| High (major service function) | MIL2 across all domains | Facilitated, sampled evidence, annual/biennial |
| Moderate (supporting function) | MIL1-MIL2 | Workshop-based self-assessment |
| Low (non-critical) | MIL1 baseline | Lightweight self-assessment |
Implementation Approach
A C2M2 initiative is best run as a phased programme. The following five phases take an organisation from first assessment to sustained improvement.
Phase 1 — Prepare and Scope
- Activities: appoint an executive sponsor; identify the function to assess; assemble a cross-functional team (IT, OT/engineering, risk, security, operations); download the current DOE C2M2 v2.1 toolkit; agree target MILs by domain.
- Deliverables: assessment charter, defined scope statement, stakeholder RACI, project plan and schedule.
Phase 2 — Conduct the Self-Evaluation
- Activities: run facilitated workshops per domain; for each of the 356 practices, rate implementation as Fully / Largely / Partially / Not Implemented; capture rationale and evidence pointers; avoid grade inflation through evidence challenge.
- Deliverables: completed C2M2 scoring workbook, evidence log, domain-by-domain MIL scores, donut/heatmap of results.
Phase 3 — Analyse Gaps and Prioritise
- Activities: compare achieved MILs against target MILs; identify gap practices; assess each gap for risk, effort and dependency; prioritise using risk-versus-effort; align with enterprise risk register.
- Deliverables: gap analysis report, prioritised remediation backlog, business case for investment.
Phase 4 — Remediate and Uplift
- Activities: execute remediation projects (process, technology, people); document procedures to move from ad-hoc to managed; assign owners; institutionalise (sponsor, resource, standardise) to lift management maturity.
- Deliverables: implemented controls, updated policies/procedures, training completed, updated architecture.
Phase 5 — Sustain, Re-assess and Improve
- Activities: embed C2M2 into governance; re-run the self-evaluation periodically (typically annually) to trend maturity; feed results into board reporting; benchmark against peers.
- Deliverables: maturity trend dashboard, updated roadmap, board assurance reporting, continuous-improvement cycle.
Maturity / Capability Model
C2M2 uses a four-level Maturity Indicator Level scale applied per domain. Levels are cumulative and dual-natured (approach and management maturity advance together). The table below describes each level.
| Level | Name / character | Approach maturity | Management (institutionalisation) maturity |
|---|---|---|---|
| MIL0 | Baseline / incomplete | One or more MIL1 practices are not fully performed | Practices are ad-hoc, undocumented, unmanaged |
| MIL1 | Initial | All MIL1 (foundational) practices in the domain are performed, even if ad-hoc | Practices may be performed but are not yet formally managed |
| MIL2 | Performed and managed | MIL1 + MIL2 practices performed; practices are more complete and consistent | Practices are documented, resourced, and stakeholders are assigned |
| MIL3 | Managed and measured | MIL1 + MIL2 + MIL3 practices performed; practices are advanced and integrated | Practices are governed by policy, adequately resourced, reviewed, and improved; performance is measured |
Assessment and Audit Approach
- Confirm scope and the function under assessment, and validate the target MIL for each domain against risk.
- Assemble the cross-functional evaluation team, ensuring OT/engineering, IT, risk and operations are all represented.
- Prepare by gathering existing policies, registers, architecture diagrams and prior assessment results as evidence.
- Facilitate domain workshops sequentially, walking through each Objective and its practices.
- Rate each practice on the four-point implementation scale, recording justification and pointing to evidence.
- Challenge optimistic ratings — require evidence before accepting 'Fully Implemented', especially for management-activity practices.
- Compute the MIL for each domain by applying the cumulative rule (all lower practices must be met).
- Produce the maturity profile (heatmap/donut) and a written gap analysis against target MILs.
- Validate findings with stakeholders and executive sponsor; agree the prioritised remediation roadmap.
- Baseline the results and schedule periodic re-assessment (annually) to enable maturity trending and benchmarking.
Evidence Request List
- Governance and programme: cybersecurity programme strategy, charter, executive sponsor appointment, policy framework, steering-committee minutes, approved budget.
- Risk management: risk management strategy, risk appetite/tolerance statement, risk register, risk methodology, board risk reports.
- Asset and configuration: IT/OT asset inventory (CMDB), information/data inventory and classification, configuration baselines, change-management records.
- Threat and vulnerability: vulnerability scan reports, patch/mitigation records, threat-intel subscriptions, ISAC sharing logs.
- Identity and access: JML process, RBAC/PAM records, access recertification reports, MFA configuration, physical access logs.
- Situational awareness: logging standard and log-source inventory, SIEM/monitoring architecture, detection use-cases, SOC reports, COP dashboards.
- Incident response and continuity: IR plan and playbooks, incident log, after-action reports, BCP/DR plans, RTO/RPO, exercise and backup-restore evidence.
- Third-party risk: third-party inventory and tiering, contract security clauses, vendor assessments, offboarding records.
- Workforce: screening policy and records, awareness completion and phishing results, role-based training matrix, competency framework.
- Architecture: architecture strategy and reference designs, network/segmentation diagrams (IT-OT boundary), hardening standards, secure SDLC records, encryption and key-management standards.
Roles and Responsibilities
| Role | Responsibility in the C2M2 programme |
|---|---|
| Executive Sponsor (CISO / CIO / COO) | Owns the initiative, secures resourcing, sets target MILs, accepts residual risk |
| C2M2 Programme / Assessment Lead | Plans and runs the self-evaluation, facilitates workshops, compiles results |
| OT / Engineering / Operations lead | Provides OT context, validates feasibility of practices in the ICS environment |
| IT / Infrastructure lead | Provides IT asset, network and configuration evidence |
| Cyber Risk Manager | Aligns C2M2 gaps with the enterprise risk register and treatment plans |
| Domain Owners (per domain) | Own remediation for their domain and sustain the practices |
| Internal Audit / Assurance | Independently challenges ratings and validates evidence |
| Board / Risk Committee | Receives maturity reporting and approves strategy and investment |
KPIs / Metrics to Track
- MIL achieved versus target MIL, per domain (the primary programme metric).
- Number of practices at Fully / Largely / Partially / Not Implemented, trended over time.
- Percentage of gap practices remediated against the roadmap.
- Maturity trend (delta) between successive annual assessments per domain.
- Mean time to detect (MTTD) and mean time to respond (MTTR) for incidents (Situational Awareness / Response).
- Vulnerability remediation SLA adherence (Threat and Vulnerability Management).
- Access recertification completion rate and orphaned-account count (Identity and Access).
- Third-party assessment coverage of tiered vendors (Third-Party Risk).
- Awareness training completion and phishing-simulation failure rate (Workforce).
- Percentage of critical assets under configuration baseline and change control (Asset).
- Number of institutionalisation (management-activity) practices met — indicator of sustainability.
Readiness Checklist
- Executive sponsor appointed and target MILs agreed per domain.
- Function under assessment and asset scope clearly defined.
- Cross-functional team (IT, OT, risk, operations, security) assembled.
- Current DOE C2M2 v2.1 toolkit downloaded and understood.
- Existing policies, registers and diagrams gathered as evidence.
- Asset and information inventories current for the scoped function.
- Risk management strategy and register in place.
- Identity, access and MFA controls documented.
- Logging, monitoring and incident-response capabilities evidenced.
- Third-party inventory and assessment records available.
- Workforce awareness and role-based training records available.
- IT-OT network segmentation and architecture documented.
- Self-evaluation workshops scheduled per domain.
- Governance route defined for reporting results to the board.
- Re-assessment cadence (annual) and benchmarking plan established.
Common Gaps and Findings
- Grade inflation — practices rated 'Fully Implemented' without supporting evidence, especially for management-activity practices.
- OT blind spots — asset inventory, monitoring and vulnerability management strong for IT but weak or absent across OT/ICS.
- Weak institutionalisation — practices performed informally by individuals but undocumented, unresourced and unsustainable, capping management maturity.
- IT-OT boundary weaknesses — flat networks, inadequate segmentation and unmanaged remote access into OT.
- Incomplete third-party programme — no tiering, no contractual flow-down of security requirements, no periodic re-assessment.
- Untested continuity plans — BCP/DR documented but never exercised; backups never restore-tested for OT.
- Stale asset and configuration data — inventories not reconciled, configuration drift undetected.
- Risk register disconnected from C2M2 gaps — assessment findings never feed enterprise risk treatment.
- One-off assessment — C2M2 run once for a report but never repeated, so no maturity trend or improvement demonstrated.
- Scope too broad — attempting the whole enterprise in one evaluation, producing shallow, unactionable results.
C2M2 Mapped to Other Frameworks
C2M2 is designed to be complementary to, not competitive with, prescriptive frameworks. The DOE publishes crosswalks (notably to the NIST Cybersecurity Framework). The table below indicates practical alignment for teams that must reconcile multiple frameworks.
| Framework | Relationship to C2M2 | Practical mapping notes |
|---|---|---|
| NIST Cybersecurity Framework (CSF 2.0) | Direct crosswalk published by DOE | C2M2 domains map to CSF Functions (Govern, Identify, Protect, Detect, Respond, Recover); C2M2 adds maturity depth |
| NIST SP 800-53 / 800-82 (OT) | Complementary control catalogue | C2M2 measures maturity; 800-53/800-82 supply the detailed control implementations |
| ISO/IEC 27001 / 27002 | Complementary; management-system vs maturity | C2M2 institutionalisation practices align with ISMS clauses; 27002 controls satisfy many domain practices |
| NERC CIP | Regulatory overlap (electricity) | C2M2 practices support and evidence CIP compliance; C2M2 is broader and voluntary |
| IEC 62443 (IACS security) | Complementary for OT | 62443 zones/conduits and security levels operationalise C2M2 Architecture and Asset domains |
| CIS Critical Security Controls | Complementary safeguards | CIS Controls provide concrete safeguards that raise maturity in Asset, Access, Threat domains |
| CISA Cross-Sector Cybersecurity Performance Goals (CPGs) | Aligned baseline | CPGs offer a prioritised baseline; C2M2 measures depth and maturity beyond the baseline |
Frequently asked questions
Need help with C2M2?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
