Knowledge Center / C2M2
US DOE · Global

Cybersecurity Capability Maturity Model (C2M2)

Maturity model to evaluate and improve cyber capabilities.

Introduction: The Cybersecurity Capability Maturity Model (C2M2)

The Cybersecurity Capability Maturity Model, universally abbreviated as C2M2, is a voluntary self-evaluation instrument developed and stewarded by the United States Department of Energy (US DOE) in partnership with the Department of Homeland Security and hundreds of public- and private-sector participants. First released in 2012 as the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), it was rapidly generalised into a sector-agnostic model. The current version at the time of writing is C2M2 Version 2.1 (released June 2022), which supersedes v2.0 (2021) and the earlier v1.1 (2014). It remains one of the most widely adopted maturity models for operational technology (OT) and information technology (IT) environments, particularly among energy, utilities, oil and gas, and critical-infrastructure operators globally.

C2M2 is fundamentally different from a prescriptive control standard such as ISO/IEC 27001 or the PCI DSS. It does not certify an organisation and it does not mandate specific technologies. Instead, it measures the maturity of an organisation's cybersecurity capabilities across ten domains, expressing each practice at one of four Maturity Indicator Levels (MIL0 through MIL3). This gives boards, CISOs and regulators a defensible, repeatable and benchmarkable picture of where cyber-capability is strong, where it is nascent, and where investment should be prioritised. It is deliberately technology-neutral, threat-informed and scalable from a single facility to an enterprise portfolio of assets.

Copyright and licensing note
C2M2 is published by the US Department of Energy and is available at no cost. The model documentation, the free downloadable HTML/PDF self-evaluation toolkit and the C2M2 name are US Government / DOE materials; the model itself is provided for public benefit and may be used freely for self-assessment. This CyberSigma guide is original explanatory content written by our CERT-In empanelled and PCI QSA auditors. It paraphrases, interprets and operationalises the model for practitioners and does NOT reproduce the copyrighted or trademarked text of the official DOE C2M2 model document. Always download and rely upon the authoritative current release (v2.1) directly from the US DOE for scoring and formal use.

What is C2M2?

C2M2 is a maturity model: a structured collection of cybersecurity practices, organised into logical domains, arranged in a progression from foundational to advanced. An organisation uses the model to perform a facilitated self-assessment, honestly rating whether each practice is fully implemented, largely implemented, partially implemented, or not implemented. The aggregated result is a maturity profile that reveals the organisation's true capability rather than a paper compliance status.

The model is built on three foundational concepts. First, the Maturity Indicator Level (MIL) — a four-point scale (MIL0 to MIL3) applied independently to each of the ten domains. Second, the domain — a logical grouping of related cybersecurity practices (there are ten). Third, the practice — a discrete, assessable statement of a capability an organisation should demonstrate. Practices within a domain are grouped by Objective, and each practice is tagged with the lowest MIL at which it is expected.

Crucially, C2M2 measures two dimensions of maturity in parallel. Approach maturity captures the completeness, sophistication and repeatability of the practices themselves (are they ad-hoc, documented, managed?). Management maturity (also called institutionalisation) captures the degree to which practices are governed — sponsored, resourced, assigned, standardised and improved over time. Both must advance together; a practice performed heroically by one engineer but never documented or resourced cannot claim a high MIL.

  • Voluntary, free, and self-administered — no external certification body is required.
  • Descriptive and diagnostic rather than prescriptive — it tells you your maturity, not which product to buy.
  • Applicable to both IT and OT / industrial control system (ICS) environments — a key differentiator from IT-only frameworks.
  • Scalable — usable by a small utility co-operative or a multinational energy major.
  • Threat-informed and risk-based — practices are framed around managing cyber risk to function.
  • Benchmarkable — results can be trended over time and (anonymously) compared across peers.

Who Must Comply / Scope of Applicability

C2M2 is voluntary; strictly speaking no organisation is legally compelled to use it. However, it has become a de facto expectation and, in several regulatory and contractual contexts, a recommended or referenced framework. It is most heavily used by critical-infrastructure sectors, and increasingly by any organisation operating significant OT estates. The following table summarises the primary populations that adopt or are steered towards C2M2.

Sector / populationNature of applicabilityTypical driver
Electricity generation, transmission and distributionDe facto standard (origin sector)DOE programmes, RRAP, board assurance, NERC CIP alignment
Oil and natural gas (pipelines, midstream, LNG)Strongly recommendedTSA Security Directives, ONG-C2M2 variant, OT risk management
Water and wastewater utilitiesRecommended / adoptedAWWA guidance, critical-infrastructure protection
Manufacturing and industrial (OT-heavy)Voluntary but commonOT/ICS risk visibility, insurer expectations
Federal / government energy programmesFrequently mandated by policyAgency cyber directives, procurement clauses
Critical-infrastructure operators (global)Voluntary benchmarkingNational critical-infra schemes, supply-chain assurance
Vendors and suppliers to the aboveContractual flow-downThird-party / supply-chain risk requirements
Voluntary but consequential
Although C2M2 imposes no statutory deadline or penalty of its own, poor maturity revealed by a C2M2 self-assessment frequently becomes evidence in regulatory examinations (for example NERC CIP audits), cyber-insurance underwriting, M&A due diligence, and board risk reporting. Treat it as a governance instrument, not merely a checklist.

Structure of C2M2

C2M2 v2.1 is organised into ten domains. Each domain contains a set of Objectives, and each Objective contains a set of Practices. Practices are assigned to Maturity Indicator Levels MIL1, MIL2 or MIL3. Every domain additionally contains a set of institutionalisation (Management Activities) practices that describe how the domain is governed. The ten domains and their standard two-to-four-letter abbreviations are shown below.

#DomainAbbrev.Purpose (paraphrased)
1Asset, Change, and Configuration ManagementASSETManage IT and OT assets, including their configuration and changes, commensurate with risk.
2Threat and Vulnerability ManagementTHREATEstablish and maintain plans, procedures and technologies to detect, identify, analyse and respond to threats and vulnerabilities.
3Risk ManagementRISKEstablish, operate and maintain an enterprise cyber-risk management programme aligned to organisational risk tolerance.
4Identity and Access ManagementACCESSCreate and manage identities and control logical and physical access for personnel and entities.
5Situational AwarenessSITUATIONEstablish and maintain activities to gather, analyse, alarm and report on the cybersecurity operating state.
6Event and Incident Response, Continuity of OperationsRESPONSEDetect, analyse, respond to and recover from cybersecurity events and incidents; sustain operations.
7Third-Party Risk ManagementTHIRD-PARTIESManage cyber risk arising from suppliers, vendors and other external dependencies.
8Workforce ManagementWORKFORCECreate a culture of cybersecurity and ensure a skilled, accountable and vetted workforce.
9Cybersecurity ArchitectureARCHITECTUREEstablish and maintain the structure and behaviour of the organisation's cybersecurity architecture.
10Cybersecurity Program ManagementPROGRAMEstablish and maintain an enterprise cybersecurity programme providing governance, strategy and sponsorship.

Across the ten domains, C2M2 v2.1 contains 356 practices in total. Each practice is a single assessable statement rated on the four-point implementation scale. The Maturity Indicator Levels are cumulative: to claim MIL2 in a domain the organisation must have achieved all MIL1 practices AND all MIL2 practices in that domain; to claim MIL3 it must additionally achieve all MIL3 practices. MIL0 is the default state indicating that not all MIL1 practices are met.

Master Assessment Checklist

This is the operational heart of the guide. Below, every one of the ten domains is enumerated with its representative Objectives and the key verification points an auditor should test, alongside the typical evidence an implementer should be prepared to produce. The checklists are framed to cover MIL1 (foundational), MIL2 (documented and managed) and MIL3 (measured and improving) expectations. No domain is omitted.

Domain 1 — Asset, Change, and Configuration Management (ASSET)

Objectives: (1) Manage IT and OT Asset Inventory; (2) Manage Information Asset Inventory; (3) Manage IT and OT Asset Configuration; (4) Manage Changes to IT and OT Assets; (5) Management Activities.

What to verifyTypical evidence
A prioritised inventory of IT and OT assets exists and is maintained at the risk-driven level of detailAsset register / CMDB export, OT asset discovery reports, inventory update policy
Information assets (data) are inventoried and prioritised by importance to functionData inventory, data classification scheme, information asset owners list
Configuration baselines are established for assets and deviations are managedHardening baselines (CIS/vendor), configuration standards, drift-detection reports
A change-management process governs changes to IT and OT assets, including emergency changesChange management policy, change tickets/CAB minutes, emergency change records
Inventory and configuration data are current, and de-provisioning of retired assets occursAsset lifecycle records, decommissioning logs, reconciliation reports
Practices are governed: sponsored, staffed, documented, resourced, and reviewed for improvement (MIL2/3)Domain procedures, RACI, budget lines, periodic review minutes, metrics

Domain 2 — Threat and Vulnerability Management (THREAT)

Objectives: (1) Reduce Cybersecurity Vulnerabilities; (2) Respond to Threats and Share Threat Information; (3) Management Activities.

What to verifyTypical evidence
Vulnerabilities are identified (scanning, feeds, assessments) across IT and OTVulnerability scan reports, OT-safe assessment methodology, coverage matrix
Vulnerabilities are analysed, prioritised and remediated or mitigated within defined timeframesRemediation SLAs, risk-based prioritisation, patch and mitigation records
Cyber threat information is gathered, analysed and used to inform defencesThreat intel subscriptions (E-ISAC/ISAC), analyst briefings, IOC feeds
Threat information is shared with appropriate internal and external partiesInformation-sharing agreements, submissions to ISAC/CISA, sharing logs
Threat and vulnerability activities are documented, resourced and continuously improved (MIL2/3)TVM programme document, tooling budget, effectiveness metrics, review records

Domain 3 — Risk Management (RISK)

Objectives: (1) Establish and Maintain Cyber Risk Management Strategy and Program; (2) Manage Cyber Risk; (3) Management Activities.

What to verifyTypical evidence
A documented cyber-risk management strategy exists, aligned to enterprise risk and risk toleranceRisk management strategy, risk appetite/tolerance statement, board approval
Risk is identified, analysed, prioritised and treated using a defined methodologyRisk register, risk assessment methodology, treatment plans, residual-risk sign-off
Risk criteria (impact, likelihood) are defined and applied consistentlyRisk scoring matrix, calibration guidance, worked examples
Risk is monitored and reported to governance, and the register is kept currentRisk reports to board/committee, review cadence records, KRIs
Risk management is institutionalised — sponsored, staffed and improved (MIL2/3)Programme charter, risk-owner assignments, maturity review of the process

Domain 4 — Identity and Access Management (ACCESS)

Objectives: (1) Establish and Maintain Identities; (2) Control Logical Access; (3) Control Physical Access; (4) Management Activities.

What to verifyTypical evidence
Identities are provisioned, maintained and de-provisioned for people, devices and servicesJoiner-mover-leaver process, identity lifecycle records, service-account inventory
Logical access is granted on least-privilege and separation-of-duties principlesAccess policy, RBAC matrix, privileged-access management (PAM) records
Access is periodically reviewed and revoked when no longer requiredAccess recertification reports, revocation tickets, orphan-account reviews
Multi-factor / strong authentication is enforced commensurate with risk (esp. remote/privileged)MFA configuration evidence, remote-access policy, VPN/PAM logs
Physical access to assets (including OT facilities) is controlled and loggedBadge system records, visitor logs, physical zone definitions
IAM is governed, documented, resourced and improved (MIL2/3)IAM procedures, ownership, access metrics, review minutes

Domain 5 — Situational Awareness (SITUATION)

Objectives: (1) Perform Logging; (2) Perform Monitoring; (3) Establish and Maintain a Common Operating Picture; (4) Management Activities.

What to verifyTypical evidence
Logging is performed across IT and OT assets at a risk-appropriate levelLogging standard, log-source inventory, retention configuration
Monitoring detects anomalous and adversarial activity and generates alarmsSIEM/monitoring architecture, use-case/detection list, alert samples
Logs and alerts are correlated into a common operating picture (COP) for cyber stateCOP dashboards, correlation rules, SOC shift reports
Monitoring covers both IT and OT with appropriate tooling and expertiseOT monitoring tooling (passive), coverage matrix, analyst competencies
Situational-awareness capability is governed, staffed and improved (MIL2/3)SOC/monitoring programme doc, staffing plan, MTTD/coverage metrics

Domain 6 — Event and Incident Response, Continuity of Operations (RESPONSE)

Objectives: (1) Detect Cybersecurity Events; (2) Analyse Cybersecurity Events and Declare Incidents; (3) Respond to and Recover from Incidents; (4) Plan for Continuity; (5) Management Activities.

What to verifyTypical evidence
Cybersecurity events are detected, logged, reported and triagedEvent intake process, ticketing records, escalation criteria
Events are analysed and formally declared as incidents against defined criteriaIncident declaration criteria, severity matrix, declared-incident log
An incident response plan defines roles, procedures and external notificationIR plan, playbooks, notification/regulatory reporting procedures
Incidents are contained, eradicated, recovered and post-incident reviews performedIR tickets, containment records, lessons-learned / after-action reports
Continuity and disaster-recovery plans exist and are tested (incl. OT)BCP/DR plans, RTO/RPO definitions, exercise reports, backup restoration tests
Response and continuity capability is governed, resourced and improved (MIL2/3)IR programme charter, exercise cadence, response metrics (MTTR)

Domain 7 — Third-Party Risk Management (THIRD-PARTIES)

Objectives: (1) Identify and Prioritise Third Parties; (2) Manage Third-Party Risks; (3) Management Activities.

What to verifyTypical evidence
Third parties (suppliers, vendors, service providers) are identified and prioritised by riskThird-party inventory, criticality tiering, dependency mapping
Cyber requirements are flowed down to third parties via contracts and agreementsContract security clauses, SLAs, security addenda, right-to-audit terms
Third-party cyber risk is assessed before onboarding and periodically thereafterVendor assessments/questionnaires, SOC 2 reports, re-assessment records
Third-party access and dependencies are monitored and managed through the relationshipAccess controls for vendors, continuous monitoring, offboarding records
TPRM is governed, staffed and continuously improved (MIL2/3)TPRM programme doc, ownership, coverage metrics, review minutes

Domain 8 — Workforce Management (WORKFORCE)

Objectives: (1) Implement Workforce Controls; (2) Increase Cybersecurity Awareness; (3) Train the Workforce; (4) Manage Cybersecurity Workforce; (5) Management Activities.

What to verifyTypical evidence
Personnel security controls (vetting, screening, agreements) are appliedBackground-check policy, screening records, acceptable-use agreements
A cybersecurity awareness programme reaches all personnelAwareness content, completion records, phishing-simulation results
Role-based cybersecurity training is delivered to those with security responsibilitiesTraining matrix by role, certification records, OT-specific training
Cybersecurity roles, responsibilities and staffing needs are defined and filledOrg chart, role descriptions, staffing/gap analysis, succession plans
Workforce management is governed, resourced and improved (MIL2/3)Workforce programme doc, competency framework, training metrics

Domain 9 — Cybersecurity Architecture (ARCHITECTURE)

Objectives: (1) Establish and Maintain Cybersecurity Architecture Strategy and Program; (2) Implement Network Protections as an Element of the Cybersecurity Architecture; (3) Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture; (4) Implement Software Security as an Element of the Cybersecurity Architecture; (5) Implement Data Security as an Element of the Cybersecurity Architecture; (6) Management Activities.

What to verifyTypical evidence
A cybersecurity architecture strategy and programme guide the design of defencesArchitecture strategy, reference architectures, design principles, standards
Network segmentation and protections (esp. IT/OT boundary) are implementedNetwork diagrams, segmentation/DMZ design, firewall rules, IT-OT zone model
Host and asset security controls (endpoint, hardening) are implementedEndpoint protection config, hardening evidence, allow-listing on OT
Software security is addressed across the development and acquisition lifecycleSecure SDLC policy, code-review/SAST records, secure-configuration standards
Data security controls (encryption in transit/at rest, integrity) are implementedEncryption standards, key-management records, DLP configuration
Architecture practices are governed, resourced and improved (MIL2/3)Architecture governance board, standards library, exception process, metrics

Domain 10 — Cybersecurity Program Management (PROGRAM)

Objectives: (1) Establish Cybersecurity Program Strategy; (2) Establish and Maintain Cybersecurity Program; (3) Management Activities.

What to verifyTypical evidence
A cybersecurity programme strategy aligned to business objectives and risk is establishedProgramme strategy document, roadmap, alignment to enterprise strategy
Executive sponsorship, governance and adequate resourcing exist for the programmeExecutive sponsor appointment, governance charter, approved budget
The programme provides oversight, policy and direction across all domainsPolicy framework, steering-committee minutes, programme reporting
The programme is monitored for effectiveness and adjusted over timeProgramme KPIs, maturity trend reports, strategy review records
Programme management is institutionalised and continuously improved (MIL2/3)Programme charter, improvement plan, board-level reporting cadence

Scoping and Materiality / Tiering

Before performing a C2M2 self-evaluation, the organisation must define the function under assessment — a discrete business or operational function whose supporting IT and OT assets bound the assessment. Scoping is critical because C2M2 maturity is meaningful only relative to a defined function and its risk profile.

  • Define the function: for example, 'electricity distribution operations for Region X' or 'natural-gas transmission SCADA'. Do not attempt to boil the ocean in a single evaluation.
  • Identify supporting assets: enumerate the IT and OT assets, information assets, networks and third parties that enable the function.
  • Determine target maturity by risk: higher-consequence functions should target MIL2 or MIL3; lower-consequence functions may reasonably target MIL1 in some domains.
  • Apply materiality: focus assessment rigour and evidence collection on the assets and practices most material to safe, reliable operation of the function.
  • Segment IT vs OT deliberately: practices often differ in feasibility between IT and OT (e.g. patching cadence), and C2M2 explicitly accommodates this.
Function consequence tierSuggested target MILAssessment rigour
Critical / safety-impacting (e.g. bulk electric system, pipeline SCADA)MIL3 in core domainsFacilitated multi-stakeholder, evidence-backed, annual
High (major service function)MIL2 across all domainsFacilitated, sampled evidence, annual/biennial
Moderate (supporting function)MIL1-MIL2Workshop-based self-assessment
Low (non-critical)MIL1 baselineLightweight self-assessment

Implementation Approach

A C2M2 initiative is best run as a phased programme. The following five phases take an organisation from first assessment to sustained improvement.

Phase 1 — Prepare and Scope

  • Activities: appoint an executive sponsor; identify the function to assess; assemble a cross-functional team (IT, OT/engineering, risk, security, operations); download the current DOE C2M2 v2.1 toolkit; agree target MILs by domain.
  • Deliverables: assessment charter, defined scope statement, stakeholder RACI, project plan and schedule.

Phase 2 — Conduct the Self-Evaluation

  • Activities: run facilitated workshops per domain; for each of the 356 practices, rate implementation as Fully / Largely / Partially / Not Implemented; capture rationale and evidence pointers; avoid grade inflation through evidence challenge.
  • Deliverables: completed C2M2 scoring workbook, evidence log, domain-by-domain MIL scores, donut/heatmap of results.

Phase 3 — Analyse Gaps and Prioritise

  • Activities: compare achieved MILs against target MILs; identify gap practices; assess each gap for risk, effort and dependency; prioritise using risk-versus-effort; align with enterprise risk register.
  • Deliverables: gap analysis report, prioritised remediation backlog, business case for investment.

Phase 4 — Remediate and Uplift

  • Activities: execute remediation projects (process, technology, people); document procedures to move from ad-hoc to managed; assign owners; institutionalise (sponsor, resource, standardise) to lift management maturity.
  • Deliverables: implemented controls, updated policies/procedures, training completed, updated architecture.

Phase 5 — Sustain, Re-assess and Improve

  • Activities: embed C2M2 into governance; re-run the self-evaluation periodically (typically annually) to trend maturity; feed results into board reporting; benchmark against peers.
  • Deliverables: maturity trend dashboard, updated roadmap, board assurance reporting, continuous-improvement cycle.

Maturity / Capability Model

C2M2 uses a four-level Maturity Indicator Level scale applied per domain. Levels are cumulative and dual-natured (approach and management maturity advance together). The table below describes each level.

LevelName / characterApproach maturityManagement (institutionalisation) maturity
MIL0Baseline / incompleteOne or more MIL1 practices are not fully performedPractices are ad-hoc, undocumented, unmanaged
MIL1InitialAll MIL1 (foundational) practices in the domain are performed, even if ad-hocPractices may be performed but are not yet formally managed
MIL2Performed and managedMIL1 + MIL2 practices performed; practices are more complete and consistentPractices are documented, resourced, and stakeholders are assigned
MIL3Managed and measuredMIL1 + MIL2 + MIL3 practices performed; practices are advanced and integratedPractices are governed by policy, adequately resourced, reviewed, and improved; performance is measured
Cumulative and per-domain
An organisation does not receive a single overall C2M2 score. It receives a MIL rating for each of the ten domains. Because levels are cumulative, one unmet MIL1 practice in a domain caps that domain at MIL0 regardless of how many higher practices are met. This deliberately prevents cherry-picking advanced capabilities while neglecting fundamentals.

Assessment and Audit Approach

  1. Confirm scope and the function under assessment, and validate the target MIL for each domain against risk.
  2. Assemble the cross-functional evaluation team, ensuring OT/engineering, IT, risk and operations are all represented.
  3. Prepare by gathering existing policies, registers, architecture diagrams and prior assessment results as evidence.
  4. Facilitate domain workshops sequentially, walking through each Objective and its practices.
  5. Rate each practice on the four-point implementation scale, recording justification and pointing to evidence.
  6. Challenge optimistic ratings — require evidence before accepting 'Fully Implemented', especially for management-activity practices.
  7. Compute the MIL for each domain by applying the cumulative rule (all lower practices must be met).
  8. Produce the maturity profile (heatmap/donut) and a written gap analysis against target MILs.
  9. Validate findings with stakeholders and executive sponsor; agree the prioritised remediation roadmap.
  10. Baseline the results and schedule periodic re-assessment (annually) to enable maturity trending and benchmarking.

Evidence Request List

  • Governance and programme: cybersecurity programme strategy, charter, executive sponsor appointment, policy framework, steering-committee minutes, approved budget.
  • Risk management: risk management strategy, risk appetite/tolerance statement, risk register, risk methodology, board risk reports.
  • Asset and configuration: IT/OT asset inventory (CMDB), information/data inventory and classification, configuration baselines, change-management records.
  • Threat and vulnerability: vulnerability scan reports, patch/mitigation records, threat-intel subscriptions, ISAC sharing logs.
  • Identity and access: JML process, RBAC/PAM records, access recertification reports, MFA configuration, physical access logs.
  • Situational awareness: logging standard and log-source inventory, SIEM/monitoring architecture, detection use-cases, SOC reports, COP dashboards.
  • Incident response and continuity: IR plan and playbooks, incident log, after-action reports, BCP/DR plans, RTO/RPO, exercise and backup-restore evidence.
  • Third-party risk: third-party inventory and tiering, contract security clauses, vendor assessments, offboarding records.
  • Workforce: screening policy and records, awareness completion and phishing results, role-based training matrix, competency framework.
  • Architecture: architecture strategy and reference designs, network/segmentation diagrams (IT-OT boundary), hardening standards, secure SDLC records, encryption and key-management standards.

Roles and Responsibilities

RoleResponsibility in the C2M2 programme
Executive Sponsor (CISO / CIO / COO)Owns the initiative, secures resourcing, sets target MILs, accepts residual risk
C2M2 Programme / Assessment LeadPlans and runs the self-evaluation, facilitates workshops, compiles results
OT / Engineering / Operations leadProvides OT context, validates feasibility of practices in the ICS environment
IT / Infrastructure leadProvides IT asset, network and configuration evidence
Cyber Risk ManagerAligns C2M2 gaps with the enterprise risk register and treatment plans
Domain Owners (per domain)Own remediation for their domain and sustain the practices
Internal Audit / AssuranceIndependently challenges ratings and validates evidence
Board / Risk CommitteeReceives maturity reporting and approves strategy and investment

KPIs / Metrics to Track

  • MIL achieved versus target MIL, per domain (the primary programme metric).
  • Number of practices at Fully / Largely / Partially / Not Implemented, trended over time.
  • Percentage of gap practices remediated against the roadmap.
  • Maturity trend (delta) between successive annual assessments per domain.
  • Mean time to detect (MTTD) and mean time to respond (MTTR) for incidents (Situational Awareness / Response).
  • Vulnerability remediation SLA adherence (Threat and Vulnerability Management).
  • Access recertification completion rate and orphaned-account count (Identity and Access).
  • Third-party assessment coverage of tiered vendors (Third-Party Risk).
  • Awareness training completion and phishing-simulation failure rate (Workforce).
  • Percentage of critical assets under configuration baseline and change control (Asset).
  • Number of institutionalisation (management-activity) practices met — indicator of sustainability.

Readiness Checklist

  • Executive sponsor appointed and target MILs agreed per domain.
  • Function under assessment and asset scope clearly defined.
  • Cross-functional team (IT, OT, risk, operations, security) assembled.
  • Current DOE C2M2 v2.1 toolkit downloaded and understood.
  • Existing policies, registers and diagrams gathered as evidence.
  • Asset and information inventories current for the scoped function.
  • Risk management strategy and register in place.
  • Identity, access and MFA controls documented.
  • Logging, monitoring and incident-response capabilities evidenced.
  • Third-party inventory and assessment records available.
  • Workforce awareness and role-based training records available.
  • IT-OT network segmentation and architecture documented.
  • Self-evaluation workshops scheduled per domain.
  • Governance route defined for reporting results to the board.
  • Re-assessment cadence (annual) and benchmarking plan established.

Common Gaps and Findings

  • Grade inflation — practices rated 'Fully Implemented' without supporting evidence, especially for management-activity practices.
  • OT blind spots — asset inventory, monitoring and vulnerability management strong for IT but weak or absent across OT/ICS.
  • Weak institutionalisation — practices performed informally by individuals but undocumented, unresourced and unsustainable, capping management maturity.
  • IT-OT boundary weaknesses — flat networks, inadequate segmentation and unmanaged remote access into OT.
  • Incomplete third-party programme — no tiering, no contractual flow-down of security requirements, no periodic re-assessment.
  • Untested continuity plans — BCP/DR documented but never exercised; backups never restore-tested for OT.
  • Stale asset and configuration data — inventories not reconciled, configuration drift undetected.
  • Risk register disconnected from C2M2 gaps — assessment findings never feed enterprise risk treatment.
  • One-off assessment — C2M2 run once for a report but never repeated, so no maturity trend or improvement demonstrated.
  • Scope too broad — attempting the whole enterprise in one evaluation, producing shallow, unactionable results.

C2M2 Mapped to Other Frameworks

C2M2 is designed to be complementary to, not competitive with, prescriptive frameworks. The DOE publishes crosswalks (notably to the NIST Cybersecurity Framework). The table below indicates practical alignment for teams that must reconcile multiple frameworks.

FrameworkRelationship to C2M2Practical mapping notes
NIST Cybersecurity Framework (CSF 2.0)Direct crosswalk published by DOEC2M2 domains map to CSF Functions (Govern, Identify, Protect, Detect, Respond, Recover); C2M2 adds maturity depth
NIST SP 800-53 / 800-82 (OT)Complementary control catalogueC2M2 measures maturity; 800-53/800-82 supply the detailed control implementations
ISO/IEC 27001 / 27002Complementary; management-system vs maturityC2M2 institutionalisation practices align with ISMS clauses; 27002 controls satisfy many domain practices
NERC CIPRegulatory overlap (electricity)C2M2 practices support and evidence CIP compliance; C2M2 is broader and voluntary
IEC 62443 (IACS security)Complementary for OT62443 zones/conduits and security levels operationalise C2M2 Architecture and Asset domains
CIS Critical Security ControlsComplementary safeguardsCIS Controls provide concrete safeguards that raise maturity in Asset, Access, Threat domains
CISA Cross-Sector Cybersecurity Performance Goals (CPGs)Aligned baselineCPGs offer a prioritised baseline; C2M2 measures depth and maturity beyond the baseline
How CyberSigma helps
CyberSigma's CERT-In empanelled and PCI QSA-led OT/ICS practice runs end-to-end C2M2 engagements: scoping the right function, facilitating evidence-backed self-evaluations across all ten domains, producing a defensible maturity heatmap, and building a risk-prioritised remediation roadmap that lifts you from MIL1 to your target MIL. We integrate C2M2 with NIST CSF 2.0, IEC 62443 and NERC CIP so a single assessment satisfies multiple stakeholders, and we embed annual re-assessment and board-ready maturity trending so improvement is demonstrable. Talk to CyberSigma to move from an honest maturity baseline to sustained, evidenced cyber-capability across your IT and OT estate.

Frequently asked questions

Is C2M2 only for the energy sector?
No — though DOE-developed for energy, C2M2 is sector-agnostic and used broadly to measure cybersecurity maturity.
Official documents

Need help with C2M2?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.