The Cybersecurity Capability Maturity Model (C2M2) is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments.  

Logo for the Cybersecurity Capability Maturity Model

While the U.S. energy industry led development of the C2M2 and championed its adoption, any organization—regardless of size, type, or industry—can use the model to evaluate, prioritize, and improve their cybersecurity capabilities.

Model Document

 

Self-Evaluation Tools

The tool, available on two platforms, offers interactive features and help text, allows users to securely record results, and automatically generates a detailed, graphical report. Results from either version can be saved and loaded into the other platform.  

An organization can complete a self-evaluation using the C2M2 tools in as little as one day. If requested, DOE can also facilitate a free C2M2 self-evaluation for U.S. energy sector organizations. Email us at C2M2@hq.doe.gov for more information.

Download the C2M2 Version 2.1Latest version, released June 2022

 

HTML-based Self-Evaluation Tool: Access the tool at c2m2.doe.gov

PDF-based Self-Evaluation Tool: Send a request to C2M2@hq.doe.gov

In both tools, all user data remains only on user devices.

Additional Resources

Self-Evaluation GuideGuides users to plan and facilitate a self-evaluation workshop with key participants in their organization
Self-Evaluation Workshop Kickoff PresentationSupports planning for a self-evaluation workshop
HTML-based Tool User GuideStep-by-step guide to using the HTML-Based Self-Evaluation Tool
PDF-based Tool User GuideStep-by-step guide to using the Self-Evaluation Tool
C2M2 Model Practices (Excel file)Provides C2M2 practices and help text in a spreadsheet format
C2M2 Overview PresentationIntroduces C2M2 to key decision makers
Self-Evaluation Cheat SheetOffers a placemat-style reference guide for participants during a self-evaluation
C2M2 to CSF MappingsBi-directional mappings between the NIST Cybersecurity Framework V1.1 and the C2M2 (V2.1 and V2.0) practices, demonstrating strong alignment between the frameworks
C2M2 Legacy Mapping: V1.1 to V2.1Maps model practices in V1.1 to V2.1 to aid in updating self-evaluations
C2M2 Legacy Mapping: V2.0 to V2.1Maps model practices in V2.0 to V2.1 to aid in updating self-evaluations
C2M2-CMMC Supplemental GuidanceSupplemental guidance for C2M2 users subject to the Department of Defense Cybersecurity Maturity Model Certification (CMMC)
 Sample Threat Profile (coming soon)Offers an example of an organization’s threat profile, referenced by multiple C2M2 practices

Read the Version 2.1 announcement to see what’s new in this version and how the model was updated.

A rising three bar graph. the bars are labeled crawl, walk, and run and each bar has a figure in each stage of movement.

What is a Maturity Model?

  • A Crawl/Walk/Run-style set of characteristics, practices, or processes that represent the progression of capabilities in a particular discipline
  • A tool to benchmark current capabilities and identify goals and priorities for improvement

Organizations can use the C2M2 to consistently measure their cybersecurity capabilities over time, identify target maturity levels based on risk, and prioritize the actions and investments that allow them to meet their targets.

four icons in a row with the label C2M2 goals. The four icons are labeled enhance cyber posture, consistently measure cyber capabilities, share knowledge, prioritize actions and investments

C2M2 User Community

U.S. energy organizations have been using the C2M2 to evaluate and improve their cybersecurity capabilities for more than a decade. Since 2012, DOE has responded to more than 2,400 requests for the C2M2 PDF-based Tool from owners and operators in U.S. critical infrastructure sectors and international partners that are adopting the model. Increasing tool requests suggests a growing adoption of the C2M2 across the globe.

This is a graph labeled C2M2 Tool requests by sector. A pie chart outlines the top five sectors: (40.4%) energy, (33.4%) information technology, (7.2%) government facilities, (5.2%) financial services, and (4.2%) communications.

History of the C2M2

DOE developed the C2M2 in 2012 with energy and cybersecurity industry experts, in support of a White House initiative focused on assessing the security posture of the electricity industry. Hundreds of energy sector stakeholders have participated in subsequent model updates.

Version 1.1, released in 2014, included three versions targeting users in the electricity sector, oil and natural gas sector, and all sectors. Version 2.0, released July 2021, unified the model into one version tailored for the energy sector and made significant updates to reflect changing technology, threats, and security approaches. Version 2.1 – the latest release from June 2022 – made further refinements to the model and tools.

Components of the C2M2

The model contains more than 350 cybersecurity practices, which are grouped by objective into 10 logical domains. Each practice is assigned a maturity indicator level (MIL) that indicates the progression of practices within a domain.

Domains

A domain contains a structured set of cybersecurity practices focused on a specific subject area. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature its cyber risk management capability. 

This is a list c2m2 domains. This list is as follows: Asset change and confirmation management (asset), Cybersecurity architecture (Architecture), cybersecurity program management (program), event and incident response continuity of operations (response), identity and access management (access), risk management (risk), situation awareness (situation), third-party risk management (third-parties), threat and vulnerability management (threat), workforce management (workforce)

Objectives

Practices within each domain are organized into objectives that can be achieved by implementing the practices in the domain. For example, the Risk Management domain comprises five objectives:

  1. Establish and Maintain Cyber Risk Management Strategy and Program
  2. Identify Cyber Risk
  3. Analyze Cyber Risk
  4. Respond to Cyber Risk
  5. Management Activities

Practices

Practices are the most fundamental component of the C2M2. Each practice is a brief statement describing a cybersecurity activity that may be performed by an organization. Practices within each domain are organized to progress along a maturity scale.

Maturity Indicator Levels (MILs)

To measure progression, the C2M2 uses a scale of maturity indicator levels, each representing maturity attributes described in the table below. Organizations that implement the cybersecurity practices within each MIL achieve that level.

This is a graphic outlining the three maturity indicator levels (MILs). Mil 1 is the initiated level, Mil 2 is the performed level, and Mil 3 is the Managed level.

News and Updates