
Cybersecurity Capability Maturity Model (C2M2) by US Department of Energy


Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats.

The Cybersecurity Capability Maturity Model can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience.

The C2M2 focuses on the implementation and management of cybersecurity practices associated with IT, OT, and information assets and the environments in which they operate.

The model can be used to:

- strengthen organizations’ cybersecurity capabilities
- enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
- share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
- enable organizations to prioritize actions and investments to improve cybersecurity capabilities

The C2M2 is designed to guide the development of a new cybersecurity program or for use with a self-evaluation methodology to enable an organization to measure and improve an existing cybersecurity program. Two C2M2 self-evaluation tools are available for free to any organization. These include a PDF-based tool and an HTML-based tool. Both tools may be obtained by visiting the DOE’s C2M2 webpage.[2] Both tools maintain all data on users’ local machines. A self-evaluation using one of the tools can be completed in one day, but the model could also be adapted for a more rigorous self-evaluation effort.

The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so that it can be applied by organizations of various types, structures, sizes, and industries. Broad use of the model by a sector can support benchmarking of the sector’s cybersecurity capabilities. These attributes also make the C2M2 an easily scalable tool for implementing the NIST Cybersecurity Framework [NIST CSF].

Intended Audience

The C2M2 enables organizations to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity investments.

The model was developed with asset owners and operators in the electricity, oil, and natural gas industries, and can be used by organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. Within an organization, various stakeholders may benefit from familiarity with the model. This document specifically targets people in the following organizational roles:

- Decision makers (executives) who control the allocation of resources and the management of risk in organizations; these are typically senior leaders
- Leaders with responsibility for managing organizational resources and operations associated with the domains of this model (See Section 4.1 for more information on the content of each C2M2 domain.)
- Practitioners with responsibility for supporting the organization in the use of the model (planning and managing changes in the organization based on the model)
- Facilitators with responsibility for leading a self-evaluation of the organization based on the model and an evaluation tool and analyzing the self-evaluation results[3]

[2] The C2M2 self-evaluation tools may be obtained by sending a request to C2M2@hq.doe.gov or by visiting https://www.energy.gov/C2M2.

(Cybersecurity Capability Maturity Model, Version 2.1, Introduction)
