C2M2: The government's free model for assessing your cybersecurity protocols

Mar 29, 2019

Cyber threat actors around the world seek access to critical infrastructure and data. Organizations are adopting the federal government’s free Cybersecurity Capability Maturity Model to protect themselves.

Cybersecurity is among the most serious national and economic challenges confronting the United States today. From private institutions to government agencies, the consequences of unprotected data have rattled organizations to their core. Now, leaders at both private and public institutions are using the federal government’s open source Cybersecurity Capability Maturity Model (C2M2) to prevent cyber attacks and enhance resilience.

Protecting critical infrastructure from cyber threats

The C2M2 program, run by the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability, enhances the security and resilience of the nation's critical cyber infrastructure. The DOE chose to make C2M2 open source so that outside institutions can effectively protect their own systems from intrusion.

In essence, C2M2 helps organizations evaluate and improve their cybersecurity, using freely available toolkits and resources, so that their valuable data is not compromised.

Established in 2012, the original model was dubbed ES-C2M2 and was the result of a White House initiative for the electricity subsector. The effort was led by the DOE in partnership with the U.S. Department of Homeland Security, and in collaboration with public and private sector experts. In February 2014, the DOE published the first version of the model.

The program comprises three key components:

  • Electricity Subsector-Cybersecurity Capability Maturity Model (ES-C2M2)
  • Oil and Natural Gas Subsector-Cybersecurity Capability Maturity Model (ONG-C2M2)
  • Cybersecurity Capability Maturity Model (C2M2)

The current C2M2 is designed to be an easily replicable framework that measures a set of defined characteristics for strengths and vulnerabilities in any organization, regardless of its industry or size. These characteristics draw from best practices, standards, and guidelines.

How the C2M2 works

An organization that intends to roll out C2M2 typically starts the process with a day-long collaborative session to evaluate its current security measures. Each current practice is categorized as fully implemented, largely implemented, partially implemented, not implemented, or not applicable. The answers are then recorded in the C2M2 toolkit.

[Figure: C2M2 model graphic]

The model looks at 10 domains of cybersecurity in this evaluation phase:

  • Risk management
  • Asset, change, and configuration management
  • Identity and access management
  • Threat and vulnerability management
  • Situational awareness
  • Information sharing and communications
  • Event and incident response, continuity of operations
  • Supply chain and external dependencies management
  • Workforce management
  • Cybersecurity program management

The toolkit processes the answers and generates a detailed summary of gaps. Each domain within the organization is then ranked at a Maturity Indicator Level (MIL), from MIL0 to MIL3.

Each MIL covers two dimensions of cybersecurity progression: approach progression and institutionalization progression.

Approach progression refers to the completeness, thoroughness, or level of development of an activity in a domain. Institutionalization progression describes the extent to which a practice or activity is ingrained in an organization’s operations.

The more deeply ingrained an activity, the more likely the organization will continue to perform the practice over time, under pressure, and in a consistent and reliable manner.

The MILs apply independently to each domain. For example, an organization could be operating at MIL3 in the asset, change, and configuration management domain, MIL1 in the supply chain and external dependencies management domain, and MIL0 in a third domain.

MILs are also cumulative within each domain. In the example above, to earn MIL3 in the asset, change, and configuration management domain, the organization must perform all the practices at the MIL1, MIL2, and MIL3 levels.
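As an added illustration of the scoring described above (this is not code from the article, from DOE, or from the C2M2 toolkit), the following Python computes a per-domain MIL from recorded practice responses and lists the practices that block the next level. It assumes that a practice counts as performed when it is fully or largely implemented, that not-applicable practices are excluded from the calculation, and that a domain with no recorded answers stays at MIL0; the practice names and responses are constructed for the example and are not the real C2M2 practice text.

```python
"""Added example: cumulative MIL scoring for a C2M2-style self-assessment.

Assumptions not stated on the page: a practice is "performed" when it is
Fully or Largely Implemented; Not Applicable practices are excluded; a level
with no recorded answers is not achieved. Practice names are constructed.
"""
from enum import Enum
from typing import Dict, List, Tuple


class Status(Enum):
    FULLY = "fully implemented"
    LARGELY = "largely implemented"
    PARTIALLY = "partially implemented"
    NOT = "not implemented"
    NA = "not applicable"


# The ten C2M2 domains listed in the article.
DOMAINS = [
    "Risk management",
    "Asset, change, and configuration management",
    "Identity and access management",
    "Threat and vulnerability management",
    "Situational awareness",
    "Information sharing and communications",
    "Event and incident response, continuity of operations",
    "Supply chain and external dependencies management",
    "Workforce management",
    "Cybersecurity program management",
]

PERFORMED = {Status.FULLY, Status.LARGELY}  # assumption: counts as "performed"

Practice = Tuple[str, Status]          # (practice name, recorded status)
DomainAnswers = Dict[int, List[Practice]]  # MIL level (1..3) -> practices


def level_achieved(practices: List[Practice]) -> bool:
    """A level is achieved when every applicable practice at it is performed."""
    if not practices:            # nothing recorded: cannot claim the level
        return False
    applicable = [s for _, s in practices if s is not Status.NA]
    return all(s in PERFORMED for s in applicable)  # all-NA level: achieved


def domain_mil(answers: DomainAnswers) -> int:
    """MILs are cumulative: MIL n requires levels 1..n to all be achieved."""
    mil = 0
    for level in (1, 2, 3):
        if not level_achieved(answers.get(level, [])):
            break                # a missed level caps the domain here
        mil = level
    return mil


def gaps(answers: DomainAnswers) -> List[str]:
    """Practices at the next level that are not yet performed (the gap list)."""
    next_level = domain_mil(answers) + 1
    if next_level > 3:
        return []
    return [name for name, s in answers.get(next_level, [])
            if s is not Status.NA and s not in PERFORMED]


def assess(org: Dict[str, DomainAnswers]) -> Dict[str, int]:
    """MIL for every domain; MILs are independent across domains."""
    return {domain: domain_mil(org.get(domain, {})) for domain in DOMAINS}


# Constructed sample answers mirroring the article's example: MIL3, MIL1, MIL0.
SAMPLE_ORG: Dict[str, DomainAnswers] = {
    "Asset, change, and configuration management": {
        1: [("Asset inventory exists", Status.FULLY),
            ("Changes are logged", Status.LARGELY)],
        2: [("Inventory is kept current", Status.FULLY),
            ("Configuration baselines defined", Status.NA)],
        3: [("Baselines reviewed on a schedule", Status.FULLY)],
    },
    "Supply chain and external dependencies management": {
        1: [("Key suppliers identified", Status.FULLY)],
        2: [("Supplier cyber requirements in contracts", Status.PARTIALLY),
            ("Supplier risks tracked", Status.FULLY)],
        3: [("Supplier compliance reviewed", Status.NOT)],
    },
    "Workforce management": {
        1: [("Security responsibilities assigned", Status.NOT)],
    },
}

if __name__ == "__main__":
    for domain, mil in assess(SAMPLE_ORG).items():
        print(f"MIL{mil}  {domain}")
        for practice in gaps(SAMPLE_ORG.get(domain, {})):
            print(f"       gap: {practice}")
```

The two rules from the text are visible in the output: the supply chain domain stays at MIL1 even though one of its MIL2 practices is fully implemented, because the other is only partially implemented, and its MIL rating has no effect on the MIL3 earned by the asset management domain.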

[Figure: C2M2 graphic of the four maturity indicator levels. Source: Energy.gov]

However, the C2M2 does not suggest that every organization should attempt to achieve the highest MILs. Rather, an organization’s business objectives, cybersecurity strategy, financial capabilities, and other independent factors determine which MILs to target and emphasize within each domain.

When employed correctly, the C2M2 should help an organization:

  • Effectively and consistently measure and benchmark cybersecurity capabilities.
  • Prioritize actions and investments to improve cybersecurity.
  • Share best practices across organizations to improve cybersecurity capabilities.

The explosive growth in the number of organizations that depend on cybersecurity to safeguard their data and information has necessitated a standardized program for regular cybersecurity assessments. The C2M2 cybersecurity maturity model is among the best available free programs with a formalized process.

ICF’s cybersecurity experts participated in the development of the ES-C2M2 and its derivative models, in addition to supporting DOE in C2M2 program management activities. Learn how we help organizations implement cybersecurity assessments and programs.
