What to collect per domain to support a C2M2 self-evaluation or independent evaluation
For each domain, this guide lists the evidence types most commonly needed to demonstrate practice implementation at each Maturity Indicator Level (MIL). MILs are cumulative: a domain is rated at MIL 2 only when its MIL 1 and MIL 2 practices are all implemented, so MIL 2 and MIL 3 evidence must sit on top of the MIL 1 artifacts rather than replace them. Assessors look for artifacts showing that practices are not only performed, but documented, resourced, tracked, reviewed, and improved. Note that the model's domain-level management practices place documented procedures and adequate resourcing at MIL 2, while up-to-date policy, assigned accountability, and evaluation of effectiveness are MIL 3 practices; a policy listed under MIL 2 below therefore also needs to be current, approved, and demonstrably followed before it supports a MIL 3 rating.
Asset, Change, and Configuration Management (ASSET)

| MIL | Evidence Type | Description / Examples | Owner |
|---|---|---|---|
| MIL 1 | IT Asset Inventory | Spreadsheet, CMDB, or tool export listing the IT hardware and software assets important to delivering the function under evaluation (a complete, attribute-rich inventory is a higher-MIL expectation) | IT Admin |
| MIL 1 | OT Asset Inventory | ICS/SCADA device list, PLC inventory, passive discovery output, or OT network diagram with device listing | OT/ICS Team |
| MIL 1 | Change Records | Ticket records, email threads, or change logs showing changes were evaluated before implementation and logged afterwards, with test results where applicable | Change Manager |
| MIL 1 | Baseline Configuration Docs | System hardening guides, CIS Benchmarks applied, group policy exports | IT Admin |
| MIL 2 | Asset Management Policy | Documented policy defining who owns asset inventory, how often it's updated, and prioritization criteria | ISSO |
| MIL 2 | Change Management Procedure | Formal change control process document with approval workflow and rollback plan | Change Manager |
| MIL 2 | Configuration Management Plan | Written CM plan with baseline definitions, deviation tracking, and exception process | IT Admin |
| MIL 3 | Asset Program Review Records | Meeting minutes, after-action reports, or memos showing periodic review of asset management program | CISO / Leadership |
| MIL 3 | Lessons Learned Documentation | Change post-mortems, CM improvement tracking, updated procedures based on past issues | Change Manager |
Threat and Vulnerability Management (THREAT)

| MIL | Evidence Type | Description / Examples | Owner |
|---|---|---|---|
| MIL 1 | Vulnerability Scan Reports | Output from Nessus, Qualys, OpenVAS, or similar tools showing scans were performed, with dates, scope, and whether scans were credentialed | IT Security |
| MIL 1 | Threat Intelligence Subscriptions | CISA ICS advisories (formerly ICS-CERT alerts), AIS feeds, MS-ISAC or E-ISAC membership records | Security Analyst |
| MIL 1 | Vulnerability Remediation Records | Patching records, ticket closures, or configuration changes made to address findings | IT Admin |
| MIL 2 | Vulnerability Management Policy/Procedure | Written policy defining scanning schedule, risk rating methodology, and remediation SLAs | ISSO |
| MIL 2 | Vulnerability Tracking Register | Spreadsheet or ticketing system showing open/closed vulnerabilities with target remediation dates | Security Analyst |
| MIL 2 | Threat Analysis Records | Documented threat assessments, risk-ranked threat lists, or threat model outputs | Security Team |
| MIL 3 | Program Review Minutes | Periodic vulnerability and threat program reviews with leadership, showing continuous improvement actions | CISO |
| MIL 3 | Threat Intelligence Sharing Records | Evidence of bi-directional sharing with sector ISACs, peer organizations, or government partners | Security Team |
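The tracking register in the MIL 2 rows above is only useful as evidence if every finding carries a severity, a first-detection date, a target date derived from the remediation SLA, and a ticket or exception record behind its current state. The following Python example is added to this guide (it is not code from the original page or from any scanner vendor) and shows one way to derive such a register from a generic scanner export; the CSV rows and the SLA thresholds are constructed assumptions, so substitute your own policy values.

```python
"""Derive a MIL 2 style vulnerability tracking register from scanner output.

Added example for this guide; the scanner rows and the SLA table below are
constructed assumptions, not real data or a real organisation's policy.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation SLAs in days from first detection, keyed by severity.
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}
AS_OF = date(2024, 3, 1)  # reporting date used by the example run

# Constructed export in a generic "one row per host/finding" CSV shape.
# status: open | fixed | risk_accepted; ticket: change or risk-acceptance record.
SCAN_EXPORT = """\
host,plugin_id,severity,first_seen,last_seen,status,ticket
10.0.1.5,19506,Low,2024-01-10,2024-03-01,open,
10.0.1.5,42873,High,2024-01-20,2024-03-01,open,CHG-1043
10.0.2.9,10862,Critical,2024-02-05,2024-03-01,open,
10.0.2.9,57608,Medium,2023-11-15,2024-02-15,fixed,CHG-0987
10.0.3.3,51192,High,2024-01-05,2024-03-01,risk_accepted,RA-0012
"""


def load_findings(text):
    """Parse the export, converting the date columns to date objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["last_seen"] = date.fromisoformat(row["last_seen"])
        findings.append(row)
    return findings


def build_register(findings, as_of, sla_days=SLA_DAYS):
    """Attach a target remediation date and an SLA state to every finding."""
    register = []
    for f in findings:
        target = f["first_seen"] + timedelta(days=sla_days[f["severity"]])
        if f["status"] == "fixed":
            # The last scan that still saw the finding approximates the fix date.
            state = "closed_in_sla" if f["last_seen"] <= target else "closed_late"
        elif f["status"] == "risk_accepted":
            # An accepted risk is only evidence if an exception record exists.
            state = "risk_accepted" if f["ticket"] else "risk_accepted_no_record"
        else:
            state = "overdue" if as_of > target else "open"
        register.append({**f, "target_date": target, "sla_state": state})
    return register


def summarize(register):
    """Count entries per SLA state; these are the numbers assessors ask for first."""
    counts = {}
    for entry in register:
        counts[entry["sla_state"]] = counts.get(entry["sla_state"], 0) + 1
    return counts


def evidence_gaps(register):
    """Entries that will not survive review: overdue with no ticket, or an
    accepted risk with no exception record behind it."""
    return [
        e for e in register
        if (e["sla_state"] == "overdue" and not e["ticket"])
        or e["sla_state"] == "risk_accepted_no_record"
    ]


if __name__ == "__main__":
    register = build_register(load_findings(SCAN_EXPORT), as_of=AS_OF)
    for e in register:
        print(f'{e["host"]:10} {e["plugin_id"]:6} {e["severity"]:9} '
              f'target {e["target_date"]} {e["sla_state"]} {e["ticket"] or "-"}')
    print("summary:", summarize(register))
    print("evidence gaps:", [(g["host"], g["plugin_id"]) for g in evidence_gaps(register)])
```

Run against a real export, the summary gives the open/overdue counts for the MIL 3 program review, and the evidence-gap list is the set of rows to fix before an assessor sees the register. Using the last scan date as the fix date is a deliberate approximation; if your ticketing system records the actual remediation date, use that instead.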
Identity and Access Management (ACCESS)

| MIL | Evidence Type | Description / Examples | Owner |
|---|---|---|---|
| MIL 1 | User Account List | AD/LDAP export or user directory showing active accounts with assigned roles | IT Admin |
| MIL 1 | Access Revocation Records | Terminated employee offboarding checklists showing accounts were disabled | HR / IT Admin |
| MIL 1 | Privileged Account List | List of accounts with admin/root/service privileges and their justification | IT Admin |
| MIL 2 | IAM Policy | Documented access control policy defining least privilege, MFA requirements, and review schedule | ISSO |
| MIL 2 | MFA Configuration Records | Dated screenshots or policy exports showing MFA is enforced on privileged and remote access accounts (screenshots age quickly, so record the capture date and the policy version) | IT Admin |
| MIL 2 | Access Review Records | Periodic access certification records showing who reviewed accounts and what was approved/revoked | IT Admin / ISSO |
| MIL 3 | IAM Program Review Records | Leadership-level review of access management program, improvement tracking, metrics | CISO |
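Most of the MIL 1 and MIL 2 artifacts in this table can be generated rather than hand-maintained by reconciling a directory export against HR records and a privileged-access justification list. The Python example below is added to this guide (not code from the original page or from any directory product) and shows that reconciliation: it derives the privileged account list, checks that terminated users are disabled, flags privileged accounts without MFA or a justification, and bundles the results into a dated review record. The CSV exports, group names, justification entries, and the 90-day stale threshold are constructed assumptions.

```python
"""Reconcile a directory export against HR records to produce access-management
evidence (privileged account list, revocation check, MFA coverage, stale-account
review, dated access review record).

Added example for this guide; the CSV exports, group names, and thresholds are
constructed assumptions, not real data or a real tool's output.
"""
import csv
import io
from datetime import date, timedelta

# Groups treated as privileged; extend with your own tiering model.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
STALE_DAYS = 90                  # assumed review threshold for unused accounts
AS_OF = date(2024, 3, 1)         # review date used by the example run

# Constructed directory export in the shape of a generic AD/LDAP CSV dump.
DIRECTORY_EXPORT = """\
sam,display_name,enabled,member_of,last_logon,mfa_enrolled
jdoe,Jane Doe,true,Domain Users,2024-02-27,true
bsmith,Bob Smith,true,Domain Users;Domain Admins,2024-02-28,true
tlee,Tom Lee,true,Domain Users;Domain Admins,2023-10-02,false
svc_backup,Backup Service,true,Backup Operators,2024-02-28,false
mchan,Mary Chan,true,Domain Users,2024-01-15,true
rgarcia,Ray Garcia,false,Domain Users,2023-12-01,true
"""

# Constructed HR termination feed (what the offboarding checklists should match).
HR_TERMINATIONS = """\
sam,termination_date
mchan,2024-01-31
rgarcia,2023-12-05
"""

# Constructed privileged-access justifications (the "why" column assessors ask for).
JUSTIFICATIONS = {
    "bsmith": "Tier-0 administrator, approved CHG-0871",
    "svc_backup": "Backup agent service account, owner: IT Ops",
}


def load_directory(text):
    """Parse the export; normalise booleans, group lists and dates."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].lower() == "true"
        row["mfa_enrolled"] = row["mfa_enrolled"].lower() == "true"
        row["groups"] = set(row["member_of"].split(";"))
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        accounts.append(row)
    return accounts


def load_terminations(text):
    """Map account name to termination date."""
    return {r["sam"]: date.fromisoformat(r["termination_date"])
            for r in csv.DictReader(io.StringIO(text))}


def revocation_gaps(accounts, terminations):
    """Terminated people whose accounts are still enabled: the failure the
    offboarding checklist evidence is supposed to rule out."""
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["sam"] in terminations)


def privileged_accounts(accounts):
    """The MIL 1 privileged account list, derived from group membership."""
    return [a for a in accounts if a["groups"] & PRIVILEGED_GROUPS]


def privileged_findings(accounts, justifications, as_of):
    """Per privileged account, the review issues an assessor would raise."""
    findings = {}
    for a in privileged_accounts(accounts):
        issues = []
        if a["sam"] not in justifications:
            issues.append("no_justification")
        if not a["mfa_enrolled"]:
            # Service accounts cannot do interactive MFA; they still need a
            # documented compensating control, so they stay in the finding list.
            issues.append("no_mfa")
        if as_of - a["last_logon"] > timedelta(days=STALE_DAYS):
            issues.append("stale")
        findings[a["sam"]] = issues
    return findings


def access_review_record(accounts, terminations, justifications, as_of, reviewer):
    """Assemble one dated access review record from the checks above."""
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "revocation_gaps": revocation_gaps(accounts, terminations),
        "privileged_findings": privileged_findings(accounts, justifications, as_of),
    }


if __name__ == "__main__":
    directory = load_directory(DIRECTORY_EXPORT)
    record = access_review_record(directory, load_terminations(HR_TERMINATIONS),
                                  JUSTIFICATIONS, AS_OF, reviewer="ISSO")
    for key, value in record.items():
        print(f"{key}: {value}")
```

The review record is the artifact, but only once a named reviewer has signed off on each finding (revoke, keep with justification, or accept with a compensating control); keep the script output and the decisions together, since the decisions are what distinguish an access review from a report.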
Event and Incident Response, Continuity of Operations (RESPONSE)

| MIL | Evidence Type | Description / Examples | Owner |
|---|---|---|---|
| MIL 1 | Incident Log | Log or ticketing system records showing past incidents were documented and addressed | Security Team |
| MIL 1 | Backup Records | Backup completion logs, cloud backup configurations, or tape rotation schedules | IT Admin |
| MIL 2 | Incident Response Plan (IRP) | Written IRP with detection, escalation, containment, eradication, and recovery procedures | ISSO / Security Team |
| MIL 2 | IRP Training Records | Training completion certificates, tabletop exercise attendance records | HR / Security Team |
| MIL 2 | Continuity of Operations Plan (COOP) | Written COOP or BCP identifying critical functions and recovery time objectives (RTOs) | Business Continuity |
| MIL 2 | Backup Restore Test Records | Records showing backups were restored successfully, including what was restored, when, who verified it, and the time taken compared with the RTO in the COOP | IT Admin |
| MIL 3 | Post-Incident Review Reports | After-action reports from real incidents or exercises documenting lessons learned and improvements made | ISSO / CISO |
| MIL 3 | COOP Exercise Results | Full-scale or tabletop exercise results with gaps identified and improvement plan | Business Continuity |
Workforce Management (WORKFORCE)

| MIL | Evidence Type | Description / Examples | Owner |
|---|---|---|---|
| MIL 1 | Security Awareness Training Records | LMS completion records, KnowBe4/Proofpoint reports, sign-in sheets for in-person training | HR / Security |
| MIL 1 | Role Assignment Records | Job descriptions, responsibility matrices (RACI), or org charts showing cybersecurity role assignments | HR / CISO |
| MIL 1 | Personnel Screening Records | Background check completion logs, signed AUPs, or reference check documentation | HR |
| MIL 2 | Workforce Management Policy | Written policy covering hiring, training, roles, and termination in a cybersecurity context | HR / ISSO |
| MIL 2 | Training Plan | Annual training calendar, course catalog with role assignments, training completion tracking | HR / Security |
| MIL 3 | Training Effectiveness Reports | Phishing simulation results, quiz scores, post-training assessments with improvement tracking | Security Team |
| MIL 3 | Workforce Program Review | Annual review of workforce cybersecurity program with leadership, showing improvements made | CISO / HR |