C2M2 Program Portal

🏛️

Cybersecurity Domains

📋

Cybersecurity Practices

📊

Maturity Indicator Levels

🏭

Critical Infrastructure Sectors

📅

2022

Current Version (v2.1)

Quick Jump — C2M2 Domains

ASSET 🗂️ Asset & Config Mgmt THREAT 🛡️ Threat & Vuln Mgmt RISK ⚖️ Risk Management ACCESS 🔑 Identity & Access Mgmt SITUATE 👁️ Situational Awareness RESPONSE 🚨 Incident Response 3RD-PTY 🤝 Third-Party Risk WORK 👷 Workforce Mgmt ARCH 🏗️ Cyber Architecture PROGRAM 📋 Program Mgmt

Portal Sections

🏛️

C2M2 Framework Overview

Understand the Cybersecurity Capability Maturity Model, its DOE sponsorship, target sectors, version history, and how the self-evaluation process works.

START HERE

📊

Maturity Indicator Levels (MIL)

Deep dive into MIL 0–3 definitions, what it takes to achieve each level, and how MIL attainment is determined — with real-world examples.

KEY CONCEPTS

📚

Domains & Practice Reference

Complete interactive reference for all 10 C2M2 domains. Search practices, filter by MIL level, and expand domain details on demand.

INTERACTIVE

🔍

C2M2 Self-Assessment Tool

Interactive self-evaluation tool to score your organization across all 10 domains and all MIL levels. Generates a live domain heatmap and summary statistics.

TOOL

📁

Evidence Collection Guide

Domain-by-domain guidance on artifacts, policies, logs, and configs to collect for a C2M2 self-evaluation or independent evaluation — covering all 10 domains.

ALL 10 DOMAINS

👥

Roles & Responsibilities

Define organizational roles for the C2M2 program — facilitators, executive sponsors, domain owners, IT/OT staff, HR, and third-party managers with a full RACI matrix.

GOVERNANCE

🔗

CMMC / NIST 800-171 Crosswalk

Side-by-side mapping between C2M2 practices and CMMC 2.0 / NIST SP 800-171 controls — coverage, gaps, and how efforts in one framework support the other.

CROSSWALK

📋

Resources & References

Official C2M2 v2.1 model, DOE CESER toolkit, NIST publications, sector ISACs, training resources, and related cybersecurity frameworks.

REFERENCES

Case Studies

C2M2 Training Case Studies

Sector-specific fictional organizations built for hands-on C2M2 training exercises. Each case study provides a complete organizational profile, IT and OT asset inventories, network architecture diagrams, security control gaps, third-party risk exposure, and C2M2 domain assessments — giving students realistic data to practice scoring, gap analysis, and remediation planning. Case studies are being developed for each of the eight critical infrastructure sectors covered in the C2M2 framework.

C2M2 Reports

C2M2 Assessment Reports

Structured reports are the documentary backbone of a C2M2 implementation. They translate raw assessment data into actionable evidence — capturing asset inventories, access control posture, vulnerability findings, maintenance status, and identified gaps. Each report maps directly to one or more C2M2 domains and MIL levels, providing the audit trail required to validate maturity claims, prioritize remediation, and communicate risk to leadership. Together they form a complete picture of your organization's cybersecurity posture against the C2M2 framework.