What are Maturity Indicator Levels?

In C2M2, each of the ten domains is scored using Maturity Indicator Levels (MILs). MILs indicate how systematically and rigorously cybersecurity practices are implemented within a domain. There are four levels: MIL 0 through MIL 3.

Unlike compliance frameworks, C2M2 MIL levels are not pass/fail — they describe the quality of management around cybersecurity practices, not just whether those practices exist.

⚠️ A domain achieves a MIL only when ALL practices at that level AND all lower levels are fully implemented. Partial implementation does not count toward MIL attainment.

MIL 0: Not Performed
Practices in the domain are not performed, or are performed only sporadically with no consistent approach.
  • No defined process
  • Ad hoc or absent
  • No evidence available

MIL 1: Performed
Practices are initiated and completed, but may not be planned, tracked, or documented consistently.
  • Work gets done
  • May be informal or undocumented
  • Individual-dependent
  • Not yet resourced or planned

MIL 2: Managed
Practices are planned, resourced, and tracked. Staff have the skills and knowledge to perform the work.
  • Documented policies/procedures
  • Assigned ownership
  • Resources allocated
  • Progress tracked

MIL 3: Optimized
Practices are periodically reviewed, results are communicated, and improvements are made based on lessons learned.
  • Periodic review cycles
  • Results shared with leadership
  • Continuous improvement
  • Lessons learned feed back

MIL Progression Requirements

The following table summarizes what an organization must demonstrate to attain each MIL level. MIL levels are cumulative — MIL 2 requires all MIL 1 practices plus MIL 2 management practices.

MIL Level | Practice Execution          | Planning           | Resources       | Tracking                | Review & Improvement
MIL 0     | Not performed               |                    |                 |                         |
MIL 1     | Performed (may be informal) | ❌ Not required    | ❌ Not required | ❌ Not required         | ❌ Not required
MIL 2     | Performed consistently      | ✅ Documented plan | ✅ Allocated    | ✅ Tracked against plan | ❌ Not required
MIL 3     | Performed consistently      | ✅ Documented plan | ✅ Allocated    | ✅ Tracked against plan | ✅ Periodic review & improvement
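As an added illustration (not part of the C2M2 model or this portal), the following Python applies the cumulative attainment rule above to a constructed set of domain practices: a domain earns a MIL only when every practice at that level and all lower levels is fully implemented, so one partially implemented MIL 2 practice holds the domain at MIL 1 even when its MIL 3 practices are complete. Practice IDs, descriptions and statuses are constructed for the example and are not real C2M2 practices.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    """Implementation status of one practice (constructed scale for this example)."""
    FULLY = "Fully implemented"
    PARTIALLY = "Partially implemented"
    NOT = "Not implemented"

@dataclass(frozen=True)
class Practice:
    id: str        # constructed identifier, not a real C2M2 practice ID
    mil: int       # the MIL (1, 2 or 3) at which the practice is required
    status: Status

def achieved_mil(practices):
    """Domain MIL under the cumulative rule: the highest level n such that every
    practice at levels 1..n is fully implemented (MIL 0 if MIL 1 is incomplete)."""
    by_level = {1: [], 2: [], 3: []}
    for p in practices:
        if p.mil not in by_level:
            raise ValueError(f"{p.id}: MIL must be 1, 2 or 3")
        by_level[p.mil].append(p)
    achieved = 0
    for level in (1, 2, 3):
        if not by_level[level]:
            raise ValueError(f"no practices defined at MIL {level}")
        # Partial implementation does not count: one non-Fully practice stops progression.
        if any(p.status is not Status.FULLY for p in by_level[level]):
            break
        achieved = level
    return achieved

def gaps(practices, target_mil):
    """Practices that block attainment of target_mil, lowest level first."""
    return [p for p in sorted(practices, key=lambda p: p.mil)
            if p.mil <= target_mil and p.status is not Status.FULLY]

# Constructed sample domain: performed (MIL 1), planned and resourced but only
# partly tracked (MIL 2), yet already reviewed periodically (MIL 3).
SAMPLE_DOMAIN = [
    Practice("P1a", 1, Status.FULLY),      # practice is performed
    Practice("P2a", 2, Status.FULLY),      # documented plan exists
    Practice("P2b", 2, Status.FULLY),      # resources allocated
    Practice("P2c", 2, Status.PARTIALLY),  # progress tracked for some assets only
    Practice("P3a", 3, Status.FULLY),      # periodic review, results shared with leadership
]

if __name__ == "__main__":
    print("Achieved MIL:", achieved_mil(SAMPLE_DOMAIN))                 # 1
    print("Blocking MIL 2:", [p.id for p in gaps(SAMPLE_DOMAIN, 2)])   # ['P2c']
```

The gap list is the artifact an evaluator actually needs: it names the practices to plan, resource or track before the domain can advance, in the order the cumulative rule requires.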

The MIL-Management Distinction

One of the most important concepts in C2M2 is the difference between performing a practice and managing the performance of a practice. This is what separates MIL 1 from MIL 2.

Example: Vulnerability Scanning

💡 Many organizations find that they perform practices at MIL 1 but cannot demonstrate MIL 2 because planning and tracking artifacts don't exist. This is the most common gap in C2M2 evaluations.

Recommended MIL Targets by Organization Type

Organization Profile            | Recommended Target                  | Rationale
Small utility / startup         | MIL 1 across all domains            | Establish baseline — ensure all practices are at least performed
Mid-size organization           | MIL 2 in high-risk domains          | Focus on RISK, ACCESS, THREAT, RESPONSE first
Large utility / operator        | MIL 2 all domains, MIL 3 in critical | Mature management across the board; optimize highest-impact domains
Regulated critical infrastructure | MIL 3 in key domains              | Regulatory drivers (NERC CIP, TSA directives) require optimized management