
📖 What is C2M2?

The Cybersecurity Capability Maturity Model (C2M2) is a voluntary framework developed by the U.S. Department of Energy (DOE) to help organizations evaluate and improve their cybersecurity capabilities. It provides a structured way to measure the maturity of cybersecurity practices across ten domains using a three-level maturity scale.

C2M2 is designed to be sector-agnostic but is especially relevant to electricity, oil and natural gas, and other critical infrastructure sectors. Unlike compliance frameworks that define a binary pass/fail, C2M2 acknowledges that cybersecurity is a continuous journey and helps organizations identify where they are and prioritize where to go next.

  • 10 Cybersecurity Domains
  • 356+ Cybersecurity Practices
  • 3 Maturity Indicator Levels
  • v2.1 Current Version (2022)

🏢 Who Should Use C2M2?

C2M2 is applicable to any organization that operates or relies on technology to deliver critical services. Each of the sectors below has its own cybersecurity landscape and regulatory environment, and C2M2 applies to all of them.

  • Electric Utilities
  • 🛢️ Oil & Natural Gas
  • 💧 Water Systems
  • 🏭 Industrial / OT
  • 🏥 Healthcare
  • 🏦 Financial Services
  • 🏛️ Government
  • 🔭 Research Institutions

🗂️ How C2M2 is Structured

C2M2 organizes cybersecurity activities into ten domains, each representing a functional area of cybersecurity management. Within each domain, practices are grouped into objectives and assigned to Maturity Indicator Levels (MIL 1–3). The ten domains are:

  • Asset, Change, and Configuration Management (ASSET): Identifies and manages IT and OT assets throughout their lifecycle. Practices cover inventory maintenance, configuration baselines, change management processes, and software/hardware lifecycle controls. A foundational domain — without knowing what you have, you cannot protect it.
  • Threat and Vulnerability Management (THREAT): Addresses the identification, analysis, and remediation of threats and vulnerabilities. Covers vulnerability scanning, threat intelligence consumption, patch management, and penetration testing. Directly ties to tools like Nessus, Tenable, and CISA's Known Exploited Vulnerabilities (KEV) catalog.
  • Risk Management (RISK): Establishes the organization's risk management strategy and processes. Includes risk identification, analysis, response planning, and risk acceptance criteria. Ties cybersecurity risk into enterprise risk management frameworks and executive decision-making.
  • Identity and Access Management (ACCESS): Governs who can access which systems and under what conditions. Covers user provisioning/deprovisioning, privileged access management (PAM), multi-factor authentication (MFA), remote access controls, and OT device credentials. A top ransomware entry-point domain.
  • Situational Awareness (SITUATION): Ensures the organization can detect, log, and understand cybersecurity events across IT and OT environments. Encompasses SIEM deployment, log management, network monitoring, and anomaly detection. Critical for both early threat detection and post-incident forensics.
  • Event and Incident Response, Continuity of Operations (RESPONSE): Covers the organization's ability to respond to and recover from cybersecurity events. Includes incident response plans, playbooks, communication trees, tabletop exercises, disaster recovery, and business continuity planning (BCP/COOP). Ties to NIST SP 800-61.
  • Third-Party Risk Management (THIRD-PARTIES): Manages cybersecurity risks introduced by vendors, contractors, and service providers. Covers supplier risk assessments, contractual cybersecurity requirements, remote access controls for vendors, and supply chain integrity — a growing attack surface highlighted by incidents like SolarWinds.
  • Workforce Management (WORKFORCE): Ensures that people with cybersecurity responsibilities are identified, trained, and held accountable. Covers role-based security awareness training, background checks, cybersecurity staffing, performance metrics, and insider threat programs.
  • Cybersecurity Architecture (ARCHITECTURE): Addresses the design and implementation of technical security controls across IT and OT networks. Covers network segmentation, IT/OT demarcation (DMZ, firewalls), encryption, secure remote access architecture, and Zero Trust principles. New in C2M2 v2.0.
  • Cybersecurity Program Management (PROGRAM): Focuses on the governance and management structure of the overall cybersecurity program. Includes policy framework, executive sponsorship, cybersecurity budget, performance metrics, audit and review processes, and alignment of the cybersecurity program with business objectives.

MIL Progression

Each domain can independently achieve MIL 0 (not performed) through MIL 3 (optimized). Achieving a MIL level in one domain does not require achieving the same level in other domains — organizations can have uneven maturity profiles.
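As an added example (not part of the C2M2 portal or the DOE toolkit), the following Python derives a domain-by-domain MIL profile from practice responses. It applies C2M2's cumulative scoring rule, under which a domain achieves MIL n only when every practice at MIL n and at each lower MIL is Fully or Largely Implemented, so a single MIL 1 gap holds a domain at MIL 0 regardless of higher-level work, and domains score independently of one another. Domain short names are real C2M2 domains; the practice identifiers and responses are constructed.

```python
# Added example, not part of the C2M2 portal page: derive a per-domain MIL
# profile from practice responses using C2M2's cumulative rule (a domain
# achieves MIL n only when every practice at MIL n and below is achieved).
# Domain short names are real C2M2 v2.1 domains; IDs/responses are constructed.
from dataclasses import dataclass

# The four toolkit response options; Fully and Largely Implemented count as achieved.
ACHIEVED = {"Fully Implemented", "Largely Implemented"}

@dataclass(frozen=True)
class Practice:
    pid: str       # constructed identifier such as "ASSET-1a"
    mil: int       # MIL the practice is assigned to (1, 2 or 3)
    response: str  # one of the four toolkit responses

def domain_mil(practices: list[Practice]) -> int:
    """Highest MIL whose practices, and all lower MILs' practices, are achieved.
    A level with no recorded responses is not achieved; any MIL 1 gap means MIL 0."""
    achieved = 0
    for level in range(1, 4):  # MIL 1 through MIL 3, in order
        at_level = [p for p in practices if p.mil == level]
        if not at_level or any(p.response not in ACHIEVED for p in at_level):
            break
        achieved = level
    return achieved

def maturity_profile(responses: dict[str, list[Practice]]) -> dict[str, int]:
    """Score each domain independently, so profiles may be uneven."""
    return {domain: domain_mil(ps) for domain, ps in responses.items()}

def blocking_practices(practices: list[Practice], target_mil: int) -> list[str]:
    """Unachieved practices at or below target_mil: the gap list to close."""
    return [p.pid for p in practices
            if p.mil <= target_mil and p.response not in ACHIEVED]

# Constructed responses for three domains (not a real evaluation).
SAMPLE = {
    "ASSET": [Practice("ASSET-1a", 1, "Fully Implemented"),
              Practice("ASSET-1b", 1, "Largely Implemented"),
              Practice("ASSET-2a", 2, "Fully Implemented"),
              Practice("ASSET-3a", 3, "Partially Implemented")],
    # All MIL 2 and 3 work is done, but one MIL 1 gap caps ACCESS at MIL 0.
    "ACCESS": [Practice("ACCESS-1a", 1, "Not Implemented"),
               Practice("ACCESS-2a", 2, "Fully Implemented"),
               Practice("ACCESS-3a", 3, "Fully Implemented")],
    "RESPONSE": [Practice("RESPONSE-1a", 1, "Fully Implemented"),
                 Practice("RESPONSE-2a", 2, "Fully Implemented"),
                 Practice("RESPONSE-3a", 3, "Largely Implemented")],
}
```

`maturity_profile(SAMPLE)` yields an uneven profile (ASSET at MIL 2, ACCESS at MIL 0, RESPONSE at MIL 3), and `blocking_practices(SAMPLE["ACCESS"], 1)` names the single practice that must be closed before ACCESS can progress.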

🔍 Self-Evaluation vs. Independent Evaluation

C2M2 supports two evaluation modes. Both produce a maturity profile rather than a pass/fail result.

🏢 Self-Evaluation

  • Conducted internally by subject matter experts
  • Uses DOE-provided toolkits and facilitation guides
  • Results are internal — used to guide improvement planning
  • Lower cost; faster to complete
  • Ideal for initial baseline assessments
  • May have unconscious bias toward over-scoring

🔎 Independent Evaluation

  • Conducted by a qualified third-party evaluator
  • Involves evidence review, staff interviews, and site observation
  • Results are objective and externally validated
  • May be required by regulators or contractual agreements
  • Higher cost; requires preparation and evidence collection
  • Produces a defensible maturity score for stakeholders

Neither evaluation type results in a pass/fail. Both are point-in-time assessments — organizations should repeat them periodically to track improvement.

📅 C2M2 Version History

  • 2012: C2M2 v1.0 — Original model released by DOE, initially targeting the electricity subsector as a voluntary self-evaluation tool.
  • 2014: ES-C2M2 / ONG-C2M2 — Separate sector-specific supplements released for the Electricity Subsector (ES-C2M2) and Oil & Natural Gas subsector (ONG-C2M2), reflecting distinct OT threat landscapes.
  • 2019: C2M2 v1.1 — Minor revision incorporating clarifications, editorial updates, and improved alignment with the NIST Cybersecurity Framework (CSF) 1.0.
  • 2022: C2M2 v2.0 / v2.1 — Major revision consolidating the sector supplements into a single cross-sector model, expanding to 10 domains (adding Supply Chain / Third-Party and Cybersecurity Architecture), aligning with NIST CSF 1.1 and NERC CIP, and significantly expanding OT-specific practices.