Structured audit reports that document your organization's cybersecurity posture across key C2M2 domains — providing the evidence base for maturity scoring, gap identification, and remediation planning.
Reports are the evidentiary core of any C2M2 self-evaluation. While the framework defines what good cybersecurity practice looks like, reports capture where your organization stands today. Each report translates operational data — asset inventories, user access logs, vulnerability scan results, patch records — into structured evidence aligned with specific C2M2 domains and MIL levels. They enable evaluators to validate maturity claims with documented proof, help leadership understand current risk exposure, and provide the baseline from which gap analysis and remediation planning flow. Without well-maintained reports, MIL attainment scores remain assertions rather than defensible findings.
A complete inventory of MVEC's IT and OT assets with system categorization, FIPS-199 Confidentiality / Integrity / Availability impact ratings, end-of-life and end-of-support flags, and a categorization summary. Supports C2M2 ACM-1 through ACM-3 practice evidence and provides the foundation for all other domain assessments. Editable, printable, and exportable.
📄 Open ReportMVEC's full user account inventory and system access rights matrix covering IT systems, OT/SCADA platforms, and cloud services. Documents privileged and shared accounts, vendor remote access sessions, OT device default credentials, and multi-factor authentication coverage. Includes a C2M2 ACCESS domain MIL 1–3 practice assessment with evidence mappings and identified gaps.
📄 Open ReportCombines Nessus credentialed IT scan results with a manual OT/ICS vulnerability review: 9 Critical and 18 High findings, CISA Known Exploited Vulnerability (KEV) catalog exposure analysis, OT-specific vulnerabilities including insecure DNP3 configuration, end-of-life SCADA software, and default device passwords. Includes a C2M2 THREAT domain MIL assessment and prioritized remediation guidance.
📄 Open ReportDocuments MVEC's IT and OT patch currency, firmware version tracking, end-of-life and end-of-support asset register with risk ratings, vendor maintenance SLA compliance, and the 2025 maintenance calendar. Maps patch and lifecycle management activities against C2M2 ASSET domain ACM practices to produce a MIL-level assessment with evidence status and open findings.
📄 Open ReportCross-domain gap analysis comparing current MIL attainment scores against target maturity levels across all 10 C2M2 domains. Identifies unmet practices, ranks gaps by risk impact, and populates a Plan of Action & Milestones (POA&M) tracker with ownership assignments, resource estimates, and target completion dates. The central planning artifact for a C2M2 remediation program.
📄 Open Report