C2M2 Resources & References

← Back to C2M2 Portal

Official C2M2 Documents (DOE)

📘

C2M2 Version 2.1 Model Document

The authoritative source for all C2M2 domains, objectives, practices, and MIL definitions. Published by U.S. Department of Energy CESER.

DOEFree
energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
🔧

C2M2 Self-Evaluation Tool (SET)

Excel-based toolkit from DOE that guides organizations through the self-evaluation process with scoring worksheets, heatmap outputs, and report generation.

DOEToolFree
energy.gov/ceser — Download from C2M2 Toolkit section
📋

C2M2 Facilitation Guide

Step-by-step guide for C2M2 facilitators on how to run a self-evaluation session: preparation, facilitation techniques, scoring, and reporting.

DOEFree
energy.gov/ceser
📊

C2M2 Program Overview Presentation

Official DOE slide deck providing an introduction to C2M2 concepts, use cases, and the self-evaluation process. Useful for executive briefings.

DOEFree
energy.gov/ceser

Related NIST Publications

📖

NIST Cybersecurity Framework (CSF) 2.0

The NIST CSF provides the Identify, Protect, Detect, Respond, Recover functions that underpin many C2M2 domain objectives. C2M2 v2.1 aligns to CSF 1.1; CSF 2.0 adds a Govern function.

NISTFree
nist.gov/cyberframework
📖

NIST SP 800-82 Rev 3 — OT Security Guide

Guide for Industrial Control System (ICS) security. Essential companion for C2M2 ASSET and ARCHITECTURE domain practices relating to OT environments.

NISTFree
csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
📖

NIST SP 800-53 Rev 5 — Security Controls

Comprehensive control catalog. Useful for mapping C2M2 practices to specific security controls when building your SSP or evidence package.

NISTFree
csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
📖

NIST SP 800-30 — Risk Assessment Guide

Guidance for conducting risk assessments. Directly supports C2M2 RISK domain practices at MIL 1 and MIL 2.

NISTFree
csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Sector ISACs and Information Sharing Resources

⚡

E-ISAC — Electricity Information Sharing and Analysis Center

The E-ISAC provides cybersecurity information sharing, analysis, and situational awareness for the electricity sector. Membership supports C2M2 SITUATION and THREAT domain MIL 3 practices.

E-ISAC
eisac.com
🛢️

ONG-ISAC — Oil and Natural Gas ISAC

Threat intelligence and information sharing for the oil and natural gas sector. Key resource for organizations pursuing C2M2 in the ONG subsector.

ONG-ISAC
ongisac.org
🏛️

CISA — Cybersecurity and Infrastructure Security Agency

Free cybersecurity resources, advisories, vulnerability alerts, and the Known Exploited Vulnerabilities (KEV) catalog. Supports THREAT domain practices.

Free
cisa.gov
🏛️

ICS-CERT Advisories

CISA's ICS-CERT provides advisories and alerts specific to industrial control systems. Essential for OT-focused threat and vulnerability management.

Free
cisa.gov/ics-cert

C2M2 Training Resources

🎓

DOE C2M2 Facilitator Training

DOE CESER offers training for organizations that want to prepare their own C2M2 facilitators. Check the CESER website for current course offerings and schedules.

DOE
energy.gov/ceser
🎓

Idaho National Laboratory (INL) — Cybersecurity Training

INL supports DOE energy sector cybersecurity programs and offers training resources including C2M2-aligned content for OT/ICS environments.

DOE / INL
inl.gov/core-capabilities/national-homeland-security
🎓

SANS ICS / OT Security Training

SANS offers ICS410, ICS515, and other courses that build skills directly relevant to C2M2 ASSET, ARCHITECTURE, RESPONSE, and SITUATION domains.

Paid
sans.org/ics

Other Pages in This Portal