C2M2 Program Roles

A successful C2M2 evaluation requires participation from across the organization. The following roles are typically involved in the self-evaluation process and ongoing cybersecurity program management.

🏛️ Executive Sponsor

C-Suite / Board Level
  • Champions the C2M2 program at the executive level
  • Ensures resources and budget are allocated
  • Reviews high-level maturity results and approves target MIL goals
  • Integrates cybersecurity into enterprise risk oversight
  • Receives MIL 3 reporting on program performance

🔐 CISO / Cybersecurity Program Lead

Chief Information Security Officer
  • Owns the C2M2 program strategy and roadmap
  • Assigns domain owners and coordinates cross-domain activities
  • Reviews overall maturity profile and gap analysis results
  • Presents findings and improvement plans to executive sponsor
  • Ensures alignment between C2M2 and other frameworks (NERC CIP, NIST CSF)

📋 C2M2 Facilitator

Evaluation Lead
  • Leads the self-evaluation process using the DOE toolkit
  • Coordinates logistics: scheduling, participant preparation, evidence collection
  • Guides domain discussions and practice scoring sessions
  • Synthesizes results into domain heatmaps and summary reports
  • Should be trained in C2M2 facilitation methods (DOE training available)

🗂️ Domain Owners

Subject Matter Experts per Domain
  • One owner per C2M2 domain (may overlap for smaller orgs)
  • Responsible for collecting evidence for their domain
  • Participates in evaluation sessions to discuss current practices
  • Accountable for remediating gaps in their domain
  • Tracks POA&M items for their assigned domain

💻 IT Staff

Network, Systems, Security Administrators
  • Provides evidence for ASSET, ACCESS, SITUATION, ARCHITECTURE domains
  • Manages technical implementation of security controls
  • Supports vulnerability scanning, patching, log collection
  • Implements technical remediation actions from gap analysis

⚙️ OT / ICS Staff

Operational Technology / Industrial Control Systems
  • Provides evidence for OT-specific practices (ASSET-1b, SITUATION-1b, etc.)
  • Coordinates ICS/SCADA asset inventory and configuration management
  • Ensures cybersecurity controls don't disrupt operational continuity
  • Supports OT-specific incident response planning

👤 Human Resources

HR Department
  • Supports WORKFORCE domain — training records, personnel practices
  • Provides evidence for screening, onboarding, and offboarding procedures
  • Coordinates security awareness training completion tracking
  • Updates policies to include cybersecurity workforce requirements

📦 Vendor / Supply Chain Manager

Procurement / Contracts
  • Supports THIRD-PARTIES domain — vendor risk, contract review
  • Maintains vendor inventory and cybersecurity requirement tracking
  • Ensures third-party agreements include cybersecurity clauses
  • Coordinates vendor security assessments and monitoring

RACI Matrix — C2M2 Self-Evaluation Activities

Activity                                     | Exec Sponsor | CISO | Facilitator | Domain Owners | IT Staff | OT Staff | HR
---------------------------------------------|--------------|------|-------------|---------------|----------|----------|---
Set MIL targets and evaluation scope         | A            | R    | C           | C             | I        | I        | I
Schedule and coordinate evaluation sessions  | I            | A    | R           | C             | I        | I        | I
Collect domain-level evidence                | I            | A    | C           | R             | R        | R        | R
Score practices in each domain               | I            | C    | R           | R             | C        | C        | C
Develop gap analysis and POA&M               | I            | A    | R           | R             | C        | C        | C
Present results to executive leadership      | I            | R    | C           | C             | I        | I        | I
Implement POA&M remediation actions          | I            | A    | C           | R             | R        | R        | R
Conduct annual program review (MIL 3)        | C            | R    | R           | C             | I        | I        | I

R = Responsible (does the work) | A = Accountable (owns the outcome) | C = Consulted (provides input) | I = Informed (kept in the loop)