The C2M2 is a voluntary evaluation process utilizing industry-accepted cybersecurity practices that can be used to measure the maturity of an organization’s cybersecurity capabilities. The C2M2 is designed to measure both the sophistication and sustainment of a cyber security program.
The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations.
The goal of the C2M2 is to develop a logical understanding and measurement of the policies, processes, and procedures involved in the development of an organization’s cyber security posture. The model provides maturity indicator levels (MILs) designed to discuss an organization’s operational capabilities and management of cybersecurity risk during both normal operations and times of crisis.
The C2M2 seeks to understand the cybersecurity capabilities across an organization’s mission by focusing on practices within ten key domains that contribute to the overall cyber security posture of an organization. These domains are:
- Asset, Change, and Configuration Management (ASSET)
- Threat and Vulnerability Management (THREAT)
- Risk Management (RISK)
- Identity and Access Management (ACCESS)
- Situational Awareness (SITUATION)
- Event and Incident Response, Continuity of Operations (RESPONSE)
- Third-Party Risk Management (THIRD-PARTIES)
- Workforce Management (WORKFORCE)
- Cybersecurity Architecture (ARCHITECTURE)
- Cybersecurity Program Management (PROGRAM)
C2M2’s Maturity Model
The C2M2 is a maturity model, that is, it is “a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.”
In C2M2, progress is represented by maturity indicator levels (MILs). MILs provide a structure for the attainment of increasing completeness, technical sophistication, and institutionalization of cybersecurity practices. The MILs are cumulative within each domain in that to attain a MIL in a given domain, all of the practices in that level must be fully implemented, and to move up a level, all of the practices in lower levels must be attained.
These are the four MILs in C2M2:
- MIL0 means that the practices at MIL1 have not been implemented. All of the MIL1 practices in a domain must be implemented to achieve MIL1 in that domain; therefore, as long as even one of the domain’s MIL1 practices has not yet been implemented, the organization is at MIL0 in the domain.
- MIL1 represents the basic cybersecurity activities that any organization should perform.
- MIL2 practices are progressively more complete, advanced, and ingrained in the way the organization operates. These are the model’s intermediate practices.
- MIL3 practices are more complete, advanced, and ingrained than MIL2 practices; MIL3 practices are also tightly connected to the organization’s risk management program. These are the model’s advanced practices.
How to Implement C2M2?
Rabbon has developed a methodology which is a recommended process for using the model that involves five steps, as shown in the Figure below
Identify: The organisation’s plan to become c2M2 compliant starts by identifying the scope of the C2M2 implementation. plans for the model’s effective and efficient implementation. The identification includes selecting the function and scope against which to apply the model, choosing the most appropriate stakeholders related to the function being evaluated, selecting an evaluation facilitator knowledgeable about the C2M2 and the selected function, scheduling the evaluation, and informing and preparing the participants.
Evaluate: The organisation conducts the evaluation to identify maturity indicator levels of cybersecurity practices, discuss successes and gaps related to the practices, and record decisions and associated discussion. Best approaches to performing the evaluation include setting up the location, conducting the evaluation, and presenting and discussing initial results and next steps. The organisation must review the results of the evaluation to identify gaps between where the organization currently stands in cybersecurity maturity and the desired level of maturity. The organisation must assess the maturity gaps to determine their priority (i.e., the order in which gaps should be mitigated) and develops a mitigation plan.
Implement: The organisation must enact the Gap Mitigation Plan to address prioritized gaps and periodically reevaluate the plan to maintain C2M2 focus and relevance. Best approaches to implementation include leveraging established strategic planning processes—or adopting suggested processes—to allocate resources to the mitigation actions, clearly define the scope of the actions, manage the implementation, and track progress based on established metrics and timelines. Once the identified gaps are filled new gap assessment is highly recommended to reevaluate the Gap Mitigation Plan.
Cybersecurity is what we do
Rabbon is a Cybersecurity company based with offices in Sydney and Melbourne. We lead a team of Cyber Security Consultants, we help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that “Cybersecurity is for everyone“
You can contact our Cyber Security Consultants for an obligation free consultation.
Email: [email protected]