Cybersecurity Capability Maturity Model (C2M2)

What is the Cybersecurity Capability Maturity Model?

The Cybersecurity Capability Maturity Model (C2M2) is a framework developed by the United States Department of Energy. It was initially published in 2012 and most recently updated in 2022. It is a voluntary framework designed to help organizations evaluate their cybersecurity capabilities and optimize security investments. C2M2 defines practices across 10 cybersecurity domains and measures progression within each domain using maturity level indicators.

Who is the intended audience?

The C2M2 model was developed by the Department of Energy alongside asset owners and operators in the electricity, oil, and natural gas industries. However, it is intended for organizations across all sectors and is leveraged today within the energy, manufacturing, healthcare, financial services, and other sectors.

Where can I find more information?

The following resources can be found on the U.S. Department of Energy website:

How can runZero help me with these controls?

The following illustrates how runZero aligns with each of the 10 domains of C2M2 v2.1. Where Strong alignment is noted, runZero can play a significant role in helping an organization implement safeguards. Where Partial alignment is noted, runZero can play a complementary role in helping an organization implement safeguards.

Domains	Strong alignment	Partial alignment
Asset, Change, and Confirmation Management (ASSET)	✔
Threat and Vulnerability Management (THREAT)		✔
Risk Management (RISK)		✔
Identity and Access Management (ACCESS)
Situational Awareness (SITUATION)
Event and Incident Response, Continuity of Operations (RESPONSE)
Third-Party Risk Management (THIRD-PARTIES)
Workforce Management (WORKFORCE)
Cybersecurity Architecture (ARCHITECTURE)		✔
Cybersecurity Program Management (PROGRAM)

Updated February 22, 2024

Previous: CISA Binding Operational Directive (BOD) 23-01 Next: Cybersecurity Maturity Model Certification (CMMC)