🤖 Ready for Sovereignty 2026: Australian Insights Report. Get your copy
MarketplaceCybersecurityC2M2
CybersecurityFramework

C2M2

Cybersecurity Capability Maturity Model

The Cybersecurity Capability Maturity Model (C2M2) is a tool developed by the U.S. Department of Energy to help organizations evaluate and enhance their cybersecurity capabilities. It focuses on both IT and OT environments, offering a structured framework of over 350 practices organized into 10 domains.

Book your strategy callView source ↗

Overview

The C2M2 was initiated by the U.S. Department of Energy in collaboration with energy and cybersecurity industry stakeholders to address cybersecurity risks in critical infrastructure, including the energy sector. The model offers a maturity-based approach, with practices organized into domains, objectives, and maturity indicator levels (MILs). Initially targeted at the energy sector, it has been adopted across industries worldwide. Version 2.1, released in June 2022, features improvements in technology alignment, threat relevance, and usability. Supplemental tools, such as self-evaluation platforms and mapping guides, enhance user accessibility and simplify adoption. The model is designed to measure and improve cybersecurity over time, aiding organizations in prioritizing security investments and achieving targeted maturity levels.

Related in Cybersecurity

CybersecurityStandard

ISM CCM — Information Security Manual Cloud Controls Matrix Template

The Cloud Controls Matrix (CCM) Template is a comprehensive framework for mapping cloud security controls to industry standards and compliance requirements. It helps organizations assess, implement, and demonstrate effective cloud security practices across diverse environments.

Australian Government • Australia • vJune 2026

View details
CybersecurityRegulation

ISM SSP — Information Security Manual System Security Plan Annex Template

The System Security Plan (SSP) Annex Template is a structured document used to capture detailed information about an organization’s cyber security controls and implementation. It supports accreditation processes by providing evidence of compliance, risk management, and system-specific security measures.

Australian Government • Australia • vJune 2026

View details
CybersecurityRegulation

RFFR ISM SoA — Right Fit for Risk Information Security Manual Statement of Applicability

The Right Fit for Risk (RFFR) Statement of Applicability (SoA) is a structured template used to document how organizations meet cyber security accreditation requirements. It outlines applicable controls, their implementation status, and provides assurance of compliance with the RFFR framework.

Australian Government • Australia • vJune 2026

View details
CybersecurityRegulation

ISM — Information Security Manual

The Australian ISM is the nationally recognized cybersecurity framework developed by the Australian Signals Directorate. It provides organizations with structured guidance to safeguard information and operational technology systems against evolving cyber threats.

Australian Government • Australia • vJune 2026

View details

Ready to manage these frameworks?

6clicks maps regulations to controls, evidence and risks — automatically.

Book your strategy call