⚙️Build trust faster with streamlined custody and AI-driven assurance. Register now
MarketplaceCybersecurity
CybersecurityFrameworkIn 6clicks App

C2M2Cybersecurity Capability Maturity Model

The Cybersecurity Capability Maturity Model (C2M2) is a tool developed by the U.S. Department of Energy to help organizations evaluate and enhance their cybersecurity capabilities. It focuses on both IT and OT environments, offering a structured framework of over 350 practices organized into 10 domains.

Talk to a GRC ExpertView source ↗
The C2M2 was initiated by the U.S. Department of Energy in collaboration with energy and cybersecurity industry stakeholders to address cybersecurity risks in critical infrastructure, including the energy sector. The model offers a maturity-based approach, with practices organized into domains, objectives, and maturity indicator levels (MILs). Initially targeted at the energy sector, it has been adopted across industries worldwide. Version 2.1, released in June 2022, features improvements in technology alignment, threat relevance, and usability. Supplemental tools, such as self-evaluation platforms and mapping guides, enhance user accessibility and simplify adoption. The model is designed to measure and improve cybersecurity over time, aiding organizations in prioritizing security investments and achieving targeted maturity levels.
#cybersecurity#maturity model#critical infrastructure#energy#self evaluation#risk management

Related in Cybersecurity

CybersecurityGuidelineIn 6clicks App

CISA ZTMM V2 — CISA Zero Trust Maturity Model V2

The CISA Zero Trust Maturity Model V2 provides a structured roadmap for organizations implementing a zero trust architecture. It outlines five key pillars and associated maturity levels to guide strategies and execution.

Issuer
US Department of Homeland Security (DHS)
Jurisdiction
United States
Version
2
Updated
Apr 2023
View detailszero trust · cybersecurity
CybersecurityGuidelineIn 6clicks App

Guidelines on ICT and Security Risk Management

The EBA Guidelines establish requirements for credit institutions, investment firms, and payment service providers on mitigating and managing information and communication technology (ICT) risks. They aim to ensure a consistent and robust approach to ICT and security risk management across the EU financial sector.

Issuer
European Banking Authority (EBA)
Jurisdiction
European Union
Version
2025 update
Updated
Jul 2025
View detailsict risk · security management
CybersecurityControl setIn 6clicks App

ECC 2-2024 — Essential Cybersecurity Controls

The Essential Cybersecurity Controls (ECC 2-2024) aim to enhance cybersecurity at the national level in Saudi Arabia. They provide policies and controls to protect the information and technological assets of national entities.

Issuer
National Cybersecurity Authority
Jurisdiction
Kingdom of Saudi Arabia
Version
2-2024
Updated
Apr 2026
View detailscybersecurity · controls