Cybersecurity Capability Maturity Model (C2M2) Version 2.0

This download includes the Cybersecurity Capability Maturity Model (C2M2) version 2.0. There are no mapped questions. Use this download if you just want the provisions and want to create your own question set.

The C2M2 focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The model can be used to:

• strengthen organizations’ cybersecurity capabilities
• enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
• share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
• enable organizations to prioritize actions and investments to improve cybersecurity capabilities

The C2M2 is designed for use with a self-evaluation methodology and tool (available by request) for an organization to measure and improve its cybersecurity program. A self-evaluation using the tool can be completed in one day, but the tool could be adapted for more rigorous evaluation effort. Additionally, the C2M2 can be used to guide the development
of a new cybersecurity program.

The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so that it can be interpreted by organizations of various types, structures, sizes, and industries. Broad use of the model by a sector can support benchmarking of the sector’s cybersecurity capabilities. These attributes also make the C2M2 an easily scalable tool for implementing the NIST Cybersecurity Framework [NIST CSF]

Intended Audience:

The C2M2 enables organizations to evaluate cybersecurity capabilities consistently,communicate capability levels in meaningful terms, and prioritize cybersecurity investments.The model can be used by any organization, regardless of ownership, structure, size, or industry. Within an organization, various stakeholders may benefit from familiarity with the
model. This document specifically targets people in the following organizational roles:

• Decision makers (executives) who control the allocation of resources and the management of risk in organizations; these are typically senior leaders.
• Leaders with responsibility for managing organizational resources and operationsassociated with the domains of this model (See Section 4.1 for more information on the content of each C2M2 domain.)
• Practitioners with responsibility for supporting the organization in the use of this model (planning and managing changes in the organization based on the model)
• Facilitators with responsibility for leading a self-evaluation of the organization based on this model and an evaluation tool and analyzing the self-evaluation results.