C2M2 Cheat Sheet V1 - Aug 13 2022


Cybersecurity Capability Maturity Model (C2M2) Version 2.1 Cheat Sheet
Domains, Maturity Indicator Level (MIL) definitions, and evaluation tool answer scale for the C2M2 Initiative
Domains

Asset, Change, and Configuration Management (ASSET)
Manage the organization’s IT and OT assets, including both hardware and software, and information assets, commensurate with the risk to critical infrastructure and organizational objectives.

Threat and Vulnerability Management (THREAT)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (such as critical, IT, and operational) and organizational objectives.

Risk Management (RISK)
Establish, operate, and maintain an enterprise cyber risk management program to identify, analyze, and respond to cyber risk the organization is subject to, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.

Identity and Access Management (ACCESS)
Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

Situational Awareness (SITUATION)
Establish and maintain activities and technologies to collect, monitor, analyze, alarm, report, and use operational, security, and threat information, including status and summary information from the other model domains, to establish situational awareness for both the organization’s operational state and cybersecurity state.

Event and Incident Response, Continuity of Operations (RESPONSE)
Establish and maintain plans, procedures, and technologies to detect, analyze, mitigate, respond to, and recover from cybersecurity events and incidents and to sustain operations during cybersecurity incidents, commensurate with the risk to critical infrastructure and organizational objectives.

Third-Party Risk Management (THIRD-PARTIES)
Establish and maintain controls to manage the cyber risks arising from suppliers and other third parties, commensurate with the risk to critical infrastructure and organizational objectives.

Workforce Management (WORKFORCE)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Architecture (ARCHITECTURE)
Establish and maintain the structure and behavior of the organization’s cybersecurity architecture, including controls, processes, technologies, and other elements, commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management (PROGRAM)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with both the organization’s strategic objectives and the risk to critical infrastructure.
Maturity Indicator Level (MIL) Definitions: Defining a Progression of Maturity

MIL 0
Practices are not performed. Performance at MIL0 simply means that MIL1 in a given domain or objective has not been achieved.

MIL 1
Practices at this level may be performed in an informal or ad hoc manner. This may depend on the initiative and experience of an individual or team, without much organizational guidance in the form of a prescribed plan, policy, or training. Documentation is not required.

MIL 2
Management characteristics:
• Practices are documented
• Adequate resources are provided to support the process
Approach characteristic:
• Practices are more complete or advanced than at MIL1

MIL 3
Management characteristics:
• Activities are guided by policies (or other organizational directives)
• Responsibility, accountability, and authority for performing the practices are assigned
• Personnel performing the practices have adequate skills and knowledge
• The effectiveness of activities is evaluated and tracked
Approach characteristic:
• Practices are more complete or advanced than at MIL2

Practice Implementation Scores

To determine a MIL score, first evaluate the practices on a 4-point scale. Each answer states that the organization’s performance of the practice described in the model is:

Fully Implemented: Complete
Largely Implemented: Complete, but with a recognized opportunity for improvement
Partially Implemented: Incomplete; there are multiple opportunities for improvement
Not Implemented: Absent; the practice is not performed by the organization

Note: The distinction between Largely Implemented and Partially Implemented is important and depends on how much work is necessary for the practice to be Fully Implemented. If there is more than one significant action, the practice should be scored as Partially Implemented. If only one action is required, or the actions are considered minor, the practice should be scored as Largely Implemented.
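The following Python is an added example, not part of the cheat sheet and not code from DOE's C2M2 evaluation tool. It encodes the 4-point answer scale and the note's Largely-versus-Partially rule as a function of how much work an assessor records as outstanding, then rolls practice scores up to an achieved MIL. The roll-up rule is not given on this page; the code assumes C2M2's convention that a MIL is achieved only when every practice at that MIL and at every lower MIL is Fully or Largely Implemented, and MIL 0 means MIL 1 was not achieved. The practice identifiers (EX-1a and so on) and the action counts are constructed sample data.

```python
# Added example: C2M2 practice answer scale and an assumed MIL roll-up.
# Not from the cheat sheet or from DOE's C2M2 evaluation tool.
from dataclasses import dataclass
from enum import Enum


class Score(str, Enum):
    """The cheat sheet's 4-point answer scale."""
    FULLY = "Fully Implemented"
    LARGELY = "Largely Implemented"
    PARTIALLY = "Partially Implemented"
    NOT = "Not Implemented"


IMPLEMENTED = {Score.FULLY, Score.LARGELY}   # the two answers that count toward a MIL


def score_practice(performed: bool, significant_actions: int, minor_actions: int = 0) -> Score:
    """Score one practice from the work still needed to reach full implementation.

    significant_actions and minor_actions are the assessor's counts of remaining
    actions; the thresholds mirror the cheat sheet's note on Largely vs Partially.
    """
    if not performed:
        return Score.NOT                      # absent: the practice is not performed
    if significant_actions == 0 and minor_actions == 0:
        return Score.FULLY                    # complete
    if significant_actions > 1:
        return Score.PARTIALLY                # more than one significant action outstanding
    return Score.LARGELY                      # one significant action, or only minor ones


@dataclass(frozen=True)
class Practice:
    ident: str   # constructed placeholder id, not a real C2M2 practice identifier
    mil: int     # the MIL (1, 2 or 3) the practice belongs to
    score: Score


def achieved_mil(practices: list[Practice]) -> int:
    """Highest MIL whose practices, and every lower MIL's practices, are Fully or Largely Implemented.

    ASSUMED roll-up rule (C2M2's usual convention, not stated on the cheat sheet).
    An empty assessment achieves nothing; a level with no practices passes trivially.
    """
    if not practices:
        return 0
    achieved = 0
    for mil in (1, 2, 3):
        at_level = [p for p in practices if p.mil == mil]
        if all(p.score in IMPLEMENTED for p in at_level):
            achieved = mil
        else:
            break                             # a gap at this level caps the result
    return achieved


def gaps(practices: list[Practice]) -> list[str]:
    """Ids of the practices blocking the next MIL: the lowest level with a gap."""
    for mil in (1, 2, 3):
        blocking = [p.ident for p in practices
                    if p.mil == mil and p.score not in IMPLEMENTED]
        if blocking:
            return blocking
    return []


# Constructed sample assessment for one hypothetical domain.
SAMPLE = [
    Practice("EX-1a", 1, score_practice(True, 0)),        # Fully Implemented
    Practice("EX-1b", 1, score_practice(True, 0, 2)),     # Largely: only minor actions left
    Practice("EX-1c", 2, score_practice(True, 1)),        # Largely: one significant action left
    Practice("EX-1d", 2, score_practice(True, 2)),        # Partially: two significant actions left
    Practice("EX-1e", 3, score_practice(False, 0)),       # Not Implemented
]

if __name__ == "__main__":
    print("achieved MIL:", achieved_mil(SAMPLE))    # 1
    print("blocking practices:", gaps(SAMPLE))      # ['EX-1d']
```

In the sample, both MIL 1 practices are implemented, so MIL 1 is achieved, but EX-1d at MIL 2 is only Partially Implemented, which caps the domain at MIL 1 regardless of anything recorded at MIL 3; `gaps` points the assessor at that practice first.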
