• C2M2 Cybersecurity Maturity Model

  • The C2M2 capability maturity model is a framework for measuring the maturity level of your security program. Another popular approach is the CMMI (Capability Maturity Model Integration).

    The CMMI measure 5 levels of maturity on a scale of 1-5. CMMI defines the following maturity levels for processes: Initial, Managed, Defined, Quantitatively Managed, and Optimizing. This approach was originally for software development, but has been adapted processes in information security.

    CMMI Maturity levels.

    The CMMI maturity model is often used in conjunction with the NIST Cybersecurity Framework to measure the maturity of these five functions:

    • Identify
    • Protect
    • Detect
    • Respond
    • Recover

    Context also needs to be applied to the maturity assessment to determine the level of maturity.

    The appropriate context includes considerations such as:

    • Industry
    • Criticality of the data
    • Previous breaches
    • Competitor and peer positions
    • Geographical location

    The resulting maturity assessment is typically visualized in a bar graph like this:

    CMMI maturity visualized.

    C2M2 Maturity Model

     The C2M2 is a voluntary evaluation framework utilizing industry-standard cybersecurity approaches that can be used to measure the maturity of an organization’s cybersecurity capabilities. The C2M2 is designed to measure the sophistication and sustainment of a cyber security program. The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations. 

    The C2M2 starts with a self-evaluation toolkit that takes approximately on day to complete. You can utilize the C2M2 model in advanced security programs as well as newly started security programs.

    The intent of the C2M2 maturity model is stated as follows:

    • Strengthen organizations’ cybersecurity capabilities
    • Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
    • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
    • Enable organizations to prioritize actions and investments to improve cybersecurity

    While the CMMI is used with the NIST CSF five functions, the C2M2 maturity model focuses on these ten domains:

    • Risk Management
    • Asset, change, and configuration management
    • Identity and access management
    • Threat and vulnerability management
    • Situational Awareness
    • Information sharing and communications
    • Event and incident response, continuity of operations
    • Supply chain and external dependencies management
    • Workforce management
    • Cybersecurity program management

    C2M2 Maturity Level Indicators

    The C2M2 measures 4 maturity levels of MIL0-MIL3 (MIL: Maturity Level Indicator). The MILs apply independently to each domain in the model. This means you can have domains operating at different levels os maturity simultaneously.

    The MILs are cumulative within each domain; to advance a MIL in a given domain, an organization must perform all of the practices in that level and its previous level(s). For example, if your organization wants to achieve MIL3 in the Risk Management Domain, you must meet all the criteria for MIL1, MIL2, and not just the criteria for MIL3.

    The characteristics of the C2M2 Maturity model are as follows:

    C2M2 maturity levels

    This is a better approach than the CMMI maturity model since it takes a more wholistic approach to information security. This is also a descriptive framework which means your organization can adapt the framework to meet the organizational context, constraints, and budget.

    Security Maturity Assessments

    Performing a maturity assessment is part of the strategic planning process for security. The goal is to identify the maturity of your security program and what steps to take going forward. The assessment process naturally leads to a gap analysis that provides a roadmap for the security maturity process.

    Crossroads Information Security provides security maturity assessments complete with a gap analysis, and a three year roadmap for your security program. The benefits of our approach to maturity assessments include:

    • An objective approach to the assessment
    • Industry standard frameworks are utilized
    • Technical and executive level reporting
    • Trained staff with the tools and frameworks for strategic planning

    We also perform specific maturity assessments that evaluate the maturity of specific areas of information security program such as:

    • Incident Response maturity assessment
    • Incident Response capability assessments
    • Vendor Management
    • Security Metrics