
C2M2: The government's free model for assessing your cybersecurity protocols
Global cyber threats want access to critical infrastructure and data. Organizations are instituting the federal government's free Cybersecurity Capability Maturity Model to protect themselves.
Cybersecurity is among the most serious national and economic challenges confronting the United States today. From private institutions to government agencies, the consequences of unprotected data have rattled organizations to their core. Now, leaders at both private and public institutions are using the federal government's open source model to prevent cyber attacks and enhance resilience.
Protecting critical infrastructure from cyber threats
The program under the U.S. Department of Energy's (DOE) Office of Electricity Delivery and Energy Reliability enhances the security and resilience of the nation's critical cyber infrastructure. The DOE chose to make C2M2 open source so that outside institutions may effectively protect their systems from hacker penetration.
In essence, C2M2 helps organizations evaluate and enhance their cybersecurity, keeping their valuable data from being hijacked, using easily accessible, free toolkits and resources.
Established in 2012, the original model was dubbed ES-C2M2 and was the result of a White House initiative for the electricity subsector. The effort was led by the DOE in partnership with the U.S. Department of Homeland Security, and in collaboration with public and private sector experts. In February 2014, the DOE published the first version of the model.
The program consists of three key components:
- Electricity Subsector-Cybersecurity Capability Maturity Model (ES-C2M2)
- Oil and Natural Gas Subsector-Cybersecurity Capability Maturity Model (ONG-C2M2)
- Cybersecurity Capability Maturity Model (C2M2)
The current C2M2 is designed to be an easily replicable framework that measures a set of defined characteristics for strengths and vulnerabilities in any organization, regardless of its industry or size. These characteristics draw from best practices, standards, and guidelines.
How the C2M2 works
An organization that intends to roll out C2M2 typically starts the process with a day-long collaborative session to evaluate its current security measures. Each current practice is categorized as fully implemented, largely implemented, partially implemented, not implemented, or not applicable. The answers are then recorded in the C2M2 toolkit.

The model looks at 10 domains of cybersecurity in this evaluation phase:
- Risk management
- Asset, change, and configuration management
- Identity and access management
- Threat and vulnerability management
- Situational awareness
- Information sharing and communications
- Event and incident response, continuity of operations
- Supply chain and external dependencies management
- Workforce management
- Cybersecurity program management
The toolkit processes the answers and generates a detailed summary of gaps. We rank each domain within the organization at a Maturity Indicator Level (MIL), from MIL0 to MIL3.
Each MIL includes two areas of cybersecurity progression: approach progression and institutionalization progression.
Approach progression refers to the completeness, thoroughness, or level of development of an activity in a domain. Institutionalization progression describes the extent to which a practice or activity is ingrained in an organization's operations.
The more deeply ingrained an activity, the more likely the organization will continue to perform the practice over time, under pressure, and in a consistent and reliable manner.
The MILs apply independently to each domain. For example, an organization could be operating at MIL3 in the asset, change, and configuration management domain, MIL1 in the supply chain and external dependencies management domain, and MIL0 in a third domain.
MILs are also cumulative within each domain. In the above example, to earn a MIL3 in the asset, change, and configuration management domain, the organization must perform all the practices in the MIL1, MIL2, and MIL3 levels.
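The per-domain, cumulative MIL rule described above, worked through as an added example. This is illustrative code, not the DOE C2M2 toolkit's own scoring logic; the rule that a practice counts as performed when it is fully or largely implemented (with not-applicable practices not counted against a level), the function names, and the sample domain ratings are all assumptions constructed for the example.

```python
"""
Added example: derive a C2M2 Maturity Indicator Level (MIL) for each domain
from the practice ratings recorded in an assessment session.
Not the DOE toolkit; scoring rule and sample data are assumptions.
"""
from collections import defaultdict

# Rating vocabulary used in the evaluation session.
RATINGS = {"fully", "largely", "partially", "not_implemented", "not_applicable"}

# Assumption: a practice is "performed" when fully or largely implemented.
# Not-applicable practices are treated as satisfied so they never block a level.
PERFORMED = {"fully", "largely", "not_applicable"}


def domain_mil(practices):
    """
    practices: list of (mil_level, rating) tuples for one domain, where
    mil_level is 1, 2 or 3. Returns the domain's MIL (0..3).

    MILs are cumulative: MIL3 requires every practice at MIL1, MIL2 and MIL3
    to be performed, so walk up the levels and stop at the first that is not
    fully achieved.
    """
    by_level = defaultdict(list)
    for level, rating in practices:
        if rating not in RATINGS:
            raise ValueError(f"unknown rating: {rating}")
        if level not in (1, 2, 3):
            raise ValueError(f"unknown MIL level: {level}")
        by_level[level].append(rating)

    achieved = 0
    for level in (1, 2, 3):
        if all(r in PERFORMED for r in by_level.get(level, [])):
            achieved = level
        else:
            break  # higher levels cannot be credited once a lower one fails
    return achieved


def assess(domains):
    """Return {domain_name: MIL}. MILs apply independently to each domain."""
    return {name: domain_mil(practices) for name, practices in domains.items()}


def gaps(practices, target_mil):
    """Practices at or below the target level that are not performed:
    the list an organization must close to reach target_mil."""
    return [(lvl, r) for lvl, r in practices
            if lvl <= target_mil and r not in PERFORMED]


# Constructed sample assessment mirroring the article's example: MIL3 in one
# domain, MIL1 in another, MIL0 in a third.
SAMPLE = {
    "Asset, change, and configuration management": [
        (1, "fully"), (1, "largely"), (2, "fully"), (2, "fully"),
        (3, "largely"), (3, "fully")],
    "Supply chain and external dependencies management": [
        (1, "fully"), (1, "fully"), (2, "partially"), (2, "fully"), (3, "fully")],
    # A single MIL1 practice not implemented holds this domain at MIL0, even
    # though its MIL2 and MIL3 practices are fully implemented.
    "Workforce management": [
        (1, "not_implemented"), (1, "fully"), (2, "fully"), (3, "fully")],
}

if __name__ == "__main__":
    for domain, mil in assess(SAMPLE).items():
        print(f"{domain}: MIL{mil}")
        for lvl, rating in gaps(SAMPLE[domain], 3):
            print(f"  gap toward MIL3: MIL{lvl} practice rated '{rating}'")
```

The third sample domain is the instructive case: because levels are cumulative, strong MIL2 and MIL3 practices earn nothing while a MIL1 practice remains unimplemented, which is why the gap report is sorted by level in practice.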

However, the C2M2 does not suggest every organization should attempt to achieve the highest MILs. Rather, an organization's business objectives, cybersecurity strategy, financial capabilities, and other independent factors direct which MILs should be strategized and emphasized within the different domains.
When employed correctly, the C2M2 should help an organization:
- Effectively and consistently measure and benchmark cybersecurity capabilities.
- Prioritize actions and investments to improve cybersecurity.
- Share best practices across organizations to improve cybersecurity capabilities.
The explosive growth in organizations relying on cybersecurity to safeguard their data and information has necessitated the development of a standardized program for regular cybersecurity assessments. The C2M2 is among the best free programs available that comes with a formalized process.
ICF's cybersecurity experts participated in the development of the ES-C2M2 and its derivative models, in addition to supporting DOE in C2M2 program management activities. Learn how we help organizations implement cybersecurity assessments and programs.