To address new threats facing the industry, the new C2M2 v2.0 framework includes updates to clarify guidelines and adds an additional domain – Cybersecurity Architecture. This domain is to help ensure that organizations take appropriate measures to protect networks and data. The C2M2 v2.0 framework can be used across all subsectors, replacing the older versions adapted to the electricity and oil and gas subsectors.
The Cybersecurity Capability Maturity Model (C2M2) C2M2 framework is just one of many maturity model tools that can be used by organizations to measure and improve their cybersecurity programs. The US Department of Energy (DOE) released the C2M2 model in 2012 to help energy companies measure the progress of their cybersecurity programs in a consistent way.
Over time, the DOE has recognized the need to update the framework in response to major changes in the industry, including an increase in significant threats to the energy sector.
Why Use the C2M2 v2.0 Framework and What’s Different
In general, the framework is easier to use and helps you understand the maturity of your program in light of newer threats.
One of the more significant updates is that the C2M2 v2.0 framework can be used across all subsectors. There are no longer separate versions of the frameworks adapted specifically to the electricity and oil and gas subsectors.
And, while it’s not a requirement, it’s a good idea to use the updated framework because it can help organizations understand the progress of their cybersecurity program using best practices.
As far as differences go, changes were made to address new threats including enhancements to the cybersecurity practices across the model, and changes to the Risk Management and Third-Party Risk Management domains.
The updated version of the C2M2 framework also includes a newly added domain – Cybersecurity Architecture. This domain is to help ensure that organizations take appropriate measures to protect networks and data.
How Maturity is Measured Under the C2M2 v2.0 Framework
Like most other maturity models, the C2M2 2.0 framework uses a tier system to categorize maturity.
The C2M2 framework calls these tiers maturity indicator levels, which range from 0 to 3. This is the same category system used by the previous version of the framework, so there are no surprise changes here. Below is a quick summary of what each maturity indicator level, or MIL, means:
- MIL 0: practices are not performed
- MIL 1: Initial practices are performed but may be ad-hoc
- MIL 2: Management practices are documented and resources are provided. Approach to practices are more complete or advanced than MIL 1.
- MIL 3: Management activities are guided by policies or organizational directives. Effectiveness of activities is evaluated and tracked. Approach to practices are more complete or advanced than MIL 2.
How to Conduct a C2M2 v2.0 Assessment
The Department of Energy has both the PDF version of the C2M2 v2.0 framework and a free online tool to help you conduct an assessment which can be found on their website here. However, there is a more efficient way to conduct an assessment and track progress using the C2M2 v2.0 framework.
Top US energy producers rely on the platform from SecurityGate.io to conduct their framework-based assessments and gain the insights they need to confidently make improvements that matter. SecurityGate.io has the updated C2M2 v2.0 framework ready for you to use as soon as you get started in the platform. Assessment questions can be sent securely to other stakeholders at your organization so your team can quickly get the responses from appropriate team members and be on your way to evaluating overall maturity.
Reduce Assessment Headaches with SecurityGate.io
All the changes made to the C2M2 framework are available in the SecurityGate.io platform. Ditch the spreadsheets and PDFs for a modern software tool. Built for consultants and internal cybersecurity teams, SecurityGate.io’s cloud-based platform serves as a central repository for all data and can immediately provide insights, giving executive leadership an accurate understanding of where the company is in its cybersecurity journey. Contact our team today to see how SecurityGate.io can change the way your company manages OT/ICS risk.