Cybersecurity Capability Maturity Model (C2M2)

https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2

Cybersecurity Capability Maturity Model (C2M2)

 

The Cybersecurity Capability Maturity Model (C2M2) is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments.  

While the U.S. energy industry led development of the C2M2 and championed its adoption, any organization—regardless of size, type, or industry—can use the model to evaluate, prioritize, and improve their cybersecurity capabilities.

 

What is a Maturity Model?

• A Crawl/Walk/Run-style set of characteristics, practices, or processes that represent the progression of capabilities in a particular discipline
• A tool to benchmark current capabilities and identify goals and priorities for improvement

Organizations can use the C2M2 to consistently measure their cybersecurity capabilities over time, identify target maturity levels based on risk, and prioritize the actions and investments that allow them to meet their targets.

 

C2M2 User Community

U.S. energy organizations have been using the C2M2 to evaluate and improve their cybersecurity capabilities for more than a decade. Since 2012, DOE has responded to more than 2,400 requests for the C2M2 PDF-based Tool from owners and operators in U.S. critical infrastructure sectors and international partners that are adopting the model. Increasing tool requests suggests a growing adoption of the C2M2 across the globe.

 

History of the C2M2

DOE developed the C2M2 in 2012 with energy and cybersecurity industry experts, in support of a White House initiative focused on assessing the security posture of the electricity industry. Hundreds of energy sector stakeholders have participated in subsequent model updates.

Version 1.1, released in 2014, included three versions targeting users in the electricity sector, oil and natural gas sector, and all sectors. Version 2.0, released July 2021, unified the model into one version tailored for the energy sector and made significant updates to reflect changing technology, threats, and security approaches. Version 2.1 – the latest release from June 2022 – made further refinements to the model and tools.

Components of the C2M2

The model contains more than 350 cybersecurity practices, which are grouped by objective into 10 logical domains. Each practice is assigned a maturity indicator level (MIL) that indicates the progression of practices within a domain.

Practices

Practices are the most fundamental component of the C2M2. Each practice is a brief statement describing a cybersecurity activity that may be performed by an organization. Practices within each domain are organized to progress along a maturity scale.

Maturity Indicator Levels (MILs)

To measure progression, the C2M2 uses a scale of maturity indicator levels, each representing maturity attributes described in the table below. Organizations that implement the cybersecurity practices within each MIL achieve that level.

 

 

 

---

사이버 보안 역량 성숙도 모델(C2M2)은 조직들이 그들의 사이버 보안 역량을 평가하고 보안 투자를 최적화하는 것을 돕기 위한 자유로운 도구이다. 그것은 정보 기술(IT)과 운영 기술(OT) 자산 및 환경 모두에 초점을 맞춘 업계에서 갈망하는 일련의 사이버 보안 관행을 사용한다.  
미국 에너지 산업이 C2M2의 개발을 주도하고 채택을 옹호한 반면, 규모, 유형 또는 산업에 관계없이 모든 조직은 이 모델을 사용하여 사이버 보안 능력을 평가하고 우선 순위를 정하고 개선할 수 있다.

성숙도 모델이란?
- 특정 분야에서 능력의 발전을 나타내는 특징, 관행 또는 프로세스의 크롤/워크/런 스타일 집합
- 현재의 기능을 벤치마킹하고 개선 목표와 우선순위를 파악하는 도구
조직은 C2M2를 사용하여 사이버 보안 능력을 시간이 지남에 따라 일관되게 측정하고 위험에 따라 목표 성숙 수준을 파악하며 목표를 달성할 수 있는 조치와 투자의 우선 순위를 정할 수 있다.

C2M2 사용자 커뮤니티
미국 에너지 기관들은 10년 이상 C2M2를 사용하여 사이버 보안 능력을 평가하고 향상시켜 왔다. 2012년부터 DOE는 미국의 중요한 인프라 분야의 소유자와 사업자, 그리고 이 모델을 채택하고 있는 국제 파트너들로부터 C2M2 PDF 기반 Tool에 대한 2,400개 이상의 요청에 응답했다. 전 세계적으로 증가하는 툴 요청은 C2M2의 채택이 증가하고 있음을 시사한다.

C2M2의 역사
DOE는 2012년 에너지 및 사이버 보안 산업 전문가들과 함께 전력 산업의 보안 태세를 평가하는 데 중점을 둔 백악관 계획을 지지하기 위해 C2M2를 개발했다. 이후 수백 명의 에너지 부문 이해 관계자들이 모델 업데이트에 참여했다.

2014년에 출시된 버전 1.1은 전력 부문, 석유 및 천연가스 부문 및 모든 부문의 사용자를 대상으로 하는 3가지 버전을 포함하였다. 2021년 7월에 출시된 버전 2.0은 에너지 부문에 맞게 모델을 하나의 버전으로 통합하고 변화하는 기술, 위협 및 보안 접근 방식을 반영하기 위해 상당한 업데이트를 수행하였다. 버전 2.1 – 2022년 6월에 출시된 최신 버전 – 모델과 도구를 더욱 개선하였다.

C2M2의 Components
모델에는 350개 이상의 사이버 보안 관행이 포함되어 있으며, 이들은 목적에 따라 10개의 논리 도메인으로 그룹화된다. 각 관행에는 도메인 내 관행의 진행을 나타내는 성숙 지표 수준(MIL)이 할당된다.

Practice
관행은 C2M2의 가장 기본적인 구성 요소이다. 각각의 관행은 조직에 의해 수행될 수 있는 사이버 보안 활동을 기술하는 간략한 진술이다. 각 도메인 내의 관행은 성숙 척도를 따라 진행되도록 구성된다.

성숙도 지표 수준(MIL)
진행률을 측정하기 위해 C2M2는 각각 아래 표에 설명된 만기 속성을 나타내는 만기 지표 수준의 척도를 사용한다.