Cybersecurity Capability Maturity Model (C2M2) Version 2.0

Abstract

Repeated cyber intrusions into organizations of all types demonstrate the need for improved cybersecurity. Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats.

The Cybersecurity Capability Maturity Model (C2M2) can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. The C2M2 focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The model can be used to:

  • Strengthen organizations' cybersecurity capabilities
  • Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
  • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
  • Enable organizations to prioritize actions and investments to improve cybersecurity

The C2M2 is designed for use with a self-evaluation methodology and toolkit (available by request) for an organization to measure and improve its cybersecurity program. A self-evaluation using the toolkit can be completed in one day, but the toolkit could be adapted for a more rigorous evaluation effort. Additionally, the C2M2 can be used to guide the development of a new cybersecurity program. The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so it can be interpreted by organizations of various types, structures, sizes, and industries. Broad use of the model by a sector can support benchmarking of the sector's cybersecurity capabilities.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2019
Accession Number
AD1078768

Entities

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Business Administration
  • Computer Programming
  • Computer Security Techniques
  • Computers
  • Cyber Threats
  • Cyberattacks
  • Cybersecurity
  • Information Security
  • Information Systems
  • International Organizations
  • Malware
  • National Security
  • Organizational Structure
  • Risk Analysis
  • Security Personnel
  • Situational Awareness
  • Software Development

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Systems Analysis and Design

Technology Areas

  • Cyber