Industrial Internet Security Framework v 1.0 | Page 135

Annex B CYBER SECURITY CAPABILITY MATURITY MODEL (C2M2)

The Cyber Security Capability Maturity Model (C2M2) evaluates the maturity of an organization's security posture and processes. The model allows for:

• assessment of the existing state of the security posture of the organization and its products,
• establishment of a target security profile, which states what security goals are to be achieved given the current state, existing risks and business strategies, and
• prioritization of the gaps identified between the current state and the target profile, and identification of the security activities required to address those gaps.

The model presents a holistic approach to securing Industrial Internet of Things systems and their components throughout their lifetime, from early design through implementation, deployment and maintenance to retirement. It includes evaluation of specific security technologies and of the managerial and business context in which they are used. Such context is absolutely necessary to identify threats and manage risks to IIoT systems.

C2M2 was developed by the U.S. Department of Energy in conjunction with industry representatives. Interested readers can refer to the C2M2 framework [ENER-C2M2] for more detailed information. The model is summarized here because the Industrial Internet Consortium uses it as part of the IIC testbed process.

The C2M2 maturity model is a set of characteristics, indicators or patterns that represent capability and progression of behaviors, practices and processes in a particular discipline. An associated assessment methodology defines best-practice activities, typically grouped into practice areas. Each requirement is given a score corresponding to a discrete maturity level that rates the extent to which a best practice is repeatable, practiced and measured for effectiveness. Each practice area has its own score, as an averaged score is not useful in guiding corrective actions.

B.1 LOGICAL GROUPINGS

The C2M2 model comprises ten logical groupings of security activities (domains). Each domain¹ has a number of objectives, each of which has a progression of practices at different maturity levels, called Maturity Indicator Levels (MILs). For example, the Supply Chain and External Dependencies Management domain is a group of practices that an organization can perform to manage the risks associated with services and assets that depend on external entities. This domain includes the following objectives: identify dependencies, manage dependency risk and management activities. The first objective in this domain includes practices such as identification of Information Technology (IT) and Operational Technology (OT) supplier dependencies, identification of customer dependencies, and prioritization of dependencies. Each

¹ In the IIRA, domains are used to segment functionality in the IIoT. In the C2M2 they are used to segment security activities.

IIC:PUB:G4:V1.0:PB:20160926 - 135 -