Industrial Internet Security Framework v 1.0 | Page 137

Security Framework | Annex B: Cybersecurity Capability Maturity Model (C2M2)

B.2 ASSESSMENT PROCESS

Assessors are responsible for leading security evaluations. In the C2M2 model such assessors are referred to as facilitators; details about how facilitators should use C2M2 can be found in the C2M2 Facilitator Guide [ENER-C2M2].

An assessment has assessors and participants. Assessors score and document their observations clearly and objectively; it is not their role to set priorities or dictate implementation details. Multiple assessors can compare notes and reconcile scoring discrepancies; they should be familiar with the content of the model and its artifacts.

Participants are stakeholders in the organizational, system definition, development and maintenance functions. A single participant acts as the primary point of contact with the assessors and takes responsibility for preparation, execution and follow-up. Participants may include product managers, systems and software architects, field service engineers, network engineers, security engineers, software managers and engineers, quality process managers and those involved in testing, validation, deployment and incident response.

The assessors describe the current security posture of the system by generating a scoring report. The scores identify gaps in the performance of model practices. A scoring report can be generated using a Microsoft Excel sheet¹; a scoring report produced from an example file² is shown in Figure B-1. The numbers in the white circles indicate the total number of activities for a given domain and MIL. The numbers in dark green, light green, light red and dark red represent the fully implemented, largely implemented, partially implemented and not implemented activities for each domain at each MIL.

[Figure B-1: A Sample C2M2 Score Report]

The next step is to determine whether the gaps are important for the organization to address. Note that achieving the highest maturity level for every domain in the assessment might not be

¹ See [NRECA-Tmpl]
² See [NRECA-Smpl]

IIC:PUB:G4:V1.0:PB:20160926 - 137 -
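The tallying behind a score report of the kind shown in Figure B-1 can be reproduced in a few lines. The following is an added example, not code from the IISF, the IIC or the C2M2 project: it takes per-practice ratings (the four implementation levels named above), produces the per-domain, per-MIL counts that correspond to the white-circle totals and the four coloured numbers, and lists the practices that constitute gaps. The sample ratings, domain abbreviations and practice identifiers are constructed for illustration. The MIL-achievement rule in `achieved_mil` is not stated on this page; it assumes the C2M2 convention that a domain reaches MIL n only when every practice at MIL n and at all lower MILs is fully or largely implemented.

```python
"""Added example (not from the IISF or C2M2 project): tally a C2M2-style
scoring report from per-practice implementation ratings."""
from collections import defaultdict

# Rating codes for the four implementation levels named in the text.
RATINGS = ("FI", "LI", "PI", "NI")   # fully / largely / partially / not implemented
MILS = (1, 2, 3)                      # maturity indicator levels assessed

# Constructed sample data, NOT a real assessment. Each tuple is
# (domain, MIL, practice id, rating); ids and domains are hypothetical.
SAMPLE_RATINGS = [
    ("RM", 1, "RM-1a", "FI"),
    ("RM", 1, "RM-1b", "FI"),
    ("RM", 2, "RM-1c", "LI"),
    ("RM", 2, "RM-2a", "PI"),
    ("RM", 3, "RM-2b", "NI"),
    ("ACM", 1, "ACM-1a", "FI"),
    ("ACM", 2, "ACM-1b", "FI"),
    ("ACM", 2, "ACM-2a", "LI"),
    ("ACM", 3, "ACM-2b", "LI"),
]


def tally(ratings):
    """Return {domain: {mil: {"total": n, "FI": n, "LI": n, "PI": n, "NI": n}}}.

    'total' is the white-circle number of the score report; the four
    rating counts are the dark-green / light-green / light-red / dark-red
    numbers for that domain and MIL.
    """
    report = defaultdict(
        lambda: defaultdict(lambda: {"total": 0, **{r: 0 for r in RATINGS}})
    )
    for domain, mil, _pid, rating in ratings:
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r}")
        if mil not in MILS:
            raise ValueError(f"unknown MIL {mil!r}")
        cell = report[domain][mil]
        cell["total"] += 1
        cell[rating] += 1
    # Convert to plain dicts so missing keys raise instead of silently appearing.
    return {d: dict(m) for d, m in report.items()}


def gaps(ratings):
    """Practices that are not fully implemented: the gaps the scores identify."""
    return [pid for _d, _m, pid, r in ratings if r != "FI"]


def achieved_mil(report, domain):
    """Assumed C2M2 convention (not stated on the page): a domain reaches MIL n
    only when every practice at MIL n and all lower MILs is FI or LI.
    Returns 0 when MIL 1 is not met or the domain was not assessed."""
    achieved = 0
    cells = report.get(domain, {})
    for mil in MILS:
        cell = cells.get(mil)
        if cell is None or cell["PI"] or cell["NI"]:
            break
        achieved = mil
    return achieved


def format_report(report):
    """Render the tally as plain-text rows, one per domain and MIL."""
    lines = []
    for domain in sorted(report):
        for mil in sorted(report[domain]):
            c = report[domain][mil]
            lines.append(
                f"{domain:<4} MIL{mil} total={c['total']} "
                f"FI={c['FI']} LI={c['LI']} PI={c['PI']} NI={c['NI']}"
            )
        lines.append(f"{domain:<4} achieved MIL {achieved_mil(report, domain)}")
    return lines


if __name__ == "__main__":
    rep = tally(SAMPLE_RATINGS)
    print("\n".join(format_report(rep)))
    print("gaps:", ", ".join(gaps(SAMPLE_RATINGS)))
```

The split between `tally` and `achieved_mil` mirrors the division of labour the text describes: the counts are the objective record the assessors produce, while deciding which gaps matter (and whether a higher MIL is worth pursuing) is a separate step for the organization.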