
C2M2


Summary

The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving an organization's cybersecurity program. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operational technology (OT) assets and the environments in which they operate. The version used in this section is C2M2 v2.1, June 2022. The table below maps individual C2M2 practices (definitions) to the Fluid Attacks security requirements that support each one; a practice appears once per mapping, so the same practice title may be listed several times under different practice IDs.

Definitions

| Definition | Requirements |
|---|---|
| 1_1_h. Manage IT and OT asset inventory | 183. Delete sensitive data securely |
| 1_2_h. Manage information asset inventory | 360. Remove unnecessary sensitive information |
| 1_4_e. Manage changes to IT and OT assets | 353. Schedule firmware updates |
| 1_4_i. Manage changes to IT and OT assets | 075. Record exceptional events in logs |
| 2_1_d. Reduce cybersecurity vulnerabilities | 062. Define standard configurations |
| 2_1_j. Reduce cybersecurity vulnerabilities | 376. Register severity level |
| 2_3_d. Management activities for the THREAT domain | 095. Define users with privileges |
| 3_2_k. Identify cyber risk | 262. Verify third-party components |
| 3_5_d. Management activities for the RISK domain | 095. Define users with privileges |
| 4_1_a. Establish identities and manage authentication | 264. Request authentication |
| 4_1_b. Establish identities and manage authentication | 229. Request access credentials |
| 4_1_c. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_d. Establish identities and manage authentication | 126. Set a password regeneration mechanism; 127. Store hashed passwords; 130. Limit password lifespan; 133. Passwords with at least 20 characters; 134. Store passwords with salt |
| 4_1_f. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_g. Establish identities and manage authentication | 096. Set user's required privileges |
| 4_1_h. Establish identities and manage authentication | 095. Define users with privileges; 362. Assign MFA mechanisms to a single account |
| 4_1_i. Establish identities and manage authentication | 362. Assign MFA mechanisms to a single account |
| 4_1_j. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_2_i. Control logical access | 075. Record exceptional events in logs |
| 5_2_c. Perform monitoring | 079. Record exact occurrence time of events |
| 5_2_d. Perform monitoring | 376. Register severity level |
| 5_2_e. Perform monitoring | 075. Record exceptional events in logs |
| 6_1_c. Detect cybersecurity events | 377. Store logs based on valid regulation |
| 6_1_f. Detect cybersecurity events | 075. Record exceptional events in logs |
| 7_1_c. Identify and prioritize third parties | 262. Verify third-party components |
| 7_2_a. Manage third-party risk | 262. Verify third-party components |
| 7_2_b. Manage third-party risk | 262. Verify third-party components |
| 7_2_c. Manage third-party risk | 161. Define secure default options |
| 8_3_c. Assign cybersecurity responsibilities | 096. Set user's required privileges |
| 8_3_e. Assign cybersecurity responsibilities | 301. Notify configuration changes |
| 9_2_b. Implement network protections for cybersecurity architecture | 259. Segment the organization network |
| 9_2_c. Implement network protections for cybersecurity architecture | 249. Locate access points; 250. Manage access points; 251. Change access point IP; 253. Restrict network access; 255. Allow access only to the necessary ports |
| 9_2_e. Implement network protections for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_2_f. Implement network protections for cybersecurity architecture | 273. Define a fixed security suite |
| 9_2_g. Implement network protections for cybersecurity architecture | 258. Filter website content; 356. Verify sub-domain names |
| 9_2_k. Implement network protections for cybersecurity architecture | 257. Access based on user credentials |
| 9_2_l. Implement network protections for cybersecurity architecture | 374. Use of isolation methods in running applications |
| 9_3_b. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations; 373. Use certificate pinning |
| 9_3_c. Implement IT and OT asset security for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_3_d. Implement IT and OT asset security for cybersecurity architecture | 221. Disconnect unnecessary input devices; 255. Allow access only to the necessary ports; 284. Define maximum number of connections |
| 9_3_e. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations |
| 9_3_f. Implement IT and OT asset security for cybersecurity architecture | 273. Define a fixed security suite |
| 9_3_l. Implement IT and OT asset security for cybersecurity architecture | 353. Schedule firmware updates; 354. Prevent firmware downgrades |
| 9_3_m. Implement IT and OT asset security for cybersecurity architecture | 344. Avoid dynamic code execution |
| 9_4_a. Implement software security for cybersecurity architecture | 266. Disable insecure functionalities |
| 9_4_b. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_4_c. Implement software security for cybersecurity architecture | 062. Define standard configurations; 266. Disable insecure functionalities |
| 9_4_d. Implement software security for cybersecurity architecture | 154. Eliminate backdoors; 155. Application free of malicious code; 158. Use a secure programming language; 164. Use optimized structures; 168. Initialize variables explicitly; 171. Remove commented-out code; 173. Discard unsafe inputs; 302. Declare dependencies explicitly |
| 9_4_g. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_5_a. Implement data security for cybersecurity architecture | 176. Restrict system objects |
| 9_5_b. Implement data security for cybersecurity architecture | 062. Define standard configurations; 176. Restrict system objects; 329. Keep client-side storage without sensitive data |
| 9_5_c. Implement data security for cybersecurity architecture | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| 9_5_d. Implement data security for cybersecurity architecture | 147. Use pre-existent mechanisms; 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms |
| 9_5_e. Implement data security for cybersecurity architecture | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM; 151. Separate keys for encryption and signatures; 252. Configure key encryption; 351. Assign unique keys to each device; 361. Replace cryptographic keys |
| 9_5_h. Implement data security for cybersecurity architecture | 035. Manage privilege modifications; 095. Define users with privileges |