C2M2

Summary

The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The version used in this section is C2M2 v2.1, June 2022.

Definitions

| Definition | Requirements |
|---|---|
| 1_1_h. Manage IT and OT asset inventory | 183. Delete sensitive data securely |
| 1_2_h. Manage IT and OT asset inventory | 360. Remove unnecessary sensitive information |
| 1_4_e. Manage changes to IT and OT assets | 353. Schedule firmware updates |
| 1_4_i. Manage changes to IT and OT assets | 075. Record exceptional events in logs |
| 2_1_d. Reduce cybersecurity vulnerabilities | 062. Define standard configurations |
| 2_1_j. Reduce cybersecurity vulnerabilities | 376. Register severity level |
| 2_3_d. Management activities for the THREAT domain | 095. Define users with privileges |
| 3_2_k. Identify cyber risk | 262. Verify third-party components |
| 3_5_d. Management activities for the RISK domain | 095. Define users with privileges |
| 4_1_a. Establish identities and manage authentication | 264. Request authentication |
| 4_1_b. Establish identities and manage authentication | 229. Request access credentials |
| 4_1_c. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_d. Establish identities and manage authentication | 126. Set a password regeneration mechanism |
| | 127. Store hashed passwords |
| | 130. Limit password lifespan |
| | 133. Passwords with at least 20 characters |
| | 134. Store passwords with salt |
| 4_1_f. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_g. Establish identities and manage authentication | 096. Set user's required privileges |
| 4_1_h. Establish identities and manage authentication | 095. Define users with privileges |
| | 362. Assign MFA mechanisms to a single account |
| 4_1_i. Establish identities and manage authentication | 362. Assign MFA mechanisms to a single account |
| 4_1_j. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_2_i. Control logical access | 075. Record exceptional events in logs |
| 5_2_c. Perform monitoring | 079. Record exact occurrence time of events |
| 5_2_d. Perform monitoring | 376. Register severity level |
| 5_2_e. Perform monitoring | 075. Record exceptional events in logs |
| 6_1_c. Detect cybersecurity events | 377. Store logs based on valid regulation |
| 6_1_f. Detect cybersecurity events | 075. Record exceptional events in logs |
| 7_1_c. Identify and prioritize third parties | 262. Verify third-party components |
| 7_2_a. Manage third-party risk | 262. Verify third-party components |
| 7_2_b. Manage third-party risk | 262. Verify third-party components |
| 7_2_c. Manage third-party risk | 161. Define secure default options |
| 8_3_c. Assign cybersecurity responsibilities | 096. Set user's required privileges |
| 8_3_e. Assign cybersecurity responsibilities | 301. Notify configuration changes |
| 9_2_b. Implement network protections for cybersecurity architecture | 259. Segment the organization network |
| 9_2_c. Implement network protections for cybersecurity architecture | 249. Locate access points |
| | 250. Manage access points |
| | 251. Change access point IP |
| | 253. Restrict network access |
| | 255. Allow access only to the necessary ports |
| 9_2_e. Implement network protections for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_2_f. Implement network protections for cybersecurity architecture | 273. Define a fixed security suite |
| 9_2_g. Implement network protections for cybersecurity architecture | 258. Filter website content |
| | 356. Verify sub-domain names |
| 9_2_k. Implement network protections for cybersecurity architecture | 257. Access based on user credentials |
| 9_2_l. Implement network protections for cybersecurity architecture | 374. Use of isolation methods in running applications |
| 9_3_b. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations |
| | 373. Use certificate pinning |
| 9_3_c. Implement IT and OT asset security for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_3_d. Implement IT and OT asset security for cybersecurity architecture | 221. Disconnect unnecessary input devices |
| | 255. Allow access only to the necessary ports |
| | 284. Define maximum number of connections |
| 9_3_e. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations |
| 9_3_f. Implement IT and OT asset security for cybersecurity architecture | 273. Define a fixed security suite |
| 9_3_l. Implement IT and OT asset security for cybersecurity architecture | 353. Schedule firmware updates |
| | 354. Prevent firmware downgrades |
| 9_3_m. Implement IT and OT asset security for cybersecurity architecture | 344. Avoid dynamic code execution |
| 9_4_a. Implement software security for cybersecurity architecture | 266. Disable insecure functionalities |
| 9_4_b. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_4_c. Implement software security for cybersecurity architecture | 062. Define standard configurations |
| | 266. Disable insecure functionalities |
| 9_4_d. Implement software security for cybersecurity architecture | 154. Eliminate backdoors |
| | 155. Application free of malicious code |
| | 158. Use a secure programming language |
| | 164. Use optimized structures |
| | 168. Initialize variables explicitly |
| | 171. Remove commented-out code |
| | 173. Discard unsafe inputs |
| | 302. Declare dependencies explicitly |
| 9_4_g. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_5_a. Implement data security for cybersecurity architecture | 176. Restrict system objects |
| 9_5_b. Implement data security for cybersecurity architecture | 062. Define standard configurations |
| | 176. Restrict system objects |
| | 329. Keep client-side storage without sensitive data |
| 9_5_c. Implement data security for cybersecurity architecture | 181. Transmit data using secure protocols |
| | 338. Implement perfect forward secrecy |
| 9_5_d. Implement data security for cybersecurity architecture | 147. Use pre-existent mechanisms |
| | 185. Encrypt sensitive information |
| | 224. Use secure cryptographic mechanisms |
| 9_5_e. Implement data security for cybersecurity architecture | 145. Protect system cryptographic keys |
| | 146. Remove cryptographic keys from RAM |
| | 151. Separate keys for encryption and signatures |
| | 252. Configure key encryption |
| | 351. Assign unique keys to each device |
| | 361. Replace cryptographic keys |
| 9_5_h. Implement data security for cybersecurity architecture | 035. Manage privilege modifications |
| | 095. Define users with privileges |