Achieve compliance to C2M2
The Cybersecurity Capability Maturity Model (C2M2) was established in 2012 to improve the cyber security capabilities of the North American electricity subsector and to understand the cyber security posture of the grid. Since then, the model has been promoted to help organisations of any size, type or industry evaluate, prioritise and improve their cyber resilience.
The C2M2 model focuses on the implementation and management of cyber security practices associated with the operation and use of information technology (IT) and operational technology (OT) assets, and the environments in which they operate. Its goal is to support continuous improvement and measurement of an organisation’s cyber security capabilities by evaluating and benchmarking performance effectively and consistently.
How the C2M2 Model works
The C2M2 model includes ten groups of cyber security practices, known as ‘Domains’. An organisation’s capabilities within each Domain are evaluated and mapped to one of the four defined ‘Maturity Indicator Levels’ (MILs). From that evaluation a plan of priorities is created and then implemented, as required.
C2M2 Maturity Model
This easy-to-understand infographic gives an overview of the C2M2 model; it can be downloaded here.
Does the C2M2 model apply to your organisation?
The C2M2 model is not a legal imperative for any organisation. However, because it was established to improve the cyber resilience of the North American utilities sector, it is highly relevant to critical infrastructure organisations regardless of jurisdiction.
What other security controls models are available?
Australian Energy Sector Cyber Security Framework
The Australian Energy Sector Cyber Security Framework (AESCSF) is a cyber security capability maturity model based on C2M2. The Framework aligns with the existing Australian Privacy Principles and the ACSC Essential Eight Strategies to Mitigate Cyber Security Incidents. Further information can be found here.
United Kingdom Security Controls Model
The UK government is in the process of implementing the EU Network and Information Systems Directive (NIS Directive), which became law in 2016 and requires Member States to identify operators of essential services.
Operators of essential services and digital service providers are required to keep their networks and information secure and to report security incidents to the “competent authorities” when they occur. Further information can be found here.
How Huntsman Security can help you align with C2M2
Huntsman Security’s technology supports compliance monitoring across the C2M2 model domains. Its key areas of capability sit within the following domains and practices:
Situational Awareness
- Perform logging
- Perform monitoring
- Establish and maintain a common operating picture
- Management activities
Event and Incident Response, Continuity of Operations
- Detect cyber security events
- Escalate cyber security events and declare incidents
- Respond to incidents and escalated cyber security events
- Plan for continuity
- Management activities
Huntsman Security’s expertise in Critical Infrastructure
Huntsman Security’s cyber security solutions operate in the most mission-critical environments. Our client base comprises critical infrastructure organisations and Government departments, including defence, intelligence and law enforcement agencies. Our Security Analytics solution is recommended for large organisations in The Forrester Wave™ 2018 for Security Analytics platforms.