C2M2 Compliance

What is C2M2?

The Cybersecurity Capability Maturity Model (C2M2) was established in 2012 to improve the cybersecurity capabilities of the North American electricity subsector, and to understand the cybersecurity posture of the grid. Since then, the model has been promoted to help organisations – regardless of size, type, or industry – evaluate, prioritise and improve their cyber resilience.


The C2M2 model focuses on the implementation and management of cybersecurity practices associated with the operation and use of information technology and operational technology assets and the environments in which they operate.  The goal is to support continuous improvement and measurement of an organisation’s cybersecurity capabilities by effectively and consistently evaluating and benchmarking performance.


How the C2M2 Model works

The C2M2 model includes ten groups of cybersecurity practices, known as ‘Domains’. An organisation’s capabilities within each of these ‘Domains’ are evaluated and mapped to one of the four defined ‘Maturity Indicator Levels’ (MILs), from which a plan of priorities is created and then implemented, as required.

Figure: C2M2 Maturity Model Architecture


This easy-to-understand infographic gives an overview of the C2M2 model. Download here.


Does the C2M2 model apply to your organisation?

The C2M2 model is not a legal imperative for any organisation. However, because it was established to improve the cyber resilience of the North American utilities sector, it is very relevant to critical infrastructure organisations regardless of jurisdiction.


What other security controls models are available?

Australian Security Controls Model

The Australian Signals Directorate’s (ASD) Essential Eight mitigation controls form a model that is used by Australian Government departments to improve their cyber resilience (the Top 4 are mandatory for federal government departments). Like the C2M2 model, the Essential Eight model offers maturity levels for organisations to benchmark their security posture. Further information can be found here.


United Kingdom Security Controls Model

The UK government is in the process of implementing the EU Network and Information Systems Directive (NIS Directive), which became law in 2016; Member States must identify operators of essential services by 9 November 2018.

The operators of essential services and digital service providers are required to keep their networks and information secure and to notify security incidents to “competent authorities” when they occur.  Further information can be found here.


How Huntsman Security can help you align with C2M2 

Huntsman Security’s technology supports compliance monitoring across the C2M2 model domains. Key areas of capability sit within the following domains:

Situational Awareness

  • Perform Logging
  • Perform Monitoring
  • Establish and Maintain a Common Operating Picture
  • Management Activities

Event and Incident Response, Continuity of Operations

  • Detect Cybersecurity Events
  • Escalate Cybersecurity Events and Declare Incidents
  • Respond to Incidents and Escalated Cybersecurity Events
  • Plan for Continuity
  • Management Activities


Huntsman Security’s expertise in Critical Infrastructure

Huntsman Security’s cyber security solutions operate in the most mission-critical environments.  Our client base comprises critical infrastructure organisations and Government departments that include defence, intelligence and law enforcement. Our Security Analytics solution is recommended for large organisations in The Forrester Wave™ 2018 for Security Analytics platforms.