C2M2

Summary

The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The version used in this section is C2M2 v2.1, June 2022.

Definitions

Definition	Requirements
C2M2-1_1_h. Manage IT and OT asset inventory	183. Delete sensitive data securely
C2M2-1_2_h. Manage IT and OT asset inventory	360. Remove unnecessary sensitive information
C2M2-1_4_e. Manage changes to IT and OT assets	353. Schedule firmware updates
C2M2-1_4_i. Manage changes to IT and OT assets	075. Record exceptional events in logs
C2M2-2_1_d. Reduce cybersecurity vulnerabilities	062. Define standard configurations
C2M2-2_1_j. Reduce cybersecurity vulnerabilities	376. Register severity level
C2M2-2_3_d. Management activities for the THREAT domain	095. Define users with privileges
C2M2-3_2_k. Identify cyber risk	262. Verify third-party components
C2M2-3_5_d. Management activities for the RISK domain	095. Define users with privileges
C2M2-4_1_a. Establish identities and manage authentication	264. Request authentication
C2M2-4_1_b. Establish identities and manage authentication	229. Request access credentials
C2M2-4_1_c. Establish identities and manage authentication	144. Remove inactive accounts periodically
C2M2-4_1_d. Establish identities and manage authentication	126. Set a password regeneration mechanism 127. Store hashed passwords 130. Limit password lifespan 133. Passwords with at least 20 characters 134. Store passwords with salt
C2M2-4_1_f. Establish identities and manage authentication	144. Remove inactive accounts periodically
C2M2-4_1_g. Establish identities and manage authentication	096. Set user's required privileges
C2M2-4_1_h. Establish identities and manage authentication	362. Assign MFA mechanisms to a single account 095. Define users with privileges
C2M2-4_1_i. Establish identities and manage authentication	362. Assign MFA mechanisms to a single account
C2M2-4_1_j. Establish identities and manage authentication	144. Remove inactive accounts periodically
C2M2-4_2_i. Control logical access	075. Record exceptional events in logs
C2M2-5_2_c. Perform monitoring	079. Record exact occurrence time of events
C2M2-5_2_d. Perform monitoring	376. Register severity level
C2M2-5_2_e. Perform monitoring	075. Record exceptional events in logs
C2M2-6_1_c. Detect cybersecurity events	377. Store logs based on valid regulation
C2M2-6_1_f. Detect cybersecurity events	075. Record exceptional events in logs
C2M2-7_1_c. Identify and prioritize third parties	262. Verify third-party components
C2M2-7_2_a. Manage third-party risk	262. Verify third-party components
C2M2-7_2_b. Manage third-party risk	262. Verify third-party components
C2M2-7_2_c. Manage third-party risk	161. Define secure default options
C2M2-8_3_c. Assign cybersecurity responsibilities	096. Set user's required privileges
C2M2-8_3_e. Assign cybersecurity responsibilities	301. Notify configuration changes
C2M2-9_2_b. Implement network protections for cybersecurity architecture	259. Segment the organization network
C2M2-9_2_c. Implement network protections for cybersecurity architecture	249. Locate access points 250. Manage access points 251. Change access point IP 253. Restrict network access 255. Allow access only to the necessary ports
C2M2-9_2_e. Implement network protections for cybersecurity architecture	186. Use the principle of least privilege
C2M2-9_2_f. Implement network protections for cybersecurity architecture	273. Define a fixed security suite
C2M2-9_2_g. Implement network protections for cybersecurity architecture	258. Filter website content 356. Verify sub-domain names
C2M2-9_2_k. Implement network protections for cybersecurity architecture	257. Access based on user credentials
C2M2-9_2_l. Implement network protections for cybersecurity architecture	374. Use of isolation methods in running applications
C2M2-9_3_b. Implement IT and OT asset security for cybersecurity architecture	373. Use certificate pinning 062. Define standard configurations
C2M2-9_3_c. Implement IT and OT asset security for cybersecurity architecture	186. Use the principle of least privilege
C2M2-9_3_d. Implement IT and OT asset security for cybersecurity architecture	221. Disconnect unnecessary input devices 255. Allow access only to the necessary ports 284. Define maximum number of connections
C2M2-9_3_e. Implement IT and OT asset security for cybersecurity architecture	062. Define standard configurations
C2M2-9_3_f. Implement IT and OT asset security for cybersecurity architecture	273. Define a fixed security suite
C2M2-9_3_l. Implement IT and OT asset security for cybersecurity architecture	353. Schedule firmware updates 354. Prevent firmware downgrades
C2M2-9_3_m. Implement IT and OT asset security for cybersecurity architecture	344. Avoid dynamic code execution
C2M2-9_4_a. Implement software security for cybersecurity architecture	266. Disable insecure functionalities
C2M2-9_4_b. Implement software security for cybersecurity architecture	330. Verify Subresource Integrity
C2M2-9_4_c. Implement software security for cybersecurity architecture	266. Disable insecure functionalities 062. Define standard configurations
C2M2-9_4_d. Implement software security for cybersecurity architecture	154. Eliminate backdoors 155. Application free of malicious code 158. Use a secure programming language 164. Use optimized structures 168. Initialize variables explicitly 171. Remove commented-out code 173. Discard unsafe inputs 302. Declare dependencies explicitly
C2M2-9_4_g. Implement software security for cybersecurity architecture	330. Verify Subresource Integrity
C2M2-9_5_a. Implement data security for cybersecurity architecture	176. Restrict system objects
C2M2-9_5_b. Implement data security for cybersecurity architecture	176. Restrict system objects 329. Keep client-side storage without sensitive data 062. Define standard configurations
C2M2-9_5_c. Implement data security for cybersecurity architecture	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
C2M2-9_5_d. Implement data security for cybersecurity architecture	147. Use pre-existent mechanisms 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms
C2M2-9_5_e. Implement data security for cybersecurity architecture	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 151. Separate keys for encryption and signatures 252. Configure key encryption 351. Assign unique keys to each device 361. Replace cryptographic keys
C2M2-9_5_h. Implement data security for cybersecurity architecture	035. Manage privilege modifications 095. Define users with privileges

Last updated

2023/09/18