Fluid Attacks Database

C2M2

Last updated: 2023/09/18

The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The version used in this section is C2M2 v2.1, June 2022.

Control-Requirement Mapping

Definition	Requirements
1_1_h. Manage IT and OT asset inventory	183. Delete sensitive data securely
1_2_h. Manage IT and OT asset inventory	360. Remove unnecessary sensitive information
1_4_e. Manage changes to IT and OT assets	353. Schedule firmware updates
1_4_i. Manage changes to IT and OT assets	075. Record exceptional events in logs
2_1_d. Reduce cybersecurity vulnerabilities	062. Define standard configurations
2_1_j. Reduce cybersecurity vulnerabilities	376. Register severity level
2_3_d. Management activities for the THREAT domain	095. Define users with privileges
3_2_k. Identify cyber risk	262. Verify third-party components
3_5_d. Management activities for the RISK domain	095. Define users with privileges
4_1_a. Establish identities and manage authentication	264. Request authentication
4_1_b. Establish identities and manage authentication	229. Request access credentials
4_1_c. Establish identities and manage authentication	144. Remove inactive accounts periodically
4_1_d. Establish identities and manage authentication	126. Set a password regeneration mechanism 127. Store hashed passwords 130. Limit password lifespan 133. Passwords with at least 20 characters 134. Store passwords with salt
4_1_f. Establish identities and manage authentication	144. Remove inactive accounts periodically
4_1_g. Establish identities and manage authentication	096. Set user's required privileges
4_1_h. Establish identities and manage authentication	362. Assign MFA mechanisms to a single account 095. Define users with privileges
4_1_i. Establish identities and manage authentication	362. Assign MFA mechanisms to a single account
4_1_j. Establish identities and manage authentication	144. Remove inactive accounts periodically
4_2_i. Control logical access	075. Record exceptional events in logs
5_2_c. Perform monitoring	079. Record exact occurrence time of events
5_2_d. Perform monitoring	376. Register severity level
5_2_e. Perform monitoring	075. Record exceptional events in logs
6_1_c. Detect cybersecurity events	377. Store logs based on valid regulation
6_1_f. Detect cybersecurity events	075. Record exceptional events in logs
7_1_c. Identify and prioritize third parties	262. Verify third-party components
7_2_a. Manage third-party risk	262. Verify third-party components
7_2_b. Manage third-party risk	262. Verify third-party components
7_2_c. Manage third-party risk	161. Define secure default options
8_3_c. Assign cybersecurity responsibilities	096. Set user's required privileges
8_3_e. Assign cybersecurity responsibilities	301. Notify configuration changes
9_2_b. Implement network protections for cybersecurity architecture	259. Segment the organization network
9_2_c. Implement network protections for cybersecurity architecture	249. Locate access points 250. Manage access points 251. Change access point IP 253. Restrict network access 255. Allow access only to the necessary ports
9_2_e. Implement network protections for cybersecurity architecture	186. Use the principle of least privilege
9_2_f. Implement network protections for cybersecurity architecture	273. Define a fixed security suite
9_2_g. Implement network protections for cybersecurity architecture	258. Filter website content 356. Verify sub-domain names
9_2_k. Implement network protections for cybersecurity architecture	257. Access based on user credentials
9_2_l. Implement network protections for cybersecurity architecture	374. Use of isolation methods in running applications
9_3_b. Implement IT and OT asset security for cybersecurity architecture	373. Use certificate pinning 062. Define standard configurations
9_3_c. Implement IT and OT asset security for cybersecurity architecture	186. Use the principle of least privilege
9_3_d. Implement IT and OT asset security for cybersecurity architecture	221. Disconnect unnecessary input devices 255. Allow access only to the necessary ports 284. Define maximum number of connections
9_3_e. Implement IT and OT asset security for cybersecurity architecture	062. Define standard configurations
9_3_f. Implement IT and OT asset security for cybersecurity architecture	273. Define a fixed security suite
9_3_l. Implement IT and OT asset security for cybersecurity architecture	353. Schedule firmware updates 354. Prevent firmware downgrades
9_3_m. Implement IT and OT asset security for cybersecurity architecture	344. Avoid dynamic code execution
9_4_a. Implement software security for cybersecurity architecture	266. Disable insecure functionalities
9_4_b. Implement software security for cybersecurity architecture	330. Verify Subresource Integrity
9_4_c. Implement software security for cybersecurity architecture	266. Disable insecure functionalities 062. Define standard configurations
9_4_d. Implement software security for cybersecurity architecture	154. Eliminate backdoors 155. Application free of malicious code 158. Use a secure programming language 164. Use optimized structures 168. Initialize variables explicitly 171. Remove commented-out code 173. Discard unsafe inputs 302. Declare dependencies explicitly
9_4_g. Implement software security for cybersecurity architecture	330. Verify Subresource Integrity
9_5_a. Implement data security for cybersecurity architecture	176. Restrict system objects
9_5_b. Implement data security for cybersecurity architecture	176. Restrict system objects 329. Keep client-side storage without sensitive data 062. Define standard configurations
9_5_c. Implement data security for cybersecurity architecture	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
9_5_d. Implement data security for cybersecurity architecture	147. Use pre-existent mechanisms 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms
9_5_e. Implement data security for cybersecurity architecture	145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 151. Separate keys for encryption and signatures 252. Configure key encryption 351. Assign unique keys to each device 361. Replace cryptographic keys
9_5_h. Implement data security for cybersecurity architecture	035. Manage privilege modifications 095. Define users with privileges

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.