C2M2
Cybersecurity Capability Maturity Model for energy sector
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (10)
C2M2 Domain: Asset, Change and Configuration Management (ASSET)
| Code | Title |
|---|---|
| ASSET-1 | Manage IT and OT Asset Inventory |
| ASSET-2 | Manage Asset Configuration and Changes |
C2M2 Domain: Cybersecurity Architecture (ARCHITECTURE)
| Code | Title |
|---|---|
| ARCH-1 | Establish a Cybersecurity Architecture Strategy |
| ARCH-2 | Implement Network Protections |
| ARCH-3 | Implement Data Security |
C2M2 Domain: Cybersecurity Program Management (PROGRAM)
| Code | Title |
|---|---|
| PROGRAM-1 | Establish and Maintain the Cybersecurity Program |
C2M2 Domain: Event and Incident Response, Continuity of Operations (RESPONSE)
| Code | Title |
|---|---|
| RESPONSE-1 | Detect and Analyze Cybersecurity Events |
| RESPONSE-2 | Respond to and Recover from Cybersecurity Incidents |
| RESPONSE-3 | Plan for Continuity of Operations |
C2M2 Domain: Identity and Access Management (ACCESS)
| Code | Title |
|---|---|
| ACCESS-1 | Establish and Maintain Identities |
| ACCESS-2 | Control Logical and Physical Access |
C2M2 Domain: Risk Management (RISK)
| Code | Title |
|---|---|
| RISK-1 | Establish a Cyber Risk Management Strategy and Program |
| RISK-2 | Identify and Analyze Cyber Risk |
| RISK-3 | Manage and Respond to Cyber Risk |
C2M2 Domain: Situational Awareness (SITUATION)
| Code | Title |
|---|---|
| SITUATION-1 | Perform Logging and Monitoring |
| SITUATION-2 | Establish and Maintain a Common Operating Picture |
C2M2 Domain: Third-Party Risk Management (THIRD-PARTIES)
| Code | Title |
|---|---|
| THIRD-1 | Identify and Manage Third-Party Risk |
| THIRD-2 | Manage Supplier Relationships and Incident Notification |
C2M2 Domain: Threat and Vulnerability Management (THREAT)
| Code | Title |
|---|---|
| THREAT-1 | Identify and Respond to Cyber Threats |
| THREAT-2 | Reduce Cybersecurity Vulnerabilities |
C2M2 Domain: Workforce Management (WORKFORCE)
| Code | Title |
|---|---|
| WORKFORCE-1 | Establish Cybersecurity Responsibilities and Workforce |
| WORKFORCE-2 | Develop Cybersecurity Workforce and Awareness |
Maps to 1 other framework
Frequently Asked Questions
What is C2M2?
C2M2 (Cybersecurity Capability Maturity Model for energy sector) is a compliance framework from the United States with 10 domains and 22 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does C2M2 have?
C2M2 has 22 controls organised across 10 domains. The largest domains, with 3 controls each, are C2M2 Domain: Cybersecurity Architecture (ARCHITECTURE); C2M2 Domain: Event and Incident Response, Continuity of Operations (RESPONSE); and C2M2 Domain: Risk Management (RISK). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does C2M2 map to?
C2M2 maps to 1 other compliance framework. The top mapping partner is NIST Cybersecurity Framework 2.0 (100% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with C2M2 compliance?
Start your C2M2 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about C2M2 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.