Achieve compliance to C2M2

The Cybersecurity Capability Maturity Model (C2M2) was established in 2012 to improve the cyber security capabilities of the North American electricity subsector and to understand the cyber security posture of the grid. Since then, the model has been promoted to help organisations – regardless of size, type or industry – evaluate, prioritise and improve their cyber resilience.

After the initial release in 2012 and a minor update in 2014, the latest version 2.0 was released in July 2021.

The C2M2 model focuses on the implementation and management of cyber security practices associated with the operation and use of information technology and operational technology assets and the environments in which they operate. The goal is to support continuous improvement and measurement of an organisation’s cyber security capabilities by effectively and consistently evaluating and benchmarking performance.

How the C2M2 Model works

The C2M2 model includes ten groups of cyber security practices, known as ‘Domains’. An organisation’s capabilities within each Domain are evaluated and mapped to one of four defined, cumulative ‘Maturity Indicator Levels’ (MILs); from that evaluation a prioritised plan of improvements is created and implemented as required. Each Domain contains a number of cyber security practices, 342 in total across the 10 Domains. The practices themselves correspond to either Management Objectives or Approach Objectives.

[Infographic: C2M2 Maturity Model overview, available for download]

Does the C2M2 model apply to your organisation?

The C2M2 model is not a legal requirement for any organisation. However, because it was established to improve the cyber resilience of the North American utilities sector, it is highly relevant to critical infrastructure organisations in any jurisdiction.

What other security controls models are available?

Australian Energy Sector Cyber Security Framework

The Australian Energy Sector Cyber Security Framework (AESCSF) is a cyber security capability maturity model based on C2M2. It aligns with the existing Australian Privacy Principles and the ACSC Essential Eight Strategies to Mitigate Cyber Security Incidents.

United Kingdom Security Controls Model

The EU Network and Information Systems Directive (NIS Directive) became law in the UK in May 2018 via the NIS Regulations. These form the basis of the NCSC Cyber Assessment Framework (CAF), which provides guidance for organisations responsible for “vitally important services and activities”.

Operators of essential services and digital service providers in the UK are required to keep their networks and information secure and to notify the “competent authorities” of security incidents when they occur.


How Huntsman Security can help you align with C2M2

Huntsman Security’s technology supports compliance monitoring across the C2M2 model domains. Key areas of capability sit within the following Domains:

Situational Awareness

  • Perform logging
  • Perform monitoring
  • Establish and maintain situational awareness
  • Management activities

Event and Incident Response, Continuity of Operations

  • Detect cyber security events
  • Analyse cyber security events and declare incidents
  • Respond to cyber security events and incidents
  • Address cyber security in continuity of operations
  • Management activities


Huntsman Security’s expertise in Critical Infrastructure

Huntsman Security’s cyber security solutions operate in the most mission-critical environments. Our client base comprises critical infrastructure organisations and government departments, including defence, intelligence and law enforcement.
