A maturity assessment answers a question a compliance checklist cannot: is the cybersecurity program built to last?
The Cybersecurity Capability Maturity Model (C2M2) evaluates whether an organization's cybersecurity capabilities are established, repeatable, governed, and sustainable rather than dependent on a few individuals. I provide independent facilitated C2M2 assessments covering both IT and OT capabilities, delivered onsite, with executive level findings and a prioritized cybersecurity investment roadmap. The work suits industrial, infrastructure, maritime, and operational organizations that need a clear and honest picture of where their program actually stands.
What C2M2 is, and what it is not.
The Cybersecurity Capability Maturity Model is a free, voluntary model published by the U.S. Department of Energy and developed through sustained public and private collaboration, with the energy industry leading its development and adoption. First released in 2012 and now in Version 2.1, the model organizes 356 cybersecurity practices into 10 domains and addresses both information technology and operational technology environments. Although the model originated in the energy sector, it is written so that any organization, regardless of size, type, or industry, can use it to evaluate, prioritize, and improve its cybersecurity capabilities.
The model's central idea is maturity. Two organizations can operate the same firewall, run the same backup job, and hold the same incident response plan, yet differ completely in whether those capabilities survive a departure, a reorganization, a budget cycle, or a bad quarter. C2M2 measures that difference. It asks not only whether a practice is performed, but whether it is documented, resourced, assigned, measured, and governed by the organization itself.
A capability that lives in one person's head is a risk. A capability the organization owns, funds, and reviews is an asset. C2M2 is the most direct instrument I know of for telling the two apart.
The output of a C2M2 assessment is a maturity profile: a domain by domain picture of where capabilities stand today, where management wants them to be based on risk, and which gaps matter most. That profile becomes the basis for prioritizing cybersecurity investment, which is the model's practical purpose. Organizations can also repeat the assessment over time to measure whether the program is actually improving.
C2M2 is not a certification, an audit standard, a regulatory requirement, or a pass and fail assessment. There is no C2M2 certificate, no accredited assessor ecosystem, and no score that a customer or regulator demands. It is a self-evaluation model that an organization applies to itself, on its own initiative, because management wants an accurate answer. That is precisely what makes the results useful: the model serves the organization rather than an external audience.
How the model measures progression.
Each practice in the model is assigned a maturity indicator level (MIL). The levels describe a progression along two dimensions: the completeness of the practices themselves, and the degree to which the organization has institutionalized them through documentation, resources, assigned responsibility, and governance. An organization scores each domain at the level its practices actually support.
Not performed
The practices at MIL1 are not yet fully performed. The capability may exist in fragments, but the organization cannot rely on it.
Initiated
Initial practices are performed, though they may be ad hoc. The capability exists and produces results, but it depends heavily on the initiative and knowledge of individuals.
Performed and documented
Practices are more complete and are documented. Adequate resources are provided, and the organization begins to manage the capability deliberately rather than informally.
Managed and governed
Practices are guided by policy and governance, responsibilities are assigned, personnel are qualified, and the activities are reviewed for effectiveness. The organization, not any individual, owns the capability.
Where the model looks.
The 356 practices are grouped into 10 domains, each addressing a distinct capability area. Together they cover the management, technical, human, and third party dimensions of a cybersecurity program across both IT and OT environments.
Asset, Change, and Configuration Management
Whether the organization knows what IT and OT assets it has, manages changes to them deliberately, and controls their configurations.
Threat and Vulnerability Management
How the organization identifies, analyzes, and responds to threats and vulnerabilities relevant to its environment and operations.
Risk Management
Whether cyber risk is identified, analyzed, and managed within a program that leadership sponsors, funds, and reviews.
Identity and Access Management
How identities are created and managed, and how logical and physical access to assets is granted, controlled, and revoked.
Situational Awareness
Whether the organization collects, monitors, and communicates the operational and security information needed to understand its current state.
Event and Incident Response, Continuity of Operations
How the organization detects, declares, and responds to events and incidents, and how it sustains operations through disruption.
Third-Party Risk Management
How cyber risks arising from suppliers, vendors, service providers, and other external parties are identified and managed.
Workforce Management
Whether responsibilities are assigned, personnel are vetted and trained, and the organization builds and sustains a workforce with the needed cybersecurity competencies.
Cybersecurity Architecture
Whether the structure and behavior of the organization's cybersecurity controls, networks, and systems reflect a deliberate, maintained architecture.
Cybersecurity Program Management
Whether the cybersecurity program itself has a strategy, sponsorship, resources, and governance that sustain all of the other domains.
The model is free. The honest answer is the hard part.
The Department of Energy publishes the model and its self-evaluation tools at no cost, and a motivated organization can run a self-evaluation on its own. In my experience, the quality of the result depends far less on the tool than on how the evaluation is conducted. An independent facilitated assessment addresses the four problems that most often undermine a self-scored result.
01 Self-scoring optimism
People score the systems they built and the processes they run. Without an independent facilitator asking for the evidence behind each answer, scores drift toward how the program is supposed to work rather than how it works. A maturity profile built on optimism produces an investment roadmap aimed at the wrong gaps.
02 The gap between IT and OT
In industrial, maritime, and infrastructure environments, the people who understand the business systems and the people who understand the operational equipment are usually different people with different vocabularies. Facilitation brings both into the same workshop and resolves the answers that differ depending on who is asked.
03 Evidence and observation
A workshop answer of yes carries more weight when it can be checked against the environment. Conducting the assessment onsite allows answers about asset inventories, access practices, physical controls, and operational dependencies to be compared with what the facility actually shows.
04 Translation for leadership
The raw output of a C2M2 evaluation is detailed and practice level. Leadership does not need 356 data points. It needs to know which capability gaps carry operational consequence, what closing them costs, and in what order the work should proceed. Producing that translation is the core of the engagement.
How a facilitated C2M2 assessment proceeds.
The engagement follows the same three phase discipline used across the practice. The scope and duration are set by the size of the organization, the complexity of the IT and OT environment, and the depth of review management wants.
Discovery and Scope
Confirm objectives with leadership, define which parts of the organization and which IT and OT environments the assessment will cover, review available documentation, and identify the participants whose knowledge the workshop requires. The output of this phase is a workshop plan that fits the organization rather than a generic agenda.
Onsite Facilitated Assessment
A structured workshop with the responsible IT, OT, operations, and management personnel, working through the model domain by domain. Answers are tested against evidence and, where useful, against direct observation of the facility, systems, and practices. Disagreements between participants are resolved in the room rather than averaged away.
Findings and Roadmap
Executive level findings that identify the gaps with real operational consequence, target maturity levels proposed for management decision, and a prioritized investment roadmap with ownership and sequencing. Where the organization wants continuity, the assessment can be repeated periodically to measure actual progress.
A maturity model is not a compliance program, and that is the point.
Organizations subject to regulatory or contractual cybersecurity requirements sometimes ask where C2M2 fits alongside frameworks such as NIST SP 800-171, CMMC, or applicable maritime cybersecurity obligations. The answer is that they measure different things. A compliance framework asks whether specific required safeguards are implemented and supported by evidence. C2M2 asks whether the organization behind those safeguards can sustain them.
The two perspectives reinforce each other in practice. An organization with mature capabilities in areas such as asset management, access management, and program governance implements compliance requirements faster and sustains them at lower cost, because the requirements land on an organization that already manages its cybersecurity deliberately. Conversely, a compliance program built on immature capabilities tends to decay between assessments, which is how organizations end up rebuilding the same program every few years.
For organizations in the Defense Industrial Base, the CMMC practice on this site addresses the contractual requirements directly. For covered maritime operators, the maritime cybersecurity practice addresses applicable vessel and facility obligations. A C2M2 assessment can precede either engagement, follow it, or stand entirely on its own for organizations with no compliance driver at all.
Sources
The Cybersecurity Capability Maturity Model, Version 2.1, its self-evaluation tools, and its supporting guides are published by the U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response and are available at no cost from the Department of Energy C2M2 program page. The descriptions of the model on this page are a practitioner summary. For formal use, rely on the current model documentation from the Department of Energy directly. David Koran & Associates Inc. is an independent advisory practice and is not affiliated with, endorsed by, or certified by the Department of Energy.
Discuss a C2M2 Assessment
A first conversation usually covers the size and structure of the organization, the IT and OT environments in play, and what management wants the assessment to answer. Call, email, or send a note. I respond personally to every inquiry, usually within one business day.
Discuss an Assessment
Whether you are considering a first maturity assessment, comparing your program against where it needs to be, or looking for an independent facilitator for an evaluation you have already decided to run, the first conversation carries no commitment and no pitch.
Discuss an Assessment →