Cybersecurity Capability Maturity Model (C2M2) Version 2.0

Descriptive Note:

Technical Report

Corporate Author:

Carnegie Mellon University Software Engineering Institute Pittsburgh United States

Repeated cyber intrusions into organizations of all types demonstrate the need for improved cybersecurity. Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations. National security and economic vitality depend on the reliable functioning of critical infrastructure and the sustained operation of organizations of all types in the face of such threats. The Cybersecurity Capability Maturity Model (C2M2) can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience. The C2M2 focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The model can be used to:

  • Strengthen organizations' cybersecurity capabilities
  • Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
  • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
  • Enable organizations to prioritize actions and investments to improve cybersecurity

The C2M2 is designed for use with a self-evaluation methodology and toolkit (available by request) for an organization to measure and improve its cybersecurity program. A self-evaluation using the toolkit can be completed in one day, but the toolkit could be adapted for a more rigorous evaluation effort. Additionally, the C2M2 can be used to guide the development of a new cybersecurity program. The C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high level of abstraction so it can be interpreted by organizations of various types, structures, sizes, and industries. Broad use of the model by a sector can support benchmarking of the sector's cybersecurity capabilities.

Subject Categories:

  • Computer Systems Management and Standards