Lesson 3E – The Cybersecurity Capability Maturity Models (*-C2M2)

This lesson explains how to use the Cybersecurity Capability Maturity Model (C2M2) family as a quick self-assessment tool. Although developed for critical infrastructure, it can be applied in any industry.

Learning Objectives
  • Describe what C2M2 is, and what it is used for
  • Explain how C2M2 is administered and scored
  • Identify the 10 domains common to all C2M2 variants
  • Apply C2M2 principles to conduct an organizational assessment
  • Interpret scores and subscores from a C2M2 audit
Files
Lesson 3E – The Cybersecurity Capability Maturity Models (*-C2M2) Lesson Plan
CPI_Module3_Lesson3E_Presentation.pptx


* NICE Cybersecurity Workforce Framework KSAs Addressed
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0008: Knowledge of applicable business processes and operations of customer organizations.
  • K0027: Knowledge of organization's enterprise information security architecture system.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements.
  • K0053: Knowledge of measures or indicators of system performance and availability.
  • K0054: Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
  • K0084: Knowledge of structured analysis principles and methods.
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0149: Knowledge of organization's risk tolerance and/or risk management approach.
  • K0150: Knowledge of enterprise incident response program, roles, and responsibilities.
  • K0169: Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions).
  • K0258: Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)).
  • K0612: Knowledge of what constitutes a “threat” to a network.
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0359: Skill to use critical thinking to analyze organizational patterns and relationships.
  • A0106: Ability to think critically.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.

* Most courseware content maps to NIST NICE Cybersecurity Workforce Framework (NCWF) Knowledge, Skills, and Abilities (KSAs) and/or NSA/DHS CAE Knowledge Units (KUs). For more information on KSAs and KUs, please visit:

KSAs: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

KUs: https://www.iad.gov/NIETP/documents/Requirements/CAE-CD_Knowledge_Units.pdf