In today’s digital world, securing critical infrastructure and organizational IT environments is more important than ever. One framework that helps organisations assess and improve their cybersecurity posture is the Cybersecurity Capability Maturity Model (C2M2). Within this model, C2M3 properties refer to the structured characteristics and components used to evaluate the maturity of an organisation’s cybersecurity capabilities.
Whether you’re a security professional, IT manager, or executive responsible for managing risk, understanding C2M3 properties can help you better assess your current state and identify practical steps toward stronger resilience.
What is the C2M2 Model?
The Cybersecurity Capability Maturity Model (C2M2) was developed by the U.S. Department of Energy and is widely adopted across industries, particularly those managing critical infrastructure like energy, transportation, and manufacturing. The model helps organisations:
- Evaluate their current cybersecurity practices
- Identify strengths and weaknesses
- Prioritise improvement efforts
- Communicate capability maturity across the business
The model is designed to be flexible and scalable, making it suitable for both small organisations and large enterprises.
What Are C2M3 Properties?
C2M3 properties refer to the key elements and structured features of the model that define how cybersecurity practices are organised and assessed. These properties include:
1. Domains
The C2M2 model is organised into several functional domains. Each domain represents a major area of cybersecurity activity, such as:
- Risk Management
- Asset, Change, and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Response and Recovery
Each domain includes specific objectives that contribute to overall cybersecurity maturity.
2. Objectives
Each domain is broken down into objectives, which define the goals or outcomes an organisation should aim to achieve. These objectives represent what good cybersecurity practices look like in that particular domain.
For example, under the Threat and Vulnerability Management domain, an objective might be to “establish and maintain a threat monitoring process.”
3. Practices
The practices are the actionable items or activities that support each objective. They describe what needs to be done to achieve the objective and improve maturity. Practices are often incremental and build upon each other as maturity increases.
C2M3 practices are not one-size-fits-all; they’re designed to reflect the varying capabilities and resources of different organisations.
4. Maturity Indicator Levels (MILs)
C2M3 uses Maturity Indicator Levels (MILs) to assess how well cybersecurity practices are institutionalised across an organisation. There are four MILs:
- MIL0: Incomplete (no practices implemented)
- MIL1: Initiated (basic implementation)
- MIL2: Performed (repeatable and documented)
- MIL3: Managed (practices are proactive and integrated into organisational processes)
These levels help organisations track progress over time and understand where their cybersecurity efforts stand relative to best practices.
5. Progression and Institutionalisation
One of the defining C2M3 properties is its focus on institutionalising cybersecurity—that is, making sure cybersecurity practices are not just one-time efforts, but consistent, repeatable, and embedded into the culture and daily operations of the business.
The model promotes gradual progression through maturity levels, encouraging long-term planning and continuous improvement.
Why Do C2M3 Properties Matter?
Understanding and applying C2M3 properties helps organisations create a clear roadmap for cybersecurity development. By evaluating each domain through maturity levels, organisations can:
- Prioritise resource allocation
- Justify investment in cybersecurity improvements
- Meet regulatory and compliance requirements
- Build trust with stakeholders and customers
- Reduce risks and improve resilience
Getting Started with C2M3
To begin applying the C2M3 model and its properties, organisations typically conduct a self-assessment or engage with a qualified consultant. The results offer a clear picture of where the organisation stands, and where it should focus next. Tools and templates are available from the Department of Energy and other industry sources to help guide the process.
Final Thoughts
C2M3 properties form the backbone of a powerful, structured approach to improving cybersecurity maturity. By understanding the model’s domains, objectives, practices, and maturity levels, organisations can take control of their cybersecurity journey and build a strong foundation for future growth.