C2M2

Here's what

C2M2

requires and how to comply.

Below you'll find all of the requirements of this framework. In Cyberday, we map all requirement to global tasks, making multi-compliance management easy. Do it once, and see the progress across all frameworks!

Requirements

ARCHITECTURE-3: Implement IT and OT Asset Security as an Element of the Cybersecurity Architecture

MIL1 requirements
a. Logical and physical access controls are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner
b. Endpoint protections (such as secure configuration, security applications, and host monitoring) are implemented to protect assets that are important to the delivery of the function, where feasible, at least in an ad hoc manner

MIL2 requirements
c. The principle of least privilege (for example, limiting administrative access for users and service accounts) is enforced
d. The principle of least functionality (for example, limiting services, limiting applications, limiting ports, limiting connected devices) is enforced
e. Secure configurations are established and maintained as part of the asset deployment process where feasible
f. Security applications are required as an element of device configuration where feasible (for example, endpoint detection and response, host-based firewalls)
g. The use of removeable media is controlled (for example, limiting the use of USB devices, managing external hard drives)
h. Cybersecurity controls are implemented for all assets within the function either at the asset level or as compensating controls where asset-level controls are not feasible
i. Maintenance and capacity management activities are performed for all assets within the function
j. The physical operating environment is controlled to protect the operation of assets within the function
k. More rigorous cybersecurity controls are implemented for higher priority assets

MIL3 requirements
l. Configuration of and changes to firmware are controlled throughout the asset lifecycle
m. Controls (such as allowlists, blocklists, and configuration settings) are implemented to prevent the execution of unauthorized code

Related tasks

Endpoint security management system

Critical

High

Normal

Low

Mobile device management

Listing and monitoring allowed applications on endpoints

Critical

High

Normal

Low

Mobile device management

Software firewall on endpoint devices

Critical

High

Normal

Low

Mobile device management

Continuous monitoring of physical access to critical facilities

Critical

High

Normal

Low

Property security

A strategy for cyber security architecture

Critical

High

Normal

Low

Cyber security management

Requirement details

ARCHITECTURE-4: Implement Software Security as an Element of the Cybersecurity Architecture

MIL2 requirements
a. Software developed in-house for deployment on higher priority assets is developed using secure software development practices
b. The selection of procured software for deployment on higher priority assets includes consideration of the vendor’s secure software development practices
c. Secure software configurations are required as part of the software deployment process for both procured software and software developed in-house

MIL3 requirements
d. All software developed in-house is developed using secure software development practices
e. The selection of all procured software includes consideration of the vendor’s secure software development practices
f. The architecture review process evaluates the security of new and revised applications prior to deployment
g. The authenticity of all software and firmware is validated prior to deployment
h. Security testing (for example, static testing, dynamic testing, fuzz testing, penetration testing) is performed for in-house-developed and in-house-tailored applications periodically and according to defined triggers, such as system changes and external events

Related tasks

A strategy for cyber security architecture

Critical

High

Normal

Low

Cyber security management

Requirement details

ARCHITECTURE-5: Implement Data Security as an Element of the Cybersecurity Architecture

MIL1 requirements
a. Sensitive data is protected at rest, at least in an ad hoc manner

MIL2 requirements
b. All data at rest is protected for selected data categories
c. All data in transit is protected for selected data categories
d. Cryptographic controls are implemented for data at rest and data in transit for selected data categories
e. Key management infrastructure (that is, key generation, key storage, key destruction, key update, and key revocation) is implemented to support cryptographic controls
f. Controls to restrict the exfiltration of data (for example, data loss prevention tools) are implemented

MIL3 requirements
g. The cybersecurity architecture includes protections (such as full disk encryption) for data that is stored on assets that may be lost or stolen
h. The cybersecurity architecture includes protections against unauthorized changes to software, firmware, and data

Related tasks

A strategy for cyber security architecture

Critical

High

Normal

Low

Cyber security management

Requirement details

PROGRAM-1: Establish Cybersecurity Program Strategy

MIL1 requirements
a. The organization has a cybersecurity program strategy, which may be developed and managed in an ad hoc manner

MIL2 requirements
b. The cybersecurity program strategy defines goals and objectives for the organization’s cybersecurity activities
c. The cybersecurity program strategy and priorities are documented and aligned with the organization’s mission, strategic objectives, and risk to critical infrastructure
d. The cybersecurity program strategy defines the organization’s approach to provide program oversight and governance for cybersecurity activities
e. The cybersecurity program strategy defines the structure and organization of the cybersecurity program
f. The cybersecurity program strategy identifies standards and guidelines intended to be followed by the program
g. The cybersecurity program strategy identifies any applicable compliance requirements that must be satisfied by the program (for example, NERC CIP, TSA Pipeline Security Guidelines, PCI DSS, ISO, DoD CMMC)

MIL3 requirements
h. The cybersecurity program strategy is updated periodically and according to defined triggers, such as business changes, changes in the operating environment, and changes in the threat profile (THREAT-2e)

Related tasks

Strategy for cyber security program

Critical

High

Normal

Low

Cyber security management

Requirement details

10.2: Establish and Maintain Cybersecurity Program

Related tasks

Information security policy -report publishing, informing and maintenance

Critical

High

Normal

Low

Cyber security management

Defining and documenting security objectives

Critical

High

Normal

Low

Cyber security management

Management commitment to cyber security management and management system

Critical

High

Normal

Low

Cyber security management

ISMS description and maintenance

Critical

High

Normal

Low

Cyber security management

Requirement details

PROGRAM-2: Establish and Maintain Cybersecurity Program

MIL1 requirements
a. Senior management with proper authority provides support for the cybersecurity program, at least in an ad hoc manner

MIL2 requirements
b. The cybersecurity program is established according to the cybersecurity program strategy
c. Senior management sponsorship for the cybersecurity program is visible and active
d. Senior management sponsorship is provided for the development, maintenance, and enforcement of cybersecurity policies
e. Responsibility for the cybersecurity program is assigned to a role with sufficient authority
f. Stakeholders for cybersecurity program management activities are identified and involved

MIL3 requirements
g. Cybersecurity program activities are periodically reviewed to ensure that they align with the cybersecurity program strategy
h. Cybersecurity activities are independently reviewed to ensure conformance with cybersecurity policies and procedures, periodically and according to defined triggers, such as process changes
i. The cybersecurity program addresses and enables the achievement of legal and regulatory compliance, as appropriate
j. The organization collaborates with external entities to contribute to the development and implementation of cybersecurity standards, guidelines, leading practices, lessons learned, and emerging technologies

Related tasks

Information security policy -report publishing, informing and maintenance

Critical

High

Normal

Low

Cyber security management

Defining and documenting security objectives

Critical

High

Normal

Low

Cyber security management

Management commitment to cyber security management and management system

Critical

High

Normal

Low

Cyber security management

ISMS description and maintenance

Critical

High

Normal

Low

Cyber security management

Establishing and maintaining a cyber security program

Critical

High

Normal

Low

Cyber security management

Requirement details

3 / 3

The ISMS component hierachy

Framework

Requirements

Tasks

Policies

Never duplicate effort. Do it once - improve compliance across frameworks.

Start your compliance journey

How it works?

Use cases

Resources

Contact us

C2M2

The ISMS component hierachy

Framework

Requirements

Tasks

Policies

Never duplicate effort. Do it once - improve compliance across frameworks.

Stay up-to-date on cyber security

Subscribe for our free, weekly newsletter

* Your email won't be sold nor disclosed forward. Confirmation has more info. Learn more

Start your compliance journey

Pysy kärryillä digiturvasta

Tilaa Digiturvauutiset sähköpostiisi

* Osoitetta ei myydä tai luovuteta eteenpäin. Vahvistusviestissä lisätietoja. Lue lisää

How it works?

Use cases

Resources

Contact us