Industrial Internet Security Framework v 1.0 | Page 137
Annex B: Cybersecurity Capability Maturity Model (C2M2)
B.2 ASSESSMENT PROCESS
Assessors are responsible for leading security evaluations. In the C2M2 model such assessors are
referred to as facilitators. Details about how facilitators should use C2M2 can be found in the C2M2
Facilitator Guide [ENER-C2M2].
An assessment has assessors and participants. Assessors score and document their observations
clearly and objectively; it is not their role to set priorities or to dictate implementation details.
When several assessors take part, they can compare notes and reconcile scoring discrepancies; all of
them should be familiar with the content of the model and its artifacts.
Participants are stakeholders in the organizational, system definition, development and
maintenance functions. A single participant acts as the primary point of contact with the
assessors and takes responsibility for preparation, execution and follow-up. Participants may
include product managers, systems and software architects, field service engineers, network
engineers, security engineers, software managers and engineers, quality process managers and
those involved in testing, validation, deployment and incident response.
The assessors describe the current security posture of the system by generating a scoring report.
The scores identify gaps in the performance of model practices. A scoring report can be
generated using a Microsoft Excel sheet¹; a scoring report produced from an example file² is shown in Figure
B-1. The number in each white circle is the total number of activities for a given domain and MIL
level. The numbers in dark green, light green, light red and dark red are the counts of fully implemented,
largely implemented, partially implemented and not implemented activities for each domain at
each MIL level.
Figure B-1: A Sample C2M2 Score Report
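As an added illustration that is not part of the original annex or of the NRECA scoring template, the Python below aggregates a set of constructed practice responses into the per-domain, per-MIL counts that the scoring report shows (the white-circle total and the four implementation-state counts), and then lists the practices that keep a domain from reaching its next MIL. The domain abbreviations RM and ACM are C2M2 domain names; the practice identifiers and their statuses are constructed sample data. The MIL-achievement rule applied here (every practice at a level and at all lower levels must be fully or largely implemented) is the rule of the C2M2 model itself and is not stated on this page.

```python
from collections import Counter, defaultdict

# Implementation states, named as in the legend of the C2M2 scoring report.
FULLY = "fully implemented"
LARGELY = "largely implemented"
PARTIALLY = "partially implemented"
NOT = "not implemented"
STATUSES = (FULLY, LARGELY, PARTIALLY, NOT)

# Constructed sample responses: (domain, MIL, practice id, status).
# RM and ACM are real C2M2 domain abbreviations; the practice ids and
# statuses are made up for this example.
SAMPLE_RESPONSES = [
    ("RM", 1, "RM-1a", FULLY),
    ("RM", 1, "RM-1b", LARGELY),
    ("RM", 2, "RM-2a", PARTIALLY),
    ("RM", 2, "RM-2b", NOT),
    ("RM", 3, "RM-3a", NOT),
    ("ACM", 1, "ACM-1a", FULLY),
    ("ACM", 1, "ACM-1b", FULLY),
    ("ACM", 2, "ACM-2a", LARGELY),
    ("ACM", 2, "ACM-2b", FULLY),
    ("ACM", 3, "ACM-3a", PARTIALLY),
]


def tally(responses):
    """Return {domain: {mil: {"total": n, <status>: count, ...}}}.

    For each domain/MIL cell this is the white-circle total plus the four
    colored counts of the scoring report. Unknown statuses are rejected
    rather than silently dropped, so a typo in a response cannot make a
    gap disappear from the report."""
    table = defaultdict(lambda: defaultdict(Counter))
    for domain, mil, practice, status in responses:
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r} for {practice}")
        table[domain][mil]["total"] += 1
        table[domain][mil][status] += 1
    return {d: {m: dict(c) for m, c in mils.items()} for d, mils in table.items()}


def achieved_mil(responses, domain):
    """Highest MIL achieved by a domain (0 if MIL1 is not achieved).

    Assumed rule, taken from the C2M2 model rather than from this page: a MIL
    is achieved only when every practice at that level and at every lower
    level is fully or largely implemented."""
    by_mil = defaultdict(list)
    for d, mil, _practice, status in responses:
        if d == domain:
            by_mil[mil].append(status)
    achieved = 0
    for mil in sorted(by_mil):
        if mil != achieved + 1:
            break  # a level is missing below this one; stop here
        if all(s in (FULLY, LARGELY) for s in by_mil[mil]):
            achieved = mil
        else:
            break
    return achieved


def gaps(responses, domain):
    """Practices that block the domain from reaching its next MIL.

    This is the list the organization reviews when deciding which gaps are
    important enough to address."""
    target = achieved_mil(responses, domain) + 1
    return [p for d, mil, p, s in responses
            if d == domain and mil == target and s not in (FULLY, LARGELY)]


if __name__ == "__main__":
    report = tally(SAMPLE_RESPONSES)
    for domain in sorted(report):
        print(f"{domain}: achieved MIL{achieved_mil(SAMPLE_RESPONSES, domain)}")
        for mil in sorted(report[domain]):
            print(f"  MIL{mil}: {report[domain][mil]}")
        print(f"  blocking next MIL: {gaps(SAMPLE_RESPONSES, domain)}")
```

With the sample data, RM achieves MIL1 and is blocked at MIL2 by RM-2a and RM-2b, while ACM achieves MIL2 and is blocked at MIL3 by ACM-3a; the per-cell dictionaries are the numbers a facilitator would transfer into the scoring sheet.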
The next step is to determine whether the gaps are important for the organization to address.
Note that achieving the highest maturity level for every domain in the assessment might not be
¹ See [NRECA-Tmpl]
² See [NRECA-Smpl]
IIC:PUB:G4:V1.0:PB:20160926
- 137 -