C2M2 helps organizations evaluate their cybersecurity capabilities using a set of industry-vetted practices focused on IT and OT assets and environments.
The Cybersecurity Capability Maturity Model (C2M2) helps organizations evaluate their cybersecurity capabilities and optimize security investments.
This level includes the MIL1 requirements and other measures included in other supported frameworks, giving an estimated 50% coverage of the full framework.
Below you'll find all of the requirements of this framework. In Cyberday, we map all requirements to global tasks, making multi-compliance management easy. Do it once, and see the progress across all frameworks!
MIL1 requirements
a. IT and OT assets that are important to the delivery of the function are inventoried, at least in an ad hoc manner
MIL2 requirements
b. The IT and OT asset inventory includes assets within the function that may be leveraged to achieve a threat objective
c. Inventoried IT and OT assets are prioritized based on defined criteria that include importance to the delivery of the function
d. Prioritization criteria include consideration of the degree to which an asset within the function may be leveraged to achieve a threat objective
e. The IT and OT inventory includes attributes that support cybersecurity activities (for example, location, asset priority, asset owner, operating system, and firmware versions)
MIL3 requirements
f. The IT and OT asset inventory is complete (the inventory includes all assets within the function)
g. The IT and OT asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes
h. Data is destroyed or securely removed from IT and OT assets prior to redeployment and at end of life
MIL1 requirements
a. Information assets that are important to the delivery of the function (for example, SCADA set points and customer information) are inventoried, at least in an ad hoc manner
MIL2 requirements
b. The information asset inventory includes information assets within the function that may be leveraged to achieve a threat objective
c. Inventoried information assets are categorized based on defined criteria that include importance to the delivery of the function
d. Categorization criteria include consideration of the degree to which an asset within the function may be leveraged to achieve a threat objective
e. The information asset inventory includes attributes that support cybersecurity activities (for example, asset category, backup locations and frequencies, storage locations, asset owner, cybersecurity requirements)
MIL3 requirements
f. The information asset inventory is complete (the inventory includes all assets within the function)
g. The information asset inventory is current, that is, it is updated periodically and according to defined triggers, such as system changes
h. Information assets are sanitized or destroyed at end of life using techniques appropriate to their cybersecurity requirements
MIL1 requirements
a. Configuration baselines are established, at least in an ad hoc manner
MIL2 requirements
b. Configuration baselines are used to configure assets at deployment and restoration
c. Configuration baselines incorporate applicable requirements from the cybersecurity architecture (ARCHITECTURE-1f)
d. Configuration baselines are reviewed and updated periodically and according to defined triggers, such as system changes and changes to the cybersecurity architecture
MIL3 requirements
e. Asset configurations are monitored for consistency with baselines throughout the assets’ lifecycles
MIL1 requirements
a. Changes to assets are evaluated and approved before being implemented, at least in an ad hoc manner
b. Changes to assets are documented, at least in an ad hoc manner
MIL2 requirements
c. Documentation requirements for asset changes are established and maintained
d. Changes to higher priority assets are tested prior to being deployed
e. Changes and updates are implemented in a secure manner
f. The capability to reverse changes is established and maintained for assets that are important to the delivery of the function
g. Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement)
MIL3 requirements
h. Changes to higher priority assets are tested for cybersecurity impact prior to being deployed
i. Change logs include information about modifications that impact the cybersecurity requirements of assets
MIL1 requirements
a. Information sources to support cybersecurity vulnerability discovery are identified, at least in an ad hoc manner
b. Cybersecurity vulnerability information is gathered and interpreted for the function, at least in an ad hoc manner
c. Cybersecurity vulnerability assessments are performed, at least in an ad hoc manner
d. Cybersecurity vulnerabilities that are relevant to the delivery of the function are mitigated, at least in an ad hoc manner
MIL2 requirements
e. Cybersecurity vulnerability information sources that collectively address higher priority assets are monitored
f. Cybersecurity vulnerability assessments are performed periodically and according to defined triggers, such as system changes and external events
g. Identified cybersecurity vulnerabilities are analyzed and prioritized, and are addressed accordingly
h. Operational impact to the function is evaluated prior to deploying patches or other mitigations
i. Information on discovered cybersecurity vulnerabilities is shared with organization-defined stakeholders
MIL3 requirements
j. Cybersecurity vulnerability information sources that collectively address all IT and OT assets within the function are monitored
k. Cybersecurity vulnerability assessments are performed by parties that are independent of the operations of the function
l. Vulnerability monitoring activities include review to confirm that actions taken in response to cybersecurity vulnerabilities were effective
m. Mechanisms are established and maintained to receive and respond to reports from the public or external parties of potential vulnerabilities related to the organization’s IT and OT assets, such as public-facing websites or mobile applications
MIL1 requirements
a. Internal and external information sources to support threat management activities are identified, at least in an ad hoc manner
b. Information about cybersecurity threats is gathered and interpreted for the function, at least in an ad hoc manner
c. Threat objectives for the function are identified, at least in an ad hoc manner
d. Threats that are relevant to the delivery of the function are addressed, at least in an ad hoc manner
MIL2 requirements
e. A threat profile for the function is established that includes threat objectives and additional threat characteristics (for example, threat actor types, motives, capabilities, and targets)
f. Threat information sources that collectively address all components of the threat profile are prioritized and monitored
g. Identified threats are analyzed and prioritized and are addressed accordingly
h. Threat information is exchanged with stakeholders (for example, executives, operations staff, government, connected organizations, vendors, sector organizations, regulators, Information Sharing and Analysis Centers [ISACs])
MIL3 requirements
i. The threat profile for the function is updated periodically and according to defined triggers, such as system changes and external events
j. Threat monitoring and response activities leverage and trigger predefined states of operation (SITUATION-3g)
k. Secure, near-real-time methods are used for receiving and sharing threat information to enable rapid analysis and action
MIL1 requirements
a. The organization has a strategy for cyber risk management, which may be developed and managed in an ad hoc manner
MIL2 requirements
b. A strategy for cyber risk management is established and maintained in alignment with the organization’s cybersecurity program strategy (PROGRAM-1b) and enterprise architecture
c. The cyber risk management program is established and maintained to perform cyber risk management activities according to the cyber risk management strategy
d. Information from RISK domain activities is communicated to relevant stakeholders
e. Governance for the cyber risk management program is established and maintained
f. Senior management sponsorship for the cyber risk management program is visible and active
MIL3 requirements
g. The cyber risk management program aligns with the organization's mission and objectives
h. The cyber risk management program is coordinated with the organization’s enterprise-wide risk management program
MIL1 requirements
a. Cyber risks are identified, at least in an ad hoc manner
MIL2 requirements
b. A defined method is used to identify cyber risks
c. Stakeholders from appropriate operations and business areas participate in the identification of cyber risks
d. Identified cyber risks are consolidated into categories (for example, data breaches, insider mistakes, ransomware, OT control takeover) to facilitate management at the category level
e. Cyber risk categories and cyber risks are documented in a risk register or other artifact
f. Cyber risk categories and cyber risks are assigned to risk owners
g. Cyber risk identification activities are performed periodically and according to defined triggers, such as system changes and external events
MIL3 requirements
h. Cyber risk identification activities leverage asset inventory and prioritization information from the ASSET domain, such as IT and OT asset end of support, single points of failure, information asset risk of disclosure, tampering, or destruction
i. Vulnerability management information from THREAT domain activities is used to update cyber risks and identify new risks (such as risks arising from vulnerabilities that pose an ongoing risk to the organization or newly identified vulnerabilities)
j. Threat management information from THREAT domain activities is used to update cyber risks and identify new risks
k. Information from THIRD-PARTIES domain activities is used to update cyber risks and identify new risks
l. Information from ARCHITECTURE domain activities (such as unmitigated architectural conformance gaps) is used to update cyber risks and identify new risks
m. Cyber risk identification considers risks that may arise from or impact critical infrastructure or other interdependent organizations
MIL1 requirements
a. Cyber risks are prioritized based on estimated impact, at least in an ad hoc manner
MIL2 requirements
b. Defined criteria are used to prioritize cyber risks (for example, impact to the organization, impact to the community, likelihood, susceptibility, risk tolerance)
c. A defined method is used to estimate impact for higher priority cyber risks (for example, comparison to actual events, risk quantification)
d. Defined methods are used to analyze higher priority cyber risks (for example, analyzing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility)
e. Organizational stakeholders from appropriate operations and business functions participate in the analysis of higher priority cyber risks
f. Cyber risks are removed from the risk register or other artifact used to document and manage identified risks when they no longer require tracking or response
MIL3 requirements
g. Cyber risk analyses are updated periodically and according to defined triggers, such as system changes, external events, and information from other model domains
MIL1 requirements
a. Risk responses (such as mitigate, accept, avoid, or transfer) are implemented to address cyber risks, at least in an ad hoc manner
MIL2 requirements
b. A defined method is used to select and implement risk responses based on analysis and prioritization
MIL3 requirements
c. Cybersecurity controls are evaluated to determine whether they are designed appropriately and are operating as intended to mitigate identified cyber risks
d. Results from cyber risk impact analyses and cybersecurity control evaluations are reviewed together by enterprise leadership to determine whether cyber risks are sufficiently mitigated, and risk tolerances are not exceeded
e. Risk responses (such as mitigate, accept, avoid, or transfer) are reviewed periodically by leadership to determine whether they are still appropriate
MIL1 requirements
a. Identities are provisioned, at least in an ad hoc manner, for personnel and other entities such as services and devices that require access to assets (note that this does not preclude shared identities)
b. Credentials (such as passwords, smartcards, certificates, and keys) are issued for personnel and other entities that require access to assets, at least in an ad hoc manner
c. Identities are deprovisioned, at least in an ad hoc manner, when no longer required
MIL2 requirements
d. Password strength and reuse restrictions are defined and enforced
e. Identity repositories are reviewed and updated periodically and according to defined triggers, such as system changes and changes to organizational structure
f. Identities are deprovisioned within organization-defined time thresholds when no longer required
g. The use of privileged credentials is limited to processes for which they are required
h. Stronger credentials, multifactor authentication, or single use credentials are required for higher risk access (such as privileged accounts, service accounts, shared accounts, and remote access)
MIL3 requirements
i. Multifactor authentication is required for all access, where feasible
j. Identities are disabled after a defined period of inactivity, where feasible
MIL1 requirements
a. Logical access controls are implemented, at least in an ad hoc manner
b. Logical access privileges are revoked when no longer needed, at least in an ad hoc manner
MIL2 requirements
c. Logical access requirements are established and maintained (for example, rules for which types of entities are allowed to access an asset, limits of allowed access, constraints on remote access, authentication parameters)
d. Logical access requirements incorporate the principle of least privilege
e. Logical access requirements incorporate the principle of separation of duties
f. Logical access requests are reviewed and approved by the asset owner
g. Logical access privileges that pose higher risk to the function receive additional scrutiny and monitoring
MIL3 requirements
h. Logical access privileges are reviewed and updated to ensure conformance with access requirements periodically and according to defined triggers, such as changes to organizational structure, and after any temporary elevation of privileges
i. Anomalous logical access attempts are monitored as indicators of cybersecurity events
MIL1 requirements
a. Physical access controls (such as fences, locks, and signage) are implemented, at least in an ad hoc manner
b. Physical access privileges are revoked when no longer needed, at least in an ad hoc manner
c. Physical access logs are maintained, at least in an ad hoc manner
MIL2 requirements
d. Physical access requirements are established and maintained (for example, rules for who is allowed to access an asset, how access is granted, limits of allowed access)
e. Physical access requirements incorporate the principle of least privilege
f. Physical access requirements incorporate the principle of separation of duties
g. Physical access requests are reviewed and approved by the asset owner
h. Physical access privileges that pose higher risk to the function receive additional scrutiny and monitoring
MIL3 requirements
i. Physical access privileges are reviewed and updated
j. Physical access is monitored to identify potential cybersecurity events
MIL1 requirements
a. Logging is occurring for assets that are important to the delivery of the function, at least in an ad hoc manner
MIL2 requirements
b. Logging is occurring for assets within the function that may be leveraged to achieve a threat objective, wherever feasible
c. Logging requirements are established and maintained for IT and OT assets that are important to the delivery of the function and assets within the function that may be leveraged to achieve a threat objective
d. Logging requirements are established and maintained for network and host monitoring infrastructure (for example, web gateways, endpoint detection and response software, intrusion detection and prevention systems)
e. Log data are being aggregated within the function
MIL3 requirements
f. More rigorous logging is performed for higher priority assets