At BinaryShield, it is our philosophy that custom-tailored, proactive solutions aligned with security best practices and regulatory frameworks are the best way to address people, technologies, and facilities and to deliver actionable cybersecurity strategies. One such framework, which has garnered significant attention because of its complexity and transformative nature, is the Cybersecurity Capability Maturity Model (C2M2).

C2M2 is the United States government’s (USG) solution to improve regulatory compliance with NIST SP 800-171. Since the original announcement of this framework, revisions have been implemented as applicability and implementation considerations have been raised and addressed.

In this advisory C2M2 series, BinaryShield will address C2M2’s scope — particularly asset categories and the associated requirements for Defense Industrial Base (DIB) contractors — along with who and what the framework impacts and what it means for you.

Asset Type: Controlled Unclassified Information (CUI) Assets
Asset Description: Assets that process, store, or transmit CUI
DIB Contractor Requirements:
  • Maintain an asset inventory of sources of CUI
  • Document the assets within the System Security Plan (SSP)
  • Include the assets in a network diagram
  • Prepare documentation for the C2M2 assessment
C2M2 Assessment Requirements:
  • Assessed against the required C2M2 level

Asset Type: Security Protection Assets
Asset Description: Assets that provide security controls for the DIB Contractor's C2M2 scope, regardless of whether the asset processes, stores, or transmits CUI
DIB Contractor Requirements:
  • Maintain an asset inventory of sources of CUI
  • Document the assets within the System Security Plan (SSP)
  • Include the assets in a network diagram
  • Prepare documentation for the C2M2 assessment
C2M2 Assessment Requirements:
  • Assessed against the required C2M2 level

Asset Type: Contractor Risk Managed Assets
Asset Description: Assets that can—but are not intended to—process, store, or transmit CUI, as well as those that are not required to be separated physically or logically from assets that do
DIB Contractor Requirements:
  • Document in asset inventory
  • Document in SSP
  • Document in network diagram
  • Ensure assets are documented
C2M2 Assessment Requirements:
  • Assessors may require spot checks to identify risk
  • Clients should expect spot checks to be limited in scope and not to increase the cost or duration of the assessment

Asset Type: Specialized Assets
Asset Description: Non-traditional assets such as IoT devices, OT, Restricted Information Systems, and Testing Equipment that may not process, store, or transmit CUI
DIB Contractor Requirements:
  • Document in asset inventory
  • Document in SSP
  • Document in network diagram
  • Ensure assets are documented
C2M2 Assessment Requirements:
  • Assessors may require spot checks to identify risk
  • Clients should expect spot checks to be limited in scope and not to increase the cost or duration of the assessment

Stay tuned for the upcoming parts of our series on C2M2 guidance, which will include defining assets, data types, and expectations within the scope of C2M2 applicability.

BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.

About the author

Sergio Orellana, Chief Cybersecurity Officer

Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.