C2M2 | Compliance | Fluid Attacks Help

C2M2


Summary

The Cybersecurity Capability Maturity Model (C2M2) is a tool for evaluating and improving cybersecurity. It focuses on the implementation and management of cybersecurity practices associated with information, information technology (IT), and operations technology (OT) assets and the environments in which they operate. The version used in this section is C2M2 v2.1, June 2022.

Definitions

| Definition | Requirements |
|---|---|
| 1_1_h. Manage IT and OT asset inventory | 183. Delete sensitive data securely |
| 1_2_h. Manage IT and OT asset inventory | 360. Remove unnecessary sensitive information |
| 1_4_e. Manage changes to IT and OT assets | 353. Schedule firmware updates |
| 1_4_i. Manage changes to IT and OT assets | 075. Record exceptional events in logs |
| 2_1_d. Reduce cybersecurity vulnerabilities | 062. Define standard configurations |
| 2_1_j. Reduce cybersecurity vulnerabilities | 376. Register severity level |
| 2_3_d. Management activities for the THREAT domain | 095. Define users with privileges |
| 3_2_k. Identify cyber risk | 262. Verify third-party components |
| 3_5_d. Management activities for the RISK domain | 095. Define users with privileges |
| 4_1_a. Establish identities and manage authentication | 264. Request authentication |
| 4_1_b. Establish identities and manage authentication | 229. Request access credentials |
| 4_1_c. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_d. Establish identities and manage authentication | 126. Set a password regeneration mechanism; 127. Store hashed passwords; 130. Limit password lifespan; 133. Passwords with at least 20 characters; 134. Store passwords with salt |
| 4_1_f. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_1_g. Establish identities and manage authentication | 096. Set user's required privileges |
| 4_1_h. Establish identities and manage authentication | 095. Define users with privileges; 362. Assign MFA mechanisms to a single account |
| 4_1_i. Establish identities and manage authentication | 362. Assign MFA mechanisms to a single account |
| 4_1_j. Establish identities and manage authentication | 144. Remove inactive accounts periodically |
| 4_2_i. Control logical access | 075. Record exceptional events in logs |
| 5_2_c. Perform monitoring | 079. Record exact occurrence time of events |
| 5_2_d. Perform monitoring | 376. Register severity level |
| 5_2_e. Perform monitoring | 075. Record exceptional events in logs |
| 6_1_c. Detect cybersecurity events | 377. Store logs based on valid regulation |
| 6_1_f. Detect cybersecurity events | 075. Record exceptional events in logs |
| 7_1_c. Identify and prioritize third parties | 262. Verify third-party components |
| 7_2_a. Manage third-party risk | 262. Verify third-party components |
| 7_2_b. Manage third-party risk | 262. Verify third-party components |
| 7_2_c. Manage third-party risk | 161. Define secure default options |
| 8_3_c. Assign cybersecurity responsibilities | 096. Set user's required privileges |
| 8_3_e. Assign cybersecurity responsibilities | 301. Notify configuration changes |
| 9_2_b. Implement network protections for cybersecurity architecture | 259. Segment the organization network |
| 9_2_c. Implement network protections for cybersecurity architecture | 249. Locate access points; 250. Manage access points; 251. Change access point IP; 253. Restrict network access; 255. Allow access only to the necessary ports |
| 9_2_e. Implement network protections for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_2_f. Implement network protections for cybersecurity architecture | 273. Define a fixed security suite |
| 9_2_g. Implement network protections for cybersecurity architecture | 258. Filter website content; 356. Verify sub-domain names |
| 9_2_k. Implement network protections for cybersecurity architecture | 257. Access based on user credentials |
| 9_2_l. Implement network protections for cybersecurity architecture | 374. Use of isolation methods in running applications |
| 9_3_b. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations; 373. Use certificate pinning |
| 9_3_c. Implement IT and OT asset security for cybersecurity architecture | 186. Use the principle of least privilege |
| 9_3_d. Implement IT and OT asset security for cybersecurity architecture | 221. Disconnect unnecessary input devices; 255. Allow access only to the necessary ports; 284. Define maximum number of connections |
| 9_3_e. Implement IT and OT asset security for cybersecurity architecture | 062. Define standard configurations |
| 9_3_f. Implement IT and OT asset security for cybersecurity architecture | 273. Define a fixed security suite |
| 9_3_l. Implement IT and OT asset security for cybersecurity architecture | 353. Schedule firmware updates; 354. Prevent firmware downgrades |
| 9_3_m. Implement IT and OT asset security for cybersecurity architecture | 344. Avoid dynamic code execution |
| 9_4_a. Implement software security for cybersecurity architecture | 266. Disable insecure functionalities |
| 9_4_b. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_4_c. Implement software security for cybersecurity architecture | 062. Define standard configurations; 266. Disable insecure functionalities |
| 9_4_d. Implement software security for cybersecurity architecture | 154. Eliminate backdoors; 155. Application free of malicious code; 158. Use a secure programming language; 164. Use optimized structures; 168. Initialize variables explicitly; 171. Remove commented-out code; 173. Discard unsafe inputs; 302. Declare dependencies explicitly |
| 9_4_g. Implement software security for cybersecurity architecture | 330. Verify Subresource Integrity |
| 9_5_a. Implement data security for cybersecurity architecture | 176. Restrict system objects |
| 9_5_b. Implement data security for cybersecurity architecture | 062. Define standard configurations; 176. Restrict system objects; 329. Keep client-side storage without sensitive data |
| 9_5_c. Implement data security for cybersecurity architecture | 181. Transmit data using secure protocols; 338. Implement perfect forward secrecy |
| 9_5_d. Implement data security for cybersecurity architecture | 147. Use pre-existent mechanisms; 185. Encrypt sensitive information; 224. Use secure cryptographic mechanisms |
| 9_5_e. Implement data security for cybersecurity architecture | 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM; 151. Separate keys for encryption and signatures; 252. Configure key encryption; 351. Assign unique keys to each device; 361. Replace cryptographic keys |
| 9_5_h. Implement data security for cybersecurity architecture | 035. Manage privilege modifications; 095. Define users with privileges |