Cybersecurity Capability Maturity Model to NIST Cybersecurity Framework Mapping

The NIST National Cybersecurity Center of Excellence (NCCoE) and the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) have developed mappings between the Cybersecurity Capability Maturity Model (C2M2) and the NIST Cybersecurity Framework (CSF).

The bidirectional mappings (C2M2-to-CSF and CSF-to-C2M2) enable users of either framework to map their results in context of the other. The mappings evaluate the alignment of C2M2 practices with the Framework Categories and Subcategories in each Function. An additional mapping was developed to show the relationships between C2M2 practices and divisions of the definitions of CSF Implementation Tiers.

Development Process

The mappings were developed using CSF Version 1.1 and C2M2 Version 2.1, released June 2022. Legacy mappings were also developed using C2M2 Version 2.0 for C2M2 users who have not yet transitioned to Version 2.1.

All mappings followed the guidance found in the NIST National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers.  The mapping files contain columns that give additional context on the degree to which the outcome of the reference element fulfills the outcome of the focal element. The following list briefly describes some of the columns included in these mappings.

• Focal Document Element- The identifier of the Focal Document element being mapped
• Focal Document Element Description - The text description of the Focal Document element
• Rationale - The explanation for why a given Reference Document Element and Focal Document Element are related is attributed to one of three basic reasons: syntactic, semantic, or functional.
• Relationship - The Relationship field refers to the logical comparison between a Reference Document Element and a Focal Document Element. Relationships are described using one of five cases derived from a branch of mathematics known as set theory: subset of, intersects with, equal, superset of, or not related to.
• Reference Document Element - The identifier of the Reference Document element being mapped
• Reference Document Element Description - The text description of the Reference Document element
• Fulfilled By - Refers to the completeness of a Reference Document element in relation to a Focal Document element. Focal Document elements that are subsets of or equal to Reference Document elements SHALL be marked “Yes.” Focal Document elements which are supersets of,intersect with, or are not related to Reference Document elements SHALL be marked “No.”
• Group Identifier - The designation given to a Reference Document element when it is part of a group of Reference Document elements that has a relationship with a Focal Document element
• Strength of Relationship - The extent to which a Reference Document element and a Focal Document element are similar

For more information, refer to NIST IR 8278A, National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers. The C2M2 V2.1 to CSF V1.1 mapping and C2M2 V2.0 to CSF V1.1 mapping are both also available in the NIST OLIR Informative References Catalog and in the NIST Cybersecurity and Privacy Reference Tool.

C2M2 V2.1 Mappings

• CSF V1.1 to C2M2 V2.1 Mapping (C2M2 as the focal document)
• C2M2 V2.1 to CSF V1.1 Mapping (CSF as the focal document)
• C2M2 V2.1 to CSF V1.1 Tiers Mapping (CSF as the focal document)

C2M2 V2.0 Mappings (for Legacy Users)

• CSF V1.1 to C2M2 V2.0 Mapping (C2M2 as the focal document)
• C2M2 V2.0 to CSF V1.1 Mapping (CSF as the focal document)
• C2M2 V2.0 to CSF V1.1 Tiers Mapping (CSF as the focal document)

Questions or comments regarding these mappings can be sent to C2M2@hq.doe.gov.