Cybersecurity Capability Maturity Model to NIST Cybersecurity Framework Mapping


The NIST National Cybersecurity Center of Excellence (NCCoE) and the U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) have been working to map recent updates of the Cybersecurity Capability Maturity Model (C2M2) to the NIST Cybersecurity Framework (CSF).

The draft mappings for C2M2 Version 2.1 – which is the latest version of the C2M2 – are now complete and open for public comment. The drafts include bi-directional mappings (C2M2 to CSF and CSF to C2M2) to help users of either framework map their results in the context of the other. They also include a separate mapping of C2M2 V2.1 to the CSF tiers.


The NCCoE and CESER are seeking public comments on the draft mappings between C2M2 V2.1 and CSF.

NIST requests that all comments be submitted by 11:59 pm Eastern Time on April 10, 2023. Please submit your comments to Comments are requested on each of the mapping spreadsheets:

We encourage you to submit comments using this comment template.