Cybersecurity Maturity Models: CMMC, C2M2, and SSE-CMM
Cybersecurity maturity models provide structured frameworks for measuring, benchmarking, and incrementally improving an organization's security posture across defined capability levels. Three models dominate the US professional and regulatory landscape: the Cybersecurity Maturity Model Certification (CMMC), the Cybersecurity Capability Maturity Model (C2M2), and the Systems Security Engineering Capability Maturity Model (SSE-CMM). Each targets a distinct sector or function, carries different compliance implications, and applies a different assessment methodology. The Information Security Providers on this site provide practitioner and organizational resources aligned to these frameworks.
Definition and scope
A cybersecurity maturity model maps security practices against a progression of capability levels — from ad hoc or undocumented processes at the lowest tier to fully optimized, continuously improving programs at the highest. The underlying logic derives from the Software Engineering Institute's Capability Maturity Model Integration (CMMI), which established the concept that process maturity, not just technical controls, determines program reliability.
The three major models in active US use differ by governing body, target sector, and scope:
- CMMC (Cybersecurity Maturity Model Certification) — Administered by the U.S. Department of Defense (DoD), CMMC applies to the Defense Industrial Base (DIB). Version 2.0, published in November 2021, restructured the model from 5 levels to 3 levels and aligned directly to NIST SP 800-171 for Levels 1 and 2, and NIST SP 800-172 for Level 3.
- C2M2 (Cybersecurity Capability Maturity Model) — Developed jointly by the U.S. Department of Energy (DOE) and the Department of Homeland Security, C2M2 version 2.1 organizes 356 practices across 10 domains for energy sector and critical infrastructure operators. Its Maturity Indicator Levels (MIL) run from MIL0 through MIL3.
- SSE-CMM (Systems Security Engineering Capability Maturity Model) — Standardized as ISO/IEC 21827, SSE-CMM defines 22 security engineering process areas evaluated across 6 capability levels (0–5). It targets engineering organizations building secure systems rather than operating them.
These models are not interchangeable — each addresses a distinct organizational role and regulatory obligation.
How it works
Each model structures assessment through a combination of practice domains, capability or maturity levels, and assessment methods. The mechanics differ by model:
CMMC Level Structure (Version 2.0):
- Level 1 — Foundational: 17 practices drawn from FAR 52.204-21. Annual self-assessment required. Applies to organizations handling Federal Contract Information (FCI).
- Level 2 — Advanced: 110 practices aligned to NIST SP 800-171. Applies to organizations handling Controlled Unclassified Information (CUI). Third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) required for prioritized acquisitions; self-assessment permitted for non-prioritized contracts.
- Level 3 — Expert: Practices drawn from NIST SP 800-172, assessed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
C2M2 Assessment Process:
C2M2 evaluations are self-directed. An organization works through the 10 domains — which include Asset, Change, and Configuration Management; Identity and Access Management; and Incident Response — scoring each practice as Not Performed, Initiated, Performed, or Managed. MIL3 represents a fully governed, institutionalized practice. The DOE publishes a free self-evaluation toolkit to support this process.
SSE-CMM Appraisal Method:
SSE-CMM uses the Systems Security Engineering — Capability Maturity Model Appraisal Method (SSAM), a formal third-party appraisal structured around evidence collection. The 22 process areas span risk management, security planning, security monitoring, and trust validation, each assessed against base and generic practices.
Common scenarios
Maturity model assessments arise under four primary conditions in the US market:
Federal contracting compliance: Any organization in the DoD supply chain seeking or renewing a defense contract must demonstrate the CMMC level specified in the contract's solicitation. The DoD's phased implementation, under the CMMC final rule published in the Federal Register in October 2024, embeds CMMC requirements into Defense Federal Acquisition Regulation Supplement (DFARS) clauses.
Critical infrastructure self-assessment: Electric utilities, oil and gas pipeline operators, and water system operators use C2M2 voluntarily to benchmark their programs against sector norms. The DOE's 2022 update to C2M2 expanded coverage to reflect threats to industrial control systems (ICS) and operational technology (OT) environments.
Secure systems procurement: Defense and intelligence community contractors building platforms or weapons systems use SSE-CMM/ISO 21827 to demonstrate engineering process maturity during source selection. Government program offices may specify a minimum SSE-CMM capability level in the Statement of Work.
Internal program maturation: Organizations outside regulated sectors adopt C2M2 or CMMC practice domains as internal benchmarks without pursuing formal certification, using the domain structure to identify capability gaps against NIST frameworks.
Decision boundaries
Selecting the appropriate model depends on four classification criteria:
| Criterion | CMMC | C2M2 | SSE-CMM |
|---|---|---|---|
| Primary sector | Defense Industrial Base | Energy / Critical Infrastructure | Systems engineering organizations |
| Governing obligation | DoD contract requirement (DFARS) | Voluntary (DOE-recommended) | Contractual / procurement-specified |
| Assessment type | Third-party (C3PAO) or government (DIBCAC) | Self-assessment with toolkit | Formal third-party appraisal (SSAM) |
| Data type protected | FCI / CUI | OT/ICS operational data | System design and engineering artifacts |
| Highest maturity level | Level 3 | MIL3 | Capability Level 5 |
A defense subcontractor handling CUI must pursue CMMC Level 2 — C2M2 does not satisfy DoD contractual requirements. An electric cooperative seeking to benchmark ICS security without a contractual mandate should use C2M2. An engineering firm building a secure communications platform for a federal program may face SSE-CMM requirements embedded in the contract deliverables.
Misapplying these models — for instance, substituting a C2M2 self-assessment for a required CMMC Level 2 C3PAO assessment — creates contractual non-compliance. The resource overview for this site describes how framework and practitioner providers are organized to support this type of sector navigation.