Cybersecurity Maturity Models: CMMC, C2M2, and SSE-CMM

Cybersecurity maturity models provide structured frameworks for measuring, benchmarking, and improving an organization's security posture across defined capability levels. Three models — the Cybersecurity Maturity Model Certification (CMMC), the Cybersecurity Capability Maturity Model (C2M2), and the Systems Security Engineering Capability Maturity Model (SSE-CMM) — occupy distinct regulatory and operational niches within the US security landscape. Each carries different scoping rules, assessment mechanisms, and governing bodies, making the choice between them a function of sector, contract type, and security engineering discipline rather than preference.


Definition and scope

Cybersecurity maturity models share a common structural logic: they divide security capabilities into domains or process areas, then assign those capabilities to discrete maturity levels that organizations must satisfy progressively. The three primary models differ sharply in sponsorship, applicability, and enforcement weight.

Cybersecurity Maturity Model Certification (CMMC) is a US Department of Defense (DoD) program that conditions contract eligibility on demonstrated cybersecurity maturity. CMMC 2.0, formalized under 32 CFR Part 170, collapsed the original five-level model into three levels. Level 1 covers 17 basic safeguarding practices drawn from FAR clause 52.204-21; Level 2 maps to the 110 practices of NIST SP 800-171; Level 3 incorporates a subset of controls from NIST SP 800-172 for organizations handling the most sensitive controlled unclassified information (CUI). Approximately 80,000 companies in the Defense Industrial Base (DIB) fall within CMMC's scope, according to DoD CMMC program documentation.

Cybersecurity Capability Maturity Model (C2M2) was developed by the US Department of Energy (DOE) in collaboration with the Department of Homeland Security and is maintained under the C2M2 Program. It organizes practices into 10 domains — such as Asset, Change, and Configuration Management and Threat and Vulnerability Management — across 3 Maturity Indicator Levels (MIL 0 through MIL 3). C2M2 is voluntary, self-assessment-oriented, and designed for energy sector operators and other critical infrastructure protection entities. Version 2.1, released by DOE, refined domain language but preserved the MIL progression structure.

Systems Security Engineering Capability Maturity Model (SSE-CMM), standardized as ISO/IEC 21827, addresses the engineering processes used to build and maintain secure systems rather than operational security programs. Its 11 Security Base Practices map onto 5 capability levels adapted from the Software Engineering Institute's CMM architecture. SSE-CMM is process-quality oriented — it evaluates whether security engineering practices are performed, documented, defined, managed, and optimized — making it the appropriate reference when assessing a vendor's or integrator's engineering rigor rather than an organization's operational posture.


How it works

Each model employs a distinct assessment and scoring mechanism:

CMMC Assessment Process
1. Organizations self-identify the CMMC level required by their DoD contracts.
2. Level 1 permits annual self-assessment with senior official affirmation, submitted to the Supplier Performance Risk System (SPRS).
3. Level 2, for contracts involving CUI, requires triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) certified by the CMMC Accreditation Body (Cyber AB); a subset of Level 2 contracts allows self-assessment instead.
4. Level 3 requires government-led assessment by the Defense Contract Management Agency (DCMA).
5. Assessment results feed into SPRS scores, which contracting officers review during source selection.

C2M2 Assessment Process
C2M2 uses a facilitated self-evaluation approach. Organizations score individual practices as fully implemented, largely implemented, partially implemented, or not implemented. Scores aggregate to a MIL designation per domain rather than a single enterprise score. Because the model is voluntary, there is no third-party certification body; results are used internally or shared with sector regulators such as the Federal Energy Regulatory Commission (FERC) in the context of NERC CIP compliance planning.
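The per-domain aggregation described above is easy to get wrong in a spreadsheet, so here is an added worked example (not C2M2 Program tooling, and not code from this page) that rolls practice-level scores up to a MIL for each domain. It assumes the C2M2 rule that a domain attains a MIL only when every practice at that MIL and at every lower MIL is scored fully or largely implemented; the domain names, practice identifiers, and scores in SAMPLE are constructed for illustration.

```python
"""Roll C2M2-style practice scores up to a Maturity Indicator Level per domain.

Added illustration, not part of the C2M2 Program. Assumed rule: a domain
attains MIL n only if all practices at MIL 1..n are scored "fully" or
"largely" implemented; any other score at a level blocks that level and
everything above it. No enterprise-wide score is produced.
"""
from collections import defaultdict

# Scoring vocabulary of the facilitated self-evaluation (constructed labels).
CREDITED = {"fully", "largely"}           # counts toward MIL attainment
SCORES = CREDITED | {"partially", "not"}  # all valid practice scores
MILS = (1, 2, 3)                          # MIL 0 means nothing attained


def domain_mil(practices):
    """Return (attained_mil, blockers) for one domain.

    practices: list of (practice_id, mil, score).
    blockers: practice ids below the credited threshold at the first MIL
    that fails, i.e. the gaps that must close to reach the next level.
    """
    by_mil = defaultdict(list)
    for pid, mil, score in practices:
        if score not in SCORES:
            raise ValueError(f"{pid}: unknown score {score!r}")
        if mil not in MILS:
            raise ValueError(f"{pid}: MIL must be 1-3, got {mil}")
        by_mil[mil].append((pid, score))

    attained = 0
    for mil in MILS:
        failing = [pid for pid, s in by_mil[mil] if s not in CREDITED]
        # A level with no practices recorded is treated as not attained
        # (assumption: every real C2M2 domain defines practices at each MIL).
        if failing or not by_mil[mil]:
            return attained, failing
        attained = mil
    return attained, []


def assess(records):
    """records: iterable of (domain, practice_id, mil, score).

    Returns {domain: (attained_mil, blockers)}; deliberately no roll-up
    across domains, matching the model's per-domain reporting.
    """
    per_domain = defaultdict(list)
    for domain, pid, mil, score in records:
        per_domain[domain].append((pid, mil, score))
    return {d: domain_mil(p) for d, p in per_domain.items()}


# Constructed sample self-evaluation; ids and scores are illustrative only.
SAMPLE = [
    ("ASSET", "ASSET-1a", 1, "fully"),
    ("ASSET", "ASSET-1b", 1, "fully"),
    ("ASSET", "ASSET-2a", 2, "largely"),
    ("ASSET", "ASSET-2b", 2, "partially"),   # blocks MIL 2
    ("ASSET", "ASSET-3a", 3, "fully"),       # cannot count while MIL 2 fails
    ("THREAT", "THREAT-1a", 1, "fully"),
    ("THREAT", "THREAT-2a", 2, "largely"),
    ("THREAT", "THREAT-3a", 3, "fully"),
    ("RESPONSE", "RESPONSE-1a", 1, "not"),   # blocks MIL 1 -> MIL 0
    ("RESPONSE", "RESPONSE-1b", 1, "fully"),
    ("RESPONSE", "RESPONSE-2a", 2, "fully"),
]

if __name__ == "__main__":
    for domain, (mil, blockers) in assess(SAMPLE).items():
        gap = f" (blocked by {', '.join(blockers)})" if blockers else ""
        print(f"{domain}: MIL {mil}{gap}")
```

Note that a fully implemented MIL 3 practice earns nothing while a lower level is blocked, which is the behaviour the cumulative rule produces and the reason remediation planning should start from the lowest blocker in each domain.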

SSE-CMM Assessment Process
SSE-CMM appraisals evaluate process institutionalization across 11 base practices using a structured appraisal method. Appraisers examine artifacts, interview personnel, and rate each process area against the 5-level capability scale. The ISO/IEC 21827 standard governs the appraisal methodology. SSE-CMM assessments are typically commissioned when procurement decisions require evidence that a systems integrator or security engineering firm operates defined, repeatable engineering processes — relevant in acquisition contexts under the DoD Risk Management Framework (RMF) and in supply chain security due diligence.


Common scenarios

Defense contractor seeking DoD contracts involving CUI: CMMC Level 2 certification is the operational requirement. The organization must map its environment against NIST SP 800-171's 110 practices, produce a System Security Plan (SSP), and engage a C3PAO for third-party assessment. Deficiencies in access control (identity and access management) or incident response capabilities are among the most frequently cited gaps in SPRS assessments.

Electric utility benchmarking its operational technology security: C2M2 provides a domain-level snapshot without triggering a compliance obligation. A utility operating industrial control systems can use C2M2's Asset, Change, and Configuration Management domain alongside its OT/ICS security program review to identify gaps before a NERC CIP audit cycle.

Federal system integrator competing for high-assurance engineering contracts: An SSE-CMM appraisal documents the maturity of the firm's security engineering processes. Contracting officers and prime contractors use SSE-CMM capability level evidence as part of cyber risk management assessments during proposal evaluation, particularly for programs subject to the DoD RMF's system engineering requirements.


Decision boundaries

The selection of the appropriate maturity model follows from three deterministic factors: regulatory obligation, sector affiliation, and assessment subject.

| Factor | CMMC | C2M2 | SSE-CMM |
|---|---|---|---|
| Governing body | US DoD / Cyber AB | US DOE / DHS | ISO/IEC JTC 1/SC 27 |
| Mandatory or voluntary | Mandatory (DIB contracts) | Voluntary | Voluntary / Contractual |
| Assessment subject | Organizational security program | Organizational security program | Security engineering processes |
| Primary sector | Defense Industrial Base | Energy / Critical Infrastructure | Systems engineering / Integration |
| Third-party certification | Required for most Level 2 and all Level 3 | Not required | Conducted by trained appraisers |
| Maturity levels | 3 levels | MIL 0–3 per domain | 5 capability levels |

Organizations outside the DIB but subject to federal cybersecurity compliance requirements — such as FISMA-covered agencies or critical infrastructure operators — have no CMMC obligation but may find C2M2 directly relevant to sector-specific regulatory expectations. SSE-CMM applies when the unit of analysis is an engineering team or a vendor's development and integration process rather than an enterprise security program.

CMMC and C2M2 share a significant overlap in control content: both reference NIST SP 800-171 practices. Organizations that have completed a CMMC Level 2 gap analysis will find that C2M2's Threat and Vulnerability Management and Incident Response domains map closely to controls already scoped in their CMMC assessment. The inverse is not automatic — C2M2's energy-sector-specific practices (grid resilience, physical-cyber interface controls) have no direct CMMC equivalent.

SSE-CMM stands apart from both because it measures process quality rather than control implementation. An organization can hold CMMC Level 2 certification while employing engineering practices at SSE-CMM Capability Level 1 (performed but not documented), meaning the two frameworks measure orthogonal properties. High-assurance program contexts — particularly those involving application security or embedded systems — may require both operational and engineering maturity evidence simultaneously. Practitioners navigating information security frameworks across multiple regulatory contexts should treat CMMC, C2M2, and SSE-CMM as complementary rather than interchangeable instruments.

