Comparative Analysis of Cybersecurity Maturity Frameworks: NIST-CSF and C2M2
Abstract
Cybersecurity maturity assessment is crucial for organizations implementing information technology. Various methods and frameworks are currently available to facilitate such assessments. This analysis focuses on two popular frameworks published by recognized legal entities in the United States: NIST-CSF and C2M2. These frameworks were developed in collaboration with relevant stakeholders. While they share some similarities, each framework has distinct characteristics. Employing either one is preferable to not conducting a cybersecurity maturity assessment at all. Alternatively, using both frameworks together can yield more comprehensive assessment results.
Copyright (c) 2024 Faishal Wafiq Zakiy and Nisa Dwi Angresti

This work is licensed under a Creative Commons Attribution 4.0 International License.
All our articles are published under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.