Implementing the Department of Energy’s (DOE) Cybersecurity Capability Maturity Model (C2M2) with Scripts and Rhythms

This piece was written by Axio cyber risk experts Pamela Curtis, Vice President of Process Engineering and John Fry, Director of Cyber Risk Engineering.

Cybersecurity leaders can easily be consumed by the constant firefighting inherent to the cybersecurity trade—both incident-driven and project-related. You may be committed to implementing a proactive strategy for your cybersecurity program but be constantly thwarted by never-ending distractions. An effective way to quickly develop your strategy and get the wheels in motion is what’s needed to enable you to focus on what matters most and maybe even have some time to think about what’s next.

Cloud Native Now

The simple technique we present in this blog will allow you to rise above the fray and propel your cybersecurity program forward with intentional design and purpose. We will show how you can implement C2M2—the Cybersecurity Capability Maturity Model—using a planning technique called Scripts and Rhythms to quickly plan your cyber program activities and make sure those activities actually happen.

Overview of the C2M2 Cybersecurity Program Management domain

Just to be clear about what we mean by cybersecurity program, here’s C2M2’s simple definition: “A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization.”[1] C2M2, like other process improvement models, is often used just for assessing cybersecurity capabilities, but its more powerful use is to guide the plan and operation of a cybersecurity program. (If you are new to C2M2, see our previous post, “Cybersecurity Capability Maturity Model (C2M2) – Overview.”[2]) C2M2 describes common cybersecurity practices—from foundational to advanced—grouped by type of activity, such as asset management, access management, incident response, and supply chain risk management. C2M2 provides you with a logical way to identify, describe, manage, and report on your cybersecurity program activities.

C2M2’s Cybersecurity Program Management (CPM) domain contains practices that guide the determination of which cybersecurity activities will be done and how to obtain necessary resources to ensure that they can be done. We will use some of those CPM practices to demonstrate the use of Scripts and Rhythms for planning cybersecurity program operations.

Implementing C2M2 with Scripts and Rhythms

Scripts and Rhythms is a technique to get activities done by specific people in a specific way and on a specific schedule (annually, quarterly, weekly, etc.). Scripts are what to do; Rhythms are when to do. Going back to the idea of getting the wheels in motion, Scripts and Rhythms are rather like a car maintenance schedule. They tell you what actions need to be taken to keep things in good running order and give you a schedule for when those actions should be done. Scripts and Rhythms build an efficient and effective operational cadence for your cybersecurity program.

Applying Scripts and Rhythms takes place in four steps:

  1. Identify the tasks that need to be accomplished.
  2. Determine the appropriate frequency (rhythm) for each task.
  3. Write the script.
  4. Schedule activities.

In the next section, we’ll demonstrate how it can be done.

Identifying the Right C2M2 Tasks and Determining Frequencies

This section will provide an example of how to identify tasks and determine frequencies. An efficient way to jumpstart this process is to identify a suitable cybersecurity framework and select appropriate practices for your organization. To demonstrate Scripts and Rhythms, we have selected the C2M2 as our framework and will focus on a subset of MIL1 and MIL2 practices from the C2M2 Cybersecurity Program Management domain. (If you are not familiar with MILs—maturity indicator levels—see our previous post, “Cybersecurity Capability Maturity Model (C2M2) – Overview.”[3])

The following table shows the practices we selected from the C2M2 along with examples of tasks and frequencies we identified to implement them.

Table 1: C2M2 practices and sample tasks and frequencies

Practice Description Task Frequency Script ID
CPM-1a. The organization has a cybersecurity program strategy The strategy describes at a high level the activities the organization will perform to protect and sustain its IT and OT assets. (For a C2M2-based program, areas of activity in the strategy could align with C2M2 domains and objectives.) The strategy also Identifies key roles in the program and how the program is to be managed. Review and update the cybersecurity program strategy Annually 1.1
Communicate the cybersecurity program strategy to stakeholders Annually 1.2
CPM-2a. Resources (people, tools, and funding) are provided to support the cybersecurity program Determine what staff, tools, and funding are needed to enable implementation of each of the cybersecurity program activities. Develop funding requests to obtain whatever resources are feasible given budget constraints. Determine projections for annual staff, tools, and funding needs 2.1
Develop funding requests Annually 2.2
Track actual spending versus budget allocation Monthly 2.3
Adjust project staffing and other spending based on ongoing needs and budget allocation Weekly 2.4
CPM-2b. Senior management provides sponsorship for the cybersecurity program The fundamental form of sponsorship is to provide resources to support the cybersecurity program. Secure the support of a senior manager who understands the importance of cybersecurity and has influence on resource decisions. Sponsorship might also involve granting authority to perform cybersecurity activities, facilitating the integration of cybersecurity activities into other organizational activities, and improving employee awareness by speaking about cybersecurity during management meetings. Review cybersecurity program management strategy with senior management sponsor and obtain approval Annually 3.1
Report on accomplishments of the cybersecurity program to the board of directors Annually 3.2
Review program activities and accomplishments with senior management sponsor Quarterly 3.3
Identify and schedule awareness and communication opportunities (speaking engagements, email, etc.) Monthly 3.4
CPM-2c. The cybersecurity program is established according to the cybersecurity program strategy The cybersecurity program plan defines at a lower level the activities, tasks, and projects that will be carried out to ensure that the objectives documented in the cybersecurity program strategy are achieved, along with the roles and responsibilities involved. Review and update the cybersecurity program plan according to updates to the cybersecurity program strategy Annually 4.1
Schedule projects to be accomplished by the cybersecurity program Quarterly 4.2
Meet with individuals responsible for implementing cybersecurity practices (access management, patching, logging and monitoring, for example) Monthly 4.3
Track and report progress of ongoing program activities and projects Weekly 4.4

Writing scripts for C2M2 practices

Scripts provide detail about how tasks will be done and who will participate. The following is a notional example of a script that could be used to implement the first task associated with Cybersecurity Program Management practice CPM-1a listed above.

Table 2: Sample cybersecurity program strategy review meeting script

Script ID 1.1
Task Review and update the cybersecurity program strategy
Activity Cybersecurity Program Strategy Review Meeting
Activity Type Workshop
Participants Cybersecurity Program Leadership Team
Duration 2 days
Agenda ·       Review meeting inputs (15 minutes per input)

·       Review and update areas of cybersecurity activity to be conducted throughout the year

·       Review and update key roles supporting the cybersecurity program

·       Identify any other needed updates to cybersecurity program strategy document

·       Determine and assign follow-up actions

Inputs ·       Previous year’s cybersecurity program strategy document and presentations

·       Budget and project planning documentation for upcoming year

·       Summary of organizational changes that may impact the cybersecurity program

·       Results of cybersecurity program assessment (control assessment, pen testing, etc.)

·       Feedback and lessons learned related to the strategy that were collected through the previous year

·       Lessons learned and other relevant documentation related to internal cybersecurity incidents

·       Recent threat alerts, vulnerability announcements, and important cybersecurity events

Outputs ·       Updated Cybersecurity Program Strategy document

·       List of follow-up actions and assignees


Scheduling activities

The final step to applying Scripts and Rhythms is scheduling activities and sending calendar invites. Scheduling activities and getting things on the calendar all at once takes a lot of the pain out of managing things over the course of the year. And it can take just a day to get everything scheduled that will keep the engine of your cybersecurity program running all year.

To get started, review each script, including the activity type, duration, and participants. Then identify an appropriate date or set of dates to conduct each activity. Draft meeting invites or other appropriate communications to set aside time on the calendars of planned participants to conduct the activities described in each script. Use the agenda section from each script as a starting point for the body of meeting invitations. When preparing for activities, refer to the script to as a reminder of inputs needed to conduct activities and as an aid for developing facilitation materials.

Putting C2M2 in motion with Scripts and Rhythms

Managing your cybersecurity program efficiently requires the application of multiple management tools and techniques. C2M2 and other cybersecurity frameworks provide standard cybersecurity management practices that you may choose from to fit your organization. Planning techniques such as Scripts and Rhythms are a force multiplier that enable you to implement a proactive strategy for your cybersecurity program.

Applying the Scripts and Rhythms technique should be done in rapid-fire sessions that focus on efficiency instead of perfection. Permitting room for error and later adjustment makes the process much more realistic and approachable. Use the examples provided here as templates and make them better, or create templates that work better for you.

Follow-through in scheduling and communication are key to this process. Getting the right meetings on team calendars sets a foundation for the activities and outputs that build your cybersecurity program. Communicating upward with sponsors and laterally with colleagues helps to bring the process to life and gives planners an opportunity to reinforce the positive impacts of a strong cybersecurity program.

Consider enlisting outside support where needed. Professional meeting facilitation can promote more engaging conversations and improve decision making. Decision support products can help bring the right information to bear on complex issues. Cybersecurity analysts can provide insight into current cybersecurity trends and transparency into how your peer organizations are addressing similar challenges.

Contact Axio today to learn how our platform may help you simplify and empower your cybersecurity program.


[1] U.S. Department of Energy, Cybersecurity Capability Maturity Model Version 1.1, Feb. 2014, pg. 46.





*** This is a Security Bloggers Network syndicated blog from Axio authored by Axio. Read the original post at:

Cloud Capabilities Poll