# Opener

Implementing the Department of Energy’s (DOE) Cybersecurity Capability Maturity Model (C2M2) with Scripts and Rhythms

Published by Axio

This piece was written by Axio cyber risk experts Pamela Curtis, Vice President of Process Engineering, and John Fry, Director of Cyber Risk Engineering.

Cybersecurity leaders can easily be consumed by the constant firefighting inherent to the cybersecurity trade—both incident-driven and project-related. You may be committed to implementing a proactive strategy for your cybersecurity program but be constantly thwarted by never-ending distractions. What's needed is an effective way to quickly develop your strategy and get the wheels in motion, so that you can focus on what matters most and maybe even have some time to think about what's next.

The simple technique we present in this blog will allow you to rise above the fray and propel your cybersecurity program forward with intentional design and purpose. We will show how you can implement C2M2—the Cybersecurity Capability Maturity Model—using a planning technique called Scripts and Rhythms to quickly plan your cyber program activities and make sure those activities actually happen.

Overview of the C2M2 Cybersecurity Program Management domain

Just to be clear about what we mean by cybersecurity program, here’s C2M2’s simple definition: “A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization.”[1] C2M2, like other process improvement models, is often used just for assessing cybersecurity capabilities, but its more powerful use is to guide the plan and operation of a cybersecurity program. (If you are new to C2M2, see our previous post, “Cybersecurity Capability Maturity Model (C2M2) – Overview.”[2]) C2M2 describes common cybersecurity practices—from foundational to advanced—grouped by type of activity, such as asset management, access management, incident response, and supply chain risk management. C2M2 provides you with a logical way to identify, describe, manage, and report on your cybersecurity program activities.

C2M2’s Cybersecurity Program Management (CPM) domain contains practices that guide the determination of which cybersecurity activities will be done and how to obtain necessary resources to ensure that they can be done. We will use some of those CPM practices to demonstrate the use of Scripts and Rhythms for planning cybersecurity program operations.

Implementing C2M2 with Scripts and Rhythms

Scripts and Rhythms is a technique to get activities done by specific people in a specific way and on a specific schedule (annually, quarterly, weekly, etc.). Scripts are what to do; Rhythms are when to do it. Going back to the idea of getting the wheels in motion, Scripts and Rhythms are rather like a car maintenance schedule. They tell you what actions need to be taken to keep things in good running order and give you a schedule for when those actions should be done. Scripts and Rhythms build an efficient and effective operational cadence for your cybersecurity program.

Applying Scripts and Rhythms takes place in four steps:

  1. Identify the tasks that need to be accomplished.
  2. Determine the appropriate frequency (rhythm) for each task.
  3. Write the script.
  4. Schedule activities.

In the next section, we’ll demonstrate how it can be done.

Identifying the Right C2M2 Tasks and Determining Frequencies

This section will provide an example of how to identify tasks and determine frequencies. An efficient way to jumpstart this process is to identify a suitable cybersecurity framework and select appropriate practices for your organization. To demonstrate Scripts and Rhythms, we have selected the C2M2 as our framework and will focus on a subset of MIL1 and MIL2 practices from the C2M2 Cybersecurity Program Management domain. (If you are not familiar with MILs—maturity indicator levels—see our previous post, “Cybersecurity Capability Maturity Model (C2M2) – Overview.”[3])

The following table shows the practices we selected from the C2M2 along with examples of tasks and frequencies we identified to implement them.


| Practice | Description | Task | Frequency | Script ID |
|---|---|---|---|---|
| CPM-1a. The organization has a cybersecurity program strategy | The strategy describes at a high level the activities the organization will perform to protect and sustain its IT and OT assets. (For a C2M2-based program, areas of activity in the strategy could align with C2M2 domains and objectives.) The strategy also identifies key roles in the program and how the program is to be managed. | Review and update the cybersecurity program strategy | Annually | 1.1 |
| | | Communicate the cybersecurity program strategy to stakeholders | Annually | 1.2 |


Download the complete table: C2M2 practices and sample tasks and frequencies.

Writing scripts for C2M2 practices

Scripts provide detail about how tasks will be done and who will participate. The following is a notional example of a script that could be used to implement the first task associated with Cybersecurity Program Management practice CPM-1a listed above.

Download the sample cybersecurity program strategy review meeting script to see how you can customize and build your own. 

Scheduling activities

The final step to applying Scripts and Rhythms is scheduling activities and sending calendar invites. Scheduling activities and getting things on the calendar all at once takes a lot of the pain out of managing things over the course of the year. And it can take just a day to get everything scheduled that will keep the engine of your cybersecurity program running all year.

To get started, review each script, including the activity type, duration, and participants. Then identify an appropriate date or set of dates to conduct each activity. Draft meeting invites or other appropriate communications to set aside time on the calendars of planned participants to conduct the activities described in each script. Use the agenda section from each script as a starting point for the body of meeting invitations. When preparing for activities, refer to the script as a reminder of inputs needed to conduct activities and as an aid for developing facilitation materials.

Putting C2M2 in motion with Scripts and Rhythms

Managing your cybersecurity program efficiently requires the application of multiple management tools and techniques. C2M2 and other cybersecurity frameworks provide standard cybersecurity management practices that you may choose from to fit your organization. Planning techniques such as Scripts and Rhythms are a force multiplier that enables you to implement a proactive strategy for your cybersecurity program.

Applying the Scripts and Rhythms technique should be done in rapid-fire sessions that focus on efficiency instead of perfection. Permitting room for error and later adjustment makes the process much more realistic and approachable. Use the examples provided here as templates and make them better, or create templates that work better for you.

Follow-through in scheduling and communication is key to this process. Getting the right meetings on team calendars sets a foundation for the activities and outputs that build your cybersecurity program. Communicating upward with sponsors and laterally with colleagues helps to bring the process to life and gives planners an opportunity to reinforce the positive impacts of a strong cybersecurity program.

Consider enlisting outside support where needed. Professional meeting facilitation can promote more engaging conversations and improve decision making. Decision support products can help bring the right information to bear on complex issues. Cybersecurity analysts can provide insight into current cybersecurity trends and transparency into how your peer organizations are addressing similar challenges.



[1] U.S. Department of Energy, Cybersecurity Capability Maturity Model Version 1.1, Feb. 2014, pg. 46. https://www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf

[2] https://axio.com/insights/cybersecurity-capability-maturity-model-c2m2-overview/

[3] https://axio.com/insights/cybersecurity-capability-maturity-model-c2m2-overview/