Put on your quantum suit and take an ibuprofen, because we’re about to enter the multiverse.

Meet the Department of Energy’s “Cybersecurity Capability Maturity Model” program, or “C2M2.” If that sounds a lot like “Cybersecurity Maturity Model Certification” (CMMC) it’s because someone used taxpayer dollars to come up with an algorithm to mix the letters just enough to avoid outright copyright infringement.

But wait… that’s not quite right. In fact, C2M2 pre-dated CMMC by years… a lot of years. C2M2 goes back as far as 2012, long before Katie Arrington and her former boss Ty Schieber started cooking up the CMMC scheme.


But the C2M2 is the product of cybersecurity consultant Jason Christopher, of Dragos Inc., who enlisted the support of CMMC architect Katie Stewart of Carnegie Mellon University’s Software Engineering Institute (SEI). If that name is familiar, it should be: Stewart is the key author of the CMMC Model and the CMMC Assessment Guide, which essentially makes her Patient Zero in the pandemic of redundant cybersecurity standards.

Stewart works specifically for the CERT Division of SEI, which boldly claims to be the “birthplace of cybersecurity” (so, fuck you, ARPANET). It appears Stewart has been farming out her expertise in making stunningly bad maturity models to anyone who would listen, all the while ignoring the fact that she may be single-handedly responsible for widespread government redundancy and the nationwide eradication of small business.

Take a look at a quote from this article that pulls the curtain open on her efforts, and offers a terrifying vision of a future plagued by multiple, redundant models:

CERT-RMM is the parent of other SEI maturity models, such as the Smart Grid Maturity Model (SGMM) and the Department of Energy’s Cybersecurity Capability Maturity Model (C2M2). CERT-RMM also shaped two organizational assessments developed and administered by the SEI for the Department of Homeland Security: the Cyber Resilience Review (CRR) and External Dependencies Management (EDM).

That’s a lot of redundant waste, and Stewart has her fingerprints on all of them.

Now, at some point, an adult should have stepped in and stopped The Stewart Gang from ballooning the size of government regulations and standards, and potentially bankrupting thousands upon thousands of companies. But because so few people understand cyber, there are precious few adults to say boo about it. This is what you get when you dumb down government, and elect technologically-ignorant morons.

This represents yet another black mark for the other Katie, she being Arrington, who may have hit the limit of her ability to fail upwards. It proves that she had existing DOE resources she could have leveraged to create CMMC, and specifically in a manner that didn’t result in multiple certification monstrosities. Instead, Arrington pretended she and her pals created CMMC, never once mentioning she may have ripped the thing off from DOE in the first place.

Then, Arrington — jacked up on what I hope was a lot of triple-shot ‘ccinos — boldly and repeatedly promised that CMMC would be adopted wholesale across all Federal agencies… meaning the DOE, too. None of that was ever going to happen, but it takes on a new perspective as we find out someone else already had this thing underway. Worse, Arrington and her sentient shadow, Stacy Bostjanick, started selling CMMC overseas, which raised all sorts of questions about inviting foreign influence. Despite nearly a decade’s head start, DOE never managed to get its supply chain to fully adopt C2M2, much less get it adopted by the rest of government or the entire planet; Arrington was arrogant enough to imagine she could accomplish this?

Well, as history shows, she didn’t.

For now, DOE’s C2M2 is designed for self-evaluation, but if you think consultants aren’t positioning to mimic the CMMC-AB and create an entire international consulting industry for themselves, you’ve drunk too much lighter fluid. Sure enough, the C2M2 page already drops in references to “facilitators,” who will no doubt need some sort of professional credential.

Oh, by the way, since it’s been around since 2012, I think we can safely say the DOE’s C2M2 hasn’t done shit for improving the nation’s cybersecurity… especially since DOE itself just got hacked. We can likely expect much of the same from CMMC.

We now live in a universe where companies lucky enough to win contracts with both the DOD and DOE will have to implement two or more entirely different models. Any way you look at this, it’s a disaster for companies selling to the Federal government. It will bankrupt companies or, alternatively, it will force thousands of companies to exit the government market entirely, thus harming national security and forcing the government to buy from whoever remains. This will result in the eradication of SME suppliers, leaving only the big — and expensive — guys to play in the Federal space.

None of this will help shore up the nation’s cybersecurity posture, but it will mean a lot of consultants get paid a lot of money.

(Katie Stewart — probably smartly — continues to refuse to respond to questions on this or anything else, for that matter. Jason Christopher did not reply to a request for information on the C2M2 program.)

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.
