Skip to main content Link Menu Expand (external link) Document Search Copy Copied
In this article:
  1. Supported Assessment Models
    1. Prerelease Models
    2. Deprecated Models

Supported Assessment Models

The following tables provide an overview of the Axio360 supported assessment models, current and in prerelease.

Answer scales can be substituted on models. For example, the CSF assessment can utilize a CMMI answer scale for granularity in alignment with sector-specific frameworks.

Model Summary Regulation
C2M2 v2.1 C2M2 was established by the U.S. Department of Energy to improve electricity subsector cybersecurity capabilities and to understand the cybersecurity posture of the energy sector [DOE 2014]. Axio’s David White was the principal architect of C2M2, and several other Axions have been involved in its development. The energy sector and other organizations widely use C2M2 to evaluate, prioritize, and improve cybersecurity capabilities.
The model is a common set of industry-vetted cybersecurity practices, grouped into domains, and by objectives within each domain, and arranged according to a maturity level scale of MIL0 through MIL3. Version 1.1 was released in 2014, Version 2.0 was introduced in June 2021, and Version 2.1 was launched in June 2022.
Axio360 offers v.2.1 support.
CIS Controls Formerly the SANS Critical Security Controls (SANS Top 20), these are now officially called the CIS Critical Security Controls (CIS Controls).
CIS Controls Version 8 combines and consolidates the CIS Controls by activities rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in decreased Controls from 20 to 18.
Center for Internet Security
CMMC The CMMC program includes cyber protection standards for companies in the defense industrial base (DIB). CMMC assures the Department that contractors and subcontractors meet DoD’s cybersecurity requirements by incorporating cybersecurity standards into acquisition programs. U.S. Department of Defense
CMMC V2 Model update based on latest regulation standard reflecting v2.0 U.S. Department of Defense
CRI Profile v1.2 and v2.0 The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity.” The Profile is an efficient approach to cybersecurity risk management that effectively counters the dynamic, evolving threat and provides adequate assurance to government supervisors.
The model includes the 4 tiers to offer the details needed in today’s markets:
- Tier 1 National or Global
- Tier 2 Subnational
- Tier 3 Sector-only
- Tier 4 Localized

The model also supports the CMMI format.
The Cyber Risk Institute
NIST CSF The Framework for Improving Critical Infrastructure Cybersecurity (as this is titled), a.k.a. the Cybersecurity Framework, is published by the U.S. National Institute of Standards and Technology (NIST).
The core of the Framework version 2.0 is a set of desired activities and outcomes organized into 6 Functions, 22 Categories, and 107 Subcategories (practices). Version 1.1 is organized into 5 Functions, 23 Categories, and 108 Subcategories (practices). Each Subcategory is accompanied by Informative References across multiple standards, such as NIST 800-53 and ISO/IEC 27001. The Framework also includes Implementation Tiers, which “help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices” [NIST CSF 2018, pg. 8].
CSF has gained widespread use, and many assessment tools, implementation guidance, and other supporting resources are provided for it by other organizations. An online CSF assessment is available on the Axio360 Platform.
CSF flavors available:
- CSF (CMMI): CSF model with health care sector specific answer scale.
- CSF Foundations
NIST IR 8374 (Ransomware) Ransomware is a malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand additional payment for not disclosing the information to authorities, competitors, or the public. NIST Ransomware Risk Management
NIST SP 800-53 Rev. 5 This framework provides “security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks” per Joint Task Force of the NIST Computer Security Resource Center website. NIST Security and Privacy Controls for Information Systems and Organizations
SSDF The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation.
Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences. Also, because the SSDF provides a common language for describing secure software development practices, software producers and acquirers can use it to foster their communications for procurement processes and other management activities.

The model also supports the CMMI format.

The SSDF is currently not deployed to the Canadian production environment.

Prerelease Models

Model Summary Regulation
CMMC (Alpha)    
FFIEC Part 1 (Alpha) This assessment model provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time. FFIEC
ISO 27001 Controls ISO 27001 or ISO/IEC 27001, as this is commonly called (IEC is the International Electrotechnical Commission), is an international information security standard that provides “requirements for establishing, implementing, maintaining and continually improving an information security management system.” “This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s information security requirements” [ISO/IEC 2013]. It must be purchased from ISO. ISO

Deprecated Models

  • C2M2 v2
  • C2M2 Foundations