Australian energy sector organisations navigating cyber security compliance often encounter three interconnected frameworks: the Australian Energy Sector Cyber Security Framework (AESCSF), the US Department of Energy's Cybersecurity Capability Maturity Model (C2M2), and the NIST Cybersecurity Framework (CSF). Understanding how these frameworks relate to each other is essential for effective implementation and for communicating with stakeholders who may reference different frameworks. AESCSF v2 is built upon C2M2, adapting its domain-based maturity model for the Australian regulatory context. Meanwhile, both frameworks provide crosswalks to NIST CSF, which uses a function-based approach that has become a common language for cyber security discussions globally. This article provides a detailed comparison of AESCSF v2 and C2M2 v2.1, examines their structural differences, and maps how NIST CSF v2.0 functions align across both frameworks.
Framework Heritage and Purpose
Understanding the origins of each framework explains their design choices and intended use cases.
C2M2 v2.1 was developed by the US Department of Energy in partnership with the Department of Homeland Security and industry stakeholders. First released in 2014 and updated to version 2.1 in 2022, C2M2 was purpose-built for the energy sector to help organisations assess and improve their cyber security capabilities. Its maturity model approach recognises that security improvement is progressive and allows organisations to benchmark their current state against defined capability levels.
AESCSF v2 was developed by the Australian Energy Market Operator (AEMO) in collaboration with the Australian Cyber Security Centre (ACSC) and energy sector participants. AEMO explicitly adopted C2M2 as the foundation for AESCSF, adapting it for Australian regulatory requirements, terminology, and the specific context of Australian electricity and gas networks. AESCSF v2 aligns with Security of Critical Infrastructure Act (SOCI Act) obligations and integrates with Australian government security guidance.
NIST CSF v2.0 takes a different approach. Rather than a maturity model, it provides a taxonomy of security outcomes organised into functions. Originally released in 2014 and significantly updated to version 2.0 in 2024, NIST CSF has become a de facto standard for discussing cyber security capabilities across industries. Its function-based structure (Govern, Identify, Protect, Detect, Respond, Recover) provides a high-level view that complements the detailed domain structures of C2M2 and AESCSF.
Structural Comparison: Domains vs Functions
The most significant difference between the frameworks is their organising structure.
C2M2 v2.1 and AESCSF v2: Domain-Based Structure
Both C2M2 and AESCSF organise capabilities into ten domains, each addressing a specific aspect of cyber security management:
| Domain | Abbreviation | Focus Area |
|---|---|---|
| Asset, Change, and Configuration Management | ASSET | IT and OT asset lifecycle management |
| Threat and Vulnerability Management | THREAT | Threat detection, vulnerability identification and remediation |
| Risk Management | RISK | Enterprise cyber security risk program |
| Identity and Access Management | ACCESS | Identity lifecycle and access control |
| Situational Awareness | SITUATION | Operational and security monitoring |
| Event and Incident Response, Continuity of Operations | RESPONSE | Detection, response, and recovery capabilities |
| Third-Party Risk Management | THIRD-PARTIES | Supply chain and vendor security |
| Workforce Management | WORKFORCE | Security culture, training, and personnel security |
| Cybersecurity Architecture | ARCHITECTURE | Security design and implementation |
| Cybersecurity Program Management | PROGRAM | Governance, strategy, and program oversight |
Within each domain, both frameworks define practices at increasing maturity levels. C2M2 uses Maturity Indicator Levels (MIL) 0-3, while AESCSF uses Security Profile (SP) levels 1-3 with similar definitions.
NIST CSF v2.0: Function-Based Structure
NIST CSF v2.0 organises outcomes into six functions:
| Function | Focus Area |
|---|---|
| Govern (GV) | Cyber security risk management strategy, expectations, and policy |
| Identify (ID) | Understanding assets, risks, and improvement opportunities |
| Protect (PR) | Safeguards to manage cyber security risks |
| Detect (DE) | Finding and analysing cyber security attacks and compromises |
| Respond (RS) | Taking action regarding detected incidents |
| Recover (RC) | Restoring capabilities and services after incidents |
Each function contains categories and subcategories that describe specific outcomes. Unlike C2M2/AESCSF, NIST CSF does not prescribe maturity levels - it describes what should be achieved, not how mature the implementation should be.
Mapping NIST CSF Functions to C2M2/AESCSF Domains
NIST CSF functions do not map one-to-one with C2M2/AESCSF domains. Each function spans multiple domains, and each domain contributes to multiple functions. Understanding these mappings helps organisations translate between framework languages.
GOVERN Function Mappings
The Govern function, added in NIST CSF v2.0, addresses organisational context, risk management strategy, roles and responsibilities, policies, and oversight. It maps primarily to:
- PROGRAM - Cyber security strategy, governance, and sponsorship
- RISK - Risk management program and risk appetite
- WORKFORCE - Roles, responsibilities, and accountability
IDENTIFY Function Mappings
The Identify function covers asset management, risk assessment, and improvement. It maps to:
- ASSET - Asset inventory, classification, and configuration management
- RISK - Risk identification and assessment
- THREAT - Threat identification and vulnerability assessment
- THIRD-PARTIES - Supply chain risk identification
PROTECT Function Mappings
The Protect function addresses safeguards including access control, awareness training, data security, and protective technology. It maps to:
- ACCESS - Identity management and access control
- ARCHITECTURE - Security architecture and protective technologies
- WORKFORCE - Awareness and training programs
- ASSET - Configuration management and change control
DETECT Function Mappings
The Detect function covers continuous monitoring, anomaly detection, and detection processes. It maps to:
- SITUATION - Security monitoring and situational awareness
- THREAT - Threat detection and analysis
- RESPONSE - Event detection capabilities
RESPOND Function Mappings
The Respond function addresses incident response planning, communications, analysis, mitigation, and improvements. It maps to:
- RESPONSE - Incident response and mitigation
- SITUATION - Incident-related communications
- PROGRAM - Response improvement and lessons learned
RECOVER Function Mappings
The Recover function covers recovery planning, improvements, and communications. It maps to:
- RESPONSE - Continuity of operations and recovery
- PROGRAM - Recovery improvements
- SITUATION - Recovery communications
Key Differences Between AESCSF v2 and C2M2 v2.1
While AESCSF is based on C2M2, there are meaningful differences that Australian organisations should understand.
Regulatory Alignment
AESCSF v2 explicitly aligns with Australian regulatory requirements:
- Security of Critical Infrastructure Act (SOCI Act) obligations
- Critical Infrastructure Risk Management Program (CIRMP) requirements
- Australian Cyber Security Centre (ACSC) guidance
- Information Security Manual (ISM) mappings
C2M2 v2.1 aligns with US regulatory frameworks including NERC CIP for the electricity subsector, but these are not directly applicable in Australia.
Terminology and Context
AESCSF uses Australian terminology and references Australian energy market structures. References to regulators, reporting requirements, and compliance obligations reflect the Australian context. C2M2 uses US terminology and references US regulatory bodies.
Maturity Level Definitions
While both frameworks use similar maturity scales, the specific indicators and evidence requirements may differ:
| Level | C2M2 v2.1 | AESCSF v2 |
|---|---|---|
| 0/Not Performed | MIL 0 - Practices not performed | Not explicitly defined |
| 1/Initial | MIL 1 - Initial practices, may be ad hoc | SP 1 - Initial/ad hoc practices |
| 2/Managed | MIL 2 - Practices documented, stakeholders identified | SP 2 - Documented and managed |
| 3/Optimised | MIL 3 - Activities guided by policy, periodically reviewed | SP 3 - Optimised and continuously improving |
Assessment and Reporting
AESCSF includes specific guidance for annual self-assessments aligned with AEMO's reporting requirements. Organisations report their maturity levels across domains, with results used for sector-wide benchmarking and to demonstrate SOCI Act compliance. C2M2 assessments are self-directed without mandated reporting to regulators.
Practice Descriptions
Some practice descriptions in AESCSF have been modified from C2M2 to reflect Australian requirements or to align with ISM controls. When implementing AESCSF, always reference the AESCSF documentation rather than assuming C2M2 practices apply directly.
Practical Framework Selection and Integration
For Australian energy sector organisations, the question is not which framework to choose: AESCSF is the mandated approach for SOCI Act compliance. The question is how to integrate these frameworks effectively.
Primary Framework: AESCSF v2
AESCSF should be the primary framework for:
- Annual maturity assessments
- SOCI Act CIRMP compliance demonstration
- Reporting to AEMO and regulators
- Internal capability benchmarking
Reference Framework: C2M2 v2.1
C2M2 remains valuable as a reference for:
- Understanding the theoretical foundation of AESCSF
- Accessing DOE implementation guidance and resources
- Engaging with international partners or parent companies using C2M2
- Detailed practice implementation guidance (where AESCSF and C2M2 align)
Communication Framework: NIST CSF v2.0
NIST CSF is useful for:
- Board and executive communications (simpler function-based structure)
- Discussions with non-energy-sector stakeholders
- Mapping to other frameworks (ISO 27001, Essential Eight)
- Strategic planning and capability visualisation
Building a Unified Control Framework
Organisations managing multiple compliance obligations benefit from a unified control framework that maps:
- AESCSF practices (for energy sector compliance)
- NIST CSF outcomes (for communication and mapping)
- ISM controls (for government security requirements)
- ISO 27001 controls (for certification requirements)
This unified view prevents duplication of effort and ensures controls implemented for one framework satisfy requirements across multiple frameworks where applicable.
Implementation Considerations
When implementing across these frameworks, consider the following practical guidance.
Start with AESCSF Domain Assessment
Begin by assessing current maturity across all ten AESCSF domains. This provides the baseline for compliance reporting and identifies priority improvement areas. Use the AESCSF self-assessment toolkit provided by AEMO for consistency with sector benchmarks.
Map to NIST CSF for Gap Visualisation
Once you have domain-level maturity scores, map them to NIST CSF functions to identify functional gaps. Low maturity in the ASSET and RISK domains will manifest as gaps in the Identify function. Low maturity in SITUATION and THREAT domains indicates Detect function gaps. This functional view can be more intuitive for non-specialist stakeholders.
Use C2M2 Resources for Implementation Guidance
The DOE provides extensive implementation guidance for C2M2, including practice implementation guides and example evidence. Where AESCSF practices align with C2M2 (which is the case for most practices), these resources can inform implementation approaches. Always verify applicability to AESCSF requirements before applying C2M2 guidance directly.
Consider OT-Specific Requirements
All three frameworks recognise that IT and OT environments require different approaches. AESCSF and C2M2, designed for energy sector use, have stronger OT-specific guidance than the generic NIST CSF. When implementing controls in OT environments, prioritise AESCSF/C2M2 practice guidance over NIST CSF subcategories.
Plan for Framework Evolution
Frameworks evolve over time. NIST CSF v2.0 added the Govern function in 2024. C2M2 v2.1 updated practices in 2022. AESCSF releases periodic updates aligned with regulatory changes. Build flexibility into compliance programs to accommodate framework updates without complete redesign.
Framework Crosswalk Summary
The following summary shows how the three frameworks interrelate at a high level.
AESCSF/C2M2 Domains → NIST CSF Functions
| Domain | Primary NIST CSF Functions |
|---|---|
| ASSET | Identify, Protect |
| THREAT | Identify, Detect |
| RISK | Govern, Identify |
| ACCESS | Protect |
| SITUATION | Detect, Respond, Recover |
| RESPONSE | Respond, Recover |
| THIRD-PARTIES | Govern, Identify |
| WORKFORCE | Govern, Protect |
| ARCHITECTURE | Protect |
| PROGRAM | Govern |
NIST CSF Functions → AESCSF/C2M2 Domains
| Function | Contributing Domains |
|---|---|
| Govern | PROGRAM, RISK, WORKFORCE, THIRD-PARTIES |
| Identify | ASSET, RISK, THREAT, THIRD-PARTIES |
| Protect | ACCESS, ARCHITECTURE, WORKFORCE, ASSET |
| Detect | SITUATION, THREAT, RESPONSE |
| Respond | RESPONSE, SITUATION, PROGRAM |
| Recover | RESPONSE, PROGRAM, SITUATION |
These mappings are directional guides, not precise equivalences. Detailed control-level mapping requires analysis of specific practices and subcategories, which AEMO provides in the AESCSF documentation.
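As an added example (not part of the article and not AEMO's self-assessment toolkit), the following Python rolls domain-level SP scores up to NIST CSF functions using the "NIST CSF Functions → AESCSF/C2M2 Domains" crosswalk summarised above, producing the function-level gap view described under "Map to NIST CSF for Gap Visualisation". The sample assessment scores are constructed; the target SP level and the function names are assumptions for illustration.

```python
from statistics import mean

# Crosswalk as summarised in the article: NIST CSF function -> contributing domains.
FUNCTION_DOMAINS = {
    "Govern":   ["PROGRAM", "RISK", "WORKFORCE", "THIRD-PARTIES"],
    "Identify": ["ASSET", "RISK", "THREAT", "THIRD-PARTIES"],
    "Protect":  ["ACCESS", "ARCHITECTURE", "WORKFORCE", "ASSET"],
    "Detect":   ["SITUATION", "THREAT", "RESPONSE"],
    "Respond":  ["RESPONSE", "SITUATION", "PROGRAM"],
    "Recover":  ["RESPONSE", "PROGRAM", "SITUATION"],
}
DOMAINS = sorted({d for ds in FUNCTION_DOMAINS.values() for d in ds})


def function_view(domain_sp, target_sp):
    """Roll AESCSF domain scores (SP 1-3) up to NIST CSF functions.

    Returns {function: {"min", "mean", "gap", "weakest"}}; "gap" is the
    shortfall of the weakest contributing domain against target_sp, and
    "weakest" names the domains responsible for that shortfall."""
    missing = set(DOMAINS) - set(domain_sp)
    if missing:  # a partial assessment would silently understate gaps
        raise ValueError(f"no SP score for domains: {sorted(missing)}")
    for d, sp in domain_sp.items():
        if sp not in (1, 2, 3):
            raise ValueError(f"{d}: SP must be 1, 2 or 3, got {sp!r}")
    view = {}
    for func, domains in FUNCTION_DOMAINS.items():
        scores = {d: domain_sp[d] for d in domains}
        low = min(scores.values())
        view[func] = {
            "min": low,
            "mean": round(mean(scores.values()), 2),
            "gap": max(0, target_sp - low),
            "weakest": sorted(d for d, s in scores.items() if s == low),
        }
    return view


def prioritised_gaps(domain_sp, target_sp):
    """Functions below target, largest shortfall first, then alphabetically."""
    view = function_view(domain_sp, target_sp)
    gaps = [(f, v) for f, v in view.items() if v["gap"] > 0]
    return sorted(gaps, key=lambda fv: (-fv[1]["gap"], fv[0]))


# Constructed sample self-assessment result (not real sector data).
SAMPLE_SP = {
    "ASSET": 1, "THREAT": 2, "RISK": 1, "ACCESS": 3, "SITUATION": 2,
    "RESPONSE": 3, "THIRD-PARTIES": 2, "WORKFORCE": 2, "ARCHITECTURE": 3,
    "PROGRAM": 2,
}
```

With the sample scores and a target of SP 2, Govern, Identify and Protect are reported as gaps, each traced back to the low ASSET and RISK scores, while Detect, Respond and Recover meet the target.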
Conclusion
AESCSF v2, C2M2 v2.1, and NIST CSF v2.0 serve complementary purposes for Australian energy sector organisations. AESCSF provides the mandated compliance framework, built on C2M2's proven maturity model and adapted for Australian regulatory requirements. NIST CSF provides a communication layer and crosswalk to other frameworks. Understanding how these frameworks relate - their shared heritage, structural differences, and mapping relationships - enables organisations to implement effective cyber security programs that satisfy regulatory obligations while communicating effectively with diverse stakeholders. The key is using each framework for its strengths: AESCSF for compliance and assessment, C2M2 for implementation guidance, and NIST CSF for communication and integration with broader security programs.