Shortly before Thanksgiving, the U.S. Department of Energy (DOE)
issued a request for public comment on Version 2.0 of
its Cybersecurity Capability Maturity Model (C2M2), which DOE
released in July 2021 to help organizations of all sectors, types
and sizes "evaluate and improve their cybersecurity
capabilities, considering their specific risk environment,"
and to strengthen their operational resilience. C2M2 "is a
voluntary tool, tailored specifically for the energy industry, that
enables companies to set targets, evaluate and benchmark their
cybersecurity capabilities, and use the results to prioritize
actions and investments." It is "scalable for a company
of any size" and "designed to evaluate practice in both
the information technology (IT) and operational technology (OT)
environments." Comments on Version 2.0 and any additional
information commenters wish to provide are due by Monday, December
27, 2021.
DOE first developed C2M2 in 2012 in partnership with the U.S.
Department of Homeland Security and in collaboration with industry,
private-sector and public-sector experts.[1] Version 1.1
came in 2014, with separate versions targeted for the electricity
and oil and natural gas subsectors. Version 2.0 is "designed
for use across the energy sector, and can be used by other critical
infrastructure sectors as well." It includes "input from
the Energy Sector C2M2 Working Group, which comprises 145 energy
sector cybersecurity practitioners representing 77 energy sector
and cybersecurity organizations." According to DOE, it
"better addresses new technologies like cloud, mobile, and
artificial intelligence," as well as "evolving threats
such as ransomware and supply chain risks." Since July, DOE
has been piloting Version 2.0 with energy companies and utilities
and now seeks to "obtain the broadest possible input" to
"inform the C2M2 Working Group as it develops future model
updates." In particular, DOE seeks input on:
- "The usefulness of C2M2 practices in evaluating and improving cybersecurity program capabilities."
- "The applicability of practice language to the IT and OT environments in use by energy sector organizations."
- "The readability of and ability to understand practice language."
- "The completeness of cybersecurity domains, objectives, and practices [in] the C2M2."
- "The effectiveness of guidance documentation (e.g., model introduction sections, domain introductions, and appendices) in conveying model concepts, architecture, and how to use the model."
- "Any other potential improvements to the C2M2 documentation or practices contained therein."
Interested entities can submit comments to C2M2@hq.doe.gov
using the Comment Submission Form available here.
Footnote
[1] See https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2.