DOE first developed C2M2 in 2012 in partnership with the U.S. Department of Homeland Security and in collaboration with industry, private-sector and public-sector experts.1 Version 1.1 came in 2014, with separate versions targeted for the electricity and oil and natural gas subsectors. Version 2.0 is “designed for use across the energy sector, and can be used by other critical infrastructure sectors as well.” It includes “input from the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 energy sector and cybersecurity organizations.” According to DOE, it “better addresses new technologies like cloud, mobile, and artificial intelligence,” as well as “evolving threats such as ransomware and supply chain risks.” Since July, DOE has been piloting Version 2.0 with energy companies and utilities and now seeks to “obtain the broadest possible input” to “inform the C2M2 Working Group as it develops future model updates.” In particular, DOE seeks input on:
- “The usefulness of C2M2 practices in evaluating and improving cybersecurity program capabilities.”
- “The applicability of practice language to the IT and OT environments in use by energy sector organizations.”
- “The readability of and ability to understand practice language.”
- “The completeness of cybersecurity domains, objectives, and practices [in] the C2M2.”
- “The effectiveness of guidance documentation (e.g., model introduction sections, domain introductions, and appendices) in conveying model concepts, architecture, and how to use the model.”
- “Any other potential improvements to the C2M2 documentation or practices contained therein.”
Interested entities can submit comments to C2M2@hq.doe.gov using the Comment Submission Form available here.
1 See https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2.