C2M2 Model Update – Invitation to Participate
The C2M2 has become one of the most important tools for assessing the cybersecurity posture of organizations in the energy sector. During 2020, the C2M2 Program has been working with the energy sector to update and validate the C2M2 model, ensuring that it reflects an evolving threat landscape and the emerging security needs of energy companies. As part of this effort, the C2M2 Program has formed a C2M2 Working Group of industry partners comprising representatives of electricity, oil and gas companies, trade associations, and other cybersecurity experts—to inform technical reviews of the model and pilot the Version 2.0 draft before it is published. Before final publication, the Version 2.0 draft will be made available for public comment.
- Contact the C2M2 Team if you’d like to join the C2M2 Working Group or stay informed on the process. Any questions regarding update progress or the current model draft should be directed here.
- Share your feedback if you have performed a C2M2 evaluation.
The Cybersecurity Capability Maturity Model
The Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership effort that was established as a result of the Administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The C2M2 helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities.
The model focuses on the implementation and management of cybersecurity practices associated with the operation and use of information technology and operational technology assets and the environments in which they operate. The goal is to support ongoing development and measurement of cybersecurity capabilities within any organization by:
- Strengthening organizations’ cybersecurity capabilities;
- Enabling organizations to effectively and consistently evaluate and benchmark their cybersecurity capabilities;
- Sharing knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities;
- Enabling organizations to prioritize actions and investments to improve cybersecurity; and
- Supporting adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The C2M2 program is comprised of three cybersecurity capability maturity models:
- The Cybersecurity Capability Maturity Model (C2M2);
- The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2); and
- The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2).
CEDS Fact Sheets
CEDS 2016 Peer Review
CEDS 2014 Peer Review
CEDS 2012 Peer Review
CEDS 2010 Peer Review
Cybersecurity Procurement Language for Energy Delivery Systems (April 2014)
Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline
Roadmap to Achieve Energy Delivery Systems Cybersecurity
The Vulnerability Analysis of Energy Delivery Control Systems Report
Guidelines for Smart Grid Cyber Security (3.4 MB PDF)
A Guide to Developing a Cyber Security and Risk Mitigation Plan
Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity”
Use of the NIST Cybersecurity Framework & DOE C2M2
Cybersecurity Capability Maturity Model (C2M2) Program
Podcast - ES-C2M2
C2M2 Facilitator Guide
DHS Critical Infrastructure Cyber Community C³ Voluntary Program
Energy Sector Cybersecurity Framework Implementation Guidance (January 2015)