The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) was established as a result of the Administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the energy sector. The ONG-C2M2 includes the core C2M2 as well as additional reference material and implementation guidance specifically tailored for the oil and natural gas subsector. The ONG-C2M2 comprises a maturity model, an evaluation tool, and DOE- facilitated self-evaluations.
The ONG-C2M2 provides a mechanism that helps organizations evaluate, prioritize, and improve cybersecurity capabilities. The model is a common set of industry-vetted cybersecurity practices, grouped into ten domains and arranged according to maturity level. The ONG-C2M2 evaluation tool allows organizations to evaluate their cybersecurity practices against ONG-C2M2 cybersecurity practices. Based on this comparison, a score is assigned for each domain. Scores can then be compared with a desired score, as determined by the organization’s risk tolerance for each domain.
Facilitated self-evaluations provide organizations with an opportunity to conduct ONG-C2M2 evaluations with the aid of experienced facilitators in a one-day structured walk-through. Facilitators guide discussions, answer questions, and clarify model concepts to increase the accuracy of an evaluation.
The model is publicly available and can be used by any organization to enhance its cybersecurity capabilities. More information is available in the FAQs. For organizations performing self-assessments, a C2M2 Facilitators Guide and C2M2 toolkit are available.
The Energy Department continues to work with public and private partners to support adoption of the C2M2. If your organization has questions about the C2M2 model or toolkit, please contact the C2M2 team at ONG-C2M2@hq.doe.gov.
CEDS Fact Sheets
CEDS 2016 Peer Review
CEDS 2014 Peer Review
CEDS 2012 Peer Review
CEDS 2010 Peer Review
Cybersecurity Procurement Language for Energy Delivery Systems (April 2014)
Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline
Roadmap to Achieve Energy Delivery Systems Cybersecurity
The Vulnerability Analysis of Energy Delivery Control Systems Report
Guidelines for Smart Grid Cyber Security (3.4 MB PDF)
A Guide to Developing a Cyber Security and Risk Mitigation Plan
Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity”
Use of the NIST Cybersecurity Framework & DOE C2M2
Cybersecurity Capability Maturity Model (C2M2) Program
Podcast - ES-C2M2
C2M2 Facilitator Guide
DHS Critical Infrastructure Cyber Community C³ Voluntary Program
Energy Sector Cybersecurity Framework Implementation Guidance (January 2015)