Fowad Muneer
Acting Deputy Director, Risk Management Tools and Technologies
more by this author

Version 2.1 Validates Model Updates with Real-World Testing

The U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) today released Version 2.1 (V2.1) of the Cybersecurity Capability Maturity Model (C2M2), a tool designed to help companies evaluate their cybersecurity capabilities and optimize their security investments.

Though this is an iterative release, it marks the culmination of a multi-year effort by CESER and the energy industry to comprehensively review, validate, and substantively update the model from its last major release in 2014. Today’s release reflects important refinements to the model based on real-world testing and user feedback of Version 2.0, released in July 2021.

This refresh of the C2M2 included two phases that resulted in significant model updates to address maturing cybersecurity approaches, such as zero-trust principles; technology advancements, like cloud, mobile, quantum computing, and artificial intelligence; and evolving threats, such as ransomware and supply chain risks. In the first phase, CESER leveraged an industry working group to substantially update the model for the Version 2.0 release to address rapid changes in the energy sector technology and threat landscape over the last decade.

In the second phase, CESER solicited public comment, piloted the model with energy companies to validate the updates, and further refined model practices with the working group. Many long-time users of the C2M2 are anticipating the Version 2.1 release as an opportunity to refresh their self-evaluations using the updated model and accompanying tools.

An Update Co-Authored by Model Users

CESER led the revision of the model leveraging the guidance and feedback of the Energy Sector C2M2 Working Group, which included 145 cybersecurity experts representing 77 energy sector and cybersecurity organizations.

C2M2 update by the numbers graphic. This graphic outlines that 145 cybersecurity practitioners, 12 technical sweeps, 9 pilot evalations, and 100+ public comments all went into this C2M2 update

The Working Group met regularly over the past two years to identify and adjudicate model changes. Working Group members formed small teams to conduct a series of 12 technical sweeps, which involved deep-dive reviews of how emerging threats and information technology (IT)/operational technology (OT) were addressed in the model. CESER facilitated pilot C2M2 evaluations with nine Working Group member organizations, representing electricity, oil, and natural gas companies of varying sizes and ownership structures. Working Group members also reviewed and identified model changes based on pilot testing and public comment.

Extensive participation during this update from the electricity, oil, and natural gas subsectors continues the strong track record of industry support and ownership of the C2M2.

This is a transcription of a public comment from the Edison Electric Institute and American Gas Association.

Key Model Updates

While the overall structure of the model remains the same, Version 2.1 reflects several key updates since the last major release of Version 1.1 in 2014:

  • Revisions to two-thirds of model practices—including substantive changes and clarifications—along with additions, deletions, and combining of practices
  • Addition of a Cybersecurity Architecture domain focused on planning, designing, and managing the cybersecurity control environment
  • Significant updates to the Risk Management domain to incorporate leading risk management practices and enhance coordination between cyber and enterprise risk management
  • Refresh of the Dependencies domain, now called the Third-Party Risk Management domain, to ensure the model effectively addresses third-party IT and OT cybersecurity risks, like sensitive data in the cloud and vendors with privileged access, as well as build supply chain security into organizational culture
  • Integration of Information Sharing domain activities into the Threat and Vulnerability Management and Situational Awareness domains
  • Addition of help text for each practice to improve clarity and consistency in how practices are applied

Several key updates were made between Version 2.0 and the current Version 2.1 release based on real-world feedback:

  • Addition of practices to improve the comprehensiveness of cybersecurity activities addressed by the model
  • Addition of practices to form a closer alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • Reordering and revision of practices to improve practice progression across maturity indicator levels and within objective areas
  • Clarification of language and improved consistency of concepts across the model

Free Self-Evaluation Tools

Updated HTML-based and PDF-based tools are now available to assist companies in conducting C2M2 V2.1 self-evaluations. The tools enable users to evaluate their organization’s implementation of model practices, record responses, and produce a report that summarizes results in a variety of graphical visualizations. The report helps users to communicate results to executive decisionmakers, identify and prioritize cybersecurity improvements, and demonstrate growth in maturity over time.  

The tools include many usability improvements and feature updates requested by industry partners, including the option to pre-populate the tool with results from prior model versions—enabling users to focus in on practices that have changed between versions and easily transition to the Version 2.1 release.

When requesting the self-evaluation tools, users will also receive additional resources to support a self-evaluation, including tool user guides, a Self-Evaluation Guide, and presentation materials to support facilitation of self-evaluations.

Check Out the New Model, Tools, and Resources

Visit to download the C2M2. The self-evaluation tools are available via email request at Additionally, DOE can facilitate a free C2M2 self-evaluation for U.S. energy sector organizations upon request. Email us at for more information.