Fowad Muneer
Acting Deputy Director, Risk Management Tools and Technologies

U.S. energy companies have been using the Cybersecurity Capability Maturity Model (C2M2) to evaluate their cybersecurity capabilities and optimize their security investments for nearly a decade. During that time, the U.S. energy infrastructure has seen rapid changes in the technology and threat landscape. These changes prompted energy sector partners and the U.S. Department of Energy (DOE) to validate and update the C2M2.

Version 2.0: Updated by Model Users to Address Evolving Cyber Risks

On July 21, 2021, the U.S. Department of Energy released Version 2.0 of the C2M2, which better addresses new technologies like cloud, mobile, and artificial intelligence and evolving threats such as ransomware and supply chain risks. The update was guided by the Energy Sector C2M2 Working Group, which included 145 information technology (IT) and operational technology (OT) cybersecurity experts representing 77 energy sector and cybersecurity organizations.

The update process involved long-time users of the C2M2, along with substantial support from the trade associations representing the electricity and oil and natural gas subsectors. This high level of engagement helped to ensure the C2M2 is tailored to the sector’s needs and remains an effective tool for measuring and improving cybersecurity capabilities.

“The American Gas Association (AGA) and its member utilities have been actively engaged with DOE and the development of the oil and natural gas version of C2M2 since 2013,” said Jim Linn, Chief Information Officer at AGA. “Nearly 90% of the nation’s natural gas distribution operations have undergone the cybersecurity program maturity assessment. We are excited to introduce this updated version at our upcoming cybersecurity workshops.”

DOE originally developed the C2M2 with electricity industry partners in 2012, and later released a version targeted for the oil and natural gas subsector. Since its development, the C2M2 has been widely adopted as one of many tools energy providers use to improve cybersecurity capabilities and manage cyber risk. This Version 2.0 update drew upon expertise from the electricity, oil, and natural gas industries, and is designed for use across the energy sector as well as by other critical infrastructure sectors.

“The Edison Electric Institute (EEI) and its member companies commend DOE for publishing the second version of its C2M2,” said Kaitlin Brennan, Director of Cyber and Infrastructure Security at EEI. “The updates and improvements to the model represent significant collaborative efforts between industry and our government partners to address the challenges of an evolving threat landscape, and further strengthen our collective cybersecurity programs and operational resilience.”

Key Model Updates and New Self-Evaluation Tools

The Energy Sector C2M2 Working Group met monthly over the past year to identify and adjudicate model changes. Working Group members formed small teams to conduct a series of 12 technical sweeps, which involved deep-dive reviews of how emerging threats and IT/OT technologies were addressed in the model, and recommended changes to the model practices or supporting materials.

While the structure of the model remains the same, this review resulted in some key updates:

  • Revisions to two-thirds of model practices—including substantive changes and clarifications—along with additions, deletions, and combining of practices
  • Addition of a Cybersecurity Architecture domain focused on planning, designing, and managing the cybersecurity control environment
  • Significant updates to the Risk Management domain to incorporate leading risk management practices and enhance coordination between cyber and enterprise risk management
  • Refresh of the Dependencies domain, now called the Third-Party Risk Management domain, to ensure the model effectively addresses third-party IT and OT cybersecurity risks, such as sensitive data in the cloud and vendors with privileged access, and to build supply chain security into organizational culture
  • Integration of Information Sharing domain activities into the Threat and Vulnerability Management and Situational Awareness domains
  • Addition of help text for each practice to improve clarity and consistency in how practices are applied

In addition, new HTML-based and PDF-based tools are now available to assist energy companies as they conduct C2M2 V2.0 self-evaluations.

Version 2.0 Pilots and Next Steps

Nine energy companies are now pilot testing Version 2.0 of the C2M2. Any lessons learned from the pilots, together with other industry feedback, will be considered by the Energy Sector C2M2 Working Group and included in a Version 2.1 update, expected later this year.

Access C2M2 Version 2.0 to Conduct a Self-Evaluation

Visit energy.gov/C2M2 to download the C2M2. The self-evaluation tools are available via email request at C2M2@hq.doe.gov. Additionally, if requested, DOE can facilitate a free C2M2 evaluation for U.S. energy sector organizations. Email us at C2M2@hq.doe.gov for more information.