C2M2 Model v2.0 Update – Invitation to Participate

The C2M2 has become one of the most important tools for evaluating the cybersecurity posture of organizations in the energy sector. During 2020, the C2M2 Program has been working with the energy sector to update and validate the C2M2 model, ensuring that it reflects an evolving threat landscape and the emerging security needs of companies. As part of this effort, the C2M2 Program has formed a C2M2 Working Group of industry partners comprising representatives of electric utilities, oil and natural gas companies, trade associations, and other cybersecurity experts. The Working Group is conducting technical reviews of the model, and volunteers will pilot a draft of Version 2.0 before it is published. The Version 2.0 draft will also be available for public comment prior to final publication.

  • Contact the C2M2 Team if you’d like to join the C2M2 Working Group or stay informed on the process. Any questions regarding update progress or the current model draft should be directed here. 
  • Share your feedback if you have performed a C2M2 evaluation.


The Cybersecurity Capability Maturity Model

The Cybersecurity Capability Maturity Model (C2M2) is a U.S. Department of Energy (DOE) program that enables organizations to voluntarily measure the maturity of their cybersecurity capabilities in a consistent manner. No assessment data is collected by the Department.

The model is publicly available and can be downloaded now. An update to the model is currently under way. More information is available in the FAQs. For those organizations performing self-assessments, please refer to the C2M2 Facilitators Guide and request a free C2M2 toolkit by emailing C2M2@hq.doe.gov.

Electricity and Oil & Natural Gas (ONG) Versions

There are two sector-specific versions of the C2M2 model: the Electricity Subsector C2M2 (ES-C2M2) and the Oil and Natural Gas Subsector C2M2 (ONG-C2M2). Each version contains common C2M2 elements, as well as additional sector-specific reference materials and implementation guidance tailored to the operations of the electricity and oil and natural gas sectors.




The Energy Department continues to work with public and private partners to support adoption of the C2M2. If your organization has questions about the C2M2 model or toolkit, please contact the C2M2 team at C2M2@hq.doe.gov.


The C2M2 is a common set of industry-vetted cybersecurity practices, grouped into ten domains and arranged according to maturity level. The C2M2 evaluation tool allows organizations to evaluate their own cybersecurity practices against the practices in the model. Based on this comparison, a score is assigned for each domain. Each domain score can then be compared with a desired score, as determined by the organization’s risk tolerance for that domain.

Facilitated self-evaluations provide organizations with an opportunity to conduct C2M2 evaluations with the aid of experienced facilitators in a one-day structured walk-through. Facilitators guide discussions, answer questions, and clarify model concepts to increase the accuracy of an evaluation.

Supplemental Materials

C2M2 (PDF)



C2M2 Facilitator Guide (PDF)

Cybersecurity Procurement Language for Energy Delivery Systems (April 2014) (PDF)

DHS Critical Infrastructure Cyber Community C³ Voluntary Program

Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline

Energy Sector Cybersecurity Framework Implementation Guidance (January 2015) (PDF)

Guidelines for Smart Grid Cyber Security

NIST Framework

The Vulnerability Analysis of Energy Delivery Control Systems Report (PDF)

Use of the NIST Cybersecurity Framework & DOE C2M2 (PDF)