The Department of Energy (DoE) has released an updated version of its Cybersecurity Capability Maturity Model (C2M2) with updates to address the cybersecurity of critical infrastructure, DoE’s Cybersecurity, Energy Security, and Emergency Response (CESER) unit announced July 21.
The release of the updated model comes on the tail end of the DoE’s 100-day sprint to secure critical infrastructure from cyber threat actors. The DoE undertook the 100-day sprint with the help of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and focused on enhancing the cybersecurity and capabilities of electric industrial control systems (ICS).
“The Biden Administration is committed to securing our nation’s critical energy infrastructure from increasingly persistent and sophisticated cyber threats and attacks,” CESER’s Acting Principal Deputy Assistant Secretary Puesh Kumar said in the release.
“Through the release of C2M2 Version 2.0 and other activities under the 100-day ICS Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks,” Kumar added.
The C2M2 program is DoE’s version of a cybersecurity maturity program, similar to the Department of Defense’s Cybersecurity Maturation Model Certification (CMMC) program. The program was first released in 2012 and was previously updated in 2014 and 2019.
With input from 145 cybersecurity experts across 77 organizations in the energy sector, the update addresses emerging tech, including cloud, artificial intelligence, and mobile platforms, as well as new threats like ransomware and supply chain risks, according to the release.
C2M2 2.0 also includes updates like establishing a “Cybersecurity Architecture domain” and integrates information sharing into the Threat and Vulnerability Management and Situational Awareness portions of the program.
“C2M2 continues to be driven by public-private collaboration,” Fowad Muneer, Acting Deputy Assistant Secretary at CESER’s Cybersecurity for Energy Delivery Systems division, said. “Our electricity, oil, and natural gas industry partners played a critical role in jointly authoring the C2M2 to ensure that it is responsive to the current cyber risk landscape.”
The C2M2 resource is free to use and, unlike DoD’s CMMC, is voluntary.