U.S. Dept. of Energy Seeks Comment on Updated Cybersecurity Capability Maturity Model

Akin Gump Strauss Hauer & Feld LLP

Shortly before Thanksgiving, the U.S. Department of Energy (DOE) issued a request for public comment on Version 2.0 of its Cybersecurity Capability Maturity Model (C2M2), which DOE released in July 2021 to help organizations of all sectors, types and sizes to “evaluate and improve their cybersecurity capabilities, considering their specific risk environment,” and to strengthen their operational resilience. C2M2 “is a voluntary tool, tailored specifically for the energy industry, that enables companies to set targets, evaluate and benchmark their cybersecurity capabilities, and use the results to prioritize actions and investments.” It is “scalable for a company of any size” and “designed to evaluate practice in both the information technology (IT) and operational technology (OT) environments.” Comments on Version 2.0 and any additional information commenters wish to provide are due by Monday, December 27, 2021.

DOE first developed C2M2 in 2012 in partnership with the U.S. Department of Homeland Security and in collaboration with industry, private-sector and public-sector experts.1 Version 1.1 came in 2014, with separate versions targeted for the electricity and oil and natural gas subsectors. Version 2.0 is “designed for use across the energy sector, and can be used by other critical infrastructure sectors as well.” It includes “input from the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 energy sector and cybersecurity organizations.” According to DOE, it “better addresses new technologies like cloud, mobile, and artificial intelligence,” as well as “evolving threats such as ransomware and supply chain risks.” Since July, DOE has been piloting Version 2.0 with energy companies and utilities and now seeks to “obtain the broadest possible input” to “inform the C2M2 Working Group as it develops future model updates.” In particular, DOE seeks input on:

  • “The usefulness of C2M2 practices in evaluating and improving cybersecurity program capabilities.”
  • “The applicability of practice language to the IT and OT environments in use by energy sector organizations.”
  • “The readability of and ability to understand practice language.”
  • “The completeness of cybersecurity domains, objectives, and practices [in] the C2M2.”
  • “The effectiveness of guidance documentation (e.g., model introduction sections, domain introductions, and appendices) in conveying model concepts, architecture, and how to use the model.”
  • “Any other potential improvements to the C2M2 documentation or practices contained therein.”

Interested entities can submit comments to C2M2@hq.doe.gov using the Comment Submission Form available here.

1 See https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising