Shortly before Thanksgiving, the U.S. Department of Energy (DOE) issued a request for public comment on Version 2.0 of its Cybersecurity Capability Maturity Model (C2M2), which DOE released in July 2021 to help organizations of all sectors, types and sizes to “evaluate and improve their cybersecurity capabilities, considering their specific risk environment,” and to strengthen their operational resilience. C2M2 “is a voluntary tool, tailored specifically for the energy industry, that enables companies to set targets, evaluate and benchmark their cybersecurity capabilities, and use the results to prioritize actions and investments.” It is “scalable for a company of any size” and “designed to evaluate practice in both the information technology (IT) and operational technology (OT) environments.” Comments on Version 2.0 and any additional information commenters wish to provide are due by Monday, December 27, 2021.

DOE first developed C2M2 in 2012 in partnership with the U.S. Department of Homeland Security and in collaboration with industry, private-sector and public-sector experts.1 Version 1.1 came in 2014, with separate versions targeted for the electricity and oil and natural gas subsectors. Version 2.0 is “designed for use across the energy sector, and can be used by other critical infrastructure sectors as well.” It includes “input from the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 energy sector and cybersecurity organizations.” According to DOE, it “better addresses new technologies like cloud, mobile, and artificial intelligence,” as well as “evolving threats such as ransomware and supply chain risks.” Since July, DOE has been piloting Version 2.0 with energy companies and utilities and now seeks to “obtain the broadest possible input” to “inform the C2M2 Working Group as it develops future model updates.” In particular, DOE seeks input on:

  • “The usefulness of C2M2 practices in evaluating and improving cybersecurity program capabilities.”
  • “The applicability of practice language to the IT and OT environments in use by energy sector organizations.”
  • “The readability of and ability to understand practice language.”
  • “The completeness of cybersecurity domains, objectives, and practices [in] the C2M2.”
  • “The effectiveness of guidance documentation (e.g., model introduction sections, domain introductions, and appendices) in conveying model concepts, architecture, and how to use the model.”
  • “Any other potential improvements to the C2M2 documentation or practices contained therein.”