The U.S. Department of Energy (DOE) released version 2.0 (v2.0) of the Cybersecurity Capability Maturity Model (C2M2) to meet cyber threat challenges in critical energy infrastructure. A free and voluntary resource, the C2M2 tool is designed to help companies of all types and sizes evaluate and improve their cybersecurity programs and strengthen their operational resilience.
The C2M2 updates advance the U.S. administration’s 100-day plan to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security, according to a DOE statement. The updated model reflects inputs from 145 cybersecurity experts representing 77 energy sector organizations.
The C2M2 v2.0 model establishes a cybersecurity architecture domain, enhances cybersecurity practices across the model, and delivers significant changes to the risk management and third-party risk management domains. It also integrates information sharing activities into the threat and vulnerability management and situational awareness domains.
C2M2 v2.0 also adds a physical access objective to the Identity and Access Management (IAM) domain, streamlines cybersecurity management practices, and increases the usage of common language throughout the model.
The updates address new technologies like cloud, mobile, and artificial intelligence, and evolving threats such as ransomware and supply chain risks, and support companies in strengthening their operational resilience, the statement added.
Initially released in 2012, the C2M2 model was designed to help energy sector organizations understand cyber risks to their IT and operational technology (OT) systems and measure the maturity of their cybersecurity capabilities. Minor updates were released in 2014, including ES-C2M2 version 1.1, the Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) version 1.1, and the Cybersecurity Capability Maturity Model (C2M2) version 1.1.
The DOE has responded to more than 2,200 requests for the C2M2 tool. C2M2 has been broadly adopted by organizations across the nation, including owners and operators across all critical infrastructure sectors. The number of C2M2 tool requests suggests increasing interest in measuring and improving cybersecurity capabilities. Apart from domestic users, international partners are also adopting the C2M2 model. Over 650 of the total requests for the C2M2 tool have been made by international entities.
“The Biden Administration is committed to securing our nation’s critical energy infrastructure from increasingly persistent and sophisticated cyber threats and attacks,” Puesh Kumar, acting principal deputy assistant secretary for DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), said in the statement. “Through the release of C2M2 Version 2.0 and other activities under the 100-day ICS Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks.”