On July 21, 2021, the Department of Energy (DOE) released Version 2 (V2.0) of its Cybersecurity Capability Maturity Model (C2M2) in an effort to address emerging technologies and the constantly evolving cyber threat landscape. This update was guided by a government and industry working group, with representatives from the electric, oil and natural gas sectors.

An organization can use C2M2 V2.0 to conduct an internally managed assessment of its cybersecurity maturity, or DOE can facilitate such an assessment for free. The assessment comprises domains, objectives, practices and maturity indicator levels, which help an organization determine which of three maturity levels it aligns with, as highlighted below:

  • Level 1 – Initiated
    • Initial practices are performed, but they may be ad hoc
  • Level 2 – Performed
    • Practices are documented and are more complete/advanced than Level 1
    • Adequate resources exist
  • Level 3 – Managed
    • Practices are more complete/advanced than Level 2
    • Activities are guided by policy
    • Personnel have the needed skills and knowledge
    • Effectiveness is tracked and evaluated

The DOE press release and information for accessing C2M2 V2.0 are available here.

For more information, or to obtain assistance in understanding how DOE’s C2M2 V2.0 can be useful to your organization, please contact Kristen Connolly McCullough, Barry Lawson, or Ellen Hill.