Request for Information on DOE's Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (July 2021)

Issuing agencies

Abstract

In July 2021, the Department of Energy (DOE) released Version 2.0 of the Cybersecurity Capability Maturity Model (C2M2), a tool that helps organizations evaluate and improve their cybersecurity capabilities, considering their specific risk environment. The update was guided by input from the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 energy sector and cybersecurity organizations. Version 2.0 updates the model from Version 1.1, released in 2014, and includes a variety of updates to the model domains and practices to better address emerging technologies and the evolving cyber threat landscape. Since the release in July, DOE has piloted the updated model with energy companies and utilities. To obtain the broadest possible input, DOE seeks public comment on the C2M2 to inform the C2M2 Working Group as it develops future model updates.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 224 (Wednesday, November 24, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 224 (Wednesday, November 24, 2021)]
[Notices]
[Pages 67038-67039]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-25669]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Request for Information on DOE's Cybersecurity Capability 
Maturity Model (C2M2) Version 2.0 (July 2021)

AGENCY: Office of Cybersecurity, Energy Security, and Emergency 
Response; Department of Energy.

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: In July 2021, the Department of Energy (DOE) released Version 
2.0 of the Cybersecurity Capability Maturity Model (C2M2), a tool that 
helps organizations evaluate and improve their cybersecurity 
capabilities, considering their specific risk environment. The update 
was guided by input from the Energy Sector C2M2 Working Group, which 
comprises 145 energy sector cybersecurity practitioners representing 77 
energy sector and cybersecurity organizations. Version 2.0 updates the 
model from Version 1.1,

[[Page 67039]]

released in 2014, and includes a variety of updates to the model 
domains and practices to better address emerging technologies and the 
evolving cyber threat landscape. Since the release in July, DOE has 
piloted the updated model with energy companies and utilities. To 
obtain the broadest possible input, DOE seeks public comment on the 
C2M2 to inform the C2M2 Working Group as it develops future model 
updates.

DATES: Comments and information must be received on or before December 
27, 2021.

ADDRESSES: To access and review the Cybersecurity Capability Maturity 
Model (C2M2), visit <a href="http://www.energy.gov/c2m2">www.energy.gov/c2m2</a>.
    Comments should be submitted by email to <a href="/cdn-cgi/l/email-protection#094a3b443b496178276d666c276e667f"><span class="__cf_email__" data-cfemail="fcbfceb1cebc948dd2989399d29b938a">[email&#160;protected]</span></a> using the 
Comment Submission Form available here: <a href="https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx">https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx</a>. Use 
the email subject line: ``C2M2 Public Comment from [name/
organization].''
    Although DOE has routinely accepted public comment submissions 
through a variety of mechanisms, including postal mail and hand 
delivery/courier, the Department has found it necessary to make 
temporary modifications to the comment submission process in light of 
the ongoing coronavirus 2019 (``COVID-19'') pandemic. DOE is currently 
suspending receipt of public comments via postal mail and hand 
delivery/courier. If a commenter finds that this change poses an undue 
hardship, please contact CESER staff at (202) 586-3057 to discuss the 
need for alternative arrangements. Once the COVID-19 pandemic health 
emergency is resolved, DOE anticipates resuming all of its regular 
options for public comment submission, including postal mail and hand 
delivery/courier.

FOR FURTHER INFORMATION CONTACT: Mr. Fowad Muneer, Acting Deputy 
Assistant Secretary for the Cybersecurity for Energy Delivery Systems 
Division, U.S. Department of Energy, Office of Cybersecurity, Energy 
Security, and Emergency Response. Tel.: (202) 586-5961. Email: 
<a href="/cdn-cgi/l/email-protection#ddbbb2aabcb9f3b0a8b3b8b8af9db5acf3b9b2b8f3bab2ab"><span class="__cf_email__" data-cfemail="aec8c1d9cfca80c3dbc0cbcbdceec6df80cac1cb80c9c1d8">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: The C2M2 helps organizations evaluate and 
improve their cybersecurity capabilities, considering their specific 
risk environment. The model is a voluntary tool, tailored specifically 
for the energy industry, that enables companies to set targets, 
evaluate and benchmark their cybersecurity capabilities, and use the 
results to prioritize actions and investments. It is scalable for a 
company of any size, and is designed to evaluate practice in both the 
information technology (IT) and operational technology (OT) 
environments.
    DOE originally developed the C2M2 with input from energy industry 
partners in 2012, and released an updated Version 1.1 in 2014, with 
separate versions targeted for the electricity and oil and natural gas 
subsectors. Version 2.0, released July 2021, is designed for use across 
the energy sector, and can be used by other critical infrastructure 
sectors as well.
    The Version 2.0 update was guided by input from the Energy Sector 
C2M2 Working Group, which DOE formed with the Electricity and Oil & 
National Gas Subsector Coordinating Councils. The update better 
addresses new technologies like cloud, mobile, and artificial 
intelligence, and evolving threats such as ransomware and supply chain 
risks.
    While the structure of the model remains the same, this update 
resulted in some key changes:

<bullet> Revisions to two-thirds of model practices--including 
substantive changes and clarifications--along with additions, 
deletions, and combining of practices
<bullet> Addition of a Cybersecurity Architecture domain focused on 
planning, designing, and managing the cybersecurity control environment
<bullet> Significant updates to the Risk Management domain to 
incorporate leading risk management practices and enhance coordination 
between cyber and enterprise risk management
<bullet> Refresh of the Dependencies domain, now called the Third-Party 
Risk Management domain, to ensure the model effectively addresses 
third-party IT and OT cybersecurity risks, like sensitive data in the 
cloud and vendors with privileged access, as well as build supply chain 
security into organizational culture
<bullet> Integration of Information Sharing domain activities into the 
Threat and Vulnerability Management and Situational Awareness domains
<bullet> Addition of help text for each practice to improve clarity and 
consistency in how practices are applied

    DOE requests public comment on the C2M2 to inform the C2M2 Working 
Group as it develops future model updates. Specifically, DOE seeks 
input on the following items:

<bullet> The usefulness of C2M2 practices in evaluating and improving 
cybersecurity program capabilities
<bullet> The applicability of practice language to the IT and OT 
environments in use by energy sector organizations
<bullet> The readability of and ability to understand practice language
<bullet> The completeness of cybersecurity domains, objectives, and 
practices included within the C2M2
<bullet> The effectiveness of guidance documentation (e.g., model 
introduction sections, domain introductions, and appendices) in 
conveying model concepts, architecture, and how to use the model
<bullet> Any other potential improvements to the C2M2 documentation or 
practices contained therein

    For more information on the C2M2, or to review the model document, 
visit <a href="http://www.energy.gov/c2m2">www.energy.gov/c2m2</a>.
    Confidential Business Information: Pursuant to 10 CFR 1004.11, any 
person submitting information that he or she believes to be 
confidential and exempt by law from public disclosure should submit via 
email two well-marked copies: One copy of the document marked 
``confidential'' including all the information believed to be 
confidential, and one copy of the document marked ``non-confidential'' 
with the information believed to be confidential deleted. DOE will make 
its own determination about the confidential status of the information 
and treat it according to its determination.

Signing Authority

    This document of the Department of Energy was signed on November 
18, 2021, by Fowad Muneer, Acting Deputy Assistant Secretary for the 
Cybersecurity for Energy Delivery Systems Division, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on November 19, 2021.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2021-25669 Filed 11-23-21; 8:45 am]
BILLING CODE 6450-01-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>