Notice 2021-28148

Request for Information: DOE's Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (July 2021); Extension

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
December 27, 2021

Issuing agencies

Energy Department

Abstract

The U.S. Department of Energy (DOE) is extending the public comment period for its Request for Information (RFI) regarding the Cybersecurity Capability Maturity Model (C2M2). DOE published the RFI in the Federal Register on November 24, 2021, establishing a 30-day public comment period that ends December 27, 2021. DOE is extending the public comment period for 45 days to February 10, 2022.

Full Text

<html>
<head>
<title>Federal Register, Volume 86 Issue 245 (Monday, December 27, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 245 (Monday, December 27, 2021)]
[Notices]
[Pages 73267-73268]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-28148]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Request for Information: DOE's Cybersecurity Capability Maturity 
Model (C2M2) Version 2.0 (July 2021); Extension

AGENCY: Office of Cybersecurity, Energy Security, and Emergency 
Response; Department of Energy.

ACTION: Extension of public comment period.

-----------------------------------------------------------------------

SUMMARY: The U.S. Department of Energy (DOE) is extending the public 
comment period for its Request for Information (RFI) regarding the 
Cybersecurity Capability Maturity Model (C2M2). DOE published the RFI 
in the Federal Register on November 24, 2021, establishing a 30-day 
public comment period that ends December 27, 2021. DOE is extending the 
public comment period for 45 days to February 10, 2022.

DATES: The comment period for the RFI published on November 24, 2021 
(86 FR 67038) is extended. DOE will accept responses regarding this RFI 
received no later than February 10, 2022.

ADDRESSES: To access and review the Cybersecurity Capability Maturity 
Model (C2M2), visit <a href="http://www.energy.gov/c2m2">www.energy.gov/c2m2</a>.
    Comments should be submitted by email to [email&#160;protected] using the 
Comment Submission Form available here: <a href="https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx">https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx</a>. Use 
the email subject line: ``C2M2 Public Comment from [name/
organization].''
    Although DOE has routinely accepted public comment submissions 
through a variety of mechanisms, including postal mail and hand 
delivery/courier, the Department has found it necessary to make 
temporary modifications to the comment submission process in light of 
the ongoing coronavirus 2019 (``COVID-19'') pandemic. DOE is currently 
suspending receipt of public comments via postal mail and hand 
delivery/courier. If a commenter finds that this 
change poses an undue hardship, please contact CESER staff at (202) 
586-3057 to discuss the need for alternative arrangements. Once the 
COVID-19 pandemic health emergency is resolved, DOE anticipates 
resuming all of its regular options for public comment submission, 
including postal mail and hand delivery/courier.

FOR FURTHER INFORMATION CONTACT: Mr. Fowad Muneer, Acting Deputy 
Assistant Secretary for the Cybersecurity for Energy Delivery Systems 
Division, U.S. Department of Energy, Office of Cybersecurity, Energy 
Security, and Emergency Response. Tel.: (202) 586-5961. Email: 
[email&#160;protected].

SUPPLEMENTARY INFORMATION: On November 24, 2021, DOE published a notice 
of RFI to solicit public comment on Version 2.0 of the C2M2, a tool 
that helps organizations evaluate and improve their cybersecurity 
capabilities, considering their specific risk environment. DOE released 
Version 2.0 in July 2021, and the update was guided by input from the 
Energy Sector C2M2 Working Group, which comprises 145 energy sector 
cybersecurity practitioners representing 77 energy sector and 
cybersecurity organizations. Version 2.0 updates the model from Version 
1.1, released in 2014, and includes a variety of updates to the model 
domains and practices to better address emerging technologies and the 
evolving cyber threat landscape.
    To obtain the broadest possible input, DOE seeks public comment on 
the C2M2 to inform the C2M2 Working Group as it develops future model 
updates. DOE believes it is appropriate to extend the public comment 
period to allow additional time for interested parties to submit 
comments. Therefore, DOE is extending the deadline for response until 
February 10, 2022, to provide interested parties additional time to 
prepare and submit responses.
    Specifically, DOE seeks input on the following items:
    * The usefulness of C2M2 practices in evaluating and 
improving cybersecurity program capabilities.
    * The applicability of practice language to the IT and OT 
environments in use by energy sector organizations.
    * The readability of and ability to understand practice 
language.
    * The completeness of cybersecurity domains, objectives, and 
practices included within the C2M2.
    * The effectiveness of guidance documentation (e.g., model 
introduction sections, domain introductions, and appendices) in 
conveying model concepts, architecture, and how to use the model.
    * Any other potential improvements to the C2M2 documentation 
or practices contained therein.
    For more information on the C2M2, or to review the model document, 
visit <a href="http://www.energy.gov/c2m2">www.energy.gov/c2m2</a>.
    Confidential Business Information: Pursuant to 10 CFR 1004.11, any 
person submitting information that he or she believes to be 
confidential and exempt by law from public disclosure should submit via 
email two well-marked copies: One copy of the document marked 
``confidential'' including all the information believed to be 
confidential, and one copy of the document marked ``non-confidential'' 
with the information believed to be confidential deleted. DOE will make 
its own determination about the confidential status of the information 
and treat it according to its determination.

Signing Authority

    This document of the Department of Energy was signed on December 
21, 2021, by Fowad Muneer, Acting Deputy Assistant Secretary for the 
Cybersecurity for Energy Delivery Systems Division, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on December 22, 2021.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2021-28148 Filed 12-23-21; 8:45 am]
BILLING CODE 6450-01-P


</pre></body>
</html>
Indexed from Federal Register on December 27, 2021.
