The Department of Energy (DoE) upgraded its Cybersecurity Capability Maturity Model (C2M2) to help measure how effectively organizations protect themselves from cyber threats.
C2M2 will focus on implementing cybersecurity practices across organizations, as well as managing those practices. The cybersecurity practices from C2M2 will be associated with information, IT, and operations technology.
The updated model will be used to:
- Strengthen cybersecurity;
- Allow for consistent evaluation and benchmarking of cybersecurity capabilities;
- Allow agencies to engage in information and best practice sharing to improve cybersecurity; and
- Enable prioritization of different actions and investments for cybersecurity improvement across agencies.
“Cyber threats continue to grow, and they represent one of the most serious operational risks facing modern organizations,” DoE wrote. “The [C2M2] can help organizations of all sectors, types, and sizes to evaluate and make improvements to their cybersecurity programs and strengthen their operational resilience.”
The first version of C2M2 was released in 2012 and received an update in 2014. That first version used the National Infrastructure Protection Plan framework as a public-private partnership mechanism to develop the model. This second version builds upon the existing framework and leverages existing best practices to adjust to new technologies, practices, and environmental practices.
“Since C2M2 was last updated, new cybersecurity standards and frameworks have been developed, existing standards have improved, and technology has evolved,” DoE wrote. It also cited the energy supply becoming an increasingly popular target for malicious cyber actors as a significant reason for the update.