[Federal Register Volume 84, Number 157 (Wednesday, August 14, 2019)]
[Notices]
[Pages 40399-40400]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-17446]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Request for Comment on the DOE Cybersecurity Capability Maturity 
Model Version 2.0

AGENCY: Office of Cybersecurity, Energy Security, and Emergency 
Response; Department of Energy.

ACTION: Notice of availability; request for comment.

-----------------------------------------------------------------------

SUMMARY: Through this notice, the Department of Energy (DOE) seeks 
comments and information from the public on enhancements to the 
Cybersecurity Capability Maturity Model (C2M2) Version 2.0. C2M2 
Version 2.0 incorporates enhancements to align model domains and 
functional questions with internationally recognized cyber standards 
and best practices, including the NIST Cybersecurity Framework Version 
1.1 released in April 2018. Since C2M2's last update, new cybersecurity 
standards have been developed and existing standards have improved. 
Both technology and threat actors have become more sophisticated, 
creating new attack vectors and introducing new risks. DOE intends to 
address these challenges in Version 2.0 of C2M2.

DATES: Comments and information are requested by September 13, 2019.

ADDRESSES: Copies of the draft maturity model are available for public 
inspection at the U.S. Department of Energy, Forrestal Building, 1000 
Independence Avenue SW, Washington, DC 20585-0121. Public inspection 
can be conducted between 9:00 a.m. and 4:00 p.m., Monday through 
Friday, except Federal holidays. These documents can also be accessed 
online at http://www.energy.gov/ceser/downloads/public-comment-draft-c2m2-v2.

FOR FURTHER INFORMATION CONTACT: Mr. Timothy Kocher, Special Advisor, 
U.S. Department of Energy, Office of Cybersecurity, Energy Security, 
and Emergency Response, Forrestal Building, 1000 Independence Avenue 
SW, Washington, DC 20585-0121. Tel.: (202) 586-5281. Email: 
[email protected].

SUPPLEMENTARY INFORMATION: C2M2 Version 2.0 leverages and builds upon 
existing efforts, models, and cybersecurity best practices to advance 
the model by adjusting to new technologies, practices, and 
environmental factors. The initiative also accounts for the strategic 
guidance of E.O. 13800, Strengthening the Cybersecurity of Federal 
Networks and Critical Infrastructure, and E.O. 13636, Improving 
Critical Infrastructure Cybersecurity, aiming to strengthen and improve 
the nation's cyber posture and capabilities and to reinforce systematic 
security and resilience. As industry's use of networked technologies 
has grown, malicious actors have increasingly targeted the safe and 
reliable supply of energy. These challenges, along with the evolution 
of cyber practices, necessitated the C2M2 Version 2.0 update.
    A maturity model is a set of characteristics, attributes, 
indicators, or patterns that represent capability and progression in a 
particular discipline. Model content typically exemplifies best 
practices and may incorporate standards or other codes of practice of 
the discipline.
    A maturity model thus provides a benchmark against which an 
organization can evaluate the current level of capability of its 
practices, processes, and methods and set goals and priorities for 
improvement. Also, when a model is widely used in a particular industry 
(and assessment results are shared), organizations can benchmark their 
performance against other organizations. An industry can determine how 
well it is performing overall by examining the capability of its member 
organizations.
    The C2M2 is meant to be used by an organization to evaluate its 
cybersecurity capabilities consistently, to communicate its capability 
levels in meaningful terms, and to inform the prioritization of its 
cybersecurity investments. An organization performs an evaluation 
against the model, uses that evaluation to identify gaps in capability, 
prioritizes those gaps and develops plans to address them, and finally 
implements plans to address the gaps. As plans are implemented, 
business objectives change, and the risk environment evolves, the 
process is repeated.
    To measure progression, maturity models typically have "levels" 
along a scale. C2M2 uses a scale of maturity indicator levels (MILs) 
0-3, which are described in Section 4.2. A set of attributes defines 
each level. If an organization demonstrates these attributes, it has 
achieved both that level and the capabilities that the level 
represents. Having measurable transition states between the levels 
enables an organization to use the scale to:

- Define its current state
- Determine its future, more mature state
- Identify the capabilities it must attain to reach that future 
state

    The model arises from a combination of existing cybersecurity 
standards, frameworks, programs, and initiatives. The model provides 
flexible guidance to help organizations develop and improve their 
cybersecurity capabilities. As a result, the model practices tend to be 
at a high level of abstraction, so that they can be interpreted for 
organizations of various structures and sizes.
    The model is organized into 10 domains. Each domain is a logical 
grouping of cybersecurity practices. The practices within a domain are 
grouped by objective (target achievements that support the domain). 
Within each objective, the practices are ordered by MIL.
    The C2M2 Version 2.0 initiative leverages and builds upon existing 
efforts, models, and cybersecurity best practices to advance the model 
by adjusting to new technologies, practices, and environmental factors 
that have occurred since the Version 1.1 release.

Advances From C2M2 Version 1.1 to Version 2.0

    The C2M2 Version 2.0 was necessitated by advancements in 
technologies, practices, and frameworks to protect critical 
infrastructure against cyber intrusions. A comprehensive review of all 
domains and MILs conducted by teams of industry experts ensured C2M2 
Version 1.1 user concerns were addressed and revisions to domains and 
MILs were achieved in accordance with user feedback. C2M2 Version 2.0 
builds upon initial development activities and was further developed 
through the following approach:
    Public-private partnership: Numerous government, industry, and 
academic organizations participated in the development of this model, 
bringing a broad range of knowledge, skills, and experience to the 
team. The model was developed collaboratively with an industry advisory 
group through a series of working sessions, and it was revised based on 
feedback from more than 60 industry experts with extensive experience 
using Version 1.1.
    Best practices and sector alignment: The model builds upon and ties 
together a number of existing cybersecurity resources and initiatives 
and was informed by a review of cyber threats to the energy sector. 
Leveraging related works shortened the development schedule and helped 
to ensure that the model would be relevant and beneficial to the 
sector.
    Descriptive, not prescriptive: This model was developed to provide 
descriptive, not prescriptive, guidance to help organizations develop 
and improve their cybersecurity capabilities. As a result, the model 
practices tend to be abstract so that they can be interpreted for 
entities of various structures, functions, and sizes.
    Fast-paced development: The development effort focused on quickly 
developing a model that would provide value to the energy sector and be 
available as soon as possible. The sector has widely adopted the model 
and provided valuable feedback for improvements.
    The model has also been enhanced to account for updates made to the 
NIST Cybersecurity Framework. In addition to aligning with the NIST 
Framework and accounting for Version 1.1 comments, the Version 2.0 
updates include the following:

- Establishing a Cybersecurity Architecture domain
- Separating the MILs from the Information Sharing and 
Communications domain to include sharing practices in the Threat and 
Vulnerability Management and Situational Awareness domains
- Moving the Continuity of Operations MILs from the Incident 
and Event Response domain to the Cybersecurity Program Management 
domain to account for continuity activities beyond response events
- Increasing the use of common language throughout the model

    A mapping of C2M2 Version 1.1 to Version 2.0 will be included in 
Appendix B of the final document so that existing users can understand 
how their historical evaluation scores relate to the revised model and 
continue the maturation process under the changes to the model.

    Signed in Washington, DC, on August 7, 2019.
Timothy Kocher,
Special Advisor, Office of Cybersecurity, Energy Security, & Emergency 
Response, U.S. Department of Energy.
[FR Doc. 2019-17446 Filed 8-13-19; 8:45 am]
 BILLING CODE 6450-01-P