The Department of Energy has launched the latest version of its Cybersecurity Capability Maturity Model, a tool meant to help companies assess their cyber capabilities, to reflect key changes to the model based on user feedback and testing.
The Office of Cybersecurity, Energy Security and Emergency Response (CESER) at DOE led the update to C2M2 using feedback from a working group composed of 145 cybersecurity professionals from 77 organizations in the energy sector, the department said Thursday.
Members of the working group created small teams to carry out a dozen technical sweeps to assess how the model addresses information and operational technology and emerging threats. To test the model, CESER facilitated nine pilot assessments performed by oil, electricity and natural gas organizations.
C2M2 Version 2.1 introduces several modifications, among them a new cybersecurity architecture domain focused on designing, planning and overseeing the cybersecurity control environment, and the incorporation of information sharing domain activities into the situational awareness and the threat and vulnerability management domains.
The C2M2 refresh included two phases that led to updates to the model to address zero trust and other cyber approaches; ransomware, supply chain risks and other threats; and tech advancements such as artificial intelligence, quantum computing and cloud.
The updated model comes with free PDF- and HTML-based tools meant to help organizations conduct self-evaluation.