This article was co-authored by summer associate Emily Strickland.

A recent upsurge of high-profile cyber intrusions including those on the Colonial Pipeline, SolarWinds, and the Florida water supply highlight the pervasiveness of cyber threats and as U.S. Secretary of Energy Jennifer Granholm warned, in testimony before the Senate Committee on Armed Services, are a “stark reminder of the imperative to harden the nation’s critical infrastructure[.]”

To respond to the persistent and rapidly evolving threat landscape, the Department of Energy (DOE) has updated its Cybersecurity Capability Maturity Model (C2M2) tool (Version 2.0). Originally released in 2012, C2M2 has allowed critical infrastructure firms to consider the relative maturity of their cybersecurity across information technology (IT) and operational technology (OT) systems. C2M2 is the result of efforts to combine inputs from the private and public sector into a free and voluntary resource—providing key indicators to evaluate cybersecurity practices and processes, set goals, and identify capabilities necessary to achieve them.

C2M2 functions as a model-based evaluation wholly distinct from an audit, controls assessment, or a penetration test. Its model spans ten different domains—including Threat and Vulnerability Management (THREAT), Situational Awareness (SITUATION), and Cybersecurity Program Management (PROGRAM)—each representing a set of commonly adopted practices. This self-evaluation is intended to “generate dialogue . . . and help the stakeholders understand the maturity of cybersecurity capabilities.”

“Version 2.0”

DOE introduced Version 2.0 on July 21 in an effort to better align the tool with White House guidance, address new technology areas such as cloud and artificial intelligence, and improve resilience against supply chain and ransomware threats. Among the updates are:

  • Establishing a Cybersecurity Architecture domain (ARCHITECTURE) allowing firms to benchmark measures to protect networks and data.
  • Revisions to the Risk Management domain (RISK) to shift focus away from strategy and program management to more practical categories such as identification, analysis, and risk response.
  • Revisions to the Third-Party Risk Management domain (THIRD-PARTIES) to better manage third parties in protecting critical infrastructure.
  • Integration of information sharing into the Threat and Vulnerability Management (THREAT) and  Situational Awareness domains (SITUATION).
  • Addition of physical access guidance to the Identity and Access Management domain (ACCESS).
  • Updates to the Event and Incident Response, Continuity of Operations domain (RESPONSE), including backup testing.

Implications for Industry

Currently C2M2 is “descriptive, not prescriptive,” leaving it up to individual companies to self-assess and implement proposed changes. Changes that may be recommended can range from relatively inexpensive measures (e.g., physical access credentialing, password strength requirements) to larger-scale digital transformation.

While DOE’s C2M2 remains a voluntary tool, compliance with other agency models such as the Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC) may be enforced via contractual requirements. Given the Biden Administration’s continued push for cybersecurity, adopting the commonly accepted cybersecurity benchmarks described in C2MC could become a valuable reference point for firms competing for government contracts or managing critical infrastructure. Today’s commonly accepted practices could potentially transition into tomorrow’s requirements. That is equally true in ex-post assessments of the measures in place where a company has been breached. Litigants will frequently look to potentially relevant government standards in an effort to support arguments about adequate security measures and duties of care for officers and directors in adhering to them.

Updates to the C2M2 model highlight the need to continuously review the state of cybersecurity protection—particularly in sectors such as critical infrastructure. Some reports have not only highlighted the risks associated with insufficient or aging cybersecurity protections in the energy sector, but also the potential advantages of a digital transformation such as identifying opportunities for process optimization. Vulnerability to cyber threats can also yield considerable, broader economic losses, as experienced during the Colonial Pipeline outage. Thus, accounting for and disclosing current practices, and taking the steps to modernize OT and IT security are important business issues, irrespective of legal obligations. The C2M2 is another resource for critical infrastructure owners and operators to assess the status of their efforts and the unique challenges across their sectors.