Powering Strong Communities

Department of Energy Accelerates Release Of Cybersecurity Capability Maturity Model Update

The Department of Energy (DOE) this week released an update to the Cybersecurity Capability Maturity Model (C2M2), which was originally scheduled for release at the end of this year.

The American Public Power Association (APPA), along with a number of cyber experts from public power, rural electric cooperatives and investor-owned utilities, have been working with the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) over the past two years to update the C2M2. 

Nathan Mitchell, Senior Director of Operations Programs at APPA, noted that this industry-led effort to update this voluntary cybersecurity model is in response to the continued attacks on information technology/operational technology cyber systems. “APPA wants to thank the public power representatives that have helped in this revision process,” he said.

“APPA recommends that public power utilities review the C2M2 V2.0, conduct a self-assessment of your cybersecurity program, and mitigate any risks you may find to prepare for and prevent cyber-attacks,” he said.

The new model was scheduled to be released at the end of 2021, but DOE-CESER and industry representatives agreed that accelerating the release of the new guidance and recommendations would help the electricity industry assess their cyber systems now.  

APPA also recommends that public power utility managers look at the Axio 360 for Public Power platform to help in tracking the progress of cybersecurity capability at their utility.  The C2M2 V2.0 is available on the Axio platform. Users can reach out to [email protected] with any questions.

The testing and validation of the model is ongoing and DOE welcomes any feedback based on experience using the updated model.  Email DOE at [email protected] to share feedback and lessons learned.  If changes are needed to clarify any C2M2 V2.0 model recommendations, an update will be issued at the end of the year. 

The C2M2 V2.0 is available for download at: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2

Any questions or comments on cybersecurity can be directed to APPA’s Cyber Defense Community email address at: [email protected]