The U.S. Department of Energy (DOE) released Version 2.0 (V2.0) of the Cybersecurity Capability Maturity Model (C2M2), a tool designed to help companies of all types and sizes evaluate and improve their cybersecurity capabilities. The C2M2 updates address the evolving cyber threat and technology landscape. The release of C2M2 V2.0 advances the Administration’s 100-day plan to confront cyber threats from adversaries who seek to compromise critical systems that are essential to U.S. national and economic security.

In April 2021, as part of the Biden Administration's effort to safeguard U.S. critical infrastructure, the DOE launched a 100-day coordinated initiative to enhance the cybersecurity of electric utilities’ industrial control systems (ICS). “The Biden Administration is committed to securing our nation’s critical energy infrastructure from increasingly persistent and sophisticated cyber threats and attacks,” said Puesh Kumar, Acting Principal Deputy Assistant Secretary for DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). “Through the release of C2M2 Version 2.0 and other activities under the 100-day ICS Cyber Initiative, we are taking deliberate action to protect against cyber threats and attacks.”

The C2M2, which was first released in 2012, is designed to help energy sector organizations understand cyber risks to their information technology (IT) and operational technology (OT) systems and measure the maturity of their cybersecurity capabilities. The updated model reflects inputs from 145 cybersecurity experts representing 77 energy sector organizations. Updates address new technologies like cloud, mobile, and artificial intelligence, and evolving threats such as ransomware and supply chain risks, and ultimately support companies in strengthening their operational resilience.

“C2M2 continues to be driven by public-private collaboration.” said Fowad Muneer, Acting Deputy Assistant Secretary for CESER’s Cybersecurity for Energy Delivery Systems (CEDS) division. “Our electricity, oil, and natural gas industry partners played a critical role in jointly authoring the C2M2 to ensure that it is responsive to the current cyber risk landscape.”

C2M2 is a free and voluntary resource. For information on C2M2 V2.0, visit energy.gov/c2m2 or email us at C2M2@hq.doe.gov.