The U.S. Department of Energy's Office of Cybersecurity, Energy Security and Emergency Response (CESER) has updated the Cybersecurity Capability Maturity Model (C2M2) based on real-world testing and user input.

The model serves as a form of self-assessment for energy organizations looking to improve their cybersecurity posture, according to a CESER statement. In the year since version 2.0 was released, there have been many shifts in the cyber threat landscape. In C2M2 version 2.1, CESER incorporated information on trends such as zero trust architecture, cloud and quantum computing, artificial intelligence (AI), ransomware defense and supply chain cybersecurity.

The update was developed in two phases: in phase one, a working group of 145 industry leaders revised the model from a sector-specific lens; in the second phase, CESER received over 100 public comments and began piloting the updated C2M2 model with various energy firms.

Critical updates to the model include a focus on cybersecurity architecture and managing security controls; significant enterprise risk management revisions; and the addition of information sharing best practices.