Editor’s Note: The DOE/DHS publication, Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), is attached below.
From: FierceGovernmentIT
By Molly Bernhart Walker
After five months of development, the Energy Department published May 31 the Electricity Subsector Cybersecurity Capability Maturity Model (.pdf).
The model serves as a “tool to evaluate and strengthen cybersecurity capabilities and enable utilities to prioritize their actions and their cybersecurity investments,” said White House Cybersecurity Coordinator Howard Schmidt in a White House blog post May 25.
The maturity model combines elements from existing cybersecurity efforts into a common guide that spans 10 categories of capabilities, or domains. Each of these 10 domains has objectives that an organization can fulfill in order to establish a mature capability in the domain.
The 10 domains are:
- Risk management;
- Asset, change and configuration management;
- Identity and access management;
- Threat and vulnerability management;
- Situational awareness;
- Information sharing and communications;
- Event and incident response, continuity of operations;
- Supply chain and external dependencies management;
- Workforce management; and
- Cybersecurity program management.
The model also employs four maturity indicator levels (MILs), which apply independently to each domain. To earn an MIL in a given domain, an organization must fulfill all objectives in a level and the preceding level, says the document.
“For example, an organization must perform all of the domain practices in MIL1 and MIL2 to achieve MIL2 in the domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3,” explains the model.
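The cumulative rule quoted above can be expressed as a small self-assessment scorer. This is an added example, not code from the ES-C2M2 document or from DOE; the practice ids and sample data are constructed, and treating an incomplete MIL1 as level 0 is an assumption about how the lowest level is reported.

```python
from collections import defaultdict

# Constructed sample self-assessment: (domain, practice id, practice MIL, performed?).
# Practice ids are hypothetical placeholders, not identifiers from the ES-C2M2 document.
SAMPLE = [
    ("Risk management", "RM-a", 1, True),
    ("Risk management", "RM-b", 2, True),
    ("Risk management", "RM-c", 2, False),   # one MIL2 gap
    ("Risk management", "RM-d", 3, True),    # MIL3 work done, but it cannot count yet
    ("Identity and access management", "IAM-a", 1, True),
    ("Identity and access management", "IAM-b", 2, True),
    ("Identity and access management", "IAM-c", 3, True),
    ("Situational awareness", "SA-a", 1, False),
    ("Situational awareness", "SA-b", 2, True),
]

def score_domains(practices, top_level=3):
    """Return {domain: (achieved MIL, [practice ids blocking the next level])}.

    Each domain is scored independently. A level is achieved only when every
    practice at that level and at all lower levels is performed.
    Assumption: a level with no listed practices is treated as satisfied.
    """
    by_domain = defaultdict(lambda: defaultdict(list))
    for domain, pid, level, performed in practices:
        by_domain[domain][level].append((pid, performed))

    result = {}
    for domain, levels in by_domain.items():
        achieved, blockers = 0, []
        for level in range(1, top_level + 1):
            missing = [pid for pid, done in levels.get(level, []) if not done]
            if missing:
                blockers = missing   # these practices cap the domain at `achieved`
                break
            achieved = level
        result[domain] = (achieved, blockers)
    return result

if __name__ == "__main__":
    for domain, (mil, blockers) in score_domains(SAMPLE).items():
        gap = f" (blocked by {', '.join(blockers)})" if blockers else ""
        print(f"{domain}: MIL{mil}{gap}")
```

The blocker list is the useful output for prioritizing investment: it names the lowest-level gaps that hold a domain back, regardless of higher-level practices already in place.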
According to the document, the draft model was piloted at 17 utilities to determine whether or not the model provides a basis for evaluation and to collect feedback for improvement.
“With a waitlist of utilities eager to employ the model beyond the pilot participants, this model promises to significantly enhance our understanding of cybersecurity capabilities across the sector,” said Schmidt in the blog post.
The pilots are already informing further model planning, as the document outlines new features that should be added to future versions of the model. The next version of the document will include more MILs, more guidance on developing cybersecurity performance metrics and measurement, and additional guidance on how organizations can implement domain practices.
Electricity Subsector Cybersecurity Capabilities Maturity Model (ES-C2M2) – May 2012