ES-C2M2 Assessment Tool

The ES-C2M2 framework has been updated and replaced by the C2M2 v2.0 framework. The new C2M2 v2.0 framework includes updates to clarify guidelines and adds an additional domain. Read about the new C2M2 v2.0 framework here


What is ES-C2M2

With the convergence of Information Technology (IT) and Operational Technology (OT), many previously isolated critical infrastructure systems are now available online. Recognizing the potential threat this presents, the US Department of Energy (DOE) deployed the Cybersecurity Capability Maturity Model (C2M2) to help organizations assess their current cybersecurity capability and provide a consistent framework to see how it matures over time. The DOE released two different versions of the C2M2 model, one for the Electricity Subsector (ES) and one for the Oil and Natural Gas Subsector (ONG). And while the DOE doesn’t collect or require compliance from energy companies, the ES-C2M2 assessment is a tremendous asset in helping organizations see how their cybersecurity risk posture changes over time.


Why Use The ES-C2M2 Framework?

The goal of the ES-C2M2 is to provide organizations in electricity subsector organizations with a model and measurement through which current cybersecurity capabilities can be assessed, future states can be defined and the required capabilities to achieve those states can be identified. The DOE notes that many electricity subsector organizations are required to be in compliance with NERC CIP, and this ES-C2M2 framework is not designed as a replacement—however, it is assumed that the ES-C2M2 would be of benefit to them regardless. There are ten defined domains in the ES-C2M2 model that include:

  1. Risk Management

  2. Asset, Change and Configuration Management

  3. Identity and Access Management

  4. Threat and Vulnerability Management

  5. Situational Awareness

  6. Information Sharing and Communications

  7. Event and Incident Response, Continuity of Operations

  8. Supply Chain and External Dependencies Management

  9. Workforce Management

  10. Cybersecurity Program Management


How Maturity is Scored Under ES-C2M2

Across those ten domains, an electricity subsector organization is scored across four different maturity indicator levels (MIL0 to MIL3). While an organization can be highly advanced in Threat and Vulnerability Management with an MIL3 score, it could at the same time have a very low score of MIL0 in Identity and Access Management. Inside the ES-C2M2 framework, each of the ten domains provides specific controls and guidance to determine its maturity indicator level. Ultimately, the ES-C2M2 framework provides the electricity subsector organizations with a stable foundation to decrease their possible exposure, creating greater resilience in one of our country’s most critical industries.


How to Conduct an ES-C2M2 Assessment

Certainly, many electricity subsector organizations and cybersecurity consultants guiding them on the ES-C2M2 framework may choose to use the DOE’s provided PDF file for the assessment. However, at we believe there is a more efficient and consistent way to conduct an ES-C2M2 assessment. Our risk management platform has an ES-C2M2 assessment tool with tailor-made workflows for this framework that can be implemented right out of the box. And with these workflows, assessment questions can be sent across the electricity subsector organization for the right professional to answer and can nudge them if a response has not been received.


Simplify the Assessment Process with

Electricity subsector cybersecurity consultants can finally ditch spreadsheet-based assessments and upgrade to a modern software-as-a-service tool.’s cloud-based platform serves as a central repository for all data and can immediately provide insights, giving executive leadership an accurate understanding of where the company is in its cybersecurity journey. This is particularly important for consultants because it allows them to pinpoint how a company has matured in its cybersecurity capabilities and better demonstrate their value to the electricity subsector organizations.


Ready to Get Started?

If you’re a consultant looking to get out of the spreadsheet and into an easy-to-use ES-C2M2 assessment tool,  check out how can simplify your workload in this 3-minute demo, or contact our team for more details.

Matt Wilbanks

Wilbanks is responsible for global go-to-market strategy and marketing activities, and as a key member of the leadership team, developing the company's overall strategic vision. Matt brings experience in leadership, sales, and marketing from the technology space to

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on email

Recent Articles

Contact Us