If you’re looking to get out of the spreadsheet and into an easy-to-use ES-C2M2 assessment tool, please download the white paper at the bottom to gain more value from your assessment process.
What is ES-C2M2?
With the convergence of Information Technology (IT) and Operational Technology (OT), many previously isolated critical infrastructure systems are now available online. Recognizing the potential threat this presents, the US Department of Energy (DOE) deployed the Cybersecurity Capability Maturity Model (C2M2) to help organizations assess their current cybersecurity capability and provide a consistent framework to see how it matures over time. The DOE released two different versions of the C2M2 model, one for the Electricity Subsector (ES) and one for the Oil and Natural Gas Subsector (ONG). And while the DOE doesn’t collect or require compliance from energy companies, the ES-C2M2 assessment is a tremendous asset in helping organizations see how their cybersecurity risk posture changes over time.
Why Use The ES-C2M2 Framework?
The goal of the ES-C2M2 is to provide electricity subsector organizations with a model and measurement through which current cybersecurity capabilities can be assessed, future states can be defined, and the capabilities required to achieve those states can be identified. The DOE notes that many electricity subsector organizations are required to comply with NERC CIP, and the ES-C2M2 framework is not designed as a replacement; however, it is assumed that the ES-C2M2 would benefit them regardless. There are ten defined domains in the ES-C2M2 model that include:
Asset, Change and Configuration Management
Identity and Access Management
Threat and Vulnerability Management
Information Sharing and Communications
Event and Incident Response, Continuity of Operations
Supply Chain and External Dependencies Management
Cybersecurity Program Management
How Maturity is Scored Under ES-C2M2
Across those ten domains, an electricity subsector organization is scored against four maturity indicator levels (MIL0 to MIL3), and each domain is scored separately. An organization can be highly advanced in Threat and Vulnerability Management with an MIL3 score and at the same time have a very low score of MIL0 in Identity and Access Management. Inside the ES-C2M2 framework, each of the ten domains provides specific controls and guidance to determine its maturity indicator level. Ultimately, the ES-C2M2 framework provides electricity subsector organizations with a stable foundation to decrease their possible exposure, creating greater resilience in one of our country’s most critical industries.
How to Conduct an ES-C2M2 Assessment
Certainly, many electricity subsector organizations, and the cybersecurity consultants guiding them on the ES-C2M2 framework, may choose to use the DOE’s provided PDF file for the assessment. However, at SecurityGate.io we believe there is a more efficient and consistent way to conduct an ES-C2M2 assessment. Our risk management platform has an ES-C2M2 assessment tool with tailor-made workflows for this framework that can be implemented right out of the box. With these workflows, assessment questions can be sent across the electricity subsector organization for the right professional to answer, and that person can be nudged if a response has not been received.
Simplify the Assessment Process with SecurityGate.io
Electricity subsector cybersecurity consultants can finally ditch spreadsheet-based assessments and upgrade to a modern software-as-a-service tool. SecurityGate.io’s cloud-based platform serves as a central repository for all data and can immediately provide insights, giving executive leadership an accurate understanding of where the company is in its cybersecurity journey. This is particularly important for consultants because it allows them to pinpoint how a company has matured in its cybersecurity capabilities and better demonstrate their value to the electricity subsector organizations.
Ready to Get Started?
If you’re a consultant looking to get out of the spreadsheet and into an easy-to-use ES-C2M2 assessment tool, check out how SecurityGate.io can simplify your workload in this 3-minute demo, or contact our team for more details.