The ONG-C2M2 framework has been updated and replaced by the C2M2 v2.0 framework. The new C2M2 v2.0 framework includes updates that clarify guidelines and adds a domain. Read about the new C2M2 v2.0 framework here.
What is ONG-C2M2?
Recognizing the need to protect our energy industries from cyber threats, the US Department of Energy (DOE) released a program called the Cybersecurity Capability Maturity Model (C2M2). The model was designed to help energy companies assess their cybersecurity capabilities in a consistent way so that they can measure their advancements over time. The DOE released two different versions of the C2M2 model, one for the Electricity Subsector (ES) and one for the Oil and Natural Gas Subsector (ONG). The DOE doesn’t collect any of the data from companies; the purpose of the ONG-C2M2 assessment is purely to help an organization better understand how it is improving its cybersecurity risk posture over time.
Why Use the ONG-C2M2 Framework?
The goal of the ONG-C2M2 is to empower organizations in the critical oil and natural gas industries to define their current cybersecurity capabilities, determine what future state they are aspiring toward and identify the particular capabilities, skills, and technology needed to attain that future state. There are ten defined domains in the model:
- Risk Management
- Asset, Change and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Information Sharing and Communications
- Event and Incident Response, Continuity of Operations
- Supply Chain and External Dependencies Management
- Workforce Management
- Cybersecurity Program Management
How Maturity is Scored Under ONG-C2M2
Within each of these ten domains, an organization is scored across four different maturity indicator levels (MIL0 to MIL3). So, an organization could be highly advanced in Situational Awareness with an MIL3 score but have a very low score of MIL0 in Risk Management. Inside the ONG-C2M2 framework, there are a number of controls for assessing the MIL score of a particular domain. And while there is not a compliance score required by the DOE, the ONG-C2M2 framework provides oil and natural gas organizations with a solid foundation to reduce their risk exposure, which ultimately helps protect two of our most critical industries.
How to Conduct an ONG-C2M2 Assessment
While many oil and gas companies and consultants may choose to use the PDF provided by the US DOE, we at SecurityGate.io believe there is a better alternative for an ONG-C2M2 assessment. Our cloud-based risk management platform has specific workflows for all domains and maturity indicator levels built into our state-of-the-art ONG-C2M2 assessment tool.
Reduce Assessment Headaches With SecurityGate.io
Oil and gas cybersecurity consultants and internal teams can leave those PDFs and spreadsheets behind, because the SecurityGate.io platform collects assessment data in a consistent way and stores it in a centralized repository. This means that your team will always have the most up-to-date information and insights into your company’s cybersecurity status. This is a particularly powerful capability for cybersecurity consultants working in the ONG-C2M2 framework, because it lets them easily compare historical data and insights with our dashboards to see how a company has matured over its lifecycle.
But the most compelling feature of SecurityGate.io is that our platform was built by people with a history in risk compliance and auditing for some of the largest oil and gas companies. That means that our ONG-C2M2 assessment tool was created and vetted by people who were in a position just like you, and we built the tool that we wish we’d had when conducting these assessments.
Ready to Get Started?
If you’re an oil and gas cybersecurity professional looking for a platform tailor-made to your needs, check out how SecurityGate.io can streamline your assessment process in this 3-minute demo, or contact our team to get started.