This Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) was developed in support of a White House initiative led by the Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), and in collaboration with industry, private-sector, and public-sector experts.
The model was developed collaboratively with an industry advisory group through a series of working sessions and revised based on feedback from industry experts and pilot evaluations. The advisory group for the initiative included representatives from industry associations, utilities, and government.
Additionally, more than 40 subject matter experts (SMEs) from industry participated in development of the model.
This document describes the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The goal of this model is to support ongoing development and measurement of cybersecurity capabilities within the electricity subsector through the following four objectives:
- Strengthen cybersecurity capabilities in the electricity subsector.
- Enable utilities to effectively and consistently evaluate and benchmark cybersecurity capabilities.
- Share knowledge, best practices, and relevant references within the subsector as a means to improve cybersecurity capabilities.
- Enable utilities to prioritize actions and investments to improve cybersecurity.
The model was developed to apply to all electric utilities, regardless of ownership structure, size, or function. Broad use of the model is expected to support benchmarking for the subsector’s cybersecurity capabilities.
Section 2 of this document presents background information on the model and its development. Section 3 gives an overview of the U.S. electricity subsector. Section 4 contains the model itself.
It begins by describing the model’s development and architecture, and then it presents the model’s objectives and practices, organized into 10 domains. Section 5 recommends an approach for using the model.
Appendix A lists the references used for the glossary definitions, the domains, and the document in general. Appendix B gives an annotated bibliography that describes the key resources for each domain of the model.
Appendix C is a glossary that defines many of the terms used in this document. Appendix D defines the acronyms used in this document. Appendix E describes related initiatives.
The Electricity Subsector Cybersecurity Capability Maturity Model can be downloaded here: