The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) program is a public-private partnership effort that was established as a result of the administration’s efforts to improve electricity subsector cybersecurity capabilities and to understand the cybersecurity posture of the grid. The ES-C2M2 program comprises a maturity model, an evaluation tool, and DOE-facilitated self-evaluations.
The ES-C2M2 maturity model provides a mechanism to evaluate, prioritize, and improve cybersecurity capabilities. The model is a common set of industry-vetted cybersecurity practices, grouped into ten domains and arranged according to maturity level. The ES-C2M2 evaluation tool enables organizations to evaluate their own cybersecurity practices against the ES-C2M2 practices. Based on this comparison, a score is assigned for each domain. Scores can then be compared to a desired score, determined by the organization’s risk tolerance for each domain. ES-C2M2 facilitated self-evaluations afford an opportunity to conduct ES-C2M2 evaluations with the aid of experienced facilitators in a one-day structured walkthrough. Facilitators guide discussions, answer questions, and clarify model concepts to increase the accuracy of an evaluation.
The model is publicly available and can be used by any organization to enhance its cybersecurity capabilities. The DOE will continue to work with public and private partners to support adoption of the ES-C2M2. If your organization has questions about the ES-C2M2 model, the ES-C2M2 toolkit, or facilitated self-evaluations, contact the ES-C2M2 team at ES-C2M2@hq.doe.gov.