This material was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the United States Department of Energy, nor the Contractor, nor any of their employees, nor any jurisdiction or organization that has cooperated in the development of these materials, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, software, or process disclosed, or represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof, or Battelle Memorial Institute. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.
PACIFIC NORTHWEST NATIONAL LABORATORY
UNITED STATES DEPARTMENT OF ENERGY
under Contract DE-AC05-76RL01830
Full Version
The full version of the tool gives a complete listing of questions, suitable for an in-depth assessment of all of an organization's domains. This version is suitable for management or for those assigned to do a full-scope assessment.
Lite Version
The lite version of the tool provides an abbreviated listing of the full question set, suitable for limited-scope assessments. This version is suitable for non-management personnel who wish to look at their readiness in preparation for a larger assessment.
This Evaluation Toolkit enables an organization to evaluate the maturity of its utility system's security capabilities based on the ES-C2M2 Version 1.1.
The ES-C2M2 can be obtained from http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-v-11-february-2014, or by emailing the Department of Energy (DOE) at C2M2@doe.gov.
The ES-C2M2 materials are furnished on an as-is basis.
The DOE makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, results obtained from this toolkit.
For further questions regarding ES-C2M2, please contact us.
This report is provided "as is" for informational purposes only. The Department of Energy (DOE) does not provide any warranties of any kind regarding any information contained within. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including, but not limited to, direct, indirect, special, or consequential damages and including damages based on any negligence of the United States Government or its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of, or reliance upon the report.
DOE does not endorse any commercial product or service, including the subject of the analysis in this report. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the agencies.
The display of the DOE official seal or other visual identities on this report shall not be interpreted to provide the recipient organization authorization to use the official seal, insignia, or other visual identities of the Department. The DOE insignia or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by DOE or the United States Government. Use of the DOE seal without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DOE policies governing usage of their seal.
This report represents the results of an evaluation using the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The ES-C2M2 evaluation is designed to assist organizations in identifying specific areas in which to strengthen their cybersecurity program, prioritizing cybersecurity actions and investments, and maintaining the desired level of security throughout the IT systems life cycle.
The scope defined for this evaluation includes the following:
This evaluation examined ten critical cyber domains for a federal facility, with a focus on building controls.
The results presented in this report are based on participant responses to ES-C2M2 Evaluation questions. For the purposes of this evaluation, responses to evaluation questions are considered valid and accurate. The evaluation process did not include document reviews, observation of work, or an examination of security controls in place to support the evaluated function.
The ES-C2M2 arises from a combination of existing cybersecurity standards, frameworks, programs, and initiatives. The ES-C2M2 provides flexible guidance to help organizations develop and improve their cybersecurity capabilities. As a result, the ES-C2M2 practices tend to be at a high level of abstraction, so that they can be interpreted for organizations of various structures and sizes.
The ES-C2M2 is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The practices within a domain are grouped by objective—target achievements that support the domain. Within each objective, the practices are ordered by MIL.
The following sections include additional information about the domains and the MILs.
Each of the ES-C2M2's 10 domains contains a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability in the domain. For example, the Risk Management domain is a group of practices that an organization can perform to establish and mature cybersecurity risk management capability.
For each domain, the ES-C2M2 provides a purpose statement, which is a high-level summary of the intent of the domain. The purpose statement offers context for interpreting the practices in the domain. The practices within each domain are organized into objectives, which represent achievements that support the domain. For example, the Risk Management domain comprises three objectives:
Each of the objectives in a domain comprises a set of practices, which are ordered by MIL. Figure 2.1 depicts the architecture of the ES-C2M2.
Figure 2.1: ES-C2M2 Architecture
A brief description of the 10 domains follows in the order in which they appear in the ES-C2M2.
Risk Management (RM)
Establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders.
Asset, Change, and Configuration Management (ACM)
Manage the organization's information technology (IT) and operations technology (OT) assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.
Identity and Access Management (IAM)
Create and manage identities for entities that may be granted logical or physical access to the organization's assets. Control access to the organization's assets, commensurate with the risk to critical infrastructure and organizational objectives.
Threat and Vulnerability Management (TVM)
Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization's infrastructure (e.g., critical, IT, operational) and organizational objectives.
Situational Awareness (SA)
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other ES-C2M2 domains, to form a common operating picture (COP).
Information Sharing and Communications (ISC)
Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives.
Event and Incident Response, Continuity of Operations (IR)
Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.
Supply Chain and External Dependencies Management (EDM)
Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives.
Workforce Management (WM)
Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.
Cybersecurity Program Management (CPM)
Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to critical infrastructure.
The ES-C2M2 defines four maturity indicator levels, MIL0 through MIL3, which apply independently to each domain in the ES-C2M2.
Four aspects of the MILs are important for understanding and applying the ES-C2M2:
The ES-C2M2 includes 10 domains, or logical groupings of cybersecurity practices. A description of each domain is provided in Section 2.1, Domains. This section provides a summary of MIL scores and of the answers entered, by MIL, for each of the 10 domains included in the ES-C2M2. See Appendix A, Evaluation Scoring Process, for a detailed explanation of the scoring process and Section 5, Using the Evaluation Results, for further detail regarding interpretation of evaluation results.
[Chart legend: Fully Implemented, Largely Implemented, Partially Implemented, Not Implemented]
This section provides the level of implementation (i.e., Fully Implemented, Largely Implemented, Partially Implemented, or Not Implemented) entered in the Evaluation Survey for each ES-C2M2 practice, by domain, objective, and MIL. See Appendix A, Evaluation Scoring Process, for a detailed explanation of the scoring process and Section 5, Using the Evaluation Results, for further detail regarding evaluation results.
The ES-C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities consistently, to communicate its capability levels in meaningful terms, and to inform the prioritization of its cybersecurity investments. Figure 5.1 summarizes the recommended approach for using the ES-C2M2. An organization performs an evaluation against the ES-C2M2, uses that evaluation to identify gaps in capability, prioritizes those gaps and develops plans to address them, and finally implements plans to address the gaps. As plans are implemented, business objectives change, and the risk environment evolves, the process is repeated.
Figure 5.1: Recommended Approach for Using the ES-C2M2
To aid in the analysis of identified gaps, survey questions that were recorded as either "Partially Implemented" or "Not Implemented" are consolidated in Section 5.1, Summary of Identified Gaps.
Table 5.1 presents a more detailed process for using evaluation results.
Table 5.1: Detailed Process for Using the Evaluation Results
Note: For further detail regarding activities in the table above, see the ES-C2M2 Version 1.1.
Evaluation scores are derived from responses entered into the ES-C2M2 Self Evaluation Toolkit. Each question includes a four-point answer scale: Fully Implemented (FI), Largely Implemented (LI), Partially Implemented (PI), and Not Implemented (NI). The answers of FI or LI are required for a practice to be considered implemented for scoring. Credit is not applied for answers of PI or NI.
The evaluation questionnaire answer options are explained in more detail in the following table:
Table A.1: Evaluation Answer Scale
Achieving a specific MIL for a given domain in the ES-C2M2 requires the following:
For example, to achieve MIL1 in a domain with four MIL1 practices, all four MIL1 practices must be in place. To achieve MIL2 in that same domain, all MIL1 and MIL2 practices must be in place.
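The scoring rule above (FI or LI earns credit; a MIL is achieved only when every practice at that MIL and at all lower MILs is in place) as a worked example. This is added illustration code, not the Self Evaluation Toolkit's own implementation; the domain names, practice ids and answers are constructed.

```python
# Added illustration of the ES-C2M2 scoring rule; not the Self Evaluation
# Toolkit's own code.  Domain names, practice ids and answers are constructed.
from typing import Dict, List, Tuple

# Four-point answer scale; only FI and LI earn credit toward a MIL.
VALID_ANSWERS = {"FI", "LI", "PI", "NI"}
IMPLEMENTED = {"FI", "LI"}

# A practice is (practice id, MIL at which it sits, recorded answer).
Practice = Tuple[str, int, str]


def domain_mil(practices: List[Practice]) -> int:
    """Highest MIL achieved in one domain.

    MIL k is achieved only when every practice at MIL k and at every lower
    MIL is FI or LI; a single PI/NI at MIL1 leaves the domain at MIL0.
    """
    for pid, mil, answer in practices:
        if answer not in VALID_ANSWERS:
            raise ValueError(f"{pid}: unknown answer {answer!r}")
        if mil not in (1, 2, 3):
            raise ValueError(f"{pid}: MIL must be 1, 2 or 3, got {mil}")
    achieved = 0
    for mil in (1, 2, 3):
        if any(a not in IMPLEMENTED for _, m, a in practices if m == mil):
            break  # an incomplete level blocks every level above it
        achieved = mil
    return achieved


def identified_gaps(practices: List[Practice]) -> List[str]:
    """Practices recorded as PI or NI: the set consolidated for gap analysis."""
    return [pid for pid, _, a in practices if a not in IMPLEMENTED]


def score_domains(domains: Dict[str, List[Practice]]) -> Dict[str, int]:
    """MIL per domain; MILs are scored independently for each domain."""
    return {name: domain_mil(ps) for name, ps in domains.items()}


# Constructed sample: Domain A has four MIL1 practices, as in the text's example.
SAMPLE = {
    "Domain A": [("A-1a", 1, "FI"), ("A-1b", 1, "LI"), ("A-1c", 1, "FI"), ("A-1d", 1, "FI"),
                 ("A-2a", 2, "FI"), ("A-2b", 2, "PI"),  # one MIL2 gap -> stops at MIL1
                 ("A-3a", 3, "FI")],
    "Domain B": [("B-1a", 1, "NI"), ("B-2a", 2, "FI")],  # MIL1 gap -> MIL0 despite MIL2 credit
    "Domain C": [("C-1a", 1, "FI"), ("C-2a", 2, "LI"), ("C-3a", 3, "FI")],  # all credit -> MIL3
}

if __name__ == "__main__":
    for name, mil in score_domains(SAMPLE).items():
        print(f"{name}: MIL{mil}, gaps={identified_gaps(SAMPLE[name])}")
```

Domain B shows why credit at a higher MIL does not help: a single Not Implemented MIL1 practice holds the domain at MIL0.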
[Table headers only; rows not recovered. Answer legend: Fully Implemented, Largely Implemented, Partially Implemented, Not Implemented. Maturity Indicator Level columns: All, MIL 1, MIL 2, MIL 3.]