The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) program is a public-private partnership effort that was established as a result of the U.S. administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The ES-C2M2 program comprises a maturity model, an evaluation tool, and U.S. Department of Energy (DOE) facilitated self-evaluations.
The ES-C2M2 maturity model provides a mechanism to evaluate, prioritize, and improve cybersecurity capabilities. The model is a common set of industry-vetted cybersecurity practices, grouped into 10 domains and arranged according to maturity level. The ES-C2M2 evaluation tool enables organizations to evaluate their own cybersecurity practices against the ES-C2M2 cybersecurity practices. Based on this comparison, a score is assigned for each domain. Scores can then be compared to a desired score, which the organization determines from its risk tolerance for each domain.
In this podcast, Jason Christopher, Technical Lead for Cybersecurity Capabilities and Risk Management with the U.S. Department of Energy, and Nader Mehravari, a member of CERT's Cyber Risk Management team, discuss ES-C2M2 and how it is helping electric utilities and grid operators improve the operational resilience and security of the U.S. power grid.