TABLE OF CONTENTS

Acknowledgments
CAUTIONARY NOTE: Intended Scope and Use of This Publication
1 Introduction
2 Background
3 About the Electricity Subsector
4 The Model
  4.1 Model Development Approach
  4.2 Model Architecture
    4.2.1 Domains
    4.2.2 Maturity Indicator Levels
  4.3 Model Domains
    4.3.1 Risk Management (RISK)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.2 Asset, Change, and Configuration Management (ASSET)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.3 Identity and Access Management (ACCESS)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.4 Threat and Vulnerability Management (THREAT)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.5 Situational Awareness (SITUATION)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.6 Information Sharing and Communications (SHARING)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.7 Event and Incident Response, Continuity of Operations (RESPONSE)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.8 Supply Chain and External Dependencies Management (DEPENDENCIES)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.9 Workforce Management (WORKFORCE)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
    4.3.10 Cybersecurity Program Management (CYBER)
      Domain-Specific Objectives and Practices
      Common Objective and Practices
5 Using the Model
  Perform an Evaluation
  Analyze Identified Gaps
  Prioritize and Plan
  Implement Plans and Periodically Re-evaluate
  Sharing Results
Appendix A: References
Appendix B: Annotated Bibliography
  Risk Management (RISK)
  Asset, Change, and Configuration Management (ASSET)
  Identity and Access Management (ACCESS)
  Threat and Vulnerability Management (THREAT)
  Situational Awareness (SITUATION)
  Information Sharing and Communications (SHARING)
  Event and Incident Response, Continuity of Operations (RESPONSE)
  Supply Chain and External Dependencies Management (DEPENDENCIES)
  Workforce Management (WORKFORCE)
  Cybersecurity Program Management (CYBER)
Appendix C: Glossary
Appendix D: Acronyms
Appendix E: Related Initiatives
Notices
Read more:
http://energy.gov/sites/prod/files/Electricity%20Subsector%20Cybersecurity%20Capabilities%20Maturity%20Model%20%28ES-C2M2%29%20-%20May%202012.pdf