Request for Comment on the DOE Cybersecurity Capability Maturity Model Version 2.0, 40399-40400 [2019-17446]
Federal Register / Vol. 84, No. 157 / Wednesday, August 14, 2019 / Notices
[Federal Register Volume 84, Number 157 (Wednesday, August 14, 2019)]
[Notices]
[Pages 40399-40400]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-17446]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Request for Comment on the DOE Cybersecurity Capability Maturity
Model Version 2.0
AGENCY: Office of Cybersecurity, Energy Security, and Emergency
Response; Department of Energy.
ACTION: Notice of availability; request for comment.
-----------------------------------------------------------------------
SUMMARY: Through this notice, the Department of Energy (DOE) seeks
comments and information from the public on enhancements to the
Cybersecurity Capability Maturity Model (C2M2) Version 2.0. C2M2
Version 2.0 incorporates enhancements to align model domains and
functional questions with internationally-recognized cyber standards
and best practices, including the NIST Cybersecurity Framework Version
1.1 released in April 2018. Since C2M2's last update, new cybersecurity
standards have been developed and existing standards have improved.
Both technology and threat actors have become more sophisticated,
creating new attack vectors and introducing new risks. DOE intends to
address these challenges in version 2.0 of C2M2.
DATES: Comments and information are requested by September 13, 2019.
ADDRESSES: Copies of the draft maturity model are available for public
inspection at the U.S. Department of Energy, Forrestal Building, 1000
Independence Avenue SW, Washington, DC 20585-0121. Public inspection
can be conducted between 9:00 a.m. and 4:00 p.m., Monday through
Friday, except Federal holidays. These documents can also be accessed
online at https://www.energy.gov/ceser/downloads/public-comment-draft-c2m2-v2.
FOR FURTHER INFORMATION CONTACT: Mr. Timothy Kocher, Special Advisor,
U.S. Department of Energy, Office of Cybersecurity, Energy Security,
and Emergency Response, Forrestal Building, 1000 Independence Avenue
SW, Washington, DC 20585-0121. Tel.: (202) 586-5281. Email:
timothy.kocher@hq.doe.gov.
SUPPLEMENTARY INFORMATION: C2M2 Version 2.0 leverages and builds upon
existing efforts, models, and cybersecurity best practices to advance
the model by adjusting to new technologies, practices, and
environmental factors. The initiative also accounts for the strategic
guidance of E.O. 13800, Strengthening the Cybersecurity of Federal
Networks and Critical Infrastructure, and E.O. 13636, Improving
Critical Infrastructure Cybersecurity, aiming to strengthen and improve
the nation's cyber posture and capabilities and to reinforce systematic
security and resilience. As industry's use of networked technologies
has grown, malicious actors have increasingly targeted the safe and
reliable supply of energy. These challenges, along with the evolution
of cyber practices, necessitated the C2M2 Version 2.0 update.
A maturity model is a set of characteristics, attributes,
indicators, or patterns that represent capability and progression in a
particular discipline. Model content typically exemplifies best
practices and may incorporate standards or other codes of practice of
the discipline.
A maturity model thus provides a benchmark against which an
organization can evaluate the current level of capability of its
practices, processes, and methods and set goals and priorities for
improvement. Also, when a model is widely used in a particular industry
(and assessment results are shared), organizations can benchmark their
performance against other organizations. An industry can determine how
well it is performing overall by examining the capability of its member
organizations.
The C2M2 is meant to be used by an organization to evaluate its
cybersecurity capabilities consistently, to communicate its capability
levels in meaningful terms, and to inform the prioritization of its
cybersecurity investments. An organization performs an evaluation
against the model, uses that evaluation to identify gaps in capability,
prioritizes those gaps and develops plans to address them, and finally
implements plans to address the gaps. As plans are implemented,
business objectives change, and the risk environment evolves, the
process is repeated.
To measure progression, maturity models typically have "levels"
along a scale; C2M2 uses a scale of maturity indicator levels (MILs) 0-3,
which are described in Section 4.2. A set of attributes defines each
level. If an organization demonstrates these attributes, it has
achieved both that level and the capabilities that the level
represents. Having measurable transition states between the levels
enables an organization to use the scale to:
• Define its current state
• Determine its future, more mature state
• Identify the capabilities it must attain to reach that future state
The model arises from a combination of existing cybersecurity
standards, frameworks, programs, and initiatives. The model provides
flexible guidance to help organizations develop and improve their
cybersecurity capabilities. As a result, the model practices tend to be
at a high level of abstraction, so that they can be interpreted for
organizations of various structures and sizes.
The model is organized into 10 domains. Each domain is a logical
grouping of cybersecurity practices. The practices within a domain are
grouped by objective: target achievements that support the domain.
Within each objective, the practices are ordered by MIL.
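The structure the notice describes (domains, objectives, practices ordered by MIL, a level achieved once its defining attributes are all demonstrated, and an evaluation that yields a gap list) is easy to misread without something concrete. The following is an added example, not DOE's model or any C2M2 tooling: it scores a constructed domain against a constructed set of implemented practices. The domain name appears in the notice, but the objectives, practice IDs and practice text are placeholders, and the rule that levels are cumulative (a domain reaches MIL n only when every practice at MILs 1 through n is demonstrated) is an assumption the notice does not state.

```python
"""Toy scorer for a C2M2-style maturity model.

Added example, not DOE's model or tooling. Constructed/assumed here:
the domain's objectives, practice IDs and practice text (placeholders),
and the rule that MILs are cumulative (a domain reaches MIL n only when
every practice at MILs 1..n is demonstrated), which the notice does not
state explicitly.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

MILS = (1, 2, 3)  # MIL 0 means the MIL 1 attributes are not all demonstrated


@dataclass(frozen=True)
class Practice:
    pid: str          # constructed identifier, e.g. "TVM-1a"
    objective: str    # objective within the domain
    mil: int          # maturity indicator level at which the practice is expected
    text: str


@dataclass(frozen=True)
class Domain:
    name: str
    practices: tuple


def by_objective(domain: Domain) -> Dict[str, List[Practice]]:
    """Group a domain's practices by objective, ordered by MIL within
    each objective, mirroring the layout the notice describes."""
    grouped: Dict[str, List[Practice]] = {}
    for p in sorted(domain.practices, key=lambda p: (p.mil, p.pid)):
        grouped.setdefault(p.objective, []).append(p)
    return grouped


def achieved_mil(domain: Domain, implemented: Set[str]) -> int:
    """Highest MIL whose defining attributes are all demonstrated.
    Assumes cumulative levels: scoring stops at the first level with a gap."""
    level = 0
    for mil in MILS:
        required = [p for p in domain.practices if p.mil == mil]
        # all([]) is True, so a level with no practices counts as satisfied
        if all(p.pid in implemented for p in required):
            level = mil
        else:
            break
    return level


def gaps_to_reach(domain: Domain, implemented: Set[str],
                  target_mil: int) -> List[Practice]:
    """Practices at or below target_mil not yet demonstrated: the
    capabilities the organization must attain to reach its future state."""
    missing = [p for p in domain.practices
               if p.mil <= target_mil and p.pid not in implemented]
    return sorted(missing, key=lambda p: (p.mil, p.objective, p.pid))


def evaluate(domains: Iterable[Domain], implemented: Set[str]) -> Dict[str, int]:
    """One evaluation pass over the model: the current MIL per domain."""
    return {d.name: achieved_mil(d, implemented) for d in domains}


# Constructed sample domain (the domain name is from the notice; the
# objectives, practice IDs and practice text are placeholders).
TVM = Domain("Threat and Vulnerability Management", (
    Practice("TVM-1a", "Reduce Vulnerabilities", 1, "Vulnerability information sources are identified"),
    Practice("TVM-1b", "Reduce Vulnerabilities", 2, "Vulnerabilities are assessed against defined criteria"),
    Practice("TVM-1c", "Reduce Vulnerabilities", 3, "Vulnerability trends are analyzed and reported"),
    Practice("TVM-2a", "Respond to Threats", 1, "Threat information is collected, at least ad hoc"),
    Practice("TVM-2b", "Respond to Threats", 2, "A threat profile for the function is maintained"),
    Practice("TVM-2c", "Respond to Threats", 3, "Threat analysis feeds the risk management program"),
))

# Constructed self-assessment result: every MIL 1 practice plus one MIL 2 practice.
IMPLEMENTED = {"TVM-1a", "TVM-2a", "TVM-1b"}

if __name__ == "__main__":
    print(evaluate([TVM], IMPLEMENTED))           # {'Threat and Vulnerability Management': 1}
    for p in gaps_to_reach(TVM, IMPLEMENTED, 2):   # what is still needed to reach MIL 2
        print(f"MIL {p.mil} {p.pid} [{p.objective}]: {p.text}")
```

With the sample data the domain scores MIL 1: TVM-1b is done, but the other MIL 2 practice (TVM-2b) is not, so the MIL 2 attribute set is incomplete and the gap list for a MIL 2 target contains exactly that practice. Re-running the evaluation after plans are implemented is the repeat step the notice describes.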
The C2M2 Version 2.0 initiative leverages and builds upon existing
efforts, models, and cybersecurity best practices to advance the model
by adjusting to new technologies, practices, and environmental factors
that have occurred since the Version 1.1 release.
Advances Between C2M2 Versions 1.1 and 2.0
The C2M2 Version 2.0 was necessitated by advancements in
technologies, practices, and frameworks to protect critical
infrastructure against cyber intrusions. A comprehensive review of all
domains and MILs conducted by teams of industry experts ensured C2M2
Version 1.1 user concerns were addressed and revisions to domains and
MILs were achieved in accordance with user feedback. C2M2 Version 2.0
builds upon initial development activities and was further developed
through the following approach:
Public-private partnership: Numerous government, industry, and
academic organizations participated in the development of this model,
bringing a broad range of knowledge, skills, and experience to the
team. The model was developed collaboratively with an industry advisory
group through a series of working sessions, and it was revised based on
feedback from more than 60 industry experts with extensive experience
using Version 1.1.
[[Page 40400]]
Best practices and sector alignment: The model builds upon and ties
together a number of existing cybersecurity resources and initiatives
and was informed by a review of cyber threats to the energy sector.
Leveraging related works shortened the development schedule and helped
to ensure that the model would be relevant and beneficial to the
sector.
Descriptive, not prescriptive: This model was developed to provide
descriptive, not prescriptive, guidance to help organizations develop
and improve their cybersecurity capabilities. As a result, the model
practices tend to be abstract so that they can be interpreted for
entities of various structures, functions, and sizes.
Fast-paced development: The development effort focused on quickly
developing a model that would provide value to the energy sector and be
available as soon as possible. The sector has widely adopted the model
and provided valuable feedback for improvements.
The model has also been enhanced to account for updates made to the
NIST Cybersecurity Framework. While aligning with the NIST Framework
and accounting for Version 1.1 comments, the Version 2.0 updates
include the following:
• Establishing a Cybersecurity Architecture domain
• Separating the MILs from the Information Sharing and Communications
domain to include sharing practices in the Threat and Vulnerability
Management and Situational Awareness domains
• Moving Continuity of Operations MILs from the Incident and Event
Response domain to the Cybersecurity Program Management domain to
account for continuity activities beyond response events
• Increasing the use of common language throughout the model
A mapping of C2M2 Version 1.1 to 2.0 will be included in Appendix B
in the final document to ensure existing users can understand
variations from historical evaluation scoring to continue the
maturation process with the changes to the model.
Signed in Washington, DC, on August 7, 2019.
Timothy Kocher,
Special Advisor, Office of Cybersecurity, Energy Security, & Emergency
Response, U.S. Department of Energy.
[FR Doc. 2019-17446 Filed 8-13-19; 8:45 am]
BILLING CODE 6450-01-P