Request for Information on DOE's Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (July 2021), 67038-67039 [2021-25669]


[Federal Register Volume 86, Number 224 (Wednesday, November 24, 2021)]
[Notices]
[Pages 67038-67039]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25669]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY


Request for Information on DOE's Cybersecurity Capability 
Maturity Model (C2M2) Version 2.0 (July 2021)

AGENCY: Office of Cybersecurity, Energy Security, and Emergency 
Response; Department of Energy.

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: In July 2021, the Department of Energy (DOE) released Version 
2.0 of the Cybersecurity Capability Maturity Model (C2M2), a tool that 
helps organizations evaluate and improve their cybersecurity 
capabilities, considering their specific risk environment. The update 
was guided by input from the Energy Sector C2M2 Working Group, which 
comprises 145 energy sector cybersecurity practitioners representing 77 
energy sector and cybersecurity organizations. Version 2.0 updates the 
model from Version 1.1,

[[Page 67039]]

released in 2014, and includes a variety of updates to the model 
domains and practices to better address emerging technologies and the 
evolving cyber threat landscape. Since the release in July, DOE has 
piloted the updated model with energy companies and utilities. To 
obtain the broadest possible input, DOE seeks public comment on the 
C2M2 to inform the C2M2 Working Group as it develops future model 
updates.

DATES: Comments and information must be received on or before December 
27, 2021.

ADDRESSES: To access and review the Cybersecurity Capability Maturity 
Model (C2M2), visit www.energy.gov/c2m2.
    Comments should be submitted by email to C2M2@hq.doe.gov using the 
Comment Submission Form available here: https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx. Use 
the email subject line: ``C2M2 Public Comment from [name/
organization].''
    Although DOE has routinely accepted public comment submissions 
through a variety of mechanisms, including postal mail and hand 
delivery/courier, the Department has found it necessary to make 
temporary modifications to the comment submission process in light of 
the ongoing coronavirus 2019 (``COVID-19'') pandemic. DOE is currently 
suspending receipt of public comments via postal mail and hand 
delivery/courier. If a commenter finds that this change poses an undue 
hardship, please contact CESER staff at (202) 586-3057 to discuss the 
need for alternative arrangements. Once the COVID-19 pandemic health 
emergency is resolved, DOE anticipates resuming all of its regular 
options for public comment submission, including postal mail and hand 
delivery/courier.

FOR FURTHER INFORMATION CONTACT: Mr. Fowad Muneer, Acting Deputy 
Assistant Secretary for the Cybersecurity for Energy Delivery Systems 
Division, U.S. Department of Energy, Office of Cybersecurity, Energy 
Security, and Emergency Response. Tel.: (202) 586-5961. Email: 
fowad.muneer@hq.doe.gov.

SUPPLEMENTARY INFORMATION: The C2M2 helps organizations evaluate and 
improve their cybersecurity capabilities, considering their specific 
risk environment. The model is a voluntary tool, tailored specifically 
for the energy industry, that enables companies to set targets, 
evaluate and benchmark their cybersecurity capabilities, and use the 
results to prioritize actions and investments. It is scalable for a 
company of any size, and is designed to evaluate practice in both the 
information technology (IT) and operational technology (OT) 
environments.
    DOE originally developed the C2M2 with input from energy industry 
partners in 2012, and released an updated Version 1.1 in 2014, with 
separate versions targeted for the electricity and oil and natural gas 
subsectors. Version 2.0, released July 2021, is designed for use across 
the energy sector, and can be used by other critical infrastructure 
sectors as well.
    The Version 2.0 update was guided by input from the Energy Sector 
C2M2 Working Group, which DOE formed with the Electricity and Oil & 
Natural Gas Subsector Coordinating Councils. The update better 
addresses new technologies like cloud, mobile, and artificial 
intelligence, and evolving threats such as ransomware and supply chain 
risks.
    While the structure of the model remains the same, this update 
resulted in some key changes:

    • Revisions to two-thirds of model practices--including 
substantive changes and clarifications--along with additions, 
deletions, and combining of practices
    • Addition of a Cybersecurity Architecture domain focused on 
planning, designing, and managing the cybersecurity control environment
    • Significant updates to the Risk Management domain to 
incorporate leading risk management practices and enhance coordination 
between cyber and enterprise risk management
    • Refresh of the Dependencies domain, now called the Third-Party 
Risk Management domain, to ensure the model effectively addresses 
third-party IT and OT cybersecurity risks, like sensitive data in the 
cloud and vendors with privileged access, as well as build supply chain 
security into organizational culture
    • Integration of Information Sharing domain activities into the 
Threat and Vulnerability Management and Situational Awareness domains
    • Addition of help text for each practice to improve clarity and 
consistency in how practices are applied

    DOE requests public comment on the C2M2 to inform the C2M2 Working 
Group as it develops future model updates. Specifically, DOE seeks 
input on the following items:

    • The usefulness of C2M2 practices in evaluating and improving 
cybersecurity program capabilities
    • The applicability of practice language to the IT and OT 
environments in use by energy sector organizations
    • The readability of and ability to understand practice language
    • The completeness of cybersecurity domains, objectives, and 
practices included within the C2M2
    • The effectiveness of guidance documentation (e.g., model 
introduction sections, domain introductions, and appendices) in 
conveying model concepts, architecture, and how to use the model
    • Any other potential improvements to the C2M2 documentation or 
practices contained therein

    For more information on the C2M2, or to review the model document, 
visit www.energy.gov/c2m2.
    Confidential Business Information: Pursuant to 10 CFR 1004.11, any 
person submitting information that he or she believes to be 
confidential and exempt by law from public disclosure should submit via 
email two well-marked copies: One copy of the document marked 
``confidential'' including all the information believed to be 
confidential, and one copy of the document marked ``non-confidential'' 
with the information believed to be confidential deleted. DOE will make 
its own determination about the confidential status of the information 
and treat it according to its determination.

Signing Authority

    This document of the Department of Energy was signed on November 
18, 2021, by Fowad Muneer, Acting Deputy Assistant Secretary for the 
Cybersecurity for Energy Delivery Systems Division, pursuant to 
delegated authority from the Secretary of Energy. That document with 
the original signature and date is maintained by DOE. For 
administrative purposes only, and in compliance with requirements of 
the Office of the Federal Register, the undersigned DOE Federal 
Register Liaison Officer has been authorized to sign and submit the 
document in electronic format for publication, as an official document 
of the Department of Energy. This administrative process in no way 
alters the legal effect of this document upon publication in the 
Federal Register.

    Signed in Washington, DC, on November 19, 2021.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2021-25669 Filed 11-23-21; 8:45 am]
BILLING CODE 6450-01-P