Request for Information: DOE's Cybersecurity Capability Maturity Model (C2M2) Version 2.0 (July 2021); Extension

AGENCY:

Office of Cybersecurity, Energy Security, and Emergency Response; Department of Energy.

ACTION:

Extension of public comment period.

SUMMARY:

The U.S. Department of Energy (DOE) is extending the public comment period for its Request for Information (RFI) regarding the Cybersecurity Capability Maturity Model (C2M2). DOE published the RFI in the Federal Register on November 24, 2021, establishing a 30-day public comment period that ends December 27, 2021. DOE is extending the public comment period for 45 days to February 10, 2022.

DATES:

The comment period for the RFI published on November 24, 2021 (86 FR 67038) is extended. DOE will accept responses regarding this RFI received no later than February 10, 2022.

ADDRESSES:

To access and review the Cybersecurity Capability Maturity Model (C2M2), visit www.energy.gov/c2m2.

Comments should be submitted by email to C2M2@hq.doe.gov using the Comment Submission Form available here: https://energy.gov/sites/default/files/2021-11/Comment%20Submission%20Form%20-%20Cybersecurity%20Capability%20Maturity%20Model%20%28C2M2%29.docx. Use the email subject line: “C2M2 Public Comment from [name/organization].”

Although DOE has routinely accepted public comment submissions through a variety of mechanisms, including postal mail and hand delivery/courier, the Department has found it necessary to make temporary modifications to the comment submission process in light of the ongoing coronavirus 2019 (“COVID-19”) pandemic. DOE is currently suspending receipt of public comments via postal mail and hand delivery/courier. If a commenter finds that this change poses an undue hardship, please contact CESER staff at (202) 586-3057 to discuss the need for alternative arrangements. Once the COVID-19 pandemic health emergency is resolved, DOE anticipates resuming all of its regular options for public comment submission, including postal mail and hand delivery/courier.

FOR FURTHER INFORMATION CONTACT:

Mr. Fowad Muneer, Acting Deputy Assistant Secretary for the Cybersecurity for Energy Delivery Systems Division, U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response. Tel.: (202) 586-5961. Email: fowad.muneer@hq.doe.gov.

SUPPLEMENTARY INFORMATION:

On November 24, 2021, DOE published a notice of RFI to solicit public comment on Version 2.0 of the C2M2, a tool that helps organizations evaluate and improve their cybersecurity capabilities, considering their specific risk environment. DOE released Version 2.0 in July 2021, and the update was guided by input from the Energy Sector C2M2 Working Group, which comprises 145 energy sector cybersecurity practitioners representing 77 energy sector and cybersecurity organizations. Version 2.0 updates the model from Version 1.1, released in 2014, and includes a variety of updates to the model domains and practices to better address emerging technologies and the evolving cyber threat landscape.

To obtain the broadest possible input, DOE seeks public comment on the C2M2 to inform the C2M2 Working Group as it develops future model updates. DOE believes it is appropriate to extend the public comment period to allow additional time for interested parties to submit comments. Therefore, DOE is extending the deadline for response until February 10, 2022, to provide interested parties additional time to prepare and submit responses.

Specifically, DOE seeks input on the following items:

• The usefulness of C2M2 practices in evaluating and improving cybersecurity program capabilities.
• The applicability of practice language to the IT and OT environments in use by energy sector organizations.
• The readability of and ability to understand practice language.
• The completeness of cybersecurity domains, objectives, and practices included within the C2M2.

• The effectiveness of guidance documentation ( e.g., model introduction sections, domain introductions, and appendices) in conveying model concepts, architecture, and how to use the model.

• Any other potential improvements to the C2M2 documentation or practices contained therein.

For more information on the C2M2, or to review the model document, visit www.energy.gov/c2m2.

Confidential Business Information: Pursuant to 10 CFR 1004.11, any person submitting information that he or she believes to be confidential and exempt by law from public disclosure should submit via email two well-marked copies: One copy of the document marked “confidential” including all the information believed to be confidential, and one copy of the document marked “non-confidential” with the information believed to be confidential deleted. DOE will make its own determination about the confidential status of the information and treat it according to its determination.

Signing Authority

This document of the Department of Energy was signed on December 21, 2021, by Fowad Muneer, Acting Deputy Assistant Secretary for the Cybersecurity for Energy Delivery Systems Division, pursuant to delegated authority from the Secretary of Energy. That document with the original signature and date is maintained by DOE. For administrative purposes only, and in compliance with requirements of the Office of the Federal Register, the undersigned DOE Federal Register Liaison Officer has been authorized to sign and submit the document in electronic format for publication, as an official document of the Department of Energy. This administrative process in no way alters the legal effect of this document upon publication in the Federal Register .