Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” of February 2013, directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary Framework for reducing cyber risks to critical infrastructure. The Framework aims to be flexible and repeatable, while helping asset owners and operators manage cybersecurity risk.
On January 8, 2015, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by NIST in February 2014. The Energy Sector Cybersecurity Framework Implementation Guidance discusses in detail how the Cybersecurity Capability Maturity Model (C2M2), which helps organizations evaluate, prioritize, and improve their own cybersecurity capabilities, maps to the framework. The guidance also recognizes that there are a number of other risk management tools, processes, standards, and guidelines already widely used by energy sector organizations that align well with the Cybersecurity Framework. In developing this guidance, CESER collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council, and with other Sector Specific Agency representatives and interested government stakeholders.
Related Links
- Energy Sector Cybersecurity Framework Implementation Guidance (January 2015)
- Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity”
- Cybersecurity Capability Maturity Model (C2M2) Program
- C2M2 Model
- Electricity Subsector C2M2 Model
- Podcast - Electricity Subsector C2M2 Model
- Oil and Natural Gas Subsector C2M2 Model
- C2M2 FAQs
- C2M2 Facilitator Guide
- DHS Critical Infrastructure Cyber Community C³ Voluntary Program
- Electricity Subsector Cybersecurity Risk Management Process (RMP) Guideline
- Roadmap to Achieve Energy Delivery Systems Cybersecurity
- Cross-Sector Roadmap for Cybersecurity of Control Systems (650 KB PDF)
- The Vulnerability Analysis of Energy Delivery Control Systems Report
- Guidelines for Smart Grid Cyber Security (3.4 MB PDF)
- A Guide to Developing a Cyber Security and Risk Mitigation Plan
- CEDS Fact Sheets