Cybersecurity Maturity Models
A maturity model enables organizations to assess where they are on the path to improving critical business processes and to determine the most effective next steps.
For example, a cybersecurity maturity model assesses the maturity of an organization’s cybersecurity program and identifies areas that could be improved to address the continually evolving cyber threat environment. This type of model helps organizations improve their cybersecurity posture, develop a roadmap that prioritizes improvements, and gives IT teams a common vocabulary for communicating with senior management to obtain support for necessary investments.
PNNL scientists and researchers have developed a robust portfolio of maturity models, most of which are free and available for organizations to utilize. Most models focus on cybersecurity applications, but some focus on other programmatic issues, such as energy resilience and chemical facility security. Though the primary audience for these tools is the energy sector, and specifically the power grid, some of the tools are applicable to multiple sectors.
Many of the maturity models in PNNL’s portfolio are based on the Cybersecurity Capability Maturity Model (C2M2) framework. The C2M2 framework was developed through a public-private partnership effort sponsored by the U.S. Department of Energy. C2M2 was established to improve electricity subsector cybersecurity capabilities and to better understand the cybersecurity posture of the grid. Organizations—regardless of size, type, or industry—can evaluate, prioritize, and improve their own cybersecurity capabilities using the C2M2 framework.
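As an added illustration, not PNNL's tool or any code from the C2M2 project, the following shows how C2M2-style scoring rolls per-practice self-assessment responses up into a maturity indicator level (MIL) and produces the prioritized gap list the text refers to. It assumes C2M2 v2's four response options (Fully, Largely, Partially, Not Implemented) and its rule that a MIL is achieved only when every practice at that level and all lower levels is Largely or Fully Implemented; the domain names and practice identifiers below are constructed and are not the model's actual practice numbers.

```python
from dataclasses import dataclass

# C2M2 v2 response options for each practice (abbreviated here).
FULLY, LARGELY, PARTIALLY, NOT = "FI", "LI", "PI", "NI"
# Only these two responses count toward achieving a MIL.
CREDIT = {FULLY, LARGELY}
TOP_MIL = 3


@dataclass(frozen=True)
class Practice:
    id: str        # constructed identifier, not a real C2M2 practice number
    mil: int       # maturity indicator level the practice belongs to (1..3)
    response: str  # self-assessment response


def mil_achieved(practices):
    """Highest MIL for which every practice at that level and all lower
    levels is Fully or Largely Implemented. Returns 0 if MIL1 is incomplete."""
    achieved = 0
    for level in range(1, TOP_MIL + 1):
        at_level = [p for p in practices if p.mil == level]
        if not all(p.response in CREDIT for p in at_level):
            break  # a lower-level gap blocks every higher level
        achieved = level
    return achieved


def next_mil_gaps(practices):
    """Practices that must be raised to LI/FI to reach the next MIL.
    Includes uncredited practices at the target level and any lower level."""
    target = mil_achieved(practices) + 1
    if target > TOP_MIL:
        return []
    return [p.id for p in practices
            if p.mil <= target and p.response not in CREDIT]


def assess(domains):
    """Roll-up per domain: {domain: (mil_achieved, gaps_for_next_mil)}."""
    return {name: (mil_achieved(ps), next_mil_gaps(ps))
            for name, ps in domains.items()}


# Constructed sample self-assessment covering three domains.
SAMPLE = {
    "ASSET": [
        Practice("ASSET-1", 1, FULLY),
        Practice("ASSET-2", 1, LARGELY),
        Practice("ASSET-3", 2, FULLY),
        Practice("ASSET-4", 2, PARTIALLY),   # blocks MIL2
        Practice("ASSET-5", 3, NOT),
    ],
    "THREAT": [
        Practice("THREAT-1", 1, FULLY),
        Practice("THREAT-2", 2, LARGELY),
        Practice("THREAT-3", 3, FULLY),
    ],
    # Higher-level work earns no credit while a MIL1 practice is missing.
    "RISK": [
        Practice("RISK-1", 1, NOT),
        Practice("RISK-2", 2, FULLY),
        Practice("RISK-3", 3, FULLY),
    ],
}


if __name__ == "__main__":
    for domain, (mil, gaps) in assess(SAMPLE).items():
        print(f"{domain}: MIL{mil} achieved; to reach next MIL fix {gaps}")
```

The RISK domain is the caveat worth noticing: two fully implemented MIL2/MIL3 practices still leave it at MIL0, because the model credits a level only once everything beneath it is in place. The gap list is therefore the cheapest ordering of improvements, which is what makes the output useful for a roadmap.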
We invite organizations to access and make use of our maturity models (summarized below) to assess their programmatic maturity in a variety of areas. We value user feedback on the models. You can share your feedback and comments with the PNNL cybersecurity team.
Cybersecurity Maturity Models
- C2M2 assesses a power sector organization’s cybersecurity programmatic maturity. The model can be used to identify areas where cost-effective enhancements can quickly improve cybersecurity programs. It was developed by energy industry experts from a diverse group of public agencies, private institutes, and industry.
- The Building Systems C2M2 assists building managers in evaluating the maturity of the cybersecurity program for their building’s digital control systems. The model is used to identify specific areas to strengthen and to prioritize cybersecurity actions and investments so that the desired level of security is maintained throughout the building control system life cycle. The tool is applicable to a wide range of building types, from small, individual buildings to large building complexes (e.g., an office park or college campus).
- The Secure Design and Development C2M2 is designed to assist product vendors, hardware designers, software and firmware developers, and software/hardware integrators in assessing the cybersecurity maturity of their design and development processes across the organization. This assessment can be instrumental in driving approaches to improve the cybersecurity of the products the organization designs and produces. For more information or access to this tool, contact our commercialization team by email.
- The Facility Cybersecurity Framework (FCF) suite of maturity models provides tools to assess the cybersecurity maturity of facilities based on different standards and guidance:
  - The FCF uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework to help facility owners and operators better manage cybersecurity risks.
  - The FCF-Risk Management Framework (RMF) Hybrid builds upon the FCF by employing both the NIST Cybersecurity Framework and the Risk Management Framework to evaluate facilities. This tool can perform a standard RMF assessment and generate both the FCF and RMF compliance/maturity scores.
  - The F-C2M2 Lite Assessment provides flexible guidance to help organizations assess their facility’s cybersecurity maturity using the C2M2 framework. F-C2M2 Lite is dynamic: the tool’s set of questions adapts and self-customizes based on user responses.
  - The FCF-Primer enables the user to conduct a quick review of their facility’s security posture before committing resources to a full FCF assessment. The FCF-Primer can be used prior to a more comprehensive FCF assessment, or as a checklist during the post-assessment/gap-mitigation phase to track enhancements.
Other Maturity Models
- The Transmission Resiliency Maturity Model (TRMM) is a tool for electricity transmission organizations to objectively evaluate and benchmark their current transmission resiliency policies, programs, and investments. The objective is to help transmission organizations target and prioritize improvements and enhance the overall resilience of the power grid. This U.S. Department of Energy-sponsored model was developed through a public-private partnership that included PNNL, the Electric Power Research Institute, the North American Transmission Forum, and more than a dozen transmission utilities.
- The Qualitative Risk Assessment (QRA) tool is designed to assist facility owners and operators in performing risk-based asset management. QRA enables asset owners to qualitatively define the estimated vulnerability of an asset and the potential impact if the asset is compromised, and then places the asset in the appropriate risk bucket: low, medium, or high.
- The Chemical Security Assessment Model is designed to assist chemical facilities and laboratories in assessing the maturity of their chemical security program and in identifying programmatic areas to strengthen so that the desired level of security is maintained throughout the chemical life cycle.
Training Tools
- The FCF Cybersecurity Training Game is designed for a spectrum of facility owners and operators. It provides dynamic, game-based cybersecurity training. Users pick a scenario and are then confronted with a series of real-world cyberattacks on their facility. Cybersecurity resources to thwart the attack are constrained to mimic real-world limitations. Attacks may impact both information and operational technology systems.