Maturity models give government agencies, industry associations, and organizations operating nuclear facilities a way to quickly evaluate the maturity of their cybersecurity programs and identify the areas to prioritize for improvement. The Cybersecurity Capability Maturity Model (C2M2) was developed by the U.S. Department of Energy so that organizations in the energy sector can evaluate the programmatic capabilities of their cybersecurity programs in a consistent manner, communicate programmatic maturity information, prioritize cybersecurity investments in targeted areas of concern, and track how the maturity of their cybersecurity program evolves over time. The C2M2 is designed for use by any critical infrastructure organization regardless of ownership, structure, or size, and it can be readily fine-tuned to assess the maturity of nuclear cybersecurity programs and their application at individual facilities. Built on a foundation of existing cybersecurity standards, frameworks, programs, and initiatives, the model features 10 security domains. Performance in each security domain is characterized using a structured set of cybersecurity practices, each representing an activity an organization can perform to improve cybersecurity in that domain. Each practice can be quickly rated as fully, largely, partially, or not implemented. Once the practices in each security domain have been rated, the model defines four maturity indicator levels that apply independently to each domain. To earn a maturity level in a given domain, an organization must adequately perform all the practices for that maturity level and for its predecessor level(s). A small assessment team can conduct a C2M2 assessment in a single day, and a screening version of the C2M2 gives an initial look at the maturity of nuclear cybersecurity programs that can be completed in under an hour.
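The cumulative scoring rule described above (a domain earns a maturity indicator level only when every practice at that level and all lower levels is adequately performed), as an added worked example that is not code from the paper or from the C2M2 itself. It assumes that "adequately performed" means a practice rated fully or largely implemented, that MIL0 through MIL3 are the four levels, and that a level with no recorded practices cannot be earned; the domain names and ratings are constructed.

```python
from enum import Enum

class Rating(Enum):
    """The four implementation ratings the C2M2 assigns to each practice."""
    FULLY = "fully"
    LARGELY = "largely"
    PARTIALLY = "partially"
    NOT = "not"

# Assumption (not stated on the page): a practice counts as "adequately
# performed" when it is fully or largely implemented.
ADEQUATE = {Rating.FULLY, Rating.LARGELY}
MAX_MIL = 3  # four maturity indicator levels: MIL0 (none earned) to MIL3

# A domain's practice ratings, keyed by the MIL each practice belongs to.
Domain = dict[int, list[Rating]]

def domain_mil(practices: Domain) -> int:
    """Highest MIL earned: all practices at that level and every lower level are adequate."""
    earned = 0
    for level in range(1, MAX_MIL + 1):
        ratings = practices.get(level, [])
        # A level with no recorded practices cannot be earned (assumption).
        if not ratings or not all(r in ADEQUATE for r in ratings):
            break  # cumulative rule: a gap here caps the domain at the level below
        earned = level
    return earned

def next_level_gaps(practices: Domain) -> list[tuple[int, int]]:
    """(level, practice index) pairs blocking the next MIL, i.e. what to prioritize."""
    target = domain_mil(practices) + 1
    if target > MAX_MIL:
        return []
    return [(target, i) for i, r in enumerate(practices.get(target, [])) if r not in ADEQUATE]

def assess(org: dict[str, Domain]) -> dict[str, tuple[int, list[tuple[int, int]]]]:
    """Score every domain independently and list the practices blocking its next level."""
    return {name: (domain_mil(p), next_level_gaps(p)) for name, p in org.items()}

# Constructed sample assessment with placeholder domain names (not the C2M2's real domains).
F, L, P, N = Rating.FULLY, Rating.LARGELY, Rating.PARTIALLY, Rating.NOT
SAMPLE = {
    "Domain A": {1: [F, F, L], 2: [F, L], 3: [P, F]},
    "Domain B": {1: [F, P], 2: [F, F], 3: [F, F]},  # MIL2/3 practices met, but a MIL1 gap caps it at MIL0
}

if __name__ == "__main__":
    for name, (mil, gaps) in assess(SAMPLE).items():
        print(f"{name}: MIL{mil}, blocking practices (level, index): {gaps}")
```

Domain B illustrates why the rule is cumulative: strong MIL2 and MIL3 practices do not count until the single partially implemented MIL1 practice is closed, so that practice is the one to prioritize.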
Revised: December 7, 2020
Published: March 11, 2020
Citation
Glantz, C.S., S.L. Clements, P.A. Pederson, G.P. Landine, R. Goychayev, C. Nickerson, G. White, et al. 2020. Application of Maturity Models for Evaluating Cybersecurity Programs at Nuclear and Radiological Facilities. In IAEA International Conference on Nuclear Security (ICONS 2020), February 10-14, 2020, Vienna, Austria, Paper No. IAEA-CN-278/537. Vienna: IAEA. PNNL-SA-149340.