DOE releases guide to help maturity model stakeholders understand Pentagon's CMMC program

By Sara Friedman  / February 6, 2024

The Energy Department has published a guide comparing its voluntary maturity model for developing cybersecurity plans to the Pentagon's upcoming program for defense contractors who are handling sensitive government data on nonfederal systems.

DOE’s Cybersecurity Capability Maturity Model (C2M2) is focused on “the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and the environments in which they operate,” according to the guide published on Monday.

“This document is published for C2M2 users who are pursuing a CMMC certification to meet DoD contractual requirements,” the guide says. “The guidance in this document is intended to help C2M2 users both leverage previous C2M2 experience and identify additional activities that may be necessary to meet CMMC certification requirements. Guidance in this document is written from the perspective of CMMC Level 2 but could also apply to organizations seeking CMMC Level 1.”

The Defense Department is in the process of standing up its Cybersecurity Maturity Model Certification program. The program went through an internal review in 2021 and DOD issued the first proposed rule to implement major changes on Dec. 26.

The guide provides background on C2M2 and CMMC and details the “key similarities and differences that should be considered by users.”

Section three maps the objectives and practices in C2M2 to CMMC requirements. The guide contains an appendix that maps each control in CMMC to related C2M2 practices and provides a discussion on implementation.

A second appendix is designed to help organizations apply CMMC to C2M2, with a mapping of C2M2 practices to CMMC requirements.

The guide is sponsored by DOE, the Electricity Subsector Coordinating Council and the Oil and Natural Gas Subsector Coordinating Council.