C2M278
The U.S. Department of Energy's Cybersecurity Capability Maturity Model for evaluating and improving cybersecurity posture across energy sector operations, organized by domain and maturity indicator level.
Requirements in this framework
- Access Granting and Revoking
- Access Requirements
- Access Review
- Architecture and resilience engineering
- Asset Inventory Prioritization
- Asset Management Governance
- Asset, change, and configuration management
- Change Impact Analysis
- Change Logging
- Change Management Process
- Change Rollback Procedures
- Configuration Baselines
- Configuration Monitoring
- Continuity of Operations Planning
- Continuity Plan Testing
- Cybersecurity Architecture Design
- Cybersecurity Architecture Governance
- Cybersecurity governance maturity
- Cybersecurity Program Governance
- Cybersecurity Program Improvement
- Cybersecurity Program Metrics
- Cybersecurity Program Resources
- Cybersecurity Program Sponsorship
- Cybersecurity Program Strategy
- Cybersecurity Responsibilities Assignment
- Cybersecurity State Communication
- Cybersecurity Training
- Cybersecurity workforce capability development
- Data Protection Controls
- Dependency Identification
- Event Analysis
- Event Detection
- Identity and Access Management Governance
- Identity and access management maturity
- Identity Deprovisioning
- Identity Management
- Incident Declaration
- Incident Escalation
- Incident Response
- Incident response and continuity
- Incident Response Governance
- Incident Root Cause Analysis
- Information Asset Inventory
- Information sharing and stakeholder coordination
- Information Sharing Governance
- IT and OT Asset Inventory
- Log Review and Analysis
- Logging and Monitoring
- Multifactor Authentication
- Network Segmentation
- Operational situational awareness
- Personnel Vetting
- Privileged Access Management
- Reporting Obligations
- Risk Analysis and Prioritization
- Risk Identification
- Risk Management Strategy
- Risk Register
- Risk Response
- Risk Tolerance Definition
- Secure Software Development
- Security Awareness Program
- Situational Awareness Governance
- Supplier Cybersecurity Requirements
- Supplier Risk Assessment
- Supply chain and external dependency risk
- Supply Chain Risk Management Governance
- Threat and vulnerability management
- Threat and Vulnerability Management Governance
- Threat Identification
- Threat Intelligence Sharing
- Threat Intelligence Sources
- Threat Profile Development
- Vulnerability Identification
- Vulnerability Remediation
- Vulnerability Scanning
- Workforce Management Governance
- Workforce Skills Assessment