The Energy Department is upgrading its toolkit for measuring how effectively organizations protect themselves against cyberattacks.
The department on Wednesday announced it would update the Cybersecurity Capability Maturity Model, a framework that helps federal agencies and private companies better assess the strength of their cyber defenses. The model was last revised in 2014, and the latest version reflects recent advances in both digital threats and protections, officials said in the draft update posted on the Federal Register.
“New cybersecurity standards and frameworks have been developed, existing standards have improved and technology has evolved,” they wrote. “Safe and reliable supply of energy has increasingly become a target of malicious actors as industry increases the use of networked technologies. These challenges and the evolution of cyber practices necessitated the [update].”
Created in 2012 to help safeguard the electric grid, the model serves as a measuring stick for digital security. By laying out the level of protection an organization should achieve and assessing how well their existing capabilities stack up, the model can help groups understand weaknesses in their cyber defenses. And it’s also open-source, meaning anyone in government or industry can use the model to strengthen their cyber posture.
“The [model] enables organizations to evaluate cybersecurity capabilities consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity investments,” officials wrote. “The model can be used by any organization, regardless of ownership, structure, size or industry.”
From start to finish, the whole assessment only takes about a day to complete, they said.
The department based the update on interviews with some 60 industry professionals, and added standards and best practices outlined in the most recent iteration of the National Institute of Standards and Technology’s cybersecurity framework. By focusing on rapid evaluation and improvement, officials said, the latest model is intended to allow organizations to meet the latest threats to critical infrastructure head on.
The department will accept public feedback on the changes through Sept. 13.