Saturday, September 13, 2014

DOE Publishes DRAFT CSF Implementation Guidance

Yesterday the Department of Energy (DOE) published a notice in the Federal Register (79 FR 54695-54696) announcing that it had published a draft guidance document for the energy sector that describes how organizations in that sector could be expected to implement the NIST Cybersecurity Framework (CSF) that was published last February.

DOE had earlier developed a Cybersecurity Capability Maturity Model (C2M2) for the energy sector. According to the introduction to that document, the C2M2 was designed to focus on “the implementation and management of cybersecurity practices associated with the information technology (IT) and operations technology (OT) assets and the environments in which they operate” (pg 1). Like the CSF, this is a high-level document that allows for the development and documentation of a cybersecurity risk management program. One major difference between the C2M2 and the CSF is that the C2M2 does not specifically tie its Maturity Indicator Levels (MILs) back to established standards and practices.

DOE made an earlier attempt at tying the CSF to the C2M2. It published a two page document that highlighted the similarities between the CSF and the C2M2, but it lacked any specific guidance on how the two programs could be used to support each other.

The new guidance document is a much more detailed look at the alignment of the two cybersecurity management programs. For example, Appendix A shows each of the CSF’s Functions, Categories and Subcategories and then lists each of the C2M2 practices that support that effort at each of the MILs.

DOE is requesting detailed public feedback on the draft Guidance document. DOE is not using the Federal eRulemaking portal; responses will be emailed directly to DOE. To make handling of the comments easier to manage, DOE is requesting that commenters use a specific Word® format form that requires the provision of the Section, Page and Line number for each comment. This should expedite the handling of comments and ensure that each commenter’s input is considered in the appropriate review area of the Guidance.

DOE has set an unrealistically short comment period for the review of this document. They are asking for comments to be submitted by October 14th. Most large organizations will not be able to get internal reviews conducted in that short a time frame, much less prepare detailed responses. Maybe that is what DOE is trying to accomplish here; fewer comments means less rewriting of the Guidance.

