Friday, January 9, 2015

DOE Publishes Cybersecurity Framework Implementation Guidance

Yesterday the Department of Energy published the Energy Sector Cybersecurity Framework Implementation Guidance. This is the DOE’s approach to helping “the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institute of Standards and Technology (NIST) in February 2014”.

I’ve only had a chance to glance through the 24-page document, but it appears to provide a pretty good summary of the Framework and describes how the Framework can be applied to cybersecurity management under a number of DOE-related security programs and processes.

The discussion of Framework implementation using the DOE’s Cybersecurity Capability Maturity Model (C2M2) approach is quite detailed. There is a lengthy table mapping the C2M2 practices to the Framework Core (its Functions, Categories and Subcategories) and another describing how an organization’s C2M2 practice results can be used to determine its Framework Implementation Tier.

Since DOE components have probably been looking at cybersecurity concerns longer than almost any non-military agency of the US Government, it is nice to see their take on the NIST Framework. It is somewhat disheartening, though, that this document took almost a year after the Framework’s February 2014 release to field.

BTW: Thanks to ICS-CERT for pointing to this document.

