
OIL AND NATURAL GAS SUBSECTOR

CYBERSECURITY CAPABILITY MATURITY MODEL (ONG-C2M2)

Version 1.1
February 2014
Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1.1
TABLE OF CONTENTS

Acknowledgments......................................................................................................................................... v
1. Introduction .............................................................................................................................................. 1
1.1 Intended Audience........................................................................................................................... 1
1.2 Document Organization ................................................................................................................... 2
2. Background ............................................................................................................................................... 3
2.1 Model Development Approach ....................................................................................................... 3
3. About the Oil and Natural Gas Subsector ..................................................................................................... 4
4. Core Concepts ........................................................................................................................................... 5
4.1 Maturity Models .............................................................................................................................. 5
4.2 Critical Infrastructure Objectives ..................................................................................................... 5
4.3 IT and OT Assets ............................................................................................................................... 5
4.4 Relationship to the Risk Management Process ............................................................................... 6
4.5 Function ........................................................................................................................................... 6
5. Model Architecture ................................................................................................................................... 8
5.1 Domains ........................................................................................................................................... 8
5.2 Maturity Indicator Levels ............................................................................................................... 10
5.2.1 Approach Progression ........................................................................................................ 11
5.2.2 Institutionalization Progression.......................................................................................... 12
5.2.3 Summary of MIL Characteristics ......................................................................................... 15
5.3 Practice Reference Notation .......................................................................................................... 16
6. Using the Model ...................................................................................................................................... 17
6.1 Prepare To Use the Model ............................................................................................................. 17
6.2 Perform an Evaluation ................................................................................................................... 18
6.3 Analyze Identified Gaps ................................................................................................................. 18
6.4 Prioritize and Plan .......................................................................................................................... 19
6.5 Implement Plans and Periodically Reevaluate............................................................................... 19
7. Model Domains ....................................................................................................................................... 21
7.1 Risk Management .......................................................................................................................... 21
7.2 Asset, Change, and Configuration Management ........................................................................... 24
7.3 Identity and Access Management ................................................................................................. 27
7.4 Threat and Vulnerability Management.......................................................................................... 29
7.5 Situational Awareness.................................................................................................................... 32
7.6 Information Sharing and Communications .................................................................................... 35
7.7 Event and Incident Response, Continuity of Operations ................................................................. 37
7.8 Supply Chain and External Dependencies Management................................................................. 41
7.9 Workforce Management ............................................................................................................... 44
7.10 Cybersecurity Program Management ............................................................................................ 48
APPENDIX A: References ............................................................................................................................. 51

APPENDIX B: Glossary ................................................................................................................................. 61


APPENDIX C: Acronyms ............................................................................................................................... 76
Notices ........................................................................................................................................................ 77

LIST OF FIGURES
Figure 1: Critical Elements of the Oil Supply Chain ....................................................................................... 4
Figure 2: Risk Management Process ............................................................................................................. 6
Figure 3: Model and Domain Elements ........................................................................................................ 9
Figure 4: Referencing an Individual Practice, Example: RM-1a................................................................ 16
Figure 5: Recommended Approach for Using the Model ........................................................................... 17

LIST OF TABLES
Table 1: Example of Approach Progression in the Cyber Program Management Domain ........................ 12
Table 2: Mapping of Management Practices to Domain-Specific Practices ............................................... 13
Table 3: Summary of Maturity Indicator Level Characteristics................................................................... 15
Table 4: Recommended Process for Using Evaluation Results ................................................................... 20


ACKNOWLEDGMENTS
The Department of Energy (DOE) developed the Oil and Natural Gas Subsector Cybersecurity
Capability Maturity Model (ONG-C2M2) as a derivative of the Electricity Subsector
Cybersecurity Capability Maturity Model (ES-C2M2) Version 1.0. The ES-C2M2 was developed in
support of a White House initiative led by the DOE, in partnership with the Department of
Homeland Security (DHS), and in collaboration with private- and public-sector experts.
The DOE acknowledges the dedication and technical expertise of all the organizations and
individuals who participated in the development of ES-C2M2 as well as the organizations and
individuals from the ONG subsector who have provided the critiques, evaluations, and
modifications in order to produce this first version of the ONG-C2M2.

Program Manager
John McIlvain
Department of Energy, Office of Electricity Delivery and Energy Reliability (DOE-OE)

Program Technical Lead


Jason D. Christopher
Department of Energy, Office of Electricity Delivery and Energy Reliability (DOE-OE)

Program Team
Cliff Glantz, Pacific Northwest National Laboratory
Fowad Muneer, ICF International
John Fry, ICF International
Laura Ritter, BCS Incorporated
Paul Skare, Pacific Northwest National Laboratory

Model Architect
Carnegie Mellon University Software Engineering Institute – CERT Division

Model Contributors
Beth Lemke
Dan Strachan
David W. White
Drew Kittey
Dustin Brooks
Evon Sallee
Jack Eisenhauer
Jack Whitsitt
James W. Sample
Jim Fisher
John S. Townsend
Jonathan Murphy
Keith Dodrill
Keith H. Herndon
Kelley Bray
Kimberly Denbow
Lindsay Kishter
Lisa Kaiser
Matthew Harper
Paul Skare
Penny Wolter
Peter Sindt
R. Peter Weaver
Robert Mims
Scott M. Baron
Scott vonFischer
Scott Womer
Seamus Stack
Suzanne Lemieux
Tamara Lance
Terry Boss
Thomas Whitmore


Cautionary Note
Intended Scope and Use of This Publication
The guidance provided in this publication is intended to address only the implementation and
management of cybersecurity practices associated with information technology (IT) and
operational technology (OT) and the environments in which they operate. The guidance is not
intended to replace or subsume other cybersecurity-related activities, programs, processes, or
approaches that oil and natural gas subsector organizations have implemented or intend to
implement, including any cybersecurity activities associated with legislation, regulations,
policies, programmatic initiatives, or mission and business requirements. Additionally, this
guidance is not part of any regulatory framework and is not intended for regulatory use. Rather,
the guidance in this publication is intended to complement a comprehensive enterprise
cybersecurity program.


1. INTRODUCTION
Repeated cyber intrusions into organizations of all types demonstrate the need for improved
cybersecurity. Cyber threats continue to grow and represent one of the most serious
operational risks facing modern organizations. The national and economic security of the
United States depends on the reliable functioning of the Nation’s critical infrastructure in the
face of such threats. Beyond critical infrastructure, the economic vitality of the nation depends
on the sustained operation of organizations of all types. The Oil and Natural Gas Subsector
Cybersecurity Capability Maturity Model (ONG-C2M2) can help oil and natural gas (ONG)
organizations of all types evaluate and make improvements to their cybersecurity programs.
The ONG-C2M2 is a derivative of the ES-C2M2 Version 1.0 and was developed as part of the
DOE Cybersecurity Capability Maturity Model (C2M2) Program in order to address the
unique characteristics of the oil and natural gas subsector. The program supports ongoing
development and measurement of cybersecurity capabilities within the ONG subsector, and the
model can be used to:
• Strengthen cybersecurity capabilities in the ONG subsector.
• Enable ONG organizations to effectively and consistently evaluate and benchmark
cybersecurity capabilities.
• Share knowledge, best practices, and relevant references within the subsector as a means
to improve cybersecurity capabilities.
• Enable ONG organizations to prioritize actions and investments to improve cybersecurity.
The ONG-C2M2 is designed for use with a self-evaluation methodology and toolkit (available by
request) for an organization to measure and improve its cybersecurity program.[1] A self-
evaluation using the toolkit can be completed in one day, but the toolkit could be adapted for a
more rigorous evaluation effort. Additionally, the model can inform the development of a new
cybersecurity program.
The ONG-C2M2 provides descriptive rather than prescriptive, industry-focused guidance. The
model content is presented at a high level of abstraction so that it can be interpreted by
subsector organizations of various types, structures, and sizes. Broad use of the model is
expected to support benchmarking the subsector's cybersecurity capabilities. These attributes
also make the ONG-C2M2 an easily scalable tool for the subsector's implementation of the
National Institute of Standards and Technology (NIST) Cybersecurity Framework.

1.1 Intended Audience

The ONG-C2M2 enables ONG subsector organizations to evaluate cybersecurity capabilities
consistently, communicate capability levels in meaningful terms, and prioritize cybersecurity
investments. The model can be used by any ONG subsector organization, regardless of
ownership, structure, or size. Within the organization, various stakeholders may benefit from
familiarity with the model. This document specifically targets people in the following
organizational roles:
• Decision makers (executives) who control the allocation of resources and the management
of risk in organizations; these are typically senior leaders.[2]
• Leaders with responsibility for managing organizational resources and operations
associated with the domains of this model (see Section 5.1 for more information on the
content of each ONG-C2M2 domain).
• Practitioners with responsibility for supporting the organization in the use of this model
(planning and managing changes in the organization based on the model).[3]
• Facilitators with responsibility for leading a self-evaluation of the organization based on this
model and the associated toolkit and analyzing the self-evaluation results.[4]

[1] The ONG-C2M2 Toolkit may be obtained by sending a request to [email protected].

1.2 Document Organization


This document is one of several that support organizations in the effective use of the ONG-
C2M2; it introduces the model and provides the ONG-C2M2's main structure and content.
Stakeholders may benefit by focusing on specific sections of this document, as outlined in the
table below. Despite these recommendations, all readers may benefit from reading the entire
document.

Role                  Recommended Document Sections
Decision makers       Chapters 1 and 2
Leaders or managers   Chapters 1, 2, 3, 4, and 5
Practitioners         Entire document
Facilitators          Entire document

Chapter 2 presents background information on the model and its development. Chapter 3
provides an overview of the U.S. oil and natural gas subsector. Chapter 4 describes several core
concepts that are important for interpreting the content and structure of the ONG-C2M2.
Chapter 5 describes the architecture of the ONG-C2M2. Chapter 6 provides guidance on how to
use the model. Chapter 7 contains the model itself: the model's objectives and practices,
organized into 10 domains. Appendix A includes references that were either used in the
development of this document or provide further information about the practices identified
within the model. Appendix B is the Glossary. Appendix C defines the acronyms used in this
document.

[2] The sponsor of the self-evaluation should be a decision maker from the organization. For more information about the sponsor role, please
refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from http://energy.gov/node/795826.
[3] Subject matter experts (SMEs) for the self-evaluation should be leaders or practitioners. For more information about the SME role, please
refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from http://energy.gov/node/795826.
[4] For more information about the facilitator role, please refer to the C2M2 Facilitator Guide. The Facilitator Guide may be downloaded from
http://energy.gov/node/795826.

2. BACKGROUND
This ONG-C2M2 is a derivative of the ES-C2M2 Version 1.0. The ES-C2M2 was developed in
support of a White House initiative led by the DOE, in partnership with DHS, and in
collaboration with private- and public-sector experts. The initiative used the National
Infrastructure Protection Plan framework as a public-private partnership mechanism to support
the development of the model.
The ES-C2M2 initiative leveraged and built upon existing efforts, models, and cybersecurity best
practices and is aligned with the White House’s 2010 Cyberspace Policy Review, the DOE’s
Roadmap to Achieve Energy Delivery Systems Cybersecurity, the Energy Sector-Specific Plan,
and the Industrial Control Systems Joint Working Group’s (ICSJWG) Cross-Sector Roadmap for
Cybersecurity of Control Systems.

2.1 Model Development Approach


The ONG-C2M2 was developed to address the specific needs of the ONG subsector. The
development process was centered on extensive engagement with public and private sector
experts through pilot facilitations, working sessions, and subject matter expert document
review. The resulting ONG-C2M2 applies to all ONG subsector organizations, regardless of
ownership structure, size, or functional area. The following guiding principles influenced the
development of the ONG-C2M2:
• Public-private partnership: Numerous government, industry, and academic organizations
participated in the development of the model, bringing a broad range of knowledge, skills,
and experience to the team. The model was developed collaboratively through a series of
working sessions, and it was revised based on feedback from multiple pilot evaluations with
ONG subsector entities.
• Best practices and sector alignment: The model builds upon and ties together a number of
existing cybersecurity resources and initiatives and was informed by a review of cyber
threats to the subsector. Leveraging related works shortened the development schedule
and helped to ensure that the model would be relevant and beneficial to the subsector.
• Descriptive, not prescriptive: The model was developed to provide descriptive, not
prescriptive, guidance to help organizations develop and improve their cybersecurity
capabilities. As a result, the model practices tend to be at a high level of abstraction so that
they can be interpreted for organizations of various structures, functions, and sizes.
• Pilot to test, validate, and improve: The draft model was piloted with private sector entities
to validate that it would provide a useful basis for evaluation and to collect feedback for
improvement.


3. ABOUT THE OIL AND NATURAL GAS SUBSECTOR


Comprising two similar yet distinct industries, the ONG subsector includes the exploration,
gathering, production, processing, storage, and transportation of petroleum liquids and natural
gas. Oil and natural gas are imported as well as produced domestically, stored throughout the
Nation, and transported over thousands of miles via pipelines, waterways, railways, and
highways.
Oil and natural gas are both made up of hydrocarbon compounds that originate in underground
reservoirs. Crude oil is a liquid that must be brought to the surface, stripped of gases, water,
and other impurities, and then transported to processing facilities (petroleum refineries), where
finished products are derived. Petroleum products derived from crude oil include gasoline,
kerosene, aviation fuel, diesel fuel, heating oil, heavy fuel oil, lubricants, waxes, asphalt, and
liquefied petroleum gas as well as a number of petrochemical precursors.
Similar to crude oil, natural gas is produced, stripped of liquids and other impurities, and then
transported via pipeline to gas processing facilities that separate heavier gas components,
leaving a product composed almost entirely of methane. The methane is then transported as
clean natural gas to bulk storage, industrial consumers, and individual homes. Liquefaction
makes natural gas far denser and enables liquefied natural gas (LNG) to be transported
economically via oceangoing tankers instead of pipelines.

Figure 1: Critical Elements of the Oil Supply Chain (Source: American Petroleum Institute)

4. CORE CONCEPTS
This chapter describes several core concepts that are important for interpreting the content
and structure of the model.

4.1 Maturity Models


A maturity model is a set of characteristics, attributes, indicators, or patterns that represent
capability and progression in a particular discipline. Model content typically exemplifies best
practices and may incorporate standards or other codes of practice of the discipline.
A maturity model thus provides a benchmark against which an organization can evaluate the
current level of capability of its practices, processes, and methods and set goals and priorities
for improvement. Also, when a model is widely used in a particular industry (and assessment
results are shared), organizations can benchmark their performance against other
organizations. An industry can determine how well it is performing overall by examining the
capability of its member organizations.
To measure progression, maturity models typically have "levels" along a scale; the ONG-C2M2
uses a scale of maturity indicator levels (MILs) 0–3, which are described in Section 5.2. A set of
attributes defines each level. If an organization demonstrates these attributes, it has achieved
both that level and the capabilities that the level represents. Having measurable transition
states between the levels enables an organization to use the scale to:
• Define its current state
• Determine its future, more mature state
• Identify the capabilities it must attain to reach that future state

4.2 Critical Infrastructure Objectives


The model makes regular reference to critical infrastructure objectives. These are objectives
found in the sector-specific infrastructure protection plans[5] of the 16 United States critical
infrastructure sectors defined in Presidential Policy Directive 21, "Critical Infrastructure Security
and Resilience."[6] The referenced objectives serve as a reminder that many of the functions
provided by potential adopters of the model support the Nation's critical infrastructure and
that the broader cybersecurity objectives of the sector-specific plans should be considered.

4.3 IT and OT Assets


Many ONG-C2M2 practices refer to assets. When evaluating how completely a practice is
performed, be sure to consider both traditional and emerging enterprise IT assets and any
industrial control systems (ICS) in use, including process control systems, supervisory control
and data acquisition (SCADA) systems, and other OT.

[5] http://www.dhs.gov/sector-specific-plans
[6] http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

4.4 Relationship to the Risk Management Process


The phrase “commensurate with risk to critical infrastructure and organizational objectives” is
used throughout the model. This phrase reminds the organization to tailor its implementation
of the model content to address its unique risk profile. This supports the model intent of
providing descriptive rather than prescriptive guidance. In order to effectively follow this
guidance, the organization should use the model as part of a continuous enterprise risk
management process like that depicted in Figure 2: Risk Management Process.

Figure 2: Risk Management Process (a continuous cycle of Risk Framing, Risk Assessment, Risk Response, and Risk Monitoring)

The ONG-C2M2 Risk Management domain (see Section 7.1) suggests establishing a
cybersecurity risk management strategy that aligns with the enterprise risk management
strategy. Cybersecurity risk is an important component of the overall business risk
environment. ONG-C2M2’s cybersecurity risk management activities should feed into the
enterprise risk management strategy and program, so that cybersecurity risk is considered in
and benefits from corporate decisions based on risk impact, tolerance for risk, and risk
response approaches.
The implementation of practices in the Risk Management domain provides supporting elements
used by other practices in the model as part of the overall risk management process.
Throughout the model, these Risk Management practices are referenced in related practices
using the notation described in Section 5.3.

4.5 Function
In this model, the term function is used as a scoping mechanism; it refers to the subset of the
operations of the organization that are being evaluated based on the model.


It is common for an organization to use the model to evaluate a subset of its operations. This
subset, or function, will often align with organizational boundaries. Therefore, common
examples of functions for evaluation include departments, lines of business, or distinct
facilities. Organizations have also successfully used the model to evaluate a specific system or
technology thread that crosses departmental boundaries.
For example, an organization uses the model to evaluate its enterprise IT services, including
email, Internet connectivity, and Voice over Internet Protocol (VoIP) telecommunication. In
the Threat and Vulnerability Management domain, practice 2b states, “Cybersecurity
vulnerability information is gathered and interpreted for the function.” When evaluating the
implementation of this practice, the organization should interpret function to mean the
operations of the enterprise IT services. In this example, the practice means that
cybersecurity vulnerability information is gathered and interpreted for the enterprise IT
services—information about vulnerabilities that would affect the enterprise email services,
network devices, and the VoIP system.


5. MODEL ARCHITECTURE
The model arises from a combination of existing cybersecurity standards, frameworks,
programs, and initiatives. The model provides flexible guidance to help organizations develop
and improve their cybersecurity capabilities. As a result, the model practices tend to be at a
high level of abstraction, so that they can be interpreted for organizations of various structures
and sizes.
The model is organized into 10 domains. Each domain is a logical grouping of cybersecurity
practices. The practices within a domain are grouped by objective—target achievements that
support the domain. Within each objective, the practices are ordered by MIL.

The following sections include additional information about the domains and the MILs.

5.1 Domains
Each of the model’s 10 domains contains a structured set of cybersecurity practices. Each set of
practices represents the activities an organization can perform to establish and mature
capability in the domain. For example, the Risk Management domain is a group of practices that
an organization can perform to establish and mature cybersecurity risk management capability.
For each domain, the model provides a purpose statement, which is a high-level summary of
the intent of the domain, followed by introductory notes, which give context for the domain
and introduce its practices. The purpose statement and introductory notes offer context for
interpreting the practices in the domain.
The practices within each domain are organized into objectives, which represent achievements
that support the domain. For example, the Risk Management domain comprises three
objectives:
• Establish Cybersecurity Risk Management Strategy
• Manage Cybersecurity Risk
• Management Practices
Each of the objectives in a domain comprises a set of practices, which are ordered by MIL.
Figure 3 summarizes the elements of each domain.


Figure 3: Model and Domain Elements. The figure depicts the model's hierarchy: the model
contains 10 domains; each domain contains one or more approach objectives, which are unique
to the domain and are supported by a progression of practices at MIL1, MIL2, and MIL3; and
each domain contains one management objective, which is similar in each domain and is
supported by practices at MIL2 and MIL3 that describe institutionalization activities.

A brief description of the 10 domains follows in the order in which they appear in the model.

Risk Management
Establish, operate, and maintain an enterprise cybersecurity risk management program to
identify, analyze, and mitigate cybersecurity risk to the organization, including its business
units, subsidiaries, related interconnected infrastructure, and stakeholders.

Asset, Change, and Configuration Management


Manage the organization’s OT and IT assets, including both hardware and software,
commensurate with the risk to critical infrastructure and organizational objectives.

Identity and Access Management


Create and manage identities for entities that may be granted logical or physical access to the
organization’s assets. Control access to the organization’s assets, commensurate with the risk
to critical infrastructure and organizational objectives.

Threat and Vulnerability Management


Establish and maintain plans, procedures, and technologies to detect, identify, analyze,
manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk
to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.


Situational Awareness
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use
operational and cybersecurity information, including status and summary information from the
other model domains, to form a common operating picture (COP).

Information Sharing and Communications


Establish and maintain relationships with internal and external entities to collect and provide
cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase
operational resilience, commensurate with the risk to critical infrastructure and organizational
objectives.

Event and Incident Response, Continuity of Operations


Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to
cybersecurity events and to sustain operations throughout a cybersecurity event,
commensurate with the risk to critical infrastructure and organizational objectives.

Supply Chain and External Dependencies Management


Establish and maintain controls to manage the cybersecurity risks associated with services and
assets that are dependent on external entities, commensurate with the risk to critical
infrastructure and organizational objectives.

Workforce Management
Establish and maintain plans, procedures, technologies, and controls to create a culture of
cybersecurity and to ensure the ongoing suitability and competence of personnel,
commensurate with the risk to critical infrastructure and organizational objectives.

Cybersecurity Program Management


Establish and maintain an enterprise cybersecurity program that provides governance, strategic
planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns
cybersecurity objectives with the organization’s strategic objectives and the risk to critical
infrastructure.

5.2 Maturity Indicator Levels


The model defines four maturity indicator levels, MIL0 through MIL3, which apply
independently to each domain in the model. The MILs define a dual progression of maturity: an
approach progression and an institutionalization progression, which are explained in the
following sections.

Four aspects of the MILs are important for understanding and applying the model:
1. The maturity indicator levels apply independently to each domain. As a result, an
organization using the model may be operating at different MIL ratings for different
domains. For example, an organization could be operating at MIL1 in one domain, MIL2 in
another domain, and MIL3 in a third domain.
2. The MILs are cumulative within each domain; to earn a MIL in a given domain, an
organization must perform all of the practices in that level and its predecessor level(s). For
example, an organization must perform all of the domain practices in MIL1 and MIL2 to
achieve MIL2 in the domain. Similarly, the organization would have to perform all practices
in MIL1, MIL2, and MIL3 to achieve MIL3.
3. Establishing a target MIL for each domain is an effective strategy for using the model to
guide cybersecurity program improvement. Organizations should become familiar with the
practices in the model prior to determining target MILs. Gap analysis activities and
improvement efforts should then focus on achieving those target levels.
4. Practice performance and MIL achievement need to align with business objectives and the
organization’s cybersecurity strategy. Striving to achieve the highest MIL in all domains may
not be optimal. Companies should evaluate the costs of achieving a specific MIL against
potential benefits. However, the model was developed so that all companies, regardless of
size, should be able to achieve MIL1 across all domains.

5.2.1 Approach Progression


The domain-specific objectives and practices describe the progression of the approach to
cybersecurity for each domain in the model. Approach refers to the completeness,
thoroughness, or level of development of an activity in a domain. As an organization progresses
from one MIL to the next, it will have more complete or more advanced implementations of the
core activities in the domain. At MIL1, while only the initial set of practices for a domain is
expected, an organization is not precluded from performing additional practices at higher MILs.
Table 1 provides an example of the approach progression in the Cybersecurity Program
Management domain. At MIL1, a cybersecurity program strategy exists in any form. MIL2 adds
more requirements to the strategy, including the need for defined objectives, alignment with the
overall organization’s strategy, and approval by senior management. Finally, in addition to
requiring performance of all MIL1 and MIL2 practices, MIL3 requires that the strategy be
updated to reflect business changes, changes in the operating environment, and changes to the
threat profile (developed in the Threat and Vulnerability Management domain).

Table 1: Example of Approach Progression in the Cybersecurity Program Management Domain

MIL0  (no practices at MIL0)
MIL1  a. The organization has a cybersecurity program strategy
MIL2  b. The cybersecurity program strategy defines objectives for the organization’s cybersecurity activities
      c. The cybersecurity program strategy and priorities are documented and aligned with the
         organization’s strategic objectives and risk to critical infrastructure
      d. The cybersecurity program strategy defines the organization’s approach to provide program
         oversight and governance for cybersecurity activities
      e. The cybersecurity program strategy defines the structure and organization of the cybersecurity program
      f. The cybersecurity program strategy is approved by senior management
MIL3  g. The cybersecurity program strategy is updated to reflect business changes, changes in the operating
         environment, and changes in the threat profile (TVM-1d)

5.2.2 Institutionalization Progression


Institutionalization describes the extent to which a practice or activity is ingrained in an
organization’s operations. The more deeply ingrained an activity, the more likely it is that the
organization will continue to perform the practice over time, the practice will be retained
under times of stress, and the outcomes of the practice will be consistent, repeatable, and of
high quality.
The progression of institutionalization is described by a set of practices that can be performed
to institutionalize the domain-specific practices. These practices are similar across domains and
are called the Management Objective and Practices. The progression of the practices within a
domain-specific objective corresponds to the progression of the management practices, though
not necessarily practice to practice. Table 2 shows an example mapping of the management
practices to the practices in the second objective of the Risk Management domain.

Table 2: Mapping of Management Practices to Domain-Specific Practices
(Risk Management domain, Objective 2: Manage Cybersecurity Risk)

MIL0
  Domain-specific practices: none
  Management practices: none

MIL1
  Domain-specific practices:
    a. Cybersecurity risks are identified
    b. Identified risks are mitigated, accepted, tolerated, or transferred
  Management practices:
    1. Initial practices are performed but may be ad hoc

MIL2
  Domain-specific practices:
    c. Risk assessments are performed to identify risks in accordance with the risk management strategy
    d. Identified risks are documented
    e. Identified risks are analyzed to prioritize response activities in accordance with the risk
       management strategy
    f. Identified risks are monitored in accordance with the risk management strategy
    g. Risk analysis is informed by network (IT and/or OT) architecture
  Management practices:
    1. Practices are documented
    2. Stakeholders of the practice are identified and involved
    3. Adequate resources are provided to support the process (people, funding, and tools)
    4. Standards and/or guidelines have been identified to guide the implementation of the practices

MIL3
  Domain-specific practices:
    h. The risk management program defines and operates risk management policies and procedures
       that implement the risk management strategy
    i. A current cybersecurity architecture is used to inform risk analysis
    j. A risk register (a structured repository of identified risks) is used to support risk management
       activities
  Management practices:
    1. Activities are guided by policies (or other organizational directives) and governance
    2. Policies include compliance requirements for specified standards and/or guidelines
    3. Activities are periodically reviewed to ensure they conform to policy
    4. Responsibility and authority for performing the practices are assigned to personnel
    5. Personnel performing the practices have adequate skills and knowledge

A description of the management practices of each MIL can be found in the list below.

Maturity Indicator Level 0 (MIL0)


The model contains no practices for MIL0. Performance at MIL0 simply means that MIL1 in a
given domain has not been achieved.

Maturity Indicator Level 1 (MIL1)


In each domain, MIL1 contains a set of initial practices. To achieve MIL1, these initial activities
may be performed in an ad hoc manner, but they must be performed. If an organization were
to start with no capability in managing cybersecurity, it should focus initially on implementing
the MIL1 practices.

MIL1 is characterized by a single management practice:


1. Initial practices are performed but may be ad hoc. In the context of this model, ad hoc (i.e.,
an ad hoc practice) refers to performing a practice in a manner that depends largely on the
initiative and experience of an individual or team (and team leadership), without much in
the way of organizational guidance in the form of a prescribed plan (verbal or written),
policy, or training.

The quality of the outcome may vary significantly depending on who performs the practice,
when it is performed, the context of the problem being addressed, the methods, tools, and
techniques used, and the priority given to a particular instance of the practice. With
experienced and talented personnel, high-quality outcomes may be achieved even if
practices are ad hoc. However, at this MIL, lessons learned are typically not captured at the
organizational level, so approaches and outcomes are difficult to repeat or improve across
the organization.

Maturity Indicator Level 2 (MIL2)


Four management practices are present at MIL2, which represent an initial level of
institutionalization of the activities within a domain:
1. Practices are documented. The practices in the domain are being performed according to a
documented plan. The focus here should be on planning to ensure that the practices are
intentionally designed (or selected) to serve the organization.
2. Stakeholders of the practice are identified and involved. Stakeholders of practices are
identified and involved in the performance of the practices. This could include stakeholders
from within the function, from across the organization, or from outside the organization,
depending on how the organization implemented the practice.
3. Adequate resources are provided to support the process (people, funding, and tools).
Adequate resources are provided in the form of people, funding, and tools to ensure that
the practices can be performed as intended. The performance of this practice can be
evaluated by determining whether any desired practices have not been implemented due
to a shortage of resources. If all desired practices have been implemented as intended by
the organization, then adequate resources have been provided.
4. Standards and/or guidelines have been identified to guide the implementation of the
practices. The organization identified some standards and/or guidelines to inform the
implementation of practices in the domain. These may simply be the reference sources the
organization consulted when developing the plan for performing the practices.
Overall, the practices at MIL2 are more complete than at MIL1 and are no longer performed
irregularly or in an ad hoc manner. As a result, the organization’s performance of the practices
is more stable. At MIL2, the organization can be more confident that the performance of the
domain practices will be sustained over time.

Maturity Indicator Level 3 (MIL3)


At MIL3, the activities in a domain have been further institutionalized and are now being
managed. Five management practices support this progression:

1. Activities are guided by policies (or other organizational directives) and governance.
Managed activities in a domain receive guidance from the organization in the form of
organizational direction, as in policies and governance. Policies are an extension of the
planning activities that are in place at MIL2.
2. Policies include compliance requirements for specified standards and/or guidelines.
3. Activities are periodically reviewed to ensure they conform to policy.
4. Responsibility and authority for performing the practices are assigned to personnel.
5. Personnel performing the practices have adequate skills and knowledge. The personnel
assigned to perform the activities have adequate domain-specific skills and knowledge to
perform their assignments.
At MIL3, the practices in a domain are further stabilized and are guided by high-level
organizational directives, such as policy. As a result, the organization should have additional
confidence in its ability to sustain the performance of the practices over time and across the
organization.

5.2.3 Summary of MIL Characteristics


Table 3 summarizes the characteristics of each MIL. At MIL2 and MIL3, the characteristic
associated with the approach progression is distinguished from the characteristics associated
with the institutionalization progression.

Table 3: Summary of Maturity Indicator Level Characteristics

Level  Characteristics
MIL0   Practices are not performed
MIL1   Initial practices are performed but may be ad hoc
MIL2   Institutionalization characteristics:
         Practices are documented
         Stakeholders are identified and involved
         Adequate resources are provided to support the process
         Standards or guidelines are used to guide practice implementation
       Approach characteristic:
         Practices are more complete or advanced than at MIL1
MIL3   Institutionalization characteristics:
         Activities are guided by policy (or other directives) and governance
         Policies include compliance requirements for specified standards or guidelines
         Activities are periodically reviewed for conformance to policy
         Responsibility and authority for practices are assigned to personnel
         Personnel performing the practice have adequate skills and knowledge
       Approach characteristic:
         Practices are more complete or advanced than at MIL2

5.3 Practice Reference Notation


A number of practices within the domains are connected to other model practices. When this
occurs, the connecting practice is referenced using a notation that begins with the domain
abbreviation, a hyphen, the objective number, and the practice letter. Figure 4 shows an
example from the Risk Management domain: the domain’s first practice, “There is a
documented cybersecurity risk management strategy,” would be referenced elsewhere in the
model using the notation “RM-1a.”

Figure 4: Referencing an Individual Practice, Example: RM-1a

  RM-1a
  RM = domain abbreviation (Risk Management), 1 = objective number, a = practice letter

  1. Establish Cybersecurity Risk Management Strategy
  MIL1  No practice at MIL1
  MIL2  a. There is a documented cybersecurity risk management strategy
        b. The strategy provides an approach for risk prioritization, including consideration of impact
  MIL3  c. Organizational risk criteria (objective criteria that the organization uses for evaluating,
           categorizing, and prioritizing operational risks based on impact, tolerance for risk, and risk
           response approaches) are defined and available
        d. The risk management strategy is periodically updated to reflect the current threat
           environment
        e. An organization-specific risk taxonomy is documented and is used in risk management
           activities

6. USING THE MODEL


The ONG-C2M2 is meant to be used by an organization to evaluate its cybersecurity capabilities
consistently, to communicate its capability levels in meaningful terms, and to inform the
prioritization of its cybersecurity investments. Figure 5 summarizes the recommended
approach for using the model. An organization performs an evaluation against the model, uses
that evaluation to identify gaps in capability, prioritizes those gaps and develops plans to
address them, and finally implements plans to address the gaps. As plans are implemented,
business objectives change, and the risk environment evolves, the process is repeated. The
following sections discuss the preparation activities required to begin using the model in an
organization and provide additional details on the activities in each step of this approach.

Figure 5: Recommended Approach for Using the Model

6.1 Prepare To Use the Model


A design goal of the model was to enable organizations to complete a self-evaluation for a
single function in less than one day without extensive study or preparation. This goal is
achieved in part because the model is supported by an evaluation survey and scoring
mechanism and the evaluation survey itself is performed in a workshop setting, led by a
facilitator who is familiar with the model content. An important component of successfully
completing the self-evaluation in one day is the selection of an effective facilitator. Generally
speaking, an ONG-C2M2 facilitator is not only someone who is familiar with the model and its
supporting artifacts but also someone who is effective at helping a group of people understand
their common objectives and assisting them in planning to achieve these objectives without
taking a particular position in the discussion.

In addition to helping to execute the self-evaluation and interpret the results, the facilitator
helps the organization establish a scope for the model application. Though the ONG-C2M2 and
its supporting survey apply to an entire organization, the self-evaluation survey is typically
applied to a single function to maintain focus. Recall that the term function refers to the subset
of the operations of the organization that is being evaluated. The facilitator must work with the
organization to determine the survey scope—the part of the organization’s operations to which
the model and survey will be applied and the organization’s supporting IT and OT. Selecting and
documenting the scope before completing the survey ensures that users of the survey results
understand to which part of the organization the results apply.
More thorough guidance on using the model, selecting a facilitator, and scoping the evaluation
can be found in the supporting C2M2 Facilitator Guide [7].

6.2 Perform an Evaluation


The organization should select the appropriate personnel to evaluate the function in scope
against the model practices. Participation by a broad representation across the parts of the
organization being evaluated yields the best results and enables internal information sharing
about the model practices. Personnel selected to participate in the evaluation should include
operational personnel, management stakeholders, and any others who could provide useful
information on the organization’s performance of cybersecurity practices in the model.
Upon completion of the evaluation, a scoring report is generated that shows maturity indicator
level results for each domain. This report provides a picture of the current state of practices
relative to the model for the unit evaluated. The report should be reviewed with the evaluation
workshop participants, and any discrepancies or questions should be addressed.

6.3 Analyze Identified Gaps


The scoring report from the evaluation will identify gaps in the performance of model practices.
The first analysis step for the organization is to determine whether these gaps are meaningful
and important for the organization to address.
It is not typically optimal for an organization to strive to achieve the highest MIL in all domains.
Rather, the organization should determine the level of practice performance and MIL
achievement for each domain that best enables it to meet its business objectives and
cybersecurity strategy. The organization should identify its desired capability profile—a target
MIL rating for each domain in the model. This collection of desired capabilities is the
organization’s target profile.
For organizations using the model for the first time, a target capability profile is typically
identified after the initial evaluation. This gives the organization an opportunity to develop
more familiarity with the model. Organizations that have more experience with the model have
often identified a target capability profile before undergoing an evaluation. The appropriate
organizational stakeholders should select the desired profile. This might be a single individual
with expertise in the function’s operations and management, but it is likely to be a collection of
individuals.

[7] The C2M2 Facilitator Guide may be downloaded from http://energy.gov/node/795826.

The desired profile can then be examined against the results from the evaluation workshop to
identify gaps that are important to the organization because they represent differences from
the desired capability profile.
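The MIL rules of Section 5.2 (levels are cumulative within a domain and independent across domains), the practice reference notation of Section 5.3 (RM-1a and the like) and the gap analysis of this section can be exercised together in a short scorer. The following is an added example, not the ONG-C2M2 evaluation survey or scoring tool; its practice catalogue is an excerpt built from the two Risk Management objectives listed in this document, and the evaluation answers and target profile are constructed sample data:

```python
"""Added example (not part of ONG-C2M2 or its scoring tool): MIL scoring under
the cumulative rule of Section 5.2 and gap analysis against a target profile
(Section 6.3), keyed by the practice reference notation of Section 5.3.

CATALOGUE is an excerpt built from the Risk Management objectives 1 and 2 in
this document; PERFORMED and TARGET_PROFILE are constructed sample data.
"""
import re
from collections import defaultdict

# Domain abbreviation, hyphen, objective number, practice letter, e.g. "RM-2c".
PRACTICE_REF = re.compile(r"^([A-Z]{2,4})-(\d+)([a-z])$")


def parse_ref(ref):
    """Split 'RM-2c' into ('RM', 2, 'c'); reject anything malformed."""
    m = PRACTICE_REF.match(ref)
    if not m:
        raise ValueError(f"not a practice reference: {ref!r}")
    return m.group(1), int(m.group(2)), m.group(3)


# Practice reference -> MIL at which the model first requires it.
CATALOGUE = {
    "RM-1a": 2, "RM-1b": 2, "RM-1c": 3, "RM-1d": 3, "RM-1e": 3,
    "RM-2a": 1, "RM-2b": 1, "RM-2c": 2, "RM-2d": 2, "RM-2e": 2,
    "RM-2f": 2, "RM-2g": 2, "RM-2h": 3, "RM-2i": 3, "RM-2j": 3,
}


def domain_mil(catalogue, performed):
    """Achieved MIL per domain. A domain earns MILn only when every practice
    at MIL1 through MILn is performed; practices performed at a higher MIL
    do not count until the levels below them are complete."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for ref, mil in catalogue.items():
        dom, _, _ = parse_ref(ref)
        by_domain[dom][mil].append(ref)
    achieved = {}
    for dom, levels in by_domain.items():
        level = 0
        for mil in (1, 2, 3):
            if all(ref in performed for ref in levels.get(mil, [])):
                level = mil
            else:
                break
        achieved[dom] = level
    return achieved


def gaps(catalogue, performed, target):
    """For each domain in the target profile: current MIL, target MIL, and the
    practices at or below the target MIL that the evaluation found missing."""
    current = domain_mil(catalogue, performed)
    out = {}
    for dom, want in target.items():
        missing = sorted(
            ref for ref, mil in catalogue.items()
            if parse_ref(ref)[0] == dom and mil <= want and ref not in performed
        )
        out[dom] = {"current": current.get(dom, 0), "target": want, "missing": missing}
    return out


# Constructed evaluation result: practices the workshop judged performed.
# RM-2j (a MIL3 practice) is performed, but RM-1b and RM-2f at MIL2 are not.
PERFORMED = {"RM-1a", "RM-2a", "RM-2b", "RM-2c", "RM-2d", "RM-2e", "RM-2g", "RM-2j"}
TARGET_PROFILE = {"RM": 2}

if __name__ == "__main__":
    print(domain_mil(CATALOGUE, PERFORMED))           # {'RM': 1}
    print(gaps(CATALOGUE, PERFORMED, TARGET_PROFILE))  # missing RM-1b, RM-2f
```

The sample result illustrates the cumulative rule: the domain stays at MIL1 because two MIL2 practices are missing, and the MIL3 practice that is performed (RM-2j) earns nothing on its own, exactly as Section 5.2.1 allows but does not reward. The gap list is what the prioritize-and-plan step of Section 6.4 works from.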

6.4 Prioritize and Plan


After the gap analysis is complete, the organization should prioritize the actions needed to fully
implement the practices that enable achievement of the desired capability in specific domains.
The prioritization should be done using criteria such as how gaps affect organizational
objectives, the importance of the business objective supported by the domain, the cost of
implementing the necessary practices, and the availability of resources to implement the
practices. A cost-benefit analysis for gaps and activities can inform the prioritization of the
actions needed.
Next, a plan should be developed to address the selected gaps. These plans can span a period
of weeks, months, or years, depending on the extent of improvements needed to close the
selected gaps and achieve the desired capability.

6.5 Implement Plans and Periodically Reevaluate


Plans developed in the previous step should be implemented to address the identified gaps.
Model evaluations are particularly useful in tracking implementations and should be conducted
periodically to ensure that desired progress is achieved. Reevaluations should also be
considered in response to major changes in the business, technology, market, or threat
environments to ensure that the current profile matches the organization’s desired state.

Table 4 presents a more detailed outline of the ONG-C2M2 process as described in this chapter.
Table 4: Recommended Process for Using Evaluation Results

Step: Perform Evaluation
  Inputs:     1. ONG-C2M2 Self-Evaluation
              2. Policies and procedures
              3. Understanding of cybersecurity program
  Activities: 1. Conduct ONG-C2M2 Self-Evaluation Workshop with appropriate attendees
  Outputs:    ONG-C2M2 Self-Evaluation Report

Step: Analyze Identified Gaps
  Inputs:     1. ONG-C2M2 Self-Evaluation Report
              2. Organizational objectives
              3. Impact to critical infrastructure
  Activities: 1. Analyze gaps in organization’s context
              2. Evaluate potential consequences from gaps
              3. Determine which gaps need attention
  Outputs:    List of gaps and potential consequences

Step: Prioritize and Plan
  Inputs:     1. List of gaps and potential consequences
              2. Organizational constraints
  Activities: 1. Identify actions to address gaps
              2. Cost-benefit analysis (CBA) on actions
              3. Prioritize actions (CBA and consequences)
              4. Plan to implement prioritized actions
  Outputs:    Prioritized implementation plan

Step: Implement Plans
  Inputs:     1. Prioritized implementation plan
  Activities: 1. Track progress to plan
              2. Reevaluate periodically or in response to major change
  Outputs:    Project tracking data

7. MODEL DOMAINS

7.1 Risk Management

Purpose: Establish, operate, and maintain an enterprise cybersecurity risk management
program to identify, analyze, and mitigate cybersecurity risk to the organization, including its
business units, subsidiaries, related interconnected infrastructure, and stakeholders.

Cybersecurity risk is defined as risk to organizational operations (including mission, functions,
image, and reputation), resources, and other organizations due to the potential for
unauthorized access, use, disclosure, disruption, modification, or destruction of information,
IT and/or OT.

Cybersecurity risk is one component of the overall business risk environment and feeds into an
organization’s enterprise risk management strategy and program. Cybersecurity risk cannot be
completely eliminated, but it can be managed through informed decision-making processes.

The Risk Management (RM) domain comprises three objectives:

1. Establish Cybersecurity Risk Management Strategy
2. Manage Cybersecurity Risk
3. Management Activities

A cybersecurity risk management strategy is a high-level strategy that provides direction for
analyzing and prioritizing cybersecurity risk and defines risk tolerance. The cybersecurity risk
management strategy includes a risk assessment methodology, risk monitoring strategy, and
cybersecurity governance program. This includes defining the enterprise risk criteria (e.g.,
impact thresholds, risk response approaches) that guide the cybersecurity program discussed in
the Cybersecurity Program Management domain later in this model. The cybersecurity risk
management strategy should align with the enterprise risk management strategy to ensure that
cybersecurity risk is managed in a manner that is consistent with the organization’s mission and
business objectives.

Managing cybersecurity risk involves framing, identifying and assessing, responding to
(accepting, avoiding, mitigating, transferring), and monitoring risks in a manner that aligns with
the needs of the organization. Key to performing these activities is an organization-wide
understanding of the cybersecurity risk management strategy discussed above. With defined
risk criteria, organizations can consistently respond to and monitor identified risks. A risk
register—a list of identified risks and associated attributes—facilitates this process. Other
domains in this model, including Event and Incident Response, Continuity of Operations, Threat
and Vulnerability Management, and Situational Awareness, refer to the risk register and
illustrate how the practices in the model are strengthened as they connect through a
cybersecurity risk management program.

Example: Risk Management

Anywhere Energy Inc. has developed an enterprise risk management strategy that identifies its
risk tolerance and strategy for assessing, responding to, and monitoring cybersecurity risks. The
board of directors reviews this strategy annually to ensure that it remains aligned with the
strategic objectives of the organization.

Within this program, risk tolerances, including compliance risk and risk to the delivery of
essential services, are identified and documented. Identified risks are recorded in a risk register
to ensure that they are monitored and responded to in a timely manner and to identify trends.

Anywhere Energy Inc. maintains a network architecture diagram that identifies critical assets
and shows how they are connected and which ones are exposed to the Internet. Resources like
Web servers that take requests from the Internet are considered at higher risk than those that
do not. Assets that directly support ones with direct exposure, like the database server behind a
Web server, are in the second risk tier and so on. Anywhere Energy Inc. augments the risk
assessment derived from the network architecture with its cybersecurity architecture. Since its
network diagram includes elements like firewalls and intrusion detection devices, an asset’s
base risk is refined depending on how it is protected by security controls.

Final risk for each asset is a combination of the asset’s importance in delivering essential
services and its exposure based on the network and cybersecurity architectures.
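The tiering described for Anywhere Energy Inc. (Internet-facing assets in tier 1, the assets that directly support them in tier 2, and so on, refined by the controls in the cybersecurity architecture and combined with the asset’s importance) is a graph traversal plus a scoring rule. The following is an added example, not from ONG-C2M2 or any vendor tool; the network graph, the controls, the importance values and the amount by which each control reduces exposure are all constructed assumptions:

```python
"""Added example (not part of ONG-C2M2): asset risk tiering by network exposure,
as described for Anywhere Energy Inc. above. The network graph, security
controls and importance values are constructed sample data; the way controls
reduce exposure (CONTROL_CREDIT) is an assumption, not a model requirement."""
from collections import deque

# Constructed network architecture: asset -> assets that directly support it
# (the Web server is served by the database, which is fed by the historian, ...).
SUPPORTS = {
    "web": ["db"],
    "db": ["historian"],
    "historian": ["scada"],
    "scada": ["plc-1"],
    "plc-1": [],
}
INTERNET_FACING = {"web"}          # takes requests directly from the Internet

# Constructed cybersecurity architecture: controls protecting each asset.
CONTROLS = {
    "db": {"firewall"},
    "scada": {"firewall", "ids"},
}
CONTROL_CREDIT = {"firewall": 1.0, "ids": 0.5}   # assumed exposure reduction per control

# Importance to delivery of essential services, 1 (low) to 5 (high); constructed.
# "eng-ws" is deliberately absent from the graph: not reachable from the Internet.
IMPORTANCE = {"web": 2, "db": 3, "historian": 3, "scada": 5, "plc-1": 5, "eng-ws": 4}


def exposure_tiers(supports, internet_facing):
    """Tier 1: exposed to the Internet. Tier n+1: directly supports a tier-n asset.
    Breadth-first search assigns each reachable asset its most exposed tier."""
    tier = {a: 1 for a in internet_facing}
    queue = deque(internet_facing)
    while queue:
        asset = queue.popleft()
        for dep in supports.get(asset, []):
            if dep not in tier:
                tier[dep] = tier[asset] + 1
                queue.append(dep)
    return tier


def exposure_score(tier, controls, max_tier=5):
    """Base exposure falls with tier depth, then is refined by the controls
    protecting the asset; never below 0.5 so exposure cannot vanish entirely."""
    base = max(max_tier + 1 - tier, 1)
    credit = sum(CONTROL_CREDIT.get(c, 0.0) for c in controls)
    return max(base - credit, 0.5)


def final_risk(supports, internet_facing, controls, importance):
    """Final risk = importance x exposure, highest first. Assets not reachable
    from the Internet get the floor exposure of 0.5."""
    tiers = exposure_tiers(supports, internet_facing)
    risk = {}
    for asset, imp in importance.items():
        if asset in tiers:
            exposure = exposure_score(tiers[asset], controls.get(asset, set()))
        else:
            exposure = 0.5
        risk[asset] = round(imp * exposure, 2)
    return dict(sorted(risk.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for asset, score in final_risk(SUPPORTS, INTERNET_FACING, CONTROLS, IMPORTANCE).items():
        print(f"{asset:10s} {score}")
```

With these sample values the unprotected PLC at tier 5 ranks above the SCADA server at tier 4, because the SCADA server sits behind a firewall and an IDS while the PLC has no control of its own; that is the effect of refining the base tier with the cybersecurity architecture. The credits are the part to calibrate against the organization’s own risk criteria rather than reuse as given.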

Objectives and Practices

1. Establish Cybersecurity Risk Management Strategy


MIL1 No practice at MIL1
MIL2 a. There is a documented cybersecurity risk management strategy
b. The strategy provides an approach for risk prioritization, including consideration of impact
MIL3 c. Organizational risk criteria (objective criteria that the organization uses for evaluating, categorizing,
and prioritizing operational risks based on impact, tolerance for risk, and risk response
approaches) are defined and available
d. The risk management strategy is periodically updated to reflect the current threat environment
e. An organization-specific risk taxonomy is documented and is used in risk management activities

2. Manage Cybersecurity Risk


MIL1 a. Cybersecurity risks are identified
b. Identified risks are mitigated, accepted, tolerated, or transferred
MIL2 c. Risk assessments are performed to identify risks in accordance with the risk management strategy
d. Identified risks are documented
e. Identified risks are analyzed to prioritize response activities in accordance with the risk
management strategy
f. Identified risks are monitored in accordance with the risk management strategy
g. Risk analysis is informed by network (IT and/or OT) architecture
MIL3 h. The risk management program defines and operates risk management policies and procedures
that implement the risk management strategy
i. A current cybersecurity architecture is used to inform risk analysis
j. A risk register (a structured repository of identified risks) is used to support risk management
activities

3. Management Activities
MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for risk management activities
b. Stakeholders for risk management activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support risk management activities
d. Standards and/or guidelines have been identified to inform risk management activities
MIL3 e. Risk management activities are guided by documented policies or other organizational directives
f. Risk management policies include compliance requirements for specified standards and/or
guidelines
g. Risk management activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of risk management activities are assigned to
personnel
i. Personnel performing risk management activities have the skills and knowledge needed to perform
their assigned responsibilities

7.2 Asset, Change, and Configuration Management

Purpose: Manage the organization’s IT and OT assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives.

An asset is something of value to an organization. For the purposes of this model, assets to be considered are IT and OT hardware and software assets, as well as information essential to operating the function.

The Asset, Change, and Configuration Management (ACM) domain comprises four objectives:

1. Manage Asset Inventory
2. Manage Asset Configuration
3. Manage Changes to Assets
4. Management Activities

An inventory of assets important to the delivery of the function is an important resource in managing cybersecurity risk. Recording important information, such as software version, physical location, asset owner, and priority, enables many other cybersecurity management activities. For example, a robust asset inventory can identify the deployment location of software that requires patching.

Managing asset configuration involves defining a configuration baseline for IT and OT assets and ensuring that assets are configured according to the baseline. Most commonly, this practice applies to ensuring that similar assets are configured in the same way. However, in cases where assets are either unique or must have individual configurations, managing asset configuration involves controlling the configuration baseline of the asset when it is deployed for operation and ensuring that the asset remains configured according to the baseline.

Managing changes to assets includes analyzing requested changes to ensure they do not introduce unacceptable vulnerabilities into the operating environment, ensuring all changes follow the change management process, and identifying unauthorized changes. Change control applies to the entire asset life cycle, including requirements definition, testing, deployment and maintenance, and retirement from operation.

Example: Asset, Change, and Configuration Management

Anywhere Energy Inc. has an asset database. Within that database, technology assets are identified and prioritized based on importance to the delivery of the function. The database includes attributes that support cybersecurity operations, such as hardware and software versions, physical location, security requirements (business needs for the asset’s confidentiality, integrity, and availability), asset owner, and version of applied configuration baseline.

Anywhere Energy Inc. uses this information for cybersecurity risk management activities, including identifying which systems may be affected by software vulnerabilities, prioritizing cybersecurity incident response, and planning disaster recovery.

To maintain change traceability and consistency, Anywhere Energy Inc.’s change management activities ensure that the asset database remains current as configurations change. All important decisions about assets are communicated to stakeholders, including the asset owner, so that potential impacts to the function are efficiently managed.
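The inventory, baseline and change-control ideas above, as an added Python example that is not part of the ONG-C2M2 document: an asset record carrying the attributes the text names, a drift check against a configuration baseline, a check that separates logged and approved changes from unauthorized ones, and the "where is the software that needs patching deployed" query. All asset identifiers, baseline settings and change records are constructed.

```python
"""Added example (not from the ONG-C2M2 document): an asset inventory with
configuration baselines and a change log, plus the checks that flag baseline
drift and unauthorized changes. All identifiers, settings and records are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    asset_type: str        # similar assets share a baseline through this type
    owner: str
    location: str
    priority: int          # 1 = most important to delivery of the function
    baseline_version: str  # version of the applied configuration baseline
    config: dict           # configuration as currently observed on the asset


# Configuration baselines keyed by (asset type, baseline version): the settings
# that all assets of that type are expected to share (constructed values).
BASELINES = {
    ("rtu", "2.1"): {"telnet": "disabled", "ntp": "10.0.0.5", "firmware": "4.2.0"},
    ("hmi", "1.4"): {"autologin": "off", "usb_storage": "blocked", "av_signatures": "current"},
}

# Constructed inventory: two RTUs under one baseline and one HMI.
INVENTORY = [
    Asset("rtu-01", "rtu", "ops-lead", "Compressor Station A", 1, "2.1",
          {"telnet": "disabled", "ntp": "10.0.0.5", "firmware": "4.2.0"}),
    Asset("rtu-02", "rtu", "ops-lead", "Compressor Station B", 3, "2.1",
          {"telnet": "enabled", "ntp": "10.0.0.6", "firmware": "4.2.0"}),
    Asset("hmi-07", "hmi", "control-room", "Control Room", 2, "1.4",
          {"autologin": "off", "usb_storage": "blocked", "av_signatures": "current"}),
]

# Constructed change log: only approved entries count as authorized changes.
CHANGE_LOG = [
    {"asset_id": "rtu-02", "setting": "ntp", "new_value": "10.0.0.6",
     "approved": True, "ticket": "CHG-0042"},
]


def drift(asset: Asset) -> dict:
    """Settings on the asset that differ from its baseline, as
    {setting: (observed, expected)}: monitoring for consistency with the baseline."""
    baseline = BASELINES[(asset.asset_type, asset.baseline_version)]
    return {k: (asset.config.get(k), v) for k, v in baseline.items()
            if asset.config.get(k) != v}


def unauthorized_changes(asset: Asset, change_log: list[dict]) -> dict:
    """Drift that no approved, logged change explains: the unauthorized
    changes that change control is meant to identify."""
    explained = {(c["asset_id"], c["setting"], c["new_value"])
                 for c in change_log if c["approved"]}
    return {k: vals for k, vals in drift(asset).items()
            if (asset.asset_id, k, vals[0]) not in explained}


def patch_targets(inventory: list[Asset], asset_type: str, firmware: str) -> list[tuple[str, str]]:
    """Where is software that needs patching deployed? Returns (asset_id, location),
    most important asset first, using the inventory's priority attribute."""
    hits = [a for a in inventory
            if a.asset_type == asset_type and a.config.get("firmware") == firmware]
    return [(a.asset_id, a.location) for a in sorted(hits, key=lambda a: a.priority)]


if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset.asset_id, "drift:", drift(asset),
              "unauthorized:", unauthorized_changes(asset, CHANGE_LOG))
    print("patch targets for rtu firmware 4.2.0:", patch_targets(INVENTORY, "rtu", "4.2.0"))
```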


Objectives and Practices

1. Manage Asset Inventory

MIL1 a. There is an inventory of OT and IT assets that are important to the delivery of the function
b. There is an inventory of information assets that are important to the delivery of the function (e.g., SCADA set points, customer information, financial data)
MIL2 c. Inventory attributes include information to support the cybersecurity strategy (e.g., location, asset owner, applicable security requirements, service dependencies, service level agreements, and conformance of assets to relevant industry standards)
d. Inventoried assets are prioritized based on their importance to the delivery of the function
MIL3 e. There is an inventory for all connected IT and OT assets related to the delivery of the function
f. The asset inventory is current (as defined by the organization)

2. Manage Asset Configuration

MIL1 a. Configuration baselines are established for inventoried assets where it is desirable to ensure that multiple assets are configured similarly
b. Configuration baselines are used to configure assets at deployment
MIL2 c. The design of configuration baselines includes cybersecurity objectives
MIL3 d. Configurations of assets are monitored for consistency with baselines throughout the assets’ life cycle
e. Configuration baselines are reviewed and updated at an organizationally defined frequency

3. Manage Changes to Assets

MIL1 a. Changes to inventoried assets are evaluated before being implemented
b. Changes to inventoried assets are logged
MIL2 c. Changes to assets are tested prior to being deployed, whenever possible
d. Change management practices address the full life cycle of assets (i.e., acquisition, deployment, operation, retirement)
MIL3 e. Changes to assets are tested for cybersecurity impact prior to being deployed
f. Change logs include information about modifications that impact the cybersecurity requirements of assets (availability, integrity, confidentiality)

4. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for asset inventory, configuration, and change management activities
b. Stakeholders for asset inventory, configuration, and change management activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support asset inventory, configuration, and change management activities
d. Standards and/or guidelines have been identified to inform asset inventory, configuration, and change management activities
MIL3 e. Asset inventory, configuration, and change management activities are guided by documented policies or other organizational directives
f. Asset inventory, configuration, and change management policies include compliance requirements for specified standards and/or guidelines
g. Asset inventory, configuration, and change management activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of asset inventory, configuration, and change management activities are assigned to personnel
i. Personnel performing asset inventory, configuration, and change management activities have the skills and knowledge needed to perform their assigned responsibilities


7.3 Identity and Access Management

Purpose: Create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives.

For the purposes of this domain, access control applies to logical access to assets used in the delivery of the function, physical access to cyber assets relevant to the function, and automated access control systems (logical or physical) relevant to the function. Improper access management practices can lead to unauthorized use, disclosure, destruction, or modification, as well as unnecessary exposure to cybersecurity risks.

The Identity and Access Management (IAM) domain comprises three objectives:

1. Establish and Maintain Identities
2. Control Access
3. Management Activities

Establishing and maintaining identities begins with the provisioning and deprovisioning (removing available identities when they are no longer required) of identities to entities. Entities may include individuals (internal or external to the organization) as well as devices, systems, or processes that require access to assets. In some cases, organizations may need to use shared identities. Management of shared identities may require compensatory measures to ensure an appropriate level of security. Maintenance of identities includes traceability (ensuring that all known identities are valid) as well as deprovisioning.

Controlling access includes determining access requirements, granting access to assets based on those requirements, and revoking access when it is no longer required. Access requirements are associated with assets and provide guidance for which types of entities are allowed to access the asset, the limits of allowed access, and authentication parameters. For example, the access requirements for a specific asset might allow remote access by a vendor only during specified and preplanned maintenance intervals, and might also require multifactor authentication for such access. At higher maturity indicator levels, more scrutiny is applied to the access being granted. Access is granted only after considering risk to the function, and regular reviews of access are conducted.

Example: Identity and Access Management

Anywhere Energy Inc. decides to upgrade multiple identity and access management systems to a system that is capable of supporting multifactor authentication. The organization believes that reducing the number of IAM systems it manages will enable more effective access management.

As Anywhere Energy Inc. prepares to migrate legacy systems to the new IAM system, it discovers that some former employees still have active accounts, some current employees have more access than is required for their role, and some employees who have changed roles within the organization still have active accounts on systems to which they no longer require access.

Anywhere Energy Inc. updates its identity management processes to include coordination with the organization’s human resources processes to help ensure that whenever a user changes roles or leaves the organization, his or her access will be reviewed and updated appropriately.

Anywhere Energy Inc. also institutes a quarterly review to ensure that access granted to the organization’s assets aligns with access requirements.
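The access-requirement example in the text above (remote vendor access only during preplanned maintenance intervals, with multifactor authentication), as added Python that is not part of the ONG-C2M2 document: a requirement attached to an asset, a decision function that applies it to one access attempt, and the periodic access review that the Anywhere Energy example institutes. Asset and identity names, the maintenance window and the time stamps are constructed.

```python
"""Added example (not from the ONG-C2M2 document): access requirements attached
to an asset, a decision function that applies them to one access attempt, and a
periodic access review. Asset and identity names, the maintenance window and
the time stamps are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AccessRequirement:
    asset_id: str
    allowed_entity_types: set[str]        # which types of entities may access the asset
    allowed_levels: dict[str, set[str]]   # limits of allowed access, per entity type
    remote_requires_mfa: bool             # authentication parameter for remote access
    # Preplanned maintenance intervals in which vendor remote access is allowed;
    # an empty list means vendors never get remote access.
    remote_windows: list[tuple[datetime, datetime]] = field(default_factory=list)


@dataclass
class Identity:
    identity_id: str
    entity_type: str         # "employee", "vendor", "service", "device"
    active: bool             # False once the identity has been deprovisioned
    granted: dict[str, str]  # asset_id -> access level currently granted


def evaluate_request(req: AccessRequirement, ident: Identity, level: str,
                     remote: bool, when: datetime, mfa_used: bool) -> tuple[bool, str]:
    """Decide one access attempt against the asset's requirement and say why."""
    if not ident.active:
        return False, "identity deprovisioned"
    if ident.entity_type not in req.allowed_entity_types:
        return False, f"{ident.entity_type} entities may not access {req.asset_id}"
    if level not in req.allowed_levels.get(ident.entity_type, set()):
        return False, f"{level} exceeds allowed access for {ident.entity_type}"
    if ident.granted.get(req.asset_id) != level:
        return False, "access not granted to this identity"
    if remote:
        if req.remote_requires_mfa and not mfa_used:
            return False, "remote access requires multifactor authentication"
        if ident.entity_type == "vendor" and not any(
                start <= when <= end for start, end in req.remote_windows):
            return False, "vendor remote access outside planned maintenance interval"
    return True, "ok"


def access_review(requirements: dict[str, AccessRequirement],
                  identities: list[Identity]) -> list[str]:
    """Periodic review: grants still held by deprovisioned identities, and grants
    beyond the limit the requirement sets for that entity type."""
    findings = []
    for ident in identities:
        for asset_id, level in ident.granted.items():
            req = requirements[asset_id]
            if not ident.active:
                findings.append(f"{ident.identity_id}: still holds {level} on {asset_id} after deprovisioning")
            elif level not in req.allowed_levels.get(ident.entity_type, set()):
                findings.append(f"{ident.identity_id}: {level} on {asset_id} exceeds {ident.entity_type} limit")
    return findings


# Constructed maintenance interval, probe times, and the requirement for one asset.
WINDOW = (datetime(2014, 2, 10, 22, 0), datetime(2014, 2, 11, 2, 0))
IN_WINDOW = datetime(2014, 2, 10, 23, 30)
OUTSIDE_WINDOW = datetime(2014, 2, 12, 10, 0)
REQUIREMENTS = {
    "plc-gateway": AccessRequirement(
        asset_id="plc-gateway",
        allowed_entity_types={"employee", "vendor"},
        allowed_levels={"employee": {"operator", "admin"}, "vendor": {"maintenance"}},
        remote_requires_mfa=True,
        remote_windows=[WINDOW]),
}

# Constructed identities, including the cases the Anywhere Energy example found.
IDENTITIES = [
    Identity("jdoe", "employee", True, {"plc-gateway": "operator"}),
    Identity("vendor-acme", "vendor", True, {"plc-gateway": "maintenance"}),
    Identity("former-emp", "employee", False, {"plc-gateway": "admin"}),  # left the organization
    Identity("vendor-beta", "vendor", True, {"plc-gateway": "admin"}),    # more access than the role needs
]

if __name__ == "__main__":
    req = REQUIREMENTS["plc-gateway"]
    print(evaluate_request(req, IDENTITIES[1], "maintenance", True, IN_WINDOW, True))
    print(evaluate_request(req, IDENTITIES[1], "maintenance", True, OUTSIDE_WINDOW, True))
    for finding in access_review(REQUIREMENTS, IDENTITIES):
        print(finding)
```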


Objectives and Practices

1. Establish and Maintain Identities

MIL1 a. Identities are provisioned for personnel and other entities (e.g., services, devices) who require access to assets (note that this does not preclude shared identities)
b. Credentials are issued for personnel and other entities that require access to assets (e.g., passwords, smart cards, certificates, keys)
c. Identities are deprovisioned when no longer required
MIL2 d. Identity repositories are periodically reviewed and updated to ensure validity (i.e., to ensure that the identities still need access)
e. Credentials are periodically reviewed to ensure that they are associated with the correct person or entity
f. Identities are deprovisioned within organizationally defined time thresholds when no longer required
MIL3 g. Requirements for credentials are informed by the organization’s risk criteria (e.g., multifactor credentials for higher risk access) (RM-1c)

2. Control Access

MIL1 a. Access requirements, including those for remote access, are determined (access requirements are associated with assets and provide guidance for which types of entities are allowed to access the asset, the limits of allowed access, and authentication parameters)
b. Access is granted to identities based on requirements
c. Access is revoked when no longer required
MIL2 d. Access requirements incorporate least privilege and separation of duties principles
e. Access requests are reviewed and approved by the asset owner
f. Root privileges, administrative access, emergency access, and shared accounts receive additional scrutiny and monitoring
MIL3 g. Access privileges are reviewed and updated to ensure validity, at an organizationally defined frequency
h. Access to assets is granted by the asset owner based on risk to the function
i. Anomalous access attempts are monitored as indicators of cybersecurity events

3. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed to establish and maintain identities and control access
b. Stakeholders for access and identity management activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support access and identity management activities
d. Standards and/or guidelines have been identified to inform access and identity management activities
MIL3 e. Access and identity management activities are guided by documented policies or other organizational directives
f. Access and identity management policies include compliance requirements for specified standards and/or guidelines
g. Access and identity management activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of access and identity management activities are assigned to personnel
i. Personnel performing access and identity management activities have the skills and knowledge needed to perform their assigned responsibilities


7.4 Threat and Vulnerability Management

Purpose: Establish and maintain plans, procedures, and technologies to detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities, commensurate with the risk to the organization’s infrastructure (e.g., critical, IT, operational) and organizational objectives.

A cybersecurity threat is defined as any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), resources, and other organizations through IT, OT, or communications infrastructure via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Threats to IT, OT, and communication infrastructure assets vary and may include malicious actors, malware (e.g., viruses and worms), accidents, and weather emergencies.

A cybersecurity vulnerability is a weakness or flaw in IT, OT, communications systems or devices, procedures, or internal controls that could be exploited by a threat.

The Threat and Vulnerability Management (TVM) domain comprises three objectives:

1. Identify and Respond to Threats
2. Reduce Cybersecurity Vulnerabilities
3. Management Activities

Threat identification and response begins with collecting useful threat information from reliable sources, interpreting that information in the context of the organization and function, and responding to threats that have the means, motive, and opportunity to affect the delivery of functions. A threat profile includes characterization of likely intent, capability, and target of threats to the function. The threat profile can be used to guide the identification of specific threats, the risk analysis process described in the Risk Management domain, and the building of the COP described in the Situational Awareness domain.

Reducing cybersecurity vulnerabilities begins with collecting and analyzing vulnerability information. Vulnerability discovery may be performed using automatic scanning tools, network penetration tests, cybersecurity exercises, and audits. Vulnerability analysis should consider the vulnerability’s local impact (the potential effect of the vulnerability on the exposed asset) as well as the importance of the exposed asset to the delivery of the function. Vulnerabilities may be addressed by implementing mitigating controls, monitoring threat status, applying cybersecurity patches, or through other activities.

Example: Threat and Vulnerability Management

Anywhere Energy Inc. examined the types of threats that it normally responds to, including malicious software, denial-of-service attacks, and activist cyber attack groups. This information has been used to develop Anywhere Energy Inc.’s documented threat profile. Anywhere Energy Inc. has identified reliable sources of information to enable rapid threat identification and is able to consume and analyze published threat information from sources such as the US-CERT, Information Sharing and Analysis Centers (ISACs), and Industrial Control Systems Cyber Emergency Response Team and begin an effective response.

When reducing cybersecurity vulnerabilities, Anywhere Energy Inc. uses the Forum of Incident Response and Security Teams (FIRST) Common Vulnerability Scoring System (CVSS) to better identify the potential impacts of known software vulnerabilities. This allows the organization to prioritize reduction activities according to the importance of the vulnerabilities.
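Vulnerability analysis as described above (the vulnerability’s local impact combined with the exposed asset’s importance to the function), as an added Python example that is not part of the ONG-C2M2 document. It uses a CVSS base score for local impact, as the Anywhere Energy example does; the weighting and the response rules are this example’s assumptions, not the model’s method, and the vulnerability identifiers, scores and assets are constructed placeholders.

```python
"""Added example (not from the ONG-C2M2 document): prioritizing known
vulnerabilities by combining each one's local impact (a CVSS base score, as in
the Anywhere Energy example) with the exposed asset's importance to the function,
then choosing a response. The weighting is this example's assumption, not the
model's method; identifiers, scores and assets are constructed placeholders."""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str           # constructed placeholder, not a real advisory identifier
    cvss_base: float       # 0.0-10.0: local impact on the exposed asset
    asset_id: str
    asset_priority: int    # 1 = most important to delivery of the function (from the asset inventory)
    patch_available: bool
    network_exposed: bool  # reachable from networks outside the function's segment


def priority_score(f: Finding) -> float:
    """Local impact scaled by asset importance, with extra weight for exposure.
    A priority-1 asset keeps the full CVSS score; lower priorities scale it down."""
    importance = 1.0 / f.asset_priority
    exposure = 1.2 if f.network_exposed else 1.0
    return round(min(10.0, f.cvss_base * importance * exposure), 2)


def plan_response(f: Finding, risk_threshold: float = 4.0) -> str:
    """Response chosen by assigned priority; operational impact is weighed before a
    patch goes onto a function-critical asset, so that patch waits for a maintenance window."""
    if priority_score(f) < risk_threshold:
        return "track"                      # below the risk criteria: monitor threat status
    if f.patch_available:
        return "patch-in-maintenance-window" if f.asset_priority == 1 else "patch"
    return "mitigating-control"             # e.g., segmentation or access restriction until a fix exists


def prioritized(findings: list) -> list:
    """Findings ordered highest priority first, each with its planned response."""
    return sorted(((f.vuln_id, priority_score(f), plan_response(f)) for f in findings),
                  key=lambda row: row[1], reverse=True)


# Constructed findings against constructed assets.
FINDINGS = [
    Finding("VULN-A", 9.8, "rtu-01", 1, True, False),
    Finding("VULN-B", 7.5, "historian-db", 2, False, True),
    Finding("VULN-C", 5.0, "print-server", 4, True, False),
    Finding("VULN-D", 7.0, "web-portal", 2, True, True),
]

if __name__ == "__main__":
    for vuln_id, score, response in prioritized(FINDINGS):
        print(f"{vuln_id}: priority {score:.2f} -> {response}")
```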

Objectives and Practices

1. Identify and Respond to Threats

MIL1 a. Information sources to support threat management activities are identified (e.g., various critical infrastructure sector ISACs, ICS-CERT, US-CERT, industry associations, vendors, federal briefings)
b. Cybersecurity threat information is gathered and interpreted for the function
c. Threats that are considered important to the function are addressed (e.g., implement mitigating controls, monitor threat status)
MIL2 d. A threat profile for the function is established that includes characterization of likely intent, capability, and target of threats to the function
e. Threat information sources that address all components of the threat profile are prioritized and monitored
f. Identified threats are analyzed and prioritized
g. Threats are addressed according to the assigned priority
MIL3 h. The threat profile for the function is validated at an organization-defined frequency
i. Analysis and prioritization of threats are informed by the function’s (or organization’s) risk criteria (RM-1c)
j. Threat information is added to the risk register (RM-2j)

2. Reduce Cybersecurity Vulnerabilities

MIL1 a. Information sources to support cybersecurity vulnerability discovery are identified (e.g., US-CERT, various critical infrastructure sector ISACs, ICS-CERT, industry associations, vendors, federal briefings, internal assessments)
b. Cybersecurity vulnerability information is gathered and interpreted for the function
c. Cybersecurity vulnerabilities that are considered important to the function are addressed (e.g., implement mitigating controls, apply cybersecurity patches)
MIL2 d. Cybersecurity vulnerability information sources that address all assets important to the function are monitored
e. Cybersecurity vulnerability assessments are performed (e.g., architectural reviews, penetration testing, cybersecurity exercises, vulnerability identification tools)
f. Identified cybersecurity vulnerabilities are analyzed and prioritized (e.g., NIST Common Vulnerability Scoring System could be used for patches; internal guidelines could be used to prioritize other types of vulnerabilities)
g. Cybersecurity vulnerabilities are addressed according to the assigned priority
h. Operational impact to the function is evaluated prior to deploying cybersecurity patches
MIL3 i. Cybersecurity vulnerability assessments are performed for all assets important to the delivery of the function, at an organization-defined frequency
j. Cybersecurity vulnerability assessments are informed by the function’s (or organization’s) risk criteria (RM-1c)
k. Cybersecurity vulnerability assessments are performed by parties that are independent of the operations of the function
l. Analysis and prioritization of cybersecurity vulnerabilities are informed by the function’s (or organization’s) risk criteria (RM-1c)
m. Cybersecurity vulnerability information is added to the risk register (RM-2j)
n. Risk monitoring activities validate the responses to cybersecurity vulnerabilities (e.g., deployment of patches or other activities)

3. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for threat and vulnerability management activities
b. Stakeholders for threat and vulnerability management activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support threat and vulnerability management activities
d. Standards and/or guidelines have been identified to inform threat and vulnerability management activities
MIL3 e. Threat and vulnerability management activities are guided by documented policies or other organizational directives
f. Threat and vulnerability management policies include compliance requirements for specified standards and/or guidelines
g. Threat and vulnerability management activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of threat and vulnerability management activities are assigned to personnel
i. Personnel performing threat and vulnerability management activities have the skills and knowledge needed to perform their assigned responsibilities


7.5 Situational Awareness

Purpose: Establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives.

Situational awareness involves developing near-real-time knowledge of a dynamic operating environment. In part, this is accomplished through the logging and monitoring of IT, OT, and communication infrastructure assets essential for the delivery of the function. It is equally important to maintain knowledge of relevant, current cybersecurity events external to the enterprise. Once an organization develops a COP, it can align predefined states of operation to changes in the operating environment. Rapid shifts among predetermined emergency operations can enable faster and more effective response to cybersecurity events.

The Situational Awareness (SA) domain comprises four objectives:

1. Perform Logging
2. Perform Monitoring
3. Establish and Maintain a Common Operating Picture
4. Management Activities

Logging should be enabled based on the assets’ potential impact to the function. For example, the greater the potential impact of a compromised asset, the more data an organization might collect about the asset.

The condition of assets, as discovered through monitoring, contributes to an operating picture. Effectively communicating the operating picture to relevant decision makers is the essence of a COP. While many implementations of a COP may include visualization tools (e.g., dashboards, maps, and other graphical displays), they are not necessarily required to achieve the goal. Organizations may use other methods to share a function’s current state of cybersecurity.

Example: Situational Awareness

Anywhere Energy Inc. identified the assets that are essential to the delivery of the organization’s functions. Additionally, the personnel monitor a number of resources that provide reliable cybersecurity information, including its vendors and US-CERT. Further, Anywhere Energy Inc. determined that indicators of an emerging threat often reside in different parts of the organization. Building Security tracks visitors, the Helpdesk responds to strange laptop behavior, shipping knows about packages, and the security team monitors network events and external sources. Each day, the security team gathers information from other departments, adds their own data, and produces a COP for the rest of the organization. The COP summarizes the current state of operations using a color-coded scale and is posted on the wall of the control room as well as on the corporate intranet site.

When the COP suggests a need for heightened security, visitors are screened more carefully, the Helpdesk conducts malware scans on misbehaving laptops, and human resources sends out reminders about phishing. Senior management reviews the COP and is prepared should extraordinary action—like shutting down the Web site—be required. At the highest state of alert, they change firewall rule sets to restrict nonessential protocols like video conferencing, delay all but emergency change requests, and put the cybersecurity incident response team on standby.
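A small version of the logging-to-COP pipeline described above, as an added Python example that is not part of the ONG-C2M2 document: defined indicators of anomalous activity are matched over aggregated log lines, observations from other departments are added, and the total maps to a color-coded level that invokes a predefined state of operation, following the Anywhere Energy example. The log lines, indicator patterns, weights, thresholds and department reports are all constructed.

```python
"""Added example (not from the ONG-C2M2 document): a small logging-to-COP pipeline.
Defined indicators of anomalous activity are matched over aggregated log lines,
observations reported by other departments are added, and the total maps to a
color-coded COP level that invokes a predefined state of operation. Log lines,
indicator patterns, weights, thresholds and department reports are constructed."""
import re
from collections import Counter

# Indicators of anomalous activity defined for the function: a pattern over the
# aggregated log and a weight reflecting relevance to the threat profile (constructed).
INDICATORS = {
    "failed-login": (re.compile(r"auth FAILED user=\S+"), 1),
    "vendor-remote-outside-window": (re.compile(r"vpn CONNECT user=vendor-\S+ window=none"), 3),
    "new-outbound-destination": (re.compile(r"fw OUT .* dst=(?!10\.)\S+ first_seen=1"), 2),
    "hmi-usb-insert": (re.compile(r"hmi-\d+ usb INSERT"), 2),
}

# Score thresholds for the color-coded scale, ascending.
LEVELS = [(0, "green"), (3, "yellow"), (6, "orange"), (10, "red")]

# Predefined states of operation invoked from the COP, after the Anywhere Energy example.
STATES = {
    "green": ["normal operations"],
    "yellow": ["screen visitors more carefully", "helpdesk scans misbehaving laptops",
               "human resources sends phishing reminders"],
    "orange": ["all yellow actions", "senior management reviews the COP",
               "incident response team on standby"],
    "red": ["all orange actions", "restrict nonessential protocols at the firewall",
            "delay all but emergency change requests"],
}

# Constructed, aggregated log lines from several assets of the function.
LOG_LINES = [
    "2014-02-10T08:01:12 historian-db auth FAILED user=jdoe",
    "2014-02-10T08:01:14 historian-db auth FAILED user=jdoe",
    "2014-02-10T08:01:40 historian-db auth OK user=jdoe",
    "2014-02-10T09:15:03 vpn-gw vpn CONNECT user=vendor-acme window=none",
    "2014-02-10T09:16:30 fw-ot fw OUT src=10.1.4.7 dst=203.0.113.9 first_seen=1",
    "2014-02-10T09:20:00 fw-ot fw OUT src=10.1.4.7 dst=10.0.0.5 first_seen=1",
]

# Constructed observations from other parts of the organization: (department, weight, note).
DEPARTMENT_REPORTS = [
    ("building-security", 1, "unescorted visitor in the control room lobby"),
    ("helpdesk", 1, "malware removed from an engineering laptop"),
]


def match_indicators(log_lines):
    """Count, per indicator, the log lines that match it."""
    hits = Counter()
    for line in log_lines:
        for name, (pattern, _weight) in INDICATORS.items():
            if pattern.search(line):
                hits[name] += 1
    return hits


def cop_level(score):
    """Highest level whose threshold the score reaches."""
    level = "green"
    for threshold, name in LEVELS:
        if score >= threshold:
            level = name
    return level


def build_cop(log_lines, department_reports):
    """Aggregate monitoring data and departmental input into one operating picture."""
    hits = match_indicators(log_lines)
    score = (sum(INDICATORS[name][1] * count for name, count in hits.items())
             + sum(weight for _dept, weight, _note in department_reports))
    level = cop_level(score)
    return {"score": score, "level": level, "indicators": dict(hits),
            "contributors": [dept for dept, _w, _n in department_reports],
            "actions": STATES[level]}


if __name__ == "__main__":
    cop = build_cop(LOG_LINES, DEPARTMENT_REPORTS)
    print(f"COP level {cop['level'].upper()} (score {cop['score']})")
    for name, count in cop["indicators"].items():
        print(f"  {name}: {count}")
    for action in cop["actions"]:
        print(f"  -> {action}")
```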


Objectives and Practices

1. Perform Logging

MIL1 a. Logging is occurring for assets important to the function where possible
MIL2 b. Logging requirements have been defined for all assets important to the function (e.g., scope of activity and coverage of assets, cybersecurity requirements [confidentiality, integrity, availability])
c. Log data are being aggregated within the function
MIL3 d. Logging requirements are based on the risk to the function
e. Log data support other business and security processes (e.g., incident response, asset management)

2. Perform Monitoring

MIL1 a. Cybersecurity monitoring activities are performed (e.g., periodic reviews of log data)
b. Operational environments are monitored for anomalous behavior that may indicate a cybersecurity event
MIL2 c. Monitoring and analysis requirements have been defined for the function and address timely review of event data
d. Alarms and alerts are configured to aid in the identification of cybersecurity events (IR-1b)
e. Indicators of anomalous activity have been defined and are monitored across the operational environment
f. Monitoring activities are aligned with the function’s threat profile (TVM-1d)
MIL3 g. Monitoring requirements are based on the risk to the function
h. Monitoring is integrated with other business and security processes (e.g., incident response, asset management)
i. Continuous monitoring is performed across the operational environment to identify anomalous activity
j. Risk register (RM-2j) content is used to identify indicators of anomalous activity
k. Alarms and alerts are configured according to indicators of anomalous activity

3. Establish and Maintain a Common Operating Picture (COP)

MIL1 No practice at MIL1
MIL2 a. Methods of communicating the current state of cybersecurity for the function are established and maintained
b. Monitoring data are aggregated to provide an understanding of the operational state of the function (i.e., a common operating picture; a COP may or may not include visualization or be presented graphically)
c. Information from across the organization is available to enhance the common operating picture
MIL3 d. Monitoring data are aggregated to provide near-real-time understanding of the cybersecurity state for the function to enhance the common operating picture
e. Information from outside the organization is collected to enhance the common operating picture
f. Predefined states of operation are defined and invoked (manual or automated process) based on the common operating picture

4. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for logging, monitoring, and COP activities
b. Stakeholders for logging, monitoring, and COP activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support logging, monitoring, and COP activities
d. Standards and/or guidelines have been identified to inform logging, monitoring, and COP activities
MIL3 e. Logging, monitoring, and COP activities are guided by documented policies or other organizational directives
f. Logging, monitoring, and COP policies include compliance requirements for specified standards and/or guidelines
g. Logging, monitoring, and COP activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of logging, monitoring, and COP activities are assigned to personnel
i. Personnel performing logging, monitoring, and COP activities have the skills and knowledge needed to perform their assigned responsibilities


7.6 Information Sharing and Communications

Purpose: Establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives.

The objective of information sharing is to strengthen cybersecurity by establishing and maintaining a framework for interaction among organizations, as well as between organizations and the government.

The Information Sharing and Communications (ISC) domain comprises two objectives:

1. Share Cybersecurity Information
2. Management Activities

Sharing cybersecurity information begins with gathering cybersecurity information relevant to the function. This information is available from many sources, including vendors, government entities, and peers. Secure sharing of different types of risk-related information is essential to the well-being of individual organizations and the subsector. As threats are responded to and vulnerabilities are discovered, organizations should ensure that relevant data is effectively and appropriately shared so that peers may also reduce their risk and improve sector resilience. Forums, such as the Information Sharing and Analysis Centers in many sectors, can facilitate this sharing.

Example: Information Sharing and Communications

Anywhere Energy Inc. worked with trade groups to find and maintain informal connections with other organizations. This worked sufficiently well for a variety of issues without critical deadlines. However, new security and cyber-related issues with critical deadlines strained this informal method of sharing and communications.

Recognizing the need for more significant relationships, the organization decided to formalize ties to industry groups that will inform it of news and issues; engage with vendors with whom they have significant investment; and participate with regional, state, and government organizations that advance thought leadership and practical guidance.

As part of this effort, Anywhere Energy Inc. partners with others to establish a secure, confidential information-sharing environment that enables organizations to share cybersecurity information without attribution. Within this environment, organizations are free to disclose cybersecurity information as well as share technical expertise to overcome cybersecurity challenges.


Objectives and Practices

1. Share Cybersecurity Information

MIL1 a. Information is collected from and provided to selected individuals and/or organizations
b. Responsibility for cybersecurity reporting obligations is assigned to personnel (e.g., internal reporting, ICS-CERT, law enforcement)
MIL2 c. Information-sharing stakeholders are identified based on their relevance to the continued operation of the function (e.g., connected organizations, vendors, sector organizations, regulators, internal entities)
d. Information is collected from and provided to identified information-sharing stakeholders
e. Technical sources are identified that can be consulted on cybersecurity issues
f. Provisions are established and maintained to enable secure sharing of sensitive or classified information
g. Information-sharing practices address both standard operations and emergency operations
MIL3 h. Information-sharing stakeholders are identified based on shared interest in and risk to critical infrastructure
i. The function or the organization participates with information sharing and analysis centers
j. Information-sharing requirements have been defined for the function and address timely dissemination of cybersecurity information
k. Procedures are in place to analyze and de-conflict received information
l. A network of internal and external trust relationships (formal and/or informal) has been established to vet and validate information about cyber events

2. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for information-sharing activities
b. Stakeholders for information-sharing activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support information-sharing activities
d. Standards and/or guidelines have been identified to inform information-sharing activities
MIL3 e. Information-sharing activities are guided by documented policies or other organizational directives
f. Information-sharing policies include compliance requirements for specified standards and/or guidelines
g. Information-sharing activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of information-sharing activities are assigned to personnel
i. Personnel performing information-sharing activities have the skills and knowledge needed to perform their assigned responsibilities
j. Information-sharing policies address protected information and ethical use and sharing of information, including sensitive and classified information as appropriate


7.7 Event and Incident Response, Continuity of Operations


Purpose: Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives.

A cybersecurity event in a system or network is any observable occurrence that is related to a cybersecurity requirement (confidentiality, integrity, or availability of assets). A cybersecurity incident is an event or series of events that significantly affects or could significantly affect critical infrastructure and/or organizational assets and services and requires the organization (and possibly other stakeholders) to respond in some way to prevent or limit adverse impacts.

The Event and Incident Response, Continuity of Operations (IR) domain comprises five objectives:

1. Detect Cybersecurity Events
2. Escalate Cybersecurity Events and Declare Incidents
3. Respond to Incidents and Escalated Cybersecurity Events
4. Plan for Continuity
5. Management Activities

Example: Event and Incident Response, Continuity of Operations

Anywhere Energy Inc. purchased a helpdesk tracking system to log and track important cybersecurity events. On the wall in the helpdesk shared working area, Anywhere Energy Inc. posted a chart that identifies criteria for escalating cybersecurity events, which include who must be notified and response time objectives. When the organization experiences a cybersecurity incident, the incident response plan requires that the incident be logged and communicated to key stakeholders. The reporting process includes those responsible for communicating the common operating picture described in the Situational Awareness domain.

Anywhere Energy Inc. tests its disaster recovery plan annually to ensure that it can continue to meet recovery time objectives for the sector functions and that it has a good understanding of the restoration path for its assets.

Detecting cybersecurity events includes designating a forum for reporting events and establishing criteria for event prioritization. These criteria should align with the cybersecurity risk management strategy discussed in the Risk Management domain, ensure consistent valuation of events, and provide a structure to differentiate between cybersecurity events and cybersecurity incidents.
Escalating cybersecurity events involves applying the criteria discussed in the Detect
Cybersecurity Events objective and identifying when cybersecurity events need to be managed
according to a response plan. These escalated cybersecurity events, including incidents, may
trigger external obligations, including reporting to regulatory bodies or notifying customers.
Correlating multiple cybersecurity events and incidents and other records may uncover
systemic problems within the environment.
Responding to escalated cybersecurity events requires the organization to have a process to
limit the impact of cybersecurity events to subsector functions. The process should describe
how the organization manages all phases of the incident life cycle (e.g., triage, handling,
communication, coordination, and closure). Conducting lessons-learned reviews as a part of


cybersecurity event and incident response helps the organization eliminate the exploited
vulnerability that led to the incident.
Planning for continuity involves the necessary activities to sustain the subsector function in the
event of an interruption such as a severe cybersecurity incident or a disaster. Business impact
analyses enable the organization to identify essential assets and associated recovery time
objectives. Continuity plans should be tested and adjusted to ensure they remain realistic and
practicable.
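The detection, escalation, and correlation steps described above, as an added example; this is not code from the model or from any organization it describes. Escalation and incident-declaration criteria are expressed as data and applied to a set of constructed events, and a correlation pass then flags a category reported across several assets. The severity scale, asset names, categories, and thresholds are assumptions for illustration; the model itself leaves the criteria to the organization's risk criteria (RM-1c) and threat profile (TVM-1d).

```go
package main

import (
	"fmt"
	"sort"
)

// Severity is the prioritization scale assumed here (the model leaves it to RM-1c).
type Severity int

const (
	Informational Severity = iota
	Low
	High
	Critical
)

// Event is one observable occurrence as stored in the event repository (IR-1e).
type Event struct {
	ID       string
	Asset    string // affected asset (constructed names below)
	Category string // e.g. "auth-failure", "malware", "ot-config-change"
	Count    int    // repetitions reported within the detection window
}

// Criteria is the posted escalation chart expressed as data (IR-2a, IR-2d).
type Criteria struct {
	FunctionCritical   map[string]bool // assets whose loss interrupts the function
	IncidentCategories map[string]bool // categories that declare an incident on such an asset
	RepeatThreshold    int             // repetitions above which an event is escalated
}

// Decision is the tracked outcome of applying the criteria to one event.
type Decision struct {
	Severity        Severity
	Escalate        bool
	DeclareIncident bool
}

// Evaluate applies the criteria to one event; the case order encodes potential
// impact to the function: what happened, and on which asset.
func Evaluate(c Criteria, e Event) Decision {
	critical := c.FunctionCritical[e.Asset]
	incidentClass := c.IncidentCategories[e.Category]
	repeated := e.Count > c.RepeatThreshold
	switch {
	case incidentClass && critical: // declare an incident outright
		return Decision{Critical, true, true}
	case incidentClass: // escalate; declaration waits for analysis (IR-2b)
		return Decision{High, true, false}
	case critical && repeated:
		return Decision{High, true, false}
	case repeated:
		return Decision{Low, true, false}
	}
	return Decision{Informational, false, false} // logged and tracked only (IR-1c)
}

// Correlate scans the repository for a category reported on at least minAssets
// distinct assets (IR-1f, IR-2i); that spread points to a systemic problem.
func Correlate(events []Event, minAssets int) []string {
	assetsByCategory := map[string]map[string]bool{}
	for _, e := range events {
		if assetsByCategory[e.Category] == nil {
			assetsByCategory[e.Category] = map[string]bool{}
		}
		assetsByCategory[e.Category][e.Asset] = true
	}
	var systemic []string
	for category, assets := range assetsByCategory {
		if len(assets) >= minAssets {
			systemic = append(systemic, category)
		}
	}
	sort.Strings(systemic)
	return systemic
}

// SampleCriteria and SampleEvents are constructed inputs for this example.
var SampleCriteria = Criteria{
	FunctionCritical:   map[string]bool{"plc-compressor-01": true, "hmi-station-02": true},
	IncidentCategories: map[string]bool{"malware": true, "ot-config-change": true},
	RepeatThreshold:    5,
}

var SampleEvents = []Event{
	{ID: "E1", Asset: "plc-compressor-01", Category: "ot-config-change", Count: 1},
	{ID: "E2", Asset: "corp-ws-117", Category: "malware", Count: 1},
	{ID: "E3", Asset: "hmi-station-02", Category: "auth-failure", Count: 12},
	{ID: "E4", Asset: "corp-ws-118", Category: "auth-failure", Count: 9},
	{ID: "E5", Asset: "corp-ws-119", Category: "auth-failure", Count: 2},
}

func main() {
	for _, e := range SampleEvents {
		d := Evaluate(SampleCriteria, e)
		fmt.Printf("%s severity=%d escalate=%v incident=%v\n", e.ID, d.Severity, d.Escalate, d.DeclareIncident)
	}
	fmt.Println("systemic candidates:", Correlate(SampleEvents, 3))
}
```

The category lists and threshold are the part an organization would revise at its defined frequency from the risk register and threat profile (IR-2e, IR-2g); the code only applies them, so a review of the criteria never requires a change to the evaluation logic.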
Objectives and Practices

1. Detect Cybersecurity Events


MIL1 a. There is a point of contact (person or role) to whom cybersecurity events could be reported
b. Detected cybersecurity events are reported
c. Cybersecurity events are logged and tracked
MIL2 d. Criteria are established for cybersecurity event detection (e.g., what constitutes an event, where to
look for events)
e. There is a repository where cybersecurity events are logged based on the established criteria
MIL3 f. Event information is correlated to support incident analysis by identifying patterns, trends, and other
common features
g. Cybersecurity event detection activities are adjusted based on information from the organization’s risk
register (RM-2j) and threat profile (TVM-1d) to help detect known threats and monitor for identified risks
h. The common operating picture for the function is monitored to support the identification of
cybersecurity events (SA-3a)

2. Escalate Cybersecurity Events and Declare Incidents


MIL1 a. Criteria for cybersecurity event escalation are established, including cybersecurity incident declaration
criteria
b. Cybersecurity events are analyzed to support escalation and the declaration of cybersecurity incidents
c. Escalated cybersecurity events and incidents are logged and tracked
MIL2 d. Criteria for cybersecurity event escalation, including cybersecurity incident criteria, are established
based on the potential impact to the function
e. Criteria for cybersecurity event escalation, including cybersecurity incident declaration criteria, are
updated at an organization-defined frequency
f. There is a repository where escalated cybersecurity events and cybersecurity incidents are logged
and tracked to closure
MIL3 g. Criteria for cybersecurity event escalation, including cybersecurity incident declaration criteria, are
adjusted according to information from the organization’s risk register (RM-2j) and threat profile (TVM-1d)
h. Escalated cybersecurity events and declared cybersecurity incidents inform the common operating
picture (SA-3a) for the function
i. Escalated cybersecurity events and declared incidents are correlated to support the discovery of
patterns, trends, and other common features


3. Respond to Incidents and Escalated Cybersecurity Events


MIL1 a. Cybersecurity event and incident response personnel are identified and roles are assigned
b. Responses to escalated cybersecurity events and incidents are implemented to limit impact to the
function and restore normal operations
c. Reporting of escalated cybersecurity events and incidents is performed (e.g., internal reporting, ICS-CERT, relevant ISACs)
MIL2 d. Cybersecurity event and incident response is performed according to defined procedures that address
all phases of the incident life cycle (e.g., triage, handling, communication, coordination, and closure)
e. Cybersecurity event and incident response plans are exercised at an organization-defined frequency
f. Cybersecurity event and incident response plans address OT and IT assets important to the delivery
of the function
g. Training is conducted for cybersecurity event and incident response teams
MIL3 h. Cybersecurity event and incident root-cause analysis and lessons-learned activities are performed,
and corrective actions are taken
i. Cybersecurity event and incident responses are coordinated with law enforcement and other
government entities as appropriate, including support for evidence collection and preservation
j. Cybersecurity event and incident response personnel participate in joint cybersecurity exercises with
other organizations (e.g., tabletop exercises, simulated incidents)
k. Cybersecurity event and incident response plans are reviewed and updated at an organization-defined
frequency
l. Cybersecurity event and incident response activities are coordinated with relevant external entities
m. Cybersecurity event and incident response plans are aligned with the function’s risk criteria (RM-1c)
and threat profile (TVM-1d)
n. Policy and procedures for reporting cybersecurity event and incident information to designated
authorities conform with applicable laws, regulations, and contractual agreements
o. Restored assets are configured appropriately and inventory information is updated following execution
of response plans

4. Plan for Continuity


MIL1 a. The activities necessary to sustain minimum operations of the function are identified
b. The sequence of activities necessary to return the function to normal operation is identified
c. Continuity plans are developed to sustain and restore operation of the function
MIL2 d. Business impact analyses inform the development of continuity plans
e. Recovery time objectives (RTO) and recovery point objectives (RPO) for the function are incorporated
into continuity plans
f. Continuity plans are evaluated and exercised
MIL3 g. Business impact analyses are periodically reviewed and updated
h. RTO and RPO are aligned with the function’s risk criteria (RM-1c)
i. The results of continuity plan testing and/or activation are compared to recovery objectives, and plans
are improved accordingly
j. Continuity plans are periodically reviewed and updated
k. Restored assets are configured appropriately and inventory information is updated following execution
of continuity plans


5. Management Activities
MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for cybersecurity event and incident response as well as
continuity of operations activities
b. Stakeholders for cybersecurity event and incident response as well as continuity of operations
activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support cybersecurity event and
incident response as well as continuity of operations activities
d. Standards and/or guidelines have been identified to inform cybersecurity event and incident
response as well as continuity of operations activities
MIL3 e. Cybersecurity event and incident response as well as continuity of operations activities are guided
by documented policies or other organizational directives
f. Cybersecurity event and incident response as well as continuity of operations policies include
compliance requirements for specified standards and/or guidelines
g. Cybersecurity event and incident response as well as continuity of operations activities are
periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of cybersecurity event and incident response as
well as continuity of operations activities are assigned to personnel
i. Personnel performing cybersecurity event and incident response as well as continuity of operations
activities have the skills and knowledge needed to perform their assigned responsibilities


7.8 Supply Chain and External Dependencies Management


Purpose: Establish and maintain controls to manage the cybersecurity risks associated with services and assets that are dependent on external entities, commensurate with the risk to critical infrastructure and organizational objectives.

As the interdependencies among infrastructures, operating partners, suppliers, service providers, and customers increase, establishing and maintaining a comprehensive understanding of key relationships and managing their associated cybersecurity risks is essential for the secure, reliable, and resilient delivery of the function.

This model classifies external dependencies as supplier or customer. Supplier dependencies are external parties on which the delivery of the function depends, including operating partners. Customer dependencies are external parties that depend on the delivery of the function, including operating partners.

Supply chain risk is a noteworthy example of a supplier dependency. The cybersecurity characteristics of products and services vary widely. Without proper risk management, they pose serious threats, including software of unknown provenance and counterfeit (possibly malicious) hardware. Organizations’ requests for proposal often give suppliers of high-technology systems, devices, and services only rough specifications, which may lack adequate requirements for security and quality assurance. The autonomy organizations often give to their individual business units further increases the risk, unless procurement activities are constrained by plan or policy to include cybersecurity requirements.

The Supply Chain and External Dependencies Management (EDM) domain comprises three objectives:

1. Identify Dependencies
2. Manage Dependency Risk
3. Management Activities

Example: Supply Chain and External Dependencies Management

Anywhere Energy Inc. receives products and services from multiple vendors. Recently, the organization began to work with a new vendor that, during the normal course of business, will have access to sensitive data and systems.

Within the contract for the project, Anywhere Energy Inc. mandated the nondisclosure of sensitive data. Anywhere Energy also specified cybersecurity requirements for the handling, communication, and storage of its information, requiring that it be encrypted both in transit and in storage. The cybersecurity requirements also stated that passwords and cryptographic keys would be properly managed, and they specified strict limits and controls on the vendor personnel and systems that will have access to Anywhere Energy Inc.’s systems and data during deployment, operations, and maintenance. Additionally, Anywhere Energy Inc. conducted a review of the vendor’s practices (including the vendor’s cybersecurity practices with respect to its suppliers), participated in a security design review of the vendor’s proposed system, and plans to conduct periodic audits of the delivered system to ensure that the vendor continues to meet its obligations.

When the vendor supplied equipment, Anywhere Energy Inc. carried out an inspection to verify that the hardware, software, and firmware were authentic and that initial configurations were as agreed upon. To accomplish this, Anywhere Energy Inc. conducted random sample audits, which included visually confirming serial numbers with the hardware manufacturer (to help detect counterfeits), verifying digital signatures for associated software and firmware, and checking initial configuration settings for conformance.


Identifying dependencies involves establishing and maintaining a comprehensive understanding of the key external relationships required for the delivery of the function.
Managing dependency risk includes approaches such as independent testing, code review,
scanning for vulnerabilities, and reviewing demonstrable evidence from the vendor that a
secure software development process has been followed. Contracts binding the organization to
a relationship with a partner or vendor for products or services should be reviewed and
approved for cybersecurity risk mitigation, such as contract language that establishes vendor
responsibilities for meeting or exceeding specified cybersecurity standards or guidelines.
Service level agreements can specify monitoring and audit processes to verify that vendors and
service providers meet cybersecurity and other performance measures.
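The acceptance inspection from the Anywhere Energy example (serial confirmation, firmware signature verification, and initial configuration conformance; practice EDM-2m, acceptance testing of procured assets), as an added example that is not code from the model or from any vendor. It assumes the vendor signs firmware images with Ed25519 and that the vendor's public key, the manufacturer-confirmed serial list, and the agreed configuration were obtained out of band before delivery. Serial numbers, settings, the syslog address, and the firmware bytes are all constructed; the key pair is generated inside the example only so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// Baseline is what the buyer holds before delivery: the vendor's firmware
// signing key, serials confirmed with the manufacturer, and the agreed initial
// configuration. Every value in this file is constructed for the example.
type Baseline struct {
	VendorPublicKey ed25519.PublicKey
	KnownSerials    map[string]bool
	Config          map[string]string
}

// DeliveredUnit is one sampled unit: its serial, the firmware image with the
// vendor's detached signature, and the configuration as shipped.
type DeliveredUnit struct {
	Serial    string
	Firmware  []byte
	Signature []byte
	Config    map[string]string
}

// Inspect runs the three acceptance checks and returns findings in a fixed
// order (serial, signature, then config keys alphabetically); none means accept.
func Inspect(b Baseline, u DeliveredUnit) []string {
	var findings []string
	if !b.KnownSerials[u.Serial] {
		findings = append(findings, "serial "+u.Serial+" not confirmed by manufacturer")
	}
	// Ed25519 is the signing scheme assumed for the vendor; Verify is false for a
	// tampered image, a wrong key, or a malformed signature.
	if !ed25519.Verify(b.VendorPublicKey, u.Firmware, u.Signature) {
		findings = append(findings, "firmware signature does not verify for serial "+u.Serial)
	}
	keys := make([]string, 0, len(b.Config))
	for k := range b.Config {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if got, ok := u.Config[k]; !ok || got != b.Config[k] {
			findings = append(findings, fmt.Sprintf("config %s is %q, agreed %q", k, got, b.Config[k]))
		}
	}
	return findings
}

// SignFirmware stands in for the vendor's build step so the example runs offline.
func SignFirmware(priv ed25519.PrivateKey, firmware []byte) []byte {
	return ed25519.Sign(priv, firmware)
}

func copyConfig(m map[string]string) map[string]string {
	out := make(map[string]string, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// Scenario builds a baseline, one genuine unit, and one that fails all three
// checks: unknown serial, altered image, remote management left enabled.
func Scenario() (Baseline, DeliveredUnit, DeliveredUnit) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	agreed := map[string]string{"remote_mgmt": "disabled", "default_creds": "removed", "syslog_target": "10.0.0.5"}
	b := Baseline{VendorPublicKey: pub, KnownSerials: map[string]bool{"AE-RTU-0001": true, "AE-RTU-0002": true}, Config: agreed}
	image := []byte("constructed firmware image v1.0")
	good := DeliveredUnit{Serial: "AE-RTU-0001", Firmware: image, Signature: SignFirmware(priv, image), Config: copyConfig(agreed)}
	badCfg := copyConfig(agreed)
	badCfg["remote_mgmt"] = "enabled"
	bad := DeliveredUnit{Serial: "AE-RTU-9999", Firmware: []byte("constructed firmware image v1.0 (altered)"), Signature: good.Signature, Config: badCfg}
	return b, good, bad
}

func main() {
	b, good, bad := Scenario()
	for _, u := range []DeliveredUnit{good, bad} {
		findings := Inspect(b, u)
		if len(findings) == 0 {
			fmt.Println(u.Serial, "accepted")
			continue
		}
		fmt.Println(u.Serial, "rejected:")
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The check that carries the most weight is the source of the baseline: a public key or serial list taken from the same shipment it is meant to validate proves nothing, which is why the example keeps the baseline separate from the delivered unit and why the model pairs acceptance testing with independent confirmation from the manufacturer.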

Objectives and Practices

1. Identify Dependencies
MIL1 a. Important IT and OT supplier dependencies are identified (i.e., external parties on which the delivery
of the function depends, including operating partners)
b. Important customer dependencies are identified (i.e., external parties that are dependent on the
delivery of the function, including operating partners)
MIL2 c. Supplier dependencies are identified according to established criteria
d. Customer dependencies are identified according to established criteria
e. Single-source and other essential dependencies are identified
f. Dependencies are prioritized
MIL3 g. Dependency prioritization and identification are based on the function’s or organization's risk criteria
(RM-1c)

2. Manage Dependency Risk


MIL1 a. Significant cybersecurity risks due to suppliers and other dependencies are identified and addressed
b. Cybersecurity requirements are considered when establishing relationships with suppliers and other
third parties
MIL2 c. Identified cybersecurity dependency risks are entered into the risk register (RM-2j)
d. Contracts and agreements with third parties incorporate sharing of cybersecurity threat information
e. Cybersecurity requirements are established for suppliers according to a defined practice, including
requirements for secure software development practices where appropriate
f. Agreements with suppliers and other external entities include cybersecurity requirements
g. Evaluation and selection of suppliers and other external entities includes consideration of their ability
to meet cybersecurity requirements
h. Agreements with suppliers require notification of cybersecurity incidents related to the delivery of the
product or service
i. Suppliers and other external entities are periodically reviewed for their ability to continually meet the
cybersecurity requirements

MIL3 j. Cybersecurity risks due to external dependencies are managed according to the organization’s risk
management criteria and process
k. Cybersecurity requirements are established for supplier dependencies based on the organization’s
risk criteria (RM-1c)
l. Agreements with suppliers require notification of vulnerability-inducing product defects throughout
the intended life cycle of delivered products
m. Acceptance testing of procured assets includes testing for cybersecurity requirements
n. Information sources are monitored to identify and avoid supply chain threats (e.g., counterfeit parts,
software, and services)

3. Management Activities
MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for managing dependency risk
b. Stakeholders for managing dependency risk are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support dependency risk
management activities
d. Standards and/or guidelines have been identified to inform managing dependency risk
MIL3 e. Dependency risk management activities are guided by documented policies or other organizational
directives
f. Dependency risk management policies include compliance requirements for specified standards
and/or guidelines
g. Dependency risk management activities are periodically reviewed to ensure conformance with policy
h. Responsibility and authority for the performance of dependency risk management are assigned to
personnel
i. Personnel performing dependency risk management have the skills and knowledge needed to
perform their assigned responsibilities


7.9 Workforce Management


Purpose: Establish and maintain plans, procedures, technologies, and controls to create a culture of cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with the risk to critical infrastructure and organizational objectives.

As organizations increasingly adopt advanced digital technology, it is a challenge to enhance the skill sets of their existing workforce and hire personnel with the appropriate level of cybersecurity experience, education, and training. Organizations’ reliance on advanced technology for digital communications and control continues to grow, and workforce issues are a crucial aspect of successfully addressing cybersecurity and risk management for these systems. Collective bargaining agreements may challenge some aspects of the practices in this domain as written, so organizations may need to implement alternative practices that meet the intent of the model practices and align with those agreements.

The Workforce Management (WM) domain comprises five objectives:

1. Assign Cybersecurity Responsibilities
2. Control the Workforce Life Cycle
3. Develop Cybersecurity Workforce
4. Increase Cybersecurity Awareness
5. Management Activities

Example: Workforce Management

Anywhere Energy Inc. determines that it will invest in advanced digital technology. Part of this investment will be a long-term program for workforce training and management to help personnel keep the new systems running efficiently and securely. Anywhere Energy Inc. finds it much harder than expected to recruit, train, and retain personnel with the necessary skill sets, particularly personnel with cybersecurity education and experience. Furthermore, the organization finds that its brand of new digital technology has been compromised at another company due to poor security practices.

Anywhere Energy Inc. analyzes this information through a risk management assessment of its systems, practices, and policies. The organization determines that employee training is paramount to addressing system and social engineering vulnerabilities as well as insider threats to the company’s goals and objectives. As a result, Anywhere Energy Inc. begins investing in technical and security training and certification for management and personnel to instill the awareness and skills necessary to manage and protect the company’s assets, which may also contribute to the protection of interconnected critical infrastructure external to the organization.

An important aspect of assigning cybersecurity responsibilities is ensuring adequacy and redundancy of coverage. For example, specific workforce roles with significant cybersecurity responsibilities are often easy to determine, but they can be challenging to maintain. It is vital to develop plans for key cybersecurity workforce roles (e.g., system administrators) to provide appropriate training, testing, redundancy, and evaluations of performance. Of course, cybersecurity responsibilities are not restricted to traditional IT roles; for example, some operations engineers may have cybersecurity responsibilities.

Controlling the workforce life cycle includes personnel vetting (e.g., background checks) and assigning risk designations to positions that have access to assets needed to deliver an essential service. For example, system administrators (who typically have the ability to change configuration settings, modify or delete log files, create new accounts, and change passwords) on critical systems are given a higher risk designation, and specific measures are taken to protect these systems from accidental or malicious behavior by this category of personnel.
Developing the cybersecurity workforce includes training and recruiting to address identified
skill gaps. For example, hiring practices should ensure that recruiters and interviewers are
aware of cybersecurity workforce needs. Also, newly recruited personnel (and contractors)
should receive security awareness training to reduce their vulnerability to social engineering
and other threats.
Increasing the cybersecurity awareness of the workforce is as important as technological
approaches for improving the cybersecurity of the organization. The threat of a cyber attack to
an organization often starts with gaining some foothold into a company’s IT or OT systems —
for example by gaining the trust of an unwary employee or contractor who then introduces
media or devices into the organization’s networks. The organization should share information
with its workforce on methods and techniques to identify suspicious behavior, avoid spam or
spear phishing, and recognize social engineering attacks to avoid providing information about
the organization to potential adversaries. For example, an internal Web site could provide
information about new threats and vulnerabilities in the industry. If information on threats,
vulnerabilities, and best practices is not shared with the workforce, personnel may become
more lax about security processes and procedures.

Objectives and Practices

1. Assign Cybersecurity Responsibilities


MIL1 a. Cybersecurity responsibilities for the function are identified
b. Cybersecurity responsibilities are assigned to specific people
MIL2 c. Cybersecurity responsibilities are assigned to specific roles, including external service providers
d. Cybersecurity responsibilities are documented (e.g., in position descriptions)
MIL3 e. Cybersecurity responsibilities and job requirements are reviewed and updated as appropriate
f. Cybersecurity responsibilities are included in job performance evaluation criteria
g. Assigned cybersecurity responsibilities are managed to ensure adequacy and redundancy of coverage


2. Control the Workforce Life Cycle


MIL1 a. Personnel vetting (e.g., background checks, drug tests) is performed at hire for positions that have
access to the assets required for delivery of the function
b. Personnel termination procedures address cybersecurity
MIL2 c. Personnel vetting is performed at an organization-defined frequency for positions that have access
to the assets required for delivery of the function
d. Personnel transfer procedures address cybersecurity
MIL3 e. Risk designations are assigned to all positions that have access to the assets required for delivery
of the function
f. Vetting is performed for all positions (including employees, vendors, and contractors) at a level
commensurate with position risk designation
g. Succession planning is performed for personnel based on risk designation
h. A formal accountability process that includes disciplinary actions is implemented for personnel who
fail to comply with established security policies and procedures

3. Develop Cybersecurity Workforce


MIL1 a. Cybersecurity training is made available to personnel with assigned cybersecurity responsibilities
MIL2 b. Cybersecurity knowledge, skill, and ability gaps are identified
c. Identified gaps are addressed through recruiting and/or training
d. Cybersecurity training is provided as a prerequisite to granting access to assets that support the
delivery of the function (e.g., new personnel training, personnel transfer training)
MIL3 e. Cybersecurity workforce management objectives that support current and future operational needs
are established and maintained
f. Recruiting and retention are aligned to support cybersecurity workforce management objectives
g. Training programs are aligned to support cybersecurity workforce management objectives
h. The effectiveness of training programs is evaluated at an organization-defined frequency and
improvements are made as appropriate
i. Training programs include continuing education and professional development opportunities for
personnel with significant cybersecurity responsibilities

4. Increase Cybersecurity Awareness


MIL1 a. Cybersecurity awareness activities occur
MIL2 b. Objectives for cybersecurity awareness activities are established and maintained
c. Cybersecurity awareness content is based on the organization’s threat profile (TVM-1d)
MIL3 d. Cybersecurity awareness activities are aligned with the predefined states of operation (SA-3f)
e. The effectiveness of cybersecurity awareness activities is evaluated at an organization-defined
frequency and improvements are made as appropriate


Note: In the following practices, “cybersecurity workforce management activities” refers collectively to all of the above practices in this domain.

5. Management Activities
MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for cybersecurity workforce management activities
b. Stakeholders for cybersecurity workforce management activities are identified and involved
c. Adequate resources (people, funding, and tools) are provided to support cybersecurity workforce
management activities
d. Standards and/or guidelines have been identified to inform cybersecurity workforce management
activities
MIL3 e. Cybersecurity workforce management activities are guided by documented policies or other
organizational directives
f. Cybersecurity workforce management policies include compliance requirements for specified
standards and/or guidelines
g. Cybersecurity workforce management activities are periodically reviewed to ensure conformance
with policy
h. Responsibility and authority for the performance of cybersecurity workforce management activities
are assigned to personnel
i. Personnel performing cybersecurity workforce management activities have the skills and knowledge
needed to perform their assigned responsibilities


7.10 Cybersecurity Program Management


Purpose: Establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure.

A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise.

The Cybersecurity Program Management (CPM) domain comprises five objectives:

1. Establish Cybersecurity Program Strategy
2. Sponsor Cybersecurity Program
3. Establish and Maintain Cybersecurity Architecture
4. Perform Secure Software Development
5. Management Activities

Example: Cybersecurity Program Management

Anywhere Energy Inc. decided to establish an enterprise cybersecurity program. To begin, Anywhere Energy has formed a board with representation from each of the functional areas. This cybersecurity governance board will develop a cybersecurity strategy for the organization and recruit a new vice president of cybersecurity to implement a program based on the strategy. The vice president will also report to the board of directors and will work across the enterprise to engage business and technical management and personnel to address cybersecurity.

The new vice president’s first action will be to expand and document the cybersecurity strategy for Anywhere Energy Inc., ensuring that it remains aligned to the organization’s business strategy and addresses its risk to critical infrastructure. Once the strategy is approved by the board, the new vice president will begin implementing the program by reorganizing some existing compartmentalized cybersecurity teams and recruiting additional team members to address skill gaps in the organization.

The head of customer service and vice president of accounting will depend on the new program to address both immediate and collateral damage from potential incidents and the public relations issues that would follow. The head of IT and the vice president for engineering will expect guidance on systems development and methods to mitigate risks.

The cybersecurity program strategy is established as the foundation for the program. In its simplest form, the program strategy should include a list of cybersecurity objectives and a plan to meet them. At higher levels of maturity, the program strategy will be more complete and include priorities, a governance approach, structure and organization for the program, and more involvement by senior management in the design of the program.

Sponsorship is important for implementing the program in accordance with the strategy. The fundamental form of sponsorship is to provide resources (people, tools, and funding). More advanced forms of sponsorship include visible involvement by senior leaders and designation of responsibility and authority for the program. Further, sponsorship includes organizational support for establishing and implementing policies or other organizational directives to guide the program.

48
Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1.1 CYBERSECURITY PROGRAM MANAGEMENT

A cybersecurity architecture is an integral part of the enterprise architecture. It describes the structure and behavior of an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations and aligns them with the organization’s mission and strategic plans. An important element of the cybersecurity architecture is effective isolation of IT systems from OT systems.

Performing and requiring secure software development for assets that are important to the delivery of the function is important to help reduce vulnerability-inducing software defects.

Objectives and Practices

1. Establish Cybersecurity Program Strategy

MIL1 a. The organization has a cybersecurity program strategy
MIL2 b. The cybersecurity program strategy defines objectives for the organization’s cybersecurity activities
     c. The cybersecurity program strategy and priorities are documented and aligned with the organization’s strategic objectives and risk to critical infrastructure
     d. The cybersecurity program strategy defines the organization’s approach to provide program oversight and governance for cybersecurity activities
     e. The cybersecurity program strategy defines the structure and organization of the cybersecurity program
     f. The cybersecurity program strategy is approved by senior management
MIL3 g. The cybersecurity program strategy is updated to reflect business changes, changes in the operating environment, and changes in the threat profile (TVM-1d)

2. Sponsor Cybersecurity Program

MIL1 a. Resources (people, tools, and funding) are provided to support the cybersecurity program
     b. Senior management provides sponsorship for the cybersecurity program
MIL2 c. The cybersecurity program is established according to the cybersecurity program strategy
     d. Adequate funding and other resources (i.e., people and tools) are provided to establish and operate a cybersecurity program aligned with the program strategy
     e. Senior management sponsorship for the cybersecurity program is visible and active (e.g., the importance and value of cybersecurity activities is regularly communicated by senior management)
     f. If the organization develops or procures software, secure software development practices are sponsored as an element of the cybersecurity program
     g. The development and maintenance of cybersecurity policies is sponsored
     h. Responsibility for the cybersecurity program is assigned to a role with requisite authority
MIL3 i. The performance of the cybersecurity program is monitored to ensure it aligns with the cybersecurity program strategy
     j. The cybersecurity program is independently reviewed (i.e., by reviewers who are not in the program) for achievement of cybersecurity program objectives
     k. The cybersecurity program addresses and enables the achievement of regulatory compliance as appropriate
     l. The cybersecurity program monitors and/or participates in selected industry cybersecurity standards or initiatives


3. Establish and Maintain Cybersecurity Architecture

MIL1 a. A strategy to architecturally isolate the organization’s IT systems from OT systems is implemented
MIL2 b. A cybersecurity architecture is in place to enable segmentation, isolation, and other requirements that support the cybersecurity strategy
     c. Architectural segmentation and isolation is maintained according to a documented plan
MIL3 d. Cybersecurity architecture is updated at an organization-defined frequency to keep it current

4. Perform Secure Software Development

MIL1 No practice at MIL1
MIL2 a. Software to be deployed on assets that are important to the delivery of the function is developed using secure software development practices
MIL3 b. Policies require that software that is to be deployed on assets that are important to the delivery of the function be developed using secure software development practices

5. Management Activities

MIL1 No practice at MIL1
MIL2 a. Documented practices are followed for cybersecurity program management activities
     b. Stakeholders for cybersecurity program management activities are identified and involved
     c. Standards and/or guidelines have been identified to inform cybersecurity program management activities
MIL3 d. Cybersecurity program management activities are guided by documented policies or other organizational directives
     e. Cybersecurity program management activities are periodically reviewed to ensure conformance with policy
     f. Personnel performing cybersecurity program management activities have the skills and knowledge needed to perform their assigned responsibilities
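One way to score a self-evaluation against the CPM practices listed above, as an added example that is not part of the ONG-C2M2 document or the DOE self-evaluation toolkit. It assumes the model's cumulative MIL rule (a MIL is earned only when every practice at that level and all lower levels is satisfied), a four-point response scale, and, conservatively, that only a "Fully Implemented" answer satisfies a practice; the practice identifiers and their MIL assignments are transcribed from the tables above.

```python
"""Self-assessment scorer for the Cybersecurity Program Management (CPM) domain.

Added illustration; not part of the ONG-C2M2 document or the DOE toolkit.
Assumptions: MILs are cumulative, a practice is satisfied only when answered
FULLY_IMPLEMENTED, and an objective with no practice at a level (MIL1 for
objectives 4 and 5) imposes no requirement at that level.
"""
from enum import IntEnum

# Objective id -> (objective name, {practice id: MIL at which it is expected}),
# transcribed from the CPM practice tables.
CPM_OBJECTIVES = {
    "CPM-1": ("Establish Cybersecurity Program Strategy", {
        "CPM-1a": 1, "CPM-1b": 2, "CPM-1c": 2, "CPM-1d": 2,
        "CPM-1e": 2, "CPM-1f": 2, "CPM-1g": 3}),
    "CPM-2": ("Sponsor Cybersecurity Program", {
        "CPM-2a": 1, "CPM-2b": 1, "CPM-2c": 2, "CPM-2d": 2, "CPM-2e": 2,
        "CPM-2f": 2, "CPM-2g": 2, "CPM-2h": 2, "CPM-2i": 3, "CPM-2j": 3,
        "CPM-2k": 3, "CPM-2l": 3}),
    "CPM-3": ("Establish and Maintain Cybersecurity Architecture", {
        "CPM-3a": 1, "CPM-3b": 2, "CPM-3c": 2, "CPM-3d": 3}),
    "CPM-4": ("Perform Secure Software Development", {   # no practice at MIL1
        "CPM-4a": 2, "CPM-4b": 3}),
    "CPM-5": ("Management Activities", {                  # no practice at MIL1
        "CPM-5a": 2, "CPM-5b": 2, "CPM-5c": 2,
        "CPM-5d": 3, "CPM-5e": 3, "CPM-5f": 3}),
}


class Status(IntEnum):
    """Four-point response scale assumed for the self-evaluation."""
    NOT_IMPLEMENTED = 0
    PARTIALLY_IMPLEMENTED = 1
    LARGELY_IMPLEMENTED = 2
    FULLY_IMPLEMENTED = 3


def objective_mil(objective_id, answers):
    """Highest MIL (0-3) earned for one objective under the cumulative rule.
    Unanswered practices count as NOT_IMPLEMENTED."""
    _, practices = CPM_OBJECTIVES[objective_id]
    earned = 0
    for level in (1, 2, 3):
        required = [p for p, mil in practices.items() if mil == level]
        if all(answers.get(p, Status.NOT_IMPLEMENTED) == Status.FULLY_IMPLEMENTED
               for p in required):
            earned = level          # vacuously true when `required` is empty
        else:
            break                   # a missed level blocks every level above it
    return earned


def domain_mil(answers):
    """Domain MIL is the lowest objective MIL, which equals applying the
    cumulative rule to all CPM practices at once. Returns (domain, per_objective)."""
    per_objective = {oid: objective_mil(oid, answers) for oid in CPM_OBJECTIVES}
    return min(per_objective.values()), per_objective


def gaps_to(target_mil, answers):
    """Practices at or below target_mil not yet fully implemented, ordered by
    MIL then id: the work list for reaching target_mil in the CPM domain."""
    gaps = []
    for _, (_, practices) in CPM_OBJECTIVES.items():
        for pid, mil in practices.items():
            if mil <= target_mil and \
                    answers.get(pid, Status.NOT_IMPLEMENTED) != Status.FULLY_IMPLEMENTED:
                gaps.append((mil, pid))
    return [pid for _, pid in sorted(gaps)]


# Constructed sample response for a fictional operator: every MIL1 and MIL2
# practice is fully implemented except secure development (CPM-4a), which is
# only largely implemented; no MIL3 practice has been started.
SAMPLE_ANSWERS = {
    pid: Status.FULLY_IMPLEMENTED
    for _, (_, practices) in CPM_OBJECTIVES.items()
    for pid, mil in practices.items()
    if mil <= 2
}
SAMPLE_ANSWERS["CPM-4a"] = Status.LARGELY_IMPLEMENTED

if __name__ == "__main__":
    domain, per_objective = domain_mil(SAMPLE_ANSWERS)
    for oid, mil in per_objective.items():
        print(f"{oid} {CPM_OBJECTIVES[oid][0]}: MIL{mil}")
    # One incomplete MIL2 practice holds the whole domain at MIL1.
    print(f"CPM domain: MIL{domain}; to reach MIL2 close: {gaps_to(2, SAMPLE_ANSWERS)}")
```

The sample run shows the model's cumulative property: four objectives sit at MIL2, but the single largely-implemented practice CPM-4a keeps the CPM domain at MIL1.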


APPENDIX A: REFERENCES

The ONG-C2M2 was derived from the ES-C2M2. The DOE acknowledges the electricity subsector
standards, guidelines, white papers, and frameworks that informed the development of the first
iteration of the model. The reference table below shows general references that were either used in
the development of this document or may serve as a source for further information regarding the
practices identified within the model. References that informed the document more broadly have no
marker in any of the right-hand columns that represent mapping to the model domains.

Mapping columns in the original table: Glossary, ACM, EDM, TVM, CPM, WM, IAM, References, RM, ISC, SA, IR

[ACC Chemical Cyber Security]
American Chemical Council. (2009). Guidance document: Guidance for addressing cyber security in the chemical industry. Retrieved from http://responsiblecare.americanchemistry.com/Responsible-Care-Program-Elements/Responsible-Care-Security-Code/PDF-Responsible-Care-Security-Code.pdf

[AGA Report 12]
American Gas Association. (2006). AGA Report No. 12: Cryptographic protection of SCADA communications. Part 1: Background--Policies and test plan. Retrieved from http://www.scadahacker.com/library/Documents/Standards/AGA%20-%20Cryptographic%20Protection%20of%20SCADA%20Communications%20-%2012%20Part1.pdf

[API SGPI]
American Petroleum Institute. (2005). Security guidelines for the petroleum industry (3rd ed.). Retrieved from http://www.nj.gov/dep/rpp/brp/security/downloads/API%20Security%20Guidance%203rd%20Edition.pdf

[API 1164]
American Petroleum Institute. (2009). Pipeline SCADA security (API Standard 1164).

[API & NPRA Vulnerability Assessment]
American Petroleum Institute & National Petrochemical & Refiners Association. (2004). Security vulnerability assessment methodology for the petroleum and petrochemical industries (2nd ed.). Retrieved from http://www.api.org/policy/otherissues/upload/sva_e2.pdf

[API Offshore O&G Security]
American Petroleum Institute. (2003, reaffirmed 2010). Security for offshore oil and natural gas operations (API Recommended Practice 70, 1st ed.).

[API Recommended Practice 70I]
American Petroleum Institute. (2004). Security for worldwide offshore oil and natural gas operations (API Recommended Practice 70I, 1st ed.).

[API Third Party Network]
American Petroleum Institute. (2007). Standard for third party network connectivity.

[CERT CSIRTs]
West Brown, M., Stikvoort, D., Kossakowski, K., Killcrece, G., Ruefle, R., & Zajicek, M. (2003). Handbook for computer security incident response teams (CSIRTs) (CMU/SEI-2003-HB-002). Retrieved from Software Engineering Institute, Carnegie Mellon University website: http://www.sei.cmu.edu/library/abstracts/reports/03hb002.cfm

[CERT CSIRT FAQs]
Software Engineering Institute, Carnegie Mellon University. (2012). CSIRT FAQ. Retrieved from http://www.cert.org/csirts/csirt_faq.html

[CERT RMM]
Caralli, R. A., Allen, J. H., & White, D. W. (2011). CERT resilience management model: A maturity model for managing operational resilience (CERT-RMM Version 1.1). Boston, MA: Addison-Wesley.

[CERT SGMM]
The SGMM Team. (2011, version 1.2). Smart grid maturity model: Model definition (CMU/SEI-2011-TR-025). Retrieved from Software Engineering Institute, Carnegie Mellon University website: http://www.sei.cmu.edu/reports/11tr025.pdf

[CERT State of the Practice of CSIRTs]
Killcrece, G., Kossakowski, K., Ruefle, R., & Zajicek, M. (2003). State of the practice of computer security incident response teams (CSIRTs) (CMU/SEI-2003-TR-001). Retrieved from Software Engineering Institute, Carnegie Mellon University website: http://www.cert.org/archive/pdf/03tr001.pdf

[CNSSI 4009]
Committee on National Security Systems. (2010). National information assurance (IA) glossary (CNSS Instruction No. 4009). Retrieved from https://www.cnss.gov/CNSS/issuances/Instructions.cfm

[DHS Cross-Sector Roadmap]
Industrial Control Systems Joint Working Group. (2011, revision 3.0). Cross-sector roadmap for cybersecurity of control systems. United States Computer Emergency Readiness Team.

[DHS ICS-CERT]
Department of Homeland Security. (2012, May). Industrial Control Systems Cyber Emergency Response Team. Retrieved from http://www.us-cert.gov/control_systems/ics-cert/

[DHS ICSJWG]
Department of Homeland Security. (2012, May). Industrial Control Systems Joint Working Group. Retrieved from http://www.us-cert.gov/control_systems/icsjwg/

[DHS PCII]
Department of Homeland Security. (2012, May). Who can access Protected Critical Infrastructure Information (PCII). Retrieved from http://www.dhs.gov/files/programs/gc_1193089801658.shtm

[DHS Procurement]
U.S. Department of Homeland Security, Control Systems Security Program, National Cyber Security Division. (2009). U.S. Department of Homeland Security: Cyber security procurement language for control systems.

[DHS Recommendations for Standards]
U.S. Department of Homeland Security, National Cyber Security Division, Control Systems Security Program. (2011). Catalog of control systems security: Recommendations for standards developers. Retrieved from http://ics-cert.us-cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf

[DOE 21 Steps to Improve Cyber Security of SCADA Networks]
U.S. Department of Energy and the President’s Critical Infrastructure Protection Board. (n.d.). 21 Steps to improve cyber security of SCADA networks. Retrieved from http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf

[DOE Roadmap to Achieve Energy Delivery Systems Cybersecurity]
Energy Sector Control Systems Working Group. (2011). Roadmap to achieve energy delivery systems cybersecurity. Retrieved from Department of Energy website: http://energy.gov/sites/prod/files/Energy%20Delivery%20Systems%20Cybersecurity%20Roadmap_finalweb.pdf

[EIA Glossary]
U.S. Energy Information Administration. (n.d.). Glossary. Retrieved from http://www.eia.gov/tools/glossary/

[EOPUS Policy Framework]
Executive Office of the President of the United States. (2011). A policy framework for the 21st Century grid: Enabling our secure energy future. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/nstc-smart-grid-june2011.pdf

[ES-SPP]
U.S. Department of Homeland Security and U.S. Department of Energy. (2010). Energy sector-specific plan: An annex to the national infrastructure protection plan. Retrieved from http://www.dhs.gov/xlibrary/assets/nipp-ssp-energy-2010.pdf

[FIRST]
Forum of Incident Response and Security Teams (FIRST). (2012). CSIRT case classification (Example for enterprise CSIRT). Retrieved from http://www.first.org/_assets/resources/guides/csirt_case_classification.html

[HSPD-7]
U.S. Department of Homeland Security. (n.d.). Homeland Security Presidential Directive – 7. Retrieved from http://www.dhs.gov/homeland-security-presidential-directive-7#1

[IACCM BRM3]
International Association for Contract & Commercial Management (IACCM). (2003). The IACCM business risk management maturity model (BRM3).

[ISA 99]
International Society of Automation (ISA). (2009). Industrial automation and control systems security: Establishing an industrial automation and control systems security program (ANSI/ISA-99.02.01-2009).

[ISACs]
National Council of Information Sharing and Analysis Centers (ISACs). (2012). [Home page]. Retrieved from http://www.isaccouncil.org/

[ISO 27005:2011]
International Organization for Standardization. (2011). Information security risk management (ISO 27005:2011).

[ISO 28001:2007]
International Organization for Standardization. (n.d.). Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance (ISO 28001:2007).

[ISO/IEC 21827:2008]
International Organization for Standardization. (2008). Systems Security Engineering – Capability Maturity Model (SSE-CMM) (ISO/IEC 21827:2008).

[ISO/IEC 27001:2005]
International Organization for Standardization. (2008). Information security management systems (ISO/IEC CD 27001:2005).

[ISO/IEC 27002:2005]
International Organization for Standardization. (2008). Code of practice for information security management (ISO/IEC 27002:2005).

[ISO/IEC 2:2004]
International Organization for Standardization. (2004). Standardization and related activities -- General vocabulary (ISO/IEC 2:2004).

[MIT SCMM]
Rice, Jr., J. B., & Tenney, W. (2007). How risk management can secure your business future. Massachusetts Institute of Technology Supply Chain Strategy, 3(5), 1-4. Retrieved from http://web.mit.edu/scresponse/repository/rice_tenney_SCS_RMM_june-july_2007.pdf

[NASA RMMM]
National Aeronautics and Space Administration. (2005). NASA RMC VI: Continuous Risk Management Maturity Assessment (pp. 5-7). Retrieved from http://www.rmc.nasa.gov/presentations/Powell_CRM_Maturity_Assessment.pdf

[National Strategy to Secure Cyberspace]
The White House. (2003). The national strategy to secure cyberspace. Retrieved from https://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf

[NDIA ESA]
National Defense Industrial Association, System Assurance Committee. (2008, version 1.0). Engineering for System Assurance.

[NIPP]
U.S. Department of Homeland Security. (2009). National infrastructure protection plan: Partnering to enhance protection and resiliency. Retrieved from http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf

[NIST Framework]
National Institute of Standards and Technology. (2012). NIST framework and roadmap for smart grid interoperability standards, Release 2.0. Retrieved from http://www.nist.gov/smartgrid/upload/NIST_Framework_Release_2-0_corr.pdf

[NISTIR 7622]
Swanson, M., Bartol, N., & Moorthy, R. (2010). Piloting supply chain risk management for federal information systems (Draft NISTIR 7622). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/drafts/nistir-7622/draft-nistir-7622.pdf

[NISTIR 7628 Vol. 1]
The Smart Grid Interoperability Panel – Cyber Security Working Group. (2010). Guidelines for smart grid cyber security: Vol. 1, Smart grid cyber security strategy, architecture, and high-level requirements (NISTIR 7628). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf

[NISTIR 7628 Vol. 3]
The Smart Grid Interoperability Panel – Cyber Security Working Group. (2010). Guidelines for smart grid cyber security: Vol. 3, Supportive analyses and references (NISTIR 7628). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol3.pdf

[NIST NVD]
National Institute of Standards and Technology. (2012). National vulnerability database. Retrieved from http://nvd.nist.gov/cvss.cfm

[NIST Security Considerations in SDLC]
Radack, S. (2008). Security considerations in the information system development life cycle. National Institute of Standards and Technology. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltndec03.htm

[NIST SP 800-16]
Wilson, M., Stine, K., & Bowen, P. (2009). Information security training requirements: A role- and performance-based model (NIST Special Publication 800-16, revision 1.0). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/drafts/800-16-rev1/draft_sp800_16_rev1_2nd-draft.pdf

[NIST SP 800-37]
National Institute of Standards and Technology, Joint Task Force Transformation Initiative. (2010). Guide for applying the risk management framework to federal information systems (NIST Special Publication 800-37). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

[NIST SP 800-40]
Mell, P., Bergeron, T., & Henning, D. (2005). Creating a patch management and vulnerability management program (NIST Special Publication 800-40, version 2.0). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

[NIST SP 800-50]
Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program (NIST Special Publication 800-50). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

[NIST SP 800-53]
National Institute of Standards and Technology, Joint Task Force Transformation Initiative. (2009). Recommended security controls for federal information systems and organizations (NIST Special Publication 800-53, revision 3). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

[NIST SP 800-61]
Scarfone, K., Grance, T., & Masone, K. (2008). Computer security incident handling guide (NIST Special Publication 800-61, revision 1). National Institute of Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

[NIST SP 800-64]
Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008). Security considerations in the system development life cycle (NIST Special Publication 800-64, revision 2). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

[NIST SP 800-82]
Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security (NIST Special Publication 800-82). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

[NIST SP 800-83]
Mell, P., Kent, K., & Nusbaum, J. (2005). Guide to malware incident prevention and handling (NIST Special Publication 800-83). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

[NIST SP 800-128]
National Institute of Standards and Technology. (2011). Guide for security-focused configuration management of information systems (Special Publication 800-128). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf

[NIST SP 800-137]
Dempsey, K., Chawla, N. S., Johnson, A., Johnston, R., Jones, A. C., Orebaugh, A., ... Stine, K. (2011). Information security continuous monitoring (ISCM) for federal information systems and organizations (NIST Special Publication 800-137). National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

[NIST SP 800-36]
National Institute of Standards and Technology. (2003). Guide to selecting information technology security products (SP 800-36). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-36/NIST-SP800-36.pdf

[NIST SP 800-48]
National Institute of Standards and Technology. (2008). Guide to securing legacy IEEE 802.11 wireless networks (SP 800-48 Rev 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

[NIST SP 800-52]
National Institute of Standards and Technology. (2005). Guidelines for the selection and use of transport layer security (TLS) implementations (SP 800-52). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80052.pdf

[NIST SP 800-63]
National Institute of Standards and Technology. (2013). Electronic authentication guideline (SP 800-63-2). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

[NIST SP 800-73-3]
National Institute of Standards and Technology. (2010). Interfaces for personal identity verification (SP 800-73-3). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf

[NIST SP 800-76-1]
National Institute of Standards and Technology. (2007). Biometric data specification for personal identity verification (SP 800-76-1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-76-1/SP800-76-1_012407.pdf

[NIST SP 800-82]
National Institute of Standards and Technology. (2011). Guide to industrial control systems (ICS) security (SP 800-82). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

[NIST SP 800-86]
National Institute of Standards and Technology. (2006). Guide to integrating forensic techniques into incident response (SP 800-86).

[NIST SP 800-97]
National Institute of Standards and Technology. (2007). Establishing wireless robust security networks: A guide to IEEE 802.11i (SP 800-97). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf

[OECD Reducing Systemic Cybersecurity Risk]
Sommer, P., & Brown, I. (2011). Reducing systemic cybersecurity risk. Organisation for Economic Co-operation and Development. Retrieved from http://www.oecd.org/dataoecd/57/44/46889922.pdf

[SCADA AU RMF]
IT Security Expert Advisory Group. (2012). Generic SCADA risk management framework for Australian critical infrastructure. Retrieved from http://www.tisn.gov.au/Documents/SCADA-Generic-Risk-Management-Framework.pdf

[SEI CMM]
Paulk, M., Weber, C., Garcia, S., Chrissis, M. B., & Bush, M. (1993). Key practices of the capability maturity model (Version 1.1, Technical Report CMU/SEI-93-TR-25). Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/reports/93tr025.pdf

[Situation Awareness in Dynamic Systems]
Endsley, M. (1995). Toward a theory of situation awareness in dynamic systems. Human Factors, pp. 32-64.

[Supply Chain Risk Management Awareness]
Filsinger, J., Fast, B., Wolf, D. G., Payne, J. F. X., & Anderson, M. (2012). Supply chain risk management awareness. Armed Forces Communication and Electronics Association Cyber Committee. Retrieved from http://www.afcea.org/committees/cyber/documents/Supplychain.pdf

[TSA Pipeline Security]
U.S. Department of Homeland Security, Transportation Security Administration. (2011). Pipeline security guidelines. Retrieved from http://www.tsa.gov/sites/default/files/assets/pdf/Intermodal/tsa_pipeline_sec_guideline_april2011.pdf

[WH Trusted Identities in Cyberspace]
The White House. (2011). National strategy for trusted identities in cyberspace. Retrieved from http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf


APPENDIX B: GLOSSARY

Each entry gives the term, its definition, and (in parentheses) the source.

access
    Ability and means to enter a facility, to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions. (Adapted from CNSSI 4009)

access control
    Limiting access to organizational assets only to authorized entities (e.g., users, programs, processes, or other systems). See asset. (Adapted from CNSSI 4009)

access management
    Management processes to ensure that access granted to the organization’s assets is commensurate with the risk to critical infrastructure and organizational objectives. See access control and asset. (Adapted from CERT RMM)

ad hoc
    In the context of this model, ad hoc (i.e., an ad hoc practice) refers to performing a practice in a manner that depends largely on the initiative and experience of an individual or team (and team leadership), without much in the way of organizational guidance in the form of a prescribed plan (verbal or written), policy, or training. The methods, tools, and techniques used, the priority given a particular instance of the practice, and the quality of the outcome may vary significantly depending on who is performing the practice, when it is performed, and the context of the problem being addressed. With experienced and talented personnel, high-quality outcomes may be achieved even though practices are ad hoc. However, because lessons learned are typically not captured at the organizational level, approaches and outcomes are difficult to repeat or improve across the organization. (ONG-C2M2)

anomalous/anomaly
    Inconsistent with or deviating from what is usual, normal, or expected. (Merriam-Webster.com)

architecture
    See cybersecurity architecture.

assessment
    See risk assessment.

asset
    Something of value to the organization. Assets include many things, including technology, information, roles performed by personnel, and facilities. For the purposes of this model, assets to be considered are IT and OT hardware and software assets, as well as information essential to operating the function.

asset, change, and configuration management (ACM)
    The ONG-C2M2 domain with the purpose to manage the organization’s OT and IT assets, including both hardware and software, commensurate with the risk to critical infrastructure and organizational objectives. (ONG-C2M2)

asset owner
    A person or organizational unit, internal or external to the organization, that has primary responsibility for the viability, productivity, and resilience of an organizational asset. (CERT RMM)

authentication
    Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IT or ICS. (DOE RMP)

authenticator
    The means used to confirm the identity of a user, processor, or device (e.g., user password or token). (NIST 800-53)

availability
    Ensuring timely and reliable access to and use of information. For an asset, the quality of being accessible to authorized users (people, processes, or devices) whenever it is needed. (DOE RMP & CERT RMM)

business impact analysis
    A mission impact analysis that prioritizes the impact associated with the compromise of an organization’s information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. (Adapted from NIST SP800-30)

change control (change management)
    A continuous process of controlling changes to information or technology assets, related infrastructure, or any aspect of services, enabling approved changes with minimum disruption. (CERT RMM)

common operating picture
    Activities and technologies to collect, analyze, alarm, present, and use cybersecurity information, including status and summary information from the other model domains. (ONG-C2M2)

computer security incident
    A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An "imminent threat of violation" refers to a situation in which the organization has a factual basis for believing that a specific incident is about to occur. For example, the antivirus software maintainers may receive a bulletin from the software vendor, warning them of new malware that is rapidly spreading across the Internet. Also, see incident. (NIST 800-61, computer security incident)

confidentiality
    The preservation of authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. For an information asset, confidentiality is the quality of being accessible only to authorized people, processes, and devices. (DOE RMP & adapted from CERT RMM)

configuration baseline
    A documented set of specifications for an IT or OT system or asset, or a configuration item within a system, that has been formally reviewed and agreed upon at a given point in time, and which should be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes. (Adapted from NIST 800-53 Glossary)

configuration management
    A collection of activities focused on establishing and maintaining the integrity of assets, through control of the processes for initializing, changing, and monitoring the configurations of those assets throughout their life cycle. (NIST SP 800-128)

contingency plan
    Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The contingency plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan or disaster recovery plan for major disruptions. (CNSSI 4009)

continuous monitoring
    Maintaining ongoing awareness of the current cybersecurity state of the function throughout the operational environment by collecting, analyzing, alarming, presenting, and using OT system and cybersecurity information to identify anomalous activities, vulnerabilities, and threats to the function in order to support incident response and organizational risk management decisions. (Adapted from NIST 800-137)

controls
    The management, operational, and technical methods, policies, and procedures (manual or automated, i.e., safeguards or countermeasures) prescribed for an IT and ICS to protect the confidentiality, integrity, and availability of the system and its information. (DOE RMP)

critical infrastructure: Assets that provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction through terrorist attack could have a debilitating effect on security and economic well-being. (Source: HSPD-7)

current: Updated at an organization-defined frequency (e.g., as in the asset inventory is kept "current") that is selected such that the risks to critical infrastructure and organization objectives associated with being out-of-date by the maximum interval between updates are acceptable to the organization and its stakeholders. (Source: ONG-C2M2)

cyber attack: An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure, or for destroying the integrity of the data or stealing controlled information. (Source: DOE RMP)

cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks. Measures taken to protect a computer or computerized system (IT and OT) against unauthorized access or attack. (Source: DOE RMP and Merriam-Webster.com)

cybersecurity architecture: An integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, cybersecurity systems, personnel, and subordinate organizations, showing their alignment with the organization’s mission and strategic plans. See enterprise architecture and network architecture. (Source: DOE RMP)

cybersecurity event: Any observable occurrence in a system or network that is related to a cybersecurity requirement (confidentiality, integrity, or availability). See also event. (Source: ONG-C2M2)

cybersecurity impact: The effect on the measures that are in place to protect from and defend against cyber attack. (Source: ONG-C2M2)

cybersecurity incident: See incident.

cybersecurity incident life cycle: See incident life cycle.

cybersecurity plan: Formal document that provides an overview of the cybersecurity requirements for an IT and ICS and describes the cybersecurity controls in place or planned for meeting those requirements. (Source: DOE RMP)

cybersecurity policy: A set of criteria for the provision of security services. (Source: DOE RMP)

cybersecurity program: A cybersecurity program is an integrated group of activities designed and managed to meet cybersecurity objectives for the organization and/or the function. A cybersecurity program may be implemented at either the organization or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organization by integrating activities and leveraging resource investments across the entire enterprise. (Source: ONG-C2M2)

cybersecurity program management (CPM): The ONG-C2M2 domain with the purpose to establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity objectives with the organization’s strategic objectives and the risk to critical infrastructure. (Source: ONG-C2M2)

cybersecurity program strategy: A plan of action designed to achieve the performance targets that the organization sets to accomplish its mission, vision, values, and purpose for the cybersecurity program. (Source: CERT RMM)

cybersecurity requirements: Requirements levied on an IT and OT that are derived from organizational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organization and the information being processed, stored, or transmitted. (Source: Adapted from DOE RMP)

cybersecurity responsibilities: Obligations for ensuring the organization’s cybersecurity requirements are met. (Source: ONG-C2M2)

cybersecurity risk: The risk to organizational operations (including mission, functions, image, reputation), resources, and other organizations due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or IT and ICS. See risk. (Source: DOE RMP)

cybersecurity workforce management objectives: Performance targets for personnel with cybersecurity responsibilities that the organization sets to meet cybersecurity requirements. (Source: Adapted from CERT RMM)

defined practice: A practice that is planned (i.e., described, explained, made definite and clear, and standardized) and is executed in accordance with the plan. (Source: Adapted from CERT RMM)

dependency risk: Dependency risk is measured by the likelihood and severity of damage if an IT or OT system is compromised due to a supplier or other external party on which delivery of the function depends. Evaluating dependency risk includes an assessment of the importance of the potentially compromised system and the impact of compromise on organizational operations and assets, individuals, other organizations, and the Nation. See upstream dependencies and supply chain risk. (Source: Adapted from NIST 7622, pg. 10)

deprovisioning: The process of revoking or removing an identity’s access to organizational assets. See also provisioning. (Source: CERT RMM)

domain: In the context of the model structure, a domain is a logical grouping of cybersecurity practices. (Source: ONG-C2M2)

domain objectives: The practices within each domain are organized into objectives. The objectives represent achievements that support the domain (such as "Manage Asset Configuration" for the ASSET domain and "Increase Cybersecurity Awareness" for the WORKFORCE domain). Each of the objectives in a domain comprises a set of practices, which are ordered by maturity indicator level. (Source: ONG-C2M2)

downstream activities: Business process most commonly used in the petroleum industry to describe postproduction processes (e.g., refining, transportation, and marketing of petroleum products). (Source: API STD 689, Collection and Exchange of Reliability and Maintenance Data for Equipment, First Edition, July 2007)

downstream dependencies: External parties dependent on the delivery of the function, such as customers and some operating partners. (Source: ONG-C2M2)

electricity subsector: A portion of the energy sector that includes the generation, transmission, and distribution of electricity. (Source: ES-SPP)

enterprise: The largest (i.e., highest-level) organizational entity to which the organization participating in the ONG-C2M2 survey belongs. For some participants, the organization taking the survey is the enterprise itself. See organization. (Source: Adapted from SGMM v1.1 Glossary)

enterprise architecture: The design and description of an enterprise’s entire set of IT and OT: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture. See cybersecurity architecture and network architecture. (Source: DOE RMP, but changed ICS to OT)

entity: Something having separate or distinct existence. (Source: Merriam-Webster.com)

establish and maintain: The development and maintenance of the object of the practice (such as a program). For example, "Establish and maintain identities" means that not only must identities be provisioned, but they also must be documented, have assigned ownership, and be maintained relative to corrective actions, changes in requirements, or improvements. (Source: CERT RMM)

event: Any observable occurrence in a system or network. Depending on their potential impact, some events need to be escalated for response. To ensure consistency, criteria for response should align with the organization’s risk criteria. (Source: NIST 800-61)

event and incident response, continuity of operations (IR): The ONG-C2M2 domain with the purpose to establish and maintain plans, procedures, and technologies to detect, analyze, and respond to cybersecurity events and to sustain operations throughout a cybersecurity event, commensurate with the risk to critical infrastructure and organizational objectives. (Source: ONG-C2M2)

function: A subset of the operations of the organization that are being evaluated based on the C2M2 model. (Source: ONG-C2M2)

governance: An organizational process of providing strategic direction for the organization while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses financial and human resources. Governance also typically includes the concepts of sponsorship (setting the managerial tone), compliance (ensuring that the organization is meeting its compliance obligations), and alignment (ensuring that processes such as those for cybersecurity program management align with strategic objectives). (Source: Adapted from CERT RMM)

guidelines: A set of recommended practices produced by a recognized authoritative source representing subject matter experts and community consensus, or internally by an organization. See standard. (Source: ONG-C2M2)

identity: The set of attribute values (i.e., characteristics) by which an entity is recognizable and that, within the scope of an identity manager’s responsibility, is sufficient to distinguish that entity from any other entity. (Source: CNSSI 4009)

identity and access management (IAM): The ONG-C2M2 domain with the purpose to create and manage identities for entities that may be granted logical or physical access to the organization’s assets. Control access to the organization’s assets, commensurate with the risk to critical infrastructure and organizational objectives. (Source: ONG-C2M2)

impact: Negative consequence to subsector functions. (Source: ONG-C2M2)

incident: An event (or series of events) that significantly affects (or has the potential to significantly affect) critical infrastructure and/or organizational assets and services and requires the organization (and possibly other stakeholders) to respond in some way to prevent or limit adverse impacts. See also computer security incident and event. (Source: Adapted from CERT RMM)

incident life cycle: The stages of an incident from detection to closure. Collectively, the incident life cycle includes the processes of detecting, reporting, logging, triaging, declaring, tracking, documenting, handling, coordinating, escalating and notifying, gathering and preserving evidence, and closing incidents. Escalated events also follow the incident life cycle, even if they are never formally declared to be incidents. (Source: Adapted from CERT RMM)

information assets: Information or data that is of value to the organization, including diverse information such as operational data, intellectual property, customer information, and contracts. (Source: Adapted from CERT RMM)

information sharing: See Information Sharing and Communications (ISC).

information sharing and analysis center (ISAC): An Information Sharing and Analysis Center (ISAC) shares critical information with industry participants on infrastructure protection. Each critical infrastructure industry has established an ISAC to communicate with its members, its government partners, and other ISACs about threat indications, vulnerabilities, and protective strategies. ISACs work together to better understand cross-industry dependencies and to account for them in emergency response planning. (Source: Adapted from Electricity Sector Information Sharing and Analysis Center website home page)

information sharing and communications (ISC): The ONG-C2M2 domain with the purpose to establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience, commensurate with the risk to critical infrastructure and organizational objectives. (Source: ONG-C2M2)

information technology (IT): A discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes interconnected or dependent business systems and the environment in which they operate. (Source: DOE RMP)

institutionalization: The extent to which a practice or activity is ingrained into the way an organization operates. The more an activity becomes part of how an organization operates, the more likely it is that the activity will continue to be performed over time, with a consistently high level of quality. ("Incorporated into the ingrained way of doing business that an organization follows routinely as part of its corporate culture." – CERT RMM). See also maturity indicator level. (Source: ONG-C2M2)

integrity: Guarding against improper information modification or destruction. Integrity includes ensuring information nonrepudiation and authenticity. For an asset, integrity is the quality of being in the condition intended by the owner and therefore continuing to be useful for the purposes intended by the owner. (Source: DOE RMP & CERT RMM)

least privilege: A security control that addresses the potential for abuse of authorized privileges. The organization employs the concept of least privilege by allowing only authorized access for users (and processes acting on behalf of users) who require it to accomplish assigned tasks in accordance with organizational missions and business functions. Organizations employ the concept of least privilege for specific duties and systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions and/or functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary to achieving least privilege. Organizations also apply least privilege concepts to the design, development, implementation, and operations of IT and OT systems. (Source: Adapted from NIST 800-53)

logging: Logging typically refers to automated recordkeeping (by elements of an IT or OT system) of system, network, or user activity. Logging may also refer to keeping a manual record (e.g., a sign-in sheet) of physical access by personnel to a protected asset or restricted area, although automated logging of physical access activity is commonplace. Regular review and audit of logs (manually or by automated tools) is a critical monitoring activity that is essential for situational awareness (e.g., through the detection of cybersecurity events or weaknesses). (Source: ONG-C2M2)

logical control: A software, firmware, or hardware feature (i.e., computational logic, not a physical obstacle) within an IT or OT system that restricts access to and modification of assets only to authorized entities. For contrast, see physical control. (Source: Adapted from CNSSI 4009 definition of "internal security controls")

maturity: The extent to which an organization has implemented and institutionalized the cybersecurity practices of the model. (Source: ONG-C2M2)

maturity indicator level (MIL): A measure of the cybersecurity maturity of an organization in a given domain of the model. The model currently defines four maturity indicator levels (MILs) and holds a fifth level in reserve for use in future versions of the model. Each of the four defined levels is designated by a number (0 through 3) and a name, for example, "MIL3: managed." A MIL is a measure of the progression within a domain from individual and team initiative, as a basis for carrying out cybersecurity practices, to organizational policies and procedures that institutionalize those practices, making them repeatable with a consistently high level of quality. As an organization progresses from one MIL to the next, the organization will have more complete or more advanced implementations of the core activities in the domain. (Source: ONG-C2M2)

midstream activities: Business category involving the processing, storage, and transportation sectors of the petroleum industry. (Source: API STD 689, Collection and Exchange of Reliability and Maintenance Data for Equipment, First Edition, July 2007)

monitoring: Collecting, recording, and distributing information about the behavior and activities of systems and persons to support the continuous process of identifying and analyzing risks to organizational assets and critical infrastructure that could adversely affect the operation and delivery of services. (Source: Adapted from CERT RMM, monitoring and risk management)

monitoring requirements: The requirements established to determine the information gathering and distribution needs of stakeholders. (Source: CERT RMM)

multifactor authentication: Authentication using two or more factors to achieve authentication. Factors include (i) something you know (e.g., password/PIN), (ii) something you have (e.g., cryptographic identification device, token), (iii) something you are (e.g., biometric), or (iv) you are where you say you are (e.g., GPS token). See authentication. (Source: Adapted from NIST 800-53)

network architecture: A framework that describes the structure and behavior of communications among IT and/or OT assets and prescribes rules for interaction and interconnection. See enterprise architecture and cybersecurity architecture. (Source: Adapted from CNSSI 4009, IA architecture)

objective(s): See domain objectives and organizational objectives.

operating picture: Real-time (or near-real-time) awareness of the operating state of a system or function. An operating picture is formed from data collected from various trusted information sources that may be internal or external to the system or function (e.g., temperature, weather events and warnings, cybersecurity alerts). The operating picture may or may not be presented graphically. It involves the collection, analysis (including fusion), and distribution of what is important to know to make decisions about the operation of the system. A common operating picture (COP) is a single operating picture that is available to the stakeholders of the system or function so that all stakeholders can make decisions based on the same reported operating state. See common operating picture. (Source: ONG-C2M2)

operational resilience: The organization’s ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management, supported and enabled by activities such as security and business continuity. A subset of enterprise resilience, operational resilience focuses on the organization’s ability to manage operational risk, whereas enterprise resilience encompasses additional areas of risk such as business risk and credit risk. See the related term operational risk. (Source: CERT RMM)

operating states: See pre-defined states of operation. (Source: ONG-C2M2)

operational risk: The potential impact on assets and their related services that could result from inadequate or failed internal processes, failures of systems or technology, the deliberate or inadvertent actions of people, or external events. In the context of this model, our focus is on operational risk from cybersecurity threats. (Source: Adapted from CERT RMM)

operations technology (OT): Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms. (Source: ONG-C2M2)

organization: An organization of any size, complexity, or positioning within an organizational structure that is charged with carrying out assigned mission and business processes and that uses IT and OT in support of those processes. In the context of the model, the organization is the entity using the model or that is under examination. (Source: Adapted from DOE RMP)

organizational objectives: Performance targets set by an organization. See strategic objectives. (Source: Adapted from CERT RMM)

periodic review/activity: A review or activity that occurs at specified, regular time intervals, where the organization-defined frequency is commensurate with risks to organizational objectives and critical infrastructure. (Source: Adapted from SEI CMM Glossary)

personal information: Information that reveals details, either explicitly or implicitly, about a specific individual’s household dwelling or other type of premises. This is expanded beyond the normal "individual" component because there are serious privacy impacts for all individuals living in one dwelling or premise. This can include items such as energy use patterns or other types of activities. The pattern can become unique to a household or premises just as a fingerprint or DNA is unique to an individual. (Source: NISTIR 7628 Vol. 3, Glossary)

physical control: A type of control that prevents physical access to and modification of information assets or physical access to technology and facilities. Physical controls often include such artifacts as card readers and physical barrier methods. (Source: CERT RMM)

plan: A detailed formulation of a program of action. (Source: Merriam-Webster.com)

policy: A high-level overall plan embracing the general goals and acceptable procedures of an organization. (Source: Merriam-Webster.com)

position description: A set of responsibilities that describe a role or roles filled by an employee. Also known as a job description. (Source: ONG-C2M2)

practice: An activity described in the model that can be performed by an organization to support a domain objective. The purpose of these activities is to achieve and sustain an appropriate level of cybersecurity for the function, commensurate with the risk to critical infrastructure and organizational objectives. (Source: ONG-C2M2)

pre-defined states of operation: Distinct operating modes (which typically include specific IT and OT configurations as well as alternate or modified procedures) that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resiliency, reliability, and/or cybersecurity. For example, a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cybersecurity incident of sufficient severity. The high-security operating state may trade off efficiency and ease of use in favor of increased security by blocking remote access and requiring a higher level of authentication and authorization for certain commands until a return to the normal state of operation is deemed safe. (Source: ONG-C2M2)
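
The high-security operating mode described in the pre-defined states of operation entry can be made concrete as a small state controller whose authorization decisions depend on the current state. The following is an added illustration, not code from ONG-C2M2 or from any DOE tool; the state names, the severity threshold, the list of sensitive commands, the role names and the audit trail format are all assumptions chosen for the example.

```python
"""Constructed example: a pre-defined high-security operating state.

Not part of ONG-C2M2. State names, SHIFT_SEVERITY, SENSITIVE_COMMANDS and the
role names are assumptions made for illustration.
"""
from enum import Enum


class OperatingState(Enum):
    NORMAL = "normal"
    HIGH_SECURITY = "high-security"


# Assumed severity scale for declared incidents; an incident at or above this
# level invokes the high-security state.
SHIFT_SEVERITY = 3

# Commands that the high-security state treats as sensitive (assumed list).
SENSITIVE_COMMANDS = {"setpoint_write", "firmware_update", "acl_change"}


class StateController:
    """Tracks the operating state and applies state-dependent authorization."""

    def __init__(self):
        self.state = OperatingState.NORMAL
        self.transitions = []  # audit trail of (from_state, to_state, reason)

    def on_incident_declared(self, severity: int, incident_id: str) -> OperatingState:
        """Shift to high-security when a declared incident is severe enough."""
        if severity >= SHIFT_SEVERITY and self.state is OperatingState.NORMAL:
            self._shift(OperatingState.HIGH_SECURITY,
                        f"incident {incident_id} declared at severity {severity}")
        return self.state

    def on_return_deemed_safe(self, approver: str) -> OperatingState:
        """Return to the normal state only on an explicit, recorded approval."""
        if self.state is OperatingState.HIGH_SECURITY:
            self._shift(OperatingState.NORMAL, f"return to normal approved by {approver}")
        return self.state

    def _shift(self, new_state: OperatingState, reason: str) -> None:
        self.transitions.append((self.state.value, new_state.value, reason))
        self.state = new_state

    def authorize(self, command: str, remote: bool, mfa_verified: bool,
                  role: str) -> tuple:
        """Decide whether a command may run; returns (allowed, reason).

        In the high-security state remote access is blocked outright and
        sensitive commands need multifactor authentication plus the
        control_engineer role, mirroring the trade-off the definition describes.
        """
        if self.state is OperatingState.HIGH_SECURITY:
            if remote:
                return False, "remote access is blocked in the high-security state"
            if command in SENSITIVE_COMMANDS and not (mfa_verified and role == "control_engineer"):
                return False, "sensitive command needs MFA and control_engineer role in high-security state"
        # Baseline policy for the normal state (assumed): sensitive commands are
        # limited to two roles, other commands are open to any authenticated role.
        if command in SENSITIVE_COMMANDS and role not in ("control_engineer", "supervisor"):
            return False, "role is not permitted to issue sensitive commands"
        return True, "allowed"


if __name__ == "__main__":
    ctl = StateController()
    print(ctl.authorize("setpoint_write", remote=True, mfa_verified=False, role="control_engineer"))
    ctl.on_incident_declared(4, "INC-EXAMPLE-1")
    print(ctl.authorize("setpoint_write", remote=True, mfa_verified=True, role="control_engineer"))
    print(ctl.transitions)
```

The transitions list is the audit trail a reviewer would want after the fact: every shift records who or what triggered it, and the return to normal requires a named approver rather than a timeout, which keeps the "deemed safe" decision an explicit human step.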

procedure: In this model, procedure is synonymous with process.

process: A series of discrete activities or tasks that contribute to the fulfillment of a task or mission. (Source: CERT RMM, Business Process)

provisioning: The process of assigning or activating an identity profile and its associated roles and access privileges. See also deprovisioning. (Source: CERT RMM)

recovery time objectives: Documented goals and performance targets the organization sets for recovery of an interrupted function in order to meet critical infrastructure and organizational objectives. (Source: ONG-C2M2)

refining: The control or management of any operation by which the physical or chemical characteristics of oil or products are changed, but exclusive of the operations of passing oil through separators to remove gas, placing oil in settling tanks to remove basic sediment and water, dehydrating oil, and generally cleaning and purifying oil. (Source: Natural Resources, Office of Conservation – General Operations, Louisiana Administrative Code, Title 43, Part XIX, March 2013)

risk: A measure of the extent to which an organization is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence. (Source: DOE RMP)

risk analysis: A risk management activity focused on understanding the condition and potential consequences of risk, prioritizing risks, and determining a path for addressing risks. Determines the importance of each identified risk and is used to facilitate the organization’s response to the risk. (Source: Adapted from CERT RMM)

risk assessment: The process of identifying risks to organizational operations (including mission, functions, image, reputation), resources, other organizations, and the Nation, resulting from the operation of an IT and ICS. (Source: DOE RMP)

risk criteria: Objective criteria that the organization uses for evaluating, categorizing, and prioritizing operational risks based on impact, tolerance for risk, and risk response approaches. (Source: ES-C2M2)

risk designation (as in "position risk designation"): An indication, such as high, medium, or low, of the position’s potential for adverse impact to the efficiency, integrity, or availability of the organization’s services. (Source: Adapted from OPM)

risk disposition: A statement of the organization’s intention for addressing an operational risk. Typically limited to "accept," "transfer," "research," or "mitigate." (Source: CERT RMM)

risk management program: The program and supporting processes to manage cybersecurity risk to organizational operations (including mission, functions, image, reputation), resources, other organizations, and the Nation. It includes (1) establishing the context for risk-related activities, (2) assessing risk, (3) responding to risk once determined, and (4) monitoring risk over time. (Source: DOE RMP)

risk management (RM): The ONG-C2M2 domain with the purpose to establish, operate, and maintain an enterprise cybersecurity risk management program to identify, analyze, and mitigate cybersecurity risk to the organization, including its business units, subsidiaries, related interconnected infrastructure, and stakeholders. (Source: ONG-C2M2)

risk management strategy: Strategic-level decisions on how senior executives manage risk to an organization’s operations, resources, and other organizations. (Source: DOE RMP)

risk mitigation: Prioritizing, evaluating, and implementing appropriate risk-reducing controls. (Source: DOE RMP)

risk mitigation plan: A strategy for mitigating risk that seeks to minimize the risk to an acceptable level. (Source: CERT RMM)

risk parameter/risk parameter factors: Organization-specific risk tolerances used for consistent measurement of risk across the organization. Risk parameters include risk tolerances and risk measurement criteria. (Source: CERT RMM)

risk register: A structured repository where identified risks are recorded to support risk management. (Source: ONG-C2M2)

risk response: Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations, resources, and other organizations. (Source: DOE RMP)

risk taxonomy: The collection and cataloging of common risks that the organization is subject to and must manage. The risk taxonomy is a means for communicating these risks and for developing mitigation actions specific to an organizational unit or line-of-business if operational assets and services are affected by them. (Source: Adapted from CERT RMM)
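
The risk entries above (risk as a function of impact and likelihood, risk criteria, risk disposition, risk register and risk taxonomy) fit together in practice as a single register that scores each recorded risk, ranks it against the organization's criteria and records the chosen disposition. The block below is an added example showing that fit; it is not code from ONG-C2M2 or from DOE. The 1-to-5 ordinal scales, the priority thresholds, the taxonomy category names and the three sample risks are assumptions constructed for the example, and the four disposition values are the ones the risk disposition entry lists.

```python
"""Constructed example of a risk register built from the glossary's risk terms.

Not part of ONG-C2M2. The scales, thresholds, taxonomy categories and sample
risks below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# risk disposition: the glossary limits it to these four statements of intent
DISPOSITIONS = ("accept", "transfer", "research", "mitigate")

# risk criteria (assumed): ordinal scales for impact and likelihood, and
# thresholds on their product that place a score in a priority band
IMPACT_SCALE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
PRIORITY_BANDS = ((15, "high"), (8, "medium"), (0, "low"))  # band applies when score >= threshold


@dataclass
class Risk:
    risk_id: str
    description: str
    taxonomy: str          # category from the organization's risk taxonomy (assumed names)
    impact: str
    likelihood: str
    disposition: Optional[str] = None
    owner: Optional[str] = None

    def score(self) -> int:
        """Risk as a function of adverse impact and likelihood (the DOE RMP definition)."""
        return IMPACT_SCALE[self.impact] * LIKELIHOOD_SCALE[self.likelihood]

    def priority(self) -> str:
        score = self.score()
        for threshold, band in PRIORITY_BANDS:
            if score >= threshold:
                return band
        return "low"


class RiskRegister:
    """Structured repository of identified risks (the risk register entry)."""

    def __init__(self):
        self._risks = {}

    def record(self, risk: Risk) -> None:
        # Reject entries that fall outside the risk criteria or duplicate an id,
        # so the register stays consistent enough to compare risks against each other.
        if risk.impact not in IMPACT_SCALE or risk.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"{risk.risk_id}: impact or likelihood outside the risk criteria")
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def set_disposition(self, risk_id: str, disposition: str, owner: str) -> None:
        if disposition not in DISPOSITIONS:
            raise ValueError(f"disposition must be one of {DISPOSITIONS}")
        risk = self._risks[risk_id]
        risk.disposition = disposition
        risk.owner = owner

    def prioritized(self) -> list:
        """Risks ordered highest score first; ties broken by id for a stable report."""
        return sorted(self._risks.values(), key=lambda r: (-r.score(), r.risk_id))

    def undispositioned(self, band: str = "high") -> list:
        """Ids of risks in the given band with no recorded disposition: the review backlog."""
        return [r.risk_id for r in self.prioritized()
                if r.priority() == band and r.disposition is None]


def build_sample_register() -> RiskRegister:
    """Three constructed risks; the ids, wording and ratings are illustrative only."""
    reg = RiskRegister()
    reg.record(Risk("R-001", "Unpatched remote access gateway into the control network",
                    "technology failure", "severe", "likely"))
    reg.record(Risk("R-002", "Historian backups are never restore-tested",
                    "internal process", "severe", "possible"))
    reg.record(Risk("R-003", "Contractor laptop with site drawings lost",
                    "external event", "minor", "unlikely"))
    reg.set_disposition("R-001", "mitigate", "OT security lead")
    reg.set_disposition("R-003", "accept", "site manager")
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.prioritized():
        print(r.risk_id, r.score(), r.priority(), r.disposition or "(no disposition yet)")
    print("high-priority risks awaiting a disposition:", register.undispositioned())
```

The useful output for a risk management review is the last line: high-band risks that nobody has yet accepted, transferred, researched or mitigated. Validating ratings against the scale at record time is what makes scores comparable across business units, which is the point the risk parameter entry makes about consistent measurement.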

role: A group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks. (Source: CNSSI 4009)

secure software development: Developing software using recognized processes, secure coding standards, best practices, and tools that have been demonstrated to minimize security vulnerabilities in software systems throughout the software development life cycle. An essential aspect is to engage programmers and software architects who have been trained in secure software development. (Source: ONG-C2M2)

separation of duties: [A security control that] "addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Organizations with significant personnel limitations may compensate for the separation of duty security control by strengthening the audit, accountability, and personnel security controls." (Source: NIST 800-53, pp. 31, F-13)
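
The separation of duties control quoted above is easiest to verify mechanically: list the function combinations one individual must not hold, then check every identity's assignments against that list. The following is an added example of such a check, not code from ONG-C2M2 or NIST 800-53. The function names, the conflict pairs (which follow items (i) to (iii) of the quoted definition), the sample assignments and the idea of recording which violations are covered by compensating controls are all assumptions made for the example.

```python
"""Constructed example: a separation-of-duties check over role assignments.

Not part of ONG-C2M2 or NIST 800-53. Function names, conflict pairs and the
sample assignments are assumptions chosen to mirror the quoted definition.
"""

# Combinations of functions that a single individual must not hold. Each pair
# traces to an example in the definition: (iii) access control vs. audit,
# (ii) separate support functions, (i) mission functions vs. system support.
CONFLICTS = {
    frozenset({"access_control_admin", "audit_admin"}),           # (iii)
    frozenset({"programming", "quality_assurance"}),              # (ii)
    frozenset({"system_management", "configuration_management"}), # (ii)
    frozenset({"mission_operations", "system_support"}),          # (i)
}


def find_sod_violations(assignments: dict) -> list:
    """Return (identity, conflicting_pair) for every prohibited combination held.

    assignments maps an identity to the set of functions it is assigned.
    Output is ordered by identity, then by pair, so reports are reproducible.
    """
    violations = []
    for identity, functions in sorted(assignments.items()):
        for pair in sorted(CONFLICTS, key=sorted):
            if pair <= functions:          # the identity holds both functions
                violations.append((identity, pair))
    return violations


def uncompensated(violations: list, compensated_identities: set) -> list:
    """Violations not covered by strengthened audit, accountability or personnel
    security controls; the definition allows that compensation for small teams,
    but it should be an explicit, recorded decision rather than a silent gap."""
    return [(identity, pair) for identity, pair in violations
            if identity not in compensated_identities]


# Constructed sample assignments; the names are illustrative only.
SAMPLE_ASSIGNMENTS = {
    "alice": {"access_control_admin", "audit_admin"},                      # conflict (iii)
    "bob":   {"programming"},
    "carol": {"quality_assurance", "network_security"},
    "dave":  {"system_management", "configuration_management", "audit_admin"},  # conflict (ii)
}


if __name__ == "__main__":
    found = find_sod_violations(SAMPLE_ASSIGNMENTS)
    for identity, pair in found:
        print(f"{identity}: holds {sorted(pair)}")
    # Suppose dave's combination was accepted with extra audit review recorded.
    for identity, pair in uncompensated(found, {"dave"}):
        print(f"needs action: {identity} {sorted(pair)}")
```

Running the check against an export of actual role assignments, rather than against the policy document, is what turns the definition into a detection: the policy says the functions are separated, the export shows whether they are.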

service level agreement (SLA): Defines the specific responsibilities of the service provider, including the satisfaction of any relevant cybersecurity requirements, and sets the customer’s expectations regarding the quality of service to be provided. (Source: Adapted from CNSSI 4009)

situational awareness: A sufficiently accurate and up-to-date understanding of the past, current, and projected future state of a system (including its cybersecurity safeguards), in the context of the threat environment and risks to the system’s mission, to support effective decision making with respect to activities that depend on and/or affect how well a system functions. It involves the collection of data (e.g., via sensor networks), data fusion, and data analysis (which may include modeling and simulation) to support automated and/or human decision making (for example, concerning OT system functions). Situational awareness also involves the presentation of the results of the data analysis in a form (e.g., using data visualization techniques, appropriate use of alarms) that aids human comprehension and allows operators or other personnel to quickly grasp the key elements needed for good decision making. (Source: Adapted from SGMM Glossary)

situational awareness (SA): The ONG-C2M2 domain with the purpose to establish and maintain activities and technologies to collect, analyze, alarm, present, and use cybersecurity information, including status and summary information from the other model domains, to form a common operating picture (COP), commensurate with the risk to critical infrastructure and organizational objectives. (Source: ONG-C2M2)

sponsorship: Enterprise-wide support of cybersecurity objectives by senior management as demonstrated by formal policy or by declarations of management’s commitment to the cybersecurity program along with provision of resources. Senior management monitors the performance and execution of the cybersecurity program and is actively involved in the ongoing improvement of all aspects of the cybersecurity program. (Source: ONG-C2M2)

Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model Version 1.1 GLOSSARY

Term Definition Source


stakeholder
An external organization or an internal or external person or group that has a
vested interest in the organization or function (that is being evaluated using this
model) and its practices. Stakeholders involved in performing a given practice
(or who oversee, benefit from, or are dependent upon the quality with which
the practice is performed) could include those from within the function, from
across the organization, or from outside the organization.
Source: Adapted from CERT RMM

standard
A standard is a document, established by consensus, that provides rules,
guidelines, or characteristics for activities or their results. See guidelines.
Source: Adapted from ISO/IEC Guide 2:2004

states of operation
See pre-defined states of operation.

strategic objectives
The performance targets that the organization sets to accomplish its mission,
vision, values, and purpose.
Source: CERT RMM

strategic planning
The process of developing strategic objectives and plans for meeting these
objectives.
Source: CERT RMM

supply chain
The set of organizations, people, activities, information, and resources for
creating and moving a product or service (including its sub-elements) from
suppliers through to an organization’s customers.
The supply chain encompasses the full product life cycle and includes design,
development, and acquisition of custom or commercial off-the-shelf (COTS)
products, system integration, system operation (in its environment), and
disposal. People, processes, services, products, and the elements that make
up the products wholly impact the supply chain.
Source: NISTIR 7622 (source of the first paragraph cited there as [NDIA ESA])

supply chain risk
Supply chain risk is measured by the likelihood and severity of damage if an IT
or OT system is compromised by a supply chain attack, and takes into account
the importance of the system and the impact of compromise on organizational
operations and assets, individuals, other organizations, and the Nation.
Supply chain attacks may involve manipulating computing system hardware,
software, or services at any point during the life cycle. Supply chain attacks are
typically conducted or facilitated by individuals or organizations that have
access through commercial ties, leading to stolen critical data and technology,
corruption of the system/infrastructure, and/or disabling of mission-critical
operations. See risks and supply chain.
Source: Adapted from NIST 7622, pg. 7 and pg. 10

supply chain and external dependencies management (EDM)
The ONG-C2M2 domain with the purpose to establish and maintain controls to
manage the cybersecurity risks associated with services and assets that are
dependent on external entities, commensurate with the risk to critical
infrastructure and organizational objectives.
Source: ONG-C2M2

threat
Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), resources, and
other organizations through IT, OT, or communications infrastructure via
unauthorized access, destruction, disclosure, modification of information,
and/or denial of service.
Source: Adapted from DOE RMP



threat and vulnerability management (TVM)
The ONG-C2M2 domain with the purpose to establish and maintain plans,
procedures, and technologies to detect, identify, analyze, manage, and
respond to cybersecurity threats and vulnerabilities, commensurate with the
risk to the organization’s infrastructure (e.g., critical, IT, operational) and
organizational objectives.
Source: ONG-C2M2

threat assessment
The process of evaluating the severity of a threat to an IT or ICS system, or to
an organization, and describing the nature of the threat.
Source: DOE RMP

threat profile
A characterization of the likely intent, capability, and targets for threats to the
function. It is the result of one or more threat assessments across the range of
feasible threats to the IT and OT of an organization and to the organization
itself, delineating the feasible threats, describing the nature of the threats, and
evaluating their severity.
Source: ONG-C2M2

threat source
An intent and method targeted at the intentional exploitation of a vulnerability or
a situation, or a method that may accidentally exploit a vulnerability.
Source: DOE RMP

traceability
The ability to determine whether or not a given attribute of the current state is
valid (e.g., the current configuration of a system or the purported identity of a
user) based on the evidence maintained in a historical record showing how the
attribute was originally established and how it has changed over time.
Source: ONG-C2M2

upstream activities
Business category of the petroleum industry involving exploration and
production (e.g., offshore oil/gas production facility, drilling rig, intervention
vessel).
Source: API STD 689, Collection and Exchange of Reliability and Maintenance
Data for Equipment, First Edition, July 2007

upstream dependencies
External parties on which the delivery of the function depends, including
suppliers and some operating partners.
Source: ONG-C2M2

validate
Collect and evaluate evidence to confirm or establish the quality of something
(e.g., information, a model, a product, a system, or component) with respect to
its fitness for a particular purpose.
Source: ONG-C2M2

vulnerability
A cybersecurity vulnerability is a weakness or flaw in IT, OT, or
communications systems or devices, system procedures, internal controls, or
implementation that could be exploited by a threat source. A vulnerability class
is a grouping of common vulnerabilities.
Source: Adapted from NISTIR 7628 Vol. 1, p. 8

vulnerability assessment
Systematic examination of an IT system or product to determine the adequacy
of cybersecurity measures, identify security deficiencies, provide data from
which to predict the effectiveness of proposed cybersecurity measures, and
confirm the adequacy of such measures after implementation.
Source: DOE RMP



workforce life cycle
For the purpose of this model, the workforce life cycle comprises the distinct
phases of workforce management that apply to personnel both internal and
external to the organization. Specific cybersecurity implications and requirements
are associated with each life cycle phase. The workforce life cycle includes
recruiting, hiring, onboarding, skill assessments, training and certification,
assignment to roles (deployment), professional growth and development,
re-assignment and transfers, promotions and demotions, succession planning, and
termination or retirement. The phases may not be in strict sequence, and some
phases (like training, re-assignment, and promotions) may recur.
Source: ONG-C2M2

workforce management (WM)
The ONG-C2M2 domain with the purpose to establish and maintain plans,
procedures, technologies, and controls to create a culture of cybersecurity and
to ensure the ongoing suitability and competence of personnel, commensurate
with the risk to critical infrastructure and organizational objectives.
Source: ONG-C2M2

workforce management objectives
See cybersecurity workforce management objectives.


APPENDIX C: ACRONYMS

Acronym: Definition
C2M2: Cybersecurity Capability Maturity Model
CBA: cost-benefit analysis
CERT®-RMM: CERT® Resilience Management Model
COP: common operating picture
COTS: commercial off-the-shelf
CVSS: Common Vulnerability Scoring System
DHS: Department of Homeland Security
DOE: Department of Energy
ES-C2M2: Electricity Subsector Cybersecurity Capability Maturity Model
ICS: industrial control system
ICS-CERT: Industrial Control Systems Cyber Emergency Response Team
ICSJWG: Industrial Control Systems Joint Working Group
IEC: International Electrotechnical Commission
ISAC: Information Sharing and Analysis Center
IT: information technology
MIL: maturity indicator level
NIST: National Institute of Standards and Technology
ONG-C2M2: Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model
OT: operations technology
RPO: recovery point objective
RTO: recovery time objective
RMP: Electricity Subsector Cybersecurity Risk Management Process Guideline
SCADA: supervisory control and data acquisition
SEI: Software Engineering Institute
SLA: service level agreement
US-CERT: United States Computer Emergency Readiness Team
VoIP: Voice over Internet Protocol


NOTICES

This material is based on the Technical Report, “Electricity Subsector Cybersecurity Capability
Maturity Model Version 1.0 (ES-C2M2)” © 2012 Carnegie Mellon University. This version of
ONG-C2M2 is being released and maintained by the U.S. Department of Energy (DOE). The U.S.
Government has, at minimum, unlimited rights to use, modify, reproduce, release, perform,
display, or disclose this version of the ONG-C2M2 or corresponding toolkits provided by DOE, as
well as the right to authorize others, and hereby authorizes others, to do the same.
ONG-C2M2 was created with the funding and support of DOE under the Federal Government
Contract Number FA8721-05-C-0003 between the U.S. Department of Defense and Carnegie
Mellon University for the operation of the Software Engineering Institute, a federally funded
research and development center.

Capability Maturity Model® is a registered trademark of Carnegie Mellon University.