Daily Rules, Proposed Rules, and Notices of the Federal Government
To ensure receipt of the comments by the due date, submission by email (
The proposed collection is based on the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2). The model structure includes domains—logical groupings of cybersecurity risk management activities—and maturity indicator levels (MILs). The content within each domain includes characteristics, which are expressions of domain activities at each level of maturity. The model, using the Self-Evaluation Survey document, can be used by various electricity subsector entities to identify best practices and potential resource allocations for cybersecurity in terms of supply chain management, information sharing, asset, change and configuration management, and risk management, among others. It is imperative that the owners and operators of the nation's electric utilities, as well as the government agencies supporting the subsector, have the ability to understand what capabilities and competencies will allow the sector to defend itself, and how to prioritize necessary investments. This program supports strategies identified in the White House Cyberspace Policy Review 2010 and the 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. DOE will collect survey results from voluntary participants of the ES-C2M2 program to analyze and compare results across the industry to better understand the subsector's overall cybersecurity capabilities. The collected information will also be used to develop benchmarks that will be shared with program participants.
This information collection request contains: (1) OMB No. New; (2) Information Collection Request Title: Electricity Subsector Cybersecurity Capability Maturity Model Program; (3) Type of Request: New; (4) Purpose: The Department of Energy, at the request of the White House, and in collaboration with DHS and industry experts, has developed a maturity model with owners, operators and subject matter experts to meet their request to identify and prioritize cybersecurity capabilities relative to risk and cost; (5) Annual Estimated Number of Respondents: 250; (6) Annual Estimated Number of Total Responses: 250; (7) Annual Estimated Number of Burden Hours: 2000; (8) Annual Estimated Reporting and Recordkeeping Cost Burden: $100,000.
Section 301 of the Department of Energy Organization Act, codified at 42 U.S.C. 7151.