The Energy Department today released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by the National Institutes of Standards and Technology (NIST) in February 2014.  The voluntary Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure and was developed in response to Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” through collaboration between industry and government.     

Strengthening the security and resilience of the nation’s critical infrastructure to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, privacy, and civil liberties is vital to national and economic security. Today’s release of the Energy Sector Cybersecurity Framework Implementation Guidance is another important step in helping industry create and sustain resilient systems that can survive a cyber incident while maintaining critical functions by helping organizations better understand how they can leverage the framework’s prioritized approach.  In developing this guidance, we collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council. We also coordinated with other Sector Specific Agency representatives and interested government stakeholders.   

As the Energy Sector-Specific Agency, the Energy Department worked closely with federal and private sector partners to ensure alignment between its Cybersecurity Capability Maturity Models (C2M2) and the framework. The guidance released today discusses in detail how the C2M2, which helps organizations evaluate, prioritize, and improve their own cybersecurity capabilities, maps to the framework. The guidance also recognizes that there are a number of other risk management tools, processes, standards, and guidelines already widely used by energy sector organizations that align well with the Cybersecurity Framework.  
 
The Energy Department has a long history of working closely with federal partners, including the Department of Homeland Security, and private partners on the cybersecurity of critical energy infrastructure. Since 2010, the Department has invested more than $150 million in cybersecurity research, development and commercialization projects led by industry, universities and national labs, including new technologies that strengthen the security of energy delivery system computers against unexpected activity and of communications between field devices and control centers. All of the Department’s cybersecurity activities align with the Roadmap to Achieve Energy Delivery Systems Cybersecurity, which was developed by industry, facilitated by the Energy Department, and released in September 2011. To learn more about the Department’s support of the Administration’s strategic and comprehensive approach to cybersecurity for the grid, visit the cybersecurity section of the Department’s Office of Electricity Delivery and Energy Reliability’s website.