Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” of February 2013, directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary Framework for reducing cyber risks to critical infrastructure. The Framework aims to be flexible and repeatable, while helping asset owners and operators manage cybersecurity risk.
On January 8, 2015, the Office of Electricity Delivery and Energy Reliability (OE) released guidance to help the energy sector establish or align existing cybersecurity risk management programs to meet the objectives of the Cybersecurity Framework released by NIST in February 2014. The Energy Sector Cybersecurity Framework Implementation Guidance discusses in detail how the Cybersecurity Capability Maturity Model (C2M2), which helps organizations evaluate, prioritize, and improve their own cybersecurity capabilities, maps to the framework. The guidance also recognizes that there are a number of other risk management tools, processes, standards, and guidelines already widely used by energy sector organizations that align well with the Cybersecurity Framework. In developing this guidance, OE collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council, and with other Sector Specific Agency representatives and interested government stakeholders.