← Frameworks / Maturity Model

DOE Cybersecurity Capability Maturity Model v2.1

Voluntary cybersecurity maturity model developed by the Department of Energy for the energy sector. 10 domains covering asset management, threat and vulnerability management, risk management, identity and access management, situational awareness, event and incident response, third-party risk management, workforce management, cybersecurity architecture, and program management. Each domain assessed across Maturity Indicator Levels (MIL 0-3) measuring organizational capability progression. Used by electric utilities, oil and gas companies, and other energy subsectors for self-assessment.

Clauses: 10

Avg Coverage: 83.6%

Publisher: U.S. Department of Energy (DOE) Version: 2.1 (2022)

DOE C2M2 v2.1 → SP 800-53 SP 800-53 → DOE C2M2 v2.1 Coverage Analysis

Clause	Title	SP 800-53 Controls
ACCESS	Identity and Access Management	AC-02 AC-03 AC-05 AC-06 AC-07 AC-17 IA-02 IA-03 IA-04 IA-05 IA-08 IA-12
ARCHITECTURE	Cybersecurity Architecture	SC-07 SC-32 AC-04 PL-08 SA-08 SC-46 SA-17
ASSET	Asset, Change, and Configuration Management	CM-02 CM-03 CM-05 CM-06 CM-07 CM-08 CM-09 PM-05
PROGRAM	Cybersecurity Program Management	PM-01 PM-02 PM-03 PM-04 PM-06 PM-09 PM-14 PL-01 PL-02
RESPONSE	Event and Incident Response, Continuity of Operations	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-08 CP-01 CP-02 CP-04 CP-09 CP-10
RISK	Risk Management	RA-01 RA-02 RA-03 RA-07 PM-09 PM-28
SITUATION	Situational Awareness	AU-02 AU-03 AU-06 SI-04 CA-07 SC-48 IR-05
THIRD	Third-Party Risk Management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 PM-30
THREAT	Threat and Vulnerability Management	RA-02 RA-03 RA-05 RA-07 RA-09 PM-15 PM-16 SI-02 SI-05
WORKFORCE	Workforce Management	AT-01 AT-02 AT-03 AT-04 PS-01 PS-02 PS-03 PS-04 PS-06 PS-07 PM-13