DOE Cybersecurity Capability Maturity Model v2.1

A voluntary cybersecurity maturity model developed by the Department of Energy for the energy sector. It has 10 domains covering asset management, threat and vulnerability management, risk management, identity and access management, situational awareness, event and incident response, third-party risk management, workforce management, cybersecurity architecture, and program management. Each domain is assessed across Maturity Indicator Levels (MIL 0-3), which measure the progression of organizational capability. It is used by electric utilities, oil and gas companies, and other energy subsectors for self-assessment.

AC Access Control

Control | Name | DOE C2M2 v2.1 References
AC-02 | Account Management | ACCESS
AC-03 | Access Enforcement | ACCESS
AC-04 | Information Flow Enforcement | ARCHITECTURE
AC-05 | Separation Of Duties | ACCESS
AC-06 | Least Privilege | ACCESS
AC-07 | Unsuccessful Login Attempts | ACCESS
AC-17 | Remote Access | ACCESS

AT Awareness and Training

Control | Name | DOE C2M2 v2.1 References
AT-01 | Security Awareness And Training Policy And Procedures | WORKFORCE
AT-02 | Security Awareness | WORKFORCE
AT-03 | Security Training | WORKFORCE
AT-04 | Security Training Records | WORKFORCE

AU Audit and Accountability

Control | Name | DOE C2M2 v2.1 References
AU-02 | Auditable Events | SITUATION
AU-03 | Content Of Audit Records | SITUATION
AU-06 | Audit Monitoring, Analysis, And Reporting | SITUATION

CA Security Assessment and Authorization

Control | Name | DOE C2M2 v2.1 References
CA-07 | Continuous Monitoring | SITUATION

CM Configuration Management

Control | Name | DOE C2M2 v2.1 References
CM-02 | Baseline Configuration | ASSET
CM-03 | Configuration Change Control | ASSET
CM-05 | Access Restrictions For Change | ASSET
CM-06 | Configuration Settings | ASSET
CM-07 | Least Functionality | ASSET
CM-08 | Information System Component Inventory | ASSET
CM-09 | Configuration Management Plan | ASSET

CP Contingency Planning

Control | Name | DOE C2M2 v2.1 References
CP-01 | Contingency Planning Policy And Procedures | RESPONSE
CP-02 | Contingency Plan | RESPONSE
CP-04 | Contingency Plan Testing And Exercises | RESPONSE
CP-09 | Information System Backup | RESPONSE
CP-10 | Information System Recovery And Reconstitution | RESPONSE

IA Identification and Authentication

Control | Name | DOE C2M2 v2.1 References
IA-02 | User Identification And Authentication | ACCESS
IA-03 | Device Identification And Authentication | ACCESS
IA-04 | Identifier Management | ACCESS
IA-05 | Authenticator Management | ACCESS
IA-08 | Identification and Authentication (Non-Organizational Users) | ACCESS
IA-12 | Identity Proofing | ACCESS

IR Incident Response

Control | Name | DOE C2M2 v2.1 References
IR-01 | Incident Response Policy And Procedures | RESPONSE
IR-02 | Incident Response Training | RESPONSE
IR-03 | Incident Response Testing And Exercises | RESPONSE
IR-04 | Incident Handling | RESPONSE
IR-05 | Incident Monitoring | SITUATION, RESPONSE
IR-06 | Incident Reporting | RESPONSE
IR-08 | Incident Response Plan | RESPONSE

PL Planning

Control | Name | DOE C2M2 v2.1 References
PL-01 | Security Planning Policy And Procedures | PROGRAM
PL-02 | System Security Plan | PROGRAM
PL-08 | Security and Privacy Architectures | ARCHITECTURE

PM Program Management

Control | Name | DOE C2M2 v2.1 References
PM-01 | Information Security Program Plan | PROGRAM
PM-02 | Information Security Program Leadership Role | PROGRAM
PM-03 | Information Security and Privacy Resources | PROGRAM
PM-04 | Plan of Action and Milestones Process | PROGRAM
PM-05 | System Inventory | ASSET
PM-06 | Measures of Performance | PROGRAM
PM-09 | Risk Management Strategy | RISK, PROGRAM
PM-13 | Security and Privacy Workforce | WORKFORCE
PM-14 | Testing, Training, and Monitoring | PROGRAM
PM-15 | Security and Privacy Groups and Associations | THREAT
PM-16 | Threat Awareness Program | THREAT
PM-28 | Risk Framing | RISK
PM-30 | Supply Chain Risk Management Strategy | THIRD

PS Personnel Security

Control | Name | DOE C2M2 v2.1 References
PS-01 | Personnel Security Policy And Procedures | WORKFORCE
PS-02 | Position Categorization | WORKFORCE
PS-03 | Personnel Screening | WORKFORCE
PS-04 | Personnel Termination | WORKFORCE
PS-06 | Access Agreements | WORKFORCE
PS-07 | Third-Party Personnel Security | WORKFORCE

RA Risk Assessment

Control | Name | DOE C2M2 v2.1 References
RA-01 | Risk Assessment Policy And Procedures | RISK
RA-02 | Security Categorization | THREAT, RISK
RA-03 | Risk Assessment | THREAT, RISK
RA-05 | Vulnerability Scanning | THREAT
RA-07 | Risk Response | THREAT, RISK
RA-09 | Criticality Analysis | THREAT

SA System and Services Acquisition

Control | Name | DOE C2M2 v2.1 References
SA-04 | Acquisitions | THIRD
SA-08 | Security Engineering Principles | ARCHITECTURE
SA-09 | External Information System Services | THIRD
SA-17 | Developer Security and Privacy Architecture and Design | ARCHITECTURE

SC System and Communications Protection

Control | Name | DOE C2M2 v2.1 References
SC-07 | Boundary Protection | ARCHITECTURE
SC-32 | System Partitioning | ARCHITECTURE
SC-46 | Cross Domain Policy Enforcement | ARCHITECTURE
SC-48 | Sensor Relocation | SITUATION

SI System and Information Integrity

Control | Name | DOE C2M2 v2.1 References
SI-02 | Flaw Remediation | THREAT
SI-04 | Information System Monitoring Tools And Techniques | SITUATION
SI-05 | Security Alerts And Advisories | THREAT

SR Supply Chain Risk Management

Control | Name | DOE C2M2 v2.1 References
SR-01 | Policy and Procedures | THIRD
SR-02 | Supply Chain Risk Management Plan | THIRD
SR-03 | Supply Chain Controls and Processes | THIRD
SR-05 | Acquisition Strategies, Tools, and Methods | THIRD
SR-06 | Supplier Assessments and Reviews | THIRD