Electric Sector Cybersecurity Risk Management Maturity Initiative

Electric Sector Cybersecurity Risk Management Maturity Initiative

002 ESCRMM PDF FILLABLE FORM 2012-05-10-1731

Electric Sector Cybersecurity Risk Management Maturity Initiative

OMB: 1910-5167

Document [pdf]
Download: pdf | pdf
OMB Control Number : xxxx-xxxx

Electricity Subsector
Cybersecurity Risk
Management Maturity
Initiative

FINAL
PILOT EVALUATION QUESTIONNAIRE

Disclaimer:
Completed form should be
considered sensitive and protected
accordingly.
Fillable PDF Form - version 2012-05-10

Electricity Subsector Cybersecurity Risk Management Maturity Initiative OMB Control Number : xxxx-xxxx

Contents
Part A: Information about the Organization ........................................................................................ 3
Part B: Questions by Domain ............................................................................................................. 4
Answer Scale and Scoring Process................................................................................................. 4
ASSET Domain .................................................................................................................................. 5
RISK Domain ..................................................................................................................................... 7
ACCESS Domain ............................................................................................................................... 9
WORKFORCE Domain .................................................................................................................... 11
DEPENDENCIES Domain ............................................................................................................... 14
THREAT Domain ............................................................................................................................. 17
RESPONSE Domain ........................................................................................................................ 20
SITUATION Domain ........................................................................................................................ 23
SHARING Domain ........................................................................................................................... 26
CYBER Domain ............................................................................................................................... 28

Glossary............................................................................................................................................ 33
Expiration Date: DD-MM-YYYY

Public reporting burden for this collection of information is estimated to average eight hours per response, including the
time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing
and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this
collection of information, including suggestions for reducing this burden, to Office of the Chief Information Officer, Records
Management Division, IM-23, Paperwork Reduction Project (1910-new), U.S. Department of Energy, 1000 Independence
Ave SW, Washington, DC, 20585-1290; and to the Office of Management and Budget (OMB), OIRA, Paperwork Reduction
Project (1910-new), Washington, DC 20503.

PILOT EVALUATION | DO NOT DISCLOSE

2

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Part A: Information about the Organization
NOTE: Questions 1 and 2 are part of the Draft Pilot Evaluation Question Set but do not have
input fields as this data will not be collected during pilot evaluations.
1.

Organization completing this questionnaire (include division if applicable)
a. Name
b. Address
c. Is the organization being assessed a subset of the overall organization?
d. If yes, please include the name of the overall organization

2.

Contact information for the person responsible for completing this questionnaire
a. Name
b. Email address
c. Phone

3.

Which of the following best characterizes your organization’s ownership structure?
a. Investor-owned
b. Cooperative
c. Government-owned by
i.
Municipality/City
ii.
State
iii.
Federal government

4.

Which electricity functions are performed by your organization (select all that apply):
a. Generation
b. Transmission
c. Distribution
d. Markets
e. Other: _____________

5.

For which function is this questionnaire being completed (select one)?
a. Generation
If Generation is selected, please provide your non-nuclear generation capacity in
megawatts: _______________
b. Transmission
If Transmission is selected, please provide the total generation capacity connected to your
transmission system in megawatts: _______________
c. Distribution
If Distribution is selected, please provide your customer meter count: _______________

PILOT EVALUATION | DO NOT DISCLOSE

3

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Part B: Questions by Domain
Answer Scale
To complete each question, select a response from the following scale that best describes the extent to
which the practice is implemented for the function selected (generation, transmission, distribution, or
markets).
4-point answer scale

The organization’s performance of the practice described in the model
is …

Fully implemented

Complete

Largely implemented

Complete, but with a recognized opportunity for improvement

Partially implemented

Incomplete; there are multiple opportunities for improvement

Not implemented

Absent; the practice is not performed in the organization

Scoring Process
The model defines four maturity indicator levels (MILs), and holds a fifth level in reserve for use in
future versions of the model. Each of the four defined levels is referenced by a number (0 through 3)
and a name, for example, “MIL3: Managed.” The Maturity Indicator Levels are:
MIL0: Incomplete
MIL1: Initiated
MIL2: Performed
MIL3: Managed
MILX: Reserved for future use
MIL0 through MIL3 define the maturity progression in the model. Each level describes the approach
and institutionalization of the practices in a domain at that MIL. The maturity indicator levels apply
independently to each domain. As a result there is the potential for different MIL ratings for the 10
domains. For example, an organization could be functioning at MIL1 in one domain, MIL2 in another
domain, and MIL3 in a third domain.
The MIL levels are cumulative within each domain; an organization must satisfy each of the
characteristics in a level and the predecessor level(s). For example, each of the characteristics in MIL1
and MIL2 must be satisfied for a domain in order to be rated MIL2 in the domain. Similarly,
characteristics in MIL1, MIL2, and MIL3 must be satisfied in order to be rated MIL3.
Completion of a MIL is computed from answer input provided for the questions presented in the ten
domains in Part B of this document. Each question describes a characteristic that can be answered
with the four point answer scale. The characteristics are assigned scores based on the answer
selected. The scores are assigned as follows:
‘Fully Implemented’ characteristic = Complete
‘Largely Implemented’ characteristic = Complete
‘Partially Implemented’ characteristic = Incomplete
‘Not Implemented’ characteristic = Incomplete

PILOT EVALUATION | DO NOT DISCLOSE

4

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

ASSET

ASSET Domain
Asset, Change, and Configuration Management
Manage the organization’s operational technology (OT) assets, information technology (IT) assets, and
communications devices, including both hardware and software, commensurate with the risk to critical
infrastructure and organizational objectives, including activities to:
•
Identify, inventory, and prioritize assets,
•
Manage asset configurations, and
•
Manage changes to assets and to the asset inventory.
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with asset inventory.
a. There is an inventory of assets that are important to the
TBD
delivery of the function
b. Inventory attributes include information to support the
TBD
cybersecurity strategy (e.g., location, asset owner,
security requirements, service dependencies, and
conformance of assets to relevant industry standards)
c. Inventoried assets are prioritized (e.g., critical versus
TBD
noncritical or a more complex range) based on their role
d. The asset inventory is current and complete for assets of
TBD
defined categories that are selected based on risk
analysis
e. Asset prioritization is informed by risk analysis (i.e., a
TBD
formal or structured risk analysis is used as the basis of
prioritization)

2.

Please rate your implementation of the following activities associated with asset configuration
management.
a. Selected assets are controlled to ensure they remain in a
TBD
common configuration (configuration management applies
in cases where it is desirable to ensure that multiple
assets are configured similarly)
b. Configuration baselines are established and kept current
TBD
for high priority assets
c. Configuration of assets are monitored for consistency with
TBD
baselines
d. Configuration baselines are designed to satisfy
TBD
cybersecurity objectives
e. Modifications to configuration baselines are subject to
TBD
defined change management policies

PILOT EVALUATION | DO NOT DISCLOSE

5

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

ASSET

3.

Please rate your implementation of the following activities associated with asset change
management.
a. Changes to inventoried assets are evaluated before being
TBD
implemented
b. Changes to inventoried assets are logged
TBD
c. Change management practices address the full lifecycle
TBD
of assets (i.e., acquisition, deployment, operation,
retirement)
d. Changes to assets are tested prior to being deployed
TBD
e. Changes to assets are tested for cybersecurity impact
TBD
prior to being deployed
f. Change logs include information about modifications that
TBD
impact the cybersecurity requirements of assets
(availability, integrity, confidentiality)

4.

Please rate your implementation of the following activities associated with planning and managing
Asset, Change, and Configuration Management activities.
a. One or more plans or procedures are in place that guide
TBD
the activities
b. One or more standards and/or guidelines have been
TBD
identified to inform the activities
c. One or more policies are in place that guide the activities
TBD
d. The policies include compliance requirements for
TBD
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
TBD
conformance with the policy
f. Stakeholders are identified and involved in the activities
TBD
g. Resources (people, funding, and tools) are provided to
TBD
support the activities
h. Responsibility and authority for the performance of the
TBD
activities are assigned to personnel
i. Personnel performing the activities have the skills and
TBD
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

6

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

RISK

RISK Domain
Risk Management
Establish, operate, and maintain a cybersecurity risk management and mitigation program to identify
and manage cybersecurity risk to the organization and its related interconnected infrastructure and
stakeholders.
• Strategy
• Sponsorship
• Program
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with risk management
strategy.
TBD
a. There is a notional risk management strategy
b. There is a documented risk management strategy
TBD
c. The strategy provides an approach for risk prioritization
TBD
d. Organizational risk goals and objectives (e.g., tolerance
TBD
for risk, risk avoidance approaches, risk parameter
factors) are defined
e. The risk management strategy is periodically updated to
TBD
reflect the current threat environment

2.

Please rate your implementation of the following activities associated with risk sponsorship.
a. Management encourages personnel who discover or
TBD
become aware of cybersecurity risks to the function to
communicate those risks
b. A risk management program has been established and
TBD
endorsed by management
c. Risk governance has been established (i.e., senior
TBD
management has established goals, sponsorship, and
accountability for the function’s Risk Management
activities, and periodically reviews performance to ensure
that strategic goals are being achieved).
d. The development and maintenance of Risk Management
TBD
policies and guidelines are sponsored

PILOT EVALUATION | DO NOT DISCLOSE

7

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

RISK

3.

Please rate your implementation of the following activities associated with the risk management
program.
a. Risk assessments and mitigation are performed
TBD
b. Risk assessments and mitigation are performed in
TBD
accordance with the risk management program’s
documented plan
c. Risks are identified, analyzed, disposed, and tracked to
TBD
closure in accordance with the risk management program
d. A network (IT and/or OT) architecture is used to support
TBD
risk analysis
e. The risk management program defines and operates risk
TBD
management policies and procedures that implement the
Risk Strategy
f. A current cybersecurity architecture is used to support risk
TBD
analysis
g. Risks are monitored and communicated to support
TBD
situational awareness
h. Pre-defined states of operation are defined and invoked
TBD
(manual or automated process) based on risk
i. An organization-specific risk taxonomy is documented and
TBD
is used in Risk Management activities

4.

Please rate your implementation of the following activities associated with planning and managing
Risk Management activities.
a. One or more plans or procedures are in place that guide
TBD
the activities
b. One or more standards and/or guidelines have been
TBD
identified to inform the activities
c. One or more policies are in place that guide the activities
TBD
d. The policies include compliance requirements for
TBD
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
TBD
conformance with the policy
f. Stakeholders are identified and involved in the activities
TBD
g. Resources (people, funding, and tools) are provided to
TBD
support the activities
h. Responsibility and authority for the performance of the
TBD
activities are assigned to personnel
i. Personnel performing the activities have the skills and
TBD
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

8

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

ACCESS

ACCESS Domain
Identity and Access Management
Create and manage identities for entities that may be granted logical or physical access to the
organization's assets. Control access to the organization's assets, commensurate with the risk to critical
infrastructure and organizational objectives.
• Identity management
• Access management
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with identity management
activities.
a. Identities are provisioned for personnel and other entities
TBD
who require access to assets (note that this does not
preclude shared identities)
b. Credentials are issued for personnel and devices that
TBD
require access to assets (e.g., passwords, smart cards,
certificates, keys)
c. Identity repositories are periodically reviewed and updated
TBD
to ensure validity (i.e. to ensure that the identities still
need access)
d. Identities are deprovisioned when no longer required
TBD
e. Standard procedures are implemented to provision and
TBD
deprovision identities
f. Credentials are periodically reviewed to ensure that they
TBD
are associated with the correct entities
g. Identity management is informed by risk analysis
TBD
h. Requirements for credentials are informed by the
TBD
function’s risk criteria (e.g., multifactor credentials for
higher risk access)
i. Identity management activities are coordinated with
TBD
Workforce Management activities to ensure that personnel
identities are valid

PILOT EVALUATION | DO NOT DISCLOSE

9

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

ACCESS

2.

3.

Please rate your implementation of the following activities associated with access management
activities.
a. Access requirements, including those for remote access,
TBD
are determined
b. Access is granted to identities based on requirements
TBD
c. Access is revoked when no longer required
TBD
d. Access requests are reviewed and approved by the asset
TBD
owner
e. Standard procedures are implemented to grant and
TBD
revoke access (e.g., Role-based access control)
TBD
f. Access privileges are periodically reviewed and updated
to ensure validity
g. Least privilege and separation of duties principles are
TBD
applied
h. Access to assets is granted by the asset owner based on
TBD
risk to the function
i. Anomalous access attempts are monitored to inform
TBD
situational awareness
Please rate your implementation of the following activities associated with planning and managing
Identity and Access Management activities.
a. One or more plans or procedures are in place that guide
the activities
b. One or more standards and/or guidelines have been
identified to inform the activities
c. One or more policies are in place that guide the activities
d. The policies include compliance requirements for
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
conformance with the policy
f. Stakeholders are identified and involved in the activities
g. Resources (people, funding, and tools) are provided to
support the activities
h. Responsibility and authority for the performance of the
activities are assigned to personnel
i. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

10

TBD
TBD

TBD
TBD

TBD
TBD
TBD

TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

WORKFORCE

WORKFORCE Domain
Workforce Management
Establish and maintain plans, procedures, technologies, and controls to create a culture of
cybersecurity and to ensure the ongoing suitability and competence of personnel, commensurate with
the risk to critical infrastructure and organizational objectives.
• Responsibilities
• Workforce controls
• Knowledge, skills, and abilities
• Awareness
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with workforce
cybersecurity responsibilities.
a. Cybersecurity responsibilities for the function are identified
TBD
b. Cybersecurity requirements for roles are established (e.g.,
TBD
separation of duties, least privilege)
c. Cybersecurity responsibilities are assigned to specific
TBD
roles, including external service providers
d. Cybersecurity responsibilities are documented in position
TBD
descriptions
e. Cybersecurity responsibilities and job requirements are
TBD
reviewed and updated as appropriate
f. Cybersecurity responsibilities are included in job
TBD
performance evaluation criteria
g. Assigned cybersecurity responsibilities are managed to
TBD
ensure adequacy and redundancy of coverage

PILOT EVALUATION | DO NOT DISCLOSE

11

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

WORKFORCE

2.

Please rate your implementation of the following activities associated with managing the
workforce lifecycle.
a. Personnel transfer and termination procedures are
TBD
defined and address cybersecurity
b. Risk designations are created based on risk analysis
TBD
c. Risk designations are assigned to positions
TBD
d. Recruiting and retention are aligned to support
TBD
cybersecurity workforce management objectives
e. Succession planning is performed for personnel based on
TBD
risk designation
f. Security policy includes a formal disciplinary process and
TBD
sanctions for employees who commit violations of security
policy
g. Personnel vetting (e.g., background checks, drug tests) is
TBD
performed at hire for positions that have responsibilities
for or access to the assets required for delivery of the
function
h. Personnel vetting is performed periodically for positions
TBD
that have responsibilities for or access to the assets
required for delivery of the function
i. Vetting is performed for employees, vendors, and
TBD
contractors at a level commensurate with position risk
designation

3.

Please rate your implementation of the following activities associated with cybersecurity training.
a. Cybersecurity training is made available to personnel with
TBD
cybersecurity responsibilities
b. Cybersecurity knowledge, skill, and ability gaps are
TBD
identified
c. Personnel with cybersecurity responsibilities complete
TBD
continuing education and professional development
d. Assessments of specific workforce skills are performed
TBD
e. Assessments of the training program are performed
TBD
f. Plan to address identified cybersecurity knowledge, skill,
TBD
and ability gaps is maintained
g. Personnel with cybersecurity responsibilities complete
TBD
continuing education and professional development,
consistent with job role and cybersecurity responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

12

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

WORKFORCE

4.

Please rate your implementation of the following activities associated with cybersecurity
awareness.
a. Cybersecurity awareness activities occur
TBD
b. Cybersecurity awareness activities occur in accordance
TBD
with a defined awareness plan
c. Cybersecurity awareness content is based on
TBD
understanding of function-specific cybersecurity threats
d. Cybersecurity awareness content is based on an
TBD
understanding of organization-specific (cross-function)
cybersecurity threats

5.

Please rate your implementation of the following activities associated with planning and managing
Workforce Management activities.
a. One or more plans or procedures are in place that guide
TBD
the activities
b. One or more standards and/or guidelines have been
TBD
identified to inform the activities
c. One or more policies are in place that guide the activities
TBD
d. The policies include compliance requirements for
TBD
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
TBD
conformance with the policy
f. Stakeholders are identified and involved in the activities
TBD
g. Resources (people, funding, and tools) are provided to
TBD
support the activities
h. Responsibility and authority for the performance of the
TBD
activities are assigned to personnel
i. Personnel performing the activities have the skills and
TBD
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

13

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

DEPENDENCIES

DEPENDENCIES Domain
Supply Chain and External Dependencies Management
Establish and maintain controls to manage the cybersecurity risk associated with services and assets
that are dependent on external entities, commensurate with the organization's business and security
objectives.
• Dependency identification
• Risk management
• Cybersecurity requirements
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with identifying
dependencies.
a. Important suppliers and other up-stream dependencies
TBD
are identified (i.e. external parties on which the delivery of
the function depend)
b. Important down-stream dependencies are identified (i.e.
TBD
external parties that are dependent on the delivery of the
function)
c. Important suppliers and up-stream dependencies are
TBD
identified according to a defined practice
d. Important down-stream dependencies are identified
TBD
according to a defined practice
e. Dependencies are prioritized based on established criteria
TBD
f. Bidirectional dependencies are identified
TBD
g. Single-source dependencies are identified

TBD

2.

Please rate your implementation of the following activities associated with dependency risk
management.
a. Significant cybersecurity risks due to suppliers and other
TBD
external dependencies are identified and addressed
b. Cybersecurity risks due to suppliers and other external
TBD
dependencies are identified according to a defined
practice
c. Identified external dependency cybersecurity risks are
TBD
analyzed and disposed according to a defined practice
d. Cybersecurity risks due to external dependencies are
TBD
managed according to the organization’s risk
management criteria and process
e. Suppliers, vendors, and other upstream dependencies are
TBD
integrated into the information sharing process

PILOT EVALUATION | DO NOT DISCLOSE

14

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

DEPENDENCIES

3.

Please rate your implementation of the following activities associated with cybersecurity
requirements.
a. Cybersecurity requirements are considered when
TBD
establishing relationships with external entities
b. Cybersecurity requirements are established for suppliers
TBD
and up-stream dependencies according to a defined
practice, including requirements for secure software
development practices where appropriate
TBD
c. Agreements with suppliers and other external entities
include cybersecurity requirements
d. Evaluation and selection of suppliers and other external
TBD
entities includes consideration of their ability to meet
cybersecurity requirements
e. Agreements with suppliers and other up-stream
TBD
dependencies require notification of cybersecurity
incidents related to the delivery of the product or service
f. Suppliers and other external entities are periodically
TBD
reviewed for their ability to continually meet the
cybersecurity requirements
g. Cybersecurity requirements are established for up-stream
TBD
dependencies based on the organization’s risk criteria
h. Agreements with suppliers require notification of
TBD
vulnerability-inducing product defects throughout the
intended lifecycle of delivered products
i. Acceptance testing of procured assets includes testing for
TBD
cybersecurity specifications (Note: this should be
coordinated with change management activities in Asset,
Change, and Configuration Management)
j. Authoritative information sources are monitored to identify
TBD
and avoid known sources of counterfeit parts and services

PILOT EVALUATION | DO NOT DISCLOSE

15

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

DEPENDENCIES

4.

Please rate your implementation of the following activities associated with planning and managing
Supply Chain and External Dependencies Management activities.
a. One or more plans or procedures are in place that guide
the activities
b. One or more standards and/or guidelines have been
identified to inform the activities
c. One or more policies are in place that guide the activities
d. The policies include compliance requirements for
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
conformance with the policy
f. Stakeholders are identified and involved in the activities
g. Resources (people, funding, and tools) are provided to
support the activities
h. Responsibility and authority for the performance of the
activities are assigned to personnel
i. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

16

TBD

TBD
TBD
TBD

TBD
TBD

TBD

TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

THREAT

THREAT Domain
Threat and Vulnerability Management
Establish and maintain plans, procedures, and technologies to identify, analyze, and manage
cybersecurity threats and vulnerabilities, commensurate with the risk to critical infrastructure and
organizational objectives.
• Threat management
• Vulnerability management
• Cybersecurity patch management
• Assessments
Within the function (generation, transmission, distribution, or retail) that is the focus of this evaluation,
please answer the following questions:
1.

Please rate your implementation of the following activities associated with threat management.
a. Cybersecurity threat information is gathered and
TBD
interpreted for the function
b. Threats that are considered important to the function are
TBD
mitigated
c. Information sources to support threat management
TBD
activities are identified and monitored (e.g., ES-ISAC,
ICS-CERT, US-CERT, industry associations, vendors)
d. Guidelines or criteria are established and used in the
TBD
analysis and prioritization of identified threats
e. Threats are addressed according to the prioritization
TBD
criteria and mitigating actions are validated
f. Threat information is shared through participation in
TBD
identified information sharing channels
g. Analysis and prioritization of threats are informed by the
TBD
function's risk criteria
h. Threat identification and analysis activities inform
TBD
function's risk management activities

PILOT EVALUATION | DO NOT DISCLOSE

17

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

THREAT

2.

Please rate your implementation of the following activities associated with vulnerability
management.
a. Cybersecurity vulnerability information is gathered and
TBD
interpreted for the function
b. Vulnerabilities that are considered important to the
TBD
function are remediated
c. Information sources to support vulnerability management
TBD
activities are identified and monitored
d. Guidelines or criteria are established and used in the
TBD
analysis and prioritization of identified vulnerabilities
e. Vulnerabilities are addressed according to the
TBD
prioritization criteria and remediation actions are validated
f. Vulnerability management activities are informed by the
TBD
function's risk criteria
g. Vulnerability identification and analysis activities inform
TBD
function's risk management activities
h. Vulnerability assessments are performed (e.g.,
TBD
architectural reviews, penetration testing, cybersecurity
exercises, vulnerability identification tools)

3.

Please rate your implementation of the following activities associated with cybersecurity patch
management.
a. Patches that mitigate cybersecurity vulnerabilities are
TBD
deployed
b. Information sources to support patch management
TBD
activities are identified and monitored
c. Guidelines or criteria are established and used in the
TBD
analysis and prioritization of cybersecurity patches (e.g.,
NIST Common Vulnerability Scoring System could be
used for IT patches)
d. Patches are deployed according to the prioritization
TBD
criteria (Note: prioritization criteria should include
coverage of emergency patching)
e. Patch management activities are informed by the
TBD
function’s risk criteria

PILOT EVALUATION | DO NOT DISCLOSE

18

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

THREAT

4.

Please rate your implementation of the following activities associated with planning and managing
Threat and Vulnerability Management activities.
a. One or more plans or procedures are in place that guide
the activities
b. One or more standards and/or guidelines have been
identified to inform the activities
c. One or more policies are in place that guide the activities
d. The policies include compliance requirements for
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
conformance with the policy
f. Stakeholders are identified and involved in the activities
g. Resources (people, funding, and tools) are provided to
support the activities
h. Responsibility and authority for the performance of the
activities are assigned to personnel
i. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

19

TBD
TBD

TBD
TBD

TBD

TBD
TBD
TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

RESPONSE

RESPONSE Domain
Event and Incident Response, Continuity of Operations
Establish and maintain plans, procedures, and technologies to detect, analyze, and respond to
cybersecurity incidents and to sustain critical functions throughout a cyber event, commensurate with
the risk to critical infrastructure and organizational objectives.
• Detect events
• Declare incidents
• Respond to incidents
• Manage continuity
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with cybersecurity event
detection.
a. Individuals who detect an anomalous event they believe
TBD
may have cybersecurity implications, report the event to a
clearly identified person or role in the function with the
responsibility for receiving such reports
b. Events are detected or reported according to a defined
TBD
practice
c. Events are logged and tracked according to a defined
TBD
practice
d. Event information is correlated to support incident analysis
TBD
by identifying patterns, trends, and other common features
e. Cybersecurity event detection is informed by Threat and
TBD
Vulnerability Management and Risk Management
information (e.g., event detection is tuned to help detect
known threats and monitor for identified risks)
f. Cybersecurity event detection is enabled by Situational
TBD
Awareness activities (e.g., the common operating picture
for the function is monitored to support the identification of
cybersecurity events)

PILOT EVALUATION | DO NOT DISCLOSE

20

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

RESPONSE

2.

Please rate your implementation of the following activities associated with cybersecurity incident
declaration.
TBD
a. Cybersecurity incident criteria are established based on
the potential impact to the function
b. Events are analyzed to identify and declare cybersecurity
TBD
incidents
c. Events are analyzed according to a defined practice
TBD
d. Incidents are logged and tracked to closure according to a
TBD
defined practice
e. Cybersecurity incident declaration criteria are periodically
TBD
updated according to a defined practice
f. Events are analyzed to identify and declare cybersecurity
TBD
incidents according to a defined practice
g. Declared incidents are correlated to support the discovery
TBD
of patterns, trends, and other common features
h. Incident declaration criteria are periodically updated based
TBD
on Threat and Vulnerability Management, Situational
Awareness, and Risk Management information

3.

Please rate your implementation of the following activities associated with cybersecurity incident
response.
a. Actions are taken to respond to cybersecurity incidents to
TBD
limit impact to the function and restore normal operations
b. Incident response personnel are identified and roles are
TBD
assigned
c. Incident response is performed according defined
TBD
procedures that address all phases of the incident
lifecycle (e.g., triage, handling, communication,
coordination, and closure)
d. Incident response procedures are exercised
TBD
e. Training is conducted for incident response teams
TBD
f. Cybersecurity incident root-cause analysis and lessonsTBD
learned activities are performed as part of the defined
process
g. Procedures are followed to coordinate and collaborate
TBD
with law enforcement when appropriate, including support
for evidence collection and preservation
h. Incident response personnel participate in community
TBD
cybersecurity exercises (e.g., table top, simulated
incidents)
i. The incident response process is periodically reviewed
TBD
and updated
j. Incident response activities are coordinated with relevant
TBD
external entities

PILOT EVALUATION | DO NOT DISCLOSE

21

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

RESPONSE

4.

5.

Please rate your implementation of the following activities associated with continuity
management.
a. Assets that are important to the delivery of the function
TBD
are identified (Note: this may be connected to or provided
from Asset, Change, and Configuration Management)
b. The activities necessary to sustain minimum operations of
TBD
the function are identified
c. The sequence of activities necessary to return the function
TBD
to normal operation is identified
d. Business impact analyses are conducted according to
TBD
defined practices to inform the development of continuity
plans
e. Recovery time objectives are established for the function
TBD
f. Continuity plans are developed to sustain and restore
TBD
operation of the function according to a defined practice
g. Continuity plans are evaluated and exercised
TBD
h. Business impact analyses are periodically reviewed and
TBD
updated
i. The results of continuity plan testing and/or activation are
TBD
compared to recovery objectives, and plans are improved
accordingly
j. Continuity plans are periodically reviewed and updated
TBD
Please rate your implementation of the following activities associated with planning and managing
Event and Incident Response and Continuity of Operations activities.
a. One or more plans or procedures are in place that guide
the activities
b. One or more standards and/or guidelines have been
identified to inform the activities
c. One or more policies are in place that guide the activities
d. The policies include compliance requirements for
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
conformance with the policy
f. Policy and/or procedures for reporting incident information
to designated authorities conform with applicable laws,
regulations, and contractual agreements
g. Stakeholders are identified and involved in the activities
h. Resources (people, funding, and tools) are provided to
support the activities
i. Responsibility and authority for the performance of the
activities are assigned to personnel
j. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

22

TBD
TBD

TBD
TBD

TBD
TBD

TBD

TBD
TBD

TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

SITUATION

SITUATION Domain
Situational Awareness
Establish and maintain activities and technologies to collect, analyze, alarm, present, and use power
system and cybersecurity information, including status and summary information from the other model
domains, to form a common operating picture, commensurate with the risk to critical infrastructure and
organizational objectives.
• Logging
• Monitoring
• Awareness
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with logging.
a. Logging capabilities are identified and selected
TBD
capabilities are activated
b. A consistent level of logging is occurring for assets
TBD
important to the function
c. Logging requirements have been defined and
TBD
documented for all assets of selected classes and/or
priority
d. Logging is performed in compliance with the documented
TBD
requirements
e. Logs are managed with consistency within the function
TBD
f. Log data are being aggregated within the function
TBD
g. Logging requirements are based on the risk to the function
TBD
h. Logging is integrated with other business and security
processes
TBD

PILOT EVALUATION | DO NOT DISCLOSE

23

Electricity Subsector Cybersecurity Risk Management Maturity Initiative OMB Control Number : xxxx-xxxx
SITUATION

2.

Please rate your implementation of the following activities associated with monitoring.
a. Cybersecurity monitoring activities are performed (e.g.
TBD
periodic reviews of log data)
b. Operational environments are monitored for anomalous
TBD
behavior that may indicate a cybersecurity event
c. Monitoring and analysis requirements have been defined
TBD
and documented
d. Monitoring and analysis is performed in compliance with
TBD
the documented requirements
e. Monitoring requirements are based on the risk to the
TBD
function
f. Monitoring is integrated with other business and security
TBD
processes
g. Alarms and alerts are implemented
TBD
h. Alarms and alerts are defined by severity level for both
TBD
power system and cybersecurity information

3.

Please rate your implementation of the following activities associated with awareness.
a. A local operating picture exists for the function
TBD
b. A common operating picture exists across functions
TBD
c. The cybersecurity operations of the function are informed
TBD
based on the common operating picture
d. Common operating picture incorporates information from
TBD
external sources (including external entities on which the
function depends)
e. Pre-defined states of operation are defined and invoked
TBD
(manual or automated process) based on the common
operating picture

PILOT EVALUATION | DO NOT DISCLOSE

24

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

SITUATION

4.

Please rate your implementation of the following activities associated with planning and managing
Situational Awareness activities.
a. One or more plans or procedures are in place that guide
the activities
b. One or more standards and/or guidelines have been
identified to inform the activities
c. One or more policies are in place that guide the activities
d. The policies include compliance requirements for
specified standards and/or guidelines
e. The activities are periodically reviewed to ensure
conformance with the policy
f. Stakeholders are identified and involved in the activities
g. Resources (people, funding, and tools) are provided to
support the activities
h. Responsibility and authority for the performance of the
activities are assigned to personnel
i. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

25

TBD
TBD

TBD
TBD
TBD
TBD
TBD

TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

SHARING

SHARING Domain
Information Sharing and Communications
Establish and maintain relationships with internal and external entities to share information, including
threats and vulnerabilities, in order to reduce risks and increase operational resilience, commensurate
with the risk to critical infrastructure and organizational objectives.
• Communication
• Analysis
• Coordination
Within the function (generation, transmission, distribution, or markets) that is the focus of this
evaluation, please answer the following questions:
1.

Please rate your implementation of the following activities associated with cybersecurity
information sharing.
TBD
a. The key stakeholders (including connected utilities) with
which information needs to be shared have been identified
b. Communication with key stakeholders is performed
TBD
c. Communication with key stakeholders is based on
TBD
documented communication strategies within functional
areas
d. Contracts and agreements with third parties incorporate
TBD
sharing of cybersecurity threat information
e. Cybersecurity information reporting requirements are
TBD
identified
f. Information shared supports situational awareness at
TBD
organization, regional, and national levels

2.

Please rate your implementation of the following activities associated with cybersecurity
information analysis.
TBD
a. Analysis of shared information is performed
b. Analysis of shared information occurs based on defined
TBD
procedures
c. Procedures are in place to create action plans in response
TBD
to information received
d. Technical sources are identified that can be accessed to
TBD
gain expert insights
e. Procedures are in place to analyze and de-conflict
TBD
received information

PILOT EVALUATION | DO NOT DISCLOSE

26

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

SHARING

3.

4.

Please rate your implementation of the following activities associated with cybersecurity
coordination.
TBD
a. Responsibility for the collection of shared cybersecurity
information is assigned
b. Cybersecurity information is shared across functional
TBD
areas
c. Trusted information sharing partners are identified
TBD
d. The function participates with information sharing and
TBD
analysis centers
e. A robust network of internal and external trust
TBD
relationships (both formal and informal) has been
established to vet and validate information about cyber
events
f. There is a strategy or policy and procedure for incident
TBD
coordination with external partners & stakeholders
g. Provisions are established and maintained to enable
TBD
secure sharing of sensitive or classified information
Please rate your implementation of the following activities associated with planning and managing
Cybersecurity Information Sharing and Communications activities.
a. One or more plans or procedures are in place that guide
the activities
b. Plans for the activities address both standard operations
and emergency operations
c. One or more standards and/or guidelines have been
identified to inform the activities
d. One or more policies are in place that guide the activities
e. The policies include compliance requirements for
specified standards and/or guidelines
f. The policies address protected information, ethical use
and sharing of information, including, as appropriate,
sensitive and classified information
g. The activities are periodically reviewed to ensure
conformance with the policy
h. Stakeholders are identified and involved in the activities
i. Resources (people, funding, and tools) are provided to
support the activities
j. Responsibility and authority for the performance of the
activities are assigned to personnel
k. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

27

TBD
TBD
TBD
TBD
TBD

TBD
TBD

TBD
TBD

TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

CYBER

CYBER Domain
Cybersecurity Program Management
Establish and maintain a cybersecurity program that provides governance, strategic planning, and
sponsorship for the organization’s cybersecurity activities in a manner that aligns cybersecurity
objectives with the organization’s strategic objectives and the risk to critical infrastructure.
• Strategy
• Sponsorship
• Program
• Architecture
Within the function (generation, transmission, distribution, markets) that is the focus of this evaluation,
please answer the following questions:
1.

Please rate your implementation of the following activities associated with the cybersecurity
program strategy.
TBD
a. The organization’s strategic objectives are generally
understood among senior management
b. The organization’s cybersecurity objectives are generally
TBD
understood among the personnel performing
cybersecurity activities, but may not be connected to the
organization’s strategic objectives
c. The organization’s strategic objectives are documented
TBD
and well-understood throughout the organization
d. The organization’s cybersecurity strategy and priorities
TBD
are documented and aligned with the organization’s
strategic objectives
e. The development and implementation of a cybersecurity
TBD
strategy and its integration with organizational objectives
is required by policy
f. Cybersecurity strategy and objectives address the
TBD
organization’s role in critical infrastructure

PILOT EVALUATION | DO NOT DISCLOSE

28

Electricity Subsector Cybersecurity Risk Management Maturity Initiative OMB Control Number : xxxx-xxxx
CYBER

2.

Please rate your implementation of the following activities associated with sponsorship of the
cybersecurity program.
TBD
a. Some resources (people, tools, and funding) are provided
to support cybersecurity activities, but may be
compartmentalized (or siloed)
b. Senior management is aware of cybersecurity concerns
TBD
and provides at least vocal sponsorship for cybersecurity
activities
c. The importance and value of cybersecurity activities is
TBD
regularly communicated by senior management
d. Activities to support and develop a culture of cybersecurity
TBD
in the organization are sponsored
e. The creation and maintenance of a cybersecurity program
TBD
plan is sponsored by the organization
f. If the organization develops or procures software, secure
TBD
software development practices are sponsored as an
element of the cybersecurity program
g. Adequate funding and other resources (i.e. people and
TBD
tools) are provided to establish and operate a
cybersecurity program
h. The development and maintenance of cybersecurity
TBD
policies and guidelines is sponsored

3.

Please rate your implementation of the following activities associated with the cybersecurity
program.
a. Cybersecurity activities are performed by individuals in the
TBD
organization and may be compartmentalized
b. Cybersecurity requirements are developed for key
TBD
operational systems and assets
c. A cybersecurity program is established and maintained to
TBD
provide security for IT and OT systems, networks, and
data, consistent with the cybersecurity strategy and
requirements
d. Industry activities are monitored to identify emerging
TBD
cybersecurity trends, issues, standards, and initiatives
e. Cybersecurity activities across the function and across the
TBD
domains in this model are integrated, coordinated, and
aligned into a systematic policy and procedure to ensure
that the organization’s cybersecurity objectives and
strategy are addressed
f. Organization monitors and participates in selected
TBD
emerging cybersecurity standards or initiatives to support
cybersecurity strategies and objectives
g. Coordination occurs with organization’s compliance efforts
TBD
to support ongoing achievement of any cybersecurity
compliance requirements

PILOT EVALUATION | DO NOT DISCLOSE

29

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

CYBER

4.

Please rate your implementation of the following activities associated with cybersecurity
architecture.
a. A strategy to architecturally isolate the organization’s IT
TBD
systems from OT systems is implemented
b. A cybersecurity architecture is in place to enable
TBD
segmentation, isolation, and other requirements that
support the cybersecurity strategy and priorities
c. Architectural segmentation and isolation is maintained
TBD
according to a documented plan
d. Architectural segmentation and isolation strategies are
TBD
informed by the organization’s risk tolerance
e. Cybersecurity architecture is routinely updated as may be
TBD
required to keep it current and to address new
requirements

5.

Please rate your implementation of the following activities associated with cybersecurity
requirements for software development (including software developed internally and software
developed by third parties).
a. Software to be deployed on assets of selected classes
TBD
and/or priority is developed using secure software
development practices
b. Policies require that software to be deployed on assets
TBD
above a priority threshold be developed using secure
software development practices

PILOT EVALUATION | DO NOT DISCLOSE

30

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

CYBER

6.

Please rate your implementation of the following activities associated with planning and managing
Cybersecurity Program activities.
a. One or more plans or procedures are in place that guide
the activities

TBD

b. Question deleted
c. One or more standards and/or guidelines have been
identified to inform the activities
d. One or more policies are in place that guide the activities
e. The policies include compliance requirements for
specified standards and/or guidelines
f. The policies include compliance requirements for any
applicable regulations related to cybersecurity

TBD
TBD
TBD
TBD

g. Question deleted
h. The activities are periodically reviewed to ensure
conformance with the policy
i. Stakeholders are identified and involved in the activities
j. Responsibility and authority for the performance of the
activities are assigned to personnel
k. Personnel performing the activities have the skills and
knowledge needed to perform their assigned
responsibilities

PILOT EVALUATION | DO NOT DISCLOSE

31

TBD
TBD

TBD
TBD

Electricity Subsector Cybersecurity Risk Management Maturity Initiative
CYBER

7.

Please rate your implementation of the following cross-domain activities.
a. Asset inventory attributes support Threat and Vulnerability
TBD
Management (i.e., inventory includes sufficient information
about the assets to enable threat and vulnerability
analysis)
b. Configuration management [ASSET] is coordinated with
TBD
cybersecurity patch management [THREAT] (i.e.,
configuration baselines are updated to reflect the
deployment of patches to mitigate cybersecurity
vulnerabilities)
c. Change management activities are coordinated with
TBD
Threat and Vulnerability Management activities (e.g.,
changes made to mitigate vulnerabilities are subject to the
change management procedures)
d. Asset, Change, and Configuration Management activities
TBD
are coordinated with Supply Chain and External
Dependencies Management activities for high priority
assets that are dependent on external parties (i.e., the
performance of asset inventory, change management,
and configuration management activities for assets that
are controlled by third parties are addressed in the formal
agreements and requirements for the third party)
e. Risk assessment and disposition activities [RISK] are
TBD
integrated with threat and vulnerability identification and
assessment [THREAT]
f. Threat and vulnerability management information
TBD
[THREAT] is communicated within the function to support
situational awareness activities [SITUATION]
g. Event and Incident Response, Continuity of Operations
TBD
Incident response information [RESPONSE] is shared
with relevant external entities (e.g., ES-ISAC, trade
associations, vendors) [SHARING][DEPENDENCIES]
h. Response and continuity activities [RESPONSE] are
TBD
coordinated with Asset, Change, and Configuration
Management activities to ensure that restored assets are
configured appropriately and inventory information is
updated
i. Common operating picture is shared with stakeholders
TBD
external to the function [SHARING][DEPENDENCIES]

PILOT EVALUATION | DO NOT DISCLOSE

32

OMB Control Number : xxxx-xxxx

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Glossary
Referenced Sources of Definitions
The following documents have been referenced for terms defined in this glossary.

[CNSSI 4009]

Committee on National Security Systems, National Information Assurance
(IA) Glossary, CNSSI 4009 Instructions no. 4009, April 26, 2010.

[FIPS 200]

FIPS-200: Minimum Security Requirements for Federal Information and
Information Systems, National Institute of Standards and Technology,
2006, http://csrc.nist.gov/publications/fips/fips200/FIPS-200-finalmarch.pdf

[NDIA ESA]

National Defense Industrial Association System Assurance Committee,
Engineering for System Assurance, National Defense Industry Association
(NDIA), September 2008.

[NIST 800-53]

Security and Privacy Controls for Federal Information Systems and
Organization, NIST Special Publication 800-53, Revision 4, Initial Public
Draft, February 2012.
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204

[NIST 800-61]

Paul Cichonski, Tom Millar, Tim Grance, and Karen Scarfone, Computer
Security Incident Handling Guide – Recommendations of the National
Institute of Standards and Technology, NIST Special Publication 800-61,
Revision 2 (Draft), January 2012.
http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp80061rev2.pdf

[NISTIR 7622]

Marianne Swanson, Nadya Bartol, and Rama Moorthy, Piloting Supply
Chain Risk Management for Federal Information Systems, Draft NISTIR
7622, June 2010. http://csrc.nist.gov/publications/drafts/nistir7622/draft-nistir-7622.pdf.

[NISTIR 7628]

Interagency Report 7628: Guidelines for Smart Grid Cyber Security,
National Institute of Standards and Technology, Volumes 1-3, 2010,
http://csrc.nist.gov/publications/PubsNISTIRs.html

Some of the definitions sourced from the named references needed to be generalized somewhat to
make them applicable beyond an information systems perspective, to include concepts applicable to
Electricity Subsector operations technology (OT), or to particularize examples to the electricity sector.
PILOT EVALUATION | DO NOT DISCLOSE

33

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

For example: (The second definition for “Access Control” is an adaptation by the model team for use
here).

Access Control

The process of granting or denying specific
requests: 1) for obtaining and using information
and related information processing services; and 2)
to enter specific physical facilities (e.g., Federal
buildings, military establishments, and border
crossing entrances).

CNSSI 4009

Access Control

The process of granting or denying specific
requests: 1) for obtaining and using information
and related information processing services, and
for gaining operational control; and 2) to enter
specific physical facilities (e.g., a substation, control
center, or a locked equipment cabinet).

Adapted from
CNSSI 4009

Glossary Terms
Term

Definition

Source

Access

Ability and means to communicate with or otherwise interact with a
system, to use system resources to handle information, to gain
knowledge of the information the system contains, or to control
system components and functions.

CNSSI 4009

Access Control

The process of granting or denying specific requests: 1) for obtaining
and using information and related information processing services; and
2) to enter specific physical facilities ...

CNSSI 4009

Access Control
Mechanism

Security safeguards (i.e., hardware and software features, physical
controls, operating procedures, management procedures, and various
combinations of these) designed to detect and deny unauthorized
access and permit authorized access to an information system.

Accountability

Principle that an individual is entrusted to safeguard and control
equipment, keying material, and information and is answerable to
proper authority for the loss or misuse of that equipment or
information.

CNSSI 4009

Authentication

The process of verifying the identity or other attributes claimed by or
assumed of an entity (user, process, or device), or to verify the source
and integrity of data.

CNSSI 4009

NIST SP 800-53: Verifying the identity of a user, process, or device,
often as a prerequisite to allowing access to resources in an
information system. [FIPS 200]

PILOT EVALUATION | DO NOT DISCLOSE

34

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Authenticator

The means used to confirm the identity of a user, processor, or device
(e.g., user password or token).

NIST 800-53

Authorization

Access privileges granted to a user, program, or process or the act of
granting those privileges.

CNSSI 4009

Access Control
Enforcement

Data integrity and confidentiality are enforced by access controls.
When the subject requesting access has been authorized to access
particular processes, it is necessary to enforce the defined security
policy (e.g., MAC or DAC). These policy-based controls are enforced via
access control mechanisms distributed throughout the system (e.g.,
MAC sensitivity labels; DAC file permission sets, access control lists,
roles, user profiles). The effectiveness and the strength of access
control depend on the correctness of the access control decisions (e.g.,
how the security rules are configured) and the strength of access
control enforcement (e.g., the design of software or hardware security)

Certification

Comprehensive evaluation of the technical and non-technical security
safeguards of an information system to support the accreditation
process that establishes the extent to which a particular design and
implementation meets a set of specified security requirements. See
security control assessment.

Change Management
and Configuration
Management

Configuration management means that assets are managed to a
configuration baseline to ensure that similar assets remain in a
common configuration. Change management applies to both changes
to specific configurations and also more broadly to changes in the
asset landscape (deploying a new class of assets, or changing out a
major asset). In the context of software development, the
configuration of the source code base should be managed to ensure
that stable and consistent configurations are released. Changes to the
source code should be subject to change control procedures, reviews,
and tests prior to committing those changes to a new software
configuration (which may also be called a release or a version).

Contingency Plan

Management policy and procedures used to guide an enterprise
response to a perceived loss of mission capability. The Contingency
Plan is the first plan used by the enterprise risk managers to determine
what happened, why, and what to do. It may point to the COOP or
Disaster Recovery Plan for major disruptions.

PILOT EVALUATION | DO NOT DISCLOSE

35

CNSSI 4009

CNSSI 4009

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Continuity of
Operations Plan (COOP)

Management policy and procedures used to guide an enterprise
response to a major loss of enterprise capability or damage to its
facilities. The COOP is the third plan needed by the enterprise risk
managers and is used when the enterprise must recover (often at an
alternate site) for a specified period of time. Defines the activities of
individual departments and agencies and their sub-components to
ensure that their essential functions are performed. This includes plans
and procedures that delineate essential functions; specifies succession
to office and the emergency delegation of authority; provide for the
safekeeping of vital records and databases; identify alternate operating
facilities; provide for interoperable communications, and validate the
capability through tests, training, and exercises. See also Disaster
Recovery Plan and Contingency Plan.

Critical Energy
Infrastructure
Information (CEII)

Critical Energy Infrastructure Information is specific engineering,
vulnerability, or detailed design information about proposed or
existing critical infrastructure (physical or virtual) that: relates details
about the production, generation, transmission, or distribution of
energy; could be useful to a person planning an attack on critical
infrastructure; is exempt from mandatory disclosure under the
Freedom of Information Act; and gives strategic information beyond
the location of the critical infrastructure.

Cybersecurity risk

TBD

Disaster Recovery Plan
(DRP)

Management policy and procedures used to guide an enterprise
response to a major loss of enterprise capability or damage to its
facilities. The DRP is the second plan needed by the enterprise risk
managers and is used when the enterprise must recover (at its original
facilities) from a loss of capability over a period of hours or days. See
Continuity of Operations Plan and Contingency Plan.

CNSSI 4009

Event

An event is any observable occurrence in a system or network. Events
include a user connecting to a file share, a server receiving a request
for a web page, a user sending email, and a firewall blocking a
connection attempt. Adverse events are events with a negative
consequence, such as system crashes, packet floods, unauthorized use
of system privileges, unauthorized access to sensitive data, and
execution of malware that destroys data.
TBD – Need to generalize for OT.

NIST 800-61

Federated Identity
Management

Managing identities and access across organizational boundaries in a
standardized manner (including standardized policies, procedures, and
technologies).
TBD – need authoritative source for definition.

Generally Accepted
Privacy Principles
(GAPP)

Generally Accepted Privacy Principles. Privacy principles and criteria
developed and updated by the AICPA and Canadian Institute of
Chartered Accountants to assist organizations in the design and
implementation of sound privacy practices and policies.

PILOT EVALUATION | DO NOT DISCLOSE

36

CNSSI 4009

NISTIR 7628
Vol. 3,
Glossary

Electricity Subsector Cybersecurity Risk Management Maturity Initiative OMB Control Number : xxxx-xxxx

Hacker

In common usage, a hacker is a person who breaks into computers
and/or computer networks, usually by gaining access to administrative
controls. Proponents may be motivated by diverse objectives from the
shear entertainment value they find in the challenge of circumventing
computer/network security to political or other ends. Hackers are
often unconcerned about the use of illegal means to achieve their
ends. Out-and-out cyber-criminal hackers are often referred to as
"crackers."

NISTIR 7628
Vol. 3,
Glossary

Identity

The set of attribute values (i.e., characteristics) by which an entity (e.g.,
personnel, contractor) is recognizable and that, within the scope of an
identity manager’s responsibility, is sufficient to distinguish that entity
from any other entity (e.g., personnel, contractor).

CNSSI 4009

Identity-Based Access
Control

Access control based on the identity of the user (typically relayed as a
characteristic of the process acting on behalf of that user) where
access authorizations to specific objects are assigned based on user
identity.

CNSSI 4009

Incident

A computer security incident is a violation or imminent threat of
violation of computer security policies, acceptable use policies, or
standard security practices. An “imminent threat of violation” refers to a

NIST 800-61
(computer
security
incident)

Inside(r) Threat

An entity with authorized access (i.e., within the security domain) that
has the potential to harm an information system or enterprise through
destruction, disclosure, modification of data, and/or denial of service.

CNSSI 4009

Integrator

A person or company that specializes in bringing together component
subsystems into a whole and ensuring that those subsystems function
together, a practice known as System Integration. Systems integrators
may work in many fields but the term is widely used in the information
technology (IT) field.

Intrusion

Unauthorized act of bypassing the security mechanisms of a system.

CNSSI 4009

Intrusion Detection
Systems (IDS)

Hardware or software products that gather and analyze information
from various areas within a computer or a network to identify possible
security breaches, which include both intrusions (attacks from outside
the organizations) and misuse (attacks from with the organizations).

CNSSI 4009

Intrusion Detection
Systems (IDS), (hostbased)

IDSs which operate on information collected from within an individual
computer system. This vantage point allows host-based IDSs to
determine exactly which processes and user accounts are involved in a
particular attack on the Operating System. Furthermore, unlike
network-based IDSs, host-based IDSs can more readily “see” the
intended outcome of an attempted attack, because they can directly
access and monitor the data files and system processes usually
targeted by attacks.

CNSSI 4009

situation in which the organization has a factual basis for believing that a
specific incident is about to occur. For example, the antivirus software
maintainers may receive a bulletin from the software vendor, warning them of
new malware that is rapidly spreading across the Internet.
TBD –Need to generalize for OT.

PILOT EVALUATION | DO NOT DISCLOSE

37

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Intrusion Detection
Systems (IDS),
(network-based)

IDSs which detect attacks by capturing and analyzing network packets.
Listening on a network segment or switch, one network-based IDS can
monitor the network traffic affecting multiple hosts that are connected
to the network segment.

CNSSI 4009

Intrusion Prevention
System (IPS)

System that can detect an intrusive activity and can also attempt to
stop the activity, ideally before it reaches its targets.

CNSSI 4009

ISO/IEC27001

International Organization for Standardization/International
Electrotechnical Commission Standard 27001. A auditable international
standard that specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and
improving a documented Information Security Management System
within the context of the organization's overall business risks. It uses a
process approach for protection of critical information.

NISTIR 7628
Vol. 3,
Glossary

Multi-Factor
Authentication

Authentication using two or more factors to achieve authentication.
Factors include: (i) something you know (e.g. password/PIN); (ii)
something you have (e.g., cryptographic identification device, token);
or (iii) something you are (e.g., biometric). See Authenticator.

NIST 800-53

Personal Information

Information that reveals details, either explicitly or implicitly, about a
specific individual’s household dwelling or other type of premises. This
is expanded beyond the normal "individual" component because there
are serious privacy impacts for all individuals living in one dwelling or
premise. This can include items such as energy use patterns or other
types of activities. The pattern can become unique to a household or
premises just as a fingerprint or DNA is unique to an individual.

NISTIR 7628
Vol. 3,
Glossary

Personally Identifiable
Information (PII)

Information which can be used to distinguish or trace an individual's
identity, such as their name, social security number, biometric records,
etc. alone, or when combined with other personal or identifying
information which is linked or linkable to a specific individual, such as
date and place of birth, mother’s maiden name, etc.

CNSSI 4009

Privacy Impact
Assessment (PIA)

A process used to evaluate the possible privacy risks to personal
information, in all forms, collected, transmitted, shared, stored,
disposed of, and accessed in any other way, along with the mitigation
of those risks at the beginning of and throughout the life cycle of the
associated process, program or system.

Protected Critical
Infrastructure
Information (PCII)

The Protected Critical Infrastructure Information (PCII) Program is an
information-protection program that enhances information sharing
between the private sector and the government. The Department of
Homeland Security and other federal, state and local analysts use PCII
to, 1) analyze and secure critical infrastructure and protected systems,
identify vulnerabilities and develop risk assessments, and enhance
recovery preparedness measures.

Provisioning /
Deprovisioning

Granting (provisioning) and removing or revoking (deprovisioning)
access based on identities and roles.
TBD - Need authoritative source for definition.

PILOT EVALUATION | DO NOT DISCLOSE

38

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Public-key cryptography

A cryptographic approach that involves the use of asymmetric key
algorithms instead of or in addition to symmetric key algorithms.
Unlike symmetric key algorithms, it does not require a secure initial
exchange of one or more secret keys to both sender and receiver.

NISTIR 7628
Vol. 3,
Glossary

Remote Access

Access to an organization's nonpublic information system by an
authorized user (or an information system) communicating through an
external, non-organization-controlled network (e.g., the Internet).

CNSSI 4009

NIST 800-53: Access to an organizational information system by a user
(or a process acting on behalf of a user) communicating through an
external network (e.g., the Internet).
Resilience/Robustness

The ability of an Information Assurance entity to operate correctly and
reliably across a wide range of operational conditions, and to fail
gracefully outside of that operational range.

CNSSI 4009
(robustness)

Risk Assessment

The process of identifying, prioritizing, and estimating risks. This
includes determining the extent to which adverse circumstances or
events could impact an enterprise. Uses the results of threat and
vulnerability assessments to identify risk to organizational operations
and evaluates those risks in terms of likelihood of occurrence and
impacts if they occur. The product of a risk assessment is a list of
estimated, potential impacts and unmitigated vulnerabilities. Risk
assessment is part of risk management and is conducted throughout
the Risk Management Framework (RMF).

CNSSI 4009

NIST SP 800-53: The process of identifying risks to organizational
operations (including mission, functions, image, reputation),
organizational assets, individuals, other organizations, and the Nation,
resulting from the operation of an information system.
Part of risk management, incorporates threat and vulnerability
analyses, and considers mitigations provided by security controls
planned or in place. Synonymous with risk analysis.
Risk Management

The process of managing risks to organizational operations (including
mission, functions, image, or reputation), organizational assets,
individuals, other organizations, or the nation resulting from the
operation or use of an information system, and includes: 1) the
conduct of a risk assessment; 2) the implementation of a risk
mitigation strategy; 3) employment of techniques and procedures for
the continuous monitoring of the security state of the information
system; and 4) documenting the overall risk management program.
NIST SP 800-53: The process of managing risks to organizational
operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the Nation
resulting from the operation of an information system, and includes: 1.
the conduct of a risk assessment; 2. the implementation of a risk
mitigation strategy; and 3. employment of techniques and procedures
for the continuous monitoring of the security state of the information
system.

PILOT EVALUATION | DO NOT DISCLOSE

39

CNSSI 4009

Electricity Subsector Cybersecurity Risk Management Maturity Initiative OMB Control Number : xxxx-xxxx

Role

A group attribute that ties membership to function. When an entity
(e.g., personnel, contractor) assumes a role, the entity is given certain
rights that belong to that role. When the entity leaves the role, those
rights are removed. The rights given are consistent with the
functionality that the entity needs to perform the expected tasks.

CNSSI 4009

Role-Based Access
Control (RBAC)

Access control based on user roles (i.e., a collection of access
authorizations a user receives based on an explicit or implicit
assumption of a given role). Role permissions may be inherited
through a role hierarchy and typically reflect the permissions needed
to perform defined functions within an organization. A given role may
apply to a single individual or to several individuals.

CNSSI 4009

Service Level
Agreement (SLA)

Defines the specific responsibilities of the service provider and sets the
customer expectations.

CNSSI 4009

Single Sign-on

A property of access control of multiple, related, but independent
software systems. With this property a user/device logs in once and
gains access to all related systems without being prompted to log in
again at each of them.

NISTIR 7628
Vol. 3,
Glossary

Situational Awareness

Within a volume of time and space, the perception of an enterprise’s
security posture and its threat environment; the
comprehension/meaning of both taken together (risk); and the
projection of their status into the near future.

CNSSI 4009

Social Engineering

The act of manipulating people into performing actions or divulging
confidential information. The term typically applies to trickery or
deception being used for purposes of information gathering, fraud, or
computer system access.

NISTIR 7628
Vol. 3,
Glossary

Supply Chain

The set of organizations, people, activities, information, and resources
for creating and moving a product or service (including its subelements) from suppliers through to an organization's customers.
[Engineering for System Assurance, National Defense Industry
Association (NDIA), Sep 2008.]

NISTIR 7622

The supply chain encompasses the full product life cycle and includes
design, development, and acquisition of custom or commercial off-theshelf (COTS) products, system integration, system operation (in its
environment), and disposal. People, processes, services, products, and
the elements that make up the products wholly impact the supply
chain.
Symmetric cipher

Cryptography solution in which both parties use the same key for
encryption and decryption, hence the encryption key must be shared
between the two parties before any messages can be decrypted.

NISTIR 7628
Vol. 3,
Glossary

System Development
Life Cycle (SDLC)

The scope of activities associated with a system, encompassing the
system’s initiation, development and acquisition, implementation,
operation and maintenance, and ultimately its disposal that instigates
another system initiation.

CNSSI 4009

PILOT EVALUATION | DO NOT DISCLOSE

40

Electricity Subsector Cybersecurity Risk Management Maturity Initiative

OMB Control Number : xxxx-xxxx

Threat

Any circumstance or event with the potential to adversely impact
organizational operations (including mission, functions, image, or
reputation), organizational assets, individuals, other organizations, or
the Nation through an information system via unauthorized access,
destruction, disclosure, modification of information, and/or denial of
service.

CNSSI 4009

Threat Assessment

Process of formally evaluating the degree of threat to an information
system or enterprise and describing the nature of the threat.

CNSSI 4009

Vulnerability

Weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited by a
threat source.

CNSSI 4009

Vulnerability
Assessment

Systematic examination of an information system or product to
determine the adequacy of security measures, identify security
deficiencies, provide data from which to predict the effectiveness of
proposed security measures, and confirm the adequacy of such
measures after implementation.

CNSSI 4009

PILOT EVALUATION | DO NOT DISCLOSE

41


File Typeapplication/pdf
AuthorDavid White;FMuneer@icfi.com
File Modified2012-05-10
File Created2012-04-05

© 2024 OMB.report | Privacy Policy