Marshalling Experts to Design a Cyber Security Capability Maturity Model

Client: U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability

Project Overview

We coordinated a series of advisory groups and facilitated the work of more than 40 electricity sector and government experts to develop the Electricity Sector Cybersecurity Capability Maturity Model within an accelerated five-month time frame.

Need

A White House initiative to help utilities measure their cybersecurity posture across the electricity sector required extensive coordination among cybersecurity experts, utility CEOs, model developers, and government leaders. On a compressed timeline, the DOE Office of Electricity Delivery and Energy Reliability (OE) needed to gather input, develop, and pilot a model that utilities could use to assess their own cybersecurity capabilities.

Our Solution

Nexight Group facilitated a five-month initiative to develop, pilot, and release a Cybersecurity Capability Maturity Model with a highly distributed team. Through conference calls, webinars, and in-person meetings, we facilitated coordination, information gathering, and review from five key groups:

  • Carnegie Mellon University Software Engineering Institute (SEI), which developed the model
  • 30-member Industry Advisory Group, which developed model domains and content in Nexight-facilitated meetings
  • More than 20 subject matter experts who reviewed the model draft for accuracy
  • CEOs from representative utilities who provided guidance on the model's usefulness to utilities
  • DOE and White House leaders overseeing initiative progress

Nexight’s experience in guiding large groups to consensus played a key role in model development. Through two workshops, we guided Industry Advisory Group members in developing a model with 10 domains and 4 maturity indicator levels. Our analysis and synthesis of workshop results provided the key input for SEI to develop the Cybersecurity Capability Maturity Model and pilot it at 17 utilities. Nexight Group also managed coordination throughout the initiative by developing and executing a Communications Plan with OE and a team of contractors. We developed presentations for OE officials to use in briefing the public and the White House on model content and progress. Nexight also provided progress updates to key groups throughout development and produced press releases on model milestones.

Impact

The model and accompanying self-evaluation tool enable utilities in the electricity sector to evaluate their cybersecurity capabilities in a consistent manner, communicate their capability levels to peers in meaningful terms, and prioritize cybersecurity investments based on their maturity levels. Since the model's release, more than 75 utilities have downloaded the self-evaluation toolkit, and OE has facilitated onsite evaluations at nearly 10 utilities.