The Georgian State Electrosystem (GSE) is an electricity transmission system operator that owns and operates 3,350 km of transmission lines and 90 substations and provides power transmission and dispatch services throughout the country. Power is transmitted from hydro, thermal, and wind power plants to power distribution companies and direct customers.
The main areas of GSE activity are to:
- Plan and coordinate electricity generation and consumption
- Provide access to the transmission network
- Develop the transmission network (construct new cross-border and internal transmission lines and substations)
- Maintain the transmission network
GSE has indicated an interest in undertaking a US Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2) assessment as a first step toward incorporating cybersecurity investments into the objectives of its next Ten-Year Network Development Plan (TYNDP).
The C2M2 is a voluntary evaluation process built on industry-accepted cybersecurity practices that can be used to measure the maturity of an organization's cybersecurity capabilities. The C2M2 is designed to measure both the sophistication and the sustainment of a cybersecurity program. The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations. The goal of a C2M2 assessment is to develop a logical understanding and measurement of the policies, processes, and procedures that shape an organization's cybersecurity posture. The model provides maturity indicator levels (MILs) that describe an organization's operational capabilities and its management of cybersecurity risk during both normal operations and times of crisis. The C2M2 and the assessment toolkit are publicly available from DOE.
To ensure that GSE receives the most benefit from the C2M2 assessment, the contractor shall provide a facilitator and scribe to perform the C2M2 assessments in Tbilisi, Georgia. The C2M2 is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The domains are:
- Risk Management
- Asset, Change, and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Information Sharing and Communications
- Event and Incident Response, Continuity of Operations
- Supply Chain and External Dependencies Management
- Workforce Management
- Cybersecurity Program Management
The facilitator will have overall responsibility for preparing the organization for, and conducting, the C2M2 self-evaluation. The facilitator will focus the discussion and guide the participants to a consensus response. The C2M2 facilitator should be familiar with the C2M2, the Facilitator's Guide, and the materials listed in the Facilitator's Guide. The specific responsibilities include:
- Complete the phases of a typical C2M2 self-evaluation process
- Ensure that all activities in the self-evaluation process are executed efficiently and effectively
- Work with the organization to ensure the self-evaluation produces high-quality results
- Facilitate the C2M2 self-evaluation workshop
- Review the detailed outcomes with the organization
- Assist in the planning of follow-up activities
The scribe supports the facilitator in performing the assessment. The specific responsibilities include:
- Record responses, notes, and comments during the C2M2 self-evaluation workshop
- Generate the C2M2 Evaluation Scoring Report
- Distribute the C2M2 Evaluation Scoring Report to the organization
The C2M2 facilitator and scribe will conduct two 3-day workshops that will assess the maturity of GSE's organizational cybersecurity initiatives. The first workshop will be conducted in the second week of July 2018 (tentative). The second workshop will be conducted in October 2018 (tentative).