Trusted Cyber Security and Regulatory Compliance


Oil & Gas Industry

The Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2) was established as a result of the Administration’s efforts to improve electricity subsector cybersecurity capabilities, and to understand the cybersecurity posture of the energy sector. The ONG-C2M2 includes the core C2M2 as well as additional reference material and implementation guidance specifically tailored for the oil and natural gas subsector. The ONG-C2M2 comprises a maturity model, an evaluation tool, and DOE-facilitated self-evaluations. Unlike other sectors, however, there are no direct cybersecurity laws or regulations targeting this sector. Instead, oil and gas companies are among the many organizations that have to comply with Sarbanes-Oxley, state breach laws, and the Payment Card Industry Data Security Standard (PCI-DSS) where relevant. On the operations side, cybersecurity regulation is largely indirect, through mechanisms like the Chemical Facility Anti-Terrorism Standards (CFATS), which is more about physical security for potentially dangerous chemicals but has a cybersecurity element around protecting the inventory information.

The ONG-C2M2 provides a mechanism that helps organizations evaluate, prioritize, and improve cybersecurity capabilities. The model is a common set of industry-vetted cybersecurity practices, grouped into ten domains and arranged according to maturity level. The ONG-C2M2 evaluation tool allows organizations to evaluate their cybersecurity practices against ONG-C2M2 cybersecurity practices.

CyberForce leverages enterprise architecture models and frameworks to achieve comprehensive documentation of our customers’ active infrastructure. This data is used to populate the FedRAMP SSP templates for comprehensiveness. The complete system is then subject to a thorough and detailed RMF analysis to zero in on critical assets and assets in the critical path. Once this is done, we leverage the NIST 800-53 and FedRAMP standards to undertake complete testing of the system.

As part of the baselining exercise, we leverage Client Staff to accomplish as complete a coverage as possible, as opposed to a statistical model, which is reserved for ongoing checks. This approach is taken to close the door on the would-be hackers banking on systems being left untested over time. We leverage proprietary and standard tools such as DHS CSET and CSAT.

We then document the results at a granular level in CyberForce-created micro-object models. This micro-object-oriented model allows us to compile the state of security along many slices, such as the state of security for a particular geography or for a specific set of systems.

Observations are crosswalked to CFATS and other relevant standards, as well as to any internal client system security framework of controls. It is this Architecture-to-Artifacts comprehensiveness that is representative of CyberForce’s value.