Federal agencies pursuing energy improvements through performance contracting vehicles, such as energy savings performance contracts (ESPCs) and utility energy service contracts (UESCs), must be sure that the energy projects, and the specific energy conservation measures (ECMs) that will be implemented, do not introduce cybersecurity vulnerabilities at the federal facilities where they are installed.
Legal and regulatory cybersecurity requirements provide the framework for federal and agency-specific policies and conditions for cybersecurity across federal facilities. These include, but are not limited to:
- E-Government Act (Public Law 107-347)
- Federal Information Security Modernization Act of 2014 (P.L. 113-283), as amended
- Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1
- NIST's Federal Information Processing Standards
- All other applicable cybersecurity guidance and best practices as laid out in other NIST Special Publications
- All cybersecurity requirements and policies of the contracting federal agency
Federal project executives (FPEs) can advise agencies on including cybersecurity control terms and conditions in their ESPCs or UESCs, from acquisition planning through project development and post-award review.
Considerations by Phase
The Federal Energy Management Program (FEMP) offers the following considerations for integrating cybersecurity planning into performance contracts during each phase of the ESPC or UESC process.
Phase 1: Acquisition Planning
During the acquisition planning phase, the federal agency needs to consider any federal or agency-specific policies and requirements that apply to ECMs that could introduce or increase cybersecurity vulnerabilities. If required, the acquisition planning documentation should include cybersecurity as a prospective requirement, and all agency personnel (including contracting and legal) should be aware of the potential impact on schedule and cost. For UESCs, integrate the cybersecurity control requirements with the performance assurance plan and include them in the task order.
Phase 2: Contractor Selection
During the contractor selection phase, agencies can make the contractor or utility aware of the importance of including cybersecurity control(s) in the project. Agencies can add their organization's definition of cybersecurity control(s), legal and regulatory requirements, policies, standards, and expected contractor credentials to the ESPC notice of opportunity or UESC letter of interest. Contractors or utility partners need to be made aware of the agency's cybersecurity control expectations and terms and conditions so that they can prepare if they want to pursue a particular opportunity. For help with the contractor selection phase, including drafting cybersecurity control expectations, agencies should contact their FPE or project facilitator.
Phase 3: Project Development
FEMP recommends that agencies include their cybersecurity control requirements during project development, specifically during the investment-grade audit (IGA) phase, and set a trigger point in development at which the requirements must be put in writing and submitted for review. Agencies can require a draft cybersecurity control plan, agreed upon by the site/facility and its cybersecurity subject matter expert, to be submitted prior to the final IGA. The contractor or utility partner will need to produce valid credentials for the personnel who will conduct the cybersecurity assessment during the IGA. Cybersecurity language should be considered as part of the task order.
The agency will need to identify early in project development, around the time the ECMs are finalized, which parts of the ECMs the site/facility will inspect and validate, who will be appointed to conduct the government witnessing, and the timeframe within which the appointed agency person must submit their report.
Phase 4: Project Implementation
Cybersecurity controls should be a topic of discussion in the post-award review meeting. Topics to address include the approach for implementing cybersecurity control processes as the ECMs are installed, plans for government witnessing, and the authority and credentials of cybersecurity personnel.
Phase 5: Post-Acceptance Performance
Cybersecurity is a continuous process. During the performance period, agencies should verify that the cybersecurity controls put in place remain in effect and have not been weakened or compromised. FEMP recommends that agencies summarize the key parameters in the contract management plan, which should describe the process for confirming that the contracted cybersecurity performance is actually being delivered.