Federal agencies pursuing energy improvements using energy savings performance contracting (ESPC) and utility energy service contracting (UESC) must ensure that energy projects, and the specific energy conservation measures (ECMs) to be implemented, do not introduce cyber vulnerabilities at the federal facilities where they are installed. Many ECMs (building automation upgrades, advanced metering, lighting controls, distributed energy resources) add networked control systems to a facility, and each is a potential point of entry if it is not secured.
Legal and regulatory cybersecurity requirements provide the framework for federal and agency-specific policies and conditions for cybersecurity across federal facilities. These include, but are not limited to:
- E-Government Act (Public Law 107-347)
- Federal Information Security Modernization Act of 2014 (Public Law 113-283), which amended the Federal Information Security Management Act of 2002 (FISMA)
- Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1
- NIST's Federal Information Processing Standards (FIPS)
- All other applicable cybersecurity guidance and best practices laid out in NIST Special Publications (SP), for example SP 800-53 (security and privacy controls) and SP 800-82 (operational technology security)
- All cybersecurity requirements and policies of the contracting federal agency.
Cybersecurity Considerations Across ESPC and UESC Project Phases
Federal project executives (FPEs) can advise agencies on including cybersecurity control terms and conditions in their ESPC or UESC, from acquisition planning through project development and post-award review.
Below are considerations for integrating cybersecurity planning into a performance contract at each phase of the ESPC or UESC process.
Phase 1: Acquisition Planning
During the acquisition planning phase, the federal agency needs to consider any federal or agency-specific policies and requirements that apply to ECMs that introduce or increase cybersecurity vulnerabilities. Where such policies apply, the acquisition planning documentation should include cybersecurity as a prospective requirement, and all agency personnel (including contracting and legal) should be aware of the potential impact on schedule and cost. For UESCs, integrate the cybersecurity control requirements with the performance assurance plan and include them in the task order.
Phase 2: Contractor Selection
During the contractor selection phase, agencies can make the contractor or utility aware of the importance of including cybersecurity control(s) in the project. Agencies can add the agency's own definition of cybersecurity control(s), the applicable legal and regulatory requirements, policies, standards, and expected contractor credentials to the ESPC notice of opportunity or UESC letter of interest. Contractors or utility partners need to be made aware of the agency's cybersecurity control expectations and terms and conditions, and be prepared to meet them if they want to pursue a particular opportunity. For help with the contractor selection phase, including drafting cybersecurity control expectations, agencies should contact their FPE or project facilitator.
Phase 3: Project Development
FEMP recommends that agencies include their cybersecurity control requirements during project development, specifically during the investment-grade audit (IGA) phase, and set a point in development by which the requirement must be put in writing and submitted for review. Agencies can require a draft cybersecurity control plan, agreed upon by the site/facility and its cybersecurity subject matter expert, to be submitted prior to the final IGA. The contractor or utility partner will need to produce valid credentials for the personnel who will conduct the cybersecurity assessment during the IGA. Cybersecurity language should be included in the task order.
Early in project development, at about the time the ECMs are finalized, the agency will need to identify which parts of the installed ECMs the site/facility will inspect and validate, who will be appointed to conduct the government witnessing, and the timeframe in which the appointed agency person must submit their report.
Phase 4: Project Implementation
Cybersecurity controls should be a standing topic of discussion in the post-award review meeting. Topics to address include the approach for implementing cybersecurity control processes as the ECMs are installed, plans for government witnessing, and the authority and credentials of cybersecurity personnel.
Phase 5: Post-Acceptance Performance
Cybersecurity is a continuous process. During the performance period, agencies should verify that the cybersecurity controls put in place remain intact and have not been compromised. FEMP recommends that agencies summarize the key cybersecurity parameters in the contract management plan, including the process for confirming that cybersecurity performance is being delivered (for example, how patches, account changes, and contractor remote access to installed control systems are handled during the performance period).
Tools and Resources
The Federal Energy Management Program (FEMP) offers tools and resources to agencies regarding cybersecurity for their sites and facilities.
FEMP's cybersecurity initiative helps agencies understand and improve the cybersecurity posture of facility-related control systems and distributed energy resources at federal facilities. FEMP offers key resources, tools, and training that help enhance cybersecurity posture at federal facilities and that may need to be addressed in UESC and ESPC contract language.
For assistance understanding cybersecurity within the ESPC and UESC project development process, a good place to start is by contacting an FPE.