The DoD has special legislative and Executive Order authorization for the acquisition of energy projects. These include Energy Savings Performance Contracts (ESPCs), Utility Energy Services Contracts (UESCs), Utilities Privatization (UP), Energy Resilience and Conservation Investment Program (ERCIP), and other contract or program vehicles. Cybersecurity requirements are now contractually required for third-party energy providers to ensure that, both DoD Information Network (DoDIN) and DoD Controlled Unclassified Information (CUI) data is protected from cyber threats; and that third parties who provide energy services to DoD are able to detect, mitigate and recover from a cyber attack. Energy security, resilience and cybersecurity are foundational elements for installation mission assurance.
FOR IMMEDIATE ACTION - Assistant Secretary of Defense for Sustainment (ASD(s)) Supplemental Guidance for the Utilities Privatization Program Memorandum Feb 7, 2019
DoD recognizes the risk posed by emerging threats to its mission critical cyber-supported Facility Related Control System (FRCS). FRCS cyber security enables resilience of essential utilities and other key services that support mission requirements. Utility system owners are accountable for system operation resilience and cybersecurity, including the safeguarding of CDI related to utility services.
Effective immediately, the DoD Components shall incorporate references (x) to (bb) in all new or renewing utility service contracts, or contracts undergoing material modifications or price determinations. Additionally, no later than sixty (60) days after the issuance of this guidance, the DoD Components shall submit a plan to the Office of the Assistant Secretary of Defense for Sustainment (ASD(s)) for review and approval documenting how references (x) to (bb) will be incorporated into existing utility service contracts.
UP contracts will require 2 Cyber Risk Management Plans; one for the FRCS Operation Technology using the NIST SP 800-82 that address the cybersecurity of the control system networks, components and devices, and one for their corporate IT systems using the NIST SP 800-171 that address how DoD Controlled Unclassified Information (CUI) is protected.
Cyber Risk Management Plans - NIST Standards
FRCS Networks, Components and Devices
Corporate IT business systems that host or transmit CUI
DFARS 252.204.7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
Owned and Operated by UP Contractor
UP Contractor to submit FRCS RMF Package and obtain Authority To Operate (ATO)
UP Contractor to submit CUI CRMP
Owned by DoD Operated by UP Contractor
DoD to submit FRCS RMF Package and obtain Authority To Operate (ATO)
UP Contractor to submit CUI CRMP
Templates, checklists and guidance is on the ESTCP website at:
Organizations can contact the ESTCP office for Cybersecurity Subject Matter Expert technical support to create and manage the required plans.
Third-Party Energy Projects – ESPC Example
To illustrate how DoD and Third-Party financing and project delivery occurs, an example of the Energy Savings Performance Contracts (ESPCs) lifecycle is shown in Figure 1. DoD works closely with the Department of Energy (https://energy.gov/eere/femp/energy-savings-performance-contracts-federal-agencies) to use ESPCs to upgrade outdated DoD infrastructure. An ESPC is a partnership between a federal agency and an energy service company (ESCO). After being selected for a potential award, the ESCO conducts a comprehensive facility energy audit and identifies improvements to save energy. In consultation with the agency, the ESCO designs and constructs a project that meets the agency's needs; and arranges financing to pay for the project.
Figure 1 – Energy Savings Performance Contract Lifecycle
Energy projects have additional requirements for safety because of the production, transmission and distribution of high and medium voltage used by the DoD (versus low voltage systems such as HVAC, lighting, etc.). With Third-Party energy projects, the DoD may either become the system owner upon completion, or it may become an end user with the Third-Party remaining as the system owner and providing power to DoD as a service.
Cybersecurity of Energy Control Systems and Data
Each Third-Party energy project will have unique operational and cybersecurity requirements depending on the local market energy resources (nuclear, coal, solar, wind, thermal, etc.), the Independent System Operator (ISO), and the Regional Transmission Office (RTO) and the DoD Interconnect to the local grid as shown in Figure 2.
Figure 2 – DoD Energy Data Flows
From the Facility-Related Control Systems Master List; for Utility Control Systems, Building Control Systems, or Utility Monitoring and Control Systems, the following Data and Information Types are applicable to energy projects (the System Owner and Authorizing Official make final determination):
In addition to the data and information types that will flow across the energy networks, for ESPC, UESC, EIRCP, and UP contracts, DoD is required to provide installation information such as:
Directly or indirectly, disclosure of Energy Consumption and Infrastructure (ECI) data may enable or assist adversaries to determine DoD missions, objectives, capabilities, intentions, or responses. Exposure of ECI information poses unnecessary risk to DoD missions; predictable risks from exposure of energy consumption and infrastructure data include:
Cybersecuring Covered Defense Information (CDI)
In response to Executive Order 13556 “Controlled Unclassified Information” and Presidential Policy Directive-21 Critical Infrastructure and Resilience, several Defense Federal Acquisition Regulation Supplement (DFARS) were published that have cybersecurity requirements for the protection and safeguarding of DoD OR contractor data on contractor owned and operated IT systems used on or for DoD projects:
Standard terms and their regulatory / NARA sources:
CDI is any unclassified information that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CDI has a broad definition and can be technical, administrative, or operational in nature. CDI applies to any information identified in the contract AND falls in any of the following categories:
Key Legislation, Policy and Guidance for Energy Projects
Deputy Assistant Secretary of Defense Energy, Installations and Environment FY 2019/FY 2020 Energy Resilience and Conservation Investment Program and Plans for the Remainder of the Future Years Defense Program Guidance Memorandum 2017 - This memorandum is a data call for Defense Components to submit proposed Energy Resilience and Conservation Investment Program (ERCIP) projects for FY 2019/FY 2020 and for the remainder of the Future Years Defense Program (FY 2021 to FY 2023).New this year is the addition of energy resilience/security as a separate project category, as the Department of Defense has been given new authorities in the National Defense Authorization Act of 2017.
Deputy Assistant Secretary of Defense Energy, Installations and Environment Installation Energy Plans – Energy Resilience and Cybersecurity Update and Expansion of the Requirement to All DoD Installations Memorandum 2017 - This policy memorandum is an update to the Office of the Assistant Secretary of Defense Energy, Installations, and Environment (OASD(EI&E)) Memorandum, “Installation Energy Plans,” March 31, 2016. The purposes of this update are to: 1) clarify energy resilience requirements, 2) to clarify cybersecurity requirements, and 2) expand the Installation Energy Plan (IEP) requirement to cover all Department of Defense (DoD) installations.
All IEPs will incorporate detailed cybersecurity plans applicable to any energy projects included in the plan, including any installation or modification of Operational Technology (OT) including Platform IT (PIT), Control Systems (CS), or Facility-Related Control Systems (FRCS). Cybersecurity for PIT, CS, FRCS must be incorporated IAW with Unified Facilities Criteria (UFC 4-010-06), “Cybersecurity of Facility-Related Control Systems,” September 2016, and DoD Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” All energy projects must adhere to the applicable Service's existing cybersecurity policy and guidance. DoD Components shall brief ASD(EI&E) on cybersecurity plans included in their IEPs during the annual IEP update to ASD(EI&E) or as requested.
National Defense Authorization Act 2017, Section 1650 Evaluation Of Cyber Vulnerabilities Of Department Of Defense Critical Infrastructure - Initiates a pilot program under which the Secretary shall assess the feasibility and advisability of applying new, innovative methodologies or engineering approaches
DoD has several organizations that provide energy acquisition services; the Defense Logistics Agency, Army Installations Management Command and USACE, Navy Installations Command and Shore Energy Program, and the Air Force Installations, Environment, and Energy and the Office of Energy Assurance.
Defense Logistics Agency Installation Energy - (http://www.dla.mil/Energy/Offers/Products/Installation-Energy/) office offers acquisition support for facility energy requirements such as coal, natural gas, electricity commodity purchase support, renewable energy credit purchases, long term renewable energy project development and energy savings performance initiatives. It also coordinates for the Department of Defense’s participation in electricity demand response programs.
DLA Energy Utility Services (http://www.dla.mil/Energy/Offers/Services/UtilityServices.aspx) - manages the utility services contracting mission supporting the utility privatization programs of service partners.It provides pre- and post-award contracting and technical expertise for service partners privatizing government-owned utility distribution systems of water, wastewater, electric and natural gas under authority of 10 U.S.C. 2688. It acts as the procurement, program management and technical liaison with the Deputy Under Secretary of Defense Installations and Environment for utility services contracting done in conjunction with the privatization of utility systems. Contracted support includes:
Point of Contact - For more information about working with DLA Energy for your utility service needs, please contact the following:
Army Privatization and Partnerships Division - (http://www.acsim.army.mil/installationservices/publicprivateinitiatives.html) - is responsible for policy, prioritization, resourcing, and oversight of 34 individual Residential Communities Initiative (RCI) projects and 1 Privatization of Army Lodging (PAL) project at 39 individual installations. The Division serves as the Army's center of excellence for privatization and partnerships expertise, supporting Soldiers, Families, and Civilians and ensuring the maximization and sustainability of Army assets and services through the use of privatization, public-public and public-private partnerships initiatives.
USACE Huntsville Energy Programs
The USACE Energy Division located in Huntsville, AL acts as a design and construction agent for DoD and provides expertise for high and medium voltage energy projects and third-party financing. The Huntsville Center team taps into programs and contract management expertise within the Energy Division and across the Center to help provide customers a comprehensive and customized energy solution in the following program areas:
The U.S. Army Corps of Engineers’ ESPC program awards master ESPCs and multiple award task order contracts (MATOCs), which are available to federal agencies.
Commander, Navy Installations Command Facilities Support Services Branch
Navy Shore Energy Program - (https://www.cnic.navy.mil/om/base_support/facility_system_investment/Navy_Shore_Energy_Program.html)
Energy bills are the single largest cost for Navy installations, reflecting about 28% of Navy’s shore budget. The Navy must reduce energy costs to free up scarce budget dollars to support training and fleet operations. The goal of the Navy Shore Energy Program is to reduce shore energy intensity by 30% (energy consumption per square foot) by 2015 and by 50% in 2020, while providing reliable energy to 100% of Navy Tier I/II Critical Assets. This goal positions the Navy to achieve legal and regulatory compliance related to shore energy, water management, and reduced carbon footprint, in addition to achieving the SECNAV’s energy targets. These targets require the reduction of shore energy consumption by 50% and require production of at least 50% of shore based energy requirements from alternative sources.
Air Force Installations, Environment & Energy (http://www.safie.hq.af.mil/Programs/Energy/ ) - SAF/IE is responsible for the strategic management and oversight of the Air Force's energy efforts and policy development across all domains of Air Force energy.
Air Force Office of Energy Assurance (OEA) (http://www.safie.hq.af.mil/Programs/Energy/OEA) - The office was established in February 2016 by the Secretary of the Air Force and Chief of Staff to serve the central management office for strategic energy and resiliency initiatives. OEA develops and executes strategic energy assurance initiatives as an extension of the Air Force Civil Engineer Center and in conjunction with the Office of the Assistant Secretary of the Air Force for Installations, Environment and Energy to ensure alignment with Air Force priorities.