Cybersecurity: Handling Risks from Third Parties – Part 3

April 17, 2018
In the last of a three-part series on cyber risks to building control systems, a veteran DoD consultant looks at the responsibilities now contractually required of third-party energy providers.

By Michael Chipley, PhD,
The PMC Group LLC,
Centreville VA

In previous installments, this series addressed both the Risk Management Framework (RMF) for Operational Technologies Control Systems, and the Cyber Risk Management Plans (CRMP) which all DoD contractors must now have in place. Here, the author looks at the cybersecurity requirements now contractually mandated for third-party energy providers.

The DoD has special legislative and Executive Order authorization for the acquisition of energy projects. These include Energy Savings Performance Contracts (ESPCs), Utility Energy Services Contracts (UESCs), Utilities Privatization (UP), the Energy Resilience and Conservation Investment Program (ERCIP), and other contract or program vehicles. Cybersecurity requirements are now contractually imposed on third-party energy providers to ensure that both the DoD Information Network (DoDIN) and DoD Controlled Unclassified Information (CUI) data are protected from cyber threats, and that third parties who provide energy services to DoD are able to detect, mitigate and recover from a cyber attack. Energy security, resilience and cybersecurity are foundational elements for installation mission assurance.

Third-Party Energy Projects – ESPC Example

To illustrate how DoD and Third-Party financing and project delivery occur, an example of the Energy Savings Performance Contract (ESPC) lifecycle is shown in Figure 1. DoD works closely with the Department of Energy to use ESPCs to upgrade outdated DoD infrastructure. An ESPC is a partnership between a federal agency and an energy service company (ESCO). After being selected for a potential award, the ESCO conducts a comprehensive facility energy audit and identifies improvements to save energy. In consultation with the agency, the ESCO designs and constructs a project that meets the agency’s needs, and arranges financing to pay for the project.

Energy projects have additional requirements for safety because of the production, transmission and distribution of high and medium voltage used by the DoD (versus low voltage systems such as HVAC, lighting, etc.). With Third-Party energy projects, the DoD may either become the system owner upon completion, or it may become an end user with the Third-Party remaining as the system owner and providing power to DoD as a service.

Cybersecurity of Energy Control Systems and Data

Each Third-Party energy project will have unique operational and cybersecurity requirements depending on the local market energy resources (nuclear, coal, solar, wind, thermal, etc.), the Independent System Operator (ISO), the Regional Transmission Office (RTO), and the DoD Interconnect to the local grid, as shown in Figure 2.

From the DoD Facility-Related Control Systems Master List, for Utility Control Systems, Building Control Systems, or Utility Monitoring and Control Systems, the following Data and Information Types are applicable to energy projects (the System Owner and Authorizing Official make the final determination):

•  C.2.8.12 General Information;

•  C.3.1.1 Facilities, Fleet, and Equipment Management Information Type;

•  C.3.5.8 System and Network Monitoring Information Type;

•  D.2.2 Key Asset and Critical Infrastructure Protection Information Type;

•  D.7.1 Energy Supply Information Type;

•  D.7.2 Energy Conservation and Preparedness Information Type;

•  D.7.4 Energy Production Information Type.

In addition to the data and information types that will flow across the energy networks, for ESPC, UESC, ERCIP, and UP contracts, DoD is required to provide installation information such as:

•  Installation site plans, GIS, and imagery;

•  Real Estate Transaction records;

•  Utility and Building CAD drawings and Building Information Models;

•  Utility and Building Control Systems Technical and Operator/User Manuals;

•  Maintenance records and Standard Operating Procedures.

Directly or indirectly, disclosure of Energy Consumption and Infrastructure (ECI) data may enable or assist adversaries to determine DoD missions, objectives, capabilities, intentions, or responses. Exposure of ECI information poses unnecessary risk to DoD missions; predictable risks from exposure of energy consumption and infrastructure data include that it may:

•  Enable adversary comparative analysis to determine changes in DoD missions;

•  Reveal undisclosed weapons systems or specialized equipment and their capabilities;

•  Inadvertently reveal critical information when aggregated;

•  Reveal critical missions by displaying trends in energy consumption.

Cybersecuring Covered Defense Information (CDI)

In response to Executive Order 13556 “Controlled Unclassified Information” and Presidential Policy Directive-21 Critical Infrastructure and Resilience, several Defense Federal Acquisition Regulation Supplement (DFARS) clauses were published that carry cybersecurity requirements for the protection and safeguarding of DoD or contractor data on contractor-owned and -operated IT or OT systems used on or for DoD projects:

•  DFARS 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls;

•  DFARS 252.204-7009 – Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information;

•  DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting.

Standard terms and their regulatory / NARA sources:

•  Covered Defense Information (CDI);

•  Controlled Unclassified Information (CUI);

•  Unclassified Controlled Technical Information (UCTI).

CDI is any unclassified information that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CDI has a broad definition and can be technical, administrative, or operational in nature. CDI applies to any information identified in the contract that also falls in any of the following categories:

•  Controlled technical data;

•  Critical information (operations security);

•  Export control;

•  Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).

NOTE: Third-Party Energy Project Data (all DoD data provided to the Third-Party as well as real-time energy data flows on both the IT and the OT energy systems networks) is considered Covered Defense Information (CDI), and Third-Party contractors/vendors must ensure DoD CDI is protected in accordance with the DFARS and NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

Key Legislation, Policy and Guidance for Energy Projects

Deputy Assistant Secretary of Defense Energy, Installations and Environment FY 2019/FY 2020 Energy Resilience and Conservation Investment Program and Plans for the Remainder of the Future Years Defense Program Guidance Memorandum 2017 - This memorandum is a data call for Defense Components to submit proposed Energy Resilience and Conservation Investment Program (ERCIP) projects for FY 2019/FY 2020 and for the remainder of the Future Years Defense Program (FY 2021 to FY 2023). New this year is the addition of energy resilience/security as a separate project category, as the Department of Defense has been given new authorities in the National Defense Authorization Act of 2017.

Deputy Assistant Secretary of Defense Energy, Installations and Environment Installation Energy Plans – Energy Resilience and Cybersecurity Update and Expansion of the Requirement to All DoD Installations Memorandum 2017 - This policy memorandum is an update to the Office of the Assistant Secretary of Defense Energy, Installations, and Environment (OASD(EI&E)) Memorandum, “Installation Energy Plans,” March 31, 2016. The purposes of this update are to: 1) clarify energy resilience requirements, 2) clarify cybersecurity requirements, and 3) expand the Installation Energy Plan (IEP) requirement to cover all Department of Defense (DoD) installations.

All IEPs will incorporate detailed cybersecurity plans applicable to any energy projects included in the plan, including any installation or modification of Operational Technology (OT) including Platform IT (PIT), Control Systems (CS), or Facility-Related Control Systems (FRCS). Cybersecurity for PIT, CS, and FRCS must be incorporated in accordance with (IAW) Unified Facilities Criteria (UFC 4-010-06), “Cybersecurity of Facility-Related Control Systems,” September 2016, and DoD Federal Acquisition Regulations Supplement (DFARS) Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” All energy projects must adhere to the applicable Service’s existing cybersecurity policy and guidance. DoD Components shall brief ASD(EI&E) on cybersecurity plans included in their IEPs during the annual IEP update to ASD(EI&E) or as requested.

National Defense Authorization Act 2017, Section 1650 Evaluation Of Cyber Vulnerabilities Of Department Of Defense Critical Infrastructure - Initiates a pilot program under which the Secretary shall assess the feasibility and advisability of applying new, innovative methodologies or engineering approaches:

A. to improve the defense of control systems against cyber attacks;

B. to increase the resilience of military installations against cybersecurity threats;

C. to prevent or mitigate the potential for high-consequence cyber attacks; and

D. to inform future requirements for the development of such control systems.

DoD Energy Organizations

DoD has several organizations that provide energy acquisition services: the Defense Logistics Agency; Army Installations Management Command and USACE; Navy Installations Command and the Shore Energy Program; and Air Force Installations, Environment, and Energy and the Office of Energy Assurance.

Defense Logistics Agency Installation Energy - This office offers acquisition support for facility energy requirements such as coal, natural gas, electricity commodity purchase support, renewable energy credit purchases, long-term renewable energy project development and energy savings performance initiatives. It also coordinates the Department of Defense’s participation in electricity demand response programs.

DLA Energy Utility Services - Manages the utility services contracting mission supporting the utility privatization programs of service partners. It provides pre- and post-award contracting and technical expertise for service partners privatizing government-owned utility distribution systems of water, wastewater, electric and natural gas under authority of 10 U.S.C. 2688. It acts as the procurement, program management and technical liaison with the Deputy Under Secretary of Defense Installations and Environment for utility services contracting done in conjunction with the privatization of utility systems. Contracted support includes:

•  Water distribution;

•  Wastewater collection;

•  Electrical distribution;

•  Central heat and power plant;

•  Natural gas distribution;

•  Water plant;

•  Wastewater plant.

Point of Contact - For more information about working with DLA Energy for your utility service needs, please contact the following:

•  Utility Service Director 703-617-1529;

•  Utility Service Deputy Director 703-617-1532;

•  Utility Service COR Program Managers 703-617-1491/1492.

Army Privatization and Partnerships Division - Responsible for policy, prioritization, resourcing, and oversight of 34 individual Residential Communities Initiative (RCI) projects and 1 Privatization of Army Lodging (PAL) project at 39 individual installations. The Division serves as the Army’s center of excellence for privatization and partnerships expertise, supporting Soldiers, Families, and Civilians and ensuring the maximization and sustainability of Army assets and services through the use of privatization, public-public and public-private partnership initiatives.

USACE Huntsville Energy Programs - The USACE Energy Division located in Huntsville, AL acts as a design and construction agent for DoD and provides expertise for high and medium voltage energy projects and third-party financing. The Huntsville Center team taps into programs and contract management expertise within the Energy Division and across the Center to help provide customers a comprehensive and customized energy solution in the following program areas:

•  Commercial Utility Program (CUP);

•  Energy Resilience & Conservation Investment Program Validation;

•  Energy Engineering Analysis Program (EEAP);

•  Energy Information Management (EIM);

•  Energy Savings Performance Contracting (ESPC) Program;

•  Facilities Reduction Program (FRP);

•  Meter Data Management Systems (MDMS);

•  Power Purchase Agreement (PPA) Program;

•  Resource Efficiency Manager (REM) Program;

•  Utility Energy Services Contracting (UESC);

•  Utility Monitoring and Control Systems (UMCS).

The U.S. Army Corps of Engineers’ ESPC program awards master ESPCs and multiple award task order contracts (MATOCs), which are available to federal agencies. For assistance with RMF for 3rd Party Energy Systems, contact the USACE Huntsville Energy Division.

Commander, Navy Installations Command Facilities Support Services Branch - Responsible for:

•  Utilities commodities: electricity, steam, potable water, salt water, compressed air, natural gas, coal, heating oil, wastewater, solid waste disposal;

•  Utilities privatization, policy input, energy conservation, use and rates monitoring.

Navy Shore Energy Program - Energy bills are the single largest cost for Navy installations, reflecting about 28% of the Navy’s shore budget. The Navy must reduce energy costs to free up scarce budget dollars to support training and fleet operations. The goal of the Navy Shore Energy Program is to reduce shore energy intensity (energy consumption per square foot) by 30% by 2015 and by 50% in 2020, while providing reliable energy to 100% of Navy Tier I/II Critical Assets. This goal positions the Navy to achieve legal and regulatory compliance related to shore energy, water management, and reduced carbon footprint, in addition to achieving the SECNAV’s energy targets. These targets require the reduction of shore energy consumption by 50% and require production of at least 50% of shore-based energy requirements from alternative sources.

Air Force Installations, Environment & Energy - SAF/IE is responsible for the strategic management and oversight of the Air Force’s energy efforts and policy development across all domains of Air Force energy.

Air Force Office of Energy Assurance (OEA) - The office was established in February 2016 by the Secretary of the Air Force and Chief of Staff to serve as the central management office for strategic energy and resiliency initiatives. OEA develops and executes strategic energy assurance initiatives as an extension of the Air Force Civil Engineer Center and in conjunction with the Office of the Assistant Secretary of the Air Force for Installations, Environment and Energy to ensure alignment with Air Force priorities.