United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

Similar documents
Physical Security Reliability Standard Implementation

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Implementing Executive Order and Presidential Policy Directive 21

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Cybersecurity & Privacy Enhancements

Chapter X Security Performance Metrics

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Updates to the NIST Cybersecurity Framework

Chapter X Security Performance Metrics

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Framework for Improving Critical Infrastructure Cybersecurity

Bradford J. Willke. 19 September 2007

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

PIPELINE SECURITY An Overview of TSA Programs

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Views on the Framework for Improving Critical Infrastructure Cybersecurity

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Energy Assurance State Examples and Regional Markets Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials

IAEA Perspective: The Framework for the Security of Radioactive Material and Associated Facilities

NW NATURAL CYBER SECURITY 2016.JUNE.16

The next generation of knowledge and expertise

The NIST Cybersecurity Framework

John Snare Chair Standards Australia Committee IT/12/4

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

T&E Workforce Development

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

The Center for Internet Security

The Office of Infrastructure Protection

Safety of Nuclear Installations

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Department of Homeland Security Updates

AFRICA AND MIDDLE EAST AVIATION SECURITY ROADMAP

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

NCSF Foundation Certification

SEAWALL EARTHQUAKE SAFETY & DISASTER PREVENTION PROGRAM

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Standard CIP Cyber Security Critical Cyber Asset Identification

Critical Infrastructure Protection in the European Union

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

NIS Directive : Call for Proposals

First Session of the Asia Pacific Information Superhighway Steering Committee, 1 2 November 2017, Dhaka, Bangladesh.

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Standard CIP Cyber Security Critical Cyber Asset Identification

Cyber Security & Homeland Security:

FY Bay Area UASI Risk and Grants Management Program Update. November 14, 2013

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Overview of the Cybersecurity Framework

Item 4.4 Identification, isolation and elimination of major bottlenecks along international transport routes

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Remit Issue April 2016

Securing Buildings & Facilities From Emerging Cyber Threats

Cybersecurity and Vulnerability Assessment

INFORMATION ASSURANCE DIRECTORATE

ARRA State & Local Energy Assurance Planning & Implementation

Chapter X Security Performance Metrics

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Overview of the Federal Interagency Operational Plans

Scope Cyber Attack Task Force (CATF)

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity for ALL

Statement for the Record

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

For providing decision support on climate stressors to infrastructure and assets for federal, state, local, and private clients...

Information Security Continuous Monitoring (ISCM) Program Evaluation

Developing a Model for Cyber Security Maturity Assessment

EARTH Ex 2017 Middle Planning Conference

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

DFARS Cyber Rule Considerations For Contractors In 2018

Introducing Cyber Observer

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

IAEA Action Plan on Nuclear Safety

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

White Paper. View cyber and mission-critical data in one dashboard

International Organization for Standardization (ISO) on Climate Change Adaptation

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Critical Infrastructure Mission Implementation by State, Local, Tribal, and Territorial Agencies and Public-Private Partnerships.

Provisional Translation

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Georgia: Power Transmission Enhancement Project financed by Asian Development Bank (ADB)

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Cybersecurity and Data Protection Developments

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Energy Assurance Plans

FISMA Cybersecurity Performance Metrics and Scoring

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Enhancing the cyber security &

The NIS Directive and Cybersecurity in

FERC Reliability Technical Conference Panel III: ERO Performance and Initiatives ESCC and the ES-ISAC

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release September 23, 2014 EXECUTIVE ORDER

Australian Energy Sector Cyber Security Framework. Frequently Asked Questions FINAL V1-0

Cyber Security in Europe and CEER s new PEER initiative

National Cyber Security Strategy (NCS) Toolkit

The J100 RAMCAP Method

Transcription:

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS UTILITY CYBER SECURITY INITIATIVE (UCSI) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENT FOR THE GEORGIAN STATE ELECTROSYSTEM Questions Due: April 6, Proposals Due: April 26, Background The United States Energy Association (USEA) is an association of public and private energyrelated organizations, corporations, and government agencies. USEA represents the broad interests of the U.S. energy sector by increasing the understanding of energy issues, both domestically and internationally. The objectives of the USEA are to: Support the objectives of the World Energy Council (WEC) and the interests of USEA s members. Bring about a better understanding of domestic and international energy issues. Maintain liaison with other WEC Member Committees and create organizational and personal relationships internationally. Recognize individuals and organizations whose contributions enhance global understanding of energy issues. The Utility Cyber Security Initiative (UCSI) Working Group was established by the United States Agency for International Development (USAID), the USEA, and selected transmission and distribution utilities of the Black Sea region. This includes Ukraine, Georgia, Moldova, and Armenia. The goal is to foster development of policy directives, strategies, technical standards, utility management best practices, and the deployment of emerging grid technologies to assist Black Sea utilities in establishing a robust cyber security defense in light of the increasingly threatening cyber environment. To date, UCSI has conducted two working group meetings during which the UCSI has shared some American and European best practices related to cyber security preparedness and resilience. Scope of Work: C2M2 Assessment for GSE The Georgian State Electrosystem (GSE) is an electricity transmission system operator that owns and operates 3,350 km transmission lines and 90 substations and provides power transmission and dispatch services all over the country. Transmission is provided from hydro, thermal, and wind power plants to power distribution companies and direct customers. The main areas of GSE activity are to: 1

Plan and coordinate electricity generation and consumption Provide access to the transmission network Develop the transmission network (construct new cross-border and internal transmission lines and substations) Maintain the transmission network. GSE has indicated an interest in undertaking a US Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2) assessment as a first step toward incorporating cyber security investments in its next ten year Network Development Plans (TYNDP) objective. The C2M2 is a voluntary evaluation process utilizing industry-accepted cybersecurity practices that can be used to measure the maturity of an organization s cybersecurity capabilities. The C2M2 is designed to measure both the sophistication and sustainment of a cyber security program. The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations. The goal of a C2M2 assessment is to develop a logical understanding and measurement of the policies, processes, and procedures involved in the development of an organization s cyber security posture. The model provides maturity indicator levels (MILs) designed to discuss an organization s operational capabilities and management of cybersecurity risk during both normal operations and times of crises. The C2M2 and the assessment toolkit are publicly available from DOE. To ensure that GSE receives the most benefit from the C2M2 assessment, the contractor shall provide a facilitator and scribe to perform the C2M2 assessments in Tbilisi, Georgia. The C2M2 is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The domains are: Risk Management Asset, change, and configuration management Identity and access management Threat and vulnerability management Situational Awareness Information sharing and communications Event and incident response, continuity of operations Supply chain and external dependencies management Workforce management Cybersecurity program management The facilitator will have overall responsibility for preparing the organization for and conducting the C2M2 self-evaluation. The facilitator will focus on the discussion and arrive at a consensus response. The C2M2 facilitator should be familiar with the C2M2, the Facilitator s Guide, and the materials listed in the Facilitator s Guide. The specific responsibilities include: Complete the phases of a typical C2M2 self-evaluation process Ensure that all activities in the self-evaluation process are executed efficiently and effectively Work with the organization to ensure the self-evaluation produces high-quality results Facilitate the C2M2 self-evaluation Review the detailed outcomes with the organization Assist in the planning of follow-up activities 2

The scribe supports the facilitator in performing the assessment. The specific responsibilities include: Record responses, notes, and comments during the C2M2 self-evaluation Generate the C2M2 Evaluation Scoring Report Distribute the C2M2 Evaluation Scoring Report to the organization The C2M2 facilitator and scribe will conduct two 3 day s that will assess the maturity of the GSE organizational cyber security initiatives. The first will be conducted the second week of July (tentative). The second will be conducted in October (tentative). The specific tasks include: 1. Workshop Preparation 1.1. The contractor shall have a kick-off conference call with USEA to discuss the proposed work, GSE, and the role of these assessments in the overall USEA program for the Black Sea utilities. This will provide context for the assessment s. 1.2. The contractor shall identify the specific domains that will be assessed at each. Two assessment s are scheduled to ensure that the representatives from GSE will receive the maximum benefit. This list shall be discussed with USEA prior to task 1.3. 1.3. The contractor will coordinate with USEA to schedule a conference call with the GSE C2M2 participants to provide an overview and explanation of the C2M2 model document, the assessment process, and the domains that will assessed at each. The contractor shall prepare a presentation for this conference call with GSE. The presentation shall be submitted to USEA as a draft for comment two weeks prior to the scheduled conference call. 1.4. The contractor shall identify and provide material to be provided to GSE prior to the first assessment. This may include, but not be limited to, the C2M2 Manual, the C2M2 toolkit questions, and applicable presentations. These should be provided to USEA six weeks prior to the first assessment. 1.5. The contractor shall coordinate a conference call with the GSE participants to review the C2M2 model document and answer questions prior to each assessment, at a minimum one month before each assessment. This may require additional conference calls prior to each assessment, as needed. 1.6. The contractor shall coordinate with USEA to review and tailor, at a minimum, the facilitator s guide and presentation to meet the specific needs of GSE, including improving the situational awareness of GSE senior management and prioritizing management domains to be addressed in GSE s upcoming TYNDP. The contractor shall prepare an agenda for each assessment. 2. Assessment Workshops 2.1. The contractor shall conduct the first assessment at a facility in Tbilisi, Georgia, tentatively scheduled for the week of July 9,. The will be scheduled for three days. 3

2.2. The contractor shall draft a report after the first that contains a summary of the actions taken and plans for the second. This report shall be reviewed by USEA and proposed revisions shall be submitted to the contractor. The first draft of the report shall be submitted one month after the first. 2.3. At the completion of the first assessment at GSE, the contractor shall request comments/input from the participants. These shall be documented and the report submitted to USEA one month after the first. As applicable, this shall be used to revise the methodology for the second assessment. 2.4. The contractor shall conduct the second assessment at a facility in Tbilisi, Georgia, tentatively scheduled for October. The will be scheduled for three days. 2.5. At the end of each assessment, the contractor shall generate a C2M2 report that will provide GSE with a visual analysis on the maturity of its cybersecurity program. An outcome of the assessment s shall be to set aspirational goals for each maturity indicator level in the 10 C2M2 domains. 3. Workshop Completion 3.1. At the completion of the second assessment, the contractor shall submit a final report that includes a workplan for meeting the maturity indicator levels identified by GSE during the assessment s. This report shall be submitted one month after the second assessment. This report shall help GSE prioritize areas for followup technical support consistent with the desire to incorporate cybersecurity into the TYNDP. 3.2. The contractor shall submit a report with lessons learned and recommendations for tailoring the C2M2 assessment process to other utilities in the Black Sea region. This report shall be submitted one month after the second assessment. Schedule of Milestones and s: The following is the schedule of activities: Subtask Date Action 1.1 Two weeks after Kick-off meeting Milestone contract award 1.2 O/A May 15, C2M2 domains for each assessment 1.3 O/A May 22, C2M2 overview presentation to USEA 1.3 O/A May 28, C2M2 overview conference call with GSE 1.4 O/A May 30, List of C2M2 documents to be distributed to GSE 1.5 O/A June 11, Q&A conference call with GSE 1.6 O/A June 22, Facilitator s Guide, Workshop agenda, and presentations 2.1 O/A July 11-13, 2019 First assessment Milestone 4

Subtask Date Action 2.5 O/A July 13, Report to GSE on their maturity levels and proposed MILs 2.2 O/A August 13, Summary report of first and proposed changes for second 2.3 O/A August 13, Report summarizing input from GSE after first and recommendations for second 1.5 O/A September 15, Conference call with GSE 1.6 O/A September 20, Workshop agenda and presentations. 2.4 O/A October 16-18, Second assessment 2.5 O/A October 18, Report to GSE on their maturity levels and proposed MILs 3.1 O/A November 18, Submit Final Report and workplan for 3.2 O/A November 18, achieving proposed MIL Submit recommendations for future Black Sea C2M2 assessments and lessons learned Milestone Criteria The following criteria will be used to evaluate proposals: 40% -- Proven experience in organizing and conducting C2M2 Assessments 30% -- Demonstrated knowledge of cyber security in the utility operational environment 30% -- Price Proposal Schedule Interested parties are requested to register their interest prior to April 6, via email to the following mailbox: proposals@usea.org. Registering interest will ensure you receive all questions submitted by interested parties and the corresponding responses from USEA. Questions on the terms of this request for proposals must be submitted prior to April 6, by email to the following mailbox: proposals@usea.org. All questions received and their corresponding responses will be distributed to all parties registering interest in this request for proposals. Final proposals must be submitted by email by the close of business EDT on April 26, to the following mailbox: proposals@usea.org. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback