Cyber Security Capability Maturity Model (C2M2) Assessment for the Georgian State Electrosystem

RFP Closed

Cyber Security Capability Maturity Model (C2M2) Assessment for the Georgian State Electrosystem

Funding Agency:

U.S. Agency for International Development

Implementing Agency:

United States Energy Association

RFP Closing Date:

April 26th, 2018

CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENT
FOR THE GEORGIAN STATE ELECTROSYSTEM

Questions Due: April 6, 2018
Proposals Due: April 26, 2018

C2M2_RFP.pdf

C2M2 Assessment Questions & Responses.pdf

Contractor Biodata.doc

Horizontal Tabs

Background and Scope

Introduction:

The United States Energy Association (USEA) is an association of public and private energy-related organizations, corporations, and government agencies. USEA represents the broad interests of the U.S. energy sector by increasing the understanding of energy issues, both domestically and internationally.

The objectives of the USEA are to:

Support the objectives of the World Energy Council (WEC) and the interests of USEA’s members.
Bring about a better understanding of domestic and international energy issues.
Maintain liaison with other WEC Member Committees and create organizational and personal relationships internationally.
Recognize individuals and organizations whose contributions enhance global understanding of energy issues.

Background:

The Utility Cyber Security Initiative (UCSI) Working Group was established by the United States Agency for International Development (USAID), the USEA, and selected transmission and distribution utilities of the Black Sea region. This includes Ukraine, Georgia, Moldova, and Armenia. The goal is to foster development of policy directives, strategies, technical standards, utility management best practices, and the deployment of emerging grid technologies to assist Black Sea utilities in establishing a robust cyber security defense in light of the increasingly threatening cyber environment. To date, UCSI has conducted two working group meetings during which the UCSI has shared some American and European best practices related to cyber security preparedness and resilience.

Scope of Work:

The Georgian State Electrosystem (GSE) is an electricity transmission system operator that owns and operates 3,350 km transmission lines and 90 substations and provides power transmission and dispatch services all over the country. Transmission is provided from hydro, thermal, and wind power plants to power distribution companies and direct customers.

The main areas of GSE activity are to:

Plan and coordinate electricity generation and consumption
Provide access to the transmission network
Develop the transmission network (construct new cross-border and internal transmission lines and substations)
Maintain the transmission network.

GSE has indicated an interest in undertaking a US Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2) assessment as a first step toward incorporating cyber security investments in its next ten year Network Development Plans (TYNDP) objective.

The C2M2 is a voluntary evaluation process utilizing industry-accepted cybersecurity practices that can be used to measure the maturity of an organization’s cybersecurity capabilities. The C2M2 is designed to measure both the sophistication and sustainment of a cyber security program. The model was identified, organized, and documented by energy sector subject matter experts from both public and private organizations. The goal of a C2M2 assessment is to develop a logical understanding and measurement of the policies, processes, and procedures involved in the development of an organization’s cyber security posture. The model provides maturity indicator levels (MILs) designed to discuss an organization’s operational capabilities and management of cybersecurity risk during both normal operations and times of crises. The C2M2 and the assessment toolkit are publicly available from DOE.

To ensure that GSE receives the most benefit from the C2M2 assessment, the contractor shall provide a facilitator and scribe to perform the C2M2 assessments in Tbilisi, Georgia. The C2M2 is organized into 10 domains. Each domain is a logical grouping of cybersecurity practices. The domains are:

Risk Management
Asset, change, and configuration management
Identity and access management
Threat and vulnerability management
Situational Awareness
Information sharing and communications
Event and incident response, continuity of operations
Supply chain and external dependencies management
Workforce management
Cybersecurity program management

The facilitator will have overall responsibility for preparing the organization for and conducting the C2M2 self-evaluation. The facilitator will focus on the discussion and arrive at a consensus response. The C2M2 facilitator should be familiar with the C2M2, the Facilitator’s Guide, and the materials listed in the Facilitator’s Guide. The specific responsibilities include:

Complete the phases of a typical C2M2 self-evaluation process
Ensure that all activities in the self-evaluation process are executed efficiently and effectively
Work with the organization to ensure the self-evaluation produces high-quality results
Facilitate the C2M2 self-evaluation workshop
Review the detailed outcomes with the organization
Assist in the planning of follow-up activities

The scribe supports the facilitator in performing the assessment. The specific responsibilities include:

Record responses, notes, and comments during the C2M2 self-evaluation workshop
Generate the C2M2 Evaluation Scoring Report
Distribute the C2M2 Evaluation Scoring Report to the organization

The C2M2 facilitator and scribe will conduct two 3 day workshops that will assess the maturity of the GSE organizational cyber security initiatives. The first workshop will be conducted the second week of July 2018 (tentative). The second workshop will be conducted in October 2018 (tentative).

Implementation and Deliverables

Implementation:

The specific tasks include:

Workshop Preparation
1. The contractor shall have a “kick-off” conference call with USEA to discuss the proposed work, GSE, and the role of these assessments in the overall USEA program for the Black Sea utilities. This will provide context for the assessment workshops.
2. The contractor shall identify the specific domains that will be assessed at each workshop. Two assessment workshops are scheduled to ensure that the representatives from GSE will receive the maximum benefit. This list shall be discussed with USEA prior to task 1.3.
3. The contractor will coordinate with USEA to schedule a conference call with the GSE C2M2 participants to provide an overview and explanation of the C2M2 model document, the assessment process, and the domains that will assessed at each workshop. The contractor shall prepare a presentation for this conference call with GSE. The presentation shall be submitted to USEA as a draft for comment two weeks prior to the scheduled conference call.
4. The contractor shall identify and provide material to be provided to GSE prior to the first assessment workshop. This may include, but not be limited to, the C2M2 Manual, the C2M2 toolkit questions, and applicable presentations. These should be provided to USEA six weeks prior to the first assessment workshop.
5. The contractor shall coordinate a conference call with the GSE participants to review the C2M2 model document and answer questions prior to each assessment workshop, at a minimum one month before each assessment workshop. This may require additional conference calls prior to each assessment workshop, as needed.
6. The contractor shall coordinate with USEA to review and tailor, at a minimum, the facilitator’s guide and presentation to meet the specific needs of GSE, including improving the situational awareness of GSE senior management and prioritizing management domains to be addressed in GSE’s upcoming TYNDP. The contractor shall prepare an agenda for each assessment workshop.
Assessment Workshops
1. The contractor shall conduct the first assessment workshop at a facility in Tbilisi, Georgia, tentatively scheduled for the week of July 9, 2018. The workshop will be scheduled for three days.
2. The contractor shall draft a report after the first workshop that contains a summary of the actions taken and plans for the second workshop. This report shall be reviewed by USEA and proposed revisions shall be submitted to the contractor. The first draft of the report shall be submitted one month after the first workshop.
3. At the completion of the first assessment workshop at GSE, the contractor shall request comments/input from the participants. These shall be documented and the report submitted to USEA one month after the first workshop. As applicable, this shall be used to revise the methodology for the second assessment workshop.
4. The contractor shall conduct the second assessment workshop at a facility in Tbilisi, Georgia, tentatively scheduled for October 2018. The workshop will be scheduled for three days.
5. At the end of each assessment workshop, the contractor shall generate a C2M2 report that will provide GSE with a visual analysis on the maturity of its cybersecurity program. An outcome of the assessment workshops shall be to set aspirational goals for each maturity indicator level in the 10 C2M2 domains.
Workshop Completion
1. At the completion of the second assessment workshop, the contractor shall submit a final report that includes a workplan for meeting the maturity indicator levels identified by GSE during the assessment workshops. This report shall be submitted one month after the second assessment workshop. This report shall help GSE prioritize areas for follow-up technical support consistent with the desire to incorporate cybersecurity into the TYNDP.
2. The contractor shall submit a report with lessons learned and recommendations for tailoring the C2M2 assessment process to other utilities in the Black Sea region. This report shall be submitted one month after the second assessment workshop.

Schedule of Milestones and Deliverables:

The following is the schedule of activities:

Subtask	Date	Action
1.1	Two weeks after contract award	Kick-off meeting	Milestone
1.2	O/A May 15, 2018	C2M2 domains for each assessment workshop	Deliverable
1.3	O/A May 22, 2018	C2M2 overview presentation to USEA	Deliverable
1.3	O/A May 28, 2018	C2M2 overview conference call with GSE	Deliverable
1.4	O/A May 30, 2018	List of C2M2 documents to be distributed to GSE	Deliverable
1.5	O/A June 11, 2018	Q&A conference call with GSE	Deliverable
1.6	O/A June 22, 2018	Facilitator’s Guide, Workshop agenda, and presentations	Deliverable
2.1	O/A July 11-13, 2019	First assessment workshop	Milestone
2.5	O/A July 13, 2018	Report to GSE on their maturity levels and proposed MILs	Deliverable
2.2	O/A August 13, 2018	Summary report of first workshop and proposed changes for second workshop	Deliverable
2.3	O/A August 13, 2018	Report summarizing input from GSE after first workshop and recommendations for second workshop	Deliverable
1.5	O/A September 15, 2018	Conference call with GSE	Deliverable
1.6	O/A September 20, 2018	Workshop agenda and presentations.
2.4	O/A October 16-18, 2018	Second assessment workshop	Milestone
2.5	O/A October 18, 2018	Report to GSE on their maturity levels and proposed MILs	Deliverable
3.1	O/A November 18, 2018	Submit Final Report and workplan for achieving proposed MIL	Deliverable
3.2	O/A November 18, 2018	Submit recommendations for future Black Sea C2M2 assessments and lessons learned	Deliverable

Timeframe and Submission

Selection Criteria:

The following criteria will be used to evaluate proposals:

40% -- Proven experience in organizing and conducting C2M2 Assessments

30% -- Demonstrated knowledge of cyber security in the utility operational environment

30% -- Price

Timeframe:

Interested parties are requested to register their interest prior to April 6, 2018 via email to the following mailbox: [email protected]. Registering interest will ensure you receive all questions submitted by interested parties and the corresponding responses from USEA.
Questions on the terms of this request for proposals must be submitted prior to April 6, 2018 by email to the following mailbox: [email protected]. All questions received and their corresponding responses will be distributed to all parties registering interest in this request for proposals.
Final proposals must be submitted by email by the close of business EDT on April 26, 2018 to the following mailbox: [email protected].

Search form

RFP Closed