The selected Consultant will perform the following tasks:
Task One: Conduct C2M2 Assessments for Moldelectrica, Ukrenergo and MEPSO
The selected Consultant will conduct individual two-day workshops for Moldelectrica, Ukrenergo and MEPSO at the company headquarters to assess the maturity of their cyber security initiatives.
The Consultant should be familiar with the C2M2 software and assessment process, the Facilitator’s Guide, and the materials listed in the Facilitator’s Guide. The specific responsibilities will be to:
- Facilitate the C2M2 self-evaluation workshops
- Ensure that all activities in the self-evaluation process are executed efficiently and effectively
- Prepare a targeted profile report for each utility
- Review the report with the senior management of each of the organizations
- Prepare a high-level roadmap of activities for each utility to advance the maturity of their cyber security operations
- Prepare a Benchmarking Report for all ETAG C2M2 assessments
- Recommend follow-up activities based on the C2M2 results
Prior to each workshop, the Consultant will coordinate with USEA and each of the utilities to help prepare each utility for the assessments. This will be accomplished through a series of conference calls and exchange of documents to provide the utilities with a thorough overview and explanation of the C2M2 model document, the assessment process, and the domains that will be assessed during the workshops. An important part of these calls is to identify personnel from the counterpart utilities that will participate in the assessment.
Specific Tasks Include:
- The Consultant will have a “kick-off” conference call with USEA to discuss the proposed scope of work, and the role of these assessments in the overall USEA program for the Black Sea/Balkans utilities. This will provide context for the assessment workshops.
- The Consultant will coordinate with USEA to schedule and participate in individual conference calls with each utility to provide them with an overview and explanation of the C2M2 model document, the assessment process, and the domains that will be assessed at the workshop. The Consultant shall prepare a presentation for these conference calls. The presentation shall be submitted to USEA as a draft for comment two weeks prior to the scheduled conference calls.
- The Consultant will identify and provide relevant materials to each utility prior to the assessment conference calls. This may include, but not be limited to, the C2M2 documentation, the C2M2 toolkit questions, and applicable presentations.
- The Consultant will travel to each country (North Macedonia, Moldova, Ukraine) over a total period of 10 days to conduct the 2-day workshops at the headquarters of each utility.
- At the conclusion of each workshop, the Consultant shall generate a C2M2 Target Profile Report that will provide each utility with a visual analysis of the maturity of its cybersecurity program. This on-site generated report will be shared with the senior management of the utility at the conclusion of the workshop. An outcome of the assessment workshops shall be to prioritize the C2M2 management domains in which the utility seeks to advance its maturity and to identify aspirational goals for the selected domains in consultation with the utility.
- Following the assessment workshop, the contractor shall request final comments/input from the participants and prepare an Interpretive Report providing insight based on the Consultant’s expertise that explains the results of the Target Profile Report for policy-setting/project management readers, such as those at USAID and USEA.
Task Two: Prepare a High-Level Roadmap of Actions to Advance Maturity of Prioritized Domains
For each utility assessed, the Consultant will prepare a draft high-level roadmap of actions and timeframes needed to improve the maturity of that utility’s priority C2M2 management domains identified at the conclusion of the assessment workshop. The roadmap shall not exceed five pages in length and shall include graphics and visual representations. The Consultant will participate in a one-hour video conference for each utility organized by USEA to present the roadmap. The Consultant will produce a final high-level roadmap incorporating the comments from the calls.
Task Three: Prepare Benchmarking Report Comparing Results of ETAG C2M2 Assessments
The Consultant will review the data and reports from the three previous ETAG C2M2 assessments together with the data from the assessments for Moldelectrica, Ukrenergo and MEPSO to compile a benchmarking report highlighting common cyber security challenges among the six utilities for which ETAG will have completed C2M2 assessments. The benchmarking report shall include recommendations for training and technical support that could be provided by the ETAG UCSI program to help UCSI member utilities improve performance in areas that were identified as common deficiencies in the six benchmarked utilities. This benchmarking report shall be submitted six weeks following the conclusion of the C2M2 Assessment workshops.