RFP Closed

UTILITY CYBER SECURITY INITIATIVE (UCSI) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENTS FOR UKRENERGO, MOLDELECTRICA, AND MEPSO

Funding Agency:

USAID

Implementing Agency:

United States Energy Association

RFP Closing Date:

May 17th, 2020

Questions Due Date:

May 2nd, 2020

Please note: The schedule for this project will be determined in consultation with the firm selected for this assignment upon return to business as usual.

The United States Energy Association (USEA), in cooperation with the United States Agency for International Development (USAID), is seeking proposals from qualified consultants to conduct Cyber Security Maturity Model (C2M2) assessments for the national electric transmission system operators in Ukraine, Moldova and North Macedonia in conjunction with USEA’s Energy Technology and Governance Program (ETAG).

C2M2 RFP Final.pdf

Questions - C2M2 RFP.pdf

Horizontal Tabs

Background and Scope

Background:

The Energy Technology and Governance Program (ETAG) is a cooperative agreement between the United States Agency for International Development (USAID) and the United States Energy Association (USEA) established in 2012 to provide technical assistance to the electric and natural gas utilities in Southeast Europe and Eurasia. The overarching objectives of the program are to:

Encourage self-reliance among USAID and USEA counterparts in the Europe & Eurasia region by improving their energy security;
Encourage Euro-Atlantic integration of Europe & Eurasian utilities by adopting American and European rules, regulations and methodologies; and
Promote American investment, technology transfer and equipment sales in, and to, the Europe & Eurasia region.

The Utility Cyber Security Initiative (UCSI) Working Group is a program component under ETAG designed to foster development of policy directives, strategies, technical standards, utility management best practices, and the deployment of emerging grid technologies to assist Black Sea and Balkan utilities in establishing a robust cyber security defense in light of the increasingly threatening cyber environment. Participating countries include Ukraine, Georgia, Moldova, Armenia, Albania, Bosnia and Herzegovina, Kosovo, North Macedonia, Montenegro.

Over the past two years, UCSI has conducted three C2M2 assessments for electric transmission and distribution utilities in the Republic of Georgia, Ukraine and Kosovo. Based on the effectiveness of these assessments, the following three additional utilities have requested that the ETAG Program conduct C2M2 assessments for them.

Moldelectrica: The national state-owned Electric Transmission System Operator for Moldova headquartered in Chisinau, Moldova responsible for the operation and maintenance of more than 4,705 km transmission lines with more than 180 substations across the country.

Ukrenergo: The National Electric Transmission System Operator for Ukraine headquartered in Kiev, Ukraine responsible for the operation and maintenance of more than 21,000 km of transmission lines and 137 high-voltage (220-750 kV) substations across the country.
MEPSO: The National Electricity Transmission System Operator for North Macedonia based in Skopje, North Macedonia responsible for the operation and maintenance of more than 2,000 km transmission lines with more than 50 substations across the country.

The main functions of these utilities are to:

Plan and coordinate electricity generation and consumption
Provide access to the transmission network
Develop the transmission network (construct new cross-border and internal transmission lines and substations)
Maintain the transmission network.

Scope of Work:

The selected Consultant will perform the following tasks:

Task One: Conduct C2M2 Assessments for Moldelectrica, Ukrenergo and MEPSO

The selected Consultant will conduct individual two-day workshops for Moldelectrica, Ukrenergo and MEPSO at the company headquarters to assess the maturity of their cyber security initiatives.

The Consultant should be familiar with the C2M2 software and assessment process, the Facilitator’s Guide, and the materials listed in the Facilitator’s Guide. The specific responsibilities will be to:

Facilitate the C2M2 self-evaluation workshops
Ensure that all activities in the self-evaluation process are executed efficiently and effectively
Prepare a targeted profile report for each utility
Review the report with the senior management of each of the organizations
Prepare a high-level roadmap of activities for each utility to advance the maturity of their cyber security operations
Prepare a Benchmarking Report for all ETAG C2M2 assessments
Recommend follow-up activities based on the C2M2 results

Prior to each workshop, the Consultant will coordinate with USEA and each of the utilities to help prepare each utility for the assessments. This will be accomplished through a series of conference calls and exchange of documents to provide the utilities with a thorough overview and explanation of the C2M2 model document, the assessment process, and the domains that will be assessed during the workshops. An important part of these calls is to identify personnel from the counterpart utilities that will participate in the assessment.

Specific Tasks Include:

The Consultant will have a “kick-off” conference call with USEA to discuss the proposed scope of work, and the role of these assessments in the overall USEA program for the Black Sea/Balkans utilities. This will provide context for the assessment workshops.

The Consultant will coordinate with USEA to schedule and participate in individual conference calls with each utility to provide them with an overview and explanation of the C2M2 model document, the assessment process, and the domains that will be assessed at the workshop. The consultant shall prepare a presentation for these conference calls. The presentation shall be submitted to USEA as a draft for comment two weeks prior to the scheduled conference calls.
The Consultant will identify and provide relevant materials to each utility prior to the assessment conference calls. This may include, but not be limited to, the C2M2 documentation, the C2M2 toolkit questions, and applicable presentations.

The Consultant will travel to each country (North Macedonia, Moldova, Ukraine) over a total period of 10 days to conduct the 2-day workshops at the headquarters of each utility.

At the conclusion of each workshop, the Consultant will shall generate a C2M2 Target Profile Report that will provide each utility with a visual analysis of the maturity of its cybersecurity program. This on-site generated report will be shared with the senior management of the utility at the conclusion of the workshop. An outcome of the assessment workshops shall be to prioritize C2M2 management domains in which the utility seeks to advance its maturity and the identification of aspirational goals for the selected domains in consultation with utility.
Following the assessment workshop, the contractor shall request final comments/input from the participants and prepare an Interpretive Report providing insight based on the consultant’s expertise that explains the results of the Target Profile Report for policy-setting/project management readers, such as those at USAID and USEA

Task Two: Prepare a High-Level Roadmap of Actions to Advance Maturity of Prioritized Domains
For each utility assessed, the Consultant will prepare a draft high-level roadmap of actions and timeframes needed to improve the maturity of that utility’s priority C2M2 management domains identified at the conclusion of the assessment workshop. The roadmap shall not exceed five pages in length and shall include graphics and visual representations. The consultant will participate in a one-hour video conference for each utility organized by USEA to present the roadmap. The consultant will produce a final high-level roadmap incorporating the comments from the calls.

Task Three: Prepare Benchmarking Report Comparing Results of ETAG C2M2 Assessments

The Consultant will review the data and reports from the three previous ETAG C2M2 assessments together with the data from the assessments for Moldelectrica, Ukrenergo and MEPSO to compile a benchmarking report highlighting common cyber security challenges among the six utilities for which ETAG will have completed C2M2 assessments. The benchmarking report shall include recommendations for training and technical support that could be provided by the ETAG UCSI program to assist UCSI member utilities improve performance in areas that were identified as common deficiencies in the six benchmarked utilities. This benchmarking report shall be submitted six weeks following the conclusion of the C2M2 Assessment workshops.

Implementation and Deliverables

Deliverables:

The Consultant will be required to submit the following deliverables to USEA:
Please note: The schedule for this assignment will be determined upon return of business as usual.

Milestones/Deliverable

Due Date

C2M2 overview presentation (for conference calls with each utility)

Two weeks prior to scheduled conference calls

C2M2 Target Profile Reports for each utility

At the conclusion of each C2M2 workshop

C2M2 Interpretive Reports for each utility documenting comments/input from participants

One month following the C2M2 Assessment workshops

Draft high-level roadmaps of actions and timelines for each utility

One month following the C2M2 Assessment workshops

One-hour video conference with each utility organized by USEA to present the draft high level roadmaps

O/A two weeks following receipt of draft Roadmaps

Final high-level roadmaps for each utility incorporating comments

One week following video conferences

Benchmarking report comparing results of all ETAG C2M2 Assessments

Six weeks following the C2M2 Assessment workshops

Proposal Preparation:

Interested parties are requested to submit a cost proposal and a technical proposal of no more than 10 pages, including a Qualifications Statement that demonstrates expertise in conducting C2M2 Assessments and its proposed technical approach to executing the statement of work.

The sub-agreement between USEA and the winning offeror will be structured as a fixed price sub-agreement for labor, fringe benefits and overhead. USEA will fund other direct costs, including travel (transportation, lodging and a U.S. Government approved daily meals and incidental allowance) directly. The cost proposal should include an estimate of the number of people required to organize and conduct the scope of work. The technical and cost proposals must clearly identify the number of personnel proposed to travel to conduct the assessments. DO NOT include travel costs, as USEA will fund this directly.

Labor costs should include a level of effort for each person proposed to work on this assignment, their fully loaded daily rate, and the total estimated charge for each individual proposed.

CVs of each person proposed to work on this project must be included as an appendix. Offerors must also submit USAID Contractor Employee Biographical Data Sheets for each person, This form can be found here. CV’s and Biodata forms will not count toward the technical proposal page limit.

Timeframe and Submission

Selection Criteria:

The following criteria will be used to evaluate proposals:

40% -- Proven experience in using the C2M2 software to conduct cybersecurity maturity assessments

30% -- Demonstrated knowledge of cyber security practices in the utility operational environment

30% -- Price

Timeframe:

Please note: All email correspondence related to this RFP should have a subject heading of UCSI C2M2 RFP.

Proposal Schedule

Interested parties are requested to register their interest prior to April 20, 2020 via email to the following mailbox: [email protected]. Registering interest will ensure you receive all questions submitted by interested parties and the corresponding responses from USEA.

Questions on the terms of this request for proposals must be submitted prior to May 2, 2020 by email to the following mailbox: [email protected]. All questions received and their corresponding responses will be distributed to all parties registering interest in this request for proposals.

Final proposals must be submitted by email by the close of business EDT on May 17, 2020 to the following mailbox: [email protected].

Search form

RFP Closed

UTILITY CYBER SECURITY INITIATIVE (UCSI) CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ASSESSMENTS FOR UKRENERGO, MOLDELECTRICA, AND MEPSO

Horizontal Tabs

Proposal Schedule

USAID/USEA Energy Technology and Governance Program (ETAG)

May 17th, 2020

May 2nd, 2020

C2M2 RFP Final.pdf

Questions - C2M2 RFP.pdf

USEA Annual Report

About USEA

Contact Us