
Cybersecurity Procurement Language Clauses for RFPs and EVSP Contracts

The Joint Office of Energy and Transportation (Joint Office) understands that cybersecurity risks must be addressed when building out electric vehicle supply equipment (EVSE).

With help from our laboratory partners, Pacific Northwest National Laboratory and Idaho National Laboratory, the Joint Office developed sample cybersecurity procurement language clauses that can be modified for use in requests for proposals (RFPs) and electric vehicle service provider (EVSP) contracts.

By using the procurement language below as a guide, states and EVSE purchasers can reinforce cybersecurity as essential to the complete life cycle of the EVSE—from origination to discharge of contract. This sample language is intended to be tailored by the purchaser and incorporated in procurement specifications for EVSE equipment and services. States and EVSE purchasers are encouraged to seek legal advice from their procurement counsel before adopting any clauses included in this information. It is their responsibility to ensure that all procurements follow all applicable legal requirements, federal requirements, and state-specific policies and procedures.

Cybersecurity Procurement Language 101

The National Electric Vehicle Infrastructure Standards and Requirements (23 CFR 680), hereafter, “NEVI Standards and Requirements,” were established under the Bipartisan Infrastructure Law, which also established the National Electric Vehicle Infrastructure (NEVI) Formula Program and required the creation of minimum standards for EV charging infrastructure. 23 CFR 680.106(h) requires states or other direct recipients to implement cybersecurity strategies with their state EV infrastructure deployment plans.

The cybersecurity clauses below are a supplemental resource and starting point providing examples of cybersecurity procurement contract language in RFPs and EVSP contracts. Specific potential cybersecurity controls to consider can be found in the resources section at the end of the page.

The new cybersecurity procurement language clauses can be leveraged to:

  • Effectively communicate expectations and requirements for cybersecurity.
  • Incorporate cybersecurity into every stage of the EVSE life cycle.
  • Inform during the RFP process.
  • Serve as a starting point for the acquisition process.
  • Help select clauses that align most with established cybersecurity procurements.

Cybersecurity procurement language clauses are NOT to be used for:

  • Replacing existing and applicable cybersecurity standards.
  • Inserting verbatim into procurement contracts.

Procurement Language Structure – A Cybersecurity Program Supported by Five Technical Pillars

The clauses are organized into six sections, which together form a cybersecurity program (CP) supported by five technical pillars. The pillars demonstrate a hierarchy of concepts, provide clarity around cybersecurity relationships, and connect to high-level cybersecurity components from the National Electric Vehicle Infrastructure Standards and Requirements (23 CFR 680). The pillars leverage additional resources and cybersecurity controls, and each section's clauses carry a section-specific ID prefix (CP, IC, CM, SP, SC, PS).

The five foundational pillars that support the cybersecurity program are:

  • Identity, credential, and access management (ICAM)
  • Configuration, vulnerability, and update management (CVUM)
  • Secure payment (SP)
  • Secure communications (SC)
  • Physical security (PS).

[Figure: Visual representation of the cybersecurity procurement language]

Sample Cybersecurity Procurement Clauses

The section below includes specific sample clauses for each cybersecurity pillar. Learn how to read and understand the sample cybersecurity procurement language.

Each pillar also identifies the NEVI Standards and Requirements categories under which the clauses were designed. It includes references to the cybersecurity standards and related documents that were leveraged to complete the clauses.

ID: Unique clause identifier

Clause: Sample clause text

Related Controls:

List of sources beyond the NEVI Standards and Requirements that were used in developing the clause. All are listed by their shortened title. Where applicable, specific sections of documents are identified (e.g., NIST 800-53 Rev5: AU-6, CA-2, CA-7). A forthcoming technical paper includes all full titles and sources.

Justification:

Supporting information related to the clause’s intent and purpose.


Cybersecurity Program (CP)

People enact an organization's cybersecurity program. A robust and holistic cybersecurity program should be detailed in one or more documents (e.g., "incident response plan," "security policy"). Collectively these documents are called a cybersecurity plan; they work together to implement a risk-based cybersecurity strategy to protect the charging infrastructure, manage cyber risks, and respond effectively to cyber threats or attacks.

An effective EVSP cybersecurity plan documents how the program is enacted internally, as well as the organization's security relationships with external groups, including:

  • The organization's security policies, procedures, and remediation plan.
  • A description of the organization's cybersecurity program requirements and how the EVSP will meet them.
  • A plan to address the unique EVSE challenges, with consideration of the interconnectedness of these systems and their dependence on power, networking, and communications.

In addition, the plan should also include technical and operational cybersecurity topics, such as:

  • User data privacy and protection.
  • Secure data transfer and protection at rest.
  • Secure communications protocols.
  • Payment systems.
  • Cloud protections.
  • Access control that gives those entitled to access what they need and restricts everyone else.
  • Employee cyber training with respect to these protections, patching, and updates.
  • Incident response reporting and recovery with a communications plan, audits, and assessments.
  • Continuity of operations.
  • Risk acceptance and mitigation, disaster recovery, etc.

Categories:

Audits and Assessments, Continuity of Operations, Incident Prevention and Handling, Robust Cybersecurity Program, Subcontractor Protections, Risk Acceptance and Mitigation, Life Cycle Cybersecurity.

Sources:

[AGA], [DOE], [DOE EDS], [DOT], [ENCS], [NIST 800-53], [NIST 800-18], [FIPS 200]

ID: CP1

Clause: The EVSP cybersecurity program must address EVSE security and must document potential risks and protections throughout the EVSE life cycle.

Related Controls:

NIST 800-53 Rev5: PL-2, PL-7, PL-8, PM-7, PM-8, PM-9, PM-11, PM-17, PM-18, RA-1, RA-2

Justification:

This clause emphasizes the need for EVSPs to maintain a proactive risk-based approach to manage the cybersecurity program throughout the life cycle of the EVSE. It is important for EVSPs to implement risk management activities that focus on vulnerabilities and impact for each stage of the engineering, development, and system operations life cycle from design to disposal. EVSPs should have established evaluation criteria to assess the risks and impact when determining procurement or operations decisions involving EVSE hardware, software, data, personnel, subcontractors, and vendors.

ID: CP2

Clause: The EVSP must provide an annual self-assessment and/or third-party assessment to the state department of transportation (DOT) that includes evidence of updates and adherence to the cybersecurity plans within [an acceptable time period, e.g., 30 days] of annual assessment.

Related Controls:

NIST 800-53 Rev5: AU-6, CA-2, CA-7, PL-2, PM-18, RA-3, SA-11

Justification:

This clause emphasizes the need for the EVSP to maintain and update the cybersecurity program, and the current version of the cybersecurity plan shall be provided to the state DOT on an annual basis. The cybersecurity plan shall detail all of the items stipulated in the cybersecurity program requirements and shall provide a mechanism for implementing the cybersecurity program either directly within the cybersecurity plan or by referencing additional appropriate policy and procedure documents.

ID: CP3

Clause: The EVSP must revise the cybersecurity plans annually to accommodate new risks, requirements, and standards and provide an updated copy to the state DOT within [an acceptable time period, e.g., 30 days] of annual update.

Related Controls:

NIST 800-53 Rev5: PM-1, PM-9, PM-28

Justification:

This clause emphasizes the need for the EVSP to evaluate and document any potential new cybersecurity risks or impacts from the proposed modification and implement appropriate security controls to mitigate negative impacts. Examples of changes include modifications to hardware or software, changes in system configurations or communications pathways, changes in security controls, and changes in physical or personnel security programs. On an annual basis, if the EVSP revises or makes updates to the cybersecurity plan, an updated copy must be provided to the state DOT for review and approval within [negotiated period, e.g., 30 days].

ID: CP4

Clause: Security incidents must be reported to [the designated security liaison] within [an acceptable time period, e.g., 48 hours] of discovery.

Related Controls:

NIST 800-53 Rev5: AC-16, CA-7, IR-4 (8) (10), IR-5, IR-6 (2), IR-8 (1), RA-5 (11), RA-7, SI-5, SR-5, SR-6

Justification:

This clause emphasizes the need for the EVSP to respond to and report, in a timely manner, any identified cybersecurity incident (e.g., unintended data or privacy leaks) that delays, disrupts, or harms the EVSE or has the potential to impact electric vehicle (EV) charger networks. EVSPs should immediately report the information available about any incident that has severely impacted the EVSE and provide updates as more information becomes available.

ID: CP5

Clause: EVSP subcontractors must adhere to the same cybersecurity protections as established for the EVSP.

Related Controls:

NIST 800-53 Rev5: SR-2, SR-3, SR-5

Justification:

This clause emphasizes the need for EVSP subcontractors to be held to the same rigor of cybersecurity. It is therefore the responsibility of the EVSP to ensure that the subcontractors' training and awareness of all cybersecurity policies, procedures, protections, roles, and responsibilities, including how accountability will be established and maintained, are documented.

ID: CP6

Clause: The EVSP must indemnify, defend, and hold harmless, without limitations, the state, its departments, divisions, agencies, offices, commissions, officers, employees, and affiliates from all claims relating to cybersecurity breaches to the contracted EVSE.

Related Controls:

NIST 800-53 Rev5: SR-1

Justification:

This clause emphasizes that the EVSP is responsible for protecting the state and all listed parties from any liabilities relating to cybersecurity breaches to the contracted EVSE. The EVSP is obligated to act and defend the state and listed parties against any claim and proceeding of cybersecurity breaches to the contracted EVSE brought to them and is responsible for payments of any losses incurred by the state and all the listed parties relating to any claim suit or proceeding.

Identity, Credential, and Access Management (ICAM)

ICAM is a key component of ensuring that access control to all systems is secure. The goal of this cybersecurity pillar is to provide the right person with the right privileges to access the right information at the right time to complete necessary tasks. Privileges should be restricted whenever possible, and individuals without proper access must not be permitted to perform privileged activities.

NEVI Standards and Requirements categories:

User or System Identification, Authorization and Authentication [23 CFR § 680.106 (h) (2)] [23 CFR § 680.114 (a) (2)], Access Control and Management [23 CFR § 680.106 (h) (2)]

Sources:

[NIST 800-53], [ENCS], [NIST 800-40]

ID: IC1

Clause: The EVSP must have centralized capabilities that authenticate, authorize, log, and monitor access.

Related Controls:

NIST 800-53 Rev5: AC-2, AU-6, IA-2, IA-3

Justification:

Centralized capabilities provide a single point of control and management, making it possible to enforce consistent security policies and compliance across an organization's systems and applications. Centralized authentication and authorization help prevent and detect unauthorized access and maintain data confidentiality. Lastly, centralized logging and monitoring enable effective incident detection, response, and mitigation procedures.

ID: IC2

Clause: The EVSP must configure accounts to limit user permissions to the minimum level necessary to perform authorized tasks (e.g., EVSP, EV driver, charging station management system, EV).

Related Controls:

NIST 800-53 Rev5: AC-2

Justification:

Access control, which involves restricting access to systems, information, functions, tools, locations, components, or resources, plays a crucial role in limiting individual users and processes through the principle of least privilege. Insufficient access control methods can lead to unauthorized or unnoticed system breaches by adversaries. This principle limits access of each process, program, or user exclusively to authorized and necessary information and resources, effectively reducing potential attack entry points.

ID: IC3

Clause: The EVSP must employ multifactor authentication.

Related Controls:

NIST 800-53 Rev5: IA-2, IA-5

Justification:

This clause focuses on adding a layer of security beyond a single password. Authentication factors fall into distinct categories (something you know, something you have, something you are, or somewhere you are), and this clause requires EVSPs to enforce at least two of them, for example a password combined with a hardware token or a one-time access code.
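The "something you have" factor is most often a one-time code from an authenticator app or hardware token. The Go program below, added here as an example and not part of the Joint Office material, implements RFC 6238 TOTP on top of RFC 4226 HOTP using only the standard library, checks it against the published RFC 6238 test vectors, and verifies a submitted code with a one-step clock-skew window and a constant-time comparison. The 20-byte ASCII secret, 8-digit codes, 30-second step and the skew window are the RFC's and this example's parameters, not anything the page prescribes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// Example parameters (RFC 6238 defaults); the page prescribes no particular mechanism.
const (
	totpStep   = 30 // seconds per time step
	totpDigits = 8  // RFC 6238 test vectors use 8 digits
)

// hotp computes RFC 4226 HOTP-SHA1 for a secret and an 8-byte big-endian counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: low nibble of the last byte picks a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp derives the counter from a Unix timestamp and returns the current code.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/totpStep), totpDigits)
}

// verifyTOTP accepts the code for the current step or a neighbouring step
// within skewSteps, using a constant-time comparison so a wrong guess leaks
// nothing about the expected value.
func verifyTOTP(secret []byte, code string, unixTime int64, skewSteps int64) bool {
	step := unixTime / totpStep
	for d := -skewSteps; d <= skewSteps; d++ {
		if step+d < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+d), totpDigits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(totp(secret, 59))            // 94287082
	fmt.Println(totp(secret, 1111111109))    // 07081804
	now := time.Now().Unix()
	fmt.Println(verifyTOTP(secret, totp(secret, now), now, 1)) // true
}
```

The server side must also rate-limit attempts and reject reuse of a code within its step; neither is shown here.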

Configuration, Vulnerability, and Update Management (CVUM)

Systems are interconnected with various other systems and undergo changes or updates when necessary. However, changes and updates create opportunities for malicious devices or malware to connect to the network, or leave security gaps in devices that can be exploited.

Having knowledge of when a change was made to a device, software installation, or when a new system is connected to the network can help reduce security risks and achieve confidentiality, integrity, and authenticity. Understandably, no system is ever completely secure, and monitoring for vulnerabilities allows for best cybersecurity practices to be applied.

Having a clear and concise vulnerability management plan equips organizations with the ability to identify and respond to threats in a timely manner.

NEVI Standards and Requirements categories:

Vulnerability Management (Logging for intrusion prevention, detection, and response) [23 CFR § 680.106 (h) (2)], Secure Remote Updates [23 CFR § 680.114 (a) (2)], Remote Monitoring and Diagnostics [23 CFR § 680.114 (a) (3)]

Sources:

[NIST 800-53], [NIST 800-40]

ID: CM1

Clause: The organization must ensure the authenticity and integrity of applied updates and report any violations, and must have a formal patch management plan that includes procedures for identifying, testing, approving, and deploying patches and updates in a timely manner.

Related Controls:

NIST 800-53 Rev5: SA-22; NIST 800-40 Rev2

Justification:

Emphasis on the criticality of ensuring the authenticity and integrity of updates helps protect against security breaches or threats. Establishing requirements to report violations highlights the significance of accountability and proactive response in maintaining a secure system. The EVSP should recognize that a formal patch management plan emphasizes the importance of structured procedures for handling timely updates, reduces risks, and ensures a strong cybersecurity stance.
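CM1 asks the EVSP to ensure the authenticity and integrity of applied updates and to report violations. The Go program below, an added example rather than anything from the page or any EVSE vendor, shows the checks a charger would run before applying an image: an Ed25519 signature over a manifest that binds product, version and payload hash; a hash comparison against the delivered payload; and a version comparison that refuses rollbacks. Each failure is a distinct, reportable error. The manifest layout, product name, version numbers, fixed vendor key seed and firmware bytes are all constructed for the example; a real vendor signing key lives in an HSM, never in source.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The layout is this example's own.
type Manifest struct {
	Product    string
	Version    uint32
	PayloadSHA [32]byte
	Signature  []byte // Ed25519 over signedBytes()
}

// signedBytes is the canonical encoding covered by the signature; a domain
// prefix keeps the signature from being reused for any other message type.
func (m Manifest) signedBytes() []byte {
	var buf bytes.Buffer
	buf.WriteString("evse-update-v1\x00")
	buf.WriteString(m.Product)
	buf.WriteByte(0)
	fmt.Fprintf(&buf, "%d", m.Version)
	buf.WriteByte(0)
	buf.Write(m.PayloadSHA[:])
	return buf.Bytes()
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrProduct      = errors.New("manifest is for a different product")
	ErrPayloadHash  = errors.New("payload hash mismatch")
	ErrRollback     = errors.New("version not newer than installed")
)

// verifyUpdate returns nil when the update may be applied, otherwise the
// reason to report. The signature is checked first so that no unsigned field
// influences a later decision.
func verifyUpdate(vendorPub ed25519.PublicKey, m Manifest, payload []byte, product string, installed uint32) error {
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Product != product {
		return ErrProduct
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadHash
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// newManifest is the vendor side: hash the payload and sign the manifest.
func newManifest(priv ed25519.PrivateKey, product string, version uint32, payload []byte) Manifest {
	m := Manifest{Product: product, Version: version, PayloadSHA: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// exampleVendorKey derives a fixed key pair from a constant seed so the
// example is reproducible (constructed; never do this with a real key).
func exampleVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := exampleVendorKey()
	payload := []byte("constructed firmware image bytes")
	good := newManifest(priv, "charger-x", 12, payload)
	fmt.Println("genuine:", verifyUpdate(pub, good, payload, "charger-x", 11)) // <nil>

	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	fmt.Println("tampered payload:", verifyUpdate(pub, good, tampered, "charger-x", 11))

	fmt.Println("rollback:", verifyUpdate(pub, good, payload, "charger-x", 12))

	forged := good
	forged.Version = 99 // attacker edits the manifest without the signing key
	fmt.Println("forged manifest:", verifyUpdate(pub, forged, payload, "charger-x", 11))
}
```

The anti-rollback check matters as much as the signature: a genuinely signed but older image can reintroduce a patched vulnerability, so the installed version must be kept in tamper-resistant storage on the charger.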

ID: CM2

Clause: The update management process must be automated for timely and consistent deployment of security patches across all systems.

Related Controls:

NIST 800-53 Rev5: SI-7

Justification:

Regularly installing updates, patches, service packages, or other fixes to systems is essential for remedying discovered weaknesses and vulnerabilities, as the process of discovering these flaws is continuous. Such updates must be tested and validated before implementation, including for hardware, software, and firmware pertaining to all applicable products of the EVSE.

Secure Payment (SP)

The intent of SP is to protect cardholder data and secure the integrity of payment card transactions. The complementary PCI DSS and EMVCo standards impose requirements and controls with which payment systems must comply. Elements for consideration include how to accommodate future payment types that do not yet exist and what happens to payments in the event of a network outage.

NEVI Standards and Requirements categories:

Payment Card Processing [23 CFR § 680.106 (f) (1)] [23 CFR § 680.106 (l)]

Sources:

[PCI DSS], [EMVCo]

ID: SP1

Clause: Payment systems must comply with current payment card industry security standards.

Related Controls:

PCI DSS v4.0

Justification:

Demonstrating compliance with existing payment card industry standards reinforces the integrity of data security during payment transactions. These standards provide a baseline of requirements for payment protection.

ID: SP2

Clause: Payment terminals must be EMVCo Level 1 certified.

Related Controls:

EMVCo

Justification:

Conformance to EMV specifications for all payment terminals is essential for payment protection: Level 1 approval covers the physical, electrical, and transport-level interfaces that carry data between the payment device and the acceptance device.

Secure Communications (SC)

SC is a necessary element for protecting data confidentiality, authentication, and content integrity both in transit and at rest. SC allows charging stations to digitally encrypt and authenticate (e.g., using public key infrastructure to identify users, devices, and services). Employing cryptographically agile protocols allows charging stations to update encryption without having to redesign hardware or systems.

NEVI Standards and Requirements categories:

Secure Charging Communications [23 CFR § 680.114 (a) (b) (c) (d)], Data Privacy [23 CFR § 680.106 (l)], Cloud, Cryptographic Agility, and Public Key Infrastructure [23 CFR § 680.106 (h) (2)] [23 CFR § 680.114 (a) (2)]

Sources:

[NIST 800-53], [CSA], [FedRAMP]

ID: SC1

Clause: EVSP must employ standardized secure protocols utilizing modern encryption and design for cryptographic agility.

Related Controls:

NIST 800-53 Rev5: SC-8, SC-13, SC-28, SI-7 (6)

Justification:

EVSE relies on secure point-to-point communications. Secure protocols using modern encryption protect data in transit. As computing power grows and attacks against older algorithms improve, protocols and encryption methods must be retired and replaced. Cryptographic agility gives the EVSP the ability to update the systems more effectively, providing the consumer with added security.
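SC1 requires standardized secure protocols, modern encryption, and a design that lets algorithms be swapped without redesign. The Go program below, added as an example and not taken from the page, expresses that as a policy object (minimum TLS version plus an allow-list of forward-secret AEAD cipher suites) and an audit that reports every deviation of a tls.Config from it, shown against a constructed "legacy" configuration and against the hardened one the policy produces. Because the permitted algorithms are data, retiring a suite later is a policy edit rather than a code change. The policy values and the legacy configuration are this example's constructions, not figures from the page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
)

// policy is the baseline this example enforces; values are the example's own.
type policy struct {
	minVersion uint16
	allowed    map[uint16]bool // TLS 1.2 suites permitted: ECDHE key exchange, AEAD only
}

func baselinePolicy() policy {
	return policy{
		minVersion: tls.VersionTLS12,
		allowed: map[uint16]bool{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:       true,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:       true,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: true,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:         true,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:         true,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:   true,
		},
	}
}

// auditTLSConfig returns one finding per deviation; an empty result means compliant.
// cfg.CipherSuites governs TLS 1.2 and below only; Go fixes the TLS 1.3 suites itself.
func auditTLSConfig(cfg *tls.Config, p policy) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned; relies on library default")
	case cfg.MinVersion < p.minVersion:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x below required 0x%04x", cfg.MinVersion, p.minVersion))
	}
	for _, id := range cfg.CipherSuites {
		if !p.allowed[id] {
			findings = append(findings, "disallowed cipher suite: "+tls.CipherSuiteName(id))
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: peer certificate not authenticated")
	}
	return findings
}

// hardenedConfig builds a tls.Config straight from the policy, so a change
// to the policy is all that is needed to retire or add a suite.
func hardenedConfig(p policy) *tls.Config {
	ids := make([]uint16, 0, len(p.allowed))
	for id := range p.allowed {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return &tls.Config{MinVersion: p.minVersion, CipherSuites: ids}
}

// legacyConfig is a constructed example of what old charger firmware might ship with.
func legacyConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,             // broken stream cipher, no forward secrecy
			tls.TLS_RSA_WITH_AES_128_CBC_SHA,         // CBC, no forward secrecy
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // acceptable
		},
		InsecureSkipVerify: true, // disables server authentication entirely
	}
}

func main() {
	p := baselinePolicy()
	for _, f := range auditTLSConfig(legacyConfig(), p) {
		fmt.Println("legacy:", f)
	}
	fmt.Println("hardened findings:", len(auditTLSConfig(hardenedConfig(p), p))) // 0
}
```

Run the audit over every TLS endpoint the EVSP operates (OCPP back-end links, payment gateways, management interfaces) rather than over one configuration; the clause applies to all of them.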

ID: SC2

Clause: EVSP must limit personal data collection to data that is strictly necessary for purposes of EV charging and protect it throughout its life cycle.

Related Controls:

NIST 800-53 Rev5: AC-16

Justification:

Information that is not collected cannot be leaked, and information that is collected needs to be protected from the time of inception until destruction from both internal and external threats.

ID: SC3

Clause: All data must reside in the United States throughout its life cycle and be administered by those who have undergone background screening.

Related Controls:

CSA; FedRAMP; NIST 800-53 Rev5: PS-3, SA-9 (4), SA-9 (5)

Justification:

While no standard or generally accepted guidance requires this, we felt strongly enough to propose that data covered by cloud protections reside in the United States, and that those with access to it have their credibility validated via a background check.

Physical Security (PS)

PS mechanisms protect software, hardware, networks, and data from physical actions and events that damage or disrupt functions or security objectives. PS fortifies the system by allowing only authorized personnel to physically access systems and devices. It also covers environmental threats, such as natural and human-caused disasters, electrical interference, and electromagnetic radiation. Physical attacks may alter the operation of a device, take the form of illegal surveillance of payment devices, and so on.

NEVI Standards and Requirements categories:

Tamper Prevention, Detection, and Response [23 CFR § 680.106 (h) (1)], Secure Operation during Communication Outages [23 CFR § 680.106 (h) (2)]

Sources:

[NISTIR], [NIST SP 800-53], [DOE]

ID: PS1

Clause: EVSP must utilize anti-tamper techniques to prevent, deter, and detect unauthorized physical access.

Related Controls:

NIST 800-53 Rev5: AT-3 (2), PE-3, PE-5, CM-7 (8)

Justification:

This clause addresses the physical security of EVSE. There are many ways for an organization to implement physical access control, using both devices and procedures. It is inspired by the principle of least functionality, in which systems are configured for security using appropriate access controls.

ID: PS2

Clause: Unexpected or unauthorized access must be immediately communicated.

Related Controls:

NIST 800-53 Rev5: AC-3 (12), AU-9, AU-13, IR-8, PS-7, SI-7

Justification:

This clause is intended to address the enforcement of physical security and access control. Security is strengthened through monitoring and notifying the appropriate stakeholders in the event of unauthorized access.

Cybersecurity Contract Language Considerations

The following are several important considerations for your organization as it prepares its EVSE cybersecurity contract language.

Preparing the Contract

  • Bake security in by including cybersecurity experts in designing the language for the request for bids.
  • Establish and adhere to cybersecurity evaluation criteria (rubric) to ensure all vendor bids are assessed equally.
  • Include a cybersecurity expert in the vendor review and selection process. The expert’s role is to ensure that your organization’s interests are protected to the best of the selected vendor’s ability.
  • Include cybersecurity requirements in all contracts and agreements to help protect your organization from cybersecurity risk introduced by third parties involved in the installed system. This step protects your organization not only from the main vendor, but also from their partners.
  • Encourage cyber-related reporting to be reviewed by your organization’s cybersecurity staff, not just contracts staff, to maximize value to the organization.

Over the Life of the Contract

  • Include the topic of cybersecurity in conversations with EVSPs and stress its importance.
  • Review and provide feedback on the EVSP cybersecurity program and plan annually.
  • Include cybersecurity experts in the design and installation of the system.

Managing Cyber Risk

  • A 5-year contract requires 5 years of cybersecurity and contract management.
  • Require third-party, annual evaluation of the installed system’s security.
  • Cybersecurity needs may evolve over time. Contracts may need to be updated to address new needs or requirements.
  • Focus on risk to your organization/site rather than compliance throughout the life of the contract.
  • Don’t let your selected EVSP charge you to have them do the right thing. Cybersecurity is not a luxury!

Additional Cybersecurity Resources

To start development of a cybersecurity plan, look to NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems [NIST 800-18]. Cybersecurity requirements and controls will be continually updated and deployed based on current versions of local, state, and federal guidelines and laws related to cybersecurity or privacy. Cybersecurity strategy and procurement language may evolve over time to meet growing risks and build on success as part of the cybersecurity plan's annual review and update. To learn more about the cybersecurity clauses, read the full paper.

Additional resources include: