
Webinar: Sample Cybersecurity Procurement Clauses for EV Charging Infrastructure (Text Version)

This is a text version of Webinar: Sample Cybersecurity Procurement Clauses for EV Charging Infrastructure, presented on April 18, 2023.

Bridget Gilmore, Joint Office of Energy and Transportation: Everyone, thank you so much for joining us today. We will get started in just a couple of minutes, letting people enter in. Thanks for being here. Awesome. We're going to get started in just a couple of minutes for any folks just jumping on, seeing the numbers still going up.

Awesome. Well, great. Thank you all so much for being here. Today's webinar topic is on sample cybersecurity procurement clauses. It should be a lot of great information. I'm going to go over just a bit of housekeeping. And for folks who have been joining our weekly webinars, thank you so much for being here week after week and also thank you for bearing with us as we go through these housekeeping details.

And we'll also provide a bit of information about the Joint Office for anyone who may not be familiar. So for the Zoom room, controls are located at the bottom of your screen. So you can - feel free to toggle your cursor to the bottom where you will find the Q&A function. This is where you should direct your questions for today's webinar. It's a great way of allowing the panelists to directly respond to your questions.

So please do direct them to that Q&A function. As a disclaimer, this webinar is being recorded and may be posted on the Joint Office website or be used internally. So if you speak during the webinar or use video, you are presumed to consent to recording and use of your voice or image.

In terms of our agenda, we will hear from - a bit about the Joint Office as well as our executive director, Gabe Klein. Then we will go into the presentation on cybersecurity clauses, where there will be lots of interactive polling questions. That should be really great. And then there will also be a facilitated discussion.

So just a bit about the Joint Office, very briefly for folks who may not be familiar with our office; it's a joint effort between the Department of Energy and the Department of Transportation to accelerate an electrified transportation system that is affordable, convenient, equitable, reliable, and safe. And our vision is to see a future where everyone can ride and drive electric come to fruition. We in the near term have been very much focused on four programs. So the bipartisan infrastructure law, providing unifying guidance, technical assistance and analysis support, specifically to five-year programs; the NEVI program, the National Electric Vehicle Infrastructure Formula program (this is $5 billion for fast charging along major highway corridors); and then the Charging and Fueling Infrastructure Discretionary Grant program is also a five-year program with $2.5 billion in funding for both community and corridor grants for EV charging and alternative fueling infrastructure. And then we are also supporting the Low-No Emissions Grant program for transit buses and the Clean School Bus Program for clean school bus deployment.

So in terms of our technical assistance, we are providing specialized assistance for states, communities, tribal nations, transit agencies, and school districts. We conduct one-on-one meetings with states to address questions and concerns for the NEVI program. We have a great concierge service with folks that are here to efficiently route your questions, depending on your inquiry type. And we have a team of over 50 people who are working across 10 organizations to answer your questions.

So we have a great website: driveelectric.gov has a lot of great different types of resources such as data and tools, infrastructure planning and implementation guidance, news and events, as well as our technical assistance request form which looks like this. You can see it's in the top right corner. You can contact us. Someone will respond to your inquiry within 48 hours. And you can also throughout our website, subscribe to news and updates, including how to find the next webinar topic that will be coming up.

So now I will introduce our executive director, Gabe Klein. So Gabe previously served as the commissioner of the Chicago Department of Transportation and director of the Washington, D.C., District Department of Transportation. He created his own mobility consultancy and has invested in and advised transportation startups. So he brings a lot of great expertise from the private sector to the Joint Office.

And from what I've gleaned, it sounds like Gabe's garage is absolutely filled to the brim with e-bikes and EVs, and guessing some electric garden equipment. So I'll turn it over to you, Gabe, to tell us a little bit about today's topic around cybersecurity.

Gabriel Klein, Joint Office of Energy and Transportation: Or do you just want to hear about my yard equipment? As we talked about earlier, it's all Ryobi, not to be trying to pump up Ryobi stock. But yeah, I was using it all yesterday out at the beach, actually, all the different pieces. With that, I'll dive into the actual topic.

And I want to thank everybody for coming today. I know this is like, in some sense, not the sexiest topic. It seems like something that you can leave for later. It can be an afterthought.

And it really can't be. It's absolutely crucial. We are embarking on building a very complex ecosystem of infrastructure. There's a lot of moving parts. And there's also a lot of different stakeholders to engage.

And any time you're dealing with complex hardware, along with software, and many different component parts, you have to pay extra attention to what you're doing. So whether it's the charging network provider to the utility to the payment provider to the charger and the connection or the connectivity to the vehicle itself, like all of these pieces have to be securely connected. And of course, a lot of this also is interacting with the cloud as well. And so that's a big component of this.

We're really excited at the Joint Office that the final minimum standards for federally funded EV infrastructure are actually now in place. And that's there to offer signals throughout the ecosystem to ensure that the data is securely transferred from network to network, but also from network to the grid, from charger to charger, and from charger to the EV. And as I was just saying, taking into account the cloud as well.

The other thing is we're all learning. Cybersecurity for EV charging is a very nascent field. And there's a lot to consider throughout the technology life cycle. And that's why it's important, I think, to share what we know and best practices from experts.

And so I'm really excited that we have Ray Resendes from the U.S. DOT Volpe Center and Lori Ross O'Neil from PNNL. And they really have a wealth of experience developing cybersecurity procurement contract language for emerging energy tech. And Ray has actually been supporting us and working with us directly, which has been hugely helpful to have his expertise in general on cyber, particularly as we look at reliability, connectivity, interoperability.

So I would just encourage you to listen. I'll be listening and then feel free to ask them questions. And thanks again to all of you for taking the time to tune in out of your day to learn with us. Thank you.

Bridget Gilmore: Great. Thank you so much, Gabe. And before we really jump into the presentation, we just want to learn a little bit more about the folks that are on the line. So, Justin, if we could please bring up the first polling question.

Great. So this first one is what sector are you from? So we'll give folks some time to respond to this question. And then once we reach a critical mass, we can go to the second one.

OK, great. Looks like we have a lot of folks from state government here today, folks from the federal government, but overall, a really great mix of different sectors. Thanks, Justin. We can go the next one.

And then this one is what region of the country are you from? Just to know where different folks are coming in from. OK, great. Yeah, it looks like a great geographic distribution, a bunch of folks from the northeast.

Thank you all so much for being here today. With that, I will have us close the polls and pass it along to Ray Resendes to introduce the team.

Raymond Resendes, U.S. Department of Transportation, Volpe Center: Thank you. So I've been, as Gabe said, I've been working, supporting the Joint Office. And we have been working with the national labs: Pacific Northwest National Lab with Lori Ross O'Neill, and Idaho National Lab has worked with them to develop the procurement language that we'll be talking about today.

And I also wanted to introduce my colleague from the Volpe Center, Brendan Harris, who will be taking over for me as the cybersecurity lead for the Joint Office. And you'll be able to contact him with any cyber questions you have for the program. And if you could give me sharing rights, go to my slides.

To start out why we're here: transportation historically was a low-risk target compared to other sectors such as banking and health care in the public sector. But connectivity, as Gabe mentioned, while it improved system performance, also increased the attack surface to the point that DHS's CISA designated transportation, the transportation system, part of the critical infrastructure, and that recently was emphasized in the national cybersecurity strategy that came out from the White House just this month.

And in the infrastructure bill that came out, for the first time the word cybersecurity was used in an infrastructure bill. It was so important. It was used 319 times. Across many sectors, grant programs have various requirements, requiring some level of cybersecurity planning - from requiring cybersecurity plans, risk management plans to a range of what we're trying to do here in the NEVI program of just recommending best practices, which is what we're going through today.

And that is really the purpose of this slide: why we're here. And it's to discuss sample cybersecurity procurement clauses for EV charging infrastructure contracts, which the NEVI program of the states can use in their proposals and contracts that they will award. And it's to help states more clearly communicate their expectations and requirements so that cybersecurity is included throughout the life cycle and what that means from requirements development and design all the way through decommissioning at the end of the product's lifetime.

And this, Lori will emphasize, is not meant to be a cut-and-paste exercise. This is to empower the state or the user to select the clauses that are most applicable to your situation and the type of procurements that you will be using. So really this is a starting point to help you develop and identify the appropriate clauses. That's why we don't call this procurement language, but rather the actual clauses that you would use in your procurement language. And with that, I will turn it over to Lori Ross O'Neil from Pacific Northwest National Lab.

Lori Ross O'Neil, Pacific Northwest National Laboratory: Thank you, Ray. I appreciate the introduction. I'll go ahead and get my slides up for everyone to see. Give me a moment here. Sorry.

All right. Everyone, I don't often tell you this, but look at your phone for a moment while I switch monitors. Sorry about that. It always comes up on the one I don't want. Do I need to swap? Stick with me here for just a moment.

All right. You should now be seeing just a single slide.

Justin Rickard, National Renewable Energy Laboratory: It looks good.

Lori Ross O'Neil: Excellent. Thank you for the verbal feedback. I can't see your smiling faces. So thank you for that.

So as Ray mentioned, I'm with the Pacific Northwest National Laboratory. And my team, as well as the Idaho National Lab team, has had the opportunity to develop these clauses that we're sharing with you today. And our hope is that these will be valuable to the states in their development of procurements and contracts, as well as to those that would be submitting to those contracts, to help give some guidance.

So as we go ahead and get started, I'm going to kick us off with a poll. I think you already know how to do that. I bet your fingers are ready. You're excited to do that.

So I'm going to go ahead and give us our first poll question just to keep you awake here. And then we'll jump into it. So as we had already asked about where you might be located, what your organization is, if you could just share with me your role within the organization, so I can better target our discussion today. Thank you.

All right excellent. Thank you for folks responding to that so quickly. So it looks like we have almost a little - the contracts folks are edging out the cyber IT folks by just a little bit. But we also have some design and planning folks, energy systems, engineering. And then it looks like the project management folks are taking the lead here and then also some operations.

So a great variety of folks on this call today. So I appreciate that. And the reason I say that is whenever I take on a project like this and I think in your design of your contracting language for your electric vehicle charging infrastructure, you're going to want a diverse team. So having these folks that are interested in this and trying to understand how these systems are going to work and how they're going to be managed throughout their lifecycle is key. So I love seeing a variety of folks involved with that.

So I'm going to jump into a picture here. I always like to do pictures. So the picture on the left is a very simple diagram and it's meant to show the interconnectedness of electric vehicle charging infrastructure. And Gabe Klein talked about this earlier. He mentioned the cloud and how things are interconnected and how there are more and more things that are reliant on the grid and reliant on electricity.

So what we're seeing in this very simple diagram, again, this is not the definitive source. But that electric vehicle charging, the vehicle, the application you interface with - it is going to be aggregated. It's going to be sent somewhere. And most things are sent to the cloud these days. So you have that lovely cloud picture that shows the payment provider, the electric utility who is expected to provide the power, and then what we call the charging network provider, or CNP, which manages or integrates all these capabilities.

The diagram on the right is basically the same thing but shown in a different way. And we're really thinking about electric vehicle charging infrastructure in four parts. So we have the power providers or the power aggregators. We have the networking capability so that's our - how are we going to transport the data or the information?

And then we have the data itself. This can be human readable data or system readable data. And then we have the computing, which is the compute cycles that make this go. And those are these big pieces that make up electric vehicle charging and support that infrastructure.

So as we're going through this process, we're thinking about what are the things that could happen to adversely affect any of these core capabilities. What malicious intent could be carried out on any of these things, and how can we prevent that? We always like to bake cybersecurity into any design process. Snapping it on later is much harder, much more labor intensive and much more expensive. So anything we can do to bring that team of folks we saw in the poll together to think about what are the things that could go wrong, how are we going to manage that risk now, and how do we design it in, and how do we manage it over the lifetime of the contract, so from design to retirement, I always say.

OK. Let's jump to the next slide. So what I'm going to talk to you about today: what we did, what was our approach, what are some strategies that we considered, and how we came up with six core strategies for the clauses, the cybersecurity clauses themselves, then how do you manage the contract throughout its life cycle from a cyber perspective, and then what are some next steps for soliciting feedback. And Bridget talked about that at the beginning, that we will be making - there is a capability to share your input back to Drive Electric. And we'll finish up with how to do that.

I wanted to give a special shout out to some organizations that were instrumental in helping us understand what the states are going through in their process - what electric utility providers are doing to participate in this. So we have the Arizona Department of Transportation, the Oregon Department of Transportation, IOActive, Seattle City Light, and Berkshire Hathaway Energy. So just a special thank you to those folks who put up with many, many questions from us.

All right. So what did we do in thinking about this project? So we started by identifying what are electric vehicle infrastructure-related cybersecurity procurement documents. Well, there were a lot related to or some related to energy. There were some related to electric vehicles. There were some related to infrastructure.

But we couldn't find anything that was exactly this. So you see over on the right side, there's pictures of some of the documents we considered. But we actually had over two dozen that we looked at, even things related to standards like payment processing and NIST special publications.

And then Gabe also mentioned the final minimum standards. We looked at those in their rulemaking form. And then we went back and looked at them again in the final minimum standard form. So I'll talk about that as well.

So we took all these documents. We did a high-level comparison of them. We did what we call a landscape survey of comparing and contrasting them: what are the key overlaps, and what are the gaps that need to be looked at? And then we are doing our initial presentation to the states and stakeholders which are you, so thank you for being here and helping us to meet our project milestone.

And then based on feedback we get, we will actually go through and review it, update the clauses that we're proposing. And then ultimately, we will release a final version. And we will release a report as well. So you can read more in depth.

All right, moving on. So you're probably thinking who is PNNL, who is INL, I don't think I've ever heard of those. If you're familiar with any of the Department of Transportation entities, we are actually part of the Department of Energy. We are - the Department of Energy has 17 national labs here in the U.S. And PNNL and INL have experience in this space.

We have previously been involved with developing procurement language for Department of Homeland Security back in 2009. INL led that. PNNL did a similar activity for Department of Energy in 2014. It was cybersecurity procurement language for energy delivery systems. And then in 2017, we also had the opportunity to work with the Army's Office of Energy Initiatives to help them develop procurement clauses related strictly to renewables that would be part of army installations.

And then most recently, we have worked with the Space Systems Command to help them do something similar related to procurements that have to do with space hardware. So we've worked around this space. But this is the first time I think anyone's ever done it directly for electric vehicle charging infrastructure. So this was a challenge we were very excited about.

Obviously, electric vehicles are everywhere. There are so many electric devices that we rely on. I think Gabe mentioned that he loves to have electric things in his garage that he can make go. And so people are having more and more of these in our lives. So this is a perfect timing to think about how are we going to build cybersecurity in, how are we going to be safe and secure for the users, for those managing it, and for the infrastructure that it relies on, such as our electric grid, and how can we keep that safe and secure.

So what did we do after we digested all these documents is we went ahead and thought about how are we going to - how are we going to get our mind around this? So we distilled this down to six key strategies that I have here. And I don't expect you to read them now. I'm going to go through each of them and talk a little bit about what we feel are the key cybersecurity controls that need to be addressed within each of these strategies.

So within each of these strategies, we also have cybersecurity categories which you'll see. It'll make more sense as I get to one of them, and you'll be able to see it. But there'll be multiple categories within each strategy.

Then below each category, we have the actual clauses that we're proposing. And so you'll see that our clauses are very succinct. And they can be used for multiple areas I think within the life cycle. So they're not meant to be a one-size-fits-all.

They're meant to be a starting point for your organization as you're developing your contract language, because each environment is unique. Each organization is unique and how you're going to implement electric vehicle charging within your charging corridors is probably unique. So this is just simply a starting point.

OK. So let's go ahead and we're going to do a quick poll. We'll get ready for that. So get your fingers ready. All right. So this may be completely new to you or maybe your organization already includes cybersecurity requirements or clauses in your contracting language. So if you could just let me know, if your organization is already doing that, and if you don't know, totally fine.

All right. So we have 25% of the respondents said "yes." Yay! Great job. I just want to congratulate you on that. The folks that said "no," 14%, you know what, that's OK.

After this presentation, I think you'll know more. And those of you that don't know, I'm going to arm you with some information to take back to think about in how that might happen and how you can have discussions with your contracting folks if those are the people that you interface with. So we're going to educate people and hopefully give you some information to have those discussions.

All right. So what exactly are these clauses and how am I going to use them? That's probably what you're thinking. You might be thinking, "I'm not a cybersecurity person, I don't understand this," or "I'm not a contract person, I don't understand this." That's OK. We're going to try to boil this down as simple as possible, so it can be a discussion point, a starting point.

All right. So our intent is really to help the states communicate expectations and requirements. I think we all want to do that. We're going to ensure cybersecurity is included throughout its life cycle. So I've already said from design to retirement. So how can we do that?

We also want to inform those that may want to submit on these contracts, understand what cybersecurity requirements might be included, and what do they mean. So again, simply a starting point, this is not a cut and paste exercise. And we're looking to empower the states to select those clauses that fit your unique situation and implementation plans.

So again, it is not meant to be cut and pasted in there. I know it may be tempting to do that. But please don't do that. Think about it holistically and work with those - work with your team to determine what fits for you.

We also do not expect this to replace any standards or requirements that your organization is expected to adhere to. We realize that some states already have laws and requirements related to cybersecurity. Great job. So be sure to point back to what you have as well. Don't expect these to be a replacement. And don't have them in any way diminish from what you've already done.

So in other words, we're going to focus on what to do. We're not going to tell you how to do it, or we're not going to tell your contractors how to do it. That's really up to the negotiation of the states of how they're going to manifest that.

All right. So we're going to jump into our first set of clauses now. This one's going to be one of the beefier ones. So I will warn you, it's a little bit text dense.

All right. So one thing you'll see is up here at the top. Let's see if I can get my pointer going. All right. So up here at the top, we have the title. You'll also see there's a two-character code. And then I have the clauses that we're proposing numbered.

And the reason we did this is if you would like to provide feedback to us, you'll be able to do it, for example, on cybersecurity program clause 1. You could just simply say CP 1, and we'll know what you're talking about. We tried to come up with some mechanism to make that easy.

So I talked about the cybersecurity strategies. That's here in this box over here on the left. Then we talked about our cybersecurity categories. And these are generally accepted cybersecurity categories that we gleaned from these documents. And that's in the rectangular box to the right of our strategy.

And then the clauses themselves are numbered 1 through 5. So in this case, this is a set of clauses like I say it's a little text dense. So I went ahead for your reading pleasure. I highlighted or bolded the key idea I wanted you to get from each of these clauses.

So I did want to also mention that this document in a PDF form has gone out to the state TAs already. So if you're part of a state DOT, you would have access through your state TA to get a copy of this. Other ways to get it would be reaching out to the drive electric site, the contact link, and requesting it at this time.

So I just want to talk through these really briefly. And again, we try to roll this up. Think of each of these clauses as really the tip of the iceberg. There is a lot of implied meaning that goes along with these and that they're based on cybersecurity general practices, generally accepted practices that you'll find in things like NIST standards, FIPS, those types of things.

And we actually reference those. So you'll notice that after each clause, there's a set of square brackets. And inside those brackets are the sources where we - what we used to come up with these clauses. So we didn't make these up out of thin air. We actually pointed back to generally accepted cybersecurity best practices.

All right, so just to talk through these briefly, so the first one is really ensuring that the electric vehicle service provider has a strong cybersecurity program. So they may have a cybersecurity program to protect the business, maybe, let's say, their construction business. And they have a cybersecurity, an IT department, a CIO maybe.

And they probably have a cybersecurity program to protect the business. But what are they going to do to protect the electric vehicle charging infrastructure for the state and the users of that infrastructure? So you'll want to have a cybersecurity plan that relates directly to the electric vehicle charging infrastructure that you're contracting them to develop.

The next one, the number two is really looking at, OK, they've got this great plan, they've got an amazing program, how do I know how good it is? Well, we need to measure it. And how do you measure that? Either through a self-assessment or a third-party assessment, and that should be then presented to the state annually after the assessment.

Number three is really looking at that any unintended data or security - or I'm sorry, data or privacy leaks must be reported. And you notice this is one where we have actually put some square brackets inside the clause itself. So the intent here is that, for example, we put in 72 hours; maybe for your organization or your state implementation a disclosure needs to happen within, say, 4 hours or 24 hours, whatever that may be that's probably already part of your state OCIO's directives. So that will vary. So we just left that in there so that whatever time frame works for you, you would fill that in.

So again, important to be able to notify of breaches. The state needs to be notified but also those that have had their personal information inadvertently shared. So they need to have a method to be notified, so disclosure of that information.

Number 4 is really looking at - there may be subcontractors to your prime electric vehicle service provider. So maybe let's go back to the idea of the construction company. So the construction company is perhaps going to partner with or sub to a telecommunications company. That telecommunications company needs to adhere to the same level of cybersecurity as the prime contractor. So that is the intent with number 4.

And then finally number 5, this is the indemnity clause. The states that we talked to were including these already in their contracts. We had not considered them actually from a cybersecurity perspective. But cybersecurity is security. And so we thought it was a good idea to include this in case you hadn't considered it already.

All right. So that is a lot of talking on my part. So let's go ahead and do another poll. Get your fingers ready for that. I'm going to go ahead and hit next.

All right. So does your organization have a mechanism to receive contractors' notifications of system breaches or weaknesses? Had a lot of "I don't know"s. And I would expect that. But I love that there were 21% that said yes - great job.

Recently, I had the opportunity to work with an organization who told me they had a wonderful method to receive notifications. They had a lovely email box set up. And they found out that there was nobody assigned to actually monitor the email box.

And so things were being put in there. The contractor was being paid because they said, "hey, we put things in your mailbox." And nobody ever looked in the mailbox to forward that information on to their cybersecurity department to evaluate and determine next steps. So this is a great place to start. It can be an easy process to set up. So good job.

All right, moving on. So identity, credential, and access management clauses, often referred to as ICAM. So this has just two clauses that we're looking at. And the first seems pretty straightforward for IT systems. But think about systems connected to the internet or the cloud that maybe don't necessarily ask you for a user ID and password.

So for example, I can connect to my Alexa or my Google device, and my home. It certainly doesn't ask me to authenticate every time. In fact, other people in my home can talk to it and tell it what to do. And they're not authenticating.

We probably want a little more security on that when it comes to our electric vehicle charging infrastructure. We don't want everyone and their brother to have access to our data. So we need to ensure that they're authenticated and authorized, meaning, they have a need to know, and they're granted that access.

And then the second clause is really looking at more than one way to authenticate. So thinking about your phone, you might receive a code to access your bank account or your banking app. So that's multiple methods to authenticate to the electric vehicle charging infrastructure that ensure more levels of security, so what we sometimes call defense in depth. And we want to keep this safe and secure. We don't want to have a single point of failure.

One thing you may not see here is passwords. We did not discuss passwords at all actually in our clauses. In fact, that's going to be our next poll question as I will be asking you about that. But we tried to really boil this down. And again, I say these are often the tip of the iceberg of what we looked at in these security guidance and security standards.

And that was one thing we seem to have trouble getting our minds around in that passwords for us was a case of a lot of - a lot of requirements. And it also required somebody making a lot of decisions about what that would look like. So we felt maybe going up a level instead of looking at passwords and just keeping it more general, and authenticated, and authorized, and the multifactor.

But I am curious to hear what you think about passwords. So let's go ahead and do our next poll question. Thinking about this question, how would you rate this? Do you agree, disagree, or neither that we have missed the boat by not including a password clause in our ICAM approach?

All right. We got - over 50% said neither agree nor disagree. Some folks agree. And some folks, we have 15% disagree. So excellent, I appreciate that. Thank you so much. That's really, really helpful for my team to understand where we might have missed the boat or where we could be going. So thank you so much.

Let me go ahead and move on. So our next one is configuration, vulnerability, and update management clauses. And again, we just had two. We tried to boil this down to just a few clauses to really make it succinct. We certainly did not want to weigh the contracts down with cybersecurity clauses that were too prescriptive.

So I'm thinking about the first one. We're looking at supply chain of system updates and the level of trust in them. And similar to the cybersecurity program or the CP strategy, we need to know if there is a reason to mistrust that. And we need to have a way for it to be reported. So we're looking to have these reported to the state as soon as possible because supply chain issues can point to larger problems. So that's really what we're going for there in the first one.

The second one is really thinking about cybersecurity professionals. We often say cybersecurity professionals work 8 or 10 hours a day. But the bad guys work 24 hours a day. So we are constantly trying to keep ahead of them. And the one way to do that is by having good cybersecurity practices but also installing cybersecurity updates provided by vendors in a timely manner.

So it's important to do this. So being able to apply those security updates quickly and efficiently keeps us ahead of the bad guys, makes it a little harder for them to rattle our doorknobs if you will. So we want to be sure they get installed ASAP. And it's also important they get tested, too. We don't want untested updates to happen and to cause the system to not function as expected.

All right, another quick poll question, I hope you guys are still awake. So does your organization have a process to handle security patches in a timely manner?

Yay! 63% - I'm so happy. And then there was just 5% no. And then there was "I don't know." It's a great, great discussion point to ask of your organization. So I feel confident we're safe and secure. So thank you for that.

All right, moving on. Talking about secure payment: so typically when people get a service, they have to pay for it. For example, electric power, right, we have to pay our utility bills. We have to pay to charge our vehicles.

So in thinking about that, we tried to just boil this down to something that was pretty concise. And fortunately, the payment card industry is mature. And we were able to lean on that.

So in this case, the first clause is looking at complying with current payment card industry security standards, pretty straightforward. That's the payment card industry, the data security standards. So we call that the PCI DSS.

And then we also have the EMVCo L1 certified, so those payment terminals. And EMV is a global standard for secure credit card transactions. And actually both of them are global standards. So being able to lean on that is important I think.

Rather, we don't want to reinvent the wheel. We don't want to delve down into the depths of it with the contractor. We want them to adhere to these standards. And we think that this is a good way to look at that.

OK, one more quick poll question for you thinking about money. Which of the following payment methods should be provided for your EV charging users? That's actually a multiple choice question. We haven't had one of those before. So you can check all that apply.

All right. So it looks like the clear winner here is credit/debit cards. Then we have app subscription. And cash - cash is just 6%. But that's an interesting one. I know it's getting, especially during the pandemic, it was harder and harder to use cash.

So how would that play out? And then we have all of the above option, which I think is interesting that the credit/debit outweighed all the above, so interesting. And then we have other forms of payment, which I don't know what those are. But I'll be curious to know.

Hopefully you can share those with us at some point in the future. And then the "I don't know," it's just 3%. So some folks haven't thought about it, completely understandable - something to bring up at your weekend picnic this - or your dinner table discussion.

Alrighty, moving on then, we have secure communications. We're wrapping up our strategies. We're coming towards the end of those.

And what are those secure communications? So when thinking about those we definitely want to focus on those that are standardized. So we're trying to avoid proprietary, or insecure communications, or those that are untested.

We want to go with those that are tried and true, those that are what we call standardized, have been looked at by industry experts. They have been tested. In some cases, they have bug bounties against them.

So they've had a longer life. They're hardened. Proprietary systems tend to have more weaknesses because they haven't been looked at as closely.

All right. The second one is really looking to reduce the amount of personal information. We explicitly called this out, because we want minimal data collection and protection from receipt to destruction. So again, we want the personal information collected throughout the life cycle to be limited to as little as possible so that if there were a compromise, there is not your personal data out there on the interweb or on the internet.

I realize that has happened to some of us. And I'm sorry for that. But we're trying to reduce that attack surface.

And then finally, on the third one, we're literally looking at - this is something actually pretty new. We didn't find a lot in this space, but this was something that the team felt very strongly about. And we put this in. So it might be a little controversial. And I definitely welcome your feedback on it.

So we want to know where the data is. And we want to know who has access to the data. Sometimes cloud resources can transcend countries. And so having a requirement that data resides in the U.S. as opposed to in another country, we felt that was important.

And we also wanted to ensure that the people who have administrative privileges and access to that data have had some kind of background screening, that there is some level of integrity for those people. And so number 3 is one that I'd like you to really think about. And so our next poll question actually deals with that.

So looking at that next poll question, do you have any concerns about information being stored or processed outside of the U.S.? And maybe you haven't thought about that.

All right, excellent. Oh, excellent. OK. Good to know. 78% have things that - they have concerns about their information being stored outside the U.S. 8% say "no." And 13% of you maybe haven't even thought about it yet. So good topic of dinner conversation there.

We just have a few more slides left. I know we're kind of running up on our time. So our last pillar - I'm sorry, our last strategy deals with physical security. I always say cybersecurity is security. Physical security is security.

So we include this because, well, their digital information is stored on physical systems. And we need to ensure that those physical systems are protected. So in looking at the first clause, we really want to ensure that the physical systems that encompass this digital information are not manipulated or tampered with.

So in this case, we're asking that anti-tamper techniques are implemented. And they're able to detect that. So an example might be a video surveillance system that's looking at the system itself to make sure that those that come and go are being monitored.

And then the next one is really looking at, similar to our cybersecurity program and configuration, vulnerability, and update management clauses, that unauthorized access or breaches are reported. So it's important, just because it's been detected, someone needs to know about it. And they need to be able to take action. So that's what we're looking for in the second clause.

All right. Let's do another quick one. And then we're probably coming up on the end. So does your organization's cybersecurity plan currently include physical security?

Alrighty. And it's fair to not know. Maybe you're not involved with the cybersecurity program at your organization. So it could be a trick question I guess if you're not involved with that.

But 44% say they don't know, which is totally fine. It's a good question to ask. And I love that 42% of you said, "yes, I know that we do cover it." So great. And then for 14%, something to work on, I think.

All right. We're going to move on. I know we're coming up on the top of the hour. And I appreciate you sticking with me this long.

OK. So you've had your six strategies. You're excited to go put some cybersecurity language into your contracts or your procurements. I have a couple tips for you. And I'm hoping that they'll be helpful for you as you go through the lifecycle of these electric vehicle charging infrastructure implementations.

So number one, you want to include cybersecurity experts in designing the language for the request for bid. You want to bake cybersecurity in and not snap it on later. I've said that before. We want to establish and adhere to cybersecurity evaluation criteria for all the bids. So we actually want to have our cyber professionals involved with developing a rubric on which to assess the cybersecurity response of the bidders or the proposed contractors.

When we do the vendor review and selection, include your cybersecurity folks. They'll be able to answer those questions being part of the entire process. We want to include cybersecurity requirements in all contracts and agreements to protect your organization from risk from third parties.

So this is not just to protect your - I mentioned this before. We want to ensure that the prime has good cybersecurity practices and is protecting the electric vehicle charging infrastructure. But their subcontractors as well need to adhere to the same high level of integrity.

OK. Some other things to think about: a five-year contract requires five years of cybersecurity contract management. So someone will have to be assigned throughout the life of it. And if there's turnover or people change roles, it's going to take briefing those people, and bringing them alongside, and getting them up to speed so that they can be involved throughout.

Requiring a third-party annual evaluation of the installed system: we talked about that a little at the beginning with the cybersecurity program clauses, that having an assessment done is a good way to measure the effectiveness. We certainly don't want to wait till something bad happens. And cybersecurity is a changing field. It's very dynamic. It's going to evolve over time.

So the contracts themselves may need to have the clauses updated. We would certainly expect the cybersecurity plans to be updated annually based on what we know about new threats and mitigations. We also want to focus on the risk to the organization. We certainly don't want these clauses to be an exercise in compliance and check the box. It needs to be an ongoing risk assessment.

And risk deterrence is our goal. So it's living, breathing. It's not a check the box and put it on a shelf. This is going to be a lifestyle.

And finally, don't let your provider charge you for cybersecurity. It's not a luxury. It's a way of life. We expect it in our day-to-day lives. We should be expecting it in our infrastructure as well.

All right. I also wanted to mention that you probably have resources available to you from your state, your OCIO's office, and other organizations. So don't hesitate to use those as well. And here we go with our last question. It is, do you foresee that your organization could use any of these clauses for your contracts?

Wonderful. 84% said - I didn't get a no, so that's positive. And I got some "I don't know." So fair enough, I realize we might have to digest all this. It's a lot of information.

Here's my last slide. Thank you for sticking with me. I know this is a lot of information to take in. So we are in the process of reviewing the clauses. You've provided us feedback today, and you may provide additional feedback.

And ultimately, we'll go ahead and release a final report on this. And of course your feedback can be submitted to the driveelectric.gov/contact website. So thank you so much for your time. I really appreciate it.

Bridget Gilmore: Thank you so much, Lori. That was so much of a wealth of great information. I have a feeling that the recording of this webinar will be very valuable to folks. Just wanted to highlight a few of our upcoming webinars before folks jump off. Next week, we'll be talking about community charging models. Following that will be a focus on reliability for a reliable charging experience.

We'll also have an opportunity to hear about the AFLEET tool, specifically for the CFI charging and fueling infrastructure grant program. So this is a tool for applicants to that program to understand how to use it. So there'll be a quick demo. And then May 9, there will be a webinar on minority business partnerships and outreach.

And then just briefly wanted to reiterate that if you have questions that didn't get answered today, please do submit them again through our contact form. We have a great team of staff that are there to route those to the correct people as we have incoming questions. So please do reach out and let us know what we didn't get to today.

We also have our newsletter. So you can go to driveelectric.gov/subscribe and then driveelectric.gov/webinars to see our upcoming webinar series. But thank you all so much for being here today. We really appreciate it. And hopefully, it was helpful information. Definitely feel free to provide feedback if there are other topics that you'd like us to address in the future. Thank you.