Cybersecurity Procurement Language Clauses for RFPs and EVSP Contracts

NIST 800-53 Rev5: PL-2, PL-7, PL-8, PM-7, PM-8, PM-9, PM-11, PM-17, PM-18, RA-1, RA-2

This clause emphasizes the need for EVSPs to maintain a proactive risk-based approach to manage the cybersecurity program throughout the life cycle of the EVSE. It is important for EVSPs to implement risk management activities that focus on vulnerabilities and impact for each stage of the engineering, development, and system operations life cycle from design to disposal. EVSPs should have established evaluation criteria to assess the risks and impact when determining procurement or operations decisions involving EVSE hardware, software, data, personnel, subcontractors, and vendors.

NIST 800-53 Rev5: AU-6, CA-2, CA-7, PL-2, PM-18, RA-3, SA-11

This clause emphasizes the need for the EVSP to maintain and update the cybersecurity program, and the current version of the cybersecurity plan shall be provided to the state DOT on an annual basis. The cybersecurity plan shall detail all of the items stipulated in the cybersecurity program requirements and shall provide a mechanism for implementing the cybersecurity program either directly within the cybersecurity plan or by referencing additional appropriate policy and procedure documents.

NIST 800-53 Rev5: PM-1, PM-9, PM-28

This clause emphasizes the need for the EVSP to evaluate and document any potential new cybersecurity risks or impacts from the proposed modification and implement appropriate security controls to mitigate negative impacts. Examples of changes include modifications to hardware or software, changes in system configurations or communications pathways, changes in security controls, and changes in physical or personnel security programs. On an annual basis, if the EVSP revises or makes updates to the cybersecurity plan, an updated copy must be provided to the state DOT for review and approval within [negotiated period, e.g., 30 days].

NIST 800-53 Rev5: AC-16, CA-7, IR-4 (8) (10), IR-5, IR-6 (2), IR-8 (1), RA-5 (11), RA-7, SI-5, SR-5, SR-6

This clause emphasizes the need for the EVSP to rapidly respond to (e.g., in a timely manner) and report any identified cybersecurity incident (e.g., unintended data or privacy leaks) that delays, disrupts, or harms the EVSE or has the potential to impact electric vehicle (EV) charger networks. It is important that EVSPs immediately report available information of any incident that has severely impacted the EVSE and provide updates as more information becomes available.

NIST 800-53 Rev5: SR-2, SR-3, SR-5

This clause emphasizes the need for EVSP subcontractors to be held to the same rigor of cybersecurity. Therefore, it is the responsibility of the EVSP to ensure that the subcontractors’ training and awareness of all cybersecurity policies, procedures, protections, roles, and responsibilities, including how accountability will be established and maintained, are documented.

NIST 800-53 Rev5: SR-1

This clause emphasizes that the EVSP is responsible for protecting the state and all listed parties from any liabilities relating to cybersecurity breaches to the contracted EVSE. The EVSP is obligated to act and defend the state and listed parties against any claim and proceeding of cybersecurity breaches to the contracted EVSE brought to them and is responsible for payments of any losses incurred by the state and all the listed parties relating to any claim suit or proceeding.

NIST 800-53 Rev5: AC-2; AU-6; IA-2, IA-3

Centralized capabilities provide a single point of control and management, making it possible to enforce consistent security policies and compliance across an organization's systems and applications. Centralized authentication and authorization help prevent and detect unauthorized access and maintain data confidentiality. Lastly, centralized logging and monitoring enable effective incident detection, response, and mitigation procedures.

NIST 800-53 Rev5: AC-2

Access control, which involves restricting access to systems, information, functions, tools, locations, components, or resources, plays a crucial role in limiting individual users and processes through the principle of least privilege. Insufficient access control methods can lead to unauthorized or unnoticed system breaches by adversaries. This principle limits access of each process, program, or user exclusively to authorized and necessary information and resources, effectively reducing potential attack entry points.

NIST 800-53 Rev5: IA-2, IA-5

This clause focuses on adding an extra layer of security beyond just a single password. Aligning with the requirement for multiple methods to authenticate (e.g., something you have, something you know, something you are, or somewhere you are), this clause affirms that EVSPs are required to enforce multiple factors of authentication, such as passwords, tokens, or a one-time access code.

NIST 800-53 Rev5: SA-22; NIST 800-40v2

Emphasis on the criticality of ensuring the authenticity and integrity of updates helps protect against security breaches or threats. Establishing requirements to report violations highlights the significance of accountability and proactive response in maintaining a secure system. The EVSP should recognize that a formal patch management plan emphasizes the importance of structured procedures for handling timely updates, reduces risks, and ensures a strong cybersecurity stance.

NIST 800-53 Rev5: SI-7

Regularly installing updates, patches, service packages, or other fixes to systems is essential for remedying discovered weaknesses and vulnerabilities, as the process of discovering these flaws is continuous. Such updates must be tested and validated before implementation, including for hardware, software, and firmware pertaining to all applicable products of the EVSE.

PCI DSS v4.0

Demonstrating compliance with existing payment card industry standards reinforces the integrity of data security during payment transactions. These standards provide a baseline of requirements for payment protection.

EMVCo

EMV specifications for all payment terminals is essential for payment protection to secure and protect physical, electrical, and transport-level interfaces enabling the communication of data between the payment device and the acceptance device.

NIST 800-53 Rev5: SC-8, SC-13, SC-28, SI-7 (6)

EVSE relies on secure point-to-point communications. Secure protocols using modern encryption protect data in transit. As computers become more advanced, protocols and encryption methods are also improving. Cryptographic agility will provide the EVSP with the ability to update the systems more effectively, providing the consumer with added security.

NIST 800-53 Rev5: AC-16

Information that is not collected cannot be leaked, and information that is collected needs to be protected from the time of inception until destruction from both internal and external threats.

CSA; FedRAMP; NIST 800-53 Rev5: PS-3, SA-9 (4), SA-9 (5)

While no standards or generally accepted guidance require this, we felt strongly enough to propose that cloud protection data live in the United States, and those with access to it have a level of credibility validated via a background check.

NIST 800-53 Rev 5: AT-3 (2), PE-3, PE-5, CM-7 (8)

This clause addresses the physical security of EVSE. There are many ways for an organization to implement physical access control, using both devices and procedures. It is inspired from the principle of least functionality, in which systems are configured for security using appropriate access controls.

NIST 800-53 Rev5: AC-3 (12), AU-9, AU-13, IR-8, PS-7, SI-7

IThis clause is intended to address the enforcement of physical security and access control. Security is strengthened through monitoring and notifying the appropriate stakeholders in the event of unauthorized access.