Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NICE eNewsletter Summer 2022 Government Spotlight

Evolved Cybersecurity Needs Evolved Training

By Maureen Roskoski, Vice President at Facility Engineering Associates and Contractor to GSA Office of Federal High-Performance Green Buildings

The facilities workforce is constantly evolving to adapt to changing environments.  For instance, the increase in energy efficiency demands a facilities workforce with advanced competencies in operations, maintenance, and energy-related technologies.  As our buildings have become smarter with more connected technology, there has been an increase in the need for cybersecurity knowledge in the facilities workforce driven by policy initiatives, regulatory requirements, and technology advancements.  How can an organization keep up with these emerging workforce needs and maintain a competent facilities workforce? 

The Federal Buildings Personnel Training Act (FBPTA) was enacted in 2010 and required the General Services Administration (GSA) to establish core competencies and a curriculum for those that run federal buildings. The FBPTA program developed a competency model that established 44 core competencies related to facility management, building operation, and energy management roles, including a total of 268 specific competencies. The model is updated annually which enables GSA to identify the evolving needs of the federal facility management workforce and add competencies to reflect those needs.  In 2018, additions to the model included cybersecurity competencies to help facilities personnel meet the federal government’s need for a workforce skilled in cybersecurity.  Over the past few decades, the tools for managing buildings have substantially changed, and today’s facility managers, energy managers, and building operators are more dependent on digital technologies to run buildings and monitor efficiency and costs. 

While technology has improved exponentially during the last 10 years, providing building managers with excellent and more sophisticated tools, it has also brought an increased threat of disruption through cyber-attacks. This threat requires facilities personnel to obtain and maintain competencies related to cybersecurity for facility systems, subsystems, sensors, and other devices.  This is of particular concern for facilities positions that work with building automation systems, fire and life safety systems, security systems, and other facility technology that is vulnerable to cybersecurity threats. Two competency areas – “Cybersecurity in Facility Management and Building Operation and Maintenance” and “Cybersecurity in Design and Acquisition” - and 19 cybersecurity competencies were added to the model (see table 1).  The key is that these competencies are focused on what facilities personnel need to know related to facility management and building operations and design and acquisition of facilities systems.  In that way, the FBPTA cybersecurity competencies are similar to NICE Framework Knowledge Statements.

This table is an excerpt from the FBTA Competency Model. The full model can be downloaded from the FBTA website.  

Core Competency

Performances

3.4 Cybersecurity in Facility Management and Building O&M

3.4.1. Demonstrate knowledge of cybersecurity requirements and configuration management of utility and building systems, subsystems, sensors, and other component devices to support continuity of operations.

3.4.2. Demonstrate knowledge of how to conduct cybersecurity and risk assessments for building systems, including inventory of critical assets, and identify vulnerable systems.

3.4.3. Demonstrate knowledge of how to implement policies and procedures that are based on risk assessments.

3.4.4. Demonstrate knowledge of how to develop subordinate plans to provide adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate.

3.4.5. Demonstrate knowledge of how to identify and respond to cyber alerts, vulnerabilities, changes in system controls, and incident response regarding threats to the cybersecurity of systems, subsystems, sensors, and other component devices.

3.4.6. Demonstrate knowledge of how to perform continuous monitoring of control systems and identify system instability.

3.4.7. Demonstrate knowledge of control systems' and recognizing abnormal behavior and anomalies.

3.4.8. Demonstrate knowledge of procedures for maintaining authority to operate (ATO) building systems.

3.4.9. Demonstrate knowledge of communication procedures regarding alerts, vulnerabilities, and incident response including when (and to whom) to report abnormal operations.

3.4.10. Demonstrate knowledge of cybersecurity technologies in accordance with relevant regulatory requirements, including hardware, software, and firmware.

3.4.11. Demonstrate knowledge of how to identify, address, and escalate issues where conflicting or competing policy, standards, and regulations create vulnerabilities in control systems.

3.5 Cybersecurity in Design and Acquisition

3.5.1 Demonstrate knowledge of cybersecurity requirements in facilities and associated control systems during requirements and procurement specifications development for new systems and upgrading/modification specifications for existing systems.

3.5.2. Demonstrate knowledge and ability to ensure cybersecurity requirements are appropriately addressed in contract procedures and requirements for long-term maintenance agreements.

3.5.3. Demonstrate ability to assess cyber commissioning technical requirements needed to ensure delivery, cybersecurity, and quality of services/products.

3.5.4. Demonstrate familiarity with incorporating cybersecurity requirements into lease language and occupancy agreements for systems, subsystems, sensors, and other component devices.

3.5.5. Demonstrate ability to identify, address, and escalate issues where new emerging technologies and cybersecurity requirements affect costs and budgeting.

3.5.6. Demonstrate knowledge of how to ensure external vendors and contractors follow cyber hygiene requirements.

3.5.7. Demonstrate ability to recognize and understand the role of cybersecurity requirements in the ecosystem of integrated project delivery.

In 2021, GSA added several new competencies in response to the need for additional knowledge and skills in cleaning, including healthy cleaning and chemistry of cleaning, reflecting facilities’ priorities during the COVID-19 pandemic. In addition, given an increase in the need for facilities personnel to understand the role resilience and climate change risk plays in facility management and building operation, GSA added a new core competency for resilience as well as additional competencies related to resilient energy and water systems and resilience planning related to climate change risks. 

A significant tool in helping organizations maintain a competent workforce is the access to training that will help fill the competency gaps of the evolving facilities workforce. To fill this need, as required by the FBPTA, GSA maps training, curriculum, certificates, and certifications to the competencies.  This mapping allows people to find training that best fits their competency needs.  GSA developed two free online tools that support the FBPTA and are available to the public: Accelerate FM and the Federal Skills Assessment Tool (FEDSAT).  Within the Accelerate FM tool, users select a position (such as Energy Manager, Building Operator, etc.) to see the competencies identified by their organization for that position so they can identify training that will help them meet their competency gaps. 

 The FEDSAT is a competency assessment tool where a user answers questions tied to FBPTA competencies.  If the question is answered correctly, credit is received for the related competency, but if the question is answered incorrectly the user is directed to free online training that has been mapped to that performance. This kind of specificity in directing users to training based on competencies provides organizations a simple way to assess proficiency of their workforce in a variety of facilities competency areas. 

 Integration of the FBPTA program into a workforce development program has many benefits including competency and proficiency assessment of personnel, the ability to identify competency gaps, and the opportunity to find the right training to meet individual and organizational needs.  Further, planning conducted while building your workforce development program helps identify and promote career progression and succession planning.  Overall, the FBPTA program and tools help you build or enhance your facilities workforce development program, make smart investments in training, and maintain a competent workforce, even as the workforce needs evolve.

NICE eNewsletter Summer 2022

Created July 21, 2022, Updated July 22, 2022