About the Distributed Energy Resource Cybersecurity Framework

NREL developed the Distributed Energy Resource Cybersecurity Framework (DER-CF) to evaluate the cybersecurity posture of federal sites that employ distributed energy systems or plan to implement distributed energy resources (DERs) for day-to-day operations.

DERs—like solar panels and battery storage—offer consumers the flexibility to generate and store power for their homes or facilities onsite. As more of these devices come online, the grid becomes increasingly digital, distributed, and complex, resulting in more access points for adversaries to detect weaknesses and infiltrate vulnerable systems.

Download the DER-CF Fact Sheet

If these systems are not properly secured, cyberattacks on them could affect the larger grid and lead to:

DER-CF helps organizations and federal sites harden their systems against these risks by evaluating DER cybersecurity posture and providing customized recommendations for improvement. The U.S. Department of Energy’s existing Cybersecurity Capability Model addresses cybersecurity for energy systems, but not renewable energy specifically. DER-CF fills that gap with a sharper focus on distributed energy technologies, physical security, and technical management.

Users can employ the DER-CF to continuously monitor their cybersecurity health, maintain compliance with federal mandates, and track their progress over time. For one-on-one support, fill out our technical assistance form.

How It Works

The DER-CF guides users through a tailored questionnaire to get a complete picture of their site’s cybersecurity. The questionnaire breaks cybersecurity into three pillars—governance, technical management, and physical security—ensuring that questions about action items are directed to the correct personnel. After completing the assessment, users can download a customized report, which includes scores and an action plan for improving their security controls and practices. Check out an example report.

Governance Maturity

Technical Management Maturity

Physical Security Maturity