Federal smart-building programs have long promised scalability-but few deployments have translated that promise into a replicable, documented procurement model. The U.S. General Services Administration's (GSA's) Oklahoma City (OKC) Federal Building has done precisely that, completing a multi-year grid-interactive efficient building (GEB) retrofit now cited by the Department of Energy (DOE) as a leading example for the entire federal portfolio.
The project is projected to reduce energy use by 41%, cut 3,100 metric tons of carbon emissions annually, and save approximately $400,000 per year in energy and water costs. More significantly for facilities professionals, it provides a concrete procurement and operational technology (OT) cybersecurity template applicable to any large-scale building automation rollout-public or private sector.
Project Overview: What Was Built and Why
The OKC Federal Building sits in downtown Oklahoma City-a medium-sized facility with limited expansion space and, by national standards, relatively low utility rates1relatively low utility rates. That combination made it a deliberately challenging test case: if a scalable GEB solution could work here, the logic ran, it could work anywhere across GSA's portfolio.
The OKC building is part of a five-building retrofit executed under a Utility Energy Service Contract (UESC), with approximately $11 million in funding drawn from a DOE grant and GSA appropriations. The project team comprised GSA (building owner), Ameresco (Energy Service Company, or ESCO), OG&E (utility partner), and subject matter experts (SMEs) from the National Renewable Energy Laboratory (NREL).
Technologies Deployed
GEB technologies deployed2GEB technologies deployed included:
- Solar photovoltaic (PV) array integrated with rooftop constraints
- Battery energy storage system (BESS) using advanced control algorithms to minimize demand charges
- Upgraded HVAC controls with new building automation system (BAS) graphics
- LED lighting controls replacing older, difficult-to-retrofit fixtures
These systems were connected to dynamically adjust energy loads in response to grid signals-shifting the building from a passive electricity consumer to an active grid asset.
| Metric | Outcome | Notes |
|---|---|---|
| Projected energy reduction | 41% | vs. pre-retrofit baseline |
| Annual energy & water savings | ~$400,000 | At 2023 utility rates |
| Carbon reduction | 3,100 metric tons/yr | CO₂-equivalent |
| Total project funding | ~$11 million | DOE grant + GSA appropriations |
| Contract mechanism | UESC | OG&E utility, Ameresco ESCO |
| Buildings in UESC scope | 5 | OKC is the GEB lead site |
Procurement Architecture: How the Contracting Model Enabled Interoperability
The procurement structure is arguably as instructive as the technology itself. The UESC mechanism enabled GSA to finance the retrofit through projected utility cost savings-with no upfront capital appropriation required for the energy conservation measures (ECMs).
Performance-Based Contracting in Practice
NREL SMEs developed an assurance performance plan defining energy savings targets and verification protocols before installation began. This approach3This approach required Ameresco to present a wide range of technology options with projected payback periods and life-cycle cost analyses, from which GSA conducted structured screening. Technologies were eliminated based on unfavorable cost/savings ratios-including ground-source heat pumps and high-efficiency condensing boilers-rather than technical preference alone.
Key contracting lessons for replication:
- Define interoperability requirements at the specification stage. The OKC project encountered coordination challenges because existing and new equipment used disparate control systems. Specifying BAS communication protocols (e.g., BACnet, Modbus) in performance contracts before vendor selection reduces integration friction during commissioning.
- Mandate standardized data models. Integrating BAS graphics updates into the retrofit scope-not as an afterthought-enabled consistent monitoring and fault detection across systems.
- Include SME roles in the contract team. NREL's involvement in training, REopt analysis, and M&V assurance added technical depth that neither the ESCO nor the utility could provide independently.
The OKC procurement model also navigated federal supplier diversity requirements. Buy American Act compliance for BESS and PV components proved challenging, as multiple team members noted3This approach that many relevant materials are primarily manufactured outside the United States. Teams pursuing similar projects should factor this constraint into technology screening at the earliest feasibility stage.
OT Cybersecurity: The Non-Negotiable Layer
Smart building deployments that expand BAS connectivity to the grid, cloud platforms, and remote monitoring infrastructure materially expand the OT attack surface. The OKC project-and GSA's broader smart buildings program-address this through policy and technical controls that facilities teams in both sectors should benchmark against.
GSA's BAS Standardization Initiative
In September 2024, GSA announced plans to standardize a BAS solution enterprise-wide4GSA announced it would standardize a BAS solution enterprise-wide across its portfolio-described as "a major step towards vulnerability mitigation and reducing cybersecurity risks associated with BAS hardware and software solutions." The enterprise-wide BAS standardization initiative is expected to open more competition for small business service contracts covering installation, programming, support, and maintenance of building automation systems. Standardization also simplifies patch management, configuration baselines, and anomaly detection across hundreds of dispersed facilities.
Applying NIST OT Security Frameworks
GSA's smart buildings policy requires cybersecurity best practices across all IP-networked building systems, including downstream devices, and explicitly incorporates cyber supply chain risk management (C-SCRM) principles. The applicable federal standard is NIST SP 800-825NIST SP 800-82-the Guide to Operational Technology (OT) Security-which was revised to Revision 3 in September 2023, expanding scope to include building automation systems and aligning with the NIST Cybersecurity Framework (CSF) 2.0.
For facilities teams, the critical OT cybersecurity controls applicable to BAS deployments include:
- Network segmentation: BAS and OT networks should be isolated from IT/corporate networks, with firewalls or unidirectional gateways at boundaries
- Continuous monitoring: GSA's central office remotely monitors BAS and advanced metering data, with requirements to address detected issues within defined SLAs
- Incident response planning: Recovery time objectives (RTOs) for OT zones must be defined based on operational tolerance-not derived from IT standards
- Supply chain verification: Vendor-supplied components should be assessed against C-SCRM criteria, including software bill-of-materials (SBOM) transparency
The convergence of IT and OT systems in smart buildings means that cybersecurity is now a first-order design requirement, not an afterthought. Teams that defer OT security planning until post-installation face significantly higher remediation costs and residual risk exposure.
For a broader view of how OT and building cybersecurity standards are evolving across the sector, see Integrated Building Security Standards Gain Momentum and Security-by-Design Surge in Building Automation Amid Rising Cyber-Physical Risks.
Scalability Lessons: From One Building to a Portfolio
The DOE case study explicitly positions the OKC deployment as a template for additional GEB retrofits-finding that GEB-ready strategies can be deployed across buildings with minimal investment2GEB technologies deployed. GSA's own administrator described a roadmap to replicate this model across the agency's 370-million-square-foot nationwide real estate portfolio.
For program managers and procurement officers planning similar rollouts, the OKC model demonstrates:
- Start with a challenging site, not the easiest one. Low utility rates and constrained space forced the OKC team to rigorously screen technologies by life-cycle economics-producing a replicable methodology rather than a site-specific outcome.
- Invest in tenant and operator training. NREL developed training programs for both building managers and tenants. Occupant comfort was maintained throughout demand-response events-a critical metric for public-sector facilities.
- Use performance contracts to align incentives. The UESC mechanism tied Ameresco's compensation to verified energy savings, creating a direct financial incentive for interoperability and system integration quality.
- Leverage federal energy programs for funding. The DOE's Federal Smart Buildings Accelerator (FSBA) and FEMP technical assistance programs provide assessment resources, training, and funding pathways that can reduce upfront cost burdens for smaller agencies and private-sector operators with limited capital budgets.
For private-sector adopters, the most directly transferable lesson is the performance-based contracting structure: defining measurable energy and interoperability outcomes in contract specifications, rather than specifying individual products, protects against vendor lock-in and creates accountability for long-term system performance.
Key Takeaways
- The GSA OKC Federal Building demonstrates that medium-sized facilities with constrained footprints and low utility rates can achieve significant GEB outcomes when procurement is structured around verified performance and multi-stakeholder collaboration.
- The UESC/ESPC mechanism remains the most viable no-upfront-cost pathway for major smart building retrofits in both public and private sectors.
- OT cybersecurity-including network segmentation, continuous monitoring, C-SCRM, and incident response planning-must be integrated into BAS procurement specifications, not addressed after commissioning.
- Standardized data protocols and BAS communication standards specified at the contract stage are the single most effective lever for reducing multi-vendor integration cost and complexity at scale.
- NIST SP 800-82 Rev. 3 and the NIST CSF 2.0 provide the current baseline framework for OT security governance in any connected building deployment.
For facilities managers and system integrators planning smart building programs in 2025 and beyond, the OKC case study-publicly available from the DOE Federal Energy Management Program2GEB technologies deployed-represents the most complete federal GEB implementation reference currently in circulation.
