The completed grid-interactive retrofit of the U.S. General Services Administration's (GSA) Oklahoma City (OKC) Federal Building has yielded procurement, cybersecurity, and data governance lessons that practitioners say are directly transferable to large-scale private-sector smart-building deployments. The project demonstrates that grid-interactive efficient building (GEB) strategies and technologies can be deployed across existing facilities with minimal investment. With federal agencies now formalizing the findings, building owners, system integrators, and vendors are examining how the model translates beyond the public estate.
Background
The OKC project originated in 2019 as part of a Utility Energy Service Contract (UESC) with Oklahoma Gas & Electric (OG&E) and energy services company Ameresco, encompassing five federal buildings across Oklahoma. The deep energy retrofit delivered cost savings through GEB technologies, a solar photovoltaic (PV) system, lighting controls, battery energy storage, and new HVAC controls.
The project supports GSA's goal of achieving net-zero-emissions buildings by 2045, leveraging investments funded in part by the Bipartisan Infrastructure Law and the Inflation Reduction Act. The Inflation Reduction Act includes $3.4 billion for GSA to build, modernize, and maintain more sustainable high-performance facilities, with $975 million allocated specifically for emerging and sustainable technologies.
The federal government manages a footprint of more than 300,000 buildings and spends $650 billion annually on goods and services - a scale that makes replicable, standards-aligned deployment models a priority for public and private stakeholders alike.
Project Details and Findings
The project team implemented nine energy conservation measures (ECMs) and smart building technologies, which the DOE's Federal Energy Management Program (FEMP) published as a formal case study in March 2023. The project is projected to reduce energy use by 41%, cut 3,100 metric tons of carbon emissions annually, and save approximately $400,000 per year in energy and water costs, according to GSA. Across all five retrofitted buildings, energy consumption is expected to fall by 41%, yielding $13.5 million in savings over the contract period.
The project addressed energy efficiency, renewable energy, load flexibility, and grid resilience. Bundling GEB technologies with short-payback ECMs helped offset the longer payback periods typical of resilience technologies, making them economically feasible. Total project funding was approximately $11 million, drawn from a DOE grant and GSA appropriations.
Existing and new equipment used a variety of control systems, which proved challenging from a coordination and integration standpoint - a friction point the case study identifies as a persistent obstacle in multi-vendor building environments. GSA acknowledged that cross-functional collaboration throughout design, development, and implementation was a primary driver of the project's success.
On procurement, GSA's Smart Buildings directive requires interoperability between devices through open protocol systems and mandates cybersecurity best practices - including cyber supply chain risk management (C-SCRM) principles - across IP-network-based systems and downstream devices.
OT/IoT Cybersecurity and Data Governance Implications
The OKC pilot's control environment - spanning building automation systems (BAS), IoT sensors, battery energy storage, and grid-responsive HVAC - highlights the convergence of operational technology (OT) and IT networks that now characterizes modern smart buildings. Many OT systems lack adequate security measures and often contain legacy products that are no longer vendor-supported and cannot be patched against new vulnerabilities.
At the federal level, the IoT Cybersecurity Improvement Act of 2020 directs NIST and the Office of Management and Budget to establish guidance for securely procuring IoT devices. Meanwhile, NIST's building systems cybersecurity program aims to develop application profiles and governance guidance for building owners, designers, and manufacturers - covering threats, countermeasures, and governance approaches - in collaboration with industry stakeholders through the Coalition for Smarter Buildings (C4SB).
For cross-sector application, CISA's updated Cybersecurity Performance Goals (CPG) 2.0 consolidates OT and IT goals into universal objectives, eliminating silos across IT, IoT, and OT environments while introducing new goals addressing third-party risk. OT-specific goals from prior CPG versions have been folded into universal goals that address IT and OT holistically, enabling organizations to apply a single framework across their entire estate. Private-sector facility operators can use CPG 2.0 as a baseline governance reference when specifying BAS, IoT edge devices, and grid-interactive controls in procurement documents.
Data governance presents a parallel challenge. GSA served as the final decision-maker and lead project manager, coordinating oversight, contract administration, and review of final designs and deliverables - a model that establishes clear data ownership and accountability across a multi-party contract structure involving a utility, an ESCO, and multiple technical sub-teams. For private-sector operators replicating this structure, defining data classification, retention, and access-control policies at contract inception - rather than post-deployment - is a key lesson the case study surfaces.
Outlook
The case study documents project roles, processes, costs, and benefits, and its findings are intended to accelerate additional GEB-ready retrofits. GSA's Green Proving Ground program, in collaboration with DOE, has selected 17 emerging and sustainable technologies for real-world evaluation, with GSA planning to invest $9.6 million to install and assess them. As federal procurement frameworks converge around open protocols, C-SCRM principles, and NIST-aligned cybersecurity governance, private-sector building owners and integrators face growing pressure to align specification and contracting practices with the standards now embedded in the public-sector baseline.
