The U.S. General Services Administration (GSA) has formalized an enterprise-wide Building Automation System (BAS) standard across its federal portfolio, using the Oklahoma City Federal Building's grid-interactive retrofit as a procurement and operational technology (OT) security blueprint. The move directly links physical building controls to federal cybersecurity policy, establishing vendor requirements and interoperability benchmarks that industry observers say are likely to influence private-sector procurement.
Background
The GSA manages a nationwide real estate portfolio of approximately 370 million rentable square feet and oversees more than $100 billion in annual products and services contracts. That scale has historically produced fragmented BAS deployments, with disparate vendor systems complicating maintenance, cross-agency data sharing, and security remediation.
The Oklahoma City pilot addressed that fragmentation directly. Completed in mid-2023, the Oklahoma City Federal Building project deployed grid-interactive efficient building (GEB) technologies - including solar photovoltaic generation, battery energy storage, and new HVAC controls - under a utility energy service contract (UESC) with Oklahoma Gas & Electric (OG&E) and energy services company Ameresco. According to the Department of Energy's Federal Energy Management Program (FEMP), the project demonstrated that GEB-ready strategies and technologies can be deployed across buildings with minimal investment.
The retrofit drew on multiple funding sources. The project received approximately $11 million from a Department of Energy grant and GSA appropriations. It is projected to reduce energy use by 41%, cut 3,100 metric tons of carbon emissions, and save approximately $400,000 annually in energy and water costs.
Details
Building on the Oklahoma City results, GSA announced in September 2024 that it would standardize its BAS across all new installations and major modernizations. GSA issued a Class Brand Name Justification for the Niagara Framework, manufactured by Tridium, Inc., citing market research indicating that the platform is sold and serviced by nearly every major BAS manufacturer, as well as BAS service providers and vendors of all sizes. The agency stated that both large BAS manufacturers and small business integrators can compete based on this enterprise standard.
On cybersecurity, GSA's Smart Buildings directive requires agencies to promote interoperability between devices through open protocol systems, to implement cybersecurity best practices within GSA Internet Protocol (IP) network-based systems, including downstream devices, and to protect against threats by including cyber supply chain risk management (C-SCRM) principles.
The standardized approach also carries operational implications. According to GSA, an enterprise-wide BAS solution streamlines software and hardware for all new BAS installations and major modernizations of existing BAS, streamlines operations and maintenance contract support, and minimizes training requirements by reducing the number of different systems across the portfolio.
The broader OT security regulatory environment has tightened in parallel. On December 11, 2025, CISA released Cybersecurity Performance Goals 2.0 (CPG 2.0), an update aligned with NIST Cybersecurity Framework (CSF) 2.0 that folds previously OT-only goals into universal goals addressing both IT and OT environments holistically. CPG 2.0 also introduces goals covering risks from third-party providers with deep system access, and goals applying zero-trust principles to mitigate lateral movement - both directly relevant to BAS vendor relationships in federal facilities.
A persistent challenge for OT practitioners is the gap between IT-centric federal contracting requirements and operational technology realities. NIST SP 800-171, which underpins the cybersecurity controls mandated by FAR 52.204-21 for civilian agency contracts, is aimed at IT systems and is not designed for OT environments that monitor and control physical functions. NIST SP 800-82 Revision 3, published in September 2023, addresses that gap with tailored security control baselines for OT systems at low, moderate, and high impact levels.
Outlook
FEMP positions the Oklahoma City model as a replicable template for the broader federal portfolio. GSA's FAR class deviation, issued in February 2025, signals continued regulatory refinement around how smart building technologies are procured and governed across agencies. For private-sector facility managers and system integrators, the convergence of open-protocol BAS requirements, C-SCRM contractual obligations, and CISA's unified IT/OT performance goals sets a de facto interoperability and security baseline that commercial procurement specifications are increasingly expected to reflect.
