Skip to main content

Privacy Policy

NREL is committed to the security and privacy of data related to the CVF Web tool. Users of the application will have the option to select from one of the following assessment methods, based on their needs:

  1. Anonymous "one-time" assessment (no data collection)
    1. This version of the tool does not store any data associated with the assessment because no login account is created. This anonymity is intended to be a solution for the U.S. Department of Defense and other federal agencies that have restrictions on storage of data. Note that this option requires that the full assessment be taken in one session, as there is no option to save the user’s progress. Any period of inactivity longer than two days will clear session data, and all progress will be lost. Additionally, there is no capability to review prior assessments or save scores so that they appear in the dashboard.

    2. Users of the anonymous version will still receive a score at the end of the assessment as well as a list of prioritized action items. Additionally, anonymous users can still provide comments to applicable assessment questions.

  2. Research-based "continuous" assessment (includes data collection)
    1. As part of NREL’s distributed energy resources cybersecurity research, the online Web tool will collect metrics based on users’ answers to questions in the assessment. The data will be securely stored for a maximum of 5 years in an encrypted, cloud-based environment hosted by Amazon Web Services. This environment has been thoroughly vetted and is compliant with Federal Risk and Authorization Management Program policies.

    2. The purpose of this research is to fine-tune the assessment and create a more efficient process for users by revising questions and answers. Collected data cannot be attributed to either the site or the user who provided the data. In other words, answers to the assessment questions are anonymous

    3. The "continuous" aspect of this assessment version allows users to view previous assessment reports, compare results, and more. It is intended to encourage habitual cybersecurity posture assessments in order to monitor growth.

Learn more about NREL’s security and privacy policy.