Natural Resources Canada and the U.S. Department of Energy’s Security and Privacy Notice

The 50001 Ready Navigator background

The 50001 Ready Navigator (the Navigator) software tool is an online guide for establishing an energy management system to plan, identify, prioritize, and implement projects that will improve your facility’s energy performance. Completion of the 50001 Ready Navigator tasks prepares facilities to pursue certification to the international best practice for energy management systems, ISO 50001. It was launched by the U.S. Department of Energy, as part of its 50001 Ready Recognition program, in 2017.  In 2022, the U.S. Department of Energy and Natural Resources Canada entered into an agreement to adapt the features for Canadian Navigator users.

Security

The security of your project’s account information is very important to both Natural Resources Canada and the U.S. Department of Energy. Project energy data for Canadian facilities seeking 50001 Ready Canada recognition, is not stored in the Navigator tool. Natural Resources Canada is responsible for the management of project energy data for facilities located in Canada. The U.S. Department of Energy is responsible for the management of project’s account information and project energy data for facilities located in the U.S. The web application has been designed with the following security features:

Server Traffic Level

The 50001 Ready Navigator is protected by the Cloudflare service which provides protection from denial-of-service (DDoS) and other large scale cyber-attacks.

The Navigator exclusively uses the Hypertext Transfer Protocol Secure (HTTPS) connection which ensures fully encrypted, secure communications between the server and the end user. Non-HTTPS requests to the server are redirected to the secure connection. The associated Secure Sockets Layer (SSL) security certificate uses the most up-to-date standards.

Server Level

The server is run in the secure Amazon Web Services (AWS) government cloud, which provides associated server security and monitoring.

Additionally, LBNL administrators monitor the server 24/7 and receive automatic error notification if the Navigator is having issues.

Server access via SSH (Secure Shell) is restricted by IP address to the 50001 Ready Navigator development team.

Navigator (Software) Level

The Navigator software includes various cybersecurity best practices, including:

• Fully encrypted password storage
• Complex password requirements
• Yearly password update requirements
• Throttled login attempts - limiting the number of login attempts that can be made per minute to prevent brute force attacks
• Cross-site request forgery protections (CSRF) - preventing non-authorized requests from being submitted
• SQL injection protection – filtering all sql (database) requests to prevent unauthorized execution of code
• Support library security alert monitoring – if security issues are identified with support software libraries, automatic notifications are sent to administrators to deploy fixes and patches immediately

Security Testing

The Navigator is routinely tested by automatic security scanners that test for a variety of potential vulnerabilities. If any are identified, notifications are automatically sent to administrators for corrections.

For more involved security testing, external security testing groups have been used to manually probe the Navigator for vulnerabilities, which are then reported and patched as needed.

Privacy

The 50001 Ready Navigator (the Navigator) does not store Canadian facility or project energy data.

Where information is collected in the Navigator (such as your project contact name and work email address) it is only used for the stated purpose of the tool or system you are using, such as applying for recognition. In all cases, such information is never sold to third parties.

Information collected may be used for the purpose of identifying industry trends, evaluating the reach and impact of the Navigator, or to gauge general usage statistics for the betterment of the site as a whole. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits.

For Canadian users, the retention and disposal of 50001 Ready Canada Recognition program records, provided directly to an NRCan’s email box, is governed by the Canadian federal Library and Archives of Canada Act.

Information provided to the U.S. Department of Energy’s Navigator website (project account contact name and work email address) is subject to protection by the U.S. Federal Information Security Management Act and the U.S. Freedom of Information Act. Basic project account information that is entered into the Navigator, as well as the facility’s energy data required when Canadian users apply for 50001 Ready Canada recognition, is collected by Natural Resources Canada under the authority of sections 21 to 24 of the Energy Efficiency Act, is not shared with third parties, and is subject to the Canadian federal Privacy Act and the Access to Information Act.

If you have any questions or comments about the information presented here, please send your comments to Natural Resources Canada by e-mail at 50001 50001ready@nrcan-rncan.gc.ca or by phone at 1-877-360-5500.