10 Steps for Control System Vendors to Get on the DoD Risk Management Framework Approved Product List and Get a Type Authorization
1. Download and review NIST SP 800-53 R4 and NIST SP 800-82 R2, and become intimately familiar with the security control families.
2. Identify a Facilities-Related Control System Owner/Sponsor (USACE, NAVFAC, AFCEC, DHA, DLA, etc.); if you cannot get a service/agency sponsor, contact the OSD Installations Energy office (Daryl Haegley).
3. Download the UFC 4-010-06 Cybersecurity of Facility-Related Control Systems (and define the Platform Enclave Authorization Boundary), UFC 3-580-01 Telecommunications Interior Infrastructure Planning And Design, ESTCP Facility-Related Control Systems Information Assurance Guide, ESTCP Telecommunications and Network Guide, ESTCP FAT/SAT Checklist, and the ESTCP Penetration Testing Checklist.
4. Download the Energy, Installations and Environment (EI&E) Control Systems Master List from the DoD CIO RMF Knowledge Service Portal EIE Resource page at https://rmfks.osd.mil/login.htm and categorize the CS, Impact Levels, and Information/Data Types following the EI&E step-by-step guidance. A generic version is provided in the Guides and Checklist section below.
5. Download the Vendor RMF Core Security Authorization Package Excel file and review the Control Correlation Identifier (CCI) questions and sample responses (note that many CCIs are automatically compliant); this will become the System Security Plan (SSP).
6. Prepare the RMF CS Type Authorization Package documents and artifacts (System Security Plan, Security Assessment Report, Plan of Action and Milestones, Contingency Plan, Event/Incident Communications Plan, Event/Incident Response Plan, Security Audit Plan). Note that template documents will be posted by Spring 2017.
7. Download the DISA APL Process Guide, Applicant Testing Plan Rules of Engagement, and Information Assurance Test Plan at: http://disa.mil/network-services/ucco.
8. Follow the steps in the APL Process Guide Appendix C.
9. Submit documentation to an approved Testing Facility.
10. Obtain the DISA APL Approval and Interoperability letters, and send a copy to OSD EI&E (Daryl Haegley).
For Subject Matter Expert assistance to help develop a Vendor Package, contact: Daryl Haegley (daryl.r.haegley.civ@mail.mil) or Tim Tetreault (timothy.j.tetreault.civ@mail.mil).
CONTROL SYSTEM CYBERSECURITY GUIDES AND CHECKLISTS
These Control System Risk Management Framework guides and checklists were developed for the DoD ESTCP 2017 R&D projects, but can be used by any organization with minor tailoring.
Facility-Related Control Systems Information Assurance Guide 12-2016 - this guide expands on the UFC and establishes the requirement for Subject Matter Experts, a Test and Development Environment with a list of free tools, a Design and Construction Sequence Table for new and modernization projects with FAT and SAT submittals, and contract language for RMF ATO package submittals (SSP, ITCP, SAR, POAM, EICP, IRP, SAP).
Facility-Related Telecommunications and Networking Guide 12-2016 - this guide expounds on the DoD UFC and describes the internal and external Passive Optical Networks (PONs) components and design criteria for the Joint Information Environment (JIE).
Control Systems Master List 12-2016 - this Master List breaks down the top-level control system name, sub-system name, preliminary recommended C-I-A impact value, and the information/data types for each CS.
Control Systems FAT and SAT Checklist 12-2016 - this checklist is based on the DHS ICS-CERT Control Systems Procurement guide for Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) and is used in conjunction with the IA Guide Design and Construction Sequence Table.
Control Systems Penetration Testing Guide 12-2016 - this checklist is based on the EPRI Smart Grid Penetration Guide and SANS Penetration Testing Scope and Rules of Engagement and is used in conjunction with the IA Guide Design and Construction Sequence Table.