Cybersecurity

The DoD has adopted the Risk Management Framework (RMF) for all Information Technology (IT) and Operational Technology (OT) networks, components and devices, including Facility-Related Control Systems (FRCS). FRCS projects must meet RMF requirements and, where required, obtain an Authorization to Operate (ATO) on the DoD Information Network (DoDIN).

The DoD CIO RMF Portal and the Installation Energy (IE) and Environmental Security Technology Certification Program (ESTCP) website are the primary internal and external communications platforms for keeping DoD stakeholders, vendors and contractors apprised of RMF policy, standards and guidance, and they are a source of tools, checklists and templates.

Any organization can use the websites' guidance, reference materials, checklists and templates; most of them apply both to standard IT and to FRCS, which are also often referred to as Operational Technology (OT) systems.

Figure: DoD Risk Management Framework Process for DoD IT Systems

Document Title / Document Purpose

RMF Guidance, generally applicable to traditional IT as well as facility-related control systems
  NIST Special Publication 800-37 (Chapter 3): The RMF process for all federal agencies
  DoD Instruction 8510.01: The RMF as applied to the DoD; facility-related control systems are treated as Platform IT (PIT), akin to aircraft avionics

RMF Guidance, specific to facility-related control systems
  NIST SP 800-82 Revision 2 (Chapter 6): Applying the RMF to facility-related control systems
  Unified Facilities Criteria (UFC) 4-010-06: Specific guidance for facility-related control systems in DoD
  ESTCP Facility-Related Control Systems Cybersecurity Guidelines, Version 4: Specific guidance for ESTCP demonstrations

Glossary
  Committee on National Security Systems Instruction (CNSSI) 4009: The most comprehensive, formally accepted glossary available (CNSSI documents are not accessible by direct hyperlink and must be accessed via the CNSS library link above)

STEP 1: Categorize the System
  Federal Information Processing Standards (FIPS) 199: Generally applicable categorization process
  CNSSI 1253: Categorization process specific to national security systems
  NIST SP 800-60 Volume 1 & Volume 2: Detailed considerations when determining categorization

STEP 2: Select Security Controls
  CNSSI 1253: Baseline security controls for national security IT systems
  NIST SP 800-82 Rev 2 (Appendix G): Security control overlay for facility-related control systems
  NIST SP 800-53 Rev 4 (Appendix F): Catalogue of all IT security controls, with details

STEP 3: Implement Security Controls
  NIST SP 800-82 Rev 2 (Chapter 6): Applying security controls to facility-related control systems

STEP 4: Assess Control Effectiveness
  NIST SP 800-53A Rev 4 (Chapter 3): Conducting effective security control assessments

STEP 5: Authorize System
  NIST SP 800-37 (Appendix F): Authorization packages

STEP 6: Monitor Security
  NIST SP 800-37 (Appendix G): Continuous monitoring of information systems

Authorization to Operate (ATO) Packages
  NIST SP 800-37 (Appendix F): Detailed description of ATO package requirements
  CNSSI 1254: Specific data elements required for an ATO

Examples

Please contact the Installation Energy (IE) or ESTCP Program Offices if you have any questions or need additional guidance.

Risk Management Framework (RMF) 101 for Managers: a PowerPoint deck that walks facility managers through the RMF process step by step.
