The construction contractor and system integrator will complete cyber commissioning to include the completion and submission of the following documents:

• Unified Facilities Guide Specifications (UFGS) 25 05 11 Cybersecurity Of Facility-Related Control Systems Contractor Computer Cybersecurity Compliance Statement - For each contractor-owned computer, list the make and model of the device, the device serial number, the operating system version, and the anti-malware software version. Attach additional sheets if required to document all computers.

• Unified Facilities Guide Specifications (UFGS) 25 05 11 Cybersecurity Of Facility-Related Control Systems Cybersecurity Schedules – consists of four tabs to be completed; Interconnection Schedule, Network Communication Schedule, Wireless, and Multiple IP Connection.

• Unified Facilities Guide Specifications (UFGS) 25 05 11 Cybersecurity Of Facility-Related Control Systems Inventory Spreadsheet - Provide a Control System Inventory report using the Inventory Spreadsheet listed under this Section documenting all [networked devices, including network infrastructure devices] [devices, including networked devices, network infrastructure devices, non-networked devices, input devices (e.g. sensors) and output devices (e.g. actuators)]. For each device provide all applicable information for which there is a field on the spreadsheet in accordance with the instructions on the spreadsheet.

• Unified Facilities Guide Specifications (UFGS) 25 05 11 Cybersecurity Of Facility-Related Control Systems Contractor Temporary Network Cybersecurity Compliance Statement - Provide a single submittal containing completed Contractor Computer Cybersecurity Compliance Statements for each company using contractor owned computers. Each Statement must be signed by a cybersecurity representative for the relevant company.

• FRCS FAT and SAT Checklist - a checklist for FRCS to ensure the OS and vendor software, physical networks (firewalls, routers, devices, etc.) are properly hardened using the proper Security Technical Implementation Guides (STIGs) and configured to the JIE requirements. This will include the development, maintenance and turnover of the project Test and Development Environment at construction complete.

• ACI TTP Fully-Mission Capable (FMC) Baseline - The FMC is a functional recovery point for the FRCS. Once this is defined, FRCS and IT managers should capture the FMC condition of their network entry points (e.g., firewalls, routers, remote access terminals, wireless access points, etc.), network topology, network data flow, and machine/device configurations, then store these in a secure location. This information should be kept under configuration management and updated every time changes are made to the network. This information forms the FMC baseline. The FMC baseline is used to determine normal operational conditions versus anomalous conditions of the FRCS. The Facility-Related Control Systems Inventory Spreadsheet is the initial FMC baseline.

• FRCS Information Systems Contingency Plan (ISCP) – The ISCP and the FMC are used to perform disaster recovery and includes where back-ups are stored and the process to restore the FMC, the sequence of re-restart, assignment of personnel to the Roles and Responsibilities Table, and how to perform Functional and Validation Testing.

• System Security Plan (SSP) – Use the DoD Core Authorization Package to develop a Preliminary SSP.

• Security Audit Plan (SAP) – The System, Application and User audit trail and procedures. Include a Plan Of Action and Milestones (POAM) to identify risks, mitigations, and timelines for remediation.
• Security Monthly Audit Report (SMAR) – Monthly or Quarterly audit report verifying accounts, patches, configurations, logs, AV/Malware, SSL/TLS, Certificates/Keys/PEM files, etc. are current and the system is “clean” at the construction complete turnover.