This section is the collection of key NIST publications, resources related to control systems, and tools that can used in the Test and Development and Production Environments for Continuous Monitoring and Auditing.


Date Posted

RMF Self-Assessment Tool (R-SAT)

A prescriptive, step-by-step method to facilitate and accelerate Risk Management Framework (RMF) Self-Assessments through automation. The RMF Self-Assessment Tool (R-SAT) is an Excel based tool that was designed to streamline the process for obtaining an Authority to Operate for network-enabled Facility-Related Control Systems (FRCS) by providing focused, step-by-step guidance and outputs supporting RMF Steps 1-3. RSAT works in conjunction with the Enterprise Mission Assurance Support Service (eMASS) government-owned application.

Sept 2020

An Army Guide to Navigating the Cyber Security Process for Facility Related Control Systems

Personnel who maintain Facility Related Control Systems (FRCS) of any type are required to implement cybersecurity to attain and maintain an Authority to Operate (ATO) on their respective systems. This document is a guide for installation personnel owning and operating control systems to assist in addressing the cybersecurity process for FRCS in the Army through the Risk Management Framework (RMF) approach, which en-compasses six steps. This manual walks the reader through the administrative aspects of each step.

June 2020

(UFGS) 25 05 11 Cybersecurity Of Facility-Related Control Systems Contractor Computer Cybersecurity Compliance Statement

August 2019

USACE Energy Division Request for Proposal, Attachment 1 – Energy Security and Resilience, Standards and Requirements

July 2018

USACE Energy Division Operational Technology (OT) Intelligent Control Systems for Energy Production Assets

July 2018

USACE Energy Division Operation Technology Foundation and Process

July 2018

Supplemental Guidance for the Utilities Privitization Program Memo 02-07-19

Feb 2019

RMF Process Power Point

July 2017

PPD–21 Critical Infrastructure Security and Resilience 2016

Jan 2019

NDAA 2019

Aug 2019

NDAA 2018

Aug 2018

NDAA 2017

Aug 2018

Navy Facility-Related Cybersecurity Specification

Aug 2019

NAVFAC ICS Checklist

Oct 2018

Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2013

Jan 2019

Executive Order 13556 "Controlled Unclassified Information” 2010

Jan 2019

EO 13800 Strengthening The Cybersecurity Of Federal Networks and Critical Infrastructure 2017

Jan 2019

EI&E RMF FRCS Master List (Current)

OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE Distribution of the Facility-Related Control Systems Master List Memorandum 07-2021

This memorandum and attachment provide a baseline to codify the categories that make up FRCS for the DoD. The FRCS Master List at Attachment A provides the type, description, function, and mission description of each FRCS category. The distribution of this list allows DoD Components to address cybersecurity and management of FRCS utilizing a standardized definition. Additionally, the standardization of these categories will enable the DoD Components to more accurately program and budget for FRCS activities. The office recognizes that one list cannot be comprehensive for all DoD Components by virtue of the wide range of missions occurring within the DoD. In the absence of a DoD Component-specific FRCS Master List, DoD Components are able and encouraged to use this list as a guidepost in developing their own DoD Component specific FRCS Master List.

July 2019

DSD Memo - Responding to Breaches of PII

Aug 2019

DoD Cyber Strategy Summary Final 09-2018

Aug 2019


Dec 2018

DoD Cloud Computing Strategy Final with Memo - July 5 2012

The attached DoD Cloud Computing Strategy lays the groundwork, consistent with the Federal Cloud Computing Strategy, for accelerating cloud adoption in the Department. The strategy includes steps to foster adoption of cloud computing, optimize data center consolidation, establish the DoD enterprise cloud infrastructure and continue to deliver cloud services. A robust and resilient multi-provider, Enterprise Cloud Environment will enable the Department to achieve the goals of the Joint Information Environment.

Dec 2018

CJCSM 6510.01B Cyber Incident Handling Program 2012

This manual describes the Department of Defense (DoD) Cyber Incident Handling Program and specifies its major processes, implementation requirements, and related U.S. government interactions.

Nov 2018


April 2019

Federal Virtual Training Environment (FedVTE)

Cybersecurity Training: Federal Virtual Training Environment (FedVTE) is a free online, on-demand cybersecurity training system that is available at no charge for government personnel and veterans. Managed by DHS, FedVTE contains more than 800 hours of training on topics such as ethical hacking and surveillance, risk management, and malware analysis. Course proficiency ranges from beginner to advanced levels. Several courses align with a variety of IT certifications such as Network +, Security +, and Certified Information Systems Security Professional (CISSP).

Jan 2019

DoD Instruction 8010.01 Department of Defense Information Network (DoDIN) Transport

The DODIN (i.e., transport) and the associated network services contain various dissemination elements required to operate, maintain, and secure required distribution capabilities. a.  The DODIN consists of all networks and information systems owned or leased by DOD.  The DODIN includes common enterprise service networks (classified and unclassified), intelligence networks operated by DoD Components within the IC, closed mission system and battlefield networks, and other special purpose networks. All DODIN transport reference and solution architectures follow the DoD Enterprise Architecture and Joint Information Environment (JIE) Enterprise Reference and Solution Architectures (e.g., Satellite Communications (SATCOM) Gateway Solution Architecture, wide area network Solution Architecture).

Nov 2018

Approval of Multi-Factor Authentication Alternatives RSA and Yubikey

CIO signed memorandum authoring the use of RSA and Yubikeys for MFA that can be used when us of PKI is not feasible. Per DFARS, contractor/vendors must have MFA on their systems that contain CUI.

Nov 2018

Whole Building Design Guide Cybersecurity Resource Page

Provides a Cyber 101 overview of Cybersecurity of Control Systems, links to the DoD publications and other key guidance (DHS, Private Sector, NIST, SANS, ISA, etc.)

June 2018

Unified Facilities Guide Specifications (UFGS) 25 50 00.00 20 Cybersecurity of Facility-Related Control Systems

This guide specification covers the requirements for a Construction Contractor version of the NAVFAC Cybersecurity Hygiene Checklist, required by the Joint CNIC/NAVFAC CYBERSECURITY TASKING FOR ASHORE CONTROL SYSTEMS (dated 06 October 2016), for facilities that are in various phases of design or construction (i.e., not yet in CNIC's existing inventory). These requirements are based on basic cybersecurity.

June 2018

Unified Facilities Guide Specifications (UFGS) 25 10 10 Utility Monitoring And Control System (UMCS) Front End And Integration

Detailed step-by-step guidance on how the components and networks will connect and communicate.

June 2018

Unified Facilities Criteria (UFC) 4-010-06 Cybersecurity Of Facility-Related Control Systems

Defines the FRCS, Platform Enclave, and high level design guidance.

June 2018

Platform Enclave Navy

Figure D-1 shows which components of the 5-Level control system architecture are included in the Navy's Platform Enclave (PE) called the Control System Platform Enclave (CS-PE). The Navy's CS-PE is implemented at and has a presence today at Navy installations. The Navy is deploying an operational architecture (OA) called the Navy Utilities Monitoring and Control System (NUMCS), which is also shown in Figure D-1.All Control Systems must connect to the Platform Enclave, and must either be separately authorized or fall under the type accreditation of the CS-PE and NUMCS.

June 2018

Platform Enclave Marine Corps

The USMC Platform Enclave follows the Navy's overall architecture, but utilizes a variation in terminology.

June 2018

Platform Enclave Air Force

The installations' CS inventory enables thorough awareness of existing systems, their interconnections, and their link to the mission or function they serve. At a minimum, the inventory should capture both CS hardware (physical devices and systems) and software (communications platforms and applications) down to Level 2 of the CS Topology defined in UFC 4-010-06, Cybersecurity of Facility-Related Control Systems, Appendix E. These five CS Topology levels (represented in Figure 2-1) are a collection of components logically grouped together by function and information assurance approach. Furthermore, Figure 2-1 clarifies what components are under CE's purview.

June 2018

GAO Report 15-6 Federal Facility Cybersecurity, DHS and GSA Should Address Cyber Risk to Building and Access Control Systems

The Department of Homeland Security (DHS) is responsible for protecting federal facilities, including thousands of office buildings, laboratories, and warehouses, which are part of the nation’s critical infrastructure. These facilities contain building and access control systems such as heating, ventilation, and air conditioning; electronic card readers; and closed-circuit camera systems that are increasingly being automated and connected to other information systems or networks and the Internet.1 As these systems are becoming more connected, their vulnerability to potential cyber attacks is also increasing.

June 2016

EPRI Smart Meter AMI Penetration Testing

This security test plan template was created by the National Electric Sector Cybersecurity Organization Resource (NESCOR) to provide guidance to electric utilities on how to perform penetration tests on AMI systems.

June 2018

EPRI Smart Grid Penetration Testing Guide

This security test plan template was created by the National Electric Sector Cybersecurity Organization Resource (NESCOR) to provide guidance to electric utilities on how to perform penetration tests on Smart Grid systems.

June 2018

DHS ICS-CERT Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies

This recommended practice document provides guidance for developing mitigation strategies for specific cyber threats and direction on how to create a Defense-in-Depth security program for control system environments. The document presents this information in four parts: 1) “Background and Overview” outlines the current state of ICS cybersecurity and provides an overview of what defense in depth means in a control system context; 2) “ICS Defense-in-Depth Strategies” provides strategies for securing control system environments; 3) “Security Attacks” outlines how threat actors could carry out attacks against critical infrastructures and the potential impact to ICSs and networks; and 4)“Recommendations for Securing ICS” provides resources for securing ICSs based on the current state-of-the-art methods and lessons learned from ICS-CERT activities, national and sector-specific standards for ICS security, and tools and services available through ICS-CERT and others that can be used to improve the security posture of ICS environments.

June 2018

DoD CIO RMF Knowledge Service Portal EIE PIT Control Systems (requires CAC)

Establishes the policy and step-by-step guidance to create a RMF package for FRCS -  Site Overview.

June 2018

DFARS CUI Cyber Incident Reporting Form

This is the DFARS Contract clause an investigator should look for in their contract/subcontract. If the ESTCP contract does not include this clause, contact the ESTCP office so a modification can be issued.

June 2018

DFARS Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement

This guidance is intended for stakeholders charged with protection of unclassified controlled technical information (CTI) resident on or transiting through contractor information system(s) covered by DFARS 252-204-7012 (Safeguarding Unclassified Controlled Technical Information). CTI is technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. This guide will assist stakeholders in carrying out their responsibilities should a defense contractor report a compromise on a contract that contains unclassified CTI.

June 2015

DoD Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP)

Establishes the requirement for a Jump-Kit Rescue CD with the Fully Mission Capable Baseline configurations, how to Detect, Mitigate and Recover a FRCS that has been attacked/compromised.

March 2018

DHS ICS-CERT, FBI and NSA Seven Steps to Effectively Defend Industrial Control Systems

Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it’s not a matter of if an intrusion will take place, but when. In Fiscal Year (FY) 2015, 295 incidents were reported to ICS-CERT, and many more went unreported or undetected. The capabilities of our adversaries have been demonstrated and cyber incidents are increasing in frequency and complexity. Simply building a network with a hardened perimeter is no longer adequate. Securing ICSs against the modern threat requires well-planned and well-implemented strategies that will provide network defense teams a chance to quickly and effectively detect, counter, and expel an adversary. This paper presents seven strategies that can be implemented today to counter common exploitable weaknesses in “as-built” control systems.

May 2016

CNSSI 4009 Committee on National Security Systems (CNSS) Glossary

This instruction applies to all U.S. Government Departments, Agencies, Bureaus and Offices; supporting contractors and agents; that collect, generate process, store, display, transmit or receive classified or controlled unclassified information or that operate, use, or connect to National Security Systems (NSS), as defined herein.

May 2015