Many new facility energy and water technologies are not able to provide their full benefit (operational efficiency or energy and cost savings) to DoD due to restrictions on network connectivity stemming from cybersecurity concerns. Additionally, new facility energy and water technologies increasingly incorporate “smart” components and control systems that rely on network connectivity to send and receive data and control signals. For these technologies to operate as intended and be cost-effective, they must have access to DoD networks with minimal additional installation, operation, and maintenance costs. Currently, the process to gain an Authorization to Operate (ATO), a requirement for network-connected systems and devices, can be cost-prohibitive and time-consuming, which limits DoD’s ability to benefit from these advanced technologies.
Platform IT (PIT), which is identified in the Risk Management Framework (RMF) process, is a category of both IT hardware and software that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems. PIT is further categorized as PIT products, PIT subsystems, or PIT systems. PIT differs from “traditional” IT in that it is integral and dedicated to the operation of a specific platform. Although the term PIT is used only by DoD, the concept of categorizing components and systems dedicated to the operation of a specific platform is not.
DoDI 8510.01 provides for cybersecurity reciprocity, whose purpose is to reduce the time and resources wasted on redundant test, assessment, and documentation efforts. Reciprocity is best achieved through transparency, i.e., making sufficient evidence regarding the security posture of an information system (IS) or PIT system available so that an Authorizing Official (AO) from another organization can use that evidence to make credible, risk-based decisions regarding the acceptance and use of that system or the information it processes, stores, or transmits.
A key challenge for reciprocity is identifying the risks associated with the service’s or agency’s Platform Enclave (Transport Backbone) and applying appropriate security control mitigations, so that the AO from one service will honor the authorization from another service that uses a different enclave configuration (e.g., Navy PSNet and AF COINE).
Additional information on the RMF process and related references can be found on the SERDP & ESTCP website at:
https://www.serdp-estcp.org/focusareas/867943c7-3959-4242-a34c-438d25e4e37b/control-systems-cybersecurity#tools-training