ERDC/CERL SR-19-5
An Army Guide to Navigating the Cyber Security Process for Facility Related Control Systems
Cybersecurity and Risk Management Framework explanations for the Real World
Michael Cary Long, Joseph Bush, Stephen Briggs, Tapan Patel, Eileen Westervelt, Daniel Shepard, Eric Lynch, and David Schwenk
October 2019
Construction Engineering Research Laboratory
Approved for public release; distribution is unlimited.
The U.S. Army Engineer Research and Development Center (ERDC) solves the nation's toughest engineering and environmental challenges. ERDC develops innovative solutions in civil and military engineering, geospatial sciences, water resources, and environmental sciences for the Army, the Department of Defense, civilian agencies, and our nation's public good. Find out more at erdc.usace.army.mil.
To search for other technical reports published by ERDC, visit the ERDC online library at .
Joseph Bush, Tapan Patel, and Eileen T. Westervelt
U.S. Army Engineer Research and Development Center (ERDC), Construction Engineering Research Laboratory (CERL), 2902 Newmark Dr., Champaign, IL 61824

Michael Cary Long and Daniel Shepard
U.S. Army Corps of Engineers, Cybersecurity Technical Center of Expertise, Huntsville, Alabama 35816

Eric Lynch
U.S. Army Corps of Engineers, UMCS Mandatory Center of Expertise, Huntsville, Alabama 35816

Stephen J. Briggs
Facilities Dynamics Engineering, Champaign, IL and Columbia, MD 21046

David M. Schwenk
Private Consultant, Urbana, IL 61801
Final Technical Report (TR)
Prepared for Headquarters, U.S. Army Corps of Engineers Washington, DC 20314-1000
Under Standards and Criteria Program via MIPR 11268080, "A1040-FY19 TSG Oversight of ITTP."
Abstract
Personnel who maintain Facility Related Control Systems (FRCS) of any type are required to implement cybersecurity to attain and maintain an Authority to Operate (ATO) on their respective systems. This document is a guide for installation personnel owning and operating control systems to assist in addressing the cybersecurity process for FRCS in the Army through the Risk Management Framework (RMF) approach, which encompasses six steps. This manual walks the reader through the administrative aspects of each step.
DISCLAIMER: The contents of this report are not to be used for advertising, publication, or promotional purposes. Citation of trade names does not constitute an official endorsement or approval of the use of such commercial products. All product names and trademarks cited are the property of their respective owners. The findings of this report are not to be construed as an official Department of the Army position unless so designated by other authorized documents.
DESTROY THIS REPORT WHEN NO LONGER NEEDED. DO NOT RETURN IT TO THE ORIGINATOR.
Contents
Abstract (p. ii)
Figures and Tables (p. vi)
Preface (p. vii)
1 Introduction (p. 1)
  1.1 Background (p. 1)
  1.2 Key terminology (p. 1)
  1.3 Control system architecture (p. 4)
  1.4 Objectives of cybersecurity (p. 5)
  1.5 Key resources (p. 6)
  1.6 Online tracking systems (p. 7)
  1.7 Key personnel roles (p. 7)
  1.8 Why RMF (p. 8)
  1.9 How does RMF apply to my system (p. 9)
  1.10 RMF process chart (p. 9)
  1.11 Scope (p. 9)
2 RMF Step 1: Categorize System (p. 11)
  2.1 What is "categorization" and how do I know what my system is? (p. 11)
    2.1.1 System categorization definitions (p. 11)
    2.1.2 System categorization based on methodical system review (p. 13)
    2.1.3 System categorization based on Energy, Installations & Environment (EI&E) platform information technology (PIT) control system master list categorization (p. 19)
    2.1.4 NIST SP 800-60, Vol. 2, Rev. 1, Information Types (p. 21)
    2.1.5 Required categorization rationale (p. 22)
  2.2 Army Portfolio Management System (APMS) registration (p. 24)
  2.3 Enterprise Mission Assurance Support Service (eMASS) account (p. 25)
  2.4 eMASS system registration (p. 26)
    2.4.1 Registration Step 1 (p. 27)
3 RMF Step 2: Select Security Controls (p. 29)
  3.1 Security controls (p. 29)
  3.2 Tailoring (p. 30)
    3.2.1 Common (inherited) (p. 31)
    3.2.2 Hybrid (p. 31)
    3.2.3 System-specific (p. 32)
    3.2.4 Control families (p. 32)
    3.2.5 Control Correlation Identifiers (CCIs) (p. 32)
  3.3 Overlays (p. 33)
    3.3.1 Current available overlays selectable in eMASS (p. 33)
    3.3.2 NIST 800-82 ICS overlay (p. 34)