ERDC/CERL SR-19-5

An Army Guide to Navigating the Cyber Security Process for Facility Related Control Systems

Cybersecurity and Risk Management Framework explanations for the Real World

Michael Cary Long, Joseph Bush, Stephen Briggs, Tapan Patel, Eileen Westervelt, Daniel Shepard, Eric Lynch, and David Schwenk

October 2019

Construction Engineering Research Laboratory

Approved for public release; distribution is unlimited.

The U.S. Army Engineer Research and Development Center (ERDC) solves the nation's toughest engineering and environmental challenges. ERDC develops innovative solutions in civil and military engineering, geospatial sciences, water resources, and environmental sciences for the Army, the Department of Defense, civilian agencies, and our nation's public good. Find out more at erdc.usace.army.mil.

To search for other technical reports published by ERDC, visit the ERDC online library.

Joseph Bush, Tapan Patel, and Eileen T. Westervelt

U.S. Army Engineer Research and Development Center (ERDC), Construction Engineering Research Laboratory (CERL), 2902 Newmark Dr., Champaign, IL 61824

Michael Cary Long and Daniel Shepard

U.S. Army Corps of Engineers, Cybersecurity Technical Center of Expertise, Huntsville, Alabama 35816

Eric Lynch

U.S. Army Corps of Engineers, UMCS Mandatory Center of Expertise, Huntsville, Alabama 35816

Stephen J. Briggs

Facilities Dynamics Engineering Champaign, IL Columbia, MD 21046

David M. Schwenk

Private Consultant, Urbana, IL 61801

Final Technical Report (TR)

Prepared for Headquarters, U.S. Army Corps of Engineers, Washington, DC 20314-1000

Under Standards and Criteria Program via MIPR 11268080, "A1040-FY19 TSG Oversight of ITTP."

Abstract

Personnel who maintain Facility Related Control Systems (FRCS) of any type are required to implement cybersecurity to attain and maintain an Authority to Operate (ATO) on their respective systems. This document is a guide for installation personnel owning and operating control systems to assist in addressing the cybersecurity process for FRCS in the Army through the Risk Management Framework (RMF) approach, which encompasses six steps. This manual walks the reader through the administrative aspects of each step.

DISCLAIMER: The contents of this report are not to be used for advertising, publication, or promotional purposes. Citation of trade names does not constitute an official endorsement or approval of the use of such commercial products. All product names and trademarks cited are the property of their respective owners. The findings of this report are not to be construed as an official Department of the Army position unless so designated by other authorized documents.

DESTROY THIS REPORT WHEN NO LONGER NEEDED. DO NOT RETURN IT TO THE ORIGINATOR.

Contents

Abstract .......................................................................................................................................................... ii

Figures and Tables........................................................................................................................................vi

Preface ...........................................................................................................................................................vii

1 Introduction .......... 1
1.1 Background .......... 1
1.2 Key terminology .......... 1
1.3 Control system architecture .......... 4
1.4 Objectives of cybersecurity .......... 5
1.5 Key resources .......... 6
1.6 Online tracking systems .......... 7
1.7 Key personnel roles .......... 7
1.8 Why RMF .......... 8
1.9 How does RMF apply to my system .......... 9
1.10 RMF process chart .......... 9
1.11 Scope .......... 9

2 RMF Step 1: Categorize System .......... 11
2.1 What is "categorization" and how do I know what my system is? .......... 11
2.1.1 System categorization definitions .......... 11
2.1.2 System categorization based on methodical system review .......... 13
2.1.3 System categorization based on Energy, Installations & Environment (EI&E) platform information technology (PIT) control system master list categorization .......... 19
2.1.4 NIST SP 800-60, Vol. 2, Rev. 1, Information Types .......... 21
2.1.5 Required categorization rationale .......... 22
2.2 Army Portfolio Management System (APMS) registration .......... 24
2.3 Enterprise Mission Assurance Support Service (eMASS) account .......... 25
2.4 eMASS system registration .......... 26
2.4.1 Registration Step 1 .......... 27

3 RMF Step 2: Select Security Controls .......... 29
3.1 Security controls .......... 29
3.2 Tailoring .......... 30
3.2.1 Common (inherited) .......... 31
3.2.2 Hybrid .......... 31
3.2.3 System-specific .......... 32
3.2.4 Control families .......... 32
3.2.5 Control Correlation Identifiers (CCIs) .......... 32
3.3 Overlays .......... 33
3.3.1 Current available overlays selectable in eMASS .......... 33
3.3.2 NIST SP 800-82 ICS overlay .......... 34
