1 INTRODUCTION - Under Secretary of Defense for ...



Managing Cyber Risks to Facility-Related Control Systems
FRCS Cybersecurity Plans Guidance
March 31, 2016
Updated April 26, 2018

1 INTRODUCTION

Recent Department of Defense (DoD) instructions and guidance direct owners/operators of Facility-Related Control Systems (FRCS) attached to the DoD Information Network (DoDIN) to account for operational resilience and cybersecurity defense posture. The Office of the Assistant Secretary of Defense for Energy, Installations & Environment (OASD EI&E) intends this FRCS Cybersecurity Plans guidance to be used in conjunction with the FY 2016-FY 2023 FRCS Cyber Plan Status and Funding Template. This is to assist the DoD Components with building and recording control system inventories and to ensure a standard format for review across the Department, in accordance with Reference (h). This guidance and the template are Unclassified. The plans will be FOUO or Classified depending upon the information (Reference (s)).

Managing life-cycle cybersecurity risk, per Reference (e), requires considerable collaboration among control systems stakeholders: installation/facility control engineers and operators; physical security, information network and system security experts; and when applicable, control system vendors and system integrators. Resources for carrying out the DoD’s Risk Management Framework (RMF) and registering control systems are available at the RMF Knowledge Service portal (Reference (i)).

Purpose

Each DoD Component shall develop an FRCS Cybersecurity Plan (referred to hereafter as the ‘Plan’) that maintains Defense Critical Infrastructure (DCI) in accordance with the authority of DoDD 3020.40 (Reference (p)). Maintaining DCI includes DCI assets or control systems supporting DCI assets, initially focused on securing Defense Critical Assets (DCA) and Tactical Critical Assets (TCA) to achieve an environment which ensures cyber protection of FRCS.
Plans should address control systems connected to the DoDIN, systems that are Internet-facing, and systems that are stand-alone. Implementing the FRCS Cybersecurity Plan means that each DoD Component will complete the internal tasks required to identify the goals and resources, with milestones set, to identify, register, and implement cybersecurity controls on DoD FRCS.

System Overview

Scope

The scope of the Plan includes all elements of a control system (as shown in Figure 1), such as computer hardware, software, and associated sensors and controllers used to monitor and control infrastructure and facilities (e.g., installation electricity, water, wastewater, natural gas, lighting, building heating and air conditioning equipment, utility control systems, building control systems, electronic security systems, and traffic, medical, transportation, and fire and life safety systems).

A DoD Component’s Plan should include three phases:

Phase 1: Establish and maintain inventories of DoD FRCS under the DoD Component’s authority or control.
Phase 2: Identify, plan, and execute actions required to make inventoried FRCS and FRCS-enabled systems resilient to cyber-related attacks or other system degradations with potential impacts to FRCS security.
Phase 3: Develop and implement a continuous monitoring process to identify and respond to emerging threats, and maintain a constant posture to respond and adapt to technological advancements with regard to FRCS and how FRCS interact with the DoDIN ecosystem.

System Reference Architecture

Figure 1: Notional System Reference Architecture.
Source: Reference (t), page 6

Guidance References

(a) DoD Instruction 8500.01, “Cybersecurity,” March 2014
(b) DoD Instruction 8510.01, “Risk Management Framework,” March 2014
(c) DoD Instruction 8530.01, “Cybersecurity Activities Support to DoD Information Network Operations,” March 2016
(d) DoD Instruction 8140.01, “Cyberspace Workforce Management,” August 2015
(e) DoD Directive 8570.01-M, “Information Assurance Workforce Improvement Program,” November 2015
(f) Deputy Secretary of Defense Memorandum, “Mission Assurance Assessment Program Interim Implementation,” April 2015
(g) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 revision 2, “Guide to Industrial Control Systems Security,” May 2015
(h) Assistant Secretary of Defense Memorandum, “Managing Cyber Risks to Facility-Related Control Systems,” March 31, 2016
(i) Risk Management Framework (RMF) Knowledge Service Portal
(j) DoD 5220.22-M, “National Industrial Security Program,” February 28, 2006
(k) DoD Instruction 5220.22, “National Industrial Security Program (NISP),” March 18, 2011
(l) DoD Financial Management Regulation (FMR) Volume 2B, Chapter 18, Section 18103, September 2015
(m) Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) for Department of Defense (DoD) Industrial Control Systems (ICS), Version 1.0, January 2016
(n) 2015 DoD Mission Assurance Assessment Benchmarks
(o) Department of Homeland Security (DHS) Cyber Security Evaluation Tool (CSET)
(p) Directive 3020.40, “Mission Assurance,” November 29, 2016
(q) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60, Volume I, “Guide for Mapping Types of Information and Information Systems to Security Categories,” August 2008
(r) National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” September 2011
(s) DoD Manual 3020.45, “Defense Critical Infrastructure Program Security Classification Manual,” February 15, 2011
(t) Unified Facilities Criteria (UFC) 4-010-06, “Cybersecurity of Facility-Related Control Systems,” September 19, 2016
(u) US Cyber Command TASKORD 16-0043, Microsoft Windows 10 Secure Host Baseline, March 2016
(v) DoD Memorandum, “Mitigating Cyber Risks to Platform Information Technology and Control Systems,” January 19, 1027

MANAGEMENT

Description of FRCS Cybersecurity Plan Implementation

Identify phases, actions, and estimated timelines and resources required to establish and maintain an inventory of control systems that are controlled, owned, or operated by the DoD Component.

Points of Contact

Include POCs for the Plan (not the POC for each inventoried system).

Name | Area of Responsibility | Organization | Email
John Doe | Program Manager | Navy Facilities | John.doe.civ@navy.mil

Major Tasks

Each Plan shall include a brief description of each of the 11 major tasks required for securing the system. Add as many subsections as necessary to this section to describe all major tasks adequately. For each subtask of the 11 major tasks, identify the resources required, who is the lead on the task, the achievement measures which are tangible outcomes that demonstrably improve security, and a projected completion date. The tasks described in this section should not be site-specific, rather generic or overall project tasks that are required to, for example, create inventory, install hardware and software, prepare data, and verify the system. Information previously captured in FRCS Cybersecurity Plans may need to be split out, particularly if already completed.
Include the following information for the description of each major task, if

Governance

Identify and describe the governance mechanism established to oversee and manage steps toward their cybersecure Control System (CS) environment.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Charter | 200 hour/$XX | Jane Doe | Stakeholder sign off | XX/XX/XXXX

Current & Future CS Environment

Identify phases, actions, and estimated timelines and funding needed to establish and maintain an inventory of FRCS. This inventory is to include any network enclaves, CS-dedicated testing and development systems, and network devices owned and operated by the DoD Component (Reference (g)). Break out inventory subtasks to show resources required for standalone, DoD Network, and Internet-facing FRCS; templates for system inventories can be found on the RMF Knowledge Service portal (Reference (i)).

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Roll-up inventory scan | GrassMarlin software, 150 hours/$XX | Jane Doe | Network Wireframe | XX/XX/XXXX

Stand-Alone Inventory. Includes isolated inventory that is not directly connected to the internet, Virtual Local Area Networks (VLANs), Local Area Networks (LANs), DoD registered IT networks or Wide Area Networks (WANs).

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Inventory Count | 200 Hours/$XX | Jane Doe | Accurate Level 4 inventory (per figure 1) | XX/XX/XXXX

DoD Network Inventory. Includes any inventory that is directly connected to the DoDIN, such as cleared defense contractors who operate pursuant to DoD 5220.22-M (Reference (j)), the National Industrial Security Program (NISP) in accordance with DoDI 5220.22 (Reference (k)), and commercial cloud computing services.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Inventory Count | 200 Hours/$XX | Jane Doe | Accurate Level 3 inventory (per figure 1) | XX/XX/XXXX

Internet-facing Inventory.
Includes inventory with a direct connection, active or inactive, to the Internet, such as intranets, wireless networks, and dial-up modems.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Inventory Count | 200 Hours/$XX | Jane Doe | Accurate Level 5 inventory (per figure 1) | XX/XX/XXXX

Operating WIN XP or Unsupported Operating Systems (OS) Inventory. Per Reference (u), all DoD Components are required to migrate or upgrade Microsoft Windows operating systems by January 31, 2017. Waivers for FRCS may be obtained before January 31, 2019 from your Component’s Authorizing Official, and must be reported in the Plan. Report every instance where XP exists on inventory collected in Section 2 (a, b, c). This collection is to include any and all office-type technology located anywhere: ships, coalition command, Combatant Commands, tactical settings such as forward operating bases and labs. Include Plan of Action and Milestones (POA&M) for completed inventory and upgrades to any Defense Critical Infrastructure Program (DCIP) control systems to a supported OS.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
OS Inventory | 200 Hours/$XX | Jane Doe | # tally of OS | XX/XX/XXXX
Windows OS Implementation Waiver | 20 Hours/$XX | John Doe | Waiver received d/m/yy from AO | XX/XX/XXXX

Count of Completed RMF. Report all inventory that has completed the RMF process pursuant to DoDI 8510.01 (Reference (b)). Provide a count of completed RMF packages for Assess & Authorize (A&A)/Assess and Evaluate, as well as implemented continuous monitoring and the Estimated Total number of packages.
Task | Resource Required LOE/$ | # of Packages Complete / # Estimated Total Packages | Lead Staff | Achievement Measures | Deadline for Completion
RMF Count | 200 Hours/$XX | 50 complete/102 estimated | Jane Doe | 49% Complete | XX/XX/XXXX
Assess & Authorize | 200 Hours/$XX | | Jane Doe | % Complete tally | XX/XX/XXXX
Assess Only | 200 Hours/$XX | | Jane Doe | % Complete tally | XX/XX/XXXX
Continuous Monitoring | 200 Hours/$XX | 3 Implemented/12 estimated | John Doe | 25% Complete | XX/XX/XXXX

DCA/TCA Counts and Assessment status. Report all inventory that supports the DCIP classed as DCA or TCA Tier 1 (Reference (v)). This report will be classified and should include appropriate headings; see DCIP classification guide (Reference (s)).

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
DCA Count | 200 Hours/$XX | Jane Doe | Total # | XX/XX/XXXX
TCA Count | 200 Hours/$XX | Jane Doe | Total # | XX/XX/XXXX
Cyber Assessment | 200 Hours/$XX | John Doe | # FRCS accessed | XX/XX/XXXX
Identify FRCS Mitigations Required | 200 Hours/$XX | Jane Dee | # mitigations | XX/XX/XXXX
% FRCS Cyber Mitigations Complete | 200 Hours/$XX | Jane Dee | % mitigations complete | XX/XX/XXXX
Total Cost to Mitigate FRCS | 1200 Hours SMEs; $XXYYZZ process, technologies, contracts, etc. | Fred Fast | $ to Mitigate FRCS | XX/XX/XXXX

Segment the CS Networks

Each DoD Component shall identify procedures, resources, and milestones for segmenting CS networks away from traditional business IT systems by utilizing VLANs as a main pillar of cybersecurity and industry standards to create a separate and distinct Platform Enclave (PE); see Reference (c). Include a Program Management Plan with timelines to completion.
Include a segmentation strategy, with a minimum VLAN separation between the Operational Technology (OT) network and the IT network with a POA&M to migrate to a fully separate physical network with VLAN separation between automation cells; see Reference (g), section 6.2.1.3.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Industry Review | 200 Hours/$XX | Jane Doe | Approach finalized | XX/XX/XXXX
Create Platform Enclaves | 2000 Hours/$XX | John Doe | # implemented | XX/XX/XXXX

Create CS Test & Development Environment (TDE)

Each DoD Component shall identify actions, milestones, and resources required to design and build a Test & Development environment (TDE) to test and deploy patches and new CS equipment. Included in this section are Component-identified control systems hardware and software that will be incorporated into TDE and Cyber Range Environments to support system owner/operator cyber defense training and Cyber Protection Teams (CPT) efforts. In 2017, the EI&E office stood up the first FRCS Cyber Range at the National Cyber Range (NCR) and worked with USCYBERCOM and the Cyber Range Working Group to have FRCS exercises added to the Ranges. However, the current Ranges can only provide a very small capability to exercise FRCS, typically only on the PE IT Front-End. The sheer number of OA devices and components, vendor/suppliers, and combinations of system integrations makes it almost impossible to model or mimic a real world production FRCS.
Task | FRCS System, Device, HW, SW, FW | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Design / Range environment | HVAC | 1200 Hours/$XX | Jane Doe | Final design approved | XX/XX/XXXX
Build environment | PoE Lighting | 1200 Hours/$XX | John Doe | Design implemented | XX/XX/XXXX

Risks & Dependencies

Each DoD Component shall identify procedures used for identifying risks and dependencies within the overall Plan timeline, to include resource shortfalls, technology dependencies, supply chain dependencies, organizational change management, and an approach to integrating the RMF (Reference (b)) per Project.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
RMF review | 300 hours/$XX | Jane Doe | Program Management Plan, Mission Dependency Model usage | XX/XX/XXXX

DoD Component Policy

Identify revisions and additions and include a list of significant milestones and a top-down management strategy to ensure policies are implemented, including an estimation of funding requirements.

Task | Resource Required LOE/$ | Lead Staff | Demonstrable Achievement Measures | Deadline for Completion
Current Policy Review | 400 hours/$XX | Jane Doe | Policy Report | XX/XX/XXXX

Communication Strategy

Identify revisions and additions and include a list of significant milestones and a top-down management strategy to ensure policies are implemented, including an estimation of funding requirements.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Communications Plan | 800 hours/$XX | Jane Doe | Approved Plan | XX/XX/XXXX

Sustainment Strategy

Provide a summary of proposed procedures (methodologies) to ensure DoD Component FRCS cybersecurity processes are implemented, working effectively, and providing security from the most recent cyber threats and vulnerabilities.
Include a schedule of major milestones toward a methodology for developing baselines, monitoring normal activity, identifying abnormal activity, identifying sources of threats and vulnerabilities (such as usage of Advanced Cyber Industrial Control System Tactics, Techniques and Procedures (ACI TTP), Joint Mission Assurance Assessment (JMAA) benchmarks, Department of Homeland Security Industrial Control System-Computer Emergency Response Team (ICS CERT) Cybersecurity Evaluation Tool (CSET), ICS CERT alerts or other alert process, etc.) (see References (m), (n), (o)); conducting self-assessments and an estimation of funding requirements. At a minimum, methodologies should encompass both continuous monitoring and response IAW Reference (r), including mitigation and resolution timelines of security events.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Monitoring Software Review | 200 hours | Jane Doe, N6 | Monitoring software purchase decision | XX/XX/XXXX
Implementation Config. Mgmt. Process | Existing Resources | NAVFAC | % implementation of process (measured by a Facility Engineering Command) | Q2 FY18
CSET Self-Assessment | Existing Resources | John Doe | # of CSET Assessments | XX/XX/XXXX

Training Strategy

Provide a list of training objectives, significant milestones, and anticipated funding needs. Describe anticipated methodologies for ensuring competencies (such as for an energy manager, facility manager, public works staff, and information technology specialists) are maintained in their future business environments. Include a schedule and milestone for Position Description (PD) development.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Patch Management Review | 150 hours | Jane Doe, Facilities Management | Patch management schedule | XX/XX/XXXX

Continuous Monitoring

Describe continuous monitoring tools and techniques and how they will be used to ensure threats are identified and mitigated; see Reference (f).
Utilize existing TTPs for developing routine monitoring procedures to maintain on-going awareness of security posture for FRCS. Include detection procedures and requirements.

Task | Resource Required LOE/$ | Lead Staff | Achievement Measures | Deadline for Completion
Test & Implement ESS | 150 hours | Jane Doe, Facilities Management | ATO | XX/XX/XXXX

Post-Implementation Verification

Identify which DoD Component cybersecurity organization has performed a review. Describe the reviewing organization’s process for reviewing the implementation of the Plan itself (vice configuration management) and deciding if it was successful. Describe how an action item list will be created to rectify any noted discrepancies. Describe the frequency of ongoing reviews. Note Reviewer findings, planned mitigation or remediation, and rationales.

Task | Resource Required LOE/$ | Lead Staff | Reviewing Organization with POC | Reviewer Findings | Demonstrable Achievement Measures | Deadline for Completion | Frequency of Ongoing Reviews
Review FRCS Cybersecurity Plan | 150 hours/$15K | Bill Doe | NAVFAC, Tom Doe | Reviewer noted discrepancies between planned positions and budgeted positions in FY2020 | First review conducted. Discrepancies between planned positions and budgeted positions noted and corrected. | XX/XX/XXXX | Annually

Schedule

Provide a schedule of activities to be accomplished. Show the required tasks (described in Section 2.3, Major Tasks) in chronological order, with the beginning and end dates of each task.

Task | Start Date | End Date | Notes / Challenges to Timeline
Activity | XX/XX/XXXX | XX/XX/XXXX |

PLAN SUPPORT

Hardware, Software, Facilities, and Materials

List support software, materials, equipment, and facilities required for the Plan to include all the major tasks in Section 2.

Hardware

Required Hardware | # required/$ cost | Date Needed
Dell laptop | 3/$XX | XX/XX/XXXX

Software

Required Software | # required | Date Needed
GrassMarlin v3 | 3/$XX | XX/XX/XXXX

Facilities

Identify the physical facilities and accommodations required by the Plan.
Examples include physical workspace for assembling and testing hardware components, desk space for software installers, and classroom space for training the staff. Specify the hours per day needed, number of days, and anticipated dates. If the facilities needed are site-specific, provide this information in Section 4, Requirements by Site.

Material

Provide a list of required support materials.

Personnel

Provide personnel requirements including staffing, training and certifications for cybersecurity workforce; see References (d) and (e).

Task | # of Personnel | Length of Time Needed | Types of Skills Needed | DoD, GIAC, ISACA or MOS certifications | Skill Level
Hire SW Engineers | 7 | 6 months | Cybersecurity; ability to develop a TDE | GICSP | High
Hire Penetration Testers | 2 | 1 month | Network surveillance, capture, and forensics | GICSP, CISSP | High

Resources & Assessments per Fiscal Year

Resource Requirements

Provide the FY16 and FY17 actuals, FY18 budgeted, and POM estimates to execute the Plan, including dollars invested in cybersecurity mitigations/remediation for FRCS. Include any reimbursable or otherwise paid support by other agencies (e.g., DHS, USCYBERCMD) or contractors to complete Plan activities including:

- Inventory of installation control systems, see Reference (a), Enclosure 2, 13d, t.
- Mitigating/upgrading non-secure network configurations (use VLANs, PSNET, etc.). Include costs to build fully separate enclave, see Reference (a), Enclosure 2, 13b, u.
- Replacing / upgrading legacy HW/SW (Win XP, field controllers, etc.), see Reference (a), Enclosure 2, 13d, u.
- Purchasing, staffing, implementing continuous monitoring; incident response and reporting, see Reference (a), Enclosure 2, 13h, o, q; DoD FMR, see Reference (l).
- Creating Test & Development Environments for penetration testing and patch management, see Reference (a), Enclosure 2, 13g,
- Completing assess & authorize process; annual system security plans / audits, see Reference (a), Enclosure 2, 13d.
- Establishing workforce certifications and training (AOs, AODRs, ISMs, SCAs, etc.), see Reference (a), Enclosure 2, 13k, l; Enclosure 4; References (d) and (e).

Indicate those that remain unfunded and justification.

Requirement | FY16 Actual | FY17 Actual | FY18 Budgeted | FY2019 Budgeted | FY2020 Budgeted | FY2021 Budgeted | FY2022 Budgeted | FY2023 Budgeted
Inventory
Mitigation
Replace/Upgrade
Purchasing, staffing, CM, IR & reporting
TDE Creation
A&A process, annual plans/audits
Workforce certs & training
% FRCS Mitigation Complete
Total Costs to Mitigate FRCS
Total

Assessment Counts

List all assessment types and provide the number of FRCS assessed or to be assessed per FY (Reference (v)). Provide a count of FRCS that have a POA&M but have not gained ATO.

Requirement | FY16 | FY17 | FY18 | FY2019 | FY2020 | FY2021 | FY2022 | FY2023
Component MA Assessments | 15
JMAA Assessments | 5
Component FRCS Assessments | 4
Total Assessment Count | 24
# FRCS with POAM but no ATO | 10
% FRCS Mitigation Completed | 50% (5 of 10)
Total FY $ to Assess FRCS | $250K

Funding & Sources

List each unique investment related to FRCS cybersecurity along with the budget codes listed below. Provide the FY 2016 and 2017 actuals, FY 2018 budgeted and FY 2019-FY 2023 funding amounts, including dollars invested in cybersecurity mitigations/remediation for FRCS. Clearly indicate what has not been funded and its priority relative to all resourcing requests. Example of first 6 columns.
FY budget columns follow in tab 3.4 of the Template.

TC | BA | PE | BLI | Fund Source | UII
1319 | 03 | 0603673N | Z2919 | BASE | 007-000007145
RDT&E, NAVY | Advanced Technology Development | Future Naval Capabilities Advanced Technology Development | Communications Security | Base Funding | COMPUTER OPTIMIZED BATCH RECONCILIATION APPLICATION ON THE WEB
IT, NAVFAC CIO | FRCS Platform Enclave | PE’s for CIO | BLI’s for CIO/PP | Base Funding | UII’s for CIO BMA Enterprise Environment Mission Area
IT, NAVFAC CIO | FRCS TDE | PE’s for CIO | BLI’s for CIO/PP | Base Funding | UII’s for CIO BMA Enterprise Environment Mission Area
IT, NAVFAC CIO | FRCS Continuous Monitoring | PE’s for CIO | BLI’s for CIO/PP | Base Funding | UII’s for CIO BMA Enterprise Environment Mission Area
SRM/NAVFAC | FRCS Pier System | PE’s for I&E | O&M or MILCON/RPIE | Base Funding | 007-000009994
SRM/NAVFAC | FRCS Utility Monitoring and Control System | PE’s for I&E | O&M or MILCON/RPIE | Base Funding | 007-000009994
MILCOM/NAVFAC | FRCS Microgrid | PE’s for I&E | O&M or MILCON/RPIE | Base Funding | 007-000009994
Personal Property/Security | FRCS Electronic Security System | PE’s for DNI/Law Enforcement/Security | BLI’s for DSE/PP | Base Funding | UII’s for BMA Defense Security Enterprise
Totals

Definitions

Treasury Code (TC).* Identifies the Treasury Code for the resource record. The Treasury Code is a defined set of four to six-digit numeric codes from the Comptroller that identifies Appropriation types.

Budget Activity (BA).* Identifies the Budget Activity code for the resource record. Budget Activity is a two-digit identifier for the categories within each appropriation and fund account to identify the purposes, projects, or types of activities financed by the appropriation.

Program Element (PE). The Program Element is a primary data element in the Future Years Defense Program (FYDP) and generally represents aggregations of organizational entities and related resources. The PE is up to ten-digits in length, a seven-digit numeric identifier followed by a three-digit DoD Component identification code.
Budget Line Item (BLI).* Identifies the Budget Line Item (BLI) which varies by the Appropriation group: Operation and Maintenance (O&M) - provide the Activity Group (AG) and Sub-Activity Group (SAG); Research, Development, Test & Evaluation (RDT&E) - provide the Project Number; Procurement - provide the Line Item; and MILCON - provide the Project Number.

Fund Source. Identifies whether the resources are 'Base' or Overseas Contingency Operations (OCO).

Unique Investment Identifier (UII). A persistent numeric code applied to an Information Technology/Cyberspace Activities (IT/CA) investment that allows the identification and tracking of an IT/CA investment across multiple fiscal years of an agency’s IT/CA investment portfolio. The unique investment identifier is composed of a 3-digit agency code (007 for DoD) concatenated with a 9-digit unique investment number generated by the agency, separated by a dash; e.g., 007-123456789. UIIs are generated for the DoD IT/CA budget in the Defense Information Technology Investment Portal (DITIP).

* The list of Treasury Code, Budget Activity Code, and Budget Line Item values can be found on the SNaP website by clicking the "Instructions" tab, then selecting the "Documents" item, and opening the "Appropriations List" file.

Special Budget Guidance

The Defense Information Technology Portfolio Repository (DITPR) is used to identify information systems and report their accreditation and authorization status to Congress. In accordance with the aforementioned DoDIs, both IS and “IS/FRCS Hybrid/Converged Systems” (see §3.5, below) must be registered to DITPR, and the RMF security authorization documentation must be posted to eMASS or be made available via “similar electronic means” (e.g., USMC and the IC utilize a different tool). The DITPR ID is used to correlate the eMASS and Select & Native Programming Data Input System for Information Technology (SNaP-IT) databases.
The DITPR ID is created after a new record has been created.

The SNaP-IT is the authoritative DoD database used for publishing the DoD IT Budget Estimates to Congress; to the Circular A-11 Section 53 and Section 300 exhibits to the Office of Management and Budget (OMB); and for monthly IT performance reporting to OMB’s IT Dashboard.

The CIO SNaP-IT office issued DoD Financial Management Regulation (FMR) Volume 2B, Chapter 18 Section 18103 in September 2015 (Reference (l)). This revised chapter applies to the FY 2017 budget and addresses PIT/CS in paragraph J: “J. Industrial Control Systems (ICS)/ Platform Information Technology (PIT)/ Supervisory Control and Data Acquisition (SCADA).”

IMPORTANT: As DoDI 8530.01, Cybersecurity Activities Support to DoD Information Network Operations; the Joint Information Environment (JIE); and the new Chapter 18 FMR Volume 2B are implemented, many of the IS and FRCS perimeter and boundary edge protection devices (as well as continuous monitoring) will be part of the IT/Cyber budget. Expenditures for new OT products needed for cybersecurity of existing IT will be reported as part of the IT/Cyber budget. The software, services, or major applications that are acquired to provide continuous monitoring of PIT which are not part of the Host-Based Security System/Assured Compliance Assessment Solution will also be part of the IT/Cyber budget.

System Registrations

Provide a listing of system registrations in DoD repositories. Prior to loading into eMASS, the type of Enterprise Information Environment Mission Area (EIEMA) and associated Business Mission Area (BMA) must be identified. Following are critical distinctions between types of PEs and which EIEMA Area they belong to.
If the PE will be provided by IT/communications, typically select “Enterprise IT Infrastructure.” If the PE will be provided by non-IT/communications, select the appropriate category within “Business Mission Area (BMA),” “Warfighter Mission Area (WMA),” or “DoD Portion of the Intelligence MA (DIMA).”

For FRCS-supporting PEs (the traditional IT Front End), TDE, and Continuous Monitoring, use the BMA “Enterprise Information Environment Mission Area.” After consulting with the local CIO, in DITPR, select MA-Domain, “Communications, Computing Infrastructure, or Cybersecurity.” The FRCS PE, TDE and CM will typically be accounted for as CIO IT assets. These FRCS portions are typically accounted for as PP.

For EI&E owned and operated FRCS, use the BMA, Installations and Environment; and in DITPR, select MA-Domain, Real Property & Installation Lifecycle Management (RPILM). These FRCS are typically accounted for as Real Property Installed Equipment (RPIE).

For law enforcement and security owned and operated FRCS, use the BMA, Defense Security Enterprise, and in DITPR, select MA-Domain Defense Security Enterprise, Law. These FRCS are typically accounted for as PP.

(eMASS) System Name | (eMASS) System Acronym | (eMASS) Version | BMA | Regulatory Standard | C-I-A Rating | DITPR | SNAP-IT | FISMA/FIACAM
Site1 UMCS | SITE1-FRCS-UMCS-NI-A | 1.0 | IE | NIST SP 800-82 R2 | H-H-H

Figure 2 – Enterprise Information Environment Mission Area (EIEMA)
Figure 3 – DITPR ID correlates information between eMASS, DITPR and SNaP-IT
Figure 4 – SNaP-IT is used to budget for FRCS Cybersecurity

Common Systems

List the ten (10) most common (Unclassified) Critical FRCS types within the DoD Component.
Vendor Name | FRCS Category | FRCS System | Model | Approximate Count | Comments
Vendor 1 | Building Control System | HVAC

RECOMMENDATIONS

Provide specific suggestions for DoD policy changes.

Provide any other recommendations relating to improving the FRCS Cybersecurity Plan format, information types, methodologies, etc.

4.3 Submit recommendations for Issue Papers.