Energy Exchange 2017 - Track 4 - Cyber and Control System Technologies, Session 2 - Understanding and implementing the RMF Process
Looking Forward: USACE MILCON Cybersecurity Integration
Mr. Daniel Shepard
US Army Corps of Engineers, Engineering & Support Center, Huntsville
August [XX], 2017
Tampa Convention Center
Tampa, Florida
What We Did

DOD & ARMY LEVEL CYBERSECURITY GUIDANCE:
  ACSIM Cybersecurity Strategy for Facility-Related Control Systems (FEB2017)
  OSD Memo, DoD Cybersecurity Campaign (JUN2015)
  DASD, Managing Cyber Risks to Facility-Related Control Systems (MAR2014)
  DoDI 8510.01, Risk Management Framework (RMF) (MAR2014)

Developed Inventory Methodology Used by ACSIM, Navy, Marines, and Air Force.
Completed Proof of Concept of Control Systems Inventory Methodology at Redstone Arsenal.
the United Facility Criteria 04-010-06.
Supported OACSIM in the Development of the Army's Strategic Plan for the Implementation of Cybersecurity for Facility-Related Control Systems.
USACE Control Systems Inventory Methodology
What We Do

ICS-CS TCX Technical Team

Established January 2015, the ICS-CS TCX Was to Fill a GAP in the Army's Ownership & Accountability for Facility Control Systems.

[Graphic labels: Army Accountability, CYBER STRONG!!, Army Ownership, CYBER THREAT]

Planning:
  Participate in Planning Charrettes/DD-1391 Development
  Prepare Cybersecurity Cost Estimates for Control Systems

Design:
  Design/Technical Submittal Reviews for Compliance
  Validation of UFC Design Requirements for Inclusion/Compliance

Acquisition:
  Assist in SOW Development
  Participate in Source Selection Boards

Execution:
  Monitoring of Risk Management Framework Requirements
  Ensure Control Systems are Cyber-Secure and are ATO Ready
What We Missed

Without Mandates to Use the ICS-CS TCX for Project Oversight on Cybersecurity Requirements for Control Systems, Our Project Delivery Process for Control Systems Became Obsolete and Vulnerable.

[Graphic labels: PLANNING CHARRETTE / DD-1391 PREP, Where's Cyber?, CYBERSECURITY REPRESENTATIVE, CYBER THREAT, Army Accountability, CYBER STRONG??, GULP!!!, Army Ownership]

CRITICAL ISSUES TO ADDRESS:
  Not Including Cybersecurity Requirement Costs In DD-1391
  Lack of Early Engagement in Project Development Process
  Lack of Technical Understanding & Expert Know-How
  Minimal Engagement for Design/Technical Reviews
RMF Process to MILCON
RMF In The MILCON Process

  STEP 1 - CATEGORIZE - System
  STEP 2 - SELECT - Security Controls
  STEP 3 - IMPLEMENT - Security Controls
  STEP 4 - ASSESS - Security Controls
  STEP 5 - AUTHORIZE - System
  STEP 6 - MONITOR - Security Controls
Looking Forward: USACE MILCON Cybersecurity Integration

Planning:
  Budgeting for Cybersecurity in Project Scope (250k per identified platform)
  Control System Cybersecurity TCX DD1391 Review at Code 3 prior to 3086 certification.
  TCX assistance to Districts in Design RFP Acquisition req's (if requested)

Design:
  Utilize guidance set forth in UFC 4-010-06, Cybersecurity of Facility-Related Control Systems & Pending UFGS 01 35 53.01, Cybersecurity of Facility-Related Control Systems (Est. Q2 FY 18)
  TCX provides design submittal reviews (if requested) by District

Construction:
  Assist Districts in developing Construction Acquisition RFP req's
  Ensure project associated control systems are inventoried and categorized
  Include submittal requirements for:
    Final Inventory
    System Categorization
    Authorization to operate
    Authorization to connect to the network
  Include Requirement To attach to the network and operate PITs upon facility turnover
  Modify contract as requirements are updated
  Requirements will NOT remain static