Facility-related Control System Authorization Framework
William Horner | RDECOM, CERDEC, NVESD
The objective of this project is to develop a set of integrated tools, templates and processes to provide a framework that dramatically streamlines the practical path to obtaining an Authorization to Operate (ATO) for Facility-related Control Systems (FRCS). The framework of this project will aggregate existing guidance, tools and techniques, such as those found on the RMF Knowledge Service (RMF KS) and the Strategic Environmental Research and Development Program (SERDP) and the Environmental Security Technology Certification Program (ESTCP) websites, and leverage ongoing efforts, such as RMF-related working groups. This body of information will be presented in a way that walks FRCS owners through the processes of protecting and defending their systems and the missions that they support.
To meet the technical objectives, the research team will develop an end-to-end framework focused on FRCS Owner’s in-practice duties for Risk Management Framework (RMF) ATO such that roles, processes, available tools and resources are clear and assist with the integration of automation and streamlining techniques where possible. The FRCS A&A Framework will support FRCS inventory, mission assurance, RMF Authorization to Operate (ATO), and monitoring efforts through integration of current tools and guidance into intuitive, useful, instructions, wizards, worksheets and templates. The framework will be designed specifically for the application of RMF to FRCS Cybersecurity processes, such as Security Categorization, the Industrial Control System (ICS) Overlay, Mission Assurance, and development of FRCS-specific security policies and procedures.
A two-phased approach will be implemented for this project. The first phase will be designed to get as far along in the development of the framework so that a useful pilot/prototype can be reviewed and tested at the end of the first 12 months. This first phase will include focus group sessions with facility and IT personnel unfamiliar with FRCS RMF processes to ensure features and capabilities are most useful. During the second, six-month phase, early adopter’s feedback will be integrated into the framework, and it will be more widely distributed. A more comprehensive verification of usability from early adopters and focus groups will be performed. The project's framework will be demonstrated by a real-world use case, such as Night Vision and Electronic Sensors Directorate (NVESD)’s Area 300 Energy Monitoring and Control Network located at Fort Belvoir, which will use the framework to apply cybersecurity and risk management policies, procedures, and guidance, and build a full RMF package(s) for submission for ATO including one or more FRCS.
The framework of this project is expected to provide several swift and impactful RMF A&A timeline and budget benefits to the Department of Defense (DoD), specifically for FRCS operators, assessors, facility managers and mission owners, as well as the accelerated realization of actual energy savings through quicker implementation of new energy-saving FRCS technologies. Considering the large quantity of FRCS deployed in the DoD that have not been assessed for risk or mission impacts, coupled with the extremely arduous process and documentation that FRCS system owners face, this in-practice framework can provide significant cost avoidance and a more rapid timeline to energy security by dramatically compressing the learning curve, and accelerating the path to ATO. By reducing the manual data entry and providing self-assessment-specific templates and guidance, a marked cost reduction is expected in achieving an RMF ATO. In addition to reduced costs associated with obtaining an ATO, this framework will reduce the man-hours required to develop RMF packages to perform FRCS assessments.