Installation Energy and Water

Cybersecurity Facility-Related Control Systems (FRCS)

The DoD has adopted the Risk Management Framework (RMF) for all Information Technology (IT) and Operational Technology (OT) networks, components and devices to include Facility-Related Control Systems (FRCS). FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO) on the DoD Information Network (DoDIN).

The DoD CIO RMF Portal and the  Installation  Environmental Security Technology Certification Program (ESTCP) website are the primary internal and external communications platforms to keep DoD stakeholders, vendors and contractors appraised of RMF policy, standards, guidance and a source of tools, checklists and templates.

The portal and website are almost exact replicas, but the DoD CIO RMF portal requires a CAC card to access and contains additional FOUO documents and POC’s email and phone numbers. The general format and content of the websites are:

  • Homepage Introduction and FAQ’s
  • Overview of Platform IT (PIT), Operational Technology & Facility-Related Control Systems
  • FRCS Reference Architecture, Networks and Components
  • NIST SP 800-82 R2 ICS Security Guide
  • Continuous Monitoring (CM) Strategy and Auditing
  • Test and Development Environment (TDE)
  • Pre-design Cybersecurity Requirements
  • Design Cybersecurity Requirements
  • Telecommunications and Networking (Joint Information Environment)
  • Typical Design and Construction Sequence
  • Energy Projects, Third-party Financing and Cybersecurity
  • Medical Facilities-Related Control Systems, Medical Devices and Equipment
  • Registering FRCS In eMASS, DITPR and SNaP-IT
  • Protecting DoD Controlled Unclassified Information (CUI)
  • Instructions, Manuals, Policies, Plans and Memo’s
  • Resources And Tools
  • Templates And Checklists
  • Conducting An RMF Self-Assessment

Any organization can use the websites guidance, reference materials, checklists and templates and the majority can be used for both standard IT and FRCS, also often referred to as Operational Technology (OT) systems.



DoD Risk Management Framework Process for DoD IT Systems

Document Title Document Purpose
RMF Guidance, generally applicable to traditional IT as well as facility-related control systems  
NIST Special Publication 800-37 (Chapter 3) The RMF process for all federal agencies
DoD Instruction 8510.01 RMF applied to the DoD; facility-related controls referred to as Platform IT (PIT), akin to aircraft avionics
RMF Guidance, specific to facility-related control systems  
NIST SP 800-82 Revision 2 (Chapter 6) Applying RMF to facility related control systems
Unified Facilities Criteria (UFC) 4-01-06 Specific guidance for facility-related controls in DoD
ESTCP Facility-Related Control Systems Cybersecurity Guidelines, Version 4 Specific guidance for ESTCP demonstrations
Committee on National Security Systems Instruction (CNSSI) 4009 
(CNSSI documents are not accessible by hyperlink, but must be accessed via the above library link)
The most comprehensive, formally accepted glossary available
STEP 1: Categorize the System  
Federal Information Processing Standards (FIPS) 199 Generally applicable categorization process
CNSSI 1253  Categorization process specific to national security systems
NIST SP 800-60 Volume 1 & Volume 2 Detailed considerations when determining categorization
STEP 2: Select Security Controls  
CNSSI 1253 Baseline security controls for national security IT systems
NIST SP 800-82 Rev 2 (Appendix G) Security overlay for facility-related control systems
NIST SP 800-53 Rev 4 (Appendix F) Catalogue of all IT security controls with details
STEP 3: Implement Security Controls  
NIST SP 800-82 Rev 2 (Chapter 6) Applying security controls to facility-related controls
STEP 4: Assess Controls Effectiveness  
NIST SP 800-53A Rev 4 (Chapter 3) Conducting effective security control assessments
STEP 5: Authorize System  
NIST SP 800-37 (Appendix F) Authorization packages
STEP 6: Monitor Security  
NIST SP 800-37 (Appendix G) Continuous monitoring of information systems
Authority to Operate (ATO) Packages  
NIST SP 800-37 (Appendix F) Detailed description of ATO package requirements
CNSSI 1254 Specific data elements required for an ATO

Please contact the  Installation Energy (IE) or  ESTCP Program Offices if you have any questions, or need additional guidance.

Risk Management Framework (RMF) 101 for Managers: PowerPoint outlining the RMF process for facility managers step by step.

Featured Initiatives