Legislation, Instructions, Manuals, Policies, Plans and Memos

This section is the collection of key legislation, executive orders, policy and guidance documents that implement the DoD Cybersecurity and Risk Management Framework processes with an emphasis on EI&E owned and operated critical infrastructure, control systems, and real-property assets.


The National Defense Authorization Act is the law that funds the Department of Defense, and enables Congress to perform oversight by requiring DoD to conduct studies and analysis, conduct pilot programs, and produce reports related to cybersecuring control systems.


“(A) DESIGNATION OF INTEGRATING OFFICIAL.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall designate one official to be responsible for matters relating to integrating cybersecurity and industrial control systems within the Department of Defense.

“(B) RESPONSIBILITIES.—The official designated pursuant to subsection (a) shall be responsible for matters described in such subsection at all levels of command, from the Department to the facility using industrial control systems, including developing Department-wide certification standards for integration of industrial control systems and taking into consideration frameworks set forth by the National Institute of Standards and Technology for the cybersecurity of such systems.”



FY18 NDAA SEC. 11604. REPORT ON SIGNIFICANT SECURITY RISKS OF DEFENSE CRITICAL ELECTRIC INFRASTRUCTURE – Requires identification of significant security risks to defense critical electric infrastructure posed by significant malicious cyber-enabled activities.

(A) REPORT REQUIRED.- Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall, in coordination with the Director of National Intelligence, the Secretary of Energy, and the Secretary of Homeland Security, submit to the appropriate committees of Congress a report setting forth the following. (1) Identification of significant security risks to defense critical electric infrastructure posed by significant malicious cyber-enabled activities.

FY18 NDAA SEC. 1629. MEASUREMENT OF COMPLIANCE WITH CYBERSECURITY REQUIREMENTS FOR INDUSTRIAL CONTROL SYSTEMS – Requires a scorecard to measure progress towards securing the ICS of DoD against cyber threats, including CS and PIT.

IN GENERAL.-Not later than January 1, 2018, the Secretary of Defense shall make such changes to the cybersecurity scorecard as are necessary to ensure that the Secretary measures the progress of each element of the Department of Defense in securing the industrial control systems of the Department against cyber threats, including such industrial control systems as supervisory control and data acquisition systems, distributed control systems, programmable logic controllers, and platform information technology.

CYBERSECURITY SCORECARD DEFINED.-In this section, the term “cybersecurity scorecard” means the Department of Defense Cybersecurity Scorecard used by the Department to measure compliance with cybersecurity requirements as described in the plan of the Department titled “Department of Defense Cybersecurity Discipline Implementation Plan”.


Section 1650(b)(1) of the National Defense Authorization Act for fiscal year 2017 (114–328; 10 U.S.C. 2224 note) is amended—

(A) in subparagraph (C), by striking “and” at the end;

(B) in subparagraph (D), by striking the period at the end and inserting “; and”; and

(C) by adding at the end the following:

“(E) to assess the strategic benefits derived from, and the challenges associated with, isolating military infrastructure from the national electric grid and the use of microgrids.”.

FY17 NDAA SEC. 1644. REQUIREMENT TO ENTER INTO AGREEMENTS RELATING TO USE OF CYBER OPPOSITION FORCES - Issue a joint training and certification standard for the protection of control systems for use by all cyber operations forces within the Department of Defense. Such standard shall— (1) provide for applied training and exercise capabilities; and (2) use expertise and capabilities from other departments and agencies of the Federal Government, as appropriate.

FY17 NDAA SEC. 1650. EVALUATION OF CYBER VULNERABILITIES OF DEPARTMENT OF DEFENSE CRITICAL INFRASTRUCTURE - Submit to the congressional defense committees a plan for the evaluation of the cyber vulnerabilities of the critical infrastructure of the Department of Defense.

Initiate a pilot program under which the Secretary shall assess the feasibility and advisability of applying new, innovative methodologies or engineering approaches—

(A) to improve the defense of control systems against cyber attacks;

(B) to increase the resilience of military installations against cybersecurity threats;

(C) to prevent or mitigate the potential for high-consequence cyber attacks; and

(D) to inform future requirements for the development of such control systems.

FY17 NDAA Report 114-255 TITLE XXVIII-MILITARY CONSTRUCTION GENERAL PROVISIONS - Cybersecurity Risk to Department of Defense facilities

The committee finds that Department of Defense facilities are transitioning to smart buildings increasingly utilizing wireless controls for heating, ventilation and air conditioning, security systems, lighting, electrical power, fire alarms, elevators, visitor controls, cellular communications, Wi-Fi networks, first responder communications and other systems that are increasingly interconnected and online. This higher connectivity has increased the threat and vulnerability to cyber-attacks, particularly in ways existing DOD regulations were not designed to consider.

Therefore, the committee directs the Secretary of Defense to deliver to the congressional defense committees a report that: (1) Delineates the structural risks inherent in control systems and networks, and the potential consequences associated with a system compromise through a cyber event; (2) Assesses the current vulnerabilities to cyber attack initiated through Industrial Control Systems (ICS) at Department of Defense installations worldwide, for the purpose of determining risk mitigation actions for current and future implementation; (3) Proposes a common, Department-wide implementation plan to upgrade and improve the security of control systems and networks to mitigate identified risks; (4) Assesses the extent to which existing Department of Defense military construction directives, regulations, and instructions require the consideration of cybersecurity vulnerabilities and cyber risk in pre-construction design processes and requirements development processes for military construction projects; and (5) the capabilities of the Army Corps of Engineers, the Naval Facilities Engineering Command, the Air Force Civil Engineer Center, and other construction agents, as well as participating stakeholders, to identify and mitigate full-spectrum cyber-enabled risk to new facilities and major renovations.

For the purposes of this legislation, ICS include, but are not limited to, Supervisory Control and Data Acquisition Systems, Building Automation Systems, Utility Monitoring and Energy Management and Control Systems.

Such report shall include an estimated budget for the implementation plan, and shall be delivered no later than 180 days after the date of the enactment of this Act.

Policies and Executive Orders

Request For Information Executive Order on America’s Cybersecurity Workforce - The US Department of Defense (DoD) is requesting information to assist the Government in identifying and evaluating skill gaps in Federal and non-Federal cybersecurity personnel and training gaps for specific critical infrastructure sectors, defense critical infrastructure, and the Department of Defense's platform information technologies; and recommending curricula for closing the identified skills gaps for Federal personnel and steps the United States Government can take to close such gaps for non-Federal personnel by, for example, supporting the development of similar curricula by education or training providers.

The Executive Order (EO) on America’s Cybersecurity Workforce calls for a report to the President “To strengthen the ability of the Nation to identify and mitigate cybersecurity vulnerabilities in critical infrastructure and defense systems, particularly cyber-physical systems (CPS) for which safety and reliability depend on secure control systems…”

All responses should be submitted via e-mail to Daryl Haegley at daryl.r.haegley.civ@mail.mil no later than 5:00 PM (EST) on September 13, 2019. Only attach MS Word/Excel compatible files or Adobe Acrobat PDF files in electronic correspondence.

Executive Order 13556 Controlled Unclassified Information 2010 - Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2013 - Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.

Executive Order 13800 Strengthening The Cybersecurity Of Federal Networks and Critical Infrastructure 2017 - Effective immediately, each Agency Head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework), or any successor document, developed by the National Institute of Standards and Technology to manage the agency’s cybersecurity risk. Each Agency Head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.

PPD–21 Critical Infrastructure Security and Resilience 2016 - It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The Federal Government shall work with critical infrastructure owners and operators and SLTT entities to take proactive steps to manage risk and strengthen the security and resilience of the Nation's critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.

DoD Strategies, Instructions, and Directives

Cybersecurity Maturity Model Certification 2019 - DoD has initiated the Cybersecurity Maturity Model Certification. In early 2019, the department issued a memo making the Defense Contract Management Agency responsible for auditing the contractor/vendor community against the DFARS 7012 requirement. https://www.acq.osd.mil/cmmc/

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

If you are a DoD contractor/vendor and need to create a Cyber Risk Management Plan (CRMP), we have posted a complete set of templates on the DoD ESTCP Cybersecurity Resource page at: https://serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/FRCS-Protecting-CUI

GSA has also published notice in the FAR that they will be adopting the same rule for all federal agencies and that it will apply to all federal contractors/vendors.

An Army Guide to Navigating the Cyber Security Process for Facility Related Control Systems 2019 - Cybersecurity and Risk Management Framework explanations for the Real World. Personnel who maintain Facility Related Control Systems (FRCS) of any type are required to implement cybersecurity to attain and maintain an Authority to Operate (ATO) on their respective systems. This document is a guide for installation personnel owning and operating control systems to assist in addressing the cybersecurity process for FRCS in the Army through the Risk Management Framework (RMF) approach, which encompasses six steps. This manual walks the reader through the administrative aspects of each step.

Control System (CS) / Platform Information Technology (PIT) Workforce Development Final Report 2016 - The Office of the Assistant Secretary of Defense for Energy Installations & Environment [OASD(EI&E)] tasked the Johns Hopkins University Applied Physics Laboratory (JHU/APL) to assess the potential for cyber vulnerabilities to be caused by or potentially prevented by facility management personnel at DoD facilities. The purpose of this project was to identify vulnerabilities in facility cyber operations and the associated competencies, training, and changes to the workforce that could be added to the DoD’s traditional FM/FE/SaM/SeM/FEM/LOG management staff to improve cybersecurity and situation awareness in facility management and to identify cost effective techniques to mitigate cyber vulnerabilities in facility operations.

DoD Cloud Computing Strategy Final with Memo July 2012 - The attached DoD Cloud Computing Strategy lays the groundwork, consistent with the Federal Cloud Computing Strategy, for accelerating cloud adoption in the Department. The strategy includes steps to foster adoption of cloud computing, optimize data center consolidation, establish the DoD enterprise cloud infrastructure and continue to deliver cloud services. A robust and resilient multi-provider, Enterprise Cloud Environment will enable the Department to achieve the goals of the Joint Information Environment.

DoD Cloud Strategy 2018 December 2018 - The DoD must maintain its strategic advantage across the globe by laying the foundation needed to harness the power of data and information systems through cloud computing. To ensure this, the Department must address the unique mission requirements through a multi-cloud, multi-vendor strategy that incorporates General Purpose and Fit For Purpose clouds along with the advantages of multiple commercial cloud providers. The attached strategy addresses key cloud computing objectives, challenges, and strategic approaches for the DoD. The Department will shift its security focus from perimeter defense to securing data and services. This shift will be accomplished first through strong authentication for both people and machines and secure encryption mechanisms both at rest and in transit. We must embrace computing solutions that enable warfighters in their environment versus forcing them to conform to the current environment of siloed data and legacy applications. The integration and operation of computing solutions will be straightforward and repeatable, regardless of the required classification level of the system. While certain DoD programs are not immediately amenable to migration to the cloud, some of these systems may ultimately be bridged to the cloud, while others may be addressed through separate non-cloud solutions. DoD will utilize this guiding strategy to further develop a detailed enterprise approach for managing its data, infrastructure, and application landscape. The advent of commercial cloud has provided a powerful opportunity to address these problems.

DoD Cyber Strategy Summary Final September 2018 - American prosperity, liberty, and security depend upon open and reliable access to information. The Internet empowers us and enriches our lives by providing ever-greater access to new knowledge, businesses, and services. Computers and network technologies underpin U.S. military warfighting superiority by enabling the Joint Force to gain the information advantage, strike at long distance, and exercise global command and control. The Department’s cyberspace objectives are:

(A) Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;

(B) Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;

(C) Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;

(D) Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and

(E) Expanding DoD cyber cooperation with interagency, industry, and international partners.

DoD Instruction 8531.01 DoD Vulnerability Management - In accordance with the authority in DoD Directive 5144.02, this issuance: Establishes policy, assigns responsibilities, and provides procedures for DoD vulnerability management and response to vulnerabilities identified in all software, firmware, and hardware within the DoD information network (DODIN); Establishes a uniform DoD Component-level cybersecurity vulnerability management program based on federal and DoD standards; Establishes policy and assigns responsibilities for the DoD Vulnerability Disclosure Program (VDP); Establishes policy, assigns responsibilities, and provides procedures for DoD’s participation in the Vulnerabilities Equities Process (VEP), in accordance with the Vulnerabilities Equities Policy and Process for the U.S. Government (USG).

DoD Instruction 8010.01 Department of Defense Information Network (DoDIN) Transport - The DODIN (i.e., transport) and the associated network services contain various dissemination elements required to operate, maintain, and secure required distribution capabilities. The DODIN consists of all networks and information systems owned or leased by DOD. The DODIN includes common enterprise service networks (classified and unclassified), intelligence networks operated by DoD Components within the IC, closed mission system and battlefield networks, and other special purpose networks. All DODIN transport reference and solution architectures follow the DoD Enterprise Architecture and Joint Information Environment (JIE) Enterprise Reference and Solution Architectures (e.g., Satellite Communications (SATCOM) Gateway Solution Architecture, wide area network Solution Architecture).

DoD Instruction 8140.01 Cyberspace Workforce Management 2015 - The DoD maintains a total force management perspective to provide qualified cyberspace government civilian and military personnel to identified and authorized positions, augmented where appropriate by contracted services support. These personnel function as an integrated workforce with complementary skill sets to provide an agile, flexible response to DoD requirements. The appropriate mix of military and government civilian positions and contracted support designated to perform cyberspace work roles is determined in accordance with DoD Instruction (DoDI) 1100.22 (Reference (bc)).

DoD Instruction 8320.05 Unique Identification (UID) Standards for Supporting DoD Net-Centric Operations the DoD Information Enterprise 11-2017 - Supports the National Military Strategy of the United States of America (Reference (c)) and the requirements of DoDI 8320.02 (Reference (d)) for sharing data, information, and information technology (IT) services by enabling sharing, analyzing, and disseminating authoritative, unambiguous on-demand data associated with unique identifiers with mission partners in a global environment. ASD(EI&E) maintains and oversees implementation of Reference (h) as the UID standard for all real property in which the DoD Components hold a legal interest on the behalf of the U.S. Government, to include an RPUID to permanently and uniquely identify a DoD real property asset, and an RPSUID to permanently and uniquely identify a DoD real property site.

DoD Instruction 8500.01, Cybersecurity, March 2014 - DoD will implement a multi-tiered cybersecurity risk management process to protect U.S. interests, DoD operational capabilities, and DoD individuals, organizations, and assets from the DoD Information Enterprise level, through the DoD Component level, down to the IS level as described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 (Reference (o)) and Committee on National Security Systems (CNSS) Policy (CNSSP) 22 (Reference (p)).

DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 2014 - Implements References (c) through (f) by establishing the RMF for DoD IT (referred to in this instruction as “the RMF”), establishing associated cybersecurity policy, and assigning responsibilities for executing and maintaining the RMF. The RMF replaces the DoD Information Assurance Certification and Accreditation Process (DIACAP) and manages the life-cycle cybersecurity risk to DoD IT in accordance with References (g) through (k).

DoD Instruction 8530.01 Cybersecurity Activities Support to DoD Information Network Operations March 2016 - DoD protects (i.e., secures and defends) the DoDIN and DoD information using key security principles, such as isolation; containment; redundancy; layers of defense; least privilege; situational awareness; and physical or logical segmentation of networks, services, and applications to allow mission owners and operators, from the tactical to the DoD level, to have confidence in the confidentiality, integrity, and availability of the DoDIN and DoD information to make decisions.

DoD DIRECTIVE 3020.40 MISSION ASSURANCE (MA) 2016 - Establishes policy and assigns responsibilities to meet the goals of refining, integrating, and synchronizing aspects of DoD security, protection, and risk-management programs that directly relate to mission execution as described in the DoD Mission Assurance Strategy and Mission Assurance Implementation Framework. Assigns responsibilities for execution of critical infrastructure roles assigned to DoD in Presidential Policy Directive (PPD)-21 and prescribed in DoD Instruction (DoDI) 5220.22. Ensures consistency with applicable provisions of the National Infrastructure Protection Plan and compliance with applicable provisions of Part 29 of Title 6, Code of Federal Regulations. Maintains a Defense Critical Infrastructure (DCI) line of effort within MA to sustain programming, resources, functions, and activities supporting those responsibilities formerly under the Defense Critical Infrastructure Program (DCIP).

Air Force Instruction 17-101 Risk Management Framework (RMF) for Air Force Information Technology (IT) Feb 2017 - applies to all military and civilian AF personnel, members of the AF Reserve Command (AFRC), Air National Guard (ANG), third-party governmental employee and contractor support personnel in accordance with appropriate provisions contained in memoranda support agreements and AF contracts. This document is substantially changed and must be reviewed in its entirety. This instruction reissues, renames, supersedes, and rescinds AFI 33-210, Air Force Certification and Accreditation Program, to AFI 17-101, Risk Management Framework for Air Force Information Technology. This directive establishes the Risk Management Framework (RMF) for AF IT, establishes associated cybersecurity policy, and assigns responsibilities for executing and maintaining the RMF.


Chairman Of The Joint Chiefs Of Staff Manual (CJCSM) 6510.01B - Cyber Incident Handling Program 2012 - This manual describes the Department of Defense (DoD) Cyber Incident Handling Program and specifies its major processes, implementation requirements, and related U.S. government interactions.

Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) V1.2 2017 - This Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP). It provides standardized security policies and procedures for use in safeguarding classified information processed by cleared contractors’ Information Systems (ISs) operating under the security cognizance of the DSS. There are many IS types and system configurations that operate within cleared contractor facilities. The predominant IS types are Standalone Information Systems, Local Area Networks (LANs), Unified Networks, Interconnected Systems, and Wide Area Networks (WANs). Tactical, embedded, data-acquisition, legacy, and special-purpose systems are Special Categories of systems requiring an alternative set of controls not readily available in typical systems. Some ISs are incapable of being modified by users and are designed and implemented to provide a very limited set of predetermined functions. These systems are considered members of a special category, as are data-acquisition systems and other special-purpose test type systems. Mobile systems may be periodically relocated to another cleared contractor facility or government site. A mobile system may be a complete system or components of a larger, more complex system. Special procedures are required to document applicability and control, and to account for the movement, operations, and security of systems that are relocated to alternative locations.

DoD Manual 3020.45, Volume 2 Defense Critical Infrastructure Program (DCIP): DCIP Remediation Planning - In accordance with the authority in Reference (a) and the guidelines and responsibilities as assigned in Reference (b), this Manual provides uniform procedures for the execution of DCIP activities. This Volume describes a process for DoD leaders, once risk has been assessed, to determine, plan, justify, and implement remediation actions to reduce risk to defense critical infrastructure (DCI). The process documented in this Volume ensures informed decisions are made to manage risk to DCI. Informed risk management decisions are important to ensure the availability of DCI while making efficient use of limited resources.

Implementation Plans

Air Force Civil Engineer Control Systems Cybersecurity Implementation Plan 2017 - Cybersecurity threats to Air Force (AF) missions, capabilities, and systems extend beyond those targeting traditional IT networks and weapons platforms. Control systems (CS) support and enable critical infrastructure and capabilities across AF installations. Cyber-attacks on these historically vulnerable control systems can cause mission failure, extended operational impacts, and physical damage to critical infrastructure, as well as provide a foothold for additional attack vectors into the broader Air Force Information Network (AFIN).

ARMY’S Cybersecurity Strategy For Facility-Related Control Systems 2017 - Army Installations are platforms for Army readiness. They provide secure and sustainable facilities and infrastructure to organize, train, equip, deploy, and conduct combat operations by land forces. Increasingly, Army facilities and infrastructure rely on networked control systems to support real-time centralized monitoring and operations, making them vulnerable to attack or compromise. The Army must assure the confidentiality, availability, and integrity of the information and the control systems that underpin our facilities and critical infrastructure. This strategy identifies goals and objectives for a supportable level of cybersecurity across facility-related control systems. The Army will use this plan to increase resiliency across facility-related control systems and encourage greater collaboration across the facilities and information technology communities to ensure the consistent application of cybersecurity.

NAVY Implementation Plan Managing Cyber Risks To Facility-Related Control Systems 2016 - The Navy Ashore Domain Cybersecurity Plan identifies the goals, milestones, and resources required to identify, register, and implement cybersecurity controls on DoD facility related control systems (CS).  The Navy Ashore Domain Cybersecurity Plan is prioritized on Task Critical Assets (Tiers 1 and 2 or higher) and supporting infrastructure of those assets to ensure cyber protection of the most critical facility-related CS as described in section 2.1. The Deputy CNO for Fleet Readiness and Logistics will manage oversight and resourcing efforts for the cybersecurity of facility-related CS within the Shore Readiness program in order to safeguard critical missions conducted aboard Navy Installations.  As the shore integrator of tenant commands, mission owners, and operators aboard Navy Installations; Commander, Navy Installations Command will ensure the inventory, assessment, cybersecurity, and continuous monitoring of facility-related CS is implemented per references (e) and enclosure (1). As the Functional Authorizing Official (FAO), Commander, Naval Facilities Engineering Command will be responsible and accountable as the technical authority and Security Control Assessor (SCA) for the authorization of all systems under their cognizance and to ensure system design and development balance mission requirements and risk per reference (e) and enclosure (1).

Memorandums and Letters

Air Force Guidance Memorandum Civil Engineering Control Systems Cybersecurity Feb 2017 - establishes cybersecurity policy for civil engineer (CE)-owned or operated control systems (CS). This Memorandum details the unique operational characteristics of Air Force (AF) CS, outlines roles and responsibilities for managing risk under the Risk Management Framework, and implements guidance and policy for securing and mitigating risk to AF CE CS. This Guidance Memorandum supersedes Engineering Technical Letter 11-1 and applies to all military and civilian Air Force personnel, the Air Force Reserve and the Air National Guard. Compliance with this Memorandum is mandatory.

Air Force Civil Engineering Center (AFCEC)’s Cybersecurity Requirements for Vendors on Facility-Related Control Systems (FRCS) Feb 2019 - The AFCEC Authorizing Official (AO) has identified and established the baseline of 47 Security Controls with 320 Assessment Procedures (AP). The proposed vendor is responsible for the following: performing an initial security assessment and a scan of vulnerabilities, applying all relevant DISA Security Technical Implementation Guide (STIG) configuration, providing a copy of the scan results to the USAF CE unit, and mitigating the identified vulnerabilities prior to final acceptance by USAF through the RMF Methodology by uploading the evidence into eMASS. Below are the approved standardized templates to be completed and then used as eMASS artifacts. Once the vendor has completed the assessment and submitted it for review, it will flow in eMASS to the AFCEC/COOI Compliance Branch for validation and submission to the SCAR => SCA => AODR => AO. Any questions can be directed to the AFCEC/COOI org box: afcec.comi.ics@us.af.mil.

Air Force Related Documents:

Navy RMF Steps 1 and 2 Jan 2017 – 2019 – The Navy RMF Steps 1 and 2 provides guidance and templates to complete the RMF Steps 1 and 2 Categorization process and the Security Assessment Plan (SAP).

Navy Related Documents:

Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review March 2019 - Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense's (DoD's) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor's internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD's CUI.

Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review Feb 2019 - Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense's (DoD's) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor's internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD's CUI.

Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review Jan 2019 - Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a means to safeguard the Department of Defense's (DoD's) controlled unclassified information (CUI) that is processed, stored or transmitted on the contractor's internal unclassified information system or network. Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD's CUI.

ASD EI&E Managing Cyber Risks to Facility-Related Control Systems Memorandum 2016 - Cyber-attacks on DoD Information Technology (IT) demonstrate the need for continuous vigilance and effective defensive measures. Per references (a) through (c), system owners and operators are accountable for system operational resilience and cybersecurity defense posture. To that end, your staffs shall develop plans identifying the goals, milestones and resources needed to identify, register, and implement cyber security controls on DoD facility-related control systems under your cognizance. Plans shall be submitted to the point of contact listed below by December 31, 2016, and shall identify steps to obtain required resources and mitigate vulnerabilities per reference (b). The goal is to implement cybersecurity controls on the most critical facility-related control systems by the end of Fiscal Year 2019.

DASD Installation Energy FY 2019/FY 2020 Energy Resilience and Conservation Investment Program and Plans for the Remainder of the Future Years Defense Program Guidance Memorandum 2017 - This memorandum is a data call for Defense Components to submit proposed Energy Resilience and Conservation Investment Program (ERCIP) projects for FY 2019/FY 2020 and for the remainder of the Future Years Defense Program (FY 2021 to FY 2023). Detailed guidance for the FY 2019/FY 2020 ERCIP program is included in Attachment A. New this year is the addition of energy resilience/security as a separate project category, as the Department of Defense has been given new authorities in the National Defense Authorization Act of 2017.

DoD Deputy Secretary of Defense Accelerating Enterprise Cloud Adoption Memorandum 12-2017 – I am directing aggressive steps to establish a culture of experimentation, adaption, and risk-taking; to ensure we are employing emerging technologies to meet warfighter needs; and to increase speed and agility in technology development and procurement.

Deputy Secretary of Defense Mission Assurance Assessment Program Interim Implementation Memorandum April 2015 – The 2012 Mission Assurance Strategy seeks to align risk management programs within the Department of Defense. As a next step in this effort, the Department will integrate all higher headquarters vulnerability assessments under the Mission Assurance Assessment Program (MAAP), which will be coordinated by the Chairman of the Joint Chiefs of Staff (CJCS). The MAAP methodology is an integrated approach to assessing risk to mission. Final guidance is forthcoming, and in the interim, this memorandum institutes guidance for the MAAP related to roles and responsibilities, assessments priorities and related assessment periodicities. By FY 2017, the MAAP will institute the MAA, a risk assessment consisting of a criticality assessment, threat/hazard assessments, and vulnerability assessment. This assessment will serve as the higher headquarters assessment for the following programs: Defense Critical Infrastructure Program; Anti-Terrorism; Continuity of Operations Program; Emergency Management; Cyber Security; Physical Security; and Chemical, Biological, Radiological, and High-Yield Explosive Preparedness.

DoD CIO Risk Management Framework Assess Only Guidance 2017 - Clarify and expand the RMF Assess Only guidance that is in Department of Defense Instruction (DODI) 8510.01. All IT Services and Products have cybersecurity considerations even though they might not be authorized for operation by implementing the full 6-step RMF process. However, cybersecurity requirements must still be identified, tailored appropriately, and assessed or evaluated before operational use, whether they are included in a system's authorization boundary or not. The Assess Only construct identifies two assessment approaches: 1) the Assess, Approve for Use, and Inherit which addresses IT products and services that are assessed, but do not become part of an authorized system's authorization boundary, and 2) the Assess and Incorporate approach which addresses IT products or services that will become part of another authorized system's authorization boundary.

DoD CIO GIAC GICSP Approval Letter 2016 - Based on the Information Assurance (IA) Workforce Improvement Program Advisory Council Certification Committee's recommendation, I am pleased to inform you that the GIAC Global Industrial Cyber Security Professional (GICSP) certification is approved for the Department of Defense (DoD) Computer Network Defense Analyst (CND-A), Computer Network Defense Infrastructure Support (CND-IS) and Information Assurance Technical Level II (IAT Level II) workforce categories. The certification met the requirements of the DoD Manual 8570.01 "Information Assurance Workforce Improvement Program" and has good alignment to the category and levels for which approved.

DoD CIO Cybersecurity Reciprocity Memorandum 2016 - The Department of Defense (DoD) requires speed and agility in the delivery of warfighting capability to the field and must deliver secure solutions. Achieving this balance requires scarce security resources be spent on due diligence and analysis, rather than redundant and unnecessary testing. As stated in the Reference, it is Department policy that "The DoD RMF presumes acceptance of existing test and assessment results and authorization documentation." Although this principle has been Department policy, Components frequently do not evaluate the enterprise-wide body of evidence developed by other components in their earlier authorizations of common systems or software. This is the very basis for reciprocity. Effective immediately, in accordance with the Reference, Components shall maximize the use of assessment results and authorizations of common information technology systems and software by fellow Department Components in earlier deployments.

DoD CIO Approval of Multi-Factor Authentication Alternatives 000744-17 Gemalto SafeNet eToken PASS Model 30002016 Memorandum 2017 - This memorandum certifies the Gemalto SafeNet eToken PASS Model 3000 as a DoD-approved technology that may be used on the Non-classified Internet Protocol Router Network (NIPRNet) as part of an alternate MFA solution under References (a) and (b). The eToken PASS Model 3000 is a one-time password capability that can be used in combination with another factor (e.g. a PIN) to facilitate user-authentication. While it provides greater assurance than a user name and password, it provides less assurance than DoD-approved PKI, and is not intended as a broad replacement for DoD-approved PKI. The eToken PASS Model 3000 was evaluated by the PUWG, and may be used to authenticate to both privileged and non-privileged user accounts.

DoD CIO Approval of Identity Federation Service Providers 000751-17 Centrify Server Suite and Centrify - This memorandum certifies and approves the Centrify Server Suite (CSS) and Centrify Privileged Service (CPS) as DoD-approved IFS on both the Non-classified Internet Protocol Router Network (NIPRNet) and the Secret Internet Protocol Router Network (SIPRNet). CSS and CPS may be used to facilitate user-authentication in combination with DoD-approved Public Key Infrastructure and/or alternative Multi Factor Authentication credentials. Centrify Server Suite facilitates privileged and unprivileged user-authentication via Microsoft Active Directory to workstations and servers utilizing Linux Operating Systems. Centrify Privileged Service is a gateway that facilitates privileged-user authentication to the system or application that the privileged user administers.

DoD USD AT&L Windows 10 Compatibility Assessment for Weapon Systems Memorandum 2016 - On February 26, 2016, the Deputy Secretary of Defense directed that the Department of Defense (DoD) transition to and deploy the Microsoft Windows 10 Operating System (OS) using the DoD Secure Host Baseline (SHB) by January 31, 2017.

DUSD EI&E Real Property-related Industrial Control System Cybersecurity Memorandum 2014 - The Department's computer networks and systems are under incessant cyber attack, and specific steps are underway to implement trustworthy cybersecurity practices. Recognizing the increased threats, vulnerabilities, and risks the Department recently updated the Department of Defense Instruction (DoDI) 8500.01, Cybersecurity on March 14, 2014, and the DoD 8510.01, Risk Management Framework on March 12, 2014. For the first time, these instructions mandate that Industrial Control Systems (ICS) be made secure against cyber attacks by implementing a Risk Management Framework (RMF). Real property-related ICS includes, but is not limited to, building automation systems, energy/utility monitoring and control systems, computerized controllers on heating, ventilation and air conditioning equipment, smart meters, etc. Damage to or compromise of any ICS may be a mission disabler. For example, disruption of a computerized chiller controller could deleteriously impact critical military operations and readiness. A more serious mission disabling event could occur if the ICS was used as a gateway into the installation's Information Technology system or possibly the Department's broader information networks.

DUSD Principal Cyber Advisor Mitigating Cyber Risks to Platform Information Technology and Control Systems Memorandum 2017 - Cybersecurity of DoD critical infrastructure (CI) and Industrial Control Systems (ICS) remains an area of serious concern for operational commanders (REF A), the Services, and the Department. Congress recently expressed similar concern through language in the 2017 NDAA (REF B) with focus on the evaluation of cyber vulnerabilities of DoD CI. To strengthen the Department's cybersecurity posture and reduce vulnerabilities that impact support to our operating forces and supporting systems, it is clear we must address the increasing risks of cyber-attacks on DoD Information Technology (IT), Platform Information IT (PIT), and Industrial Control Systems (ICS) present in and/or supporting DoD networks, weapon systems, critical enabling capabilities and key critical infrastructure (collectively "PIT Systems").

Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information) - The DoD implementation of the EO was issued December 2015 as the “Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information).”

OUSD Director for Defense Intelligence Guidance on Implementation of Controlled Unclassified Information Memorandum 2017 – This memorandum provides clarification regarding the Department of Defense (DoD) policy and implementation requirements for the protection of controlled unclassified information (CUI). The Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA) published, and released 32 Code of Federal Regulations (CFR) Part 2002, “Controlled Unclassified Information (CUI); Final Rule,” the implementing requirements for Executive Order 13556, “Controlled Unclassified Information,” with an effective date for implementation of November 14, 2016.

OUSD Director, Defense Pricing/Defense Procurement and Acquisition Policy Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting Memorandum 2017 – The Department amended the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 to provide for the safeguarding of controlled unclassified information when residing on or transiting through a contractor’s internal information system or network. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, to safeguard covered defense information that is processed or stored on their internal information system or network. Contractors, who will self-attest to meeting these requirements, have until December 31, 2017, to implement NIST SP 800-171.

PACOM-NORTHCOM Letter to SECDEF Cybersecurity of DoD Critical Infrastructure Industrial Control Systems 2016 – We respectfully request your assistance in providing focus and visibility on an emerging threat we believe will have serious consequences on our ability to execute assigned mission if not addressed - Cybersecurity of DoD Critical Infrastructure Industrial Control Systems (ICS). We believe this issue is important enough to eventually include in your cyber scorecard. We must establish clear ownership policies at all levels of the Department, and invest in detection tools and processes to baseline normal network behavior from abnormal behavior. Once we’ve established this accountability, we should be able to track progress for establishing acceptable cybersecurity for our infrastructure ICS.

USCYBERCOM TASKORD 16-0043 MICROSOFT WINDOWS 10 SECURE HOST BASELINE (SHB) 2016 - This TASKORD directs DOD CC/S/A/FA to immediately conduct planning, resourcing, preparation and execution for the migration of all existing Windows clients that run non-server Microsoft Windows operating systems on DOD information networks, on all unclassified, Secret fabric, and Top Secret Collateral DOD information systems, including DOD programs, special access programs, mission systems, and strategic, tactical, and research, development, training, and evaluation systems to include all computing systems currently running Windows operating systems including PIT, and weapons systems to the maximum extent possible to Windows 10 and the SHB to improve network security and operational resilience with a completion date of 31 January 2017.