4. Download the Energy, Installations and Environment (EI&E) Control Systems Master List from the DoD CIO RMF Knowledge Service Portal EIE Resource page at https://rmfks.osd.mil/login.htm and categorize the CS, Impact Levels, and Information/Data Types following the EI&E step-by-step guidance. A generic version is provided in the Guides and Checklist section below.
5. Download the Vendor RMF Core Security Authorization Package Excel file and review the Control Correlation Identifier (CCI) questions and sample responses (note that many CCIs are automatically compliant); this will become the System Security Plan (SSP).
6. Prepare the RMF CS Type Authorization Package documents and artifacts (System Security Plan, Security Assessment Report, Plan of Action and Milestones, Contingency Plan, Event/Incident Communications Plan, Event/Incident Response Plan, Security Audit Plan). Note: template documents will be posted by Spring 2017.
8. Follow the steps in the APL Process Guide Appendix C.
9. Submit documentation to an approved Testing Facility.
10. Obtain the DISA APL Approval and Interoperability letters and send a copy to OSD EI&E, Daryl Haegley.
For Subject Matter Expert assistance in developing a Vendor Package, contact Daryl Haegley (firstname.lastname@example.org) or Tim Tetreault (email@example.com).
CONTROL SYSTEM CYBERSECURITY GUIDES AND CHECKLISTS
These Control System Risk Management Framework guides and checklists were developed for the DoD ESTCP 2017 R&D projects, but can be used by any organization with minor tailoring.
Facility-Related Control Systems Information Assurance Guide 12-2016 - this guide expands on the UFC and establishes the requirement for Subject Matter Experts, a Test and Development Environment with a list of free tools, a Design and Construction Sequence Table for new and modernization projects with FAT and SAT submittals, and contract language for RMF ATO package submittals (SSP, ITCP, SAR, POAM, EICP, IRP, SAP).
Control Systems Master List 12-2016 - this Master List breaks down the top-level control system name, sub-system name, preliminary recommended C-I-A impact value, and the information/data types for each CS.
Control Systems FAT and SAT Checklist 12-2016 - this checklist is based on the DHS ICS-CERT Control Systems Procurement guide for Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) and is used in conjunction with the IA Guide Design and Construction Sequence Table.
Control Systems Penetration Testing Guide 12-2016 - this guide is based on the EPRI Smart Grid Penetration Guide and the SANS Penetration Testing Scope and Rules of Engagement and is used in conjunction with the IA Guide Design and Construction Sequence Table.