Cybersecurity Systems Branch oversees management of cybersecurity system accreditations

By Ms. Kerry Gates, July 6, 2017

Figure 1 - Risk Management Framework 6-Step Process
(Photo Credit: U.S. Army)

The U.S. Army Engineering and Support Center, Huntsville provides quality oversight for the management of cybersecurity system accreditations of Industrial Control Systems for the Department of Defense using the Risk Management Framework requirements.

The cybersecurity requirement is mandated for the defense department per the Risk Management Framework standards, in accordance with DOD Instructions 8500.01 "Cybersecurity" and 8510.01 "RMF for DOD IT," both updated and released in March 2014. Replacing the DOD Information Assurance Certification and Accreditation Process, the Risk Management Framework comprises six steps: Categorize the System, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize System, and Monitor Security Controls.

The cybersecurity project delivery team includes cybersecurity program and project managers, Industrial Control System Technical Center of Expertise technical experts and contracting professionals. The Cybersecurity Program works directly with the Industrial Control System Technical Center of Expertise, also located within Huntsville Center, to assess and authorize industrial control systems for various defense department customers.

Industrial Control Systems can include, but are not limited to, Utility Monitoring and Control Systems, Electronic Security Systems, Building Automation Systems, Supervisory Control and Data Acquisition systems and similar control systems. Huntsville Center also provides Industrial Control System technical expertise through additional programs, including the Electronic Security System Mandatory Center of Expertise, Sustainability and Energy Center of Expertise for Metering, and the Utility Monitoring Control System Mandatory Center of Expertise.

Additionally, the Cybersecurity Program is developing the capability to execute Risk Management Framework requirements for microgrids and medical systems. The program can perform studies to assist customers in evaluating if their Industrial Control System can undergo an assessment and achieve an authorization to proceed or if updates are required before applying the Risk Management Framework requirements.

When initiating a project, the cybersecurity team, in coordination with the customer, will develop an acquisition plan and execution schedule for obtaining and maintaining system accreditation. The team also ensures the contractor fulfills the duties of the contract by providing all required documentation and artifacts, to include, but not limited to, a final hardware and software list, a System Security Plan, Configuration Management Plan, Contingency Plan, Risk Assessment Report, Physical Security Plan, Patch Management Process, a Plan of Actions and Milestones, and Continuous Monitoring Plan.

The team also ensures the appropriate personnel are on site during the independent Security Control Assessor-Validator assessment to assist with answering any questions related to the system. The team can contract out the requirements for executing continuous monitoring after the Authority to Operate is achieved to ensure the certification is maintained as required under the Risk Management Framework; or the team can support the customer in ensuring the continuous monitoring process is understood and executed at the local level.

The cybersecurity team has various contract vehicles available and will work with various DOD organizations to obtain an Authority to Operate certification and will work with customers to ensure the requirements for maintaining that certification are understood and can be executed as required. Through up-front coordination and communication with the customer, the cybersecurity team ensures the customer is aware of all of the requirements for securing its system and what its roles and responsibilities as the end user and system owner will be once Authority to Operate status is achieved.

The Cybersecurity Program understands the requirements for obtaining and maintaining a Risk Management Framework Authority to Operate certification and has proven successful in obtaining those certifications for customers. The Cybersecurity Program is home to the Industrial Control System Cybersecurity Technical Center of Expertise, the Electronic Security System Mandatory Center of Expertise, the Sustainability and Energy Center of Expertise for Metering and the Utility Monitoring Control System Mandatory Center of Expertise, and has the necessary in-house support to execute a wide array of projects. The Cybersecurity Project Delivery Team provides turnkey solutions that include project management, technical expertise and contract support, and manages cybersecurity projects from inception to completion. Finally, the Cybersecurity Program has Information Assurance Management level II and level III certified cybersecurity specialists in the Industrial Control System Cybersecurity Technical Center of Expertise to assist with execution of the Risk Management Framework process to meet the customers' cybersecurity needs.