The DoD has adopted the Risk Management Framework (RMF) for all Information Technology (IT) and Operational Technology (OT) networks, components and devices to include Facility-Related Control Systems (FRCS). FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO) on the DoD Information Network (DoDIN).
The DoD CIO RMF Portal and the Installation Environmental Security Technology Certification Program (ESTCP) website are the primary internal and external communications platforms to keep DoD stakeholders, vendors and contractors appraised of RMF policy, standards, guidance and a source of tools, checklists and templates.
The portal and our site contain the same information, but the DoD CIO RMF portal requires a CAC card to access and contains additional FOUO documents and POC’s email and phone numbers. The general format and content of the portal and our website are:
- Overview of Platform IT (PIT), Operational Technology & Facility-Related Control Systems
- Continuous Monitoring (CM) Strategy and Auditing
- Test and Development Environment (TDE)
- Design and Commissioning
- Medical Facilities-Related Control Systems, Medical Devices and Equipment
- Energy Projects, Third-party Financing and Cybersecurity
- Registering FRCS In eMASS, DITPR and SNaP-IT
- Protecting DoD Controlled Unclassified Information (CUI)
- Legislation Instructions, Manuals, Policies, Plans and Memo’s
- Resources And Tools, and Publications
- Templates and Checklists
Any organization can use the websites guidance, reference materials, checklists and templates and the majority can be used for both standard IT and FRCS, also often referred to as Operational Technology (OT) systems.
DoD Risk Management Framework Process for DoD IT Systems
Document Title | Document Purpose |
RMF Guidance, generally applicable to traditional IT as well as facility-related control systems |
|
The RMF process for all federal agencies | |
RMF applied to the DoD; facility-related controls referred to as Platform IT (PIT), akin to aircraft avionics | |
RMF Guidance, specific to facility-related control systems |
|
Applying RMF to facility related control systems | |
Specific guidance for facility-related controls in DoD | |
ESTCP Facility-Related Control Systems Cybersecurity Guidelines, Version 4 | Specific guidance for ESTCP demonstrations |
Glossary |
|
Committee on National Security Systems Instruction (CNSSI) 4009 (CNSSI documents are not accessible by hyperlink, but must be accessed via the above library link) | The most comprehensive, formally accepted glossary available |
STEP 1: Categorize the System |
|
Generally applicable categorization process | |
Categorization process specific to national security systems | |
Detailed considerations when determining categorization | |
STEP 2: Select Security Controls |
|
Baseline security controls for national security IT systems | |
Security overlay for facility-related control systems | |
Catalogue of all IT security controls with details | |
STEP 3: Implement Security Controls |
|
Applying security controls to facility-related controls | |
STEP 4: Assess Controls Effectiveness |
|
Conducting effective security control assessments | |
STEP 5: Authorize System |
|
Authorization packages | |
STEP 6: Monitor Security |
|
Continuous monitoring of information systems | |
Authority to Operate (ATO) Packages |
|
Detailed description of ATO package requirements | |
Specific data elements required for an ATO | |
Examples |
Please contact the Installation Energy (IE) or ESTCP Program Offices if you have any questions, or need additional guidance.
