Department of Defense Instruction (DoDI) 8500.01, Cybersecurity, and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), incorporate Platform IT (PIT) into the RMF process. PIT is a category of both IT hardware and software that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems. PIT is further categorized as PIT products, PIT subsystems, or PIT systems. PIT differs from “traditional” IT in that it is integral to – and dedicated to the operation of – a specific platform. Although the term PIT is used only by DoD, the concept of categorizing components and systems dedicated to the operation of a specific platform is not. For example, within the private sector, the term “Operational Technology” (OT) is also used to refer to these systems and components.
The most common forms of Energy, Installation and Energy (EI&E) PIT are Facility-Related Control Systems (FRCS), which are a combination of control components (e.g., electrical, mechanical, hydraulic, or pneumatic, etc.), special purpose controlling devices, and standard IT that act together upon underlying mechanical and/or electrical equipment to achieve an objective (e.g., transport of matter or energy, maintain a secure and comfortable work environment, etc.). All automated control systems are considered PIT. Industrial Control Systems (ICS) are automated control systems that act upon industrial systems and processes. ICS is used as a general term that encompasses several – but not all -- types of control systems. These include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other control systems, such as the Programmable Logic Controllers (PLCs) often found in the industrial sector and critical infrastructure. In the past, the Assistant Secretary of Defense for Energy, Installations and Environment (ASD(EI&E)) community used ICS in an even broader sense to represent all types of control systems (SCADA, DDC, DCS, building, vehicle, transportation, etc.). However, since most uses of the term ICS do not pertain to industrial systems or processes, the term “Control System” is used herein for this general category of PIT.
The EI&E community is responsible for all FRCS related to real property assets (facilities), including but not limited to:
- Control System Platform Enclaves (PE)
- Airfield Systems (AS)
- Pier Systems (PS)
- Environmental Monitoring (EM)
- Electronic Security Systems (ESS)
- Fire & Life Safety (FLS)
- Dam, Lock & Levee Systems (DLL)
- Medical Control Systems (MED)
- Traffic Control Systems (TCS)
- Transportation & Fueling Systems (TFS)
- Meteorological Control Systems (MET)
- Building Control Systems (BCS)
- Utility Control Systems (UCS)
- Utility Monitoring & Control Systems (UMCS)
NOTE: For the purposes of this guidance, all references to “Platform IT”, “PIT”, “Control Systems”, and “FRCS” pertain only to those items owned and operated by the Energy, Installations and Environment community.
To protect its facilities and infrastructure, DoD needs to know the type, quantity and purpose of PIT it owns and uses. For all PIT identified, including FRCS, the PIT owner, in coordination with an Authorizing Official (AO), must determine whether a collection of PIT products and/or subsystems “rises to the level of” a PIT System. In accordance with DODI 8510.01, PIT products and/or subsystems which do not rise to the level of a PIT System must undergo security assessment, but do not necessarily need to be authorized under the RMF. However, PIT Systems undergo both security assessment and authorization by an AO.
The enterprise system used to track DoD IT, including PIT, is the Enterprise Mission Assurance Support Service (eMASS). Both “Assess and Authorize” and “Assess-Only” CS will be entered into eMASS. In order to standardize how EI&E-owned and -operated CS information is entered into eMASS, the DoD CS Working Group (WG) is working to incorporate new data fields and PIT capabilities into eMASS. DoD has developed a list of common FRCS and a corresponding control overlay selection tool for selecting an appropriate combination of security controls in the EI&E FRCS Master List. The EI&E FRCS Master List is maintained along with this step-by-step guide on the DoD Chief Information Officer (CIO) RMF Knowledge Service portal and the ESTCP website, where it will remain a living document.
Requests for information about cybersecurity of FRCS and other PIT associated with DoD facilities that are not listed in the companion EI&E PIT Control System Master List should be sent to the component representative and the ASD-EI&E representatives listed here:
Throughout industry, and informally within DoD, the term Operational Technology (OT) is used to differentiate control systems from traditional Information Systems (IS). Other emerging terms related to control systems include Hybrid/Converged Systems, Cyber Physical Systems, the Internet of Things, and the Industrial Internet of Things. Current working definitions are provided in the glossary linked to this webpage.
Some control systems are a hybrid of traditional IS and FRCS. These hybrid/converged systems can contain or transmit Personally Identifiable Information (PII), Protected Critical Infrastructure Information (PCII), Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) information/data. Consequently, they need to be registered and maintained in DITPR, Snap-IT, and eMASS. Examples of systems that may be hybrid/converged systems include:
- Access control/alarm systems that use badges/Common Access Cards and Active Directory for keyless entry (contain PII)
- Keyless entry/keypad systems that use Active Directory (contain PII)
- Meter data management systems that interconnect with a local utility with real time demand and response (if the meter data is determined to contain PCII)
- Patient Monitoring Systems (contain PII, HIPAA)
- Vehicle fueling/charging stations/pumps with credit card swipe (contain PCI)
- Computerized maintenance management systems/work order systems that interconnect with control system back-end controllers and devices (if the system is determined to contain PCII or PII)
For DoD, the installation infrastructure issue is complicated by the use of Defense Business Systems (DBS) as a primary IS type. In general, FRCS are not a DBS, but when a FRCS relies upon a DBS active directory for identity and access management credentials, the hybrid/converged system becomes subject to FISMA and reportable as a Federal Identity, Credential, and Access Management (FICAM) system and also as DITPR requirement.
As more of these systems become interconnected and connected to the internet, the distinction between what is an IS, a DBS, and FRCS will become even more challenging. Nonetheless, the vast majority of FRCS will not be registered or maintained in DITPR. If in doubt, register a system in eMASS regardless of whether it is an IS, FRCS, IS/FRCS hybrid, or FISMA-reportable. The AO and the Information System Security Manager (ISSM) may coordinate with the DoD or Component CIO for guidance on DITPR and SNaP-IT registration. The DoD CIO will issue guidance for reporting of PIT cybersecurity costs – to include upgrades to legacy systems, turn-key acquisitions to meet network protection requirements, and continuous cyber monitoring.