The Continuous Monitoring (CM) Strategy has been developed by the DOD using the DISA Endpoint Security Solutions (ESS) tool suite for the Level 4 Operations Center servers and workstations. The Project PM and support/system integrator contractors will be given guidance on the tools and applications to use for Level 3 and below components and devices.
For FRCS projects that require connection to the DoDIN, the Project Team will be required to demonstrate the solution is compatible with the FRCS continuous monitoring Host-Based Scanning System (HBSS) and the Assured Compliance Assessment Solution (ACAS) for Level 4, using active scanning and a FRCS passive network monitoring capability to provide end-to-end monitoring of both legacy systems and new systems that can support end-to-end active scanning as shown in Figure 1. The monitoring capability will be based on a robust, multi-tier architecture that provides local, regional, and NSOC alarm monitoring, as well as remote alarm assessment, dispatch, and response. The multi-tier structure provides multiple levels of FRCS event visibility that corresponds to the DoD Mission Assurance program and includes redundant primary and secondary monitoring capability within regions or in clusters.
Figure 1 – Active Scanning and Passive Monitoring of the FRCS
Note: FRCS Level 4 servers, workstations, laptops, firewalls, switches, routers and other IT equipment are capable of HBSS/ACAS active scanning, and some newer Level 3 devices and components can be actively scanned. Many older Level 3 and almost all Level 2 devices and components and below do not have the capability to be actively scanned and GREAT CARE must be exercised when establishing the IP scan range and subnets. In general, Passive Monitoring and manual audit/inspection of Level 3 and below should be performed.
For Closed Restricted Network (CRN) projects, FRCS monitoring capability shall be analyzed on a case-by-case basis to determine suitability and cost effectiveness.
FRCS contractors cannot use non-approved laptops/ computer and external portable media storage devices on the DoD network; only FRCS/ UCS/ BCS/ DDC government-approved field laptop and portable media will be used for both the Test and Development Environment and the Production system.
While no FRCS can be guaranteed to continue to function and operate when a determined advisory has targeted the FRCS, the ability to withstand cyberwar attacks, even if in a degraded state, is a key consideration, particularly for Mission Critical and Mission Essential facilities. Contractors should design, construct, and operate the FRCS in accordance with the USCYBERCOM Industrial Control Systems Advanced Techniques, Tactics, and Procedures 2016. Understanding how to Detect, Mitigate, and Recover from a cyberattack on the FRCS is vital; the Jump-Kit Rescue CD is a key deliverable that defines the Fully-Mission Capable (FMC) Baseline and is the living document that maintains the current FRCS configurations and operating parameters. USCYBERCOM, the Network Security Operations Center (NOSC), and the services Facilities-Related Control Systems Operations Center (FRCSOC) use the FMC to develop and manage the Continuous Monitoring strategy and conduct auditing on a regular basis.
FRCS Configuration Management and Auditing
A FRCS configuration Standard Operating Procedure (SOP) shall be established to support effective and efficient monitoring and auditing of the FRCS. Managing the configuration and auditing requires the following:
- Maintain baseline configurations in accordance with technical specifications for systems and security technology set forth by the PE.
- Establish and enforce security configurations for individual FRCS applications such as HVAC, Lighting, and IDS systems and products.
- Monitor and control changes to the baseline configurations and to the constituent components of security systems (including hardware, software, firmware, and documentation) throughout the respective system lifecycle. Configuration management can be largely accomplished through updating FRCS documentation received during initial project installation.
- Perform regular system, application and user audits of the FRCS