The DoD CIO uses three primary tools to inventory and report on the status of IT and OT FRCS: the enterprise Mission Assurance Support System (eMASS), the Defense Information Technology Repository Tool (DITPR), and the Select & Native Programming Data Input System for Information Technology (SNaP-IT).

eMASS is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully-integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) for Department of Defense (DOD) Information Technology (IT) and DOD Information Assurance Certification and Accreditation Process (DIACAP) Package Reports. eMASS provides an integrated suite of authorization capabilities and prevents cyber-attacks by establishing strict process control mechanisms for obtaining authority to connect information systems to DOD networks.

PIT Systems undergo both security assessment and authorization by an AO. The enterprise system used to track DoD IT, including PIT, is the Enterprise Mission Assurance Support Service (eMASS). Both Assess and Authorize (AA) and Assess and Evaluate (AE) FRCS will be entered into eMASS. In order to standardize how EI&E-owned and -operated FRCS information is entered into eMASS, the DoD CS Working Group (WG) is working to incorporate new data fields and OT capabilities into eMASS. Use this step-by-step guidance document to understand eMASS. 

DITPR contains a comprehensive unclassified inventory of the DoD’s mission critical and mission essential information technology systems and their interfaces. It contains basic overview information on all DoD IT systems, including system names, acronyms, descriptions, sponsoring component, approval authority, points of contact, and other basic information required for any analysis of DoD inventory, portfolios, or capabilities. It supports the Title 40/Clinger-Cohen Act inventory requirements and the capital planning and investment processes of selection, control, and evaluation.

SNaP-IT is used for publishing the DoD Information Technology (IT) Budget Estimates to Congress, the Circular A-11 Section 53 and Section 300 exhibits to the Office of Management and Budget (OMB), and for monthly IT performance reporting to the OMB IT Dashboard.

Facility-Related Control Systems Platform Enclave (PE)

The Facility-Related Control System Platform Enclave (PE) is the “Traditional IT Front-End” and is defined in UFC 4-010-06 Cybersecurity of Facility-Related Control Systems Reference Architecture, shown in Figure 1.

Figure 1 – 5-Level Control System Architecture


Significant portions of the control system resemble a standard IT system which can be implemented in a standard manner for different control systems, regardless of the details of the control system itself. This has led to the creation of the Platform Enclave concept, which groups the “standard IT” portions of the control system, plus related standard policies and procedures, into an entity which can be handled separately from the rest of the control system. In some cases, this Platform Enclave will be separately authorized and the overall control system will have two authorizations, one for the Platform Enclave and one for the Operational Architecture which primarily covers the “non-standard IT” components of the system. In other cases, a single authorization will be used for the entire system. Even in cases where a single authorization is used, however, it’s helpful to identify and categorize the “standard IT” portions of the control system.

Using the UFC Reference Architecture, components and agencies develop their respective architecture, such as the Air Force Community of Interest Network Enclave (COINE) PE shown in Figure 2.

Figure 2 – Air Force Community of Interest Network Enclave (COINE)

The PE Level 3, 4 and 5 servers, workstations, laptops, firewalls and switches now become the responsibility of the CIO IT or third-party owner to resource, operate and maintain. The Energy, Infrastructure and Environment (EI&E) will continue to resource, maintain and operate the Operational Architecture/Operational Technologies with MILCON and SRM funds. This arrangement will ensure that the PE assets undergo technology refresh that is compliant with the Joint Information Environment (JIE), and are able to utilize the Host-Based Scanning System (HBSS)/Assured Compliance Assessment Solution (ACAS).

IS/FRCS Hybrid/Converged Systems

Some control systems (also commonly called Operational Technology or OT) are a hybrid of traditional IS and FRCS. These hybrid/converged systems contain or transmit Personally Identifiable Information (PII), Protected Critical Infrastructure Information (PCII), Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) information/data. Consequently, they need to be registered and maintained in DITPR, SNaP-IT, and eMASS. Examples of systems that may be hybrid/converged systems include:

  • Access control/alarm systems that use badges/Common Access Cards and Active Directory for keyless entry (contain PII)
  • Keyless entry/keypad systems that use Active Directory (contain PII)
  • Meter data management systems that interconnect with a local utility with real time demand and response (if the meter data is determined to contain PCII)
  • Pediatric Monitoring Systems (contain PII, HIPAA)
  • Vehicle fueling/charging stations/pumps with credit card swipe (contain PCI)
  • Computerized maintenance management systems/work order systems that interconnect with control system back-end controllers and devices (if the system is determined to contain PCII or PII).

For DoD, the installation infrastructure issue is complicated by the use of Defense Business Systems (DBS) as a primary IS type. In general, FRCS are not a DBS, but when a FRCS relies upon a DBS Active Directory for identity and access management credentials, the hybrid/converged FRCS becomes reportable as a FISMA and Federal Identity, Credential, and Access Management (FICAM) system, and requires a corresponding DITPR and SNaP-IT investment.

As more of these OT FRCS become interconnected and connected to the Internet of Things (IoT), the distinction between what is an IS, a DBS, and a FRCS will become even more challenging. Nonetheless, the vast majority of FRCS will not be registered or maintained in DITPR. If in doubt, register a system in eMASS regardless of whether it is an IS, FRCS, IS/CS hybrid, or FISMA-reportable. The AO and the Information System Security Manager (ISSM) may coordinate with the DoD or Component CIO for guidance on DITPR and SNaP-IT registration. The IS FRCS Decision Tree in Figure 3 and Table 1 provide examples of what systems should typically be registered in each of the three systems.

Figure 3 – IS and FRCS Decision Tree


| eMASS Assess and Authorize or Assess and Evaluate | eMASS Name | BMA | NIST Standard | C-I-A | CIO Registry |
|---|---|---|---|---|---|
| AA - ATO | SITE1-FRCS-PE-I-AA | CIO EIEMA | NIST 800-53 R4 | H-H-H | eMASS, DITPR, SNaP-IT (FISMA) |
| AE | SITE1-FRCS-BCS-NI-AE | IE | NIST 800-82 R2 | M-M-H | eMASS |
| AE | SITE1-FRCS-UCS-NI-AE | IE | NIST 800-82 R2 | M-M-M | eMASS |
| AE | SITE1-FRCS-FLS-NI-AE | IE | NIST 800-82 R2 | M-M-H | eMASS |
| AA - ATO | SITE1-FRCS-ESS-I-AA | DSE | NIST 800-53 R4, 800-82 R2, Privacy Act Overlay | H-H-H | eMASS, DITPR, SNaP-IT (FISMA/FICAM) |

Table 1 – Examples of FRCS CIO Tools Registries Entries
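The registration rules spread across the hybrid/converged discussion and Table 1 can be written down as a small checker. The following is an added example, not part of the guidance document or any DoD tool: it parses the eMASS naming pattern used in Table 1, derives the registries a system must be entered in, and validates the Table 1 rows against that rule. Two points are assumptions rather than statements on the page: that the eMASS name follows the pattern SITE-FRCS-TYPE-I|NI-AA|AE with the last token being the authorization path, and that the rule "Assess and Authorize systems, hybrid/converged systems holding PII/PCII/HIPAA/PCI data, and FRCS relying on a DBS Active Directory are registered in all three tools; everything else in eMASS only" is the correct generalization of the table and the text.

```python
"""
Added example (not from the guidance document): encode the FRCS
registration guidance and check the Table 1 rows against it.

Assumptions, labelled here because the page does not state them:
  * eMASS names follow SITE-FRCS-<TYPE>-<I|NI>-<AA|AE>; only the last
    token (authorization path) is interpreted, the I/NI token is kept
    but not assigned a meaning;
  * every system goes into eMASS; DITPR and SNaP-IT are added when the
    system is Assess and Authorize (every AA row in Table 1 carries all
    three), holds PII/PCII/HIPAA/PCI data (hybrid/converged systems per
    the text), or relies on a DBS Active Directory for credentials
    (FISMA/FICAM-reportable per the text).
"""
from dataclasses import dataclass

REGULATED_DATA = {"PII", "PCII", "HIPAA", "PCI"}


@dataclass(frozen=True)
class FrcsSystem:
    emass_name: str
    data_types: frozenset = frozenset()   # subset of REGULATED_DATA
    relies_on_dbs_ad: bool = False        # DBS Active Directory for IdAM


def parse_emass_name(name):
    """Split SITE-FRCS-TYPE-I|NI-AA|AE into its tokens (assumed convention)."""
    parts = name.split("-")
    if (len(parts) != 5 or parts[1] != "FRCS"
            or parts[3] not in ("I", "NI") or parts[4] not in ("AA", "AE")):
        raise ValueError(f"unrecognised eMASS name: {name}")
    site, _, system_type, interconnect, path = parts
    return {"site": site, "type": system_type,
            "interconnect": interconnect, "path": path}


def required_registries(system):
    """Return the set of CIO registries the system must be entered in."""
    unknown = set(system.data_types) - REGULATED_DATA
    if unknown:
        raise ValueError(f"unknown data types: {sorted(unknown)}")
    registries = {"eMASS"}        # "If in doubt, register a system in eMASS"
    path = parse_emass_name(system.emass_name)["path"]
    hybrid = bool(system.data_types)   # carries PII/PCII/HIPAA/PCI
    if path == "AA" or hybrid or system.relies_on_dbs_ad:
        registries |= {"DITPR", "SNaP-IT"}
    return registries


# Table 1 rows as printed above (path, eMASS name, registry column as a set).
TABLE_1 = [
    ("AA", "SITE1-FRCS-PE-I-AA", {"eMASS", "DITPR", "SNaP-IT"}),
    ("AE", "SITE1-FRCS-BCS-NI-AE", {"eMASS"}),
    ("AE", "SITE1-FRCS-UCS-NI-AE", {"eMASS"}),
    ("AE", "SITE1-FRCS-FLS-NI-AE", {"eMASS"}),
    ("AA", "SITE1-FRCS-ESS-I-AA", {"eMASS", "DITPR", "SNaP-IT"}),
]


def check_table_rows(rows=TABLE_1):
    """Return the names of rows whose suffix or registries disagree with the rule."""
    mismatches = []
    for path, name, registries in rows:
        parsed = parse_emass_name(name)
        expected = required_registries(FrcsSystem(name))
        if parsed["path"] != path or expected != registries:
            mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    print("Table 1 mismatches:", check_table_rows())
    # A keyless-entry system assessed AE but holding PII (hybrid) still
    # needs all three registries under the text's hybrid/converged rule.
    print(required_registries(FrcsSystem("SITE1-FRCS-ESS-NI-AE", frozenset({"PII"}))))
```

The checker is deliberately conservative in the same direction as the text: whenever a system is AA, hybrid, or dependent on a DBS directory, it demands the full DITPR and SNaP-IT registration rather than trying to reproduce every branch of the Figure 3 decision tree, which is not reproduced on the page.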