An example sequence and duration of FRCS activities during design and construction is outlined in Table 1.

Table 1 Typical Sequence of FRCS Design and Construction Activities

Columns: Activity / Lead; New Project; Renovation Project; Typical Duration

Presolicitation RFP Considerations

New Project: Obtain the Regional and ESTCP Platform Enclaves categorization and categorize the FRCS. Use the EI&E FRCS Master Control List for C-I-A Values and Information/Data Types.

Renovation Project: Obtain the Regional and local Platform Enclaves categorization and categorize the FRCS. Use the EI&E FRCS Master Control List for C-I-A Values and Information/Data Types.

Typical Duration: NA

Design

  • Basis of Design
  • Concept Design (10-15%)
  • Design Development (35-50%)
  • Pre-Final (90%)
  • Final (100%)

Lead: A/E

Documents/Models/Tools:

  • Construction Design Documents / Building Information Model (BIM) / CAD
  • CSET
  • GrassMarlin
  • Draft Baseline System Security Plan (SSP)
  • IT Contingency Plan and CONOPS (ITCP)

New Project: FRCS front end or new subsystem back end to connect to front end. Confirm/revise system categorization, define network architecture, system components, concept of operations, drawings, and specifications. At 90% design, create initial SSP and baseline security risk assessment.

Renovation Project: FRCS front end upgrade or subsystem modernization. Confirm/revise system categorization, define network architecture, system components, concept of operations, drawings, and specifications. At 90% design, create initial SSP and baseline security risk assessment.

Typical Duration: 3-6 Months

Construction

Test and Development (T&D) and Patch Management Environments (Virtual or Physical)

Lead: Construction/System Integrator

Documents/Models/Tools:

  • VM
  • Kali Linux
  • SamuraiSTFU

New Project: Conduct FRCS build and patch activities without impacting the organization’s production systems (test and development environment typically provided by vendor).

Renovation Project: Validate and verify the upgrade/modernization/patch is ready to support the additional systems without impacting the organization’s production systems (test and development environment typically provided by vendor).

Typical Duration: 4 – 6 weeks

Construction

Build/Configure Servers

New Project: Build and/or configure servers to properly operate the FRCS solution.

Renovation Project: Build and/or configure servers to properly operate the FRCS solution.

Typical Duration: 1 – 2 weeks

Construction

Install Supporting Software

Lead: Construction/System Integrator

New Project: Install supporting software on FRCS servers.

Renovation Project: Install supporting software on FRCS servers.

Typical Duration: 1 – 2 weeks

Construction

Configure Supporting Software

Lead: Construction/System Integrator

Documents/Models/Tools:

  • STIGs
  • SCAP
  • Continuous Monitoring
  • Kali Linux
  • SamuraiSTFU
  • FAT/SAT Checklist
  • Penetration Testing Scope and ROE (if required)
  • Jump-Kit Rescue CD

New Project: Configure FRCS software to meet unique needs. After the operating system is loaded, apply hardening criteria (STIGs), run a Security Content Automation Protocol (SCAP)-validated tool, perform factory acceptance testing (FAT) on major system components and devices, and perform initial penetration testing.

Renovation Project: Configure FRCS software to meet unique needs. After the operating system is loaded, apply hardening criteria (STIGs), run a Security Content Automation Protocol (SCAP)-validated tool, perform FAT on major system components and devices, and perform initial penetration testing.

Typical Duration: 1 – 2 weeks

NOTE: If a vendor will be creating a STIG for the UMCS Front-End or lower Level devices, this process can take several months to a year. Apply STIGs to the PE and isolate lower Levels until vendor STIGs are approved.

Construction

Implement and assess security controls

Lead: construction/system integrator

Documents/Models/Tools:

  • CSET
  • SSP
  • Security Assessment Report (SAR)
  • Plan of Action & Milestones (POAM)
  • ITCP
  • Event/Incident Communications Procedures (EICP)
  • Security Incident Response Procedures (SIRP)
  • Penetration Testing Scope, ROE, Checklist (if required)
  • Jump-Kit Rescue CD

New Project: Conduct RMF Steps 3 and 4 by applying controls identified during the requirements and design phase, by assessing the adequacy and effectiveness of security controls, and by documenting findings in the security assessment report. Create draft approval package.

Renovation Project: Conduct RMF Steps 3 and 4 by applying controls identified during the requirements and design phase, by assessing the adequacy and effectiveness of security controls, and by documenting findings in the security assessment report. Create draft approval package.

Typical Duration: 12 – 20 weeks

Conduct testing on initial build

Lead: construction/system integrator

Documents/Models/Tools:

  • Kali Linux
  • SamuraiSTFU

New Project: Test the FRCS solution in a test and development environment to ensure system errors are found and corrected before the solution is deployed on the network.

Renovation Project: Test the FRCS solution in a test and development environment to ensure system errors are found and corrected before the solution is deployed on the network.

Typical Duration: 2 – 4 weeks

Construction - conduct pilot implementation deployment

Lead: construction/system integrator

Documents/Models/Tools:

  • Kali Linux
  • SamuraiSTFU
  • Penetration Testing Scope, ROE, Checklist (if required)
  • Jump-Kit Rescue CD

New Project: Pilot the FRCS solution on a small subset of the user base to evaluate the solution against real-world requirements. Conduct site acceptance testing and, if required, final penetration testing, and create the final approval package.

Renovation Project: Conduct site acceptance testing and, if required, final penetration testing, and create the final approval package.

Typical Duration: Varies with size of deployment (number of facilities and interconnections)

Receive Authorization (ATO) and move to production

Lead: construction/system integrator

Documents/Models/Tools:


  • Continuous Monitoring tools
  • Jump-Kit Rescue CD

New Project: Deploy the FRCS to full production and implement continuous monitoring.

Renovation Project: Deploy the FRCS to full production and extend continuous monitoring to new systems.

Typical Duration: NA