ESTCP invested in a project to develop a cost-effective solution to streamline and tailor Risk Management Framework (RMF) processes for Facility-Related Control Systems (FRCS). 

The Department of Defense (DoD) manages over 500 installations where Public Works personnel are System Owners (SOs) of many FRCS, such as energy and water control systems, building control systems, microgrid controls, heating, ventilation, and air conditioning (HVAC), and several other types of control systems. Though these FRCS are usually not connected to the local enterprise network, they often support critical buildings, or critical missions depend on them.

SOs must perform RMF self-assessments to identify, mitigate, and monitor cybersecurity risks. Unfortunately, FRCS owners/operators often have little to no cybersecurity or RMF background and don’t have the required organizational security policies and procedures in place.

IPERC developed the RMF Self-Assessment Tool (R-SAT) to help bridge this gap.

R-SAT is an Excel-based tool that steps FRCS SOs through RMF Steps 1-3 to build and tailor the preliminary:

1) Security Categorization

2) Security Plan (baseline control set)

3) Self-Assessment Test Results

Enterprise Mission Assurance Support Service (eMASS) templates are populated by R-SAT for quick and easy upload to the FRCS RMF package. Security policy and procedure templates accompany R-SAT to further streamline self-assessment test results and provide a solid start for SOs to tailor and implement within their organization.

R-SAT was developed to apply across the military services and federal agencies, but specifically for FRCS. It could be easily modified to accommodate service- or agency-specific FRCS nuances, or for non-FRCS systems. Some organizations have developed their own overlays. These can be quickly integrated into R-SAT. 


For FRCS, R-SAT pulls preliminary Information Types (NIST SP 800-60) and CIA Impact Levels based on the SO’s type of FRCS from the FRCS Master List. This security categorization may be adjusted in the R-SAT form that emulates eMASS fields. Special factors specific to each FRCS type are provided to assist this tailoring.

The security categorization worked up in R-SAT is used to create the security control baseline. Applicable controls (NIST SP 800-53 and CNSSI 1253) populate the Control Information Form. Here SOs may choose to apply the ICS Overlay (NIST SP 800-82) or FRCS Moderate Overlay, and inherited (Tier 1 and Tier 2) controls. These are also populated in the Control Information Form, which has a macro to copy this information into the equivalent eMASS import template.

Similarly, the R-SAT Test Results Form is populated based on the Security Categorization and overlay/inherited control options chosen. If the security policy and procedure templates are used, SOs will also choose this option in the form. Self-Assessment Test Results are populated with standard language to apply the overlays and other selected options, which can then be copied into the equivalent eMASS import template.

R-SAT provides significant time savings in developing RMF artifacts and eMASS data entry. It also helps focus FRCS SOs on the security requirements that require more attention.

R-SAT and the accompanying User Guide and templates will soon be available for download on the project overview. Instructional videos will also be available to provide a tutorial for new users.