The DoD has adopted the Risk Management Framework (RMF) for all Information Technology (IT) and Operational Technology (OT) networks, components and devices to include Facility-Related Control Systems (FRCS). FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO) on the DoD Information Network (DoDIN).

The DoD CIO RMF Portal and the Installation  Environmental Security Technology Certification Program (ESTCP) website are the primary internal and external communications platforms to keep DoD stakeholders, vendors and contractors appraised of RMF policy, standards, guidance and a source of tools, checklists and templates.

The portal and our site contain the same information, but the DoD CIO RMF portal requires a CAC card to access and contains additional FOUO documents and POC’s email and phone numbers. The general format and content of the portal and our website are:

Any organization can use the websites guidance, reference materials, checklists and templates and the majority can be used for both standard IT and FRCS, also often referred to as Operational Technology (OT) systems.


DoD Risk Management Framework Process for DoD IT Systems

Document Title

Document Purpose

RMF Guidance, generally applicable to traditional IT as well as facility-related control systems


NIST Special Publication 800-37 (Chapter 3)

The RMF process for all federal agencies

DoD Instruction 8510.01

RMF applied to the DoD; facility-related controls referred to as Platform IT (PIT), akin to aircraft avionics

RMF Guidance, specific to facility-related control systems


NIST SP 800-82 Revision 2 (Chapter 6)

Applying RMF to facility related control systems

Unified Facilities Criteria (UFC) 4-01-06

Specific guidance for facility-related controls in DoD

ESTCP Facility-Related Control Systems Cybersecurity Guidelines, Version 4

Specific guidance for ESTCP demonstrations



Committee on National Security Systems Instruction (CNSSI) 4009 (CNSSI documents are not accessible by hyperlink, but must be accessed via the above library link)

The most comprehensive, formally accepted glossary available

STEP 1: Categorize the System


Federal Information Processing Standards (FIPS) 199

Generally applicable categorization process

CNSSI 1253 

Categorization process specific to national security systems

NIST SP 800-60 Volume 1 & Volume 2

Detailed considerations when determining categorization

STEP 2: Select Security Controls


CNSSI 1253

Baseline security controls for national security IT systems

NIST SP 800-82 Rev 2 (Appendix G)

Security overlay for facility-related control systems

NIST SP 800-53 Rev 4 (Appendix F)

Catalogue of all IT security controls with details

STEP 3: Implement Security Controls


NIST SP 800-82 Rev 2 (Chapter 6)

Applying security controls to facility-related controls

STEP 4: Assess Controls Effectiveness


NIST SP 800-53A Rev 4 (Chapter 3)

Conducting effective security control assessments

STEP 5: Authorize System


NIST SP 800-37 (Appendix F)

Authorization packages

STEP 6: Monitor Security


NIST SP 800-37 (Appendix G)

Continuous monitoring of information systems

Authority to Operate (ATO) Packages


NIST SP 800-37 (Appendix F)

Detailed description of ATO package requirements

CNSSI 1254

Specific data elements required for an ATO



Please contact the Installation Energy (IE) or ESTCP Program Offices if you have any questions, or need additional guidance.