Looking Forward: USACE MILCON Cybersecurity Integration · Tampa Convention Center • Tampa,...

Tampa Convention Center • Tampa, Florida Looking Forward: USACE MILCON Cybersecurity Integration Energy Exchange 2017 - Track 4 - Cyber and Control System Technologies, Session 2 - Understanding and implementing the RMF Process Mr. Daniel Shepard US Army Corps of Engineers, Engineering & Support Center, Huntsville August [XX], 2017


Page 2:

Energy Exchange: Connect • Collaborate • Conserve

DOD & ARMY LEVEL CYBERSECURITY GUIDANCE

• ACSIM Cybersecurity Strategy for Facility-Related Control Systems (FEB2017)

• OSD Memo, DoD Cybersecurity Campaign (JUN2015)

• DASD, Managing Cyber Risks to Facility-Related Control Systems (MAR2014)

• DoDI 8510.01, Risk Management Framework (RMF) (MAR2014)

What We Did

• Developed Inventory Methodology Used by ACSIM, Navy, Marines, and Air Force.

• Completed Proof of Concept of Control Systems Inventory Methodology at Redstone Arsenal.

• the Unified Facilities Criteria 04-010-06.

• Supported OACSIM in the Development of the Army’s Strategic Plan for the Implementation of Cybersecurity for Facility-Related Control Systems.

Page 3:

USACE Control Systems Inventory Methodology

Page 4:

Established January 2015, the ICS-CS TCX Was to Fill a GAP in the Army’s Ownership & Accountability for Facility Control Systems.

[Graphic labels: CYBER THREAT; Army Ownership; Army Accountability; CYBERSTRONG!!]

What We Do

Planning

• Participate in Planning Charrettes/DD-1391 Development

• Prepare Cybersecurity Cost Estimates for Control Systems

Design

• Design/Technical Submittal Reviews for Compliance

• Validation of UFC Design Requirements for Inclusion/Compliance

Acquisition

• Assist in SOW Development

• Participate in Source Selection Boards

Execution

• Monitoring of Risk Management Framework Requirements

• Ensure Control Systems are Cyber-Secure and are ATO Ready

ICS-CS TCX Technical Team Planning

Page 5:

Where’s Cyber?

PLANNING CHARRETTE / DD-1391 PREP

CYBERSECURITY REPRESENTATIVE

CRITICAL ISSUES TO ADDRESS

• Lack of Technical Understanding & Expert Know-How

• Lack of Early Engagement in Project Development Process

• Not Including Cybersecurity Requirement Costs In DD-1391

• Minimal Engagement for Design/Technical Reviews

Without Mandates to Use the ICS-CS TCX for Project Oversight on Cybersecurity Requirements for Control Systems, Our Project Delivery Process for Control Systems Became Obsolete and Vulnerable.

[Graphic labels: CYBER THREAT; Army Ownership; Army Accountability; CYBERSTRONG??; GULP!!]

What We Missed

Page 6:

RMF Process to MILCON

Page 7:

STEP 1 – CATEGORIZE – System

STEP 2 – SELECT – Security Controls

STEP 3 – IMPLEMENT – Security Controls

STEP 4 – ASSESS – Security Controls

STEP 5 – AUTHORIZE – System

STEP 6 – MONITOR – Security Controls

RMF In The MILCON Process

Page 8:

Looking Forward: USACE MILCON Cybersecurity Integration

Planning:

• Budgeting for Cybersecurity in Project Scope (250k per identified platform)

• Control System Cybersecurity TCX DD1391 Review at Code 3 prior to 3086 certification.

• TCX assistance to Districts in Design RFP Acquisition req’s (if requested)

Design:

• Utilize guidance set forth in UFC 4-010-06, Cybersecurity of Facility-Related Control Systems & Pending UFGS 01 35 53.01, Cybersecurity of Facility-Related Control Systems (Est. Q2 FY 18)

• TCX provides design submittal reviews (if requested) by District

Construction:

• Assist Districts in developing Construction Acquisition RFP req’s

• Ensure project associated control systems are inventoried and categorized

• Include submittal requirements for: Final Inventory; System Categorization; Authorization to operate; Authorization to connect to the network

• Include Requirement “To attach to the network and operate” PITs upon facility turnover

• Modify contract as requirements are updated

Requirements will NOT remain static