Looking Forward: USACE MILCON Cybersecurity Integration · Tampa Convention Center • Tampa,...
Tampa Convention Center • Tampa, Florida
Looking Forward: USACE MILCON Cybersecurity Integration
Energy Exchange 2017 - Track 4 - Cyber and Control System Technologies, Session 2 - Understanding and implementing the RMF Process
Mr. Daniel Shepard, US Army Corps of Engineers, Engineering & Support Center, Huntsville
August [XX], 2017
Energy Exchange: Connect • Collaborate • Conserve
DOD & ARMY LEVEL CYBERSECURITY GUIDANCE
• ACSIM Cybersecurity Strategy for Facility-Related Control Systems (FEB2017)
• OSD Memo, DoD Cybersecurity Campaign (JUN2015)
• DASD, Managing Cyber Risks to Facility-Related Control Systems (MAR2014)
• DoDI 8510.01, Risk Management Framework (RMF) (MAR2014)
What We Did
• Developed Inventory Methodology Used by ACSIM, Navy, Marines, and Air Force.
• Completed Proof of Concept of Control Systems Inventory Methodology at Redstone Arsenal.
• the United Facility Criteria 04-010-06.
• Supported OACSIM in the Development of the Army’s Strategic Plan for the Implementation of Cybersecurity for Facility-Related Control Systems.
USACE Control Systems Inventory Methodology
Established January 2015, the ICS-CS TCX…
…Was to Fill a GAP in the Army’s Ownership & Accountability for Facility Control Systems.
[Figure labels: CYBER THREAT; Army Ownership; Army Accountability; CYBERSTRONG!!]
What We Do
Planning
• Participate in Planning Charrettes/DD-1391 Development
• Prepare Cybersecurity Cost Estimates for Control Systems
Design
• Design/Technical Submittal Reviews for Compliance
• Validation of UFC Design Requirements for Inclusion/Compliance
Acquisition
• Assist in SOW Development
• Participate in Source Selection Boards
Execution
• Monitoring of Risk Management Framework Requirements
• Ensure Control Systems are Cyber-Secure and are ATO Ready
ICS-CS TCX Technical Team Planning
Where’s Cyber?
PLANNING CHARRETTE / DD-1391 PREP
CYBERSECURITY REPRESENTATIVE
CRITICAL ISSUES TO ADDRESS
• Lack of Technical Understanding & Expert Know-How
• Lack of Early Engagement in Project Development Process
• Not Including Cybersecurity Requirement Costs In DD-1391
• Minimal Engagement for Design/Technical Reviews
Without Mandates to Use the ICS-CS TCX for Project Oversight on Cybersecurity Requirements for Control Systems…
…Our Project Delivery Process for Control Systems Became Obsolete and Vulnerable.
[Figure labels: CYBER THREAT; Army Ownership; Army Accountability; CYBERSTRONG??; GULP!!]
What We Missed
RMF Process to MILCON
STEP 1 – CATEGORIZE - System
STEP 2 – SELECT - Security Controls
STEP 3 – IMPLEMENT - Security Controls
STEP 4 – ASSESS - Security Controls
STEP 5 – AUTHORIZE - System
STEP 6 – MONITOR - Security Controls
RMF In The MILCON Process
Looking Forward: USACE MILCON Cybersecurity Integration
Planning:
• Budgeting for Cybersecurity in Project Scope (250k per identified platform)
• Control System Cybersecurity TCX DD1391 Review at Code 3 prior to 3086 certification.
• TCX assistance to Districts in Design RFP Acquisition req’s (if requested)
Design:
• Utilize guidance set forth in UFC 4-010-06, Cybersecurity of Facility-Related Control Systems & Pending UFGS 01 35 53.01, Cybersecurity of Facility-Related Control Systems (Est. Q2 FY 18)
• TCX provides design submittal reviews (if requested) by District
Construction:
• Assist Districts in developing Construction Acquisition RFP req’s
• Ensure project associated control systems are inventoried and categorized
• Include submittal requirements for
  • Final Inventory
  • System Categorization
  • Authorization to operate
  • Authorization to connect to the network
• Include Requirement “To attach to the network and operate” PITs upon facility turnover
• Modify contract as requirements are updated
Requirements will NOT remain static