RMF Considerations For Navy Industrial Control . - Energy Exchange


RMF Considerations for Navy Industrial Control SystemsTrack 4 Session 2RMF Considerations for Navy IndustrialControl Systems Track 4 Session 2Jeff JohnsonNaval District WashingtonAugust [XX], 2017Tampa Convention Center Tampa, Florida

Ashore ICS HVAC and Utility PrioritiesSecure then C2 then SmartGridPrioritiesFiberCopperWirelessRadioInterim SecureSecure & Monitor1. DoD Mission AssetsInterim SecureSecure & Monitor3. Supporting Infrastructure for Mission AssetsInterim SecureInventorySecure & MonitorInterim Secure2. Navy Priority Energy BuildingsSecure & Monitor4. Smart Grid – (advancedmonitoring and analytics)Facility Engineering Operations ionTransport)1. Enclave(Security)2. NUMCS(Hosting)3. Smart Grid(Analytics & Monitoring)NIPRNETEnergy Exchange:Cybersecurity of critical infrastructure is a major focusof theConnectShore Collaborate Conserve

CNIC/ NAVFAC Joint Letter. Commander, Naval Facilities Engineering Command. As the functional authorizingofficial (FAO), NAVFAC will:(1) Be responsible and accountable, as the technical authority and security controlassessor, for the authorization of all systems under their cognizance.(2) Ensure system design, development, and authorizations balance missionrequirements and community risk.CNIC/Navy Regional Commanders. Assume overall responsibility and oversight forthe execution of this effort within their respective Regions, which includes:(1) Inventory, assess, interim secure, secure, and continuously monitor all facilitycontrol systems on Navy installations.(2) Provide the Wide Area Network (PSNeT) and platform enclave (PE) for connectingcontrol systems, which will be connected to PSNet.Energy Exchange: Connect Collaborate Conserve3

Other Impacted Control Systems Fire Alarm SystemsAccess Control and Intrusion DetectionVideo Display and Analytics SystemsLighting ControlElevator SystemsEnergy Exchange: Connect Collaborate Conserve4

Risk Management Framework Focus on Enterprise Architecture and SitePackages (Platform Enclave and Systems) NAVFAC is the Shore Technical Authority New Projects have RMF as part of design andacceptance DoD UFGS for new Construction orRenovations5Energy Exchange: Connect Collaborate Conserve

DoD RMF ProcessEnergy Exchange: Connect Collaborate Conserve6

RMF Overview The basic process steps are similar toDIACAP but there are significant differencesin several of the RMF process steps:– Categorization using impact levels associated with Confidentiality, Integrity,and Availability (CIA) categories vice MAC/CL– RMF has two process options Assess Only and Assess and Authorize– Security controls are more granular than DIACAP IA Controls– RMF has added Overlays for special assessment categories (e.g., Space,Cross Domain Solution, Classified)– Impact levels change from Low/Medium/High to Low/Moderate/High andrisk changes from Low/Medium/High to Very Low/Low/Medium/High/Very HighEnergy Exchange: Connect Collaborate Conserve7

RMF Overview (Cont) Anticipate there will be considerably moreresources required to perform the initial riskassessment (SCA) and final risk assessments(AO) on Security Controls. Escalation is mandatory for High and VeryHigh Security Controls IATO’s are no longer an accreditationvehicle, ATO’s with conditions replace IATO' sbut the criteria is slightly differentEnergy Exchange: Connect Collaborate Conserve8

DOD RMF IT Definitions DOD Information Technology has been divided into four forms:––––IS: A discrete set of information resources organized for the collection, processing, maintenance,use, sharing, dissemination, or disposition of information. Note: Information systems alsoinclude specialized systems such as industrial/process controls systems, telephone switching andprivate branch exchange (PBX) systems, and environmental control systems.PIT: May consist of both hardware and software that is physically part of, dedicated to, oressential in real time to the mission performance of special purpose systems (i.e., platforms). PITdiffers from products in that it is integral to a specific platform type as opposed to being usedindependently or to support a range of capabilities (e.g., major applications, enclaves or PITsystems).IT Services: IT services are outside the service user organization’s authorization boundary, andthe service user’s organization has no direct control over the application or assessment ofrequired security controls. DoD organizations that use IT services are typically not responsiblefor authorizing them (i.e., issue an authorization decision).IT Products: Products (including applications), are defined in DoDI 8500.01 as “individual IThardware or software items.” They can be commercial or government provided and can includefor example, operating systems, office productivity software, firewalls, and routers.Sources: RMF Knowledge Service: https://rmfks.osd.mil/rmf/Pages/default.aspx and CNSSI 4009Energy Exchange: Connect Collaborate Conserve9

Question?10Energy Exchange: Connect Collaborate Conserve

DIACAP but there are significant differences in several of the RMF process steps: - Categorization using impact levels associated with Confidentiality, Integrity, and Availability (CIA) categories vice MAC/CL - RMF has two process options Assess Only and Assess and Authorize - Security controls are more granular than DIACAP IA Controls