UNIFIED FACILITIES CRITERIA (UFC) CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS

Transcription

UFC 4-010-06
19 September 2016
Change 1, 18 January 2017

UNIFIED FACILITIES CRITERIA (UFC)
CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS

APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED

Any copyrighted material included in this UFC is identified at its point of use. Use of the copyrighted material apart from this UFC must have the permission of the copyright holder.

U.S. ARMY CORPS OF ENGINEERS
NAVAL FACILITIES ENGINEERING COMMAND (Preparing Activity)
AIR FORCE CIVIL ENGINEER CENTER

Record of Changes (changes are indicated by \1\ ... /1/)

Change No.: 1
Date: 01/19/2017
Location: Revised paragraphs 3-3, 3-6 (second bullet), 3-6.2, 4-3 (second to last bullet), and 5-2.2.2.

FOREWORD

The Unified Facilities Criteria (UFC) system is prescribed by MIL-STD 3007 and provides planning, design, construction, sustainment, restoration, and modernization criteria, and applies to the Military Departments, the Defense Agencies, and the DoD Field Activities in accordance with USD (AT&L) Memorandum dated 29 May 2002. UFC will be used for all DoD projects and work for other customers where appropriate. All construction outside of the United States is also governed by Status of Forces Agreements (SOFA), Host Nation Funded Construction Agreements (HNFA), and in some instances, Bilateral Infrastructure Agreements (BIA). Therefore, the acquisition team must ensure compliance with the most stringent of the UFC, the SOFA, the HNFA, and the BIA, as applicable.

UFC are living documents and will be periodically reviewed, updated, and made available to users as part of the Services' responsibility for providing technical criteria for military construction. Headquarters, U.S. Army Corps of Engineers (HQUSACE), Naval Facilities Engineering Command (NAVFAC), and Air Force Civil Engineer Center (AFCEC) are responsible for administration of the UFC system. Defense agencies should contact the preparing service for document interpretation and improvements. Technical content of UFC is the responsibility of the cognizant DoD working group. Recommended changes with supporting rationale should be sent to the respective service proponent office by the following electronic form: Criteria Change Request. The form is also accessible from the Internet sites listed below.

UFC are effective upon issuance and are distributed only in electronic media from the following source: Whole Building Design Guide web site http://dod.wbdg.org/.

Hard copies of UFC printed from electronic media should be checked against the current electronic version prior to use to ensure that they are current.

AUTHORIZED BY:

JAMES C. DALTON, P.E.
Chief, Engineering and Construction
U.S. Army Corps of Engineers

JOSEPH E. GOTT, P.E.
Chief Engineer
Naval Facilities Engineering Command

EDWIN H. OSHIBA, SES, DAF
Deputy Director of Civil Engineers
DCS/Logistics, Engineering & Force Protection

MICHAEL McANDREW
DASD (Facilities Investment and Management)
Office of the Assistant Secretary of Defense (Energy, Installations, and Environment)

UNIFIED FACILITIES CRITERIA (UFC)
NEW DOCUMENT SUMMARY SHEET

Document: UFC 4-010-06, Cybersecurity of Facility-Related Control Systems

Superseding: None

Description: UFC 4-010-06 provides requirements for incorporating cybersecurity into the design of facility-related control systems.

Justification: DoDI 8500.01, Cybersecurity requires the implementation of a "multi-leveled cybersecurity risk management process as described in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39 and the Committee on National Security Systems (CNSS) Policy 22." It further requires the use of NIST SP 800-37, and a transition to CNSSI No. 1253 and NIST SP 800-53. For control systems, NIST SP 800-82 R2 Appendix G is used as the overlay under CNSSI No. 1253. This UFC provides criteria for the inclusion of cybersecurity in the design of control systems in order to address appropriate Risk Management Framework (RMF) security controls during design and subsequent construction.

Impact: While the inclusion of cybersecurity during the design and construction of control systems will increase the cost of both design and construction, it is more cost effective to implement these security controls starting at design than to implement them on a designed and installed system. Historically, control systems have not included these cybersecurity requirements, so the addition of these cybersecurity requirements will increase both cost and security. The increase in cost will be lower than the increase in cost of applying these requirements after design.

Note: This UFC is based on NIST SP 800-53 R4 and NIST SP 800-82 R2. As new versions of NIST publications are issued, guidance will be posted on the RMF Knowledge Service (https://rmfks.osd.mil) and will be included in updates to this UFC.

TABLE OF CONTENTS

CHAPTER 1 INTRODUCTION ... 1
1-1 BACKGROUND ... 1
1-2 PURPOSE AND SCOPE ... 1
1-3 APPLICABILITY ... 1
1-4 GENERAL BUILDING REQUIREMENTS ... 1
1-5 ORGANIZATION ... 2
1-6 CYBERSECURITY POINTS OF CONTACT BY SERVICE ... 2
1-7 REFERENCES ... 2
1-8 GLOSSARY ... 2
CHAPTER 2 CONTROL SYSTEM CYBERSECURITY OVERVIEW ... 3
2-1 RISK MANAGEMENT FRAMEWORK OVERVIEW ... 3
2-1.1 Security Controls ... 3
2-1.2 RMF Goal ... 3
2-1.3 Platform Information Technology ... 3
2-1.4 Inherited Security Controls ... 4
2-1.5 Applicability of RMF Security Controls to Design ... 4
2-2 5-LEVEL CONTROL SYSTEM ARCHITECTURE ... 5
2-2.1 "Standard IT" Parts of the Control System ... 6
2-2.2 "Non-Standard IT" Parts of the Control System ... 7
2-2.3 Platform Enclave ... 7
2-3 CONTROL SYSTEM PROCUREMENT OVERVIEW ... 7
CHAPTER 3 APPLYING CYBERSECURITY IN DESIGN ... 9
3-1 OVERVIEW ... 9
3-1.1 Five Steps for Cybersecurity Design ... 9
3-1.2 Definition of "Organization" ... 9
3-2 STEP 1: DETERMINE CONTROL SYSTEM IMPACT RATING ... 10
3-3 STEP 2: DETERMINATION OF SECURITY CONTROLS ... 10
3-3.1 Recommend Security Controls to Tailor Out ... 11
3-4 STEP 3: IDENTIFICATION OF CONTROL CORRELATION IDENTIFIERS ... 11
3-5 STEP 4: CATEGORIZATION OF CONTROL CORRELATION IDENTIFIERS BY RESPONSIBILITY ... 11
3-6 STEP 5: INCORPORATE CYBERSECURITY REQUIREMENTS ... 12

3-6.1 Addressing DoD Selected Values in CCIs ... 13
3-6.2 Other "Organization Defined Values" in CCIs ... 13
3-6.3 Requirement Definition and Implementation CCIs ... 13
CHAPTER 4 MINIMUM CYBERSECURITY DESIGN REQUIREMENTS ... 15
4-1 DESIGN TO MINIMIZE FAILURE ... 15
4-1.1 Reduce Dependency on the Network ... 15
4-1.2 Reduce Extraneous Functionality ... 15
4-2 DESIGN TO MANAGE FAILURE ... 15
4-2.1 Design for Graceful Failure ... 15
4-2.2 Degraded Operation ... 16
4-2.3 Redundancy ... 16
4-3 DO NOT IMPLEMENT STANDARD IT FUNCTIONS ... 16
4-4 DO NOT PROVIDE REMOTE ACCESS ... 17
CHAPTER 5 CYBERSECURITY DOCUMENTATION ... 19
5-1 OVERVIEW ... 19
5-2 REQUIREMENTS BY DESIGN PHASE ... 19
5-2.1 Basis of Design ... 19
5-2.2 Design Submittals ... 19
APPENDIX A REFERENCES ... 21
APPENDIX B GLOSSARY ... 23
B-1 ACRONYMS ... 23
B-1.1 General Acronyms ... 23
B-1.2 Security Control Family Acronyms ... 24
B-2 DEFINITION OF TERMS ... 25
APPENDIX C RISK MANAGEMENT FRAMEWORK (RMF) OVERVIEW ... 31
C-1 RMF OVERVIEW ... 31
C-2 RMF PROCESS ... 31
C-3 DEFINITION OF CONTROLS FROM NIST AND DODI 8510 ... 32
C-3.1 Control Families ... 32
C-3.2 Control Elements and Enhancements ... 33
C-3.3 Control Correlation Identifiers ... 36
C-4 REQUIREMENT DEFINITION VS IMPLEMENTATION ... 37
C-4.1 CCIs Defining a Requirement ... 37

C-4.2 CCIs Requiring Implementing a Requirement ... 38
C-5 PLATFORM INFORMATION TECHNOLOGY ... 38
APPENDIX D PLATFORM ENCLAVE ... 40
D-1 PLATFORM ENCLAVE CONCEPT OVERVIEW ... 40
D-2 PLATFORM ENCLAVE USING TWO AUTHORIZATIONS ... 40
D-3 PLATFORM ENCLAVE BENEFITS ... 40
D-4 ARMY PLATFORM ENCLAVE APPROACH ... 41
D-5 NAVY PLATFORM ENCLAVE APPROACH FOR BCS AND UCS ... 41
D-6 AIR FORCE PLATFORM ENCLAVE APPROACH ... 41
APPENDIX E 5-LEVEL CONTROL SYSTEM ARCHITECTURE ... 44
E-1 INTRODUCTION ... 44
E-2 5-LEVEL ARCHITECTURE OVERVIEW ... 45
E-3 LEVEL 0: SENSORS AND ACTUATORS ... 46
E-4 LEVEL 1: FIELD CONTROL SYSTEM (NON-IP) ... 48
E-5 LEVEL 2: FIELD CONTROL SYSTEM (IP) ... 50
E-6 LEVEL 3: FIELD POINT OF CONNECTION (FPOC) ... 55
E-7 LEVEL 4: CONTROL SYSTEM FRONT END AND CONTROL SYSTEM IP NETWORK ... 56
E-8 LEVEL 5: EXTERNAL CONNECTION AND CONTROL SYSTEM MANAGEMENT ... 58
APPENDIX F CYBERSECURITY CONSIDERATIONS FOR INTEGRATING CRITICAL UTILITY OR BUILDING CONTROL SYSTEMS WITH NON-CRITICAL UMCS ... 60
F-1 INTRODUCTION ... 60
F-2 LIMIT OUTSIDE FUNCTIONALITY ... 61
F-3 FCS-UMCS CONNECTION METHODS ... 61
F-3.1 Hardware I/O Interface ... 62
F-3.2 Hardware Gateway Interface ... 63
F-3.3 Firewall Interface ... 64
F-4 OTHER CONSIDERATIONS ... 65
F-4.1 Local User Interfaces ... 65
F-4.2 Management of Risk ... 65
APPENDIX G IMPLEMENTATION GUIDANCE FOR SECURITY CONTROLS ... 68
G-1 INTRODUCTION ... 68
G-2 GENERAL GUIDANCE ... 68

G-2.1 Control System versus Standard IT System Terminology ... 68
G-2.2 DoD-Defined Values ... 68
G-2.3 Security Controls Which are "Automatically Met" ... 68
G-2.4 Security Controls Applicability by Architecture Level ... 69
G-2.5 Impact Level Applicability ... 69
G-3 GUIDANCE FOR INDIVIDUAL SECURITY CONTROLS ... 69
G-3.1 Access Control (AC) Control Family ... 69
G-3.2 Audit and Accountability (AU) Control Family ... 73
G-3.3 Security Assessment and Authorization (CA) Control Family ... 74
G-3.4 Configuration Management (CM) Control Family ... 75
G-3.5 Contingency Planning (CP) Control Family ... 76
G-3.6 Identification and Authorization (IA) Control Family ... 77
G-3.7 Incident Response (IR) Control Family ... 79
G-3.8 Maintenance (MA) Control Family ... 79
G-3.9 Media Protection (MP) Control Family ... 79
G-3.10 Physical and Environmental Protection (PE) Control Family ... 80
G-3.11 Planning (PL) Control Family ... 81
G-3.12 Program Management (PM) Control Family ... 82
G-3.13 Personnel Security (PS) Control Family ... 83
G-3.14 Risk Assessment (RA) Control Family ... 83
G-3.15 System and Services Acquisition (SA) Control Family ... 84
G-3.16 System and Communications Protection (SC) Control Family ... 85
G-3.17 System and Information Integrity (SI) Control Family ... 88
APPENDIX H CONTROL CORRELATION IDENTIFIER (CCI) TABLES ... 90
H-1 INTRODUCTION ... 90
H-2 TABLE STRUCTURE AND CONTENT ... 90
H-3 CCI TABLE NOTES ... 91
H-3.1 Controls Inherited from Platform Enclave ... 91
H-3.2 CCIs in Multiple Tables ... 91
H-4 CCI TABLE DESCRIPTIONS ... 92
H-4.1 CCI Summary Table ... 92
H-4.2 CCI Not Applicable to Control Systems ... 92
H-4.3 CCIs Removed from LOW Impact Control System Baseline ... 92

H-4.4 Designer CCIs ... 92
H-4.5 Platform Enclave CCIs ... 92
H-5 CCI TABLES ... 93

FIGURES

Figure 2-1 5-Level Control System Architecture ... 6
Figure 2-2 Control System Architecture ... 8
Figure C-3 NIST Risk Management Framework Steps ... 32
Figure C-4 NIST SP 800-53 Control AC-2 ... 35
Figure D-1 Navy and Air Force Platform Enclave and Operational Architecture ... 41
Figure E-1 5-Level Control System Architecture ... 45
Figure F-1 Hardware I/O Interface Example ... 62

TABLES

Table E-1 Level 0 ... 46
Table E-2 Level 1 ... 48
Table E-3 Level 2 ... 50
Table E-4 Level 3 ... 55
Table E-5 Level 4 ... 56
Table E-6 Level 5 ... 58
Table G-1 Access Control (AC) Control Family ... 70
Table G-2 Audit and Accountability (AU) Control Family ... 73
Table G-3 Security Assessment and Authorization (CA) Control Family ... 74
Table G-4 Configuration Management (CM) Control Family ... 75
Table G-5 Contingency Planning (CP) Control Family ... 76
Table G-6 Identification and Authorization (IA) Control Family ... 78
Table G-7 Maintenance (MA) Control Family ... 79
Table G-8 Media Protection (MP) Control Family ...
