
DEPARTMENT OF DEFENSE CONTROL SYSTEMS SECURITY ...



DEPARTMENT OF DEFENSE CONTROL SYSTEMS SECURITY REQUIREMENTS GUIDE
Version 1, Release 1
January 26, 2021

Table of Contents

1. Control Systems in the Department of Defense
   Introduction
   Scope and Applicability
   Terms and Concepts
   Security Requirements Guides / Security Technical Implementation Guides
   Document Revisions, Comments, Availability
   Update Cycle
   Business Mission Objectives for Control Systems
   System Security Objectives for Control Systems
   Control System Security Architecture
   Cybersecurity Governance for Control Systems
   System Authorization for Control Systems
   Cyberspace Defense and Incident Response in the Control System Environment
   Control System Incident Response
2. Cybersecurity Framework Control Systems Organizational Profile
   Cybersecurity Profile Purpose and Scope
   CSF Profile Priority Matrix
   CSF High Priority Rationale
3. System Security Requirements for Control Systems
   Minimum Standards for Cybersecurity
   Adapted Scope and Intent of Security Control Families
   DoD Policy Regarding Security Controls
   System Security Requirements Mapping Tables
Appendices
   A) References
   B) Glossary
   C) NIST Cybersecurity Framework Glossary

1 CONTROL SYSTEMS IN THE DEPARTMENT OF DEFENSE (DoD)

Introduction

Control systems underpin the operation of all DoD missions and are key elements in many diverse DoD operating environments. Control systems, which typically consist of controllers and user interfaces that monitor and control equipment, are prevalent and essential to the function of weapon systems, utilities, facilities, medical systems, manufacturing and the defense industrial base.

This variance in mission functions and disciplines means that these communities of interest have different terminology and accepted norms. However, there are also areas of commonality in terms of system objectives and the cybersecurity activities necessary to protect them as well as types of cybersecurity risks. Control systems also pose unique risks due to their interaction with the physical world. These cyber to physical interactions can have unintended and disastrous implications. For example, at a NASA research facility: a security patch caused monitoring equipment in a large engineering oven to stop running, resulting in a fire that destroyed spacecraft hardware inside the oven. The computer reboot caused by the software upgrade also impeded alarm activation, leaving the fire undetected for hours before it was discovered. [1]

Though unintended, this cyber to physical incident highlights risks that adversaries could utilize to not just delay or stop critical business functions of the Department, but also to cause environmental and physical harm, including the loss of life. These risks are increased from the proliferation of cyber physical systems in the National Security environment. The combination of the importance of control systems and relevance to National Security requires specific considerations and guidance to ensure that all risk and threats are managed according to risk management policies. Understanding National Security Systems (NSS) and critical system dependencies on control systems is a priority and those dependencies should be a factor for all system owners when managing risks to their systems.

The Control Systems Security Requirements Guide (SRG) seeks to streamline and unify the Department's risk-based approach to managing control systems cybersecurity. It utilizes and integrates the Cybersecurity Framework (CSF) to aid organizational risk management and the DoD Risk Management Framework (RMF) to enable system risk management. A traditional SRG focuses on security control implementation in specific systems or technology types. This SRG provides higher-level orientation to inform organizational cybersecurity activities for all control systems in the DoD in addition to providing guidance on security requirements for control systems, regardless of individual system type or unique operating environment.

This broader approach is necessary to enhance planning and overall execution of cybersecurity risk management for control systems as cybersecurity maturity in many of these systems is minimal or technically unfeasible in contrast to traditional systems.

The audience for this SRG includes:

- DoD Components, Program Executive Offices, Program Offices and Mission Owners using, or considering the use of control systems.
- DoD programs that utilize control systems or operate in control system environments.
- DoD Authorizing Officials and their representatives.
- Control Systems Operators.

[1] Industrial Control System Security Within NASA's Critical and Supporting Infrastructure:

The following document consists of three primary sections. First, foundational material to orient the reader to the scope, applicability, cybersecurity concepts and terminology used in the SRG. Second, a Cybersecurity Framework (CSF) profile, a specific artifact to help organizations and stakeholders with the prepare step to organize cybersecurity implementation at an organization-level. Third, specific security requirements guidance to aid systems to better shape and describe the spirit and intent of security requirements for control systems.

Scope and Applicability

This SRG, in support of DoDI , establishes the DoD security objectives for all control systems. Personnel may apply this SRG to environments classified as publicly releasable up to and including TOP SECRET General Service (GENSER).

Missions including control systems with a sensitive compartmented information (SCI) classification must follow existing DoD and Intelligence Community (IC) policies, as applicable. This SRG does not provide guidance for operation environments with SCI classification levels.

This SRG supports the responsibilities of DoD Component heads, per 44 USC 3534 (a) (1) (ii) Federal Information Security Management Act (FISMA), to provide protections for systems used or operated by an agency, contractor of an agency, or other organization on behalf of an agency. This DoD SRG applies to all control systems operated by or on behalf of the DoD by a contractor or other entity. The SRG does not apply retroactively to already-fielded systems; however, the guidance should be leveraged as DoD control systems undergo updates, upgrades, and enhancements, where feasible.

Owners or operators can be DoD Components, United States Government agencies, or commercial entities. DoD control systems are likely to support the following:

- Control systems supporting National Security Systems (weapons systems)
- Control systems supporting Medical Systems
- Control systems supporting facilities
- Control systems supporting Manufacturing

This DoD SRG complements the existing RMF procedures for cybersecurity programs described in DoDI , Cybersecurity, by providing consistent requirements based on common strategic objectives for deploying control systems and the cybersecurity activities that are most critical for meeting those objectives. Each DoD organization retains the autonomy to determine its own risk tolerance for control systems using the policy requirements articulated by the DoDI 8500 series, guidelines found on the RMF KS, and the parameters of organization-specific cybersecurity programs, and can adjust the requirements in this DoD SRG as needed to best support the needs of its specific environment.

Terms and Concepts

This SRG introduces terminology and concepts unique to specific control system environments while also relying on terms used throughout the cyber domain to better orient cybersecurity practitioners (Availability Requirements, Cyber-Physical considerations). Still, the intent is to describe security objectives tailored to the unique requirements of control system environments rather than apply traditional information system methods that may not be applicable to control system environments. Control systems are systems in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include Supervisory Control and Data Acquisition (SCADA), industrial and process control systems, cyber-physical systems, facilities-related control systems and other types of industrial measurement and control systems.

