
Air Force Platform Information Technology (PIT) Cybersecurity Guidebook

Information technology (IT) (e.g., DoD-owned or DoD-controlled information systems (ISs), platform information technology (PIT) systems, IT products and services) as defined in DoDI 8500.01 (Reference (h)), and control systems and industrial control systems (ICS) as defined in National Institute of Standards and Technology (NIST) Special Publication (SP). This guidebook is based on a set of key tenets that form the basis for the guidance that follows. The following tenets are not exhaustive, but do outline some of the more important concepts and

[1] The revised policies and this guidebook reflect the Department's decision to adopt the term cybersecurity in place of information assurance.

In addition, energy savings performance contracts (ESPCs) and utility energy service contracts (UESCs) must include a cybersecurity plan for energy conservation measures (ECMs) and energy resilience projects that include the installation or modification of Operational Technology (OT). OT encompasses Platform Information Technology (PIT), Control Systems (CS), or Facility-Related Control Systems (FRCS).

There is increasing concern that U.S. Air Force systems containing information technology are vulnerable to intelligence exploitation and offensive attack through cyberspace. In this report, we analyze how the acquisition/life-cycle management community can improve cybersecurity.


Department of Defense Instruction (DoDI) 8500.01, Cybersecurity, and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), incorporate Platform IT (PIT) into the RMF process. PIT is a category of both IT hardware and software that is physically part of, dedicated to, or essential in real time to the mission performance of special purpose systems. PIT is further categorized as PIT products, PIT subsystems, or PIT systems. PIT differs from 'traditional' IT in that it is integral to – and dedicated to the operation of – a specific platform. Although the term PIT is used only by DoD, the concept of categorizing components and systems dedicated to the operation of a specific platform is not. For example, within the private sector, the term 'Operational Technology' (OT) is also used to refer to these systems and components.

The most common forms of Energy, Installations and Environment (EI&E) PIT are Facility-Related Control Systems (FRCS), which are a combination of control components (e.g., electrical, mechanical, hydraulic, or pneumatic), special-purpose controlling devices, and standard IT that act together upon underlying mechanical and/or electrical equipment to achieve an objective (e.g., transport of matter or energy, or maintaining a secure and comfortable work environment). All automated control systems are considered PIT. Industrial Control Systems (ICS) are automated control systems that act upon industrial systems and processes. ICS is used as a general term that encompasses several, but not all, types of control systems: supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems such as the Programmable Logic Controllers (PLCs) often found in the industrial sector and critical infrastructure. In the past, the Assistant Secretary of Defense for Energy, Installations and Environment (ASD(EI&E)) community used ICS in an even broader sense to represent all types of control systems (SCADA, DDC, DCS, building, vehicle, transportation, etc.). However, since most uses of the term ICS do not pertain to industrial systems or processes, the term 'Control System' (CS) is used herein for this general category of PIT.

The EI&E community is responsible for all FRCS related to real property assets (facilities), including but not limited to:

  • Control System Platform Enclaves (PE)
  • Airfield Systems (AS)
  • Pier Systems (PS)
  • Environmental Monitoring (EM)
  • Electronic Security Systems (ESS)
  • Fire & Life Safety (FLS)
  • Dam, Lock & Levee Systems (DLL)
  • Medical Control Systems (MED)
  • Traffic Control Systems (TCS)
  • Transportation & Fueling Systems (TFS)
  • Meteorological Control Systems (MET)
  • Building Control Systems (BCS)
  • Utility Control Systems (UCS)
  • Utility Monitoring & Control Systems (UMCS)

NOTE: For the purposes of this guidance, all references to 'Platform IT', 'PIT', 'Control Systems', and 'FRCS' pertain only to those items owned and operated by the Energy, Installations and Environment community.

To protect its facilities and infrastructure, DoD needs to know the type, quantity and purpose of the PIT it owns and uses. For all PIT identified, including FRCS, the PIT owner, in coordination with an Authorizing Official (AO), must determine whether a collection of PIT products and/or subsystems 'rises to the level of' a PIT System. In accordance with DoDI 8510.01, PIT products and/or subsystems that do not rise to the level of a PIT System must undergo security assessment but do not necessarily need to be authorized under the RMF; PIT Systems undergo both security assessment and authorization by an AO.

The enterprise system used to track DoD IT, including PIT, is the Enterprise Mission Assurance Support Service (eMASS). Both 'Assess and Authorize' and 'Assess-Only' CS will be entered into eMASS. In order to standardize how EI&E-owned and -operated CS information is entered into eMASS, the DoD CS Working Group (WG) is working to incorporate new data fields and PIT capabilities into eMASS. DoD has developed a list of common FRCS and a corresponding control overlay selection tool for selecting an appropriate combination of security controls in the EI&E FRCS Master List. The EI&E FRCS Master List is maintained along with this step-by-step guide on the DoD Chief Information Officer (CIO) RMF Knowledge Service portal and the ESTCP website, where it will remain a living document.

Requests for information about cybersecurity of FRCS and other PIT associated with DoD facilities that are not listed in the companion EI&E PIT Control System Master List should be sent to the component representative and the ASD-EI&E representatives listed here:

Industry/Emerging Definitions

Throughout industry, and informally within DoD, the term Operational Technology (OT) is used to differentiate control systems from traditional Information Systems (IS). Other emerging terms related to control systems include Hybrid/Converged Systems, Cyber Physical Systems, the Internet of Things, and the Industrial Internet of Things. Current working definitions are provided in the glossary linked to this webpage.

IS/FRCS Hybrid/Converged Systems

Some control systems are a hybrid of traditional IS and FRCS. These hybrid/converged systems can contain or transmit Personally Identifiable Information (PII), Protected Critical Infrastructure Information (PCII), Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) information/data. Consequently, they need to be registered and maintained in DITPR, SNaP-IT, and eMASS. Examples of systems that may be hybrid/converged systems include:

  • Access control/alarm systems that use badges/Common Access Cards and Active Directory for keyless entry (contain PII)
  • Keyless entry/keypad systems that use Active Directory (contain PII)
  • Meter data management systems that interconnect with a local utility with real time demand and response (if the meter data is determined to contain PCII)
  • Patient Monitoring Systems (contain PII, HIPAA)
  • Vehicle fueling/charging stations/pumps with credit card swipe (contain PCI)
  • Computerized maintenance management systems/work order systems that interconnect with control system back-end controllers and devices (if the system is determined to contain PCII or PII)

For DoD, the installation infrastructure issue is complicated by the use of Defense Business Systems (DBS) as a primary IS type. In general, an FRCS is not a DBS, but when an FRCS relies upon a DBS Active Directory for identity and access management credentials, the hybrid/converged system becomes subject to FISMA, reportable as a Federal Identity, Credential, and Access Management (FICAM) system, and a DITPR requirement as well.

As more of these systems become interconnected and connected to the internet, the distinction between what is an IS, a DBS, and FRCS will become even more challenging. Nonetheless, the vast majority of FRCS will not be registered or maintained in DITPR. If in doubt, register a system in eMASS regardless of whether it is an IS, FRCS, IS/FRCS hybrid, or FISMA-reportable. The AO and the Information System Security Manager (ISSM) may coordinate with the DoD or Component CIO for guidance on DITPR and SNaP-IT registration. The DoD CIO will issue guidance for reporting of PIT cybersecurity costs – to include upgrades to legacy systems, turn-key acquisitions to meet network protection requirements, and continuous cyber monitoring.

DoD CIO Tools Registries

The DoD CIO uses three primary tools to inventory and report on the status of IT and OT FRCS: the Enterprise Mission Assurance Support Service (eMASS), the DoD Information Technology Portfolio Repository (DITPR), and the Select & Native Programming Data Input System for Information Technology (SNaP-IT).

eMASS is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) for DoD IT and DoD Information Assurance Certification and Accreditation Process (DIACAP) package reports. eMASS provides an integrated suite of authorization capabilities and enforces process controls for obtaining authority to connect information systems to DoD networks. It is a governance and authorization-tracking tool: it does not itself block attacks, but it ensures a system cannot be connected without the assessment and authorization record that the RMF requires.

DITPR contains a comprehensive unclassified inventory of the DoD's mission critical and mission essential information technology systems and their interfaces. It contains basic overview information regarding all DoD IT systems, including system names, acronyms, descriptions, sponsoring component, approval authority, points of contact, and other basic information required for any analysis of DoD inventory, portfolios, or capabilities. It supports the Title 40/Clinger-Cohen Act inventory requirements and the capital planning and investment processes of selection, control, and evaluation.

SNaP-IT is used for publishing the DoD Information Technology (IT) Budget Estimates to Congress and the Circular A-11 Section 53 and Section 300 exhibits to the Office of Management and Budget (OMB), and for monthly IT performance reporting to the OMB IT Dashboard.

Facility-Related Control Systems Platform Enclave (PE)

The Facility-Related Control System Platform Enclave (PE) is the 'Traditional IT Front-End' and is defined in UFC 4-010-06, Cybersecurity of Facility-Related Control Systems, whose Reference Architecture is shown in Figure 1.

Figure 1 – 5-Level Control System Architecture

Significant portions of the control system resemble a standard IT system which can be implemented in a standard manner for different control systems, regardless of the details of the control system itself. This has led to the creation of the Platform Enclave concept, which groups the 'standard IT' portions of the control system, plus related standard policies and procedures, into an entity which can be handled separately from the rest of the control system. In some cases, this Platform Enclave will be separately authorized and the overall control system will have two authorizations, one for the Platform Enclave and one for the Operational Architecture which primarily covers the 'non-standard IT' components of the system. In other cases, a single authorization will be used for the entire system. Even in cases where a single authorization is used, however, it's helpful to identify and categorize the 'standard IT' portions of the control system.

Using the UFC Reference Architecture, components and agencies develop their respective architecture, such as the Air Force Community of Interest Network Enclave (COINE) PE shown in Figure 2.

Figure 2 – Air Force Community of Interest Network Enclave (COINE)

The PE Level 3, 4 and 5 servers, workstations, laptops, firewalls and switches now become the responsibility of the CIO IT or third-party owner to resource, operate and maintain. The Energy, Installations and Environment (EI&E) community will continue to resource, maintain and operate the Operational Architecture/Operational Technology with Military Construction (MILCON) and Sustainment, Restoration and Modernization (SRM) funds. This arrangement ensures that the PE assets undergo technology refresh that is compliant with the Joint Information Environment (JIE) and are able to utilize the Host Based Security System (HBSS) and the Assured Compliance Assessment Solution (ACAS).

As more of these OT FRCS become interconnected and connected to the Internet of Things (IoT), the distinction between an IS, a DBS and an FRCS will become even harder to draw, and the same registration rule applies: if in doubt, register the system in eMASS, whether it is an IS, an FRCS, an IS/FRCS hybrid, or FISMA-reportable. The AO and the Information System Security Manager (ISSM) may coordinate with the DoD or Component CIO for guidance on DITPR and SNaP-IT registration. The IS/FRCS Decision Tree in Figure 3 and Table 1 provide examples of which systems should typically be registered in each of the three registries (eMASS, DITPR and SNaP-IT).

Figure 3 – IS and FRCS Decision Tree

eMASS AA/AE column: AA = Assess and Authorize (ATO), AE = Assess and Evaluate. C-I-A = Confidentiality, Integrity and Availability impact levels (H = High, M = Moderate).

eMASS AA/AE | eMASS Name           | BMA       | NIST Standard                                         | C-I-A | CIO Registry
AA (ATO)    | SITE1-FRCS-PE-I-AA   | CIO EIEMA | NIST SP 800-53 R4                                     | H-H-H | eMASS, DITPR, SNaP-IT (FISMA)
AE          | SITE1-FRCS-BCS-NI-AE | IE        | NIST SP 800-82 R2                                     | M-M-H | eMASS
AE          | SITE1-FRCS-UCS-NI-AE | IE        | NIST SP 800-82 R2                                     | M-M-M | eMASS
AE          | SITE1-FRCS-FLS-NI-AE | IE        | NIST SP 800-82 R2                                     | M-M-H | eMASS
AA (ATO)    | SITE1-FRCS-ESS-I-AA  | DSE       | NIST SP 800-53 R4, SP 800-82 R2, Privacy Act Overlay | H-H-H | eMASS, DITPR, SNaP-IT (FISMA/FICAM)

Table 1 – Examples of FRCS CIO Tools Registries Entries
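As an added example (not code from the page, from DoD or from the ESTCP program), the registration rules above can be checked as policy-as-code. The script below parses the SITE-FRCS-TYPE-I|NI-AA|AE naming convention used in Table 1, rejects FRCS types that are not in the EI&E list earlier on this page, derives which of the three registries and which FISMA/FICAM reporting tags the page's rules call for, and flags a record whose declared registrations fall short. The FrcsRecord fields, the reading of the I/NI field as interconnected versus not interconnected, and the treatment of the hybrid-data and DBS Active Directory rules as the deciding inputs are assumptions of the example rather than statements of the guidance.

```python
"""Consistency check for FRCS registry entries in the Table 1 naming convention.

Added example, not part of the original page. The name layout
SITE-FRCS-TYPE-{I|NI}-{AA|AE} is read off Table 1; reading I/NI as
interconnected / not interconnected, and the FrcsRecord fields, are assumptions.
"""
import re
from dataclasses import dataclass, field

# FRCS categories the EI&E community is responsible for (list on this page).
FRCS_TYPES = {"PE", "AS", "PS", "EM", "ESS", "FLS", "DLL", "MED",
              "TCS", "TFS", "MET", "BCS", "UCS", "UMCS"}

# Data types that make a control system an IS/FRCS hybrid (hybrid section).
HYBRID_DATA = {"PII", "PCII", "HIPAA", "PCI"}

NAME_RE = re.compile(
    r"^(?P<site>[A-Z0-9]+)-FRCS-(?P<type>[A-Z]+)-(?P<conn>I|NI)-(?P<auth>AA|AE)$")


@dataclass
class FrcsRecord:
    emass_name: str
    data_types: set = field(default_factory=set)           # subset of HYBRID_DATA (assumed field)
    relies_on_dbs_ad: bool = False                         # IdAM via a DBS Active Directory
    declared_registries: set = field(default_factory=set)  # where it is actually registered


def parse_name(emass_name):
    """Split a SITE-FRCS-TYPE-{I|NI}-{AA|AE} name into its fields.

    Raises ValueError for a malformed name or an FRCS type outside the EI&E list,
    so a typo in the type field cannot silently become a "new" category.
    """
    m = NAME_RE.match(emass_name)
    if not m:
        raise ValueError(f"name does not follow SITE-FRCS-TYPE-I|NI-AA|AE: {emass_name!r}")
    parts = m.groupdict()
    if parts["type"] not in FRCS_TYPES:
        raise ValueError(f"unknown FRCS type {parts['type']!r} in {emass_name!r}")
    return parts


def expected_registration(rec):
    """Return (registries, reporting_tags) that the rules on this page call for."""
    parts = parse_name(rec.emass_name)
    unknown = set(rec.data_types) - HYBRID_DATA
    if unknown:
        raise ValueError(f"unrecognised data types {sorted(unknown)} for {rec.emass_name!r}")

    registries = {"eMASS"}  # every CS, Assess and Authorize or Assess-Only, goes into eMASS
    tags = set()
    hybrid = bool(set(rec.data_types) & HYBRID_DATA)

    # Table 1 shows AA (authorized PIT system) entries in all three registries with FISMA
    # reporting; the hybrid section puts PII/PCII/HIPAA/PCI systems in all three as well.
    if parts["auth"] == "AA" or hybrid:
        registries |= {"DITPR", "SNaP-IT"}
        tags.add("FISMA")

    # An FRCS that takes its IdAM credentials from a DBS Active Directory becomes
    # FISMA- and FICAM-reportable and a DITPR requirement.
    if rec.relies_on_dbs_ad:
        registries.add("DITPR")
        tags |= {"FISMA", "FICAM"}

    return registries, tags


def check_record(rec):
    """Return findings (empty list = declared registries match the expected set)."""
    registries, _ = expected_registration(rec)
    findings = []
    for missing in sorted(registries - set(rec.declared_registries)):
        findings.append(f"{rec.emass_name}: missing registration in {missing}")
    for extra in sorted(set(rec.declared_registries) - registries):
        # Over-registration is not forbidden ("if in doubt, register in eMASS"), so flag
        # it for the ISSM/AO to confirm with the Component CIO rather than as an error.
        findings.append(f"{rec.emass_name}: registered in {extra} with no rule requiring it; confirm")
    return findings


if __name__ == "__main__":
    # Constructed records mirroring two Table 1 rows plus one deliberately inconsistent entry.
    sample = [
        FrcsRecord("SITE1-FRCS-PE-I-AA", declared_registries={"eMASS", "DITPR", "SNaP-IT"}),
        FrcsRecord("SITE1-FRCS-ESS-I-AA", data_types={"PII"}, relies_on_dbs_ad=True,
                   declared_registries={"eMASS", "DITPR", "SNaP-IT"}),
        FrcsRecord("SITE1-FRCS-TFS-NI-AE", data_types={"PCI"}, declared_registries={"eMASS"}),
    ]
    for rec in sample:
        print(rec.emass_name, expected_registration(rec), check_record(rec) or "OK")
```

The third constructed record is the case the hybrid section warns about: a fueling system that is Assess-Only by authorization type but handles PCI data, so eMASS alone is not enough and the check reports the missing DITPR and SNaP-IT entries. Running the same check over an export of a site's eMASS names is a cheap way to find FRCS that were registered before a badge reader, card swipe or Active Directory integration turned them into hybrid systems.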

Date posted: Jun 2018
