SUBJECT: Joint Base Lewis-McChord (JBLM), Directorate of Public Works (DPW) Division 25 Cybersecurity Design Standards 

1. PURPOSE:
The purpose of this memorandum is to establish the official Joint Base Lewis-McChord (JBLM), Directorate of Public Works (DPW) Division 25 Cybersecurity Design Standard. This standard ensures that all projects involving Facility-Related Control Systems (FRCS), including Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems, incorporate mandatory cybersecurity requirements from the earliest stages of design. Adherence to this standard is a prerequisite for:

a. Achieving a system's Authority to Operate (ATO).
b. Successfully processing the system through the Army's Information Technology Approval System (ITAS).
c. Ensuring the long-term security, sustainment, and continued support of the system by JBLM personnel after project turnover.
d. Justifying Future Lifecycle and Security Funding. The artifacts produced through this process, particularly the POA&M and asset inventory, create the formal, auditable documentation required to program and defend future funding requests for security upgrades and lifecycle replacements.

2. APPLICABILITY:
This standard applies to all projects at Joint Base Lewis-McChord (JBLM) that include the installation, modification, or expansion of any system defined as an FRCS.
Per UFC 4-010-06, FRCS include, but are not limited to, control systems for:

a. Heating, Ventilation, and Air Conditioning (HVAC) and Direct Digital Controls (DDC)
b. Electrical (power, metering, lighting)
c. Water (potable, wastewater, storm water)
d. Fire and Life Safety and Mass Notification
e. Vertical Transportation (elevators)

This standard explicitly includes systems that may be categorized as Industrial Control Systems (ICS), SCADA (e.g., District Steam Plants, Traffic Management), or Distributed Control Systems (DCS) when they are integral to a facility's infrastructure.

3. JBLM DPW DIVISION 25 CYBERSECURITY DESIGN STANDARD:
For any project meeting the applicability criteria in Section 2, the Statement of Work (SOW) shall be augmented to include the following requirements for the Designer of Record (DOR).

3.1 Design Analysis (DA) Requirement
The SOW shall require the DOR to include a dedicated Cybersecurity section within the Design Analysis. This analysis shall be performed in accordance with UFC 4-010-06. It must:

a. Document the system's RMF categorization (Confidentiality, Integrity, Availability).
b. Define the system’s authorization boundary.
c. Justify the inclusion of UFGS 25 05 11, ‘Cybersecurity for Facility-Related Control Systems,’ in the construction specifications.

3.2 Construction Deliverable Requirement
The SOW shall require the design specifications (Division 25) to mandate that the contractor provide the following cybersecurity submittals. The scope of each deliverable depends on whether the work involves an existing, registered system or a new, unregistered system.

A. Control System Inventory Report
A detailed inventory of all hardware, including the operating system or firmware that runs on it, and all software components. This report is required to create or update the official asset baseline in eMASS and is critical for tracking vulnerabilities and managing the system lifecycle. It must include all manufacturers, models, serial numbers, versions, and MAC addresses.

New System Requirement: Provide a complete inventory list for all components within the new system's authorization boundary.
Existing System Requirement: Provide an inventory list of only the new or modified components being added to the existing system.

B. Network Diagrams
These are as-built diagrams used to define the system's authorization boundary and shall illustrate the physical and logical layout of all system components.

The Network Topology Diagrams include the following:

  • Physical Topology: How the cables are run. It shows the actual physical location of components (buildings, rooms, racks) and how they are interconnected with physical media (fiber, copper).
  • Logical Topology: How the components, as configured, communicate across the network. It shows the IP addressing scheme, subnets, VLANs, and routing paths.

The System Boundary Diagram must include a visual demarcation (usually a dashed red line) drawn around the collection of components that fall under the control of the System Owner and need an Authority to Operate (ATO). It explicitly marks the "edge" of the system where security controls like firewalls (Boundary Protection) are enforced.

The Network Riser Diagram must abstract away some of the low-level detail. Instead of showing every single cable run, it shows the major components (servers, switches, JACEs, firewalls) and the primary connections between them. If the system or its components are to be located in a facility and their connections will not leave that facility, the diagram should illustrate this as evidence of the design.

New System Requirement: These diagrams must show the entire network architecture for the new standalone system.
Existing System Requirement: These diagrams must show how new system components connect and integrate with the existing, registered system architecture.

C. Data Flow Diagram (DFD)
A diagram illustrating how data is transmitted between major system components. It is used to analyze information flow controls (AC-4) and must show the type of data (e.g., Command & Control, Authentication, Sensor Data), the direction of flow, and the protocols used (e.g., BACnet/IP, HTTPS, Fox) for each major communication path.

New System Requirement: The DFD shall cover all major data flows within the new system's boundary.
Existing System Requirement: The DFD shall cover the data flows for only the new or modified components and their interactions with the existing system.

D. Ports, Protocols, and Services (PPS) Report
A list of all communication PPS used by new components, with an operational justification for each. This is required to update the eMASS PPSM record.

New System Requirement: The report shall list the PPS for all components within the new system's boundary.
Existing System Requirement: The report shall list the PPS for only the new or modified components.

E. STIG/SRG Compliance & Vulnerability Report
A complete evidence package from non-production testing that serves as the primary evidence for the ATO assessment. The package must include:

  • Completed STIG Checklists (.ckl files).
  • Vulnerability scan reports (e.g., SCAP, Nessus).
  • A Plan of Action & Milestones (POA&M)-formatted list of all findings.

New System Requirement: The report must cover the compliance and vulnerability status of all applicable components in the new system.
Existing System Requirement: The report shall cover the compliance and vulnerability status of only the new or modified components.

F. System Backups & Configuration Files
A package containing system images of new computers, final secured configuration files for all devices, and all required software installation media. This provides evidence for Contingency Plan (CP) controls.

New System Requirement: Provide backup and configuration files for all components of the new system.
Existing System Requirement: Provide backup and configuration files for only the new or modified components.

G. RMF Package Development
The complete set of documentation required to initiate the RMF process and create a new system record in eMASS.

New System Requirement: Required. All deliverables must be comprehensive enough to support the creation of a new RMF package from scratch.
Existing System Requirement: Not Applicable. Deliverables A-F will be used to update the existing eMASS record.

4. GOVERNING REGULATIONS AND DOCUMENTS:

a. Army CIO Memo, 25 Aug 2020: Policy for Operational Technology Cybersecurity.
b. Army CIO Memo, 16 Sep 2021: Implementation of the Risk Management Framework for Department of the Army Operational Technology.
c. UFC 4-010-06: Cybersecurity of Facility-Related Control Systems.
d. UFGS 25 05 11: Cybersecurity for Facility-Related Control Systems.
e. DoDI 8510.01: Risk Management Framework (RMF) for DoD Information Technology (IT).
f. NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations.
g. ER 1110-345-700: Design Analysis, Drawings and Specifications.

5. POINT OF CONTACT:
The POC for this memorandum and for all FRCS cybersecurity design inquiries is the DPW Cybersecurity RMF Team at usarmy.jblm.id-pacific.list.dpw-neo-rmf@army.mil.