1.1 DPW IT Cyber Security

1.2 Cybersecurity hardening is required with the introduction of all Information Technology (IT) systems to consist of Platform Information Technology (PIT), IT Services, and IT products IAW DODI 8500.01, DODI 8510.01, and AR 25-2. Deliverables will be made available to the local Public Works (PW) Risk Management Framework (RMF) team. IT specialist conducting administration functions are required to have baseline certifications IAW DoDM 8140.03 which will be provided to the DPW RMF team.

a. All IT systems whether PIT, IT Services, or IT product configuration changes are required to be reviewed by the Change Control Board (CCB) before purchasing and implementation.

b. IT as described above in paragraph (a) will not be added to any DPW managed IT system until cybersecurity hardening has been completed and the DPW RMF team has reviewed the deliverables produced by Security Technical Implementation Guides (STIG) found at https://public.cyber.mil.

c. Cybersecurity Hardening will be enforced on all DPW managed PIT, IT services, and IT Products to include use of (STIGs) producing STIG viewer (.ckl / .cklb) files completed as a deliverable to the DPW RMF team.
d. When introducing network devices to a DPW IT managed system (new, or old) Nessus scans will be required with producing a .nessus file no larger than 20 megabyte increments, and be deliverable to the DPW RMF team.

e. Workstations and servers shall be required to be configured with an approved Army provided image of the appropriate type consisting of LTSC-A, SHB-A, SHBS-A, or LTSC-A Server.

f. Documentation, and configurations for all above baseline software shall be provided with RMF software assessment specific requirements such as applicable Application Security and Development STIG checklists, software licensing information including number of licenses, where the licenses are installed, licensed period start and expiration dates, whether software maintenance/technical support are included, and details.

g. Documentation for all network infrastructure including but not limited to cabling, equipment, configurations, logins/passwords, and physical/logical diagrams shall be provided.

h. Verify vendor is properly registered in https://www.sam.gov/SAM/. Provide the CAGE/DUNS code to DPW IT.

j. If the system and/or software has an Authority to Operate (ATO) with any DoD component, provide the system/software ID number or the signed ATO to the DPW RMF Team.