Cybersecurity: Is Your Risk Management Plan Ready? – Part 2

March 21, 2018
In the second of three articles on cyber risks to building control systems, a veteran DoD consultant looks at Cyber Risk Management Plans (CRMP), which all DoD contractors now must have in place for their IT systems.


In December, the first article in this series addressed cybersecurity of Operational Technology (OT) control systems, which include the field components and devices, controllers, servers, workstations, mobile devices and HMIs. This second article addresses the control system vendor's corporate business Information Technology (IT) systems that store and transmit Controlled Unclassified Information (CUI), which typically includes the CAD, BIM, technical specifications and operating manuals for the OT system. The series will conclude next month with a look at the responsibilities of third-party energy providers.

Protecting DoD Controlled Unclassified Information (CUI) 

Many contractors and vendors are still not aware of a change in the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012, that required all DoD contractors and vendors that handle CUI to implement NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, by December 31, 2017.

The ESTCP website has guidance and templates any organization can use to develop its Cyber Risk Management Plan (CRMP) to meet the NIST SP 800-171 requirements.

All ESTCP projects that collect, transmit, or store CUI data must have a current CRMP in accordance with (IAW) NIST SP 800-171 and the DFARS CUI Guide, and were required to be in compliance by December 2017.

Templates are provided for each of the documents, and the ESTCP office will assist contractors and vendors in completing a CRMP. Note that the templates can be used for both corporate IT business systems and OT demonstration projects. Typical CUI data on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter and site data). Typical CUI on OT projects includes network traffic (Modbus, BACnet, TCP/IP) between the HMI and lower-level controllers, configuration files, hardware/software versions and hashes, and consumption data (meter and site data).

CRMPs typically include the following documents: 

  • Corporate Information System Policies and Procedures – a generic template of recommended policies and procedures (artifacts) that support the answers to the security control questions;
  • System Security Plan (SSP) – recommend using the CSET tool/template and selecting Requirements Based, NIST SP 800-171;
  • Security Assessment Report (SAR) – ESTCP does not require a SAR; however, many insurance companies or Authorizing Officials (AOs) may require one. An organization can use the modified FedRAMP template;
  • Plan of Action & Milestones (POAM) – use the modified FedRAMP templates (GSA and DoD provided);
  • Information System Contingency Plan and CONOPS (ISCP) – use the modified FedRAMP template;
  • Event/Incident Communications Plan (EICP) – use the modified FedRAMP template and the associated ESTCP EICP Graphics PowerPoint;
  • Event/Incident Response Plan (EIRP) – use the modified FedRAMP templates;
  • US-CERT Incident Response Form – use the Excel file template for a non-DoD data incident;
  • CJCSM 6510.01B, Cyber Incident Handling Program (2012) – use the procedures outlined in the manual for a DoD incident;
  • Security Audit Plan (SAP) – use the modified NIST template.

For an organization completing a CRMP for the first time, a Work Breakdown Structure (WBS) is provided. This cost template is for investigators to use when preparing their full cost proposal; it breaks the six steps of the Risk Management Framework (RMF) (Categorize, Select, Implement, Assess, Authorize and Monitor) into distinct cost line items. The ESTCP office will provide a Subject Matter Expert (SME) to assist teams in preparing the documents and submittals.


If you are a DoD contractor or vendor, you must now have a CRMP for your IT business systems in place. Creating a CRMP is not a trivial task; it requires commitment from leadership not only to develop the initial documentation, but also to put in place and resource the ongoing work: monthly or quarterly security audits, annual or semi-annual tabletop exercises, and annual updates of the CRMP documents.


A frequent contributor to HPAC Engineering magazine, the author is a consultant to federal agencies and private-sector clients. He has contributed to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 Revision 2 (R2), Guide to Industrial Control Systems (ICS) Security, and to the U.S. Dept. of Homeland Security (DHS) Cyber Security Evaluation Tool (CSET), and is the creator of the National Institute of Building Sciences’ Cybersecurity for Building Control Systems workshop series. He can be contacted at [email protected]. This article first appeared in the January 2018 issue of HPAC Engineering magazine.