Published: 1 May, 2019
Purpose of RFI
The purpose of this RFI is to broaden industry participation and gather information for the Control Systems Tested Products List (CS TPL). This Request for Information (RFI) is to address all manufacturers and distributors of control system devices, herein referred to as Offerors. Interested parties should submit their responses in accordance with the “Instructions for Responders” available below. Thorough and complete Offeror responses will allow the Government to plan and scale the CS TPL test and assessment environment so as to be most responsive to Offerors.
CS TPL Synopsis
The Office of the Principal Cyber Advisor to the Secretary of Defense via the U.S. Army Combat Capabilities Development Command Aviation & Missile Center (CCDC-AvMC) seeks to provide Government organizations cost savings via increased acquisition efficiency while improving the cybersecurity posture for control systems across the Department of Defense (DoD) and the broader Federal Government. The CS TPL supports this initiative by developing a centralized test and assessment plan for control system products and populating results within a portal for Government buyers to access and use. The CS TPL will be continuously revised as newer systems are introduced, thus enabling Government users to continually fulfill their desire for cost efficiency. The concept for the CS TPL is seen in Figure 1, which contrasts the current state with the CS TPL future state.
Scope of CS TPL
The scope of the CS TPL is to test products that are suitable for Operational Technology (OT) applications. These products are typically included in Industrial Control Systems, Facility-Related Control Systems, energy grids, smart buildings, medical systems, weapons systems, etc. These products can be characterized as non-standard Information Technologies that are level 0 through 4 of the notional 5-Level control system architecture depicted in Figure 2. The primary focus of the CS TPL will be products at levels 0 through 2. Level 0 devices connect to non-Internet-Protocol (IP) networked devices at Level 1. Level 1 devices connect to IP-enabled devices that comprise Level 2. Products at levels 3 and 4 that a) are not already addressed in the Defense Information Systems Agency’s existing Department of Defense Information Network (DoDIN) Approved Products List (APL) and support Operational Technology (OT) only, or b) provide some unique, required control system functionality may be included in the CS TPL to address OT gaps that exist in the DoDIN APL.
Note that these layers are not absolute, and there may be differing opinions about which layer a particular device belongs to.
The CS TPL will not address items at levels above level 2 which are already addressed in the DoDIN APL except in specific cases as directed by the Office of the Secretary of Defense (OSD). The CS TPL will address CS unique applications and software which may operate at levels above 2, but such software and applications assessments will not include any operating systems, virtualization platforms or other cybersecurity or Information-Assurance-enabled applications addressed within the DoDIN APL. The evaluation of these items would be analogous to the now-deprecated “Certificate of Networthiness” which was previously required for use of some applications.
CS TPL Test and Assessment Process
The CS TPL test and assessment process can be broken down into three phases. The first phase occurs before testing and is dependent on the availability of the product information provided by the offeror through documentation. The second phase includes the actual testing process. The last phase of the timeline is to develop the artifacts in support of Risk Management Framework re-use and publish the results. After that, the product remains on the CS TPL for three years with the option to renew.
Provision and Clauses
The following provisions and clauses form the basis for the CS TPL. Full text versions can be found at: http://farsite.hill.af.mil/ and https://www.govinfo.gov.