OVERVIEW
A control system is a set of mechanical or electronic devices that regulates other devices or systems by way of control loops. Typically, control systems are computerized. Control systems are used throughout the federal government for actuators, sensors, and data collection/aggregation on all manner of equipment. The purpose of the Control Systems Tested Products List (CS TPL) process is to increase acquisition efficiency and improve the Cybersecurity posture for control systems across the Department of Defense. The CS TPL is available to all Military Departments and DoD agencies for the acquisition of control system components. The CS TPL is also available to non-DoD federal agencies at their discretion. The CS TPL is not an approved products list. Presence of a component on the CS TPL relays the security features and risks of the component. Listing on the CS TPL does not imply suitability for use in any given system.
SCOPE
Devices and/or aggregation of devices into subsystems (hereafter referred to generically as either device(s), product(s), or component(s)) within the scope of the CS TPL can be characterized as Non-standard Information Technologies (IT) defined by the Department of Defense 5-Level control system architecture from Unified Facilities Criteria (UFC) 4-010-06. This process will include components of the control system that fit into the “Non-Standard IT” description from Section 2-2.2 of the UFC 4-010-06. The primary focus of the CS TPL will be “Non-Standard IT” products at levels 1, 2, and 3 and will also involve evaluation of applications from level 2 and 4. Devices at level 3 and 4 which may be within scope of the CS TPL will be evaluated on a case-by-case basis for candidacy in the CS TPL program based on direct OT capabilities.
Level 0 consists of non-networked devices which communicate with devices at Level 1 or 2 using analog signals. Level 1 devices connect to non-IP (Internet Protocol) network, and Level 2 devices connect to an IP network at level 2 or 3. Products at level 4 that a) are not already addressed in the Defense Information Systems Agency’s Department of Defense Information Network (DoDIN) Approved Products List (APL) and support OT only, or b) provide some unique, required control system functionality may be included in the CS TPL. Typically, these products will be OT-system specific software applications.
The CS TPL is not intended to be a replacement for any existing government processes. The CS TPL will address control system unique components and software which may operate at levels above 2, but such components and software will not include any operating systems, IT infrastructure, virtualization platforms or other Cybersecurity or Information Assurance enabled applications addressed within the DoDIN APL.
PROCESS FLOW
A control system is a set of mechanical or electronic devices that regulates other devices or systems by way of control loops. Typically, control systems are computerized. Control systems are used throughout the federal government for actuators, sensors, and data collection/aggregation on all manner of equipment. The purpose of the Control Systems Tested Products List (CS TPL) process is to increase acquisition efficiency and improve the Cybersecurity posture for control systems across the Department of Defense. The CS TPL is available to all Military Departments and DoD agencies for the acquisition of control system components. The CS TPL is also available to non-DoD federal agencies at their discretion. The CS TPL is not an approved products list. Presence of a component on the CS TPL relays the security features and risks of the component. Listing on the CS TPL does not imply suitability for use in any given system.
SCOPE
Devices and/or aggregation of devices into subsystems (hereafter referred to generically as either device(s), product(s), or component(s)) within the scope of the CS TPL can be characterized as Non-standard Information Technologies (IT) defined by the Department of Defense 5-Level control system architecture from Unified Facilities Criteria (UFC) 4-010-06. This process will include components of the control system that fit into the “Non-Standard IT” description from Section 2-2.2 of the UFC 4-010-06. The primary focus of the CS TPL will be “Non-Standard IT” products at levels 1, 2, and 3 and will also involve evaluation of applications from level 2 and 4. Devices at level 3 and 4 which may be within scope of the CS TPL will be evaluated on a case-by-case basis for candidacy in the CS TPL program based on direct OT capabilities.
Level 0 consists of non-networked devices which communicate with devices at Level 1 or 2 using analog signals. Level 1 devices connect to non-IP (Internet Protocol) network, and Level 2 devices connect to an IP network at level 2 or 3. Products at level 4 that a) are not already addressed in the Defense Information Systems Agency’s Department of Defense Information Network (DoDIN) Approved Products List (APL) and support OT only, or b) provide some unique, required control system functionality may be included in the CS TPL. Typically, these products will be OT-system specific software applications.
The CS TPL is not intended to be a replacement for any existing government processes. The CS TPL will address control system unique components and software which may operate at levels above 2, but such components and software will not include any operating systems, IT infrastructure, virtualization platforms or other Cybersecurity or Information Assurance enabled applications addressed within the DoDIN APL.
PROCESS FLOW