Catalog of Control Systems Security: Recommendations for Standards Developers
2.5.3.3 Requirement Enhancements
None
2.5.3.4 References
NIST SP 800-53r3 SA-3
CAG CC-7
NRC RG 5.71 C.4, C.4.1, C.4.2.1
2.5.4 Acquisitions
2.5.4.1 Requirement
The organization includes the following requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards:
Security functional requirements/specifications
Security-related documentation requirements
Developmental and evaluation-related assurance requirements.
2.5.4.2 Supplemental Guidance
The acquisition documents for control systems and services include, either explicitly or by reference, security requirements that describe: (1) required security capabilities (security needs and, as necessary, specific security controls), (2) required design and development processes, (3) required test and evaluation procedures, and (4) required documentation. The requirements in the solicitation documents permit updating security controls as new threats/vulnerabilities are identified and as new technologies are implemented.
2.5.4.3 Requirement Enhancements
1. The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.
2. The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).
3. The organization limits the acquisition of commercial technology products with security capabilities to products that have been evaluated and validated through a government-approved process.
2.5.4.4 References
NIST SP 800-53r3 SA-4
CAG CC-3, CC-7
NRC RG 5.71 C.3.3.3, App. B.5.4, App. C.12.4
2.5.5 Control System Documentation
2.5.5.1 Requirement
The organization:
1. Obtains, protects as required, and makes available to authorized personnel, administrator and user guidance for the control system that includes information on: (a) configuring, installing, and operating the system and (b) using the system’s security features