Ensuring the security of facility control systems is crucial in today's digital landscape. The Facility Cybersecurity Framework (FCF) provides comprehensive tools and guidelines to help facility owners and operators manage cybersecurity risks effectively. By leveraging the FCF, facilities can enhance their cybersecurity posture, comply with federal regulations, and protect their critical infrastructure.
Facility Cybersecurity Framework
The Facility Cybersecurity Framework (FCF) assists facility owners and operators in managing their cybersecurity risks in both operational technology (OT) and information technology (IT) networks. FCF aligns strictly with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). A series of interconnected self-assessment tools are available, with more details provided below.
Identify Needs
Identify needs and key priorities from facility and site management to assess, mitigate, and track your facility's cybersecurity posture over time.
- Management Priorities Tool: Define goals for each NIST domain.
- Management Priorities and FCF Comparison: Compare your goals with your facility's current state to identify a mitigation path.
Find Gaps
Discover cybersecurity gaps and risks by reviewing your facility's cybersecurity policies.
- FCF Assessment: Evaluate your cybersecurity policies against the NIST CSF to comply with Executive Orders 13686 and 13800.
- Comparative Evaluation: Track changes in your cybersecurity posture over time and evaluate the return on investment from cybersecurity actions.
- Facility Cybersecurity Capability Maturity Model (F-C2M2): Assess the relative maturity of our facility’s OT cybersecurity policies and posture and identify facility-specific gaps.
- Risk Management Framework Pre-Assessment Tool: Find guidance on implementing security controls based on the identified baseline. This pre-assessment helps federal organizations prepare for actual control implementation.
- FCF Internet of Things (IoT) Tool: Identify security controls for developing or deploying IoT devices in networks, supporting the IoT Cybersecurity Improvement Act of 2020.
Understand and Mitigate Gaps
Understand and mitigate gaps once they have been discovered and learn how bad actors may exploit them. These tools help mitigate risk by understanding policy best practices, designing secure OT network architectures, discovering unknown vulnerabilities from externally exposed OT assets, and managing and tracking progress over time.
- Best Practices Tool: Understand how identified gaps could be exploited by known OT cyberattack techniques and tactics. Learn about vulnerabilities, best practices, and threat vectors to be vigilant about.
- Qualitative Risk Management Tool: Annotate and track the vulnerability, impact, and risk pertaining to OT systems.
- ArcGen: Diagram your network’s devices and structure to identify secure deployments.
- Mitigation of Externally Exposed Energy Delivery Systems (MEEDS) Tool (beta): Discover OT vulnerabilities from inadvertently externally exposed OT assets. MEEDS includes more than 700 queries aimed at industrial control systems, offering a safer solution for operational technologies compared to traditional IT scanning solutions.
Enhance Cybersecurity Knowledge
Enhance the agility and capability of federal cybersecurity through experiential learning and gamification. These tools advance understanding of key cybersecurity policies, best practices, and OT network and system concepts via real-world, interactive, and accredited training games.
- FCF Training Games: Real-world scenarios with both management and engineering pathways. Scenarios vary in time, difficulty, and cybersecurity concepts, with several offering continuing education units (CEUs).
- Network Defense Training Game: Players defend a faulty network by implementing security policy and configuration changes across five rounds of gameplay.
- Network Defense 3D Game: An immersive training game where players survey their network to identify vulnerable devices and determine the best countermeasures.