A Comprehensive Guide to Cybersecurity for Building Technology Contractors
- hvfsusa
- Feb 5, 2024
As a Building Technology Contractor, you may find yourself working alongside cybersecurity contractors. This blog post aims to educate you on the coordination and effort required in this process, specifically focusing on Cybersecurity Vendor Pricing Considerations.

Pricing Considerations for Vendors With Respect to Cybersecurity
When considering pricing, it’s important to understand the various aspects of the cybersecurity process that could impact costs. These include:
- RMF Documentation: The Risk Management Framework (RMF) requires specific documentation, which will require vendor time. The scope of the deliverable can be understood by reading the 25 5 11 spec.
- Hardening Support: During the hardening process, controls are applied to the Facility Related Control Systems (FRCS). Some of this can be done autonomously by Cybernet, but some aspects will require vendor support.
- Performance Verification Testing (PVT): PVT is defined by Division 25 8 10 or 25 10 10 specs and involves testing the system in the field and assessing its long-term performance and reliability.
- Pre-IV&V Assessments: Independent Verification and Validation (IV&V) assessments are conducted after the hardening and RMF documentation are complete.
- Training (and related documentation): If needed, training is provided.
Cyber Process Overview
The cybersecurity process can be broadly divided into two phases: Design and Construction/Commissioning.
Design
In the design phase, there are two main deliverables that are of importance:
- Division 25 specs: These include 25 5 11, which is an overarching spec that defines deliverables and terminology; 25 8 10, which pertains to UMCS Testing; 25 10 10, which deals with UMCS Front End Integration; and 25 8 11.00 20, which is typically only for Navy contracts and deals with the Risk Management Framework (RMF).
- Control Correlation Identifiers (CCIs): Also known as Control Sets, these define the controls that are to be applied to the FRCS. The 25 5 11 spec will indicate which RMF documents need to be submitted for the Authority To Operate (ATO). The CCIs/Control Sets will be used as a punch list of activities during Hardening and as a guide for what will be validated during Assessment.
Construction/Commissioning
In the construction/commissioning phase, the RMF documents required by the 25 5 11 spec are constructed and submitted for government approval. The FRCS are hardened in accordance with control sets/CCIs. Once the FRCS are hardened and the RMF documents have been reviewed and accepted by the government, an assessment occurs. If needed, training is provided. Finally, ATOs are conferred.
Training Coordination
The project requires training to be held in accordance with section 3.16 of the Division 25 5 11.02 specification. While sections 3.16.a – 3.16.d are labeled “Cybersecurity Training”, it is clear that this is actually training on the normal operation of the system as it pertains to software/firmware updates, audit logs, and user account management. You should verify your cyber partner has hours allocated to support this, but it will be a joint effort to create and perform the training. Vendor hours should be allocated to this task.
Conclusion
Understanding the cybersecurity process and the coordination required with cybersecurity contractors is crucial for Building Technology Contractors. By familiarizing yourself with the process and the various aspects that could impact pricing, you can ensure a smooth and efficient collaboration. Remember, cybersecurity is not just the responsibility of the cybersecurity contractor - it’s a team effort. This guide provides a comprehensive overview of the process, from design to commissioning, and highlights the importance of training coordination. With this knowledge, you can confidently navigate the cybersecurity landscape and contribute to a secure and successful project.