
Innovative Approaches to Obtaining Authority to Operate for Facility-Related Control Systems
ESTCP, Installation Energy and Water Program Area
Released February 2, 2017
Closed March 9, 2017
FY 2018
The DoD Installation Energy Test Bed sought innovative approaches to obtaining Authority To Operate (ATO) for common current and future network-reliant facility energy control systems and devices. Demonstrations were required to satisfy the requirements established in the Department of Defense Instruction (DoDI) 8500.01, Cybersecurity, and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology, and any applicable Service-specific requirements. DoD sought solutions that resulted in Type Authorization¹ (TA) and Reciprocity² and/or could have easily been replicated by installation personnel responsible for this activity.
Demonstration projects with the following characteristics were preferable:
- High likelihood of achieving reciprocity between Services
- High calculable energy savings, in addition to cost savings, as a direct result of the technology
- Minimal design and engineering required for deployment of the technology after the demonstration (e.g., development of pre-filled standard RMF TA submittal templates)
- Identification of common and mismatched security controls across different Platform Enclaves
- Development of cost factors and metrics to demonstrate scalability of the solution
- Low cost to implement after the demonstration
- Cost sharing
Project teams were encouraged to include representatives from each of the Services to ensure broad acceptance of demonstrated approaches and technologies. The demonstration program was for technologies and methods with completed proof-of-principle work. The impact of the demonstration should have been to reduce the time and cost of gaining ATO for legacy and new facility energy control systems and devices and to validate the energy and cost savings achieved by allowing network connectivity of legacy systems.
¹ Type Authorization: An official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.
² Reciprocity: Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information. Can apply to both TA and non-TA systems.
Funded projects will appear below as project overviews are posted to the website.