This UFC describes requirements for incorporating cybersecurity in the design of all facility-related control systems which include a network. This UFC covers the cybersecurity aspects of control system design, and the requirements of this UFC must be coordinated with the control system design and the criteria relevant to the control system. This UFC only covers aspects specific to control system design. Many projects have IT-specific components (such as IP network design security) which are not covered by this UFC; in those cases, the controls designer will need to coordinate with other disciplines. This UFC defines a process for identification of cybersecurity requirements based on the Risk Management Framework suitable for control systems of any impact rating and provides specific guidance suitable for control systems assigned LOW or MODERATE impact level.
This UFC covers the incorporation of cybersecurity concepts and requirements in support of the Risk Management Framework. This UFC does not implement the RMF and does not address anything beyond the design of the system. Use of this UFC does not result in an ATO under the RMF process but will provide a system that is more capable of receiving an ATO than a system not designed in accordance with this UFC.