17 Steps to Securing Your Operational Technology and Supporting IT Infrastructure

Building Cyber Security & SAME Cyber IGE Enterprise Security Checklist

The Society of American Military Engineers (SAME) chartered a Cyber Industry/Government Engagement (IGE) to offer industry best practices for the protection of smart building technologies. The resulting Enterprise Security Checklist was derived from the work of the non-profit Buildingcybersecurity.org, which is committed to enhancing human safety in the built environment. The SAME Cyber IGE has developed a simple checklist of questions to assess the basic level of cybersecurity effectiveness, to complement federal guidance and to initiate a discussion at the installation level about preparedness and readiness to respond to a cyber incident.

The checklist is based on NIST standards and the ISA/IEC 62443 series. It covers a variety of topics, including governance, roles, risk assessment, service provider management, system/network access control, physical and logical network architecture, jump kits and change management.

The IGE recommends that the checklist be incorporated into federal guidance for facility managers. This will help them to gauge the readiness of their units to respond to a cyberattack on operational technologies.

Each of the 17 steps below gives the AREA, a DESCRIPTION of what is expected, the POTENTIAL ARTIFACTS that evidence it, and the question(s) to ask at the installation level.
1. Security Program (Governance, Policy, Roles)

Ensure that the security program has support and sponsorship from senior leadership.

Ensure that the security program includes governance, policy and role descriptions for both OT and IT.

  • Name and role of the mission sponsor
  • Copy of the cyber policy that:
    – directly addresses OT systems
    – includes an IT/OT RACI
    – includes an event action plan

Do we have a building control system cybersecurity program at the installation level (governance, policies, roles & responsibilities)?
2. System Asset Inventory (Hardware and Software)

A system asset inventory must be actively managed to keep its information current. This applies to both hardware and software for all system components. At a minimum, each record should capture:

  • Manufacturer, model name, model number
  • Manufacturer support status (end of life)
  • Operating system (OS)/firmware manufacturer and version
  • List of applications, with manufacturer and version
  • Location (building, floor, room number)
  • Network address (e.g. IP address)

Potential artifacts:

  • ASHRAE Level 2 ASEAM (A Simplified Energy Analysis Method) audit
  • ASHRAE Level 3 audit
  • An established comprehensive digital twin model
  • An asset inventory program that collects and maintains this information
  • Record drawings (if new construction)

Are all the devices and software that run building(s) accounted for in an up-to-date asset inventory program?

Do we maintain active jump kits per DOD guidance?
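
The minimum-field list above is only useful if someone checks the inventory against it. The following is an added example, not code from the checklist or from SAME: it validates an exported inventory against those minimum fields, flags end-of-life devices, and goes one step further than the text by also catching malformed and duplicate IP addresses, which are the two errors that most often make an inventory useless for network diagrams and incident response. The field names, the asset IDs and the sample records are all constructed assumptions.

```python
"""Validate a building control system (BACS) asset inventory export.

Added example, not part of the SAME Cyber IGE checklist. Field names,
asset IDs and sample records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Minimum fields the checklist expects per record (names are assumed).
REQUIRED_FIELDS = (
    "manufacturer", "model_name", "model_number", "support_status",
    "os_firmware_vendor", "os_firmware_version", "applications",
    "location", "network_address",
)

# Values of support_status that mean the vendor no longer ships fixes.
EOL_STATUSES = {"end_of_life", "end-of-life", "eol", "unsupported"}

# Constructed sample inventory: not real devices or addresses.
SAMPLE_INVENTORY = [
    {"asset_id": "AHU-1-CTRL", "manufacturer": "ExampleCo", "model_name": "FieldCtl",
     "model_number": "FC-200", "support_status": "supported",
     "os_firmware_vendor": "ExampleCo", "os_firmware_version": "4.2.1",
     "applications": ["BACnet/IP stack 4.2"], "location": "Bldg 12 / Fl 1 / Rm 101",
     "network_address": "10.20.1.11"},
    {"asset_id": "CHLR-1-CTRL", "manufacturer": "ExampleCo", "model_name": "FieldCtl",
     "model_number": "FC-100", "support_status": "end_of_life",
     "os_firmware_vendor": "ExampleCo", "os_firmware_version": "2.0.9",
     "applications": [], "location": "Bldg 12 / Fl B / Rm B04",
     "network_address": "10.20.1.12"},
    {"asset_id": "BMS-SERVER", "manufacturer": "ExampleCo", "model_name": "Supervisor",
     "model_number": "", "support_status": "supported",
     "os_firmware_vendor": "Microsoft", "os_firmware_version": "Windows Server 2019",
     "applications": ["BMS Supervisor 9.1"], "location": "",
     "network_address": "10.20.1.11"},          # same IP as AHU-1-CTRL: a record error
    {"asset_id": "VAV-3-07", "manufacturer": "ExampleCo", "model_name": "VAVctl",
     "model_number": "VC-10", "support_status": "supported",
     "os_firmware_vendor": "ExampleCo", "os_firmware_version": "1.3",
     "applications": [], "location": "Bldg 12 / Fl 3 / Rm 307",
     "network_address": "10.20.1.999"},         # not a valid IPv4 address
]


def validate_inventory(records):
    """Return a sorted list of (asset_id, finding) tuples; empty means clean."""
    findings = []
    by_ip = defaultdict(list)          # valid IP -> asset IDs claiming it
    for rec in records:
        asset = rec.get("asset_id") or "<no asset_id>"
        # None or empty string counts as missing; an empty applications
        # list is a legitimate answer for a bare field controller.
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            findings.append((asset, "missing required fields: " + ", ".join(missing)))
        if str(rec.get("support_status", "")).lower() in EOL_STATUSES:
            findings.append((asset, "end of life: no vendor security support"))
        addr = rec.get("network_address")
        if addr:
            try:
                by_ip[ipaddress.ip_address(addr)].append(asset)
            except ValueError:
                findings.append((asset, f"malformed network address: {addr}"))
    # Two records on one address means the inventory, not the network, is wrong.
    for ip, assets in by_ip.items():
        if len(assets) > 1:
            for asset in assets:
                others = ", ".join(a for a in assets if a != asset)
                findings.append((asset, f"duplicate network address {ip} shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for asset_id, finding in validate_inventory(SAMPLE_INVENTORY):
        print(f"{asset_id:12} {finding}")
```

Run it against a real export (CSV or JSON mapped onto the same keys) as part of the periodic inventory review; an empty result is the evidence that the "up-to-date asset inventory" question can be answered yes.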

3. Risk Assessment with Identification of Essential Functions
Documentation that shows how, when and what was assessed. The risk assessment results must also include a risk rating that identifies critical systems or devices that would affect the operations of the building.
  • A risk assessment report that includes BACS systems
  • The report should cover all systems, state each finding, explain the importance of the finding, and give the mitigation that resolves it.
Have we identified the critical building systems in mission-essential facilities and assessed them for cyber risk?
4. Service Provider Management

Provide a list of service providers with the following information:

  • Service provider name
  • Service provider security contact
  • Service scope
  • Service provider’s responsibilities
  • Service provider agreements
  • List of authorized service provider personnel
  • Service provider support contract that includes:
    – services provided
    – a RACI
    – the customer's responsibilities
    – software/firmware/OS administration responsibilities

  • IT consultant contract
  • Microsoft corporate subscription (OS support)
Do we have a complete, up-to-date list of each service provider that supports the systems within buildings?
5. System/Network Access Control (remote and local)

Documents that outline how, when and by whom connections are made to the BACS system and/or network.

  • Account names
  • Account policies
  • Roles
  • Permissions
  • Access methods (local/remote)
  • Signed access policy rider attached to the service provider contract
  • Signed copy of the remote access policy
  • Log of vendor visits that includes confirmation access policy was reviewed with vendor prior to work
  • Splash screen that is displayed each time the vendor logs in
  • List of approved vendors, their roles and permissions
  • Activity logs to support above
Who controls access to building control networks locally and remotely?
6. Physical and Logical Network Architecture Drawing

Actively managed drawings that include:

  • How the networks are interconnected
  • Description of systems and services on the network
  • Description of systems and services that connect to the network
  • Network management (devices, software and services)
  • Physical drawings that show the logical and physical network (must have a program to keep them updated)
  • Record drawings (if new construction)
  • Asset inventory with IP addresses, protocols, ports and firmware/software deployed (must have a program or method to keep it updated)
  • Passive network scanning programs that create a logical diagram of device communications
Are all building control networks documented?
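
The last artifact above, a passive scan that draws the logical diagram from observed device communications, is the one that catches what the drawings miss. The following is an added example, not code from the checklist or from any scanning product: it takes flow records as a sensor on a span port might export them (an assumed "timestamp src dst proto dport" line format; the sample lines are constructed), aggregates them into per-service edges, labels the well-known BACS and IT ports, emits a Graphviz DOT diagram, and cross-checks every observed host against the documented asset inventory so that undocumented talkers are reported. The host names and addresses in DOCUMENTED_ASSETS are assumptions.

```python
"""Draw a logical communication diagram of a building control network from
passively captured flow records and cross-check it against the inventory.

Added example, not part of the SAME Cyber IGE checklist. The flow-record
line format, the addresses and the asset names are constructed assumptions.
"""
from collections import defaultdict

# Well-known ports on building control and supporting IT networks.
SERVICE_BY_PORT = {
    ("udp", 47808): "BACnet/IP",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 1628): "LonWorks/IP",
    ("udp", 161): "SNMP",
    ("tcp", 22): "SSH",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 3389): "RDP",
}

# Constructed sample export: "timestamp src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = """\
2024-03-01T08:00:01 10.20.1.10 10.20.1.11 udp 47808
2024-03-01T08:00:01 10.20.1.10 10.20.1.12 udp 47808
2024-03-01T08:00:03 10.20.1.10 10.20.1.12 udp 47808
2024-03-01T08:00:05 10.20.1.10 10.20.1.20 tcp 502
2024-03-01T08:01:12 10.20.1.10 10.20.1.11 udp 47808
2024-03-01T08:02:00 10.20.5.77 10.20.1.11 udp 47808
2024-03-01T08:02:30 10.20.5.77 10.20.1.10 tcp 3389
2024-03-01T08:03:00 10.20.1.10 10.20.9.9 tcp 443
2024-03-01T08:03:02 10.20.1.30 10.20.1.10 udp 161
"""

# What the (assumed) asset inventory says is on the network: IP -> asset ID.
DOCUMENTED_ASSETS = {
    "10.20.1.10": "BMS-SERVER",
    "10.20.1.11": "AHU-1-CTRL",
    "10.20.1.12": "CHLR-1-CTRL",
    "10.20.1.20": "PWR-METER-1",
    "10.20.1.30": "NMS-POLLER",
}


def parse_flows(text):
    """Parse export lines into (timestamp, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((ts, src, dst, proto.lower(), int(port)))
    return flows


def build_comm_map(flows):
    """Aggregate flows into edges: (src, dst, service) -> number of flows."""
    edges = defaultdict(int)
    for _, src, dst, proto, port in flows:
        service = SERVICE_BY_PORT.get((proto, port), f"{proto}/{port}")
        edges[(src, dst, service)] += 1
    return dict(edges)


def undocumented_hosts(edges, documented):
    """Hosts seen talking on the network that the inventory does not list."""
    seen = {h for src, dst, _ in edges for h in (src, dst)}
    return sorted(seen - set(documented))


def to_dot(edges, documented):
    """Render the communication map as a Graphviz DOT digraph."""
    lines = ["digraph bacs {", "  rankdir=LR;"]
    for host in sorted({h for src, dst, _ in edges for h in (src, dst)}):
        if host in documented:
            lines.append(f'  "{host}" [label="{documented[host]}\\n{host}"];')
        else:
            lines.append(f'  "{host}" [label="UNDOCUMENTED\\n{host}" color=red];')
    for (src, dst, service), count in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{service} x{count}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = build_comm_map(parse_flows(SAMPLE_FLOWS))
    print(to_dot(edges, DOCUMENTED_ASSETS))
    for host in undocumented_hosts(edges, DOCUMENTED_ASSETS):
        print(f"# undocumented host on the network: {host}")
```

In the constructed sample the diagram shows an unlisted host (10.20.5.77) both polling a field controller over BACnet/IP and reaching the BMS server over RDP, and the server itself talking HTTPS to an address outside the inventory; each of those is a line on the drawing that someone has to explain or remove. Pipe the DOT output to `dot -Tpng` to render it.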
7. System Backup/Restore

BACS backup documentation identifies:

  • Scope (what is being backed up)
  • Frequency
  • Method
  • Storage (online/offline)
  • Location (onsite/offsite)
  • Provide the service contract from the vendor stating that they are responsible for backups, including frequency, storage, testing and a RACI for events
  • Provide corporate policy and documentation of the controls that enable system backups
  • Provide the 3rd-party contract stating that they are responsible for backups, including frequency, storage, testing and a RACI for events
  • If backups are manual:
    – provide the system log showing when backups were taken
    – provide the change control log showing when backups were tested

Are all building control systems, including the devices throughout the building, accurately and consistently backed up?

Do we maintain active jump kits per DOD guidance?

8. Physical Access Control

Documented physical access control establishes guidelines for asset owner-employees and service providers. At a minimum, these guidelines identify:

  • Who has access to what location/area
  • Access methods (key checkout, card, biometric, etc.)
  • Enrollment Process
  • Restrictions
  • Provide access log for employees and vendors entering spaces
  • Provide the security policy for chaperones and vendor escorts, as well as logs that show enforcement of the policy
  • Provide access control user groups or key assignments to record who has potential access
  • Provide access control logs or key check-out logs to show who accessed spaces and when
Do we control physical access to the building systems in our facility?
9. System Account Management

Processes for identifying users, adding and removing accounts, assigning permissions, and periodically reviewing accounts and permissions. Include any additional policies and procedures for privileged accounts (e.g., administrator accounts).

  • Provide policies and procedures for account management
  • Provide a change control log that includes:
    – the list of active users and the rights assigned to them
    – the policy for changing a user's level of permissions
    – the audit and update policy

Does someone positively control access to accounts used to login to building systems in my facility?
10. Network Infrastructure Management
Documented network infrastructure management deals with the oversight of the key OT infrastructure elements that are required to deliver building control and monitoring: the physical networking components themselves as well as the devices, software and services that manage them.
  • Detailed network policy that includes roles and responsibilities.

– Responsibility and frequency for management tasks

  • Maintenance/service contracts with network providers with details on how firmware/software and devices will be updated and kept current
Do you know how all building systems networks are connected to each other?
11. Remote and External Access
Do I control remote and external access to building systems?
12. Change Management
Documentation that describes the practices designed to ensure successful prioritizing, approval, scheduling, and execution of changes to a BACS.
  • Documentation of change management policies and procedures
  • An up-to-date change management log
Do you have change management for building systems with the appropriate level of approval?
13. Updated As-Built System Documentation
As-built system documentation must reflect the system as it is configured currently.
  • Physical drawings that show the logical and physical network(s)
  • Process for keeping documentation updated
Is our as-built documentation for all building systems kept up to date?
14. System Security Verification
This documentation shows that the systems have been commissioned/reviewed to ensure that cybersecurity measures have been implemented. It must also show ongoing reviews to ensure that the implemented cybersecurity measures have not been altered or removed.
  • New construction to provide a commissioning report that includes the commissioning procedures, deficiency log, and work done to close out deficiencies.
  • Provide documentation that indicates periodic security reviews have been completed
Do you periodically verify that your security measures are configured correctly and operational?
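
Periodic verification that "measures have not been altered or removed" (this step) and periodic review of accounts and permissions (step 9) are the same mechanical check: compare the state recorded at commissioning with the state exported from the device today. The following is an added example, not code from the checklist or from any vendor: the baseline is assumed to be the per-device security settings captured at commissioning plus the approved local accounts, and the current state is assumed to come from each device's configuration export. Each device is fingerprinted with SHA-256 so that an unchanged device is skipped, and only devices that differ are diffed setting by setting and account by account. Device names, setting keys and values are constructed assumptions.

```python
"""Detect drift from the commissioned security baseline of BACS devices.

Added example, not part of the SAME Cyber IGE checklist. The baseline,
the current-state export and all device and setting names are constructed.
"""
import hashlib
import json

# Assumed commissioning baseline: security settings plus approved accounts.
SECURITY_BASELINE = {
    "AHU-1-CTRL": {
        "settings": {"default_password_changed": True, "telnet_enabled": False,
                     "https_only": True, "firmware_version": "4.2.1",
                     "login_banner": True},
        "accounts": {"bacs-admin", "svc-monitor"},
    },
    "BMS-SERVER": {
        "settings": {"rdp_nla_required": True, "local_firewall": "on",
                     "bacnet_foreign_device_registration": False,
                     "os_patch_level": "2024-02"},
        "accounts": {"bms-admin", "svc-backup", "bacs-operator"},
    },
}

# Assumed current configuration export, constructed to show three kinds
# of drift on BMS-SERVER and a device that was never baselined.
CURRENT_STATE = {
    "AHU-1-CTRL": {
        "settings": {"default_password_changed": True, "telnet_enabled": False,
                     "https_only": True, "firmware_version": "4.2.1",
                     "login_banner": True},
        "accounts": {"bacs-admin", "svc-monitor"},
    },
    "BMS-SERVER": {
        "settings": {"rdp_nla_required": False,       # altered
                     "local_firewall": "on",
                     "os_patch_level": "2024-02"},    # foreign-device control removed
        "accounts": {"bms-admin", "svc-backup", "bacs-operator",
                     "vendor-temp"},                  # account nobody approved
    },
    "VAV-3-07": {
        "settings": {"default_password_changed": False},
        "accounts": {"admin"},
    },
}


def fingerprint(state):
    """Stable SHA-256 over a device's settings and sorted account list."""
    canonical = {"settings": state["settings"], "accounts": sorted(state["accounts"])}
    return hashlib.sha256(json.dumps(canonical, sort_keys=True).encode()).hexdigest()


def check_drift(baseline, current):
    """Return {device: [finding, ...]} for every device that deviates."""
    report = {}
    for device, base in baseline.items():
        cur = current.get(device)
        if cur is None:
            report[device] = ["device missing from current configuration export"]
            continue
        if fingerprint(base) == fingerprint(cur):
            continue                      # byte-for-byte what was commissioned
        findings = []
        for key, expected in base["settings"].items():
            if key not in cur["settings"]:
                findings.append(f"control removed: {key}")
            elif cur["settings"][key] != expected:
                findings.append(f"control altered: {key} expected {expected!r}, "
                                f"found {cur['settings'][key]!r}")
        for key in sorted(set(cur["settings"]) - set(base["settings"])):
            findings.append(f"unbaselined setting present: {key}")
        for acct in sorted(set(cur["accounts"]) - set(base["accounts"])):
            findings.append(f"unapproved account: {acct}")
        for acct in sorted(set(base["accounts"]) - set(cur["accounts"])):
            findings.append(f"approved account missing: {acct}")
        report[device] = findings
    # A device that reports in but was never commissioned is itself a finding.
    for device in sorted(set(current) - set(baseline)):
        report[device] = ["device not covered by security baseline"]
    return report


if __name__ == "__main__":
    for device, findings in check_drift(SECURITY_BASELINE, CURRENT_STATE).items():
        for finding in findings:
            print(f"{device:12} {finding}")
```

The fingerprints are worth keeping alongside the commissioning report: a list of device fingerprints signed off at commissioning, re-computed at each periodic review, is exactly the "documentation that indicates periodic security reviews have been completed" that this step asks for.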
15. Incident Response and Recovery

Incident response documentation (what happens when an event occurs) must include:

  • Roles & responsibilities
  • Communication plan
  • Incident prevention
  • Monitoring
  • Containment of an event
  • Remediation processes
  • Recovery & restoration processes
  • Post event analysis & forensics processes
  • Provide documentation on how the team would be alerted to an incident and what the immediate steps are
  • Provide service provider contract(s) stating their role in an incident response
  • Provide corporate policy and documentation of roles to address incident response
  • Provide documentation showing rehearsals or simulated incidents
  • Provide evidence that backup procedures are periodically executed
  • Provide a policy that mandates a review of a current response plan and how to update it to address new practices or threats

Do you have an incident response and recovery plan for your building systems that includes cybersecurity incidents, and do you periodically test it per DOD guidance?

Do we know how to report a cyber incident in accordance with DOD policies?

16. Security Awareness and Skills Training

Security awareness and training documentation must show:

  • Areas of focus
  • Expectations
  • Frequency
  • Active management to stay current on cybersecurity trends
  • Provide evidence that personnel have completed security awareness training and that the training is specific to their role.
  • Provide service provider contracts that require personnel to be informed of and comply with the building owner’s policies and procedures.
Do you have building system security awareness and training programs that are appropriate for each role?
17. Data Protection

Data protection policy and procedure documentation that includes:

  • Data classification
  • Data protection (at rest or in motion)
  • Data retention
  • Data purging
  • Show controls that are in place to encrypt data in transit and at rest
  • Show the sections of service contracts that require any vendor with access to system data to protect that data both in transit and at rest
Do you have a comprehensive approach to protect data at rest or in motion?