82 FR 14879 - National Cybersecurity Center of Excellence (NCCoE) Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing Sector
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology Federal Register Volume 82, Issue 55 (March 23, 2017)
National Institute of Standards and Technology
Federal Register Volume 82, Issue 55 (March 23, 2017)
| Page Range | 14879-14880 | |
| FR Document | 2017-05759 |
[Federal Register Volume 82, Number 55 (Thursday, March 23, 2017)] [Notices] [Pages 14879-14880] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2017-05759] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No.: 170221188-7188-01] RIN 0693-XC072 National Cybersecurity Center of Excellence (NCCoE) Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing Sector AGENCY: National Institute of Standards and Technology, Department of Commerce. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Capabilities Assessment for Securing Manufacturing Industrial Control Systems. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Manufacturing sector program. Participation in the Capabilities Assessment for Securing Manufacturing Industrial Control Systems use case is open to all interested organizations. DATES: Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities of the project, but no earlier than April 24, 2017. When the use case has been completed, NIST will post a notice on the NCCoE Manufacturing sector program Web site at https://nccoe.nist.gov/projects/use_cases/manufacturing announcing the completion of the use case and informing the public that it will no longer accept letters of interest for the Capabilities Assessment for Securing Manufacturing Industrial Control Systems use case. ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, Rockville, MD 20850. Letters of interest must be submitted to [email protected], or via hardcopy to National Institute of Standards and Technology, NCCoE; 9700 Great Seneca Highway, Rockville, MD 20850. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of this notice will be asked to sign a Cooperative Research and Development Agreement (CRADA) with NIST. A CRADA template can be found at: https://nccoe.nist.gov/library/nccoe-consortium-crada-example. FOR FURTHER INFORMATION CONTACT: Jim McCarthy via email at [email protected]; by telephone at 301-975-0228; or by mail to National Institute of Standards and Technology, NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850. Additional details about the Manufacturing sector program can be found here: https://nccoe.nist.gov/projects/use_cases/manufacturing. SUPPLEMENTARY INFORMATION: Background: The NCCoE, part of NIST, is a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services. Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector. The full Capabilities Assessment for Securing Manufacturing Industrial Control Systems use case can be viewed here: https://nccoe.nist.gov/projects/use_cases/capabilities-assessment-securing-manufacturing-industrial-control-systems. Interested parties should contact NIST using the information provided in the FOR FURTHER INFORMATION CONTACT section of this notice. NIST will then provide each interested party with a letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the use case objective or requirements identified below. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out this use case. However, there may be continuing opportunities to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in [[Page 14880]] furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation. Capabilities Assessment for Securing Manufacturing Industrial Control Systems Objective: This is the first of a four-part series designed to provide businesses with the information they need to establish an anomaly detection and prevention capability in their own environments. This project will be using commercially available hardware/software deployed on an established lab infrastructure. The goal of this project is to provide businesses with a cybersecurity example solution that can be implemented or that can inform improved cybersecurity in their manufacturing processes. Implementing behavioral anomaly detection tools provides a key security component in sustaining business operations, particularly those based on Industrial Control Systems (ICS). One of the ways to disrupt operations is to introduce anomalous data into a manufacturing process, whether deliberately or inadvertently. Although the example solution will focus on cybersecurity, our example solution may also produce residual benefit to manufacturers for detecting anomalous conditions not related to security. A detailed description of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems Project is available at https://nccoe.nist.gov/projects/use_cases/capabilities-assessment-securing-manufacturing-industrial-control-systems. Requirements: Each responding organization's letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in the High-Level Architectures section of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems use case (for reference, please see the link in the Process section above) and include, but are not limited to:ICS behavioral anomaly detection tools. Human Machine Interfaces (HMIs). Programmable Logic Controllers (PLCs). Security Information and Event Management (SIEM) platform. Each responding organization's letter of interest should identify how their products address one or more of the following desired solution characteristics in the High-Level Architectures section of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems use case (for reference, please see the link in the Process section above): Detection of anomalous conditions. Process and/or device damage prevention. SIEM-based alerting/alarming capability. In their letters of interest, responding organizations need to understand and commit to provide: 1. Access for all participants' project teams to component interfaces and the organization's experts necessary to make functional connections among security platform components; and 2. Support for development and demonstration of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector use case in NCCoE facilities, which will be conducted in a manner consistent with Federal requirements (e.g., FIPS 200, FIPS 201, SP 800-53, and SP 800-63). Additional details about the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector use case are available at: https://nccoe.nist.gov/projects/use_cases/capabilities-assessment-securing-manufacturing-industrial-control-systems. NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector capability. Prospective participants' contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set-up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations to the manufacturing community. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector use case. These descriptions will be public information. Under the terms of the consortium CRADA, NIST will support development of interfaces among participants' products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities. The dates of the demonstration of the Capabilities Assessment for Securing Manufacturing Industrial Control Systems for the Manufacturing sector capability will be announced on the NCCoE Web site at least two weeks in advance at http://nccoe.nist.gov/. The expected outcome of the demonstration is to improve security to manufacturing environments that employ the use of ICS, and subsequent adoption of behavioral anomaly detection tools by industry. Participating organizations will benefit from the knowledge that their products are interoperable with other participants' offerings. For additional information on NCCoE governance, business processes, and operational structure, visit the NCCoE Web site http://nccoe.nist.gov/. Kevin Kimball, NIST Chief of Staff. [FR Doc. 2017-05759 Filed 3-22-17; 8:45 am] BILLING CODE 3510-13-P
![Federal Register / Vol. 82, No. 55 / Thursday, March 23, 2017 / Notices 14879
Dated: March 20, 2017. invites organizations to provide Background: The NCCoE, part of
Ronald K. Lorentzen, products and technical expertise to NIST, is a public-private collaboration
Acting Assistant Secretary for Enforcement support and demonstrate security for accelerating the widespread
and Compliance. platforms for the Capabilities adoption of integrated cybersecurity
Assessment for Securing Manufacturing tools and technologies. The NCCoE
Appendix—Issues and Decision
Industrial Control Systems. This notice brings together experts from industry,
Memorandum
is the initial step for the National government, and academia under one
I. Summary Cybersecurity Center of Excellence roof to develop practical, interoperable
II. Background (NCCoE) in collaborating with cybersecurity approaches that address
III. Period of Investigation technology companies to address the real-world needs of complex
IV. Scope of the Investigation cybersecurity challenges identified Information Technology (IT) systems.
V. Scope Comments
VI. Changes Since the Preliminary
under the Manufacturing sector By accelerating dissemination and use
Determination program. Participation in the of these integrated tools and
VII. List of Issues Capabilities Assessment for Securing technologies for protecting IT assets, the
VIII. Discussion of Comments Manufacturing Industrial Control NCCoE will enhance trust in U.S. IT
General Issues: Systems use case is open to all communications, data, and storage
Comment 1: Selection of Surrogate Country interested organizations. systems; reduce risk for companies and
Comment 2: Selection of Surrogate Final DATES: Interested parties must contact individuals using IT systems; and
Ratios and Use of CYDSA’s Financial encourage development of innovative,
NIST to request a letter of interest
Statement job-creating cybersecurity products and
Comment 3: Treatment of Joint Product template to be completed and submitted
Comment 4: Treatment of Water to NIST. Letters of interest will be services.
Comment 5: Net Versus Gross Weight accepted on a first come, first served Process: NIST is soliciting responses
Comment 6: Surrogate Value for Marine basis. Collaborative activities will from all sources of relevant security
Insurance commence as soon as enough completed capabilities (see below) to enter into a
Comment 7: Recalculating Marine and signed letters of interest have been Cooperative Research and Development
Insurance by Using Gross Unit Price returned to address all the necessary Agreement (CRADA) to provide
Comment 8: Consideration of FOPs as components and capabilities of the products and technical expertise to
Overhead support and demonstrate security
project, but no earlier than April 24,
Comment 9: Partial Rejection of platforms for the Capabilities
Petitioner’s SV Submissions 2017. When the use case has been
completed, NIST will post a notice on Assessment for Securing Manufacturing
Comment 10: Selection of Voluntary
Respondent the NCCoE Manufacturing sector Industrial Control Systems for the
Comment 11: Surrogate Value for Ocean program Web site at https:// Manufacturing sector. The full
Freight nccoe.nist.gov/projects/use_cases/ Capabilities Assessment for Securing
Comment 12: Converting Expense for manufacturing announcing the Manufacturing Industrial Control
INVCARU completion of the use case and Systems use case can be viewed here:
Comment 13: Surrogate Value for PCl3 https://nccoe.nist.gov/projects/use_
informing the public that it will no
Comment 14: Adjustment of Import cases/capabilities-assessment-securing-
Statistics longer accept letters of interest for the
Capabilities Assessment for Securing manufacturing-industrial-control-
Company-Specific Issues: Taihe
Manufacturing Industrial Control systems.
Comment 15: Taihe’s Movement Expenses
Company-Specific Issues: WW Group Systems use case. Interested parties should contact NIST
Comment 16: Conversion Calculation for using the information provided in the
ADDRESSES: The NCCoE is located at
Water Surrogate Value FOR FURTHER INFORMATION CONTACT
9700 Great Seneca Highway, Rockville,
Comment 17: Adjustment of Irrecoverable section of this notice. NIST will then
MD 20850. Letters of interest must be
VAT provide each interested party with a
IX. Conclusion submitted to manufacturing_nccoe@
letter of interest template, which the
nist.gov, or via hardcopy to National
[FR Doc. 2017–05805 Filed 3–22–17; 8:45 am] party must complete, certify that it is
Institute of Standards and Technology, accurate, and submit to NIST. NIST will
BILLING CODE 3510–DS–P
NCCoE; 9700 Great Seneca Highway, contact interested parties if there are
Rockville, MD 20850. Organizations questions regarding the responsiveness
whose letters of interest are accepted in of the letters of interest to the use case
DEPARTMENT OF COMMERCE
accordance with the process set forth in objective or requirements identified
National Institute of Standards and the SUPPLEMENTARY INFORMATION section below. NIST will select participants
Technology of this notice will be asked to sign a who have submitted complete letters of
Cooperative Research and Development interest on a first come, first served
[Docket No.: 170221188–7188–01] Agreement (CRADA) with NIST. A basis within each category of product
RIN 0693–XC072 CRADA template can be found at: components or capabilities listed below
https://nccoe.nist.gov/library/nccoe- up to the number of participants in each
National Cybersecurity Center of consortium-crada-example. category necessary to carry out this use
Excellence (NCCoE) Capabilities FOR FURTHER INFORMATION CONTACT: Jim case. However, there may be continuing
Assessment for Securing McCarthy via email at James.McCarthy@ opportunities to participate even after
Manufacturing Industrial Control nist.gov; by telephone at 301–975–0228; initial activity commences. Selected
Systems for the Manufacturing Sector or by mail to National Institute of
sradovich on DSK3GMQ082PROD with NOTICES
participants will be required to enter
AGENCY: National Institute of Standards Standards and Technology, NCCoE, into a consortium CRADA with NIST
and Technology, Department of 9700 Great Seneca Highway, Rockville, (for reference, see ADDRESSES section
Commerce. MD 20850. Additional details about the above). NIST published a notice in the
Manufacturing sector program can be Federal Register on October 19, 2012
ACTION: Notice.
found here: https://nccoe.nist.gov/ (77 FR 64314) inviting U.S. companies
SUMMARY: The National Institute of projects/use_cases/manufacturing. to enter into National Cybersecurity
Standards and Technology (NIST) SUPPLEMENTARY INFORMATION: Excellence Partnerships (NCEPs) in
VerDate Sep<11>2014 17:13 Mar 22, 2017 Jkt 241001 PO 00000 Frm 00015 Fmt 4703 Sfmt 4703 E:\FR\FM\23MRN1.SGM 23MRN1](https://thefederalregister.org/doc/82_FR_14934/page/1.svg)
![14880 Federal Register / Vol. 82, No. 55 / Thursday, March 23, 2017 / Notices
furtherance of the NCCoE. For this Architectures section of the Capabilities Industrial Control Systems for the
demonstration project, NCEP partners Assessment for Securing Manufacturing Manufacturing sector use case. These
will not be given priority for Industrial Control Systems use case (for descriptions will be public information.
participation. reference, please see the link in the Under the terms of the consortium
Capabilities Assessment for Securing Process section above): CRADA, NIST will support
Manufacturing Industrial Control • Detection of anomalous conditions. development of interfaces among
Systems Objective: This is the first of a • Process and/or device damage participants’ products by providing IT
four-part series designed to provide prevention. infrastructure, laboratory facilities,
businesses with the information they • SIEM-based alerting/alarming office facilities, collaboration facilities,
need to establish an anomaly detection capability. and staff support to component
and prevention capability in their own In their letters of interest, responding composition, security platform
environments. This project will be using organizations need to understand and documentation, and demonstration
commercially available hardware/ commit to provide: activities.
software deployed on an established lab 1. Access for all participants’ project The dates of the demonstration of the
infrastructure. The goal of this project is teams to component interfaces and the Capabilities Assessment for Securing
to provide businesses with a organization’s experts necessary to make Manufacturing Industrial Control
cybersecurity example solution that can functional connections among security Systems for the Manufacturing sector
be implemented or that can inform platform components; and capability will be announced on the
improved cybersecurity in their 2. Support for development and
NCCoE Web site at least two weeks in
manufacturing processes. Implementing demonstration of the Capabilities
advance at http://nccoe.nist.gov/. The
behavioral anomaly detection tools Assessment for Securing Manufacturing
expected outcome of the demonstration
provides a key security component in Industrial Control Systems for the
is to improve security to manufacturing
sustaining business operations, Manufacturing sector use case in NCCoE
environments that employ the use of
particularly those based on Industrial facilities, which will be conducted in a
manner consistent with Federal ICS, and subsequent adoption of
Control Systems (ICS). One of the ways behavioral anomaly detection tools by
to disrupt operations is to introduce requirements (e.g., FIPS 200, FIPS 201,
SP 800–53, and SP 800–63). industry. Participating organizations
anomalous data into a manufacturing will benefit from the knowledge that
process, whether deliberately or Additional details about the
Capabilities Assessment for Securing their products are interoperable with
inadvertently. Although the example other participants’ offerings.
Manufacturing Industrial Control
solution will focus on cybersecurity, our For additional information on NCCoE
Systems for the Manufacturing sector
example solution may also produce governance, business processes, and
use case are available at: https://
residual benefit to manufacturers for operational structure, visit the NCCoE
nccoe.nist.gov/projects/use_cases/
detecting anomalous conditions not Web site http://nccoe.nist.gov/.
capabilities-assessment-securing-
related to security. A detailed
manufacturing-industrial-control- Kevin Kimball,
description of the Capabilities
systems. NIST cannot guarantee that all NIST Chief of Staff.
Assessment for Securing Manufacturing
of the products proposed by
Industrial Control Systems Project is [FR Doc. 2017–05759 Filed 3–22–17; 8:45 am]
respondents will be used in the
available at https://nccoe.nist.gov/ BILLING CODE 3510–13–P
demonstration. Each prospective
projects/use_cases/capabilities-
participant will be expected to work
assessment-securing-manufacturing-
collaboratively with NIST staff and DEPARTMENT OF COMMERCE
industrial-control-systems.
Requirements: Each responding other project participants under the
organization’s letter of interest should terms of the consortium CRADA in the National Oceanic and Atmospheric
identify which security platform development of the Capabilities Administration
component(s) or capability(ies) it is Assessment for Securing Manufacturing
RIN 0648–XF308
offering. Letters of interest should not Industrial Control Systems for the
include company proprietary Manufacturing sector capability. Mid-Atlantic Fishery Management
information, and all components and Prospective participants’ contribution to Council (MAFMC); Public Meeting
capabilities must be commercially the collaborative effort will include
assistance in establishing the necessary AGENCY: National Marine Fisheries
available. Components are listed in the
interface functionality, connection and Service (NMFS), National Oceanic and
High-Level Architectures section of the
set-up capabilities and procedures, Atmospheric Administration (NOAA),
Capabilities Assessment for Securing
demonstration harnesses, environmental Commerce.
Manufacturing Industrial Control
Systems use case (for reference, please and safety conditions for use, integrated ACTION: Notice of a public meeting.
see the link in the Process section platform user instructions, and
demonstration plans and scripts SUMMARY: The Mid-Atlantic Fishery
above) and include, but are not limited Management Council (Council) will
to: necessary to demonstrate the desired
capabilities. Each participant will train hold public meetings of the Council and
• ICS behavioral anomaly detection its Committees.
tools. NIST personnel, as necessary, to operate
• Human Machine Interfaces (HMIs). its product in capability demonstrations DATES: The meetings will be held on
• Programmable Logic Controllers to the manufacturing community. Tuesday, April 11 through Thursday,
Following successful demonstrations, April 13, 2017. For agenda details, see
sradovich on DSK3GMQ082PROD with NOTICES
(PLCs).
• Security Information and Event NIST will publish a description of the SUPPLEMENTARY INFORMATION.
Management (SIEM) platform. security platform and its performance ADDRESSES: The meetings will be held at
Each responding organization’s letter characteristics sufficient to permit other the Icona Golden Inn, 7849 Dune Drive,
of interest should identify how their organizations to develop and deploy Avalon, NJ 08202; telephone: (609) 368–
products address one or more of the security platforms that meet the security 5155.
following desired solution objectives of the Capabilities Council address: Mid-Atlantic Fishery
characteristics in the High-Level Assessment for Securing Manufacturing Management Council, 800 N. State
VerDate Sep<11>2014 17:13 Mar 22, 2017 Jkt 241001 PO 00000 Frm 00016 Fmt 4703 Sfmt 4703 E:\FR\FM\23MRN1.SGM 23MRN1](https://thefederalregister.org/doc/82_FR_14934/page/2.svg)
Document Created: 2017-03-23 02:46:00
Document Modified: 2017-03-23 02:46:00
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice. | |
| Dates | Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and | |
| Contact | Jim McCarthy via email at [email protected]; by telephone at 301-975-0228; or by mail to National Institute of Standards and Technology, NCCoE, 9700 Great Seneca Highway, Rockville, MD 20850. Additional details about the Manufacturing sector program can be found here: https://nccoe.nist.gov/ projects/use_cases/manufacturing. | |
| FR Citation | 82 FR 14879 | |
| RIN Number | 0693-XC07 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR