National Park Service (NPS) Requirements
Cybersecurity of Building Automation and Control Systems Within NPS Facilities
Associated Chief Information Officer (ACIO) Policy Number: ACIO-2020-002
begin excerpt
"4. AUDIENCE
The audience for this policy includes all NPS organizations, officials, and employees. The audience for this policy is also contractors or grantees and others operating on behalf of the NPS, as described below. Examples of these types of information technology systems that help with managing, automating, and controlling buildings include but are not limited to the following:
- Advanced Metering Infrastructure.
- Closed-Circuit Television (CCTV) Surveillance Systems.
- CO2 Monitoring.
- Digital Signage Systems.
- Digital Video Management Systems.
- Electronic Security Systems.
- Emergency Management Systems.
- Energy Management Systems.
- Exterior Lighting Control Systems.
- Fire Alarm Systems.
- Fire Sprinkler Systems.
- Heating, Ventilation, and Air-Conditioning (HVAC).
- Interior Lighting Control Systems.
- Intrusion Detection Systems.
- Laboratory Instrument Control Systems.
- Laboratory Information Management Systems (LIMS).
- Physical Access Control Systems.
- Plumbing.
- Public Safety/Land Mobile Radios.
- Renewable Energy Geothermal Systems.
- Renewable Energy Photo Voltaic Systems.
- Shade Control Systems.
- Smoke and Purge Systems.
- Vertical Transport System (Elevators & Escalators).
5. AUTHORITY
Federal Information Security Modernization Act of 2014 and the Federal Information Technology Acquisition Reform Act.
6. POLICY
It is the policy of the NPS to manage the cybersecurity of NPS Facilities as follows:
- Identify – Identify any systems in use that you are responsible for managing.
- Patch – Apply all available patches to your systems in order to mitigate any known vulnerability.
- Access – limit access and administrative privilege to only those people who need it. Access should always be in person and not remotely over the network.
- Software – limit software on the system to only that software which is required to run the system.
- Internet – Access to the internet should be cut off or extremely limited.
- Physical Access – Physical access should be limited to only those who have a need to access. Physical access tools such as locks, card readers, or guards should be used.
- Auditing – Regularly reviewing audit logs can help identify security events.
- Incident response – any suspected incident must be reported to NPS_CSIRT_Team@nps.gov
7. ROLES AND RESPONSIBILITIES
NPS Chief Information Officer - Consistent with 40 U.S.C. 11315(b), the CIO promotes to the agency head the effective, efficient, and secure use of IT to accomplish the agency's mission, the CIO serves as the primary strategic advisor to the agency head concerning the use of IT. Consistent with 40 U.S.C. 11319(b)(1)(A), the CIO has a significant role, including, as appropriate, as lead advisor, in all annual and multi-year planning, programming, budgeting, and execution decisions, as well as in all management, governance, and oversight processes related to IT.
Local IT Specialist – Responsible for identifying and securing any building automation and control systems under their purview.
Facility Management – Responsible for working with the local IT specialist to secure building automation and control systems under their purview."
end excerpt