SECURITY OBJECTIVES
(CT:CSG-2; 07-02-2025)
(Office of Origin: DS/CTS/TIE)
19 FAM 701.3-1 Organizational Responsibilities
(CT:CSG-2; 07-02-2025)
a. The Department is responsible for the following:
(1) Identifying, inventorying, and accrediting all OT in use;
(2) Mitigating, assessing, and monitoring known cybersecurity risks to identified OT;
(3) Ensuring all contract vehicles include mandatory cybersecurity terms as directed by A/OPE policies for any OT role, service, and/or product;
(4) Procuring, shipping, documenting, and introducing OT into Post consistent with Department cyber-supply chain risk management (C-SCRM) policy;
(5) Planning, developing, and using OT consistent with Department’s Artificial Intelligence (AI) policy, 20 FAM 200; and
(6) Meeting regulatory OT cybersecurity requirements.
b. System owners for all OT are responsible for implementing the following security objectives:
(1) Restricting logical access to the OT’s network, network activity, and devices:
(a) OT’s use of wireless capabilities must be consistent with applicable policies e.g., 12 FAH-10, 12 FAH-6;
(b) Any logical connectivity between different OT and/or IT systems is prohibited unless included within the ATO (Authorization To Operate) scope of the OT system; and
(c) Prior to converting standalone OT to non-standalone OT, all requirements detailed in the OT system-specific standard must be implemented and assessed.
(2) Restrict physical access to the OT’s network and devices:
(a) Only authorized individuals, as defined in the system-specific security standard, shall access designated OT components;
(b) OT components located in a Limited Access Area (LAA), or CAA must follow applicable physical security criteria, as detailed in 12 FAH-5 H-450, and installation requirements located in 12 FAH-6 H-315 and 12 FAH-6 H-631;
(c) Physical access to designated OT components by individuals not authorized must be escorted and documented;
(d) Maintain and document an OT security training program to ensure all personnel fulfilling a designated OT role (e.g. OTSO, administrator, operator) are properly trained; and
(e) Ensure all personnel performing installations and maintenance on OT components meet the requirements of the OT-specific security standard, and other applicable standards.
(3) Protect OT components from exploitation:
(a) Ensure all manufacturer reported vulnerabilities are addressed in a timely manner; and
(b) OT components must:
(i) Use configuration control board-approved hardware, firmware, and software. The system-specific security guide shall provide guidance for how tools are tracked, logged, and reported;
(ii) Not be removed from Department control nor used outside of a Department facility, unless following procedures defined in the system-specific standard; and
(iii) Be serviced with configuration control board-approved Department or contractor-owned diagnostics and maintenance hardware/software. Use of emergency hardware/software will be addressed on a case-by-case basis in coordination with the responsible OTSO.
(4) Detect security events and incidents:
(a) An incident response plan is in place; current and tested as defined in the system-specific standard;
(b) Ensure all OT security logs are stored and periodically reviewed by the OTSO commensurate with the risks identified during the accreditation process; and
(c) All OT operators and/or administrators must report any suspected or confirmed security incidents to Post’s OTSO, RSO, and the Cyber Incident Response Team (cirt@state.gov).
(5) Maintain functionality during adverse conditions:
Must have contingency operations in place, tested and documented, i.e., business continuity plan (BCP), including, but not limited to, the following:
(i) All OT shall allow for graceful degradation, i.e., backup power; and
(ii) All OT must have redundancy commensurate with the risks identified during the accreditation process.
(6) Restore and recover the system after a failure/incident:
Develop a recovery and restoration capability, including, but not limited to, the following:
(i) Define recovery objectives when recovering from disruptions;
(ii) Develop a site disaster recovery plan (DRP) to prepare all OT stakeholders to respond appropriately to significant disruptions in their operations;
(ii) Establish backup components and processes to ensure relevant OT’s state, data, configuration files, and programs are available to support recovery to a stable state;
(iii)Establish recovery processes and procedures that will be executed to restore OT components and services affected by cybersecurity incidents;
(iv) Establish communication plans to coordinate restoration activities with internal and external stakeholders and the executive management team; and
(v) Test these plans at reasonable intervals as defined by the applicable system-specific standard.
c. The following governance practices must be established and maintained to support this policy:
(1) System owners must support the development and implementation of applicable system-specific standards;
(2) All OT systems must pursue and maintain an Authority to Operate (ATO), issued by DT/CO/AA during the Assessment & Authorization process;
(3) All data is processed at or below the authorized level of classification for the system (i.e. Sensitive But Unclassified (SBU), Secret);
(4) Independent assessments are performed on all production OT at the frequency defined in the system-specific standard and reported findings resolved in a timely manner;
(5) An Operational Technology Executive Steering Committee (OTESC) meets periodically to provide OT oversight of this policy, review and approve future security policies and standards, and directs risk decisions concerning the protection of Department OT:
(a) This governance body consists of executive membership from all Bureaus who serve as owners of OT or provide OT security program support;
(b) Membership, scope, and operational details are defined in the OTESC Charter; and
(c) The OTESC may create working groups to address subsets of OT security challenges or seek help from OT subject matter experts to advise on the future direction of the use and protection of OT within the Department.