Cyber Security


Our Expertise

Increasingly, construction firms are expected to incorporate cybersecurity into the design, construction, and commissioning (Cx) processes of facilities and control systems projects. Government entities have released various Criteria, Special Publications, and Guide Specifications with which contractors must comply. In many instances, these cybersecurity requirements address the Risk Management Framework (RMF). H2L Solutions offers subject matter expertise in all areas of RMF compliance. RMF is a lifecycle process that incorporates standards used by federal agencies and the DoD community to make informed, risk-based decisions regarding security policies and controls. H2L Solutions can help your A&E firm at any stage of the project and ensure compliance with the latest DoD standards.


During the Design Phase of planned facilities, firms must begin to incorporate cybersecurity by designing and developing specifications to meet requirements of UFC 4-010-06, Cybersecurity of Facility-Related Control Systems. The goal of these efforts is to “bake security in” from the beginning—ultimately saving time, effort, and money by avoiding modifications during later stages.

    H2L tasks include:

  • Providing guidance on system categorization
  • Tailoring requirements of the UFGS 25 05 11 to each facility-related control system
  • Reviewing and providing comments prior to each Design Submittal (Concept, Development, Pre-Final, Final)
  • Selecting security controls based on distinctions between the Platform Enclave (standard IT) and Operational Architecture
  • Creating a Control Correlation Identifier (CCI) list, categorizing and identifying those requiring input from the designer
  • Developing templates and drafts of accreditation package components


The Construction Phase of planned facilities involves actual implementation of specifications and cybersecurity controls selected during the Design Phase. It also involves completion and submission of a number of documents required by the cyber commissioning (Cx) agent.

    H2L tasks include:

  • Implementing technical security controls that meet minimum baselines and necessary overlays
  • Securing hardware and software through implementation of applicable Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs)
  • Scanning using Security Content Automation Protocol (SCAP) and Assured Compliance Assessment Solution (ACAS)/Nessus
  • Completing FAT and SAT checklists for the systems
  • Developing a preliminary System Security Plan (SSP), Plan Of Action and Milestones (POA&M), and Security Audit Plan (SAP)


Cyber commissioning (Cx) is conducted by a third-party; it begins during project development and continues through Construction. The Cx process involves formal verification and documentation that the facility-related control system is designed, implemented, and functioning properly from a cybersecurity perspective.

    H2L tasks include:

  • Reviewing Owners Project Requirements and creating Cx Specification
  • Conducting reviews of Contractor’s Design and Construction submittals
  • Observing and documenting performance and functional testing
  • Verifying that cyber requirements follow the DoD’s Risk Management Framework (RMF) and the UFC 4-010-06
  • Confirming the system is installed and documented by Contractor as required by current specifications for cybersecurity and individual system types
  • Providing a Cx report with recommendations to mitigate vulnerabilities to a level that is acceptable to the System Owner (SO) and Authorizing Official (AO)