The very first step of the RMF process is determining C-I-A ratings of each system. Step 1 is the responsibility of the base and it needs to be done before the design phase begins so that the C-I-A ratings will be available to the AE's. The initial rating can be taken from the FRCS Master List of C-I-A Ratings and an A4 Information Technology (IT) Categorization and Selection Checklist (ITCSC) needs to be completed and forwarded to AFCEC for approval. A4 Information Technology (IT) Categorization and Selection Checklist (ITCSC) v1.61 is the form used to categorize the system.

The Air Force Guidance Memorandum, Civil Engineer Control Systems Cybersecurity is USAF policy for incorporating cybersecurity of all Civil Engineer owned, operated and maintained FRCS. This USAF policy applies to all military, civilian and contractors under contract to the DoD and who develop, acquire, deliver, use, operate, manage and maintain FRCS. This mandatory document is used to supplement the UFGS 25 05 11 and UFC 4-010-06 with USAF Cybersecurity requirements.

The Civil Engineer (CE) Facility Related Control Systems (FRCS) Baseline Security Controls lists the minimum security controls that must be addressed for USAF projects. Other controls from the UFC 4-010-06 can be added as needed, but these controls are the AO/AODR's baseline for systems wanting to be granted an ATO.

These forms need to be submitted by the base using the AFCEC Design Review Tool. Any questions can be directed to the AFCEC/COOI ICS HELPDESK.