Architecture and Engineering Services

Cybernet experts develop your design build projects

Cybernet Systems provides services in three areas of the overarching category of Architecture & Engineering Cybersecurity Services (A&E) to assist government agencies in obtaining and maintaining cybersecurity compliance and Authorizations to Operate (ATOs): Design-Build Request for Proposals, Design-Bid-Build projects, and Design-Build projects.

The ultimate purpose of the work is to clearly define the cybersecurity requirements and process in order to allow the Government to obtain an Authorization to Operate (ATO) for the Facility-Related Control Systems (FRCS) prior to the Beneficial Occupancy Date (BOD) of the facility.  Cybernet has aided our clients in obtaining over 60 ATOs using the Risk Management Framework (RMF).

Where do you start?

Just as government agencies build their physical infrastructure, they also must consider the importance of their cybersecurity infrastructure.  Design Build Requests for Proposal (BD-RFP) language must be clear, concise, and meet the objectives of the project. A wide variety of our clients have benefited from Cybernet’s Risk Management Framework (RMF) experts.

The Cybernet team:

  • Develops the language for the RFP

  • Sets up the overarching requirements for the cybersecurity design*
  • Includes general cybersecurity requirements, facility requirements, and source reference documents.

*May include some cybersecurity infrastructure design.

Who Does Cybernet Work With?

Cybernet works closely with the Design Builder, the Government and associated agencies, the vendors, and the site Information Systems Security Officer/Manager (ISSO/ISSM) as well as current UFC, UFGS, and other relevant standards to work through the needed process to acquire the information and content to include into the RFP.

Finding Your Right Solution

The Design Build-RFP 0%-50% Solution

This stage of the RFP speaks to general requirements for cybersecurity.

This includes:

  • Notable documents to be used as reference
  • A process for Government acceptance of cybersecurity documents, scanning, assessment, and hardening of systems
  • The process for attaining an Authority to Connect (ATC) if needed for systems
  • RMF process and the documents to be generated for an ATO or ATC, best practices, and allowable hardware and software per current Government oversight.

The individual FRCS are given initial Confidentiality, Integrity, and Availability (CIA) impact ratings at this time and included in the RFP.

In some cases, Cybernet will also perform a 35% Design solution (which varies with project needs) as part of DB-RFP efforts

*More information on the 35% Design Services is in the DBB section.  Design services typically do not exceed 35% on these project types.

The Design Build-RFP 50%-100% Solution

At this point, the RFP offers more specific requirements that include:

  • Individual FRCS are added, citing procedure, process, reference documents, and any additional information required by the Government.
  • Language and content are adjusted, added, or removed as required through review with the Government.

Typically, there is no further design as part of the project, but design can be added as needed for any project.

Compliance Standards
That Need This Type of Service:

  • Design Build Request for Proposal (DB-RFP)

  • Design-Bid-Build (DBB)

  • Design-Build (DB)

The Cybernet team is primed to tackle the hard tasks when solving system integration, and our past 10 years of experience shows our proven success.

The Next Step

Get connected with a Cybernet team member.

Download our most recent Capability Statement.

View our resources page.

It’s Time to Design

Working closely with the designer, the government, associated agencies, and the site ISSO/ISSM, Cybernet facilitates the process to acquire information needed for Design-Bid-Build (DBB) Project stages.

The Cybernet team:

  • Facilitates information development for cybersecurity infrastructure with stakeholders and subject matter experts
  • Defines required security protocols and documentation for system protection

  • Supports design – beginning through completion.
  • Follows Unified Facilities Criteria and other government requirements.

Design-Bid-Build Stages

Design-Bid-Build stages follow the guidance set forth in the Unified Facilities Criteria (UFC) 4-010-06.  Cybernet breaks the stages of design into multiple stages, fully customizable to the project:

  • 20%, 35%
  • Revised 35%, 65%, 100%
  • 100% and Corrected Final deliverables.

The deliverables in these incremental stages map onto the UFC 4-010-06. These stages and their content can be customized to fit the project.

At 20%:

  • FRCS CIA levels are determined through Government requirement, or designed in accordance with the UFC 04-010-06: 5-level control system architecture
  • Defense Health Agency (DHA) RMF Categorization Memorandum for Record (MFR): Security Categorization for Facility-Related Control Systems (FRCS) and the DOD Chief Information Officer’s MFR:  Distribution of Facility-Related Control Systems (FRCS) Master list

  • Employs a supplied or deduced Mission Criticality rating

  • A Design Narrative, also called a Basis of Design (BoD) is also constructed outlining the entire design process.

At 35%:

  • Adds in controls (or CCIs) for each FRCS given the CIA rating for that system.  These controls are tailored for each FRCS and define security actions that a system owner must ensure are taken to harden the system against compromise.

At 65%:

  • Introduces any needed diagrams and the Division 25 specification sections: 25 5 11, 25 8 10, 25 10 10, and 25 8 11.00 20.  These specifications define the requirements that will have to be met to obtain an ATO, as well as any RMF deliverables and artifacts that will be required as part of that process.

At 100%:

  • Corrected Final stages provide updated information to the previous submittals.

Your trust partner in design build

Cybernet professionals are your trusted partners from foundational design to construction to assessments in your Design Build (BD) projects.

The Cybernet team:

  • Supports cybersecurity design from foundation through construction and assessment

  • Defines and develops security criteria
  • Delivers all required documentation for compliance
  • Conducts all required assessments

Design-Build Stages

The DB project timeline follows much the same track as the DBB projects do, however, there is also additional RMF documentation that is required as set forth in the Division 25 specifications in the 65% design stage.  There is also additional RMF documentation required in the construction and outfitting stage, as well as assessment activities.

At 35%:

  • The DB project requires some of the early RMF documents that are not directly tied to information generated at later stages of design.

  • These may include:

    • the Device Account Lock Exception Request
    • Wireless Communication Request
    • Multiple IP/OT Connection Device Request
    • Cybersecurity Interconnection Schedule RMF documents.


At 100%:

  • This project type requires the Contractor Computer Cybersecurity Compliance Statements, Contractor Temporary Network Cybersecurity Compliance Statements, and the System Security Plan (SSP) RMF documents to help stage the project for the construction phase.

Readying for the Construction Phase

During the construction phase, the rest of the RMF documentation is completed to obtain an ATO for each FRCS. Cybernet can assist with all this documentation, including:

  • Cybersecurity Riser Diagram
  • Vendor Risk Assessment Report
  • Detailed Inventory Report
  • FRCS Hardware and Software Maintenance Tools
  • Information Flows/Paths Diagram
  • Network Communication Report
  • Network IP Plan
  • Password Summary Report
  • Software Licenses
  • Software Recovery and Reconstitution Images

  • STIG and SRG selection report

  • System Authorization Boundary Diagram

  • System Enterprise and Information Security Architecture

  • System Level Configuration Management Plan
  • System Level Contingency Plan
  • System Level Continuous Monitoring Plan
  • System Level Incident Response Plan
  • User Interface Banner Schedule
  • Wireless Communication Test Report

The final stage

Cybernet assists with every aspect of the final process. Cybernet conducts both automated ACAS and SCAP assessments of the FRCS, as well as manual assessment when the FRCS cannot be assessed through an automated scanner.  Reports of vulnerabilities that are discovered are shared with vendors, allowing them to harden their systems.

This process is typically repeated multiple times to ensure the FRCS have been hardened to requirements and all documentation has been submitted for the RMF ATO process.

Partners and Past Performance

Cybernet has supported and continues to support DoD and government agencies to ensure the government’s, system owner’s and facility cybersecurity requirements are compliant.

Past Performance

  • Navy NAVFAC SE, SW, NW, NE, Mid-Atlantic
  • Defense Health Agency
  • Medical Facilities Program Office (MFPO)
  • Naval Information Warfare Center (NIWC)
  • Marine Corps
  • Veterans Affairs (VA/the VA)
  • Government agencies to ensure the Government’s, System Owner’s, and facility cybersecurity requirements are compliant.

Future Projects