CECW-CO
DEPARTMENT OF THE ARMY
U. S. Army Corps of Engineers
Washington, D.C. 20314-1000
ER 25-1-113
Regulation
No. 25-1-113 31 January 2019
Engineering and Design
USACE CRITICAL INFRASTRUCTURE CYBERSECURITY
MANDATORY CENTER OF EXPERTISE
1. Purpose. This regulation establishes policies, roles, and responsibilities for the U.S Army
Corps of Engineers (USACE) Critical Infrastructure Cybersecurity Mandatory Center of
Expertise (UCIC-MCX) to assure that new and existing projects and facilities with control
systems that are owned and operated by USACE are secured and authorized according to
applicable Department of Defense and Army regulations. The center serves to protect
control systems and enable the systems to obtain an Authority to Operate (ATO). It also
establishes the mandatory functions of the UCIC-MCX that major subordinate commands
(MSCs) will utilize to advance the security of USACE control systems. This regulation
officially renames the Critical Infrastructure Cybersecurity Center of Expertise (CICSCX) to
the UCIC-MCX.
2. Applicability. This regulation applies to all USACE MSC’s, districts, centers,
laboratories, and Field Operating Activities (FOAs) that: a) own and operate control systems
across all business lines and mission areas, or b) design Civil Works control systems, or c)
design any other control systems that will be owned and operated by USACE.
This regulation applies to the cybersecurity of control systems as defined in Appendix D of
this regulation and categorized as one of the following:
a. National Critical Infrastructure Control Systems which include but are not limited to:
(1) Hydropower Control Systems
(2) Water Management Control Systems
(3) Navigation Control Systems
(4) Flood Risk Management Control Systems
(5) Dam Safety Control Systems
(6) Water Supply Control Systems
(7) Environmental Stewardship Control System
(8) Marine Traffic Control System
(9) Auxiliary Hydropower Control System
b. Other Control Systems which include but are not limited to:
ER 25-1-113 •31 January 2019
