Cybersecurity Now Defines How DOD Facilities Are Designed and Delivered

In December 2024, the Department of Defense (DOD) issued Change 4 to the Unified Facilities Criteria (UFC) 1-200-01, which governs DOD building codes. While many UFC updates focus on structural and environmental design, Change 4 represents a significant shift, elevating cybersecurity as a core design requirement.

Cybersecurity is no longer a secondary concern for facility-related control systems. The revised UFC reflects a broader cultural shift, embedding cyber resilience into the foundation of facility planning, design and operation. As digital and physical threats converge, resilient infrastructure must address both.

For many cybersecurity professionals, this update is less a change and more a long-awaited validation.

What’s New With Change 4

• Cybersecurity is now embedded in the design process. Change 4 formalizes that cybersecurity must be considered during planning, design, construction and sustainment — not added later. Design, development and operations teams are responsible for integrating cyber resilience from project concept through decommissioning.
• Accountability spans all disciplines. Change 4 brings engineers, architects, cybersecurity professionals and project managers into alignment, holding each discipline accountable for integrating cybersecurity into its workflow.
• Enhanced accountability. Cybersecurity features are treated as defined and deliberate deliverables, not discretionary features or afterthoughts.
• Stronger alignment with related guidance. Change 4 brings UFC 1-200-01 into closer alignment with:
  • UFC 4-010-06, the criteria for Cybersecurity of Facility-Related Control Systems (FRCS).
  • DoDI 8510.01, the Risk Management Framework (RMF) for DOD information technology.
  • NIST SP 800-82, the Guide to Industrial Control Systems (ICS) Security.

Cybersecurity in the Blueprint

Design-stage cybersecurity is not a new concept, but it is now a formal expectation. Many professional associations and companies have long advocated for building cybersecurity into the foundation of facilities from the outset, starting with scoping meetings and continuing through cyber commissioning.

Change 4 helps solidify that approach. It affirms cybersecurity as a design discipline, not just an operational function. When security is integrated early, outcomes improve — and collaboration across disciplines becomes a force multiplier.

Beyond DOD: Implications for Critical Infrastructure

While this update applies to DOD projects, its message reaches far beyond military facilities. Critical infrastructure sectors — including power, water, transmission and distribution, and transportation — can take valuable lessons from this update.

Take the power industry, for example. While North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards govern cybersecurity for the bulk electric system, these standards tend to focus heavily on compliance checklists rather than design-level resilience.

Change 4 serves as a timely reminder that whether the project is a substation, a smart building or a forward-operating base, cybersecurity must be part of the architecture, not just layered on top.

For Cyber Teams: Take the Green Light

Change 4 gives cybersecurity professionals a clear mandate to act. Key actions to prioritize include:

• Engage early and often in facility design reviews.
• Coordinate across disciplines and with facility owners.
• Lead facility-related control systems (FRCS) classification and risk management framework (RMF) processes.
• Deliver cyber commissioning as a core part of project closeout.

These steps support the desired outcome: a more resilient facility, fewer surprises during accreditation and a coordinated security posture.

Change 4 confirms what many have been saying for years: Cybersecurity is no longer optional. It’s not auxiliary. It’s not an afterthought. It’s mission-critical.

For those already embedding cybersecurity into the foundation of infrastructure, this update signals that the industry is catching up. And for others, it provides a clear directive: The future of secure facilities starts during the design phase.

Cyberthreats targeting critical infrastructure are becoming more frequent, more complex and harder to manage, especially with limited in-house resources. To align with Change 4 and incorporate cybersecurity into the design phase for critical infrastructure projects, consider a tailored approach built to protect operations and keep essential systems online.