compliance

BAS Cybersecurity Hardening Acceptance Checklist

This BAS Cybersecurity Hardening Acceptance Checklist verifies the controls that should be in place before owner turnover: credentials, segmentation, firmware baseline, remote access, and acceptance records.

Fill it now — Free Get Started

Customize with AI → Live preview →

Trusted by frontline teams 15 years of frontline software AI customization in seconds

Built for: Commercial Real Estate · Healthcare Facilities · Higher Education · Industrial Facilities · Government Buildings

9:41

Inspections

1 Inspection Details and Scope

Project or site name recorded Type here…

BAS/BMS scope and covered systems identified Type here…

Owner turnover or acceptance date recorded 🕒 mm/dd/yyyy hh:mm

Inspector and responsible commissioning contact identified Type here…

2 Credential and Account Hardening

All vendor and factory default passwords changed !

✓ Yes ✗ No

Unique user accounts are used for administrative access !

✓ Yes ✗ No

Inactive, test, and temporary accounts removed or disabled

✓ Yes ✗ No

Password policy meets site minimum requirements ["choices", [{"la...

Administrative access is limited to authorized personnel

✓ Yes ✗ No

3 Network Segmentation and Architecture

BAS network is segmented from enterprise user networks !

✓ Yes ✗ No

Internet-facing BAS devices are prohibited or explicitly approved !

✓ Yes ✗ No

Firewall rules and allowed ports are documented

✓ Yes ✗ No

Remote vendor access traverses a controlled jump path !

✓ Yes ✗ No

Network diagram reflects current BAS topology

✓ Yes ✗ No

4 Firmware, Patch, and Device Baseline

Controller and server firmware versions documented Type here…

Installed firmware matches approved baseline !

✓ Yes ✗ No

Security patches and updates applied where supported ["choices", [{"la...

Default service ports and unused services disabled where feasible

✓ Yes ✗ No

Device backup or restore image captured !

✓ Yes ✗ No

5 Remote Access and Monitoring Controls

Remote access is disabled by default when not required !

✓ Yes ✗ No

Multi-factor authentication is enabled for remote access where supported ["choices", [{"la...

Remote access sessions are logged

✓ Yes ✗ No

Time synchronization is configured across BAS devices ["choices", [{"la...

Security alerts or abnormal access events are reviewed

✓ Yes ✗ No

6 Turnover Documentation and Acceptance

As-built cybersecurity documentation delivered !

✓ Yes ✗ No

Open deficiencies and non-conformances documented Type here…

Inspector signature completed

✏️

Tap to sign

Overview

This checklist is for accepting a building automation system or building management system after cybersecurity hardening has been completed. It is organized the way a commissioning or turnover review should happen: first confirm the site, scope, and responsible contacts; then verify account and password controls; then check network segmentation and remote access; then confirm firmware, patch, and device baseline; and finally close out documentation and acceptance.

Use it when a BAS is being handed from the integrator or commissioning team to the owner, or when a project requires proof that default credentials were removed, the network is segmented, and remote access is controlled. It is also useful when the owner wants a repeatable baseline for future audits or change management. The checklist is especially helpful where multiple vendors, gateways, or front-end servers are involved and the actual installed topology needs to be compared against the as-built record.

Do not use it as a substitute for a full enterprise cybersecurity program or a penetration test. It is an acceptance inspection, so it should focus on observable controls, documented exceptions, and clear deficiencies. If the BAS is still under active design, the checklist may be too early; if the site has no defined owner turnover or baseline documentation, start with a commissioning scope review first. The goal is to leave the reviewer with a signed record of what was verified, what was missing, and what must be corrected before acceptance.

Standards & compliance context

This checklist supports owner turnover controls commonly expected under general industry cybersecurity and facility risk management practices, including ANSI/ASSP-style program expectations.
For BAS environments that interface with life-safety or fire systems, verify that any connected components respect applicable NFPA code requirements and AHJ expectations.
Where the BAS supports industrial or process areas, align hardening and access control review with the site’s broader safety and operational risk program.
If the system includes foodservice or healthcare spaces, adapt the checklist to the facility’s internal compliance requirements and any relevant public health or accreditation expectations.
Use the checklist as an acceptance record, not as a substitute for vendor hardening guides, commissioning specifications, or the owner’s cybersecurity policy.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

What's inside this template

Inspection Details and Scope

This section establishes what system is being accepted, who owns the turnover, and who is responsible for verifying the controls.

Project or site name recorded (weight 1.0)
BAS/BMS scope and covered systems identified (weight 1.0)
Owner turnover or acceptance date recorded (weight 1.0)
Inspector and responsible commissioning contact identified (weight 1.0)

Credential and Account Hardening

This section confirms that access is no longer relying on factory defaults, shared logins, or leftover temporary accounts.

All vendor and factory default passwords changed (critical · weight 4.0)
Verify that no default passwords remain on controllers, servers, gateways, workstations, or network devices.
Unique user accounts are used for administrative access (critical · weight 3.0)
Shared administrative logins should not be used for routine BAS administration unless explicitly approved and documented.
Inactive, test, and temporary accounts removed or disabled (weight 3.0)
Confirm that accounts created for installation, testing, or factory support are disabled or removed before turnover.
Password policy meets site minimum requirements (weight 3.0)
Verify minimum length, complexity, and change requirements are documented and enforced where supported by the platform.
Administrative access is limited to authorized personnel (weight 2.0)
Confirm access lists are restricted to approved owner, integrator, and support personnel with a documented need.

Network Segmentation and Architecture

This section checks whether the BAS is isolated and documented well enough to limit lateral movement and unauthorized access.

BAS network is segmented from enterprise user networks (critical · weight 5.0)
Verify separation using VLANs, firewalls, ACLs, or equivalent controls.
Internet-facing BAS devices are prohibited or explicitly approved (critical · weight 4.0)
Confirm no BAS controllers, HMIs, or gateways are directly exposed to the internet unless formally approved and risk-assessed.
Firewall rules and allowed ports are documented (weight 4.0)
Verify that inbound and outbound rules supporting BAS communications are documented and limited to required services.
Remote vendor access traverses a controlled jump path (critical · weight 4.0)
Confirm remote support access uses an approved VPN, jump host, or secure gateway rather than direct device access.
Network diagram reflects current BAS topology (weight 3.0)
Verify the as-built network diagram shows controllers, servers, gateways, firewalls, and remote access points.

Firmware, Patch, and Device Baseline

This section verifies that the installed software and device state match the approved acceptance baseline.

Controller and server firmware versions documented (weight 4.0)
Record firmware or software versions for BAS servers, supervisory controllers, field controllers, gateways, and network appliances.
Installed firmware matches approved baseline (critical · weight 5.0)
Verify versions are at or above the approved project baseline and do not include known unsupported releases.
Security patches and updates applied where supported (weight 4.0)
Confirm available security updates have been applied or deferred with documented owner approval and risk acceptance.
Default service ports and unused services disabled where feasible (weight 3.0)
Confirm unnecessary services, ports, and protocols are disabled or blocked at the device or network layer.
Device backup or restore image captured (critical · weight 4.0)
Verify a current configuration backup or restore image exists for critical BAS servers and controllers.

Remote Access and Monitoring Controls

This section confirms that remote support is controlled, logged, time-synced, and reviewed for abnormal activity.

Remote access is disabled by default when not required (critical · weight 4.0)
Verify remote access pathways are closed or disabled unless actively needed and approved.
Multi-factor authentication is enabled for remote access where supported (weight 3.0)
Confirm MFA is enabled for VPN, remote desktop, cloud portals, or other remote access methods when available.
Remote access sessions are logged (weight 3.0)
Verify login events, session start/stop, and administrative actions are retained in system logs or SIEM forwarding where available.
Time synchronization is configured across BAS devices (weight 2.0)
Confirm servers, controllers, and gateways use a consistent time source for accurate event logging and incident review.
Security alerts or abnormal access events are reviewed (weight 3.0)
Verify there is a defined process for reviewing failed logins, configuration changes, and suspicious remote access activity.

Turnover Documentation and Acceptance

This section closes the loop by capturing the as-built record, open issues, and formal sign-off needed for turnover.

As-built cybersecurity documentation delivered (critical · weight 2.0)
Confirm delivery of network diagrams, account inventory, firmware baseline, backup/restore procedure, and remote access instructions.
Open deficiencies and non-conformances documented (weight 2.0)
Record any unresolved items, compensating controls, and target dates for closure.
Inspector signature completed (critical · weight 1.0)

How to use this template

1. Enter the project or site name, BAS/BMS scope, turnover date, and the commissioning and owner contacts so the inspection has a clear acceptance record.
2. Verify that vendor and factory default credentials have been changed, unique admin accounts are in use, and any inactive or temporary accounts have been removed or disabled.
3. Walk the network architecture against the as-built diagram and confirm segmentation, firewall rules, remote access paths, and any internet-facing devices that require explicit approval.
4. Check controller and server firmware versions, compare them to the approved baseline, and record whether patches, disabled services, and backup images are in place.
5. Review remote access logs, MFA status, time synchronization, and security alerts, then document any deficiencies, non-conformances, and required corrective actions before sign-off.
6. Attach the final as-built cybersecurity documents and complete the inspector signature only after all critical items are either verified or formally accepted as exceptions.

Best practices

Treat shared administrator credentials as a deficiency unless the owner has explicitly approved a documented exception.
Photograph or export evidence for every critical item, including account lists, firewall settings, and firmware versions, at the time of inspection.
Verify the actual installed network path, not just the design drawing, because BAS topology often changes during commissioning.
Flag any internet-facing BAS device as a critical item unless there is written owner approval and a documented compensating control.
Confirm that remote vendor access uses a controlled jump path or equivalent approved access method, and do not accept direct ad hoc logins.
Check that time synchronization is consistent across controllers, servers, and gateways so logs can be correlated during an incident review.
Record open deficiencies in plain language with a corrective action owner and target date so turnover does not lose the issue in email threads.

What this template typically catches

Issues teams running this template most often surface in practice:

Factory default passwords still active on controllers, gateways, or front-end servers.

Shared vendor admin accounts used for multiple technicians instead of unique user accounts.

BAS network left on the enterprise user VLAN with no documented segmentation or firewall boundary.

Remote vendor access configured for direct inbound connections instead of a controlled jump path.

Firmware versions installed that do not match the approved baseline or are missing required security updates.

Unused services or default ports left enabled on servers, controllers, or protocol gateways.

As-built network diagrams that do not match the actual installed topology or remote access route.

Missing backup or restore image for a front-end server or critical controller group.

Common use cases

Hospital facilities turnover review

A healthcare facilities team uses the checklist to confirm that BAS access is restricted, remote vendor connections are controlled, and the as-built documentation matches the installed system before acceptance. The record helps the owner separate BAS access from broader hospital IT access.

University campus controls retrofit

A higher education project team uses the checklist after a controls retrofit that added new gateways and remote support access. It helps verify that the new devices are segmented correctly and that temporary commissioning accounts were removed before handoff.

Commercial office tower commissioning

A commissioning agent uses the checklist to validate that the BAS front end, controllers, and vendor access controls are hardened before the property management team takes over. The checklist provides a clean deficiency list for closeout and warranty tracking.

Industrial facility owner acceptance

An industrial site uses the checklist to baseline BAS cybersecurity for HVAC and utility systems that support operations. It helps the owner confirm that remote access, patch status, and device backups are documented before the system enters service.

Frequently asked questions

What does this BAS cybersecurity hardening acceptance checklist cover?

It covers the controls that should be verified before a building automation system is handed over to the owner. The checklist walks through account hardening, network segmentation, firmware and patch baseline, remote access controls, and turnover documentation. It is designed to capture observable acceptance evidence, not just a general security review.

When should this checklist be used?

Use it at commissioning, substantial completion, or any owner turnover event where the BAS/BMS is being accepted into service. It also works well after a major controls upgrade, controller replacement, or remote access change. If the system is already in operation, it can be used as a baseline hardening audit, but it is written for acceptance.

Who should complete the checklist?

A commissioning agent, controls integrator, BAS technician, or cybersecurity-aware facilities representative can complete it, with the owner’s responsible contact reviewing the results. The best practice is to have the person verifying the controls also confirm the evidence, such as screenshots, network diagrams, and account lists. For critical items, the owner or commissioning lead should sign off on any exceptions.

Does this checklist map to a specific regulation or standard?

It aligns with common cybersecurity and building-systems expectations from owner specifications, ANSI/ASSP-style risk management practices, and general security guidance used in industrial and facility environments. It is not tied to one mandatory code section, because BAS cybersecurity acceptance is usually driven by project requirements, owner standards, and vendor hardening guidance. If your site has a formal cybersecurity program, this checklist can be adapted to match it.

What are the most common mistakes this checklist catches?

The most common issues are unchanged vendor passwords, shared admin accounts, flat networks with no segmentation, and remote access paths that bypass the intended jump host or VPN controls. Teams also miss outdated firmware, open unused services, and undocumented firewall rules. Another frequent gap is turnover documentation that does not match the actual installed topology.

How often should BAS cybersecurity hardening be reviewed after acceptance?

At minimum, review it at turnover and again after any major BAS change, firmware update, or remote access modification. Many owners also re-run it on a scheduled basis, such as annually or during periodic facilities audits, to confirm the baseline has not drifted. If the system supports critical operations, review frequency should be tied to risk and change activity.

Can this checklist be customized for different BAS platforms?

Yes. It is meant to be adapted for the specific BAS/BMS vendor, controller family, and site architecture. You can add platform-specific items for Niagara, BACnet, Modbus gateways, cloud portals, or proprietary front-end servers, while keeping the same acceptance structure. The key is to preserve the observable evidence fields and the deficiency tracking.

How does this differ from a general IT security checklist?

This checklist is focused on building automation acceptance, where controllers, field devices, vendor access, and lifecycle constraints are different from standard office IT. It checks items like firmware baselines, remote vendor paths, and BAS network topology that general IT forms often miss. It is intended to confirm the BAS is hardened enough for turnover, not to replace enterprise cybersecurity governance.

What should be attached to the completed checklist?

Attach the current network diagram, approved firmware baseline, account or access list, remote access method description, and any screenshots or logs that prove the control is in place. If there are deficiencies, include corrective action notes and target closeout dates. Those attachments make the acceptance record usable later during audits, incidents, or warranty reviews.

Related templates

Inspections

Elevator Annual Inspection Log

Track annual elevator inspections, certificate posting, deficiencies, and corrective actions in o...

Inspections

Solar Inverter and Combiner Box Inspection

Inspect solar inverters and combiner boxes for fault codes, fuse issues, moisture intrusion, grou...

Inspections

Advanced Leak Detection Survey Record

Use this Advanced Leak Detection Survey Record to document methane survey scope, instrument check...

Inspections

Door Sweep and Threshold Seal Inspection

Inspect door sweeps, thresholds, and corner pad seals on entry doors to catch drafts, water ingre...

Inspections

ERV and HRV Effectiveness Verification Report

Verify ERV and HRV sensible and latent recovery performance against AHRI 1060 with documented tes...

Forms

ASSE 6010 Medical Gas Installer and Brazer Continuity Log

Track ASSE 6010 installer credentials and ASME Section IX brazer continuity in one log, with due ...

Sop

Editorial Calendar SOP

An Editorial Calendar SOP that standardizes how you plan, approve, edit, publish, and review cont...

Hr Policy

ADA Interactive Process Documentation Policy

Document the ADA interactive process with a clear policy for meeting notes, accommodation options...

Go deeper on the topic

Related concepts

Predictive Scheduling Law

Predictive scheduling laws — also called fair workweek laws or secure scheduling — require employers in covered industries to publish employee schedules...
Overtime Calculation

Overtime calculation is the process of applying federal, state, local, and contractual rules to hours worked to determine the correct pay — including...
Near-Miss Reporting

A near-miss is an event that could have caused injury or damage but didn't — a slip that didn't fall, a load that shifted but didn't drop, a machine that...
Lockout/Tagout

Lockout/tagout (LOTO) is the procedure for controlling hazardous energy — electrical, hydraulic, pneumatic, mechanical, thermal, chemical — before...

Related guides

Risks of Unregulated Generative AI in Workplaces

Unregulated generative AI exposes companies to data leaks, compliance violations, and productivity blind spots. Learn how to govern AI adoption before...
Overcoming Enterprise-Wide AI Deployment Challenges

Overcome enterprise-wide AI deployment challenges with scalable GenAI strategies that cut costs, boost adoption, and deliver measurable ROI.
5 Tips for Successfully Deploying Collaboration Tools

Deploy collaboration tools successfully with 5 proven tips to boost adoption, align teams, and improve communication from day one.
Effective Communication Strategies For Retail Associates

Discover proven retail communication strategies—mobile apps, personalization, and recognition tools—that keep frontline associates informed, engaged, and...

Ready to use this template?

Get started with MangoApps and use BAS Cybersecurity Hardening Acceptance Checklist with your team — pricing built for small business.

Get Started Customize with AI