Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008.

Published byRoderick Long Modified over 8 years ago

Similar presentations

Presentation on theme: "Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008."— Presentation transcript:

1 Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008

2 2/26/20082 Computing Division Responsibilities DOE Orders DOE datacalls External requests (Counterintelligence, incident reporting, …)

3 2/26/20083 Orders in contract 200.1 Information management Program 9/30/96 N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect 205.1 Dept of Energy Cyber Security management program 3/21/03 manual 205.1-2 media sanitization 6/26/05 CANCELLED N205.2 Foreign national Access to DOE Cyber Systems 11/1/99 N205.3 Password generation, protection and use 11/23/99 N205.8 Cyber Security Requirements for wireless devices and information systems 2/11/04 N205.9 C&A of information systems 2/19/04 N205.10 Cyber Security Requirements for risk management 2/19/04 N205.11 Security requirements for remote access to DOE information tech systems 2/19/04 O475.1 Counterintelligence Program

4 2/26/20084 Orders in contract This is a general order about documents and records, not specifically computing division responsibility. Order is in revision with more of a broad IT and computing emphasis 200.1 Information management Program 9/30/96 N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect 205.1 Dept of Energy Cyber Security management program 3/21/03 manual 205.1-2 media sanitization 6/26/05 CANCELLED N205.2 Foreign national Access to DOE Cyber Systems 11/1/99 N205.3 Password generation, protection and use 11/23/99 N205.8 Cyber Security Requirements for wireless devices and information systems 2/11/04 N205.9 C&A of information systems 2/19/04 N205.10 Cyber Security Requirements for risk management 2/19/04 N205.11 Security requirements for remote access to DOE information tech systems 2/19/04 O475.1 Counterintelligence Program

5 2/26/20085 Orders in contract 200.1 Information management Program 9/30/96 This order has expired but is apparently still in effect N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect 205.1 Dept of Energy Cyber Security management program 3/21/03 manual 205.1-2 media sanitization 6/26/05 CANCELLED N205.2 Foreign national Access to DOE Cyber Systems 11/1/99 N205.3 Password generation, protection and use 11/23/99 N205.8 Cyber Security Requirements for wireless devices and information systems 2/11/04 N205.9 C&A of information systems 2/19/04 N205.10 Cyber Security Requirements for risk management 2/19/04 N205.11 Security requirements for remote access to DOE information tech systems 2/19/04

6 2/26/20086 Orders in contract 200.1 Information management Program 9/30/96 N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect This has been superseded by 205.1A, contract should be corrected 205.1 Dept of Energy Cyber Security management program 3/21/03 manual 205.1-2 media sanitization 6/26/05 CANCELLED N205.2 Foreign national Access to DOE Cyber Systems 11/1/99 N205.3 Password generation, protection and use 11/23/99 N205.8 Cyber Security Requirements for wireless devices and information systems 2/11/04 N205.9 C&A of information systems 2/19/04 N205.10 Cyber Security Requirements for risk management 2/19/04 N205.11 Security requirements for remote access to DOE information tech systems 2/19/04 O475.1 Counterintelligence Program

7 2/26/20087 Orders in contract 200.1 Information management Program 9/30/96 N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect 205.1 Dept of Energy Cyber Security management program 3/21/03 The following orders have all either been explicitly cancelled or have expired and are no longer in effect; they should be removed from the contract manual 205.1-2 media sanitization 6/26/05 CANCELLED N205.2 Foreign national Access to DOE Cyber Systems 11/1/99 N205.3 Password generation, protection and use 11/23/99 N205.8 Cyber Security Requirements for wireless devices and information systems 2/11/04 N205.9 C&A of information systems 2/19/04 N205.10 Cyber Security Requirements for risk management 2/19/04 N205.11 Security requirements for remote access to DOE information tech systems 2/19/04 O475.1 Counterintelligence Program

8 2/26/20088 Actual Orders N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect –Order states “Basic Research Activities. The requirements of this Notice are not mandatory for basic scientific research and development activities conducted to support the Office of Science mission”; so this order primarily applies to “business” and financial software, most of which is well audited, but lacking a formal software quality assurance program. 205.1A Dept of Energy Cyber Security management program 3/21/03 –Fully developed program, thoroughly audited, in complete compliance O475.1 Counterintelligence Program –CI Site Support Plan has large effect on CD (explain later)

9 2/26/20089 PCSP Requirements Cyber Security Order 205.1A  Office of Science PCSP  a long list of legislation, NIST documents, and OMB memos that are incorporated into the PCSP (and hence into O205.1A) -> Fermilab CSPP -> ST&E -> Authority to Operate from DAA (Joanna Livengood) P.L. 103-356Government Management Reform Act of 1994, (October 13, 1994). P.L. 104-208Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA), (October 1, 1996). P.L. 104-231Electronic Freedom of Information Act (e-FOIA), (October 2,1996). P.L. 107-347Title III, Federal Information Security Management Act of 2002 (FISMA), (December 17, 2002).

10 2/26/200810 P.L. 93-579Privacy Act of 1974, as amended [Title 5 United States Code (U.S.C.) Section 552a], (December 31, 1974). P.L. 96-349Trade Secrets Act - (18 U.S.C., section 1905), (January 22, 2002). P.L. 97-255Federal Managers' Financial Integrity Act of 1982 (FMFIA), (September, 8, 1982). P.L. 99-474Computer Fraud and Abuse Act (18 U.S.C. section 1030), (October 16.1986). P.L. 99-508Electronic Communications Privacy Act of 1986, (October 21, 1986). P.L. 100-235Computer Security Act of 1987, (January 8, 1988). P.L.104-106Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996), (February 10, 1996). OMB Circular A-123Management Accountability and Control, (August 4, 1986), revised (Dec 21, 2004). OMB Circular A-130 Appendix IIISecurity of Federal Automated Information Resources, (November 2003) OMB Memorandum M-96-20Implementation of the Information Technology Management Reform Act of 1996, (April 4, 1996). OMB Memorandum M-97-02Funding Information Systems Investments, (October 25, 1996). OMB Memorandum M-99-05Instructions for Complying With The President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records, (January 7, 1990). OMB Memorandum M-99-18Privacy Policies on Federal Web Sites, (June 2, 1999).

11 2/26/200811 OMB Memorandum M-99-20Security of Federal Automated Information Resources, (June 23, 1999). OMB Memorandum M-00-07Incorporating and Funding Security in Information Systems Investments, (February 28, 2000). OMB Memorandum M-00-10OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act, (April 25, 2000). OMB Memorandum M-00-13Privacy Policies and Data Collection on Federal Web Sites, (June 22, 2000). OMB Memorandum M-00-015OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act, (September 25, 2000). OMB Memorandum M-01-05Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy, (December 20, 2000). OMB Memorandum M-01-08Guidance On Implementing the Government Information Security Reform Act, (January 16, 2001). OMB Memorandum M-01-26Component-Level Audits, (July 10, 2001). OMB Memorandum M-03-22OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, (September 30, 2003). OMB Memorandum M-04-04E-Authentication Guidance, (December 16, 2003). OMB Memorandum M-04-25FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, (July 17, 2006). OMB Memorandum M-04-26Personal Use Policies and "File Sharing" Technology, (September 8, 2004). OMB Memorandum M-05-02Financial Management Systems, (December 1, 2004).

12 2/26/200812 OMB Memorandum M-05-04Policies for Federal Agency Public Websites, (December 17, 2004). OMB Memorandum M-05-08Designation of Senior Agency Officials for Privacy, (February 11, 2005). OMB Memorandum M-06-15Safeguarding Personally Identifiable Information, (May 22, 2006). OMB Memorandum M-06-16Protection of Sensitive Agency Information, (June 23, 2006). OMB Memorandum M-06-19Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments, (July 12, 2006). NIST Federal Information Processing Standard (FIPS) 201-1 National Institute of Standards and Technology (NIST) Personal Identity Verification (PIV) of Federal Employees and Contractors, (March 2006). NIST FIPS 200Minimum Security Requirements for Federal Information and Information Systems (March 2006). NIST FIPS 199Standards for Security Categorization of Federal Information and Information Systems, (February 2004). NIST FIPS 142-2Security requirements for Cryptographic Modules, (May 2001). NIST Special Publication (SP) 800-92Guide to Computer Security Log Management, (September 2006). NIST SP 800-88Guidelines for Media Sanitization, (September 2006). NIST SP 800-83Guide to Malware Incident Prevention and Handling, (November 2005). NIST SP 800-73, Rev. 1Interfaces for Personal Identity Verification, March 2006, (updated April 20, 2006) NIST SP 800-70The NIST Security Configuration Checklists Program, (May 2005).

13 2/26/200813 NIST SP 800-65Integrating Security into the Capital Planning and Investment Control Process, (January 2005). NIST SP 800-64Security Considerations in the Information System Development Life Cycle, Revision 1, (June 2004). NIST SP 800-61Computer Security Incident Handling Guide, (January 2004) NIST SP 800-60Guide for Mapping Types of Information and Information Systems to Security Categories, (June 2004). NIST SP 800-55Security Metrics Guide for Information Technology Systems, (July 2003) NIST SP 800-53AGuide for Assessing the Security Controls in Federal Information Systems, (April 2006). NIST SP 800-53, Rev. 1Recommended Security Controls for Federal Information Systems, (December 2006). NIST SP 800-50Building an Information Security Awareness and Training Program, (October 2003) NIST SP 800-48Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, (November 2002). NIST SP 800-47Security Guide for Interconnecting Information Technology Systems, (August 2002). NIST SP 800-37Guide for the Security Certification and Accreditation of Federal Information Systems, (May 2004). NIST SP 800-34Contingency Planning Guide for Information Technology Systems, (June 2002). NIST SP 800-30Risk Management Guide for Information Technology Systems, (July 2002).

14 2/26/200814 NIST SP 800-26, Rev. 1Guide for Information Security Program Assessments and System Reporting Form, (November 2001). NIST SP 800-18, Rev. 1Guide for Developing Security Plans for Federal Information Systems, (February 2006). DOE P 205.1Departmental Cyber Security Management Policy, (May 8, 2001). DOE O 205.1ADepartmental of Energy Cyber Security Management Program, (December 4, 2006). DOE 0 221.2Cooperation with the Office of Inspector General, (March 22, 2001). DOE P 226.1Department of Energy Oversight Policy, (June 10, 2005) DOE 0 226.1Implementation of Department of Energy Oversight Policy, (September 15, 2005). DOE P 470.1Integrated Safeguards and Security Management (ISSM) Policy, (May 8, 2001). DOE 0 470.2BIndependent Oversight and Performance Assurance Program, (October 31, 2002). DOE 0 471.1Identification and Protection of Unclassified Controlled Nuclear Information, (June 30, 2000). DOE 0 470.4Safeguards and Security Program, (August 26, 2005). DOE 0 475.1Counterintelligence Program, (February 10, 2004). Executive Order (E.O). 12344Naval Nuclear Propulsion Program, (February 1, 1982).

15 2/26/200815 E.O. 12958Classified National Security Information, (April 17, 1995). E.O. 13011Critical Infrastructure Identification, Prioritization, and Protection, (December 17, 2003) E.O. 13231Federal Information Technology, (July 17, 1996). E.O. 13228Establishing the Office of Homeland Security and the Homeland Security Council, (October 8, 2001). Homeland Security Presidential Directive (HSPD) 7 Critical Infrastructure Identification, Prioritization, and Protection, (December 17, 2003) HSPD-12Policy for a Common Identification Standard for Federal Employees and Contractors, (August 27, 2004).

16 2/26/200816 Other Orders DOE M 470.4-4 Chg 1 (Manual, 08/26/2005, HS) Information Security: This Manual establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Section E, Technical Surveillance Countermeasures Program, is Official Use Only. Please contact the DOE Office of Health, Safety and Security at 301-903-0292 if your official duties require you to have access to this part of the directive. –This is a 135 page manual with all but 1 page devoted to classified information; 1 page says we need to treat OUO info according to the DOE OUO order (we are likely not in full compliance with OUO order, as we do not have lab-wide training or procedures for handling OUO). –CD leads Information Categorization Committee of the lab which developed PII policies and procedures and meets on an ongoing basis (as part of assurance). This committee will have to handle OUO and training issues eventually.

17 2/26/200817 Other Orders DOE N 206.5 (Notice, 10/09/2007, MA) Response and Notification Procedures for Data Breaches Involving Personally Identifiable Information: this requires prompt reporting of suspected or actual loss of PII; –our labwide policy is in full compliance. CD handles reporting as for cyber security incidents

18 2/26/200818 Other Orders DOE O 142.3 (Order, 06/18/2004, HS) Unclassified Foreign Visits and Assignments: –this order is primarily about physical visits by foreign nationals. –occasional language might lead you to suspect that same requirements (background checks, visa checks etc) also apply to remote cyber access, but the requirements clearly do not apply (yet!) and are superseded by access requirements defined in the PCSP.

19 2/26/200819 Compliance: Audits,Reviews,etc. IG audits Office of Independent Assessment – visits (with or without Office of Science/DOE OCIO partnership) –Site Assist Visit –Red team and penetration testing ST&E (System Test and Evaluation) reviews –Through DOE-Chicago –By external firm (Onpoint) Internal processes (specified in our CSPP) for ongoing internal reviews of all parts or our cyber program –Some simply part of the ongoing process –Some to assure compliance (such as Scanning, reviews of AV, much else) Training (also part of compliance to our CSPP) Authority to Operate signed by DOE site office – DAA.

20 2/26/200820 DOE Datacalls We get frequent datacalls from DOE which are not specified in contract but clearly related to the DOE orders and the CSPP; quite onerous and time consuming: –Quarterly FISMA Report –Quarterly POA&M Report –Site AV Software Report –Site Connectivity Datacall (OMB) –Site Connectivity Datacall (DOE) –Quarterly Privacy Report –Quarterly Cyber Security Report Card –OMB Compliance Datacalls (various) We participate in working groups (through SLCCC) and other related working groups and make comments on proposed new orders, manuals, policies etc (often in an attempt to head off overly prescriptive mandates) –Requests for Document Comments –Oracle and other software Products Inventory calls –CSWG Participation –PCSP Workgroup –SCMS Workshop –Ad-hoc working groups of SLCCC to review docs/propose docs/work with OCIO office

21 2/26/200821 Other external reporting (CSPP related) The Fermi Computer Security Coordinator must respond to frequent requests for information and reports (again not strictly in contract): –Send incident reports to CIAC, CI and the IG noting the incident details, remediation and site impact. These incident reports are generated during a FIRE. Frequency is ~6/year. –Send Negative Reports to CIAC. These reports are to acknowledge to CIAC, on a monthly basis, that there are no unreported incidents for the prior month. Note that this Negative Report is submitted even is an incident occurred during the reporting month. Frequency is 1/month. –Investigate CIAC Heads-Up notices and respond if any compromises are found. The Heads-Up notices contain an array of information ranging from upcoming threats to details of malicious activity or IP addresses to look for. Frequency is ~2-3/week. –Investigate and respond to CIAC generated tickets concerning interesting traffic or potentially compromised machines. These CIAC tickets are usually created by either US-Cert notices or the FNAL CPP data feeds to CIAC. Frequency is ~1 every 6 months under normal circumstances, and increases to 2-3/week when a new potential threat is discovered until the false positives can be identified.

22 2/26/200822 External Reporting (O475.1 related) –Investigate and respond to Counter Intelligence (CI) user data requests. These requests are formally made through Bruce Chrisman and are either one time information snapshots or ongoing data gathering. These requests typically include identifying the primary resources accessed by an individual for a specific period of time (or ongoing), snapshots or ongoing captures of electronic communications and disk images of non- shared resources. Frequency is ~1 snapshot request every 2 weeks, and 1-2/week of ongoing captures. –Investigate and respond to Counter Intelligence (CI) compromise machine reports. These reports are generated from FNAL CPP data sent to the OAC. The reports often contain FNAL machines that engaged in some communication to interesting Internet hosts. Frequency is ~1-2/week, with almost all cases resulting in false positives.

23 2/26/200823 External reporting (3) –Investigate and respond to Counter Intelligence (CI) Heads-Up notices. These notices are generated from CI community intelligence reports and first-hand experience of recent attack vectors. Frequency is ~1-2/week, and does not imply a compromise at FNAL, but rather a heads up that, given certain circumstances, there may be compromised machines, or a compromise is possible. –Respond to Counter Intelligence foreign travel requests. On rare occasions, CI may request that all persons traveling abroad have their hard drives imaged before and after their trip. Frequency is sporadic, with the actual work encompassing many individuals in a single request, requiring an emergency purchase of hard drives to fulfill the request, along with many hours of HDD duplication effort.

24 2/26/200824 External reporting (4) –Investigate and respond to law enforcement. Under normal circumstances, law enforcement (e.g. FBI) works with CI to communicate with FNAL. Once the initial communication is established, communications directly between FNAL and law enforcement may continue. This relationship may be developed through a FNAL reported compromise where law enforcement is requesting a copy of the compromised disk drive, or from interesting user activities for which law enforcement is concerned. Frequency is ~1/6 months. (presumably this is not under any specific DOE order, but we are required to do this under federal law?)

25 2/26/200825 200.1A (in the works) DOE O 200.1A, INFORMATION TECHNOLOGY MANAGEMENT –SLCC has provided extensive comments in Revcom on this proposed new order and also provided a suggested rewrite of the CRD for this revised order. –(SLCC did not like this order at all)

Download ppt "Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008."

Similar presentations

WHAT TO EXPECT IN AN EXTERNAL AUDIT OR INVESTIGATION An Overview of External Audit and Investigative Processes Performed by Outside Entities at UCSD.

WHAT TO EXPECT IN AN EXTERNAL AUDIT OR INVESTIGATION An Overview of External Audit and Investigative Processes Performed by Outside Entities at UCSD.
SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,

SHIFTING INFORMATION SECURITY LANDSCAPE FROM C&AS TO CONTINUOUS MONITORING ANDREW PATCHAN JD, CISA ASSOCIATE IG FOR IT, FRB LOUIS C. KING, CPA, CISA, CMA,
15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.

15June’061 NASA PKI and the Federal Environment 13th Fed-Ed PKI Meeting 15 June ‘06 Presenter: Tice DeYoung.
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
IT Security Law for Federal Agencies As of: 30 December 2002.

IT Security Law for Federal Agencies As of: 30 December 2002.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
What is Insider Threat? “Potential damage to the interests of an organization by a person(s) who is regarded, falsely, as loyally working for or on behalf.

What is Insider Threat? “Potential damage to the interests of an organization by a person(s) who is regarded, falsely, as loyally working for or on behalf.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.

NIH Security, FISMA and EPLC Lots of Updates! Where do we start? Kay Coupe NIH FISMA Program Coordinator Office of the Chief Information Officer Project.
“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)

“Personal Identity Verification (PIV) of Federal Employees and Contractors” October 27, 2005 Homeland Security Presidential Directive 12 (HSPD-12)
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
The Department of Defense Intelligence Oversight Program

The Department of Defense Intelligence Oversight Program
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007.

Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.

NLRB: Information Security & FISMA Daniel Wood, Chief IT Security February 19, 2004.
Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009.

Tune IT Up Campaign Overview Mark Kaletka Computing Division 9/29/2009 Mark Kaletka Computing Division 9/29/2009.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

Similar presentations

Ads by Google