Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007.

Presentation transcript:

Policy Formulation, the Real Scoop Computer Security Awareness Day Mark Leininger September 11, 2007

What is this talk about?
Computer Security (honest): how Federal Law results in the computer security rules that we are obligated to follow. Was high school civics class like this?

Policy Process
A peer at another lab suggested just showing a video of a dense fog slowly rolling in to describe the government process:

Four Sources of Federal Law
Constitution
Statutes
Administrative Law (Regulations)
Common Law

Constitution
Origin of Federal Law. Allows Congress to create Statutes. Here is the process by which Congress creates Statutes (and other things):

Statutes
Statute is synonymous with "Law" and "Act of Congress". A Statute is legislation that has passed Congress. The Constitution gives Congress the power to create Statutes for limited purposes, for example to regulate commerce. Statutes are codified in the United States Code (USC). Examples of recent Statutes:
December 8, 1993: North American Free Trade Agreement Implementation Act, Pub.L , 107 Stat
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism ("USA PATRIOT") Act, Pub.L , 115 Stat
Sarbanes-Oxley Act, Pub.L , 116 Stat
Homeland Security Act, Pub.L , 116 Stat
E-Government Act of 2002, Pub.L , 116 Stat

Statutes
Some Statutes give Agencies of the Executive Branch the power to create Regulations. Not all Regulations achieve the desired effect:

Regulations: Administrative Law
Regulations are published in the Federal Register and codified into the Code of Federal Regulations (CFR). Regulation is not synonymous with law, but ends up having the force of law because it defines how to be in compliance with a law. Regulations are the mechanism by which almost all day-to-day computer security requirements reach us at Fermilab.

Review
Four sources of Federal Law:
Constitution: gives Congress the right to create Statutes
Statutes: give agencies the right to create Regulations
Administrative Law (Regulations)
Common Law
The rest of this talk will focus on Administrative Law, specifically how regulations involving computer security make their way to the lab.

Office of Management and Budget
Recall: Statutes give Agencies of the Executive Branch of Government the power to create Regulations. OMB is the largest office in the Executive Office of the President (EOP). OMB is tasked with giving expert advice to senior White House officials on a range of topics relating to federal policy, management, legislative, regulatory, and budgetary issues. The bulk of OMB's 500 employees are charged with monitoring the adherence of their assigned federal programs to presidential policies.

OMB and Information Systems
The Clinger-Cohen Act (a Statute) of 1996 requires OMB to:
establish processes for executive agencies to analyze, track, and evaluate the risks and results of major capital investments for information systems, and
report on the net program performance benefits achieved by executive agencies as a result of major capital investments in information systems.
The Clinger-Cohen Act assigns agencies (like DOE) the responsibility for implementing OMB policies through effective capital planning and performance- and results-based management.

Department of Energy
DOE is a cabinet-level agency in the Executive Branch. The President's Cabinet consists of the highest-level appointed officials in the Executive Branch, for example DOE, Department of Defense, Department of Transportation, Department of Homeland Security, etc.

DOE
Here are two DOE org charts that show how the site office that manages Fermilab fits into DOE:

How does Fermilab fit into DOE?
Fermilab is a Federally Funded Research and Development Center (FFRDC). Fermilab is operated as a Government Owned Contractor Operated (GOCO) entity.

Fermilab is an FFRDC
A Federally Funded Research and Development Center. Federal Acquisition Regulation (FAR) part 35 defines an FFRDC: an FFRDC meets some special long-term research or development need which cannot be met as effectively by existing in-house or contractor resources. FFRDCs are operated, managed, and/or administered by either a university or consortium of universities, other not-for-profit or nonprofit organization, or an industrial firm, as an autonomous organization or as an identifiable separate operating unit of a parent organization.

Fermilab is operated as a GOCO
Fermilab as a facility is Government Owned Contractor Operated (GOCO). The contractor is Fermi Research Alliance (FRA), an alliance between the University of Chicago and University Research Associates (URA). We are not Federal Employees. Our records (employee, financial, legal, etc.) are not the property of the government; they belong to Fermilab.

Computer Security Requirements are in Fermilab's Contract
There is a contract between FRA and DOE to manage Fermilab. One of the items specified in that contract is the list of DOE regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office. The list of regulations in our contract can be seen at: Fermilab Contract. These regulations go through a public review and comment process, RevCom, before being placed in our contract.

Program Cyber Security Plan
One of the orders in our contract with DOE requires us to be in compliance with a document written by the Office of Science, called the Program Cyber Security Plan (PCSP). The PCSP requires us to be in compliance with a broad range of Federal regulations, seen partially on the next slide.

Some of the Requirements in PCSP
Applicable Standards and Guidance

Legislation
Office of Management and Budget (OMB) Memorandum, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26,
Office of Management and Budget (OMB) Memorandum, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7,
Public Law (44 U.S.C. Ch 36), E-Government Act of 2002, Title III, Information Security, also known as the Federal Information Security Management Act (FISMA) of
Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8,
Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

NIST Guidance
Federal Information Processing Standards (FIPS)
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July
FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February

Special Publications
SP , The NIST Security Configuration Checklists Program, May 2005
SP , Integrating Security into the Capital Planning and Investment Control Process, January
SP , Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004)
SP , Guide for Mapping Types of Information and Information Systems to Security Categories, June
SP , Recommended Security Controls for Federal Information Systems, February
SP , Wireless Network Security: , Bluetooth, and Handheld Devices, November
SP , Guide for the Security Certification and Accreditation of Federal Information Systems, May
SP , Contingency Planning Guide for Information Technology Systems, June
SP , Risk Management Guide for Information Technology Systems, July
SP , Rev. 1 (NIST DRAFT Special Publication , Revision 1): Guide for Information Security Program Assessments and System Reporting Form
SP , Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February

DOE Policy and Guidance
Revitalization of the Department of Energy Cyber Security Program (1/2006)
Department of Energy Cyber Security Management Program, Order 205.1
(Draft) Department of Energy Cyber Security Management Program (3/21/2003)
Notice: Incident Prevention Warning and Response Manual
Notice: Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
Notice: Password Generation, Protection and Use (extended to 9/30/06)
Notice: Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
Notice: Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
Notice: Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
Notice: Cyber Security Requirements for Risk Management (3/18/06)
Notice: Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/18/06)
Notice: Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
Notice: Extension of DOE Directive on Cyber Security (7/6/2004)

PCSP requires a CSPP
The PCSP requires a Cyber Security Program Plan (CSPP). The CSPP is the framework document for all computer security requirements at the lab. See: Computer Security Documents.

Monitoring and Audits
To ensure we are complying with all the required computer security regulations, the computer security program is audited several times a year by:
Inspector General
DOE/CIO (Chief Information Officer in DOE)
Office of Science in DOE
Safeguards and Security Office in DOE
These audits are in addition to all the other audits at the lab, for example financial, property, physical security, etc. We get data calls several times each month. Sometimes it feels like everyone is out to get us...

President's Management Agenda
In 2001 the White House announced a strategy for improving management of government: the President's Management Agenda (PMA). One requirement in the PMA is Scorecards for each agency, including DOE. Areas such as computer security are rated as red, yellow or green. The pressure to reach a green score indirectly affects how resources are expended on computer security.

Summary
Constitution ->
Congress makes Statutes ->
Statutes empower agencies to create Regulations ->
Regulations are in the Fermilab contract with DOE ->
Regulations require compliance with the DOE Program Cyber Security Plan ->
The Program Cyber Security Plan requires compliance with a broad range of other government regulations ->
The Program Cyber Security Plan requires us to have and follow a Cyber Security Program Plan, which contains our site requirements for computer security.
Got it?