1 Lawrence Livermore National Laboratory LLNL NAPs Implementation Project NLIT 2009 Mark Dietrich, LLNL LLNL-PRES-413493


Post on 05-Jan-2016


Lawrence Livermore National Laboratory

LLNL-PRES-413493

LLNL NAPs Implementation Project

NLIT 2009

Mark Dietrich, LLNL


NNSA Policies are driving dramatic changes

Background

• NAPs alive since 2003

• Some iterations and pushback

• C-versions in late 2007

• LLNL Gap Analysis done early 2008

• HSS audit used NAPs vision 2008

• LLNL plan and revisions submitted to LSO 9/08, 1/09, 4/09

• Formal project opened 3/09

What’s NAP?

NNSA Policy Letters:

• NAP 14.1-C, NNSA Baseline Cyber Security Program

• NAP 14.2-C, NNSA C&A Process for Information Systems

Impact

• Full compliance: years away

• Good faith effort | steady progress

• Culture changes

• Risk and high stakes

Goal

• Make all cyber operations compliant with NAPs by September 30, 2012


Broad impacting scope and strategy

Strategy

• Establish project team

• Develop project plan that Programs and institutional organizations can accept

• Use project team (and tools) to coordinate efforts of the PADs

• Implement centralized core services to reduce cost of NAP compliance

• Create standard configurations based on national standards

• Build a Site Security Configuration Library to track configuration standards

• Convert plans, policies and procedures to be NAP compliant

New requirements

• New security plan formats

• Security configuration standards

• Stronger risk assessments

• Contingency plans for each system

• Business Impact Assessments

• Centralization of classified systems

• Up to 330 controls per system/service

• Restricting local administrative rights

• Overhaul of all computer security policies

• Integrate cyber security with the Lab’s emergency procedures


Project Approach

Integration

• Integrate many plans into one

• Integrate services at the institution level into a single plan

• Subsume existing similar plans

Consolidation

• Consolidate similar plans into broader site-wide plans

• Document differences in sub-plans

• Sub-plans inherit security policies from their parent plans

Project Approach

• Formalization, structured

• Led by an experienced PMP

• Broad reach across the enterprise

• Reporting and accountability

• Deliverables and milestones

Phasing the Approach

• Starting with the site-wide plans

• Subordinate/program plans follow using well-crafted templates for plans and test plans

• Classified plans to follow to apply valuable lessons learned from unclas


SharePoint used intensively for Project Management

Lists in Use

• Plans

• Deadlines

• Calendar

• Comms Plan

• Families

• NAP controls

• Strategies

• Subgroup tracking

• Lessons learned captures

• Risk Register

Meeting workspaces

• For project meetings

• Standing agenda items:

• Issue Log check

• Tasks check

• Plans statusing

• Posting minutes

• Recording decisions

• Planning agenda items well in advance


The Plans lifecycle has been created and socialized

Plan development/review is a 9-month process

Urgency of NAPs Implementation requires compressing 9 months into 5-6 months for unclassified plans


Document flowdown

[Figure: document flowdown diagram. Labels: Requirement, LLNL Policy, Procedure, ST&E, NAP 14.1, NAP 14.2, SPP, ISSP, CSPP, Information system accreditation method, SPPIM-1, SPPIM-2, SPPIM-3, STE-1, STE-2, STE-3, Local, Central policy catalog]


SPP (Security Plan Policy) and SSCL (Site Security Configuration Library)

SSCL

• The SSCL will be used in all security plans

• Each entry has:

• Approved configuration

• Security test script

• Listing of NAP controls met by each component

• Process development and prototyping underway

• Stores authorization basis, configuration of controls and test tools for all components

• Ensures NAP-compliance based on NIST, NSA, DISA, CIS and other national standards

SPP

• Key document generated at the institution level

• Lists for every 14.2-C control:

• Policy (the NAP text)

• Supplemental guidance

• Enhancements

• Implementation

• “Dash-One” & “Dash-Two”

• Potential assessment methods

• Examine, interview, test

• 800.53 measures

• From this derives a plan’s ST&E
