Lawrence Livermore National Laboratory
LLNL-PRES-413493
LLNL NAPs Implementation Project
NLIT 2009
Mark Dietrich, LLNL
NNSA Policies are driving dramatic changes
Background
• NAPs alive since 2003
• Some iterations and pushback
• C-versions in late 2007
• LLNL Gap Analysis done early 2008
• HSS audit used NAPs vision 2008
• LLNL plan and revisions submitted to LSO 9/08, 1/09, 4/09
• Formal project opened 3/09
What’s NAP?
NNSA Policy Letters:
• NAP 14.1-C, NNSA Baseline Cyber Security Program
• NAP 14.2-C, NNSA C&A Process for Information Systems
Impact
• Full compliance: years away
• Good faith effort | steady progress
• Culture changes
• Risk and high stakes
Goal
• Make all cyber operations compliant with NAPs by September 30, 2012
Broad impacting scope and strategy
Strategy
• Establish project team
• Develop project plan that Programs and institutional organizations can accept
• Use project team (and tools) to coordinate efforts of the PADs
• Implement centralized core services to reduce cost of NAP compliance
• Create standard configurations based on national standards
• Build a Site Security Configuration Library to track configuration standards
• Convert plans, policies and procedures to be NAP compliant
New requirements
• New security plan formats
• Security configuration standards
• Stronger risk assessments
• Contingency plans for each system
• Business Impact Assessments
• Centralization of classified systems
• Up to 330 controls per system/service
• Restricting local administrative rights
• Overhaul of all computer security policies
• Integrate cyber security with the Lab’s emergency procedures
Project Approach
Integration
• Integrate many plans into one
• Integrate services at the institution level into a single plan
• Subsume existing similar plans
Consolidation
• Consolidate similar plans into broader site-wide plans
• Document differences in sub-plans
• Sub-plans inherit security policies from their parent plans
Project Approach
• Formalization, structured
• Led by an experienced PMP
• Broad reach across the enterprise
• Reporting and accountability
• Deliverables and milestones
Phasing the Approach
• Starting with the site-wide plans
• Subordinate/program plans follow using well-crafted templates for plans and test plans
• Classified plans to follow to apply valuable lessons learned from unclas
SharePoint used intensively for Project Management
Lists in Use
• Plans
• Deadlines
• Calendar
• Comms Plan
• Families
• NAP controls
• Strategies
• Subgroup tracking
• Lessons learned captures
• Risk Register
Meeting workspaces
• For project meetings
• Standing agenda items:
• Issue Log check
• Tasks check
• Plans statusing
• Posting minutes
• Recording decisions
• Planning agenda items well in advance
The Plans lifecycle has been created and socialized
• Plan development/review is a 9-month process
• Urgency of NAPs Implementation requires compressing 9 months into 5-6 months for unclassified plans
Document flowdown
[Diagram labels: Requirement, LLNL Policy, Procedure, ST&E; NAP 14.1, NAP 14.2, SPP, ISSP, CSPP, Local, Information system accreditation method, SPPIM-1, SPPIM-2, SPPIM-3, STE-1, STE-2, STE-3, Central policy catalog]
SPP (Security Plan Policy) and SSCL (Site Security Configuration Library)
SSCL
• The SSCL will be used in all security plans
• Each entry has:
• Approved configuration
• Security test script
• Listing of NAP controls met by each component
• Process development and prototyping underway
• Stores authorization basis, configuration of controls and test tools for all components
• Ensures NAP-compliance based on NIST, NSA, DISA, CIS and other national standards
SPP
• Key document generated at the institution level
• Lists for every 14.2-C control:
• Policy (the NAP text)
• Supplemental guidance
• Enhancements
• Implementation
• “Dash-One” & “Dash-Two”
• Potential assessment methods
• Examine, interview, test
• 800-53 measures
• From this derives a plan’s ST&E