
Page 1: Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008

Computing Division Role in “responsibility” for DOE Orders

Vicky White

26-Feb-2008

Page 2

Computing Division Responsibilities

• DOE Orders

• DOE datacalls

• External requests (Counterintelligence, incident reporting, …)

Pages 3 to 7

Orders in contract

• 200.1 Information Management Program, 9/30/96
– This is a general order about documents and records, not specifically a Computing Division responsibility. The order is in revision with more of a broad IT and computing emphasis.

• N203.1 Software Quality Assurance, 10/02/00, EXPIRED but still in effect
– This order has expired but is apparently still in effect.

• 205.1 Department of Energy Cyber Security Management Program, 3/21/03
– This has been superseded by 205.1A; the contract should be corrected.

• The following orders have all either been explicitly cancelled or have expired and are no longer in effect; they should be removed from the contract:
– Manual 205.1-2 Media Sanitization, 6/26/05, CANCELLED
– N205.2 Foreign National Access to DOE Cyber Systems, 11/1/99
– N205.3 Password Generation, Protection and Use, 11/23/99
– N205.8 Cyber Security Requirements for Wireless Devices and Information Systems, 2/11/04
– N205.9 C&A of Information Systems, 2/19/04
– N205.10 Cyber Security Requirements for Risk Management, 2/19/04
– N205.11 Security Requirements for Remote Access to DOE Information Technology Systems, 2/19/04

• O475.1 Counterintelligence Program

Page 8

Actual Orders

• N203.1 Software Quality Assurance, 10/02/00, EXPIRED but still in effect
– The order states: “Basic Research Activities. The requirements of this Notice are not mandatory for basic scientific research and development activities conducted to support the Office of Science mission”; so this order primarily applies to “business” and financial software, most of which is well audited but lacks a formal software quality assurance program.

• 205.1A Department of Energy Cyber Security Management Program, 12/4/06
– Fully developed program, thoroughly audited, in complete compliance

• O475.1 Counterintelligence Program
– The CI Site Support Plan has a large effect on CD (explained later)

Page 9

PCSP Requirements

• Cyber Security Order 205.1A -> Office of Science PCSP (a long list of legislation, NIST documents, and OMB memos is incorporated into the PCSP, and hence into O205.1A) -> Fermilab CSPP -> ST&E -> Authority to Operate from the DAA (Joanna Livengood)

The documents incorporated into the PCSP:

P.L. 103-356 Government Management Reform Act of 1994, (October 13, 1994).

P.L. 104-208 Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA), (October 1, 1996).

P.L. 104-231 Electronic Freedom of Information Act (e-FOIA), (October 2, 1996).

P.L. 107-347 Title III, Federal Information Security Management Act of 2002 (FISMA), (December 17, 2002).

Page 10

P.L. 93-579 Privacy Act of 1974, as amended [Title 5 United States Code (U.S.C.) Section 552a], (December 31, 1974).

P.L. 96-349 Trade Secrets Act - (18 U.S.C., section 1905), (January 22, 2002).

P.L. 97-255 Federal Managers' Financial Integrity Act of 1982 (FMFIA), (September, 8, 1982).

P.L. 99-474 Computer Fraud and Abuse Act (18 U.S.C. section 1030), (October 16, 1986).

P.L. 99-508 Electronic Communications Privacy Act of 1986, (October 21, 1986).

P.L. 100-235 Computer Security Act of 1987, (January 8, 1988).

P.L.104-106 Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996), (February 10, 1996).

OMB Circular A-123 Management Accountability and Control, (August 4, 1986), revised (Dec 21, 2004).

OMB Circular A-130 Appendix III Security of Federal Automated Information Resources, (November 2003)

OMB Memorandum M-96-20 Implementation of the Information Technology Management Reform Act of 1996, (April 4, 1996).

OMB Memorandum M-97-02 Funding Information Systems Investments, (October 25, 1996).

OMB Memorandum M-99-05 Instructions for Complying With The President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records", (January 7, 1999).

OMB Memorandum M-99-18 Privacy Policies on Federal Web Sites, (June 2, 1999).

Page 11

OMB Memorandum M-99-20 Security of Federal Automated Information Resources, (June 23, 1999).

OMB Memorandum M-00-07 Incorporating and Funding Security in Information Systems Investments, (February 28, 2000).

OMB Memorandum M-00-10 OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act, (April 25, 2000).

OMB Memorandum M-00-13 Privacy Policies and Data Collection on Federal Web Sites, (June 22, 2000).

OMB Memorandum M-00-15 OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act, (September 25, 2000).

OMB Memorandum M-01-05 Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy, (December 20, 2000).

OMB Memorandum M-01-08 Guidance On Implementing the Government Information Security Reform Act, (January 16, 2001).

OMB Memorandum M-01-26 Component-Level Audits, (July 10, 2001).

OMB Memorandum M-03-22 OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, (September 30, 2003).

OMB Memorandum M-04-04 E-Authentication Guidance, (December 16, 2003).

OMB Memorandum M-04-25 FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, (July 17, 2006).

OMB Memorandum M-04-26 Personal Use Policies and "File Sharing" Technology, (September 8, 2004).

OMB Memorandum M-05-02 Financial Management Systems, (December 1, 2004).

Page 12

OMB Memorandum M-05-04 Policies for Federal Agency Public Websites, (December 17, 2004).

OMB Memorandum M-05-08 Designation of Senior Agency Officials for Privacy, (February 11, 2005).

OMB Memorandum M-06-15 Safeguarding Personally Identifiable Information, (May 22, 2006).

OMB Memorandum M-06-16 Protection of Sensitive Agency Information, (June 23, 2006).

OMB Memorandum M-06-19 Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments, (July 12, 2006).

NIST Federal Information Processing Standard (FIPS) 201-1 Personal Identity Verification (PIV) of Federal Employees and Contractors, (March 2006).

NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems (March 2006).

NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, (February 2004).

NIST FIPS 140-2 Security Requirements for Cryptographic Modules, (May 2001).

NIST Special Publication (SP) 800-92 Guide to Computer Security Log Management, (September 2006).

NIST SP 800-88 Guidelines for Media Sanitization, (September 2006).

NIST SP 800-83 Guide to Malware Incident Prevention and Handling, (November 2005).

NIST SP 800-73, Rev. 1 Interfaces for Personal Identity Verification, (March 2006, updated April 20, 2006).

NIST SP 800-70 The NIST Security Configuration Checklists Program, (May 2005).

Page 13

NIST SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, (January 2005).

NIST SP 800-64 Security Considerations in the Information System Development Life Cycle, Revision 1, (June 2004).

NIST SP 800-61 Computer Security Incident Handling Guide, (January 2004).

NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories, (June 2004).

NIST SP 800-55 Security Metrics Guide for Information Technology Systems, (July 2003).

NIST SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems, (April 2006).

NIST SP 800-53, Rev. 1 Recommended Security Controls for Federal Information Systems, (December 2006).

NIST SP 800-50 Building an Information Security Awareness and Training Program, (October 2003).

NIST SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, (November 2002).

NIST SP 800-47 Security Guide for Interconnecting Information Technology Systems, (August 2002).

NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems, (May 2004).

NIST SP 800-34 Contingency Planning Guide for Information Technology Systems, (June 2002).

NIST SP 800-30 Risk Management Guide for Information Technology Systems, (July 2002).

Page 14

NIST SP 800-26, Rev. 1 Guide for Information Security Program Assessments and System Reporting Form, (November 2001).

NIST SP 800-18, Rev. 1 Guide for Developing Security Plans for Federal Information Systems, (February 2006).

DOE P 205.1 Departmental Cyber Security Management Policy, (May 8, 2001).

DOE O 205.1A Department of Energy Cyber Security Management Program, (December 4, 2006).

DOE O 221.2 Cooperation with the Office of Inspector General, (March 22, 2001).

DOE P 226.1 Department of Energy Oversight Policy, (June 10, 2005).

DOE O 226.1 Implementation of Department of Energy Oversight Policy, (September 15, 2005).

DOE P 470.1 Integrated Safeguards and Security Management (ISSM) Policy, (May 8, 2001).

DOE O 470.2B Independent Oversight and Performance Assurance Program, (October 31, 2002).

DOE O 471.1 Identification and Protection of Unclassified Controlled Nuclear Information, (June 30, 2000).

DOE O 470.4 Safeguards and Security Program, (August 26, 2005).

DOE O 475.1 Counterintelligence Program, (February 10, 2004).

Executive Order (E.O). 12344 Naval Nuclear Propulsion Program, (February 1, 1982).

Page 15

E.O. 12958 Classified National Security Information, (April 17, 1995).

E.O. 13011 Federal Information Technology, (July 16, 1996).

E.O. 13231 Critical Infrastructure Protection in the Information Age, (October 16, 2001).

E.O. 13228 Establishing the Office of Homeland Security and the Homeland Security Council, (October 8, 2001).

Homeland Security Presidential Directive (HSPD) 7 Critical Infrastructure Identification, Prioritization, and Protection, (December 17, 2003).

HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors, (August 27, 2004).

Page 16

Other Orders

• DOE M 470.4-4 Chg 1 (Manual, 08/26/2005, HS) Information Security: This Manual establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Section E, Technical Surveillance Countermeasures Program, is Official Use Only. Please contact the DOE Office of Health, Safety and Security at 301-903-0292 if your official duties require you to have access to this part of the directive.
– This is a 135-page manual with all but one page devoted to classified information; the one remaining page says we need to treat OUO information according to the DOE OUO order (we are likely not in full compliance with the OUO order, as we do not have lab-wide training or procedures for handling OUO).
– CD leads the lab's Information Categorization Committee, which developed the PII policies and procedures and meets on an ongoing basis (as part of assurance). This committee will eventually have to handle the OUO and training issues.

Page 17

Other Orders

• DOE N 206.5 (Notice, 10/09/2007, MA) Response and Notification Procedures for Data Breaches Involving Personally Identifiable Information: this requires prompt reporting of suspected or actual loss of PII.
– Our lab-wide policy is in full compliance. CD handles reporting as for cyber security incidents.

Page 18

Other Orders

• DOE O 142.3 (Order, 06/18/2004, HS) Unclassified Foreign Visits and Assignments
– This order is primarily about physical visits by foreign nationals.
– Occasional language might lead you to suspect that the same requirements (background checks, visa checks, etc.) also apply to remote cyber access, but the requirements clearly do not apply (yet!) and are superseded by the access requirements defined in the PCSP.

Page 19

Compliance: Audits, Reviews, etc.

• IG audits

• Office of Independent Assessment
– Visits (with or without Office of Science/DOE OCIO partnership)
– Site Assist Visit
– Red team and penetration testing

• ST&E (System Test and Evaluation) reviews
– Through DOE-Chicago
– By external firm (Onpoint)

• Internal processes (specified in our CSPP) for ongoing internal reviews of all parts of our cyber program
– Some simply part of the ongoing process
– Some to assure compliance (such as scanning, reviews of AV, much else)

• Training (also part of compliance with our CSPP)

• Authority to Operate signed by the DOE site office (DAA)

Page 20

DOE Datacalls

• We get frequent datacalls from DOE which are not specified in the contract but are clearly related to the DOE orders and the CSPP; quite onerous and time consuming:
– Quarterly FISMA Report
– Quarterly POA&M Report
– Site AV Software Report
– Site Connectivity Datacall (OMB)
– Site Connectivity Datacall (DOE)
– Quarterly Privacy Report
– Quarterly Cyber Security Report Card
– OMB Compliance Datacalls (various)

• We participate in working groups (through SLCCC) and other related working groups and comment on proposed new orders, manuals, policies, etc. (often in an attempt to head off overly prescriptive mandates):
– Requests for Document Comments
– Oracle and other software products inventory calls
– CSWG participation
– PCSP Workgroup
– SCMS Workshop
– Ad-hoc working groups of SLCCC to review docs/propose docs/work with the OCIO office

Page 21

Other external reporting (CSPP related)

• The Fermi Computer Security Coordinator must respond to frequent requests for information and reports (again not strictly in the contract):
– Send incident reports to CIAC, CI and the IG noting the incident details, remediation and site impact. These incident reports are generated during a FIRE. Frequency is ~6/year.
– Send Negative Reports to CIAC. These reports acknowledge to CIAC, on a monthly basis, that there are no unreported incidents for the prior month. Note that this Negative Report is submitted even if an incident occurred during the reporting month. Frequency is 1/month.
– Investigate CIAC Heads-Up notices and respond if any compromises are found. The Heads-Up notices contain an array of information ranging from upcoming threats to details of malicious activity or IP addresses to look for. Frequency is ~2-3/week.
– Investigate and respond to CIAC-generated tickets concerning interesting traffic or potentially compromised machines. These CIAC tickets are usually created either by US-CERT notices or by the FNAL CPP data feeds to CIAC. Frequency is ~1 every 6 months under normal circumstances, increasing to 2-3/week when a new potential threat is discovered until the false positives can be identified.

Page 22

External Reporting (O475.1 related)

– Investigate and respond to Counterintelligence (CI) user data requests. These requests are formally made through Bruce Chrisman and are either one-time information snapshots or ongoing data gathering. They typically include identifying the primary resources accessed by an individual for a specific period of time (or ongoing), snapshots or ongoing captures of electronic communications, and disk images of non-shared resources. Frequency is ~1 snapshot request every 2 weeks, and 1-2/week of ongoing captures.

– Investigate and respond to Counterintelligence (CI) compromised-machine reports. These reports are generated from FNAL CPP data sent to the OAC. The reports often contain FNAL machines that engaged in some communication with interesting Internet hosts. Frequency is ~1-2/week, with almost all cases resulting in false positives.

Page 23

External reporting (3)

– Investigate and respond to Counterintelligence (CI) Heads-Up notices. These notices are generated from CI community intelligence reports and first-hand experience of recent attack vectors. Frequency is ~1-2/week. A notice does not imply a compromise at FNAL, but rather is a heads up that, given certain circumstances, there may be compromised machines, or a compromise is possible.

– Respond to Counterintelligence foreign travel requests. On rare occasions, CI may request that all persons traveling abroad have their hard drives imaged before and after their trip. Frequency is sporadic, but the actual work encompasses many individuals in a single request, requiring an emergency purchase of hard drives to fulfill the request, along with many hours of HDD duplication effort.

Page 24

External reporting (4)

– Investigate and respond to law enforcement. Under normal circumstances, law enforcement (e.g. FBI) works with CI to communicate with FNAL. Once the initial communication is established, communications directly between FNAL and law enforcement may continue. This relationship may develop through an FNAL-reported compromise where law enforcement requests a copy of the compromised disk drive, or from interesting user activities about which law enforcement is concerned. Frequency is ~1/6 months.

(presumably this is not under any specific DOE order, but we are required to do this under federal law?)

Page 25

200.1A (in the works)

• DOE O 200.1A, Information Technology Management
– SLCC has provided extensive comments in RevCom on this proposed new order and also provided a suggested rewrite of the CRD for this revised order.
– (SLCC did not like this order at all)