
Policy Formulation, the Real Scoop Computer Security Awareness Day

Policy Formulation, the Real Scoop. Computer Security Awareness Day. Mark Leininger, September 11, 2007. What is this talk about? Computer Security (honest). How Federal Law results in the computer security rules that we are obligated to follow. Was high school civics class like this?


Presentation Transcript


  1. Policy Formulation, the Real Scoop • Computer Security Awareness Day • Mark Leininger • September 11, 2007

  2. What is this talk about? • Computer Security (honest) • How Federal Law results in the computer security rules that we are obligated to follow. • Was high school civics class like this?

  3. Policy Process • A peer at another lab suggested just showing a video of a dense fog slowly rolling in to describe the government process:

  4. Four Sources of Federal Law • Constitution • Statutes • Administrative Law (Regulations) • Common Law

  5. Constitution • Origin of Federal Law • Allows Congress to create Statutes • Here is the process by which Congress creates Statutes (and other things)

  6. Statutes • Statute is synonymous with “Law” and “Act of Congress” • Statute is legislation that has passed Congress • Constitution gives Congress the power to create Statutes for limited purposes, for example to regulate commerce • Statutes are codified in the United States Code (USC) • Examples of recent Statutes: • December 8, 1993 — North American Free Trade Agreement Implementation Act, Pub.L. 103-182, 107 Stat. 2057 • 2001-10-26 — Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism ("USA PATRIOT") Act, Pub.L. 107-56, 115 Stat. 272 • 2002-07-30 — Sarbanes-Oxley Act, Pub.L. 107-204, 116 Stat. 745 • 2002-11-25 — Homeland Security Act, Pub.L. 107-296, 116 Stat. 2135 • 2002-12-17 — E-Government Act of 2002, Pub.L. 107-347, 116 Stat. 2899

  7. Statutes • Some Statutes give Agencies of the Executive Branch the power to create Regulations. Not all Regulations achieve the desired effect:

  8. Regulations: Administrative Law • Published in the Federal Register • Codified into the Code of Federal Regulations (CFR) • Regulation is not synonymous with law, but ends up having the force of law because it defines how to be in compliance with a law • Regulations are the mechanism by which almost all day-to-day computer security requirements reach us at Fermilab

  9. Review • Four sources of Federal Law • Constitution gives Congress right to create Statutes • Statutes give agencies the right to create regulations • Administrative Law (Regulations) • Common Law • The rest of this talk will focus on Administrative Law, specifically how regulations involving computer security make their way to the lab.

  10. Office of Management and Budget • Recall: Statutes give Agencies of the Executive Branch of Government the power to create Regulations. • OMB is the largest office in the Executive Office of the President (EOP) • OMB is tasked with giving expert advice to senior White House officials on a range of topics relating to federal policy, management, legislative, regulatory, and budgetary issues. The bulk of OMB's 500 employees are charged with monitoring the adherence of their assigned federal programs to presidential policies.

  11. OMB and Information Systems • Clinger-Cohen Act (a Statute) of 1996 requires OMB to: • Establish processes for executive agencies to analyze, track, and evaluate the risks and results of major capital investments for information systems, and • Report on the net program performance benefits achieved by executive agencies as a result of major capital investments in information systems. • The Clinger-Cohen Act assigns agencies (like DOE) the responsibility for implementing OMB policies through effective capital planning and performance- and results-based management.

  12. Department of Energy • DOE is a cabinet level agency in the Executive Branch • The President’s Cabinet consists of the highest level appointed officials in the Executive Branch, for example DOE, Department of Defense, Department of Transportation, Department of Homeland Security, etc.

  13. DOE • Here are two DOE org charts that show how the site office that manages Fermilab fits into DOE

  14. How does Fermilab fit into DOE? • Fermilab is a Federally Funded Research and Development Center. • Fermilab is operated as a Government Owned Contractor Operated (GOCO) entity

  15. Fermilab is an FFRDC • A Federally Funded Research and Development Center. • Federal Acquisition Regulation (FAR) part 35 defines an FFRDC: An FFRDC meets some special long-term research or development need which cannot be met as effectively by existing in-house or contractor resources. FFRDCs are operated, managed, and/or administered by either a university or consortium of universities, other not-for-profit or nonprofit organization, or an industrial firm, as an autonomous organization or as an identifiable separate operating unit of a parent organization.

  16. Fermilab is operated as a GOCO • Fermilab as a facility is Government Owned Contractor Operated (GOCO). • The contractor is Fermi Research Alliance (FRA), an alliance between the University of Chicago and Universities Research Association (URA). • We are not Federal Employees • Our records (employee, financial, legal, etc.) are not the property of the government; they belong to Fermilab.

  17. Computer Security Requirements are in Fermilab’s Contract • There is a contract between FRA and DOE to manage Fermilab. • One of the items specified in that contract is the list of DOE regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office. • The list of regulations in our contract can be seen at: Fermilab Contract • These regulations go through a public review and comment process, RevCom, before being placed in our contract.

  18. Program Cyber Security Plan • One of the orders in our contract with DOE requires us to be in compliance with a document written by the Office of Science, called the Program Cyber Security Plan (PCSP) • The PCSP requires us to be in compliance with a broad range of Federal regulations, seen partially on the next slide.

  19. Some of the Requirements in PCSP: Applicable Standards and Guidance
  Legislation
  • Office of Management and Budget (OMB) Memorandum 03-33, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003.
  • Office of Management and Budget (OMB) Memorandum 99-05, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7, 1999.
  • Public Law 107-347 (44 U.S.C. Ch 36), E-Government Act of 2002, Title III, Information Security, also known as the Federal Information Security Management Act (FISMA) of 2002.
  • Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996.
  • Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act).
  NIST Guidance: Federal Information Processing Standards (FIPS)
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July 2005.
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
  NIST Guidance: Special Publications
  • SP 800-70, The NIST Security Configuration Checklists Program, May 2005.
  • SP 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.
  • SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004).
  • SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
  • SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
  • SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.
  • SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
  • SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.
  • SP 800-30, Risk Management Guide for Information Technology Systems, July 2002.
  • SP 800-26, Rev. 1, NIST DRAFT Special Publication 800-26, Revision 1: Guide for Information Security Program Assessments and System Reporting Form.
  • SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.
  DOE Policy and Guidance
  • Revitalization of the Department of Energy Cyber Security Program (1/2006)
  • Department of Energy Cyber Security Management Program, Order 205.1 (Draft)
  • Department of Energy Cyber Security Management Program (3/21/2003)
  • Notice 205.1-1, Incident Prevention Warning and Response Manual
  • Notice 205.2, Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
  • Notice 205.3, Password Generation, Protection and Use (extended to 9/30/06)
  • Notice 205.4, Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
  • Notice 205.8, Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
  • Notice 205.9, Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
  • Notice 205.10, Cyber Security Requirements for Risk Management (3/18/06)
  • Notice 205.11, Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/18/06)
  • Notice 205.12, Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
  • Notice 205.13, Extension of DOE Directive on Cyber Security (7/6/2004)

  20. PCSP requires a CSPP • The PCSP requires a Cyber Security Program Plan (CSPP) • The CSPP is the framework document for all computer security requirements at the lab. • Computer Security Documents

  21. Monitoring and Audits • To ensure we are complying with all the required computer security regulations, the computer security program is audited several times a year: • Inspector General • DOE/CIO (Chief Information Officer in DOE) • Office of Science in DOE • Safeguards and Security Office in DOE • These audits are in addition to all the other audits at the lab, for example financial, property, physical security, etc. • We get data calls several times each month. • Sometimes it feels like everyone is out to get us…

  22. President’s Management Agenda • In 2001 the White House announced a strategy for improving management of government: President's Management Agenda • One requirement in the PMA is Scorecards for each agency, including DOE. Areas such as computer security are rated as red, yellow or green. The pressure to reach a green score indirectly affects how resources are expended on computer security.

  23. Summary • Constitution -> • Congress makes Statutes -> • Statutes empower agencies to create regulations -> • Regulations are in the Fermi contract with DOE -> • Regulations require compliance with the DOE Program Cyber Security Plan -> • Program Cyber Security Plan requires compliance with a broad range of other government regulations -> • Program Cyber Security Plan requires us to have and follow a Cyber Security Program Plan, which contains our site requirements for computer security • Got it?
