Lessons Learned: Certification and Accreditation at LANL
Michael S. Zollinger
DCS-1 Group Leader
Departmental Computing Services Division
LA-UR 09-03039

Background
• DOE Secretary Bodman issues security compliance order (SCO) to Los Alamos National Laboratory in Summer 2007
• Requirements that had to be met by 12/10/08
• 2 of them required certification and accreditation (C&A) of the unclassified and classified computing environments under the NAP - 14.1-B, 14.2-B series documents
• Existing accredited classified plans had to be reaccredited (~55 System Security Plans (SSPs))
• For the first time, 14 unclassified SSPs needed to be accredited

Groundwork
• From the start there were several daunting challenges
• LANL lacked the policy foundation required by the NAPs
• First several months of time were spent developing policy
• This was very crucial work which is now being updated
• Now required to implement the NAP “C” series documents per our modified contract

How to Slice it?
• The unclassified – what to do, what to do?
• How do you divide this out?
• 40 square mile campus with several unclassified segments and standalone computers
• Computers ranging from electron microscopes, instrumentation cards, to high performance computing clusters

Institutional Security Requirements (ISR)
• LANL requirements for each SSP
• System must be registered in the computer registration database (Hostmaster), declaring the SSP that covers the inventory item
• If networked, system must be scanned by our network scanning tool, which reports out the vulnerabilities
• Systems that contain vulnerabilities that are deemed critical are blocked at the switch until remediated
• Some plans have additional ISRs based on the risk profile for that plan

Unclassified Production Computing SSP
• Scope
  • Networked systems ranging from printers, laptops, embedded systems, desktops, workstations, servers, compute clusters, high performance compute clusters
  • Over 30,000 inventory items of this nature across all spectrums of unclassified networks
• Key Features
  • Production Onsite Class – on LANL property only
  • 9 operating systems – vendor or user community supported with security related patches
  • Production Mobile Class
  • 7 operating systems – vendor or user community supported with security related patches
  • May leave LANL property at times and may connect through 3rd party ISP and VPN service to networks
  • Must pass network scans for vulnerabilities
  • Must be registered in Hostmaster registration database

Unclassified Research and Development Computing
• Scope
  • Networked systems ranging from laptops, embedded systems, desktops, workstations, servers, compute clusters, controls systems, data acquisition systems, scientific instruments and instrumentation, etc.
• Key Features
  • 9 operating systems
  • Customized and modified operating systems
  • Must implement an engineered control to protect other networked devices from the unknown nature of the system and still allow network scans for vulnerabilities
  • May not use wireless in any capacity
  • May not leave an approved LANL location without CSSM approval
  • Must be registered in Hostmaster database

Unclassified Legacy Computing
• Scope
  • Laptops, desktops, workstations and servers running approved operating systems that are no longer supported by vendor or user community with security related updates and patches
• Key Features
  • May not leave LANL property or approved remote locations without approval from CSSM in advance
  • 4 approved operating systems
  • Must implement an engineered control to protect the network from the vulnerabilities that it possesses and still allow scanning for vulnerabilities
  • May never have wireless
  • Must be registered in Hostmaster database

Unclassified Standalone Computing
• Scope
  • Wide variety of computers ranging from laptops and servers, to scientific instrumentation. Located on LANL property and at collaborative locations throughout the world
• Key Features
  • Must receive approval to operate via a signed enclosure
  • Must be subject to audit every 90 days
  • Must be approved annually
  • Three classes of systems
  • Pure standalone
  • Standalone LAN – not connected to any institutional network, but may be connected to other systems in a standalone island
  • Standalone VPN – never connect directly to the institutional networks through any means other than central VPN service
  • Operating system agnostic
  • Most problematic SSP to manage

Challenges
• LANL has incurred a significant mortgage
• Maintenance cost is high
• Must fund most new requirements from existing funding streams
• Portfolio management underway

Future
• NAPs “C” series are now in our contract and are being addressed
• Implementation plan and schedule are being developed
• Hard work underway to integrate CAP solutions

Lessons Learned
• Defining accreditation boundary is extremely important
• Good working relationship with DOE Site Office is crucial
• LANL is very fortunate in this case
• Frequent meetings with DOE are important to make sure everyone is on the same page

Lessons Learned – cont.
• Education, education, education
• No matter how often we briefed people on the accreditation process and the ensuing requirements, it didn’t penetrate
• Start early and keep in mind the mortgage
• Keep aspirin nearby

Contact Information
msz@lanl.gov