Computing Division Role in “responsibility” for DOE Orders Vicky White 26-Feb-2008
Computing Division Responsibilities • DOE Orders • DOE datacalls • External requests (Counterintelligence, incident reporting, …)
Orders in contract
• 200.1 Information Management Program 9/30/96
  • This is a general order about documents and records, not specifically a Computing Division responsibility. The order is in revision with more of a broad IT and computing emphasis.
• N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect
  • This order has expired but is apparently still in effect.
• 205.1 Dept of Energy Cyber Security Management Program 3/21/03
  • This has been superseded by 205.1A; the contract should be corrected.
• The following have all either been explicitly cancelled or have expired and are no longer in effect; they should be removed from the contract:
  • Manual 205.1-2 Media Sanitization 6/26/05 CANCELLED
  • N205.2 Foreign National Access to DOE Cyber Systems 11/1/99
  • N205.3 Password Generation, Protection and Use 11/23/99
  • N205.8 Cyber Security Requirements for Wireless Devices and Information Systems 2/11/04
  • N205.9 C&A of Information Systems 2/19/04
  • N205.10 Cyber Security Requirements for Risk Management 2/19/04
  • N205.11 Security Requirements for Remote Access to DOE Information Technology Systems 2/19/04
• O475.1 Counterintelligence Program
Actual Orders
• N203.1 Software Quality Assurance 10/02/00 EXPIRED but still in effect
  • The order states: "Basic Research Activities. The requirements of this Notice are not mandatory for basic scientific research and development activities conducted to support the Office of Science mission"; so this order primarily applies to "business" and financial software, most of which is well audited but lacks a formal software quality assurance program.
• 205.1A Dept of Energy Cyber Security Management Program 3/21/03
  • Fully developed program, thoroughly audited, in complete compliance
• O475.1 Counterintelligence Program
  • The CI Site Support Plan has a large effect on CD (explained later)
PCSP Requirements
• Cyber Security Order 205.1A -> Office of Science PCSP (Program Cyber Security Plan; a long list of legislation, NIST documents, and OMB memos is incorporated into the PCSP, and hence into O205.1A) -> Fermilab CSPP -> ST&E -> Authority to Operate from the DAA (Designated Approving Authority, Joanna Livengood)
Other Orders
• DOE M 470.4-4 Chg 1 (Manual, 08/26/2005, HS) Information Security: This Manual establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Section E, Technical Surveillance Countermeasures Program, is Official Use Only. Please contact the DOE Office of Health, Safety and Security at 301-903-0292 if your official duties require you to have access to this part of the directive.
  • This is a 135-page manual with all but one page devoted to classified information; the remaining page says we need to treat OUO (Official Use Only) information according to the DOE OUO order (we are likely not in full compliance with the OUO order, as we do not have lab-wide training or procedures for handling OUO).
  • CD leads the lab's Information Categorization Committee, which developed the PII policies and procedures and meets on an ongoing basis (as part of assurance). This committee will eventually have to handle OUO and training issues.
Other Orders
• DOE N 206.5 (Notice, 10/09/2007, MA) Response and Notification Procedures for Data Breaches Involving Personally Identifiable Information: this requires prompt reporting of suspected or actual loss of PII.
  • Our lab-wide policy is in full compliance. CD handles reporting as it does for cyber security incidents.
Other Orders
• DOE O 142.3 (Order, 06/18/2004, HS) Unclassified Foreign Visits and Assignments:
  • This order is primarily about physical visits by foreign nationals.
  • Occasional language might lead you to suspect that the same requirements (background checks, visa checks, etc.) also apply to remote cyber access, but the requirements clearly do not apply (yet!) and are superseded by the access requirements defined in the PCSP.
Compliance: Audits, Reviews, etc.
• IG audits
• Office of Independent Assessment visits (with or without Office of Science/DOE OCIO partnership)
  • Site Assist Visit
  • Red team and penetration testing
• ST&E (Security Test and Evaluation) reviews
  • Through DOE-Chicago
  • By an external firm (Onpoint)
• Internal processes (specified in our CSPP) for ongoing internal reviews of all parts of our cyber program
  • Some are simply part of the ongoing process
  • Some are there to assure compliance (such as scanning, reviews of AV, and much else)
• Training (also part of compliance with our CSPP)
• Authority to Operate signed by the DOE site office (DAA)
DOE Datacalls
• We get frequent datacalls from DOE which are not specified in the contract but are clearly related to the DOE orders and the CSPP; these are quite onerous and time consuming:
  • Quarterly FISMA Report
  • Quarterly POA&M Report
  • Site AV Software Report
  • Site Connectivity Datacall (OMB)
  • Site Connectivity Datacall (DOE)
  • Quarterly Privacy Report
  • Quarterly Cyber Security Report Card
  • OMB Compliance Datacalls (various)
  • Oracle and other software product inventory calls
• We participate in working groups (through the SLCCC) and other related working groups and comment on proposed new orders, manuals, policies, etc. (often in an attempt to head off overly prescriptive mandates):
  • Requests for document comments
  • CSWG participation
  • PCSP Workgroup
  • SCMS Workshop
  • Ad-hoc working groups of the SLCCC to review docs, propose docs, and work with the OCIO office
Other external reporting (CSPP related)
• The Fermi Computer Security Coordinator must respond to frequent requests for information and reports (again, not strictly in the contract):
  • Send incident reports to CIAC, CI and the IG noting the incident details, remediation and site impact. These incident reports are generated during a FIRE. Frequency is ~6/year.
  • Send Negative Reports to CIAC. These reports acknowledge to CIAC, on a monthly basis, that there are no unreported incidents for the prior month. Note that this Negative Report is submitted even if an incident occurred during the reporting month. Frequency is 1/month.
  • Investigate CIAC Heads-Up notices and respond if any compromises are found. The Heads-Up notices contain an array of information ranging from upcoming threats to details of malicious activity or IP addresses to look for. Frequency is ~2-3/week.
  • Investigate and respond to CIAC-generated tickets concerning interesting traffic or potentially compromised machines. These CIAC tickets are usually created from either US-CERT notices or the FNAL CPP data feeds to CIAC. Frequency is ~1 every 6 months under normal circumstances, and increases to 2-3/week when a new potential threat is discovered, until the false positives can be identified.
External Reporting (O475.1 related)
• Investigate and respond to Counterintelligence (CI) user data requests. These requests are formally made through Bruce Chrisman and are either one-time information snapshots or ongoing data gathering. They typically include identifying the primary resources accessed by an individual for a specific period of time (or ongoing), snapshots or ongoing captures of electronic communications, and disk images of non-shared resources. Frequency is ~1 snapshot request every 2 weeks, and 1-2/week of ongoing captures.
• Investigate and respond to Counterintelligence (CI) compromised-machine reports. These reports are generated from FNAL CPP data sent to the OAC. The reports often contain FNAL machines that engaged in some communication with interesting Internet hosts. Frequency is ~1-2/week, with almost all cases resulting in false positives.
External reporting (3)
• Investigate and respond to Counterintelligence (CI) Heads-Up notices. These notices are generated from CI community intelligence reports and first-hand experience of recent attack vectors. Frequency is ~1-2/week. A notice does not imply a compromise at FNAL, but rather a heads-up that, given certain circumstances, there may be compromised machines or a compromise is possible.
• Respond to Counterintelligence foreign travel requests. On rare occasions, CI may request that all persons traveling abroad have their hard drives imaged before and after their trip. Frequency is sporadic, but a single request can cover many individuals, requiring an emergency purchase of hard drives to fulfill it along with many hours of HDD duplication effort.
External reporting (4)
• Investigate and respond to law enforcement. Under normal circumstances, law enforcement (e.g. the FBI) works with CI to communicate with FNAL. Once the initial communication is established, communications directly between FNAL and law enforcement may continue. This relationship may develop from an FNAL-reported compromise where law enforcement requests a copy of the compromised disk drive, or from interesting user activities about which law enforcement is concerned. Frequency is ~1/6 months. (Presumably this is not under any specific DOE order, but we are required to do this under federal law?)
200.1A (in the works)
• DOE O 200.1A, INFORMATION TECHNOLOGY MANAGEMENT
• SLCC has provided extensive comments in RevCom on this proposed new order and also provided a suggested rewrite of the CRD for this revised order.
• (SLCC did not like this order at all)