Computing Division Role in “responsibility” for DOE Orders
Vicky White, 26-Feb-2008

Computing Division Responsibilities
  – DOE Orders
  – DOE datacalls
  – External requests (Counterintelligence, incident reporting, …)
Orders in contract

The contract lists the following orders (the same table was shown on several slides, each with one callout; the callouts are given here as notes under the order they refer to):

  Information management Program, 9/30/96
    – This is a general order about documents and records, not specifically a Computing Division responsibility. The order is in revision with more of a broad IT and computing emphasis.
  N203.1 Software Quality Assurance, 10/02/00 – EXPIRED but still in effect
    – This order has expired but is apparently still in effect.
  Dept of Energy Cyber Security management program, 3/21/03
    – This has been superseded by 205.1A; the contract should be corrected.

  The following orders have all either been explicitly cancelled or have expired and are no longer in effect; they should be removed from the contract:
  Media sanitization manual, 6/26/05 – CANCELLED
  N205.2 Foreign national Access to DOE Cyber Systems, 11/1/99
  N205.3 Password generation, protection and use, 11/23/99
  N205.8 Cyber Security Requirements for wireless devices and information systems, 2/11/04
  N205.9 C&A of information systems, 2/19/04
  N Cyber Security Requirements for risk management, 2/19/04
  N Security requirements for remote access to DOE information tech systems, 2/19/04

  O475.1 Counterintelligence Program
Actual Orders

  N203.1 Software Quality Assurance, 10/02/00 – EXPIRED but still in effect
    – The order states: “Basic Research Activities. The requirements of this Notice are not mandatory for basic scientific research and development activities conducted to support the Office of Science mission”; so this order primarily applies to “business” and financial software, most of which is well audited but lacking a formal software quality assurance program.
  Dept of Energy Cyber Security management program, 3/21/03
    – Fully developed program, thoroughly audited, in complete compliance.
  O475.1 Counterintelligence Program
    – The CI Site Support Plan has a large effect on CD (explained later).
PCSP Requirements

Cyber Security Order 205.1A -> Office of Science PCSP -> Fermilab CSPP -> ST&E -> Authority to Operate from the DAA (Joanna Livengood).

The Office of Science PCSP incorporates a long list of legislation, NIST documents, and OMB memos (and hence they are incorporated into O205.1A):

  – P.L. Government Management Reform Act of 1994 (October 13, 1994).
  – P.L. Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA) (October 1, 1996).
  – P.L. Electronic Freedom of Information Act (e-FOIA) (October 2, 1996).
  – P.L. Title III, Federal Information Security Management Act of 2002 (FISMA) (December 17, 2002).
  – P.L. Privacy Act of 1974, as amended [Title 5 United States Code (U.S.C.) Section 552a] (December 31, 1974).
  – P.L. Trade Secrets Act (18 U.S.C. section 1905) (January 22, 2002).
  – P.L. Federal Managers' Financial Integrity Act of 1982 (FMFIA) (September 8, 1982).
  – P.L. Computer Fraud and Abuse Act (18 U.S.C. section 1030) (October ).
  – P.L. Electronic Communications Privacy Act of 1986 (October 21, 1986).
  – P.L. Computer Security Act of 1987 (January 8, 1988).
  – P.L. Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996) (February 10, 1996).
  – OMB Circular A-123 Management Accountability and Control (August 4, 1986), revised (Dec 21, 2004).
  – OMB Circular A-130 Appendix III Security of Federal Automated Information Resources (November 2003).
  – OMB Memorandum M-96-20 Implementation of the Information Technology Management Reform Act of 1996 (April 4, 1996).
  – OMB Memorandum M-97-02 Funding Information Systems Investments (October 25, 1996).
  – OMB Memorandum M-99-05 Instructions for Complying With The President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records" (January 7, 1990).
  – OMB Memorandum M-99-18 Privacy Policies on Federal Web Sites (June 2, 1999).
  – OMB Memorandum M-99-20 Security of Federal Automated Information Resources (June 23, 1999).
  – OMB Memorandum M-00-07 Incorporating and Funding Security in Information Systems Investments (February 28, 2000).
  – OMB Memorandum M-00-10 OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act (April 25, 2000).
  – OMB Memorandum M-00-13 Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000).
  – OMB Memorandum M OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act (September 25, 2000).
  – OMB Memorandum M-01-05 Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy (December 20, 2000).
  – OMB Memorandum M-01-08 Guidance On Implementing the Government Information Security Reform Act (January 16, 2001).
  – OMB Memorandum M-01-26 Component-Level Audits (July 10, 2001).
  – OMB Memorandum M-03-22 OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 30, 2003).
  – OMB Memorandum M-04-04 E-Authentication Guidance (December 16, 2003).
  – OMB Memorandum M-04-25 FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006).
  – OMB Memorandum M-04-26 Personal Use Policies and "File Sharing" Technology (September 8, 2004).
  – OMB Memorandum M-05-02 Financial Management Systems (December 1, 2004).
  – OMB Memorandum M-05-04 Policies for Federal Agency Public Websites (December 17, 2004).
  – OMB Memorandum M-05-08 Designation of Senior Agency Officials for Privacy (February 11, 2005).
  – OMB Memorandum M-06-15 Safeguarding Personally Identifiable Information (May 22, 2006).
  – OMB Memorandum M-06-16 Protection of Sensitive Agency Information (June 23, 2006).
  – OMB Memorandum M-06-19 Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006).
  – NIST Federal Information Processing Standard (FIPS) Personal Identity Verification (PIV) of Federal Employees and Contractors (March 2006).
  – NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems (March 2006).
  – NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems (February 2004).
  – NIST FIPS 142-2 Security requirements for Cryptographic Modules (May 2001).
  – NIST Special Publication (SP) Guide to Computer Security Log Management (September 2006).
  – NIST SP Guidelines for Media Sanitization (September 2006).
  – NIST SP Guide to Malware Incident Prevention and Handling (November 2005).
  – NIST SP, Rev. 1 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006).
  – NIST SP The NIST Security Configuration Checklists Program (May 2005).
  – NIST SP Integrating Security into the Capital Planning and Investment Control Process (January 2005).
  – NIST SP Security Considerations in the Information System Development Life Cycle, Revision 1 (June 2004).
  – NIST SP Computer Security Incident Handling Guide (January 2004).
  – NIST SP Guide for Mapping Types of Information and Information Systems to Security Categories (June 2004).
  – NIST SP Security Metrics Guide for Information Technology Systems (July 2003).
  – NIST SP A Guide for Assessing the Security Controls in Federal Information Systems (April 2006).
  – NIST SP, Rev. 1 Recommended Security Controls for Federal Information Systems (December 2006).
  – NIST SP Building an Information Security Awareness and Training Program (October 2003).
  – NIST SP Wireless Network Security: , Bluetooth, and Handheld Devices (November 2002).
  – NIST SP Security Guide for Interconnecting Information Technology Systems (August 2002).
  – NIST SP Guide for the Security Certification and Accreditation of Federal Information Systems (May 2004).
  – NIST SP Contingency Planning Guide for Information Technology Systems (June 2002).
  – NIST SP Risk Management Guide for Information Technology Systems (July 2002).
  – NIST SP, Rev. 1 Guide for Information Security Program Assessments and System Reporting Form (November 2001).
  – NIST SP, Rev. 1 Guide for Developing Security Plans for Federal Information Systems (February 2006).
  – DOE P 205.1 Departmental Cyber Security Management Policy (May 8, 2001).
  – DOE O 205.1A Department of Energy Cyber Security Management Program (December 4, 2006).
  – DOE Cooperation with the Office of Inspector General (March 22, 2001).
  – DOE P 226.1 Department of Energy Oversight Policy (June 10, 2005).
  – DOE Implementation of Department of Energy Oversight Policy (September 15, 2005).
  – DOE P 470.1 Integrated Safeguards and Security Management (ISSM) Policy (May 8, 2001).
  – DOE B Independent Oversight and Performance Assurance Program (October 31, 2002).
  – DOE Identification and Protection of Unclassified Controlled Nuclear Information (June 30, 2000).
  – DOE Safeguards and Security Program (August 26, 2005).
  – DOE Counterintelligence Program (February 10, 2004).
  – Executive Order (E.O.) Naval Nuclear Propulsion Program (February 1, 1982).
  – E.O. Classified National Security Information (April 17, 1995).
  – E.O. Critical Infrastructure Identification, Prioritization, and Protection (December 17, 2003).
  – E.O. Federal Information Technology (July 17, 1996).
  – E.O. Establishing the Office of Homeland Security and the Homeland Security Council (October 8, 2001).
  – Homeland Security Presidential Directive (HSPD) 7 Critical Infrastructure Identification, Prioritization, and Protection (December 17, 2003).
  – HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors (August 27, 2004).
Other Orders

DOE M Chg 1 (Manual, 08/26/2005, HS), Information Security: “This Manual establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or Department of Energy directives. Section E, Technical Surveillance Countermeasures Program, is Official Use Only. Please contact the DOE Office of Health, Safety and Security at if your official duties require you to have access to this part of the directive.”
  – This is a 135-page manual with all but 1 page devoted to classified information; the 1 page says we need to treat OUO information according to the DOE OUO order (we are likely not in full compliance with the OUO order, as we do not have lab-wide training or procedures for handling OUO).
  – CD leads the lab's Information Categorization Committee, which developed the PII policies and procedures and meets on an ongoing basis (as part of assurance). This committee will have to handle OUO and training issues eventually.

DOE N (Notice, 10/09/2007, MA), Response and Notification Procedures for Data Breaches Involving Personally Identifiable Information: this requires prompt reporting of suspected or actual loss of PII.
  – Our lab-wide policy is in full compliance. CD handles reporting as for cyber security incidents.

DOE O (Order, 06/18/2004, HS), Unclassified Foreign Visits and Assignments:
  – This order is primarily about physical visits by foreign nationals.
  – Occasional language might lead you to suspect that the same requirements (background checks, visa checks, etc.) also apply to remote cyber access, but the requirements clearly do not apply (yet!) and are superseded by the access requirements defined in the PCSP.
Compliance: Audits, Reviews, etc.

  IG audits
  Office of Independent Assessment visits (with or without Office of Science/DOE OCIO partnership)
    – Site Assist Visit
    – Red team and penetration testing
  ST&E (System Test and Evaluation) reviews
    – Through DOE-Chicago
    – By an external firm (Onpoint)
  Internal processes (specified in our CSPP) for ongoing internal reviews of all parts of our cyber program
    – Some simply part of the ongoing process
    – Some to assure compliance (such as scanning, reviews of AV, much else)
  Training (also part of compliance with our CSPP)
  Authority to Operate signed by the DOE site office (DAA)
DOE Datacalls

We get frequent datacalls from DOE which are not specified in the contract but are clearly related to the DOE orders and the CSPP; they are quite onerous and time consuming:
  – Quarterly FISMA Report
  – Quarterly POA&M Report
  – Site AV Software Report
  – Site Connectivity Datacall (OMB)
  – Site Connectivity Datacall (DOE)
  – Quarterly Privacy Report
  – Quarterly Cyber Security Report Card
  – OMB Compliance Datacalls (various)

We participate in working groups (through SLCCC) and other related working groups and comment on proposed new orders, manuals, policies, etc. (often in an attempt to head off overly prescriptive mandates):
  – Requests for Document Comments
  – Oracle and other software Products Inventory calls
  – CSWG Participation
  – PCSP Workgroup
  – SCMS Workshop
  – Ad-hoc working groups of SLCCC to review docs/propose docs/work with the OCIO office
Other external reporting (CSPP related)

The Fermi Computer Security Coordinator must respond to frequent requests for information and reports (again, not strictly in the contract):
  – Send incident reports to CIAC, CI and the IG noting the incident details, remediation and site impact. These incident reports are generated during a FIRE. Frequency is ~6/year.
  – Send Negative Reports to CIAC. These reports acknowledge to CIAC, on a monthly basis, that there are no unreported incidents for the prior month. Note that this Negative Report is submitted even if an incident occurred during the reporting month. Frequency is 1/month.
  – Investigate CIAC Heads-Up notices and respond if any compromises are found. The Heads-Up notices contain an array of information ranging from upcoming threats to details of malicious activity or IP addresses to look for. Frequency is ~2-3/week.
  – Investigate and respond to CIAC-generated tickets concerning interesting traffic or potentially compromised machines. These CIAC tickets are usually created by either US-CERT notices or the FNAL CPP data feeds to CIAC. Frequency is ~1 every 6 months under normal circumstances, and increases to 2-3/week when a new potential threat is discovered, until the false positives can be identified.

External Reporting (O475.1 related)

  – Investigate and respond to Counter Intelligence (CI) user data requests. These requests are formally made through Bruce Chrisman and are either one-time information snapshots or ongoing data gathering. They typically include identifying the primary resources accessed by an individual for a specific period of time (or ongoing), snapshots or ongoing captures of electronic communications, and disk images of non-shared resources. Frequency is ~1 snapshot request every 2 weeks, and 1-2/week of ongoing captures.
  – Investigate and respond to Counter Intelligence (CI) compromised machine reports. These reports are generated from FNAL CPP data sent to the OAC. The reports often contain FNAL machines that engaged in some communication with interesting Internet hosts. Frequency is ~1-2/week, with almost all cases resulting in false positives.

External reporting (3)

  – Investigate and respond to Counter Intelligence (CI) Heads-Up notices. These notices are generated from CI community intelligence reports and first-hand experience of recent attack vectors. Frequency is ~1-2/week; a notice does not imply a compromise at FNAL, but rather a heads-up that, given certain circumstances, there may be compromised machines, or a compromise is possible.
  – Respond to Counter Intelligence foreign travel requests. On rare occasions, CI may request that all persons traveling abroad have their hard drives imaged before and after their trip. Frequency is sporadic, with the actual work encompassing many individuals in a single request, requiring an emergency purchase of hard drives to fulfill the request, along with many hours of HDD duplication effort.

External reporting (4)

  – Investigate and respond to law enforcement. Under normal circumstances, law enforcement (e.g. FBI) works with CI to communicate with FNAL. Once the initial communication is established, communications directly between FNAL and law enforcement may continue. This relationship may develop through a FNAL-reported compromise where law enforcement is requesting a copy of the compromised disk drive, or from interesting user activities about which law enforcement is concerned. Frequency is ~1/6 months. (Presumably this is not under any specific DOE order, but we are required to do this under federal law?)
In the works: DOE O 200.1A, INFORMATION TECHNOLOGY MANAGEMENT
  – SLCC has provided extensive comments in RevCom on this proposed new order and also provided a suggested rewrite of the CRD for this revised order.
  – (SLCC did not like this order at all.)