1 Lawrence Livermore National Laboratory LLNL NAPs Implementation Project NLIT 2009 Mark Dietrich, LLNL LLNL-PRES

2 NNSA Policies are driving dramatic changes Background NAPs alive since 2003 Some iterations and pushback C-versions in late 2007 LLNL Gap Analysis done early 2008 HSS audit used NAPs vision 2008 LLNL plan and revisions submitted to LSO 9/08, 1/09, 4/09 Formal project opened 3/09 What’s NAP? NNSA Policy Letters: NAP 14.1-C, NNSA Baseline Cyber Security Program NAP 14.2-C, NNSA C&A Process for Information Systems Impact Full compliance: years away Good faith effort | steady progress Culture changes Risk and high stakes Goal Make all cyber operations compliant with NAPs by September 30, 2012 LLNL-PRES

3 Broad impacting scope and strategy Strategy Establish project team Develop project plan that Programs and institutional organizations can accept Use project team (and tools) to coordinate efforts of the PADs Implement centralized core services to reduce cost of NAP compliance Create standard configurations based on national standards Build a Site Security Configuration Library to track configuration standards Convert plans, policies and procedures to be NAP compliant New requirements New security plan formats Security configuration standards Stronger risk assessments Contingency plans for each systems Business Impact Assessments Centralization of classified systems Up to 330 controls per system/service Restricting local administrative rights Overhaul of all computer security policies Integrate cyber security with the Lab’s emergency procedures LLNL-PRES

4 Project Approach Integration Integrate many plans into one Integrate services at the institution level into a single plan Subsume existing similar plans Consolidation Phasing the Approach Consolidate similar plans into broader site-wide plans Document differences in sub-plans Sub-plans inherit security policies from their parent plans Project Approach Formalization, structured Led by an experienced PMP Broad reach across the enterprise Reporting and accountability Deliverables and milestones Starting with the site-wide plans Subordinate/program plans follow using well-crafted templates for plans and test plans Classified plans to follow to apply valuable lessons learned from unclas LLNL-PRES

5 SharePoint used intensively for Project Management Lists in Use Plans Deadlines Calendar Comms Plan Families NAP controls Strategies Subgroup tracking Lessons learned captures Risk Register Meeting workspaces For project meetings Standing agenda items: Issue Log check Tasks check Plans statusing Posting minutes Recording decisions Planning agenda items well in advance LLNL-PRES

6 The Plans lifecycle has been created and socialized  Plan development/review is a 9-month process  Urgency of NAPs Implementation requires compressing 9 months into 5-6 months for unclassified plans LLNL-PRES

7 Document flowdown Requirement LLNL Policy Procedure ST&E NAP 14.1 NAP 14.1 NAP 14.2 NAP 14.2 SPP ISSP Information system accreditation method SPP IM-2 SPP IM-2 SPP IM-3 SPP IM-3 STE-2 STE-3 Local CSPP SPP IM-1 SPP IM-1 STE-1 SPP IM-1 SPP IM-1 STE-1 Central policy catalog LLNL-PRES

8 SPP (Security Plan Policy) and SSCL (Site Security Configuration Library) SSCL The SSCL will be used in all security plans Each entry has: Approved configuration Security test script Listing of NAP controls met by each component Process development and prototyping underway Stores authorizations basis, configuration of controls and test tools for all components Ensures NAP-compliance based on NIST, NSA, DISA, CIS and other national standards SPP Key document generated at the institution level Lists for every 14-2.C control: Policy (the NAP text) Supplemental guidance Enhancements Implementation “Dash-One” & “Dash-Two” Potential assessment methods Examine, interview, test measures From this derives a plan’s ST&E LLNL-PRES

9 Lawrence Livermore National Laboratory LLNL NAPs Implementation Project NLIT 2009 Mark Dietrich, LLNL LLNL-PRES