1 Lessons Learned: Certification and Accreditation at LANL
Michael S. Zollinger, DCS-1 Group Leader, Departmental Computing Services Division
LA-UR 09-03039
Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA (UNCLASSIFIED)

2 Background
DOE Secretary Bodman issued a security compliance order (SCO) to Los Alamos National Laboratory in summer 2007
– Requirements had to be met by 12/10/08
– Two of them required certification and accreditation (C&A) of the unclassified and classified computing environments under the NAP 14.1-B and 14.2-B series documents
Existing accredited classified plans had to be reaccredited (~55 System Security Plans (SSPs))
For the first time, 14 unclassified SSPs needed to be accredited

3 Groundwork
From the start there were several daunting challenges
LANL lacked the policy foundation required by the NAPs
– The first several months were spent developing policy
– This was crucial work, which is now being updated
Now required to implement the NAP "C" series documents per our modified contract

4 How to Slice It?
The unclassified environment – what to do? How do you divide it out?
40 square mile campus with several unclassified segments and standalone computers
Computers ranging from electron microscopes and instrumentation cards to high performance computing clusters

5 Compliance Foundation (diagram of the compliance stack: SSP; NAP 14.1-B, 14.2-B; NIST 800-53)

6 NIST 800-53 (diagram: NIST 800-53 with its 17 families of controls; LANL implementation of controls; Institutional Security Requirements (ISR); System Security Plans)

7 Institutional Security Requirements (ISR)
LANL requirements for each SSP:
System must be registered in the computer registration database (Hostmaster), declaring which SSP covers the inventory item
If networked, the system must be scanned by our network scanning tool, and the vulnerabilities reported out
– Systems that contain vulnerabilities deemed critical are blocked at the switch until remediated
Some plans have additional ISRs based on the risk profile for that plan

8 Unclassified Computing System (Site) Security Plans
Standalone Computing
Legacy Computing
R&D Computing
Production Computing

9 Unclassified Production Computing SSP
Scope
Networked systems ranging from printers, laptops, embedded systems, desktops, workstations and servers to compute clusters and high performance compute clusters
Over 30,000 inventory items of this nature across all unclassified networks
Key Features
Production Onsite Class – on LANL property only
– 9 operating systems, vendor or user community supported with security-related patches
Production Mobile Class
– 7 operating systems, vendor or user community supported with security-related patches
– May leave LANL property at times and may connect through a 3rd-party ISP and the VPN service to LANL networks
Must pass network scans for vulnerabilities
Must be registered in the Hostmaster registration database

10 Unclassified Research and Development Computing
Scope
Networked systems ranging from laptops, embedded systems, desktops, workstations, servers and compute clusters to control systems, data acquisition systems, scientific instruments and instrumentation, etc.
Key Features
9 operating systems
Customized and modified operating systems
Must implement an engineered control to protect other networked devices from the unknown nature of the system while still allowing network scans for vulnerabilities
May not use wireless in any capacity
May not leave an approved LANL location without CSSM approval
Must be registered in the Hostmaster database

11 Unclassified Legacy Computing
Scope
Laptops, desktops, workstations and servers running approved operating systems that are no longer supported by the vendor or user community with security-related updates and patches
Key Features
May not leave LANL property or approved remote locations without advance approval from the CSSM
4 approved operating systems
Must implement an engineered control to protect the network from the vulnerabilities the system possesses while still allowing scanning for vulnerabilities
May never have wireless
Must be registered in the Hostmaster database
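The ISR checks on slide 7 (Hostmaster registration, network scan, block at the switch on critical findings) and the engineered-control requirement for R&D and Legacy systems on slides 10 and 11 are mechanical enough to automate as a join between the registration database and the scanner output. The script below is an added example, not LANL code: the Hostmaster export columns, the scanner CSV columns, the plan labels, the severity label that triggers a block, and every host address and finding are assumptions constructed for illustration.

```python
"""Added example (not LANL code): evaluate ISR-style compliance for networked hosts.

Inputs are two constructed CSV exports:
  * a Hostmaster-style registration list (ip, hostname, plan, engineered_control)
  * a vulnerability-scanner finding list (ip, plugin_id, name, severity)
plus the set of addresses the scan actually reached. Column names, plan labels
and every host below are assumptions made for this example.
"""
import csv
import io

# Plans whose systems must sit behind an engineered control (slides 10 and 11).
PLANS_NEEDING_ENGINEERED_CONTROL = {"rnd", "legacy"}
# Plans whose systems are networked and therefore must be scanned (slide 7).
NETWORKED_PLANS = {"production", "rnd", "legacy"}
# Scanner severity that triggers a block at the switch until remediated (slide 7).
BLOCKING_SEVERITY = "critical"

# Constructed registration export; not real inventory.
HOSTMASTER_CSV = """ip,hostname,plan,engineered_control
10.1.0.10,ws-chem-01,production,no
10.1.0.11,ws-chem-02,production,no
10.1.0.20,daq-beamline,rnd,yes
10.1.0.21,sem-controller,legacy,no
10.1.0.30,cluster-head,production,no
10.1.0.40,field-laptop,standalone,no
"""

# Constructed scanner export; not real scan output.
SCAN_CSV = """ip,plugin_id,name,severity
10.1.0.10,10001,outdated ssh server,high
10.1.0.11,10002,remote code execution in web service,critical
10.1.0.11,10001,outdated ssh server,high
10.1.0.20,10003,default snmp community,medium
10.1.0.30,10004,banner disclosure,low
10.1.0.99,10002,remote code execution in web service,critical
"""

# Addresses the scanner could reach; a clean host appears here with no findings.
SCANNED_IPS = {"10.1.0.10", "10.1.0.11", "10.1.0.20", "10.1.0.30", "10.1.0.99"}


def load_registrations(text):
    """Map ip -> registration record, normalising the yes/no control flag."""
    regs = {}
    for row in csv.DictReader(io.StringIO(text)):
        regs[row["ip"]] = {
            "hostname": row["hostname"],
            "plan": row["plan"].strip().lower(),
            "engineered_control": row["engineered_control"].strip().lower() == "yes",
        }
    return regs


def load_findings(text):
    """Map ip -> set of finding severities (lower-cased)."""
    sev = {}
    for row in csv.DictReader(io.StringIO(text)):
        sev.setdefault(row["ip"], set()).add(row["severity"].strip().lower())
    return sev


def evaluate(registrations, severities, scanned_ips):
    """Return {ip: sorted list of ISR issues}; an empty list means compliant."""
    results = {}
    for ip in sorted(set(registrations) | set(scanned_ips)):
        issues = []
        reg = registrations.get(ip)
        if reg is None:
            # Seen on the network but absent from Hostmaster: no SSP covers it.
            issues.append("not_registered")
        else:
            if reg["plan"] in PLANS_NEEDING_ENGINEERED_CONTROL and not reg["engineered_control"]:
                issues.append("missing_engineered_control")
            if reg["plan"] in NETWORKED_PLANS and ip not in scanned_ips:
                # The engineered control must still let the scanner through.
                issues.append("not_scanned")
        found = severities.get(ip, set())
        if BLOCKING_SEVERITY in found:
            issues.append("block_at_switch")
        elif found:
            issues.append("remediate")
        results[ip] = sorted(issues)
    return results


def switch_block_list(results):
    """Addresses that go to the switch ACL until the critical finding is fixed."""
    return sorted(ip for ip, issues in results.items() if "block_at_switch" in issues)


def run():
    regs = load_registrations(HOSTMASTER_CSV)
    return evaluate(regs, load_findings(SCAN_CSV), SCANNED_IPS)


if __name__ == "__main__":
    report = run()
    for ip, issues in report.items():
        print(f"{ip:12} {', '.join(issues) or 'compliant'}")
    print("block at switch:", switch_block_list(report))
```

Two points the sample data is chosen to exercise: the legacy host that the scanner never reached is flagged twice, because a legacy system with no engineered control and no scan result is out of compliance on both counts; and the unregistered 10.1.0.99 lands on the block list because of its critical finding, not merely because it is unregistered, since the slide only states the block rule for critical vulnerabilities. The standalone laptop is never scanned and raises nothing, matching the slide-12 plan where standalone systems are off the institutional network.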

12 Unclassified Standalone Computing
Scope
Wide variety of computers ranging from laptops and servers to scientific instrumentation, located on LANL property and at collaborative locations throughout the world
Key Features
Must receive approval to operate via a signed enclosure
Must be subject to audit every 90 days
Must be approved annually
Three classes of systems:
– Pure standalone
– Standalone LAN – not connected to any institutional network, but may be connected to other systems in a standalone island
– Standalone VPN – never connects directly to the institutional networks through any means other than the central VPN service
Operating system agnostic
Most problematic SSP to manage

13 Challenges
LANL has incurred a significant mortgage
Maintenance cost is high
Must fund most new requirements from existing funding streams
Portfolio management underway

14 Future
NAP "C" series documents are now in our contract and are being addressed
Implementation plan and schedule are being developed
Hard work underway to integrate CAP solutions

15 Lessons Learned
Defining the accreditation boundary is extremely important
A good working relationship with the DOE Site Office is crucial
– LANL is very fortunate in this case
Frequent meetings with DOE are important to make sure everyone is on the same page

16 Lessons Learned – cont.
Education, education, education
– No matter how often we briefed people on the accreditation process and the ensuing requirements, it didn't penetrate
Start early and keep in mind the mortgage
Keep aspirin nearby

17 Questions

18 Contact Information: msz@lanl.gov
