Summary of Order

Status: In contract, 06-DEC-11

The purpose of 205.1B is to establish requirements for a Cyber Security Program that protects information and information systems. Under this order, the program must use a Risk Management Approach that uses analysis of threats and risks to make risk-based decisions that consider not only security but cost and mission effectiveness. This order also requires assurance systems so that appropriate oversight can monitor the risk evaluation and protection processes.

LBNL Implementation

Each numbered item below lists the clause of 205.1B, the LBNL implementation, the assurance systems that demonstrate it, and the status (✓ = implemented).

1. Clause: The contractor is responsible for assessing and managing risk within its environment, in the context of acceptable mission risk set collaboratively with the Federal Site Manager.
   Implementation: This is a continuous activity of the cyber program. Annually, the CIO and Site Manager agree on an acceptable level of risk, and the cyber program manages to that level. Ongoing assurance activities demonstrate that the cyber program is actively assessing and managing risk.
   Assurance Systems: Tri-annual tri-party assurance meetings and bi-weekly operational awareness meetings demonstrate this activity. Annual risk agreement available on request.
   Status: ✓

2. Clause: The contractor must formally establish a Site Risk Management Approach (RMA) that is consistent with the requirements of the applicable Senior DOE Management (SDM) RMA implementation.
   Implementation: The Cyber Security Program, Assurance and Monitoring Plan (CSPAM) describes our RMA. Our RMA is consistent with the 2010 PCSP and expected changes in the SDM RMA.
   Assurance Systems: CSPAM available on request.
   Status: ✓

3. Clause: The contractor must establish and maintain an effective Assurance System that provides appropriate transparency to Federal oversight regarding cyber security risk management and overall performance.
   Implementation: We develop an annual Cyber Security Assurance Plan that documents planned or anticipated assurance activities. It includes independent and self-assessments, performance measures, external reporting, issues management, and lessons learned.
   Assurance Systems: Assurance System, including the assurance plan and reports.
   Status: ✓

4. Clause: The contractor must establish and implement a configuration management approach. Where mission appropriate, the approach must consider federally established configurations, such as the Federal Desktop Core Configuration (FDCC), as an alternative.
   Implementation: The cyber program establishes, based on our RMA, minimum security requirements that serve as the LBNL baseline configuration. Lab policy requires employees and affiliates to meet the minimum security requirements.
   Assurance Systems: Minimum Security Requirements; Lab policy: Security for Information Technology.
   Status: ✓

5. Clause: Where mission appropriate, or where required in the SDM RMA Implementation Plan, the contractor must consider and incorporate Federal initiatives such as HSPD-12 (or compatible) logical access capabilities and the use of Internet Protocol (IP) v6 and Domain Name System Security Extensions (DNSSEC) as part of their system development life cycle plans.
   Implementation: We incorporate federal initiatives consistent with the 2010 PCSP or as mission appropriate.
   Assurance Systems: LBNL Approach on Federal Initiatives.
   Status: ✓

6. Clause: The contractor must establish a process to ensure that users acknowledge and consent to site privacy and monitoring policies.
   Implementation: The RPM acts as Lab policy and serves as notice to employees and affiliates. The RPM includes consent to site privacy and monitoring policies. Our website disclaimer page provides our Privacy and Security notice to external users of our online resources. Individual system owners may incorporate the notice, and we provide instructions to help them install it.
   Assurance Systems: Lab Policy: Privacy Policy; Disclaimer page; Instructions for LBNL Privacy and Security Notice.
   Status: ✓

7. Clause: The contractor must establish and maintain an Incident Management Handling and Reporting Capability that is consistent with the contractor requirements contained within the applicable SDM RMA Implementation plan. This capability must include the items in 7a through 7c below.
   Implementation: Our incident management handling and reporting capability is an ongoing activity of the cyber program.
   Assurance Systems: Our internal incident response process details how we respond to, manage, and report on incidents. Available on request.
   Status: ✓

   7a. Clause: Reporting cyber security and privacy incidents to the DOE Computer Incident Response Capability (DOE-CIRC).
       Implementation: We report cyber incidents to JC3 as described in our internal incident response process.
       Assurance Systems: We can provide JC3 incident reports on request.
       Status: ✓

   7b. Clause: NNSA contractors must report cyber security and privacy incidents to the NNSA Information Assurance Response Center (NIARC).
       Implementation: Not applicable, no NSS.

   7c. Clause: If loss or unauthorized exposure of information associated with National Security Systems (NSS) is suspected, the incident must be immediately reported to the AO and DOE-CIRC.
       Implementation: Not applicable, no NSS.

8. Clause: Contractor's NSS must adhere to the requirements established by the Committee on National Security Systems (CNSS). Requests for equivalencies and for exemptions from CNSS requirements must follow those processes, as amplified by SDM RMA implementation plan direction.
   Implementation: Not applicable, no NSS.

9. Clause: Contractors with NSS must implement DOE classified data protection levels as defined in their respective SDM RMA implementation plans.
   Implementation: Not applicable, no NSS.

10. Clause: Contractors with NSS must apply the classification markings in the electronic environment as described in the applicable SDM RMA implementation plans.
    Implementation: Not applicable, no NSS.

11. Clause: Contractors with NSS must implement requirements for accessing and protecting Restricted Data (RD), Formerly Restricted Data (FRD) and Transclassified Foreign Nuclear Information (TFNI) as defined in the SDM RMA implementation plans.
    Implementation: Not applicable, no NSS.

12. Clause: The contractor must ensure all information systems operate within the processes defined and approved by the Federal Authorized Official, and that all systems maintain an acceptable level of risk pursuant to (1) the agreed upon risk profile defined by Site and Federal management, and (2) approved oversight and assurance systems.
    Implementation: Annually, we present a risk letter to Site management that describes the high-level risk profile to which we manage, including the high-level residual risk we accept. Site management reviews our risk letter in the context of our annual risk assessment, other program documents (including our authority to operate package), and other assurance systems.
    Assurance Systems: Supporting documents available on request.
    Status: ✓