206.2 Implementation

1

General Requirements

1.a

HSPD-12 Credentials. HSPD-12 Credentials are the Federal identification credentials that are compliant with National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, dated 3-2006, or its successor. Contractor employees requiring an HSPD-12 Credential are subject to Personal Identity Verification (PIV) by DOE. Issuance of HSPD-12 Credentials to contractor employees whose term of service is less than 6 months is at the discretion of the Lead Program Secretarial Officer (LPSO) and based on a risk analysis.

1. HSPD–12 Credentials must be issued to:
   1. Cleared DOE contractor employees;
   2. Uncleared contractor employees servicing DOE Headquarters; and
   3. Other uncleared DOE contractor employees at the discretion of the LPSO and based on a risk analysis.
2. M&O contractors may authorize HSPD-12 Credential issuance to their own employees and to their subcontractors’ employees. DOE HSPD-12 Credentials are issued consistent with procedures contained in the DOE PIV Card Issuer (PCI) Operations Plan.

Berkeley Lab is an unclassified facility and does not require broad use of HSPD-12 credentials consistent with DOE's approach. For cleared employees or employees serving headquarters, DOE HQ manages the process for issuing HSPD-12 credentials to the limited number (less than 10) of Berkeley Lab staff who need them. Berkeley Lab’s approach is thoroughly documented on its Multifactor Authentication Implementation Approach (MFAIA), available on request

1.b

Identity. Contractors may participate in the enterprise identity management service (EIMS) and should determine participation based on business value and risks. If participating, contractors must:

1. Identify their authoritative data sources to the DOE registry of authoritative data sources; and

2. Make available identity information from authoritative data sources to the EIMS.

Optional. Berkeley Lab participates in DOE's OneID.

1.c

Electronic Transactions with DOE. When DOE requires digital signatures or encryption, contractors must enable the use of Public Key Infrastructure (PKI) certificates.

1. The PKI must comply with the current X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.

2. Contractors should use the PKI certificates that are on the HSPD- 12 Credential, when practical.

When required by DOE for certain transactions, Berkeley Lab uses DOE's PKI system, Entrust.

2

DOE INFORMATION SYSTEMS. When operating a DOE information system as defined in this Order, the contractor must meet the following requirements.

The Berkeley Lab CIO is responsible for determining if a system meets the definition of a DOE Information System. Berkeley Lab does not have systems meeting this definition, i.e. systems whose primary purpose is to accomplish a Federal function.

2.a

General. DOE information systems must meet the requirements of Office of Management and Budget (OMB) M-11-11, which requires that agency implementations align with The Federal Chief Information Officers Council’s Federal Identity Credential Access Management (FICAM) Roadmap and Implementation Guidance.

N/A

2.b

Authentication and Authorization.

1. DOE information systems must ensure that the credential used for authentication meets the minimum level of assurance (LOA) requirements, which are determined by conducting an electronic authentication risk assessment per OMB M-04-04 in conjunction with a FIPS 199 assessment.

   1. New systems must accept the following credentials if presented by the user and the credential meets or exceeds the LOA of the system:
      1. An HSPD-12 Credential for DOE employees and contractor employees who possess an HSPD-12 Credential as required by this Order;
      2. An HSPD-12 Credential for Federal employees and contractor employees from other government agencies;
      3. A Personal Identity Verification Interoperability (PIV-I) credential; and
      4. A federated identity credential from an identity provider certified under the Trust Framework Provider Adoption Process (TFPAP).
   2. Existing DOE information systems must be upgraded to accept the credentials in 2b(1)(a), as appropriate, using the Risk Management Approach per DOE O 205.1B, Department of Energy Cyber Security Program, dated 5-16-11, or its successor.

2. DOE information system owners may issue and manage credentials for authentication ONLY when:

   1. The individual does not possess or have access to one of the credentials in 2b(1)(a); or
   2. The DOE information system requires individuals to authenticate with a credential in addition to the credentials in 2b(1)(a).

N/A

3 DOE FACILITIES

3.a

Access control decisions are based on risk management principles as required by DOE O 473.3, Protection Program Operations dated 6-29-11 and DOE O 470.4B, Safeguards and Security Program, dated 7-21-11, or their successors.

Not a requirement.

3.b

Contractors must recognize the following credentials as an acceptable credential for verifying a person's identity as part of the site’s physical access procedure:

1. An HSPD-12 Credential for DOE employees and contractor employees;

2. An HSPD-12 Credential for Federal employees and contractor employees from other government agencies; and

3. A PIV-I credential.

Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV.

3.c

Automated access control systems should obtain authoritative data for DOE employees and contractor employees external to the site from the EIMS offered by DOE.

Optional. Berkeley Lab has a very limited set of areas with restricted access. External employees do not gain access to these areas unaccompanied. Therefore there are no business drivers to automate access to external groups.

3.d

DOE O 473.3 contains the requirements for access control systems.

Not a requirement.