Status: In Contract, 27-Aug-13
Summary of Order
The purpose of DOE O 206.2 Identity, Credential, and Access Management (ICAM) is to establish baseline requirements to foster the efficient and effective use identity management systems.
HSPD-12 Credentials. HSPD-12 Credentials are the Federal identification credentials that are compliant with National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, dated 3-2006, or its successor. Contractor employees requiring an HSPD-12 Credential are subject to Personal Identity Verification (PIV) by DOE. Issuance of HSPD-12 Credentials to contractor employees whose term of service is less than 6 months is at the discretion of the Lead Program Secretarial Officer (LPSO) and based on a risk analysis.
Berkeley Lab is an unclassified facility and does not require broad use of HSPD-12 credentials consistent with DOE's approach. For cleared employees or employees serving headquarters, DOE HQ manages the process for issuing HSPD-12 credentials to the limited number (less than 10) of Berkeley Lab staff who need them. Berkeley Lab’s approach is thoroughly documented on its Multifactor Authentication Implementation Approach (MFAIA), available on request
Identity. Contractors may participate in the enterprise identity management service (EIMS) and should determine participation based on business value and risks. If participating, contractors must:
Optional. Berkeley Lab participates in DOE's OneID.
Electronic Transactions with DOE. When DOE requires digital signatures or encryption, contractors must enable the use of Public Key Infrastructure (PKI) certificates.
When required by DOE for certain transactions, Berkeley Lab uses DOE's PKI system, Entrust.
DOE INFORMATION SYSTEMS. When operating a DOE information system as defined in this Order, the contractor must meet the following requirements.
The Berkeley Lab CIO is responsible for determining if a system meets the definition of a DOE Information System. Berkeley Lab does not have systems meeting this definition, i.e. systems whose primary purpose is to accomplish a Federal function.
General. DOE information systems must meet the requirements of Office of Management and Budget (OMB) M-11-11, which requires that agency implementations align with The Federal Chief Information Officers Council’s Federal Identity Credential Access Management (FICAM) Roadmap and Implementation Guidance.
Authentication and Authorization.
3 DOE FACILITIES
Access control decisions are based on risk management principles as required by DOE O 473.3, Protection Program Operations dated 6-29-11 and DOE O 470.4B, Safeguards and Security Program, dated 7-21-11, or their successors.
Not a requirement.
Contractors must recognize the following credentials as an acceptable credential for verifying a person's identity as part of the site’s physical access procedure:
Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV.
Automated access control systems should obtain authoritative data for DOE employees and contractor employees external to the site from the EIMS offered by DOE.
Optional. Berkeley Lab has a very limited set of areas with restricted access. External employees do not gain access to these areas unaccompanied. Therefore there are no business drivers to automate access to external groups.
DOE O 473.3 contains the requirements for access control systems.
Not a requirement.