
The OCIO is responsible for managing and implementing IT and cyber-related contract requirements. This section describes how we implement those requirements and provide assurance regarding our implementation. This is not the record copy of applicable requirements.

Active (in contract)

DOE Orders and Policies

Directive

Effective Date

Description

Implementation Crosswalk

O 200.1A Information Technology Management

03-APR-09 (implementation date 09-OCT-09)

Requires the use of sound business practices in the management of IT and compliance with applicable laws.

200.1A Implementation

O 205.1B Department of Energy Cyber Security Program

7/3/2014

Requires a cyber security program that uses the Risk Management Approach and an assurance system that demonstrates that the program is working.

205.1B Implementation

P 205.1 Departmental Cyber Security Management Policy

6/1/2005

Describes core principles such as "line management owns security."

RPM Policy: Security for Information Technology

O 206.2 Identity, Credential, and Access Management (ICAM)

6/3/2013

Defines HSPD-12 requirements as well as additional requirements related to ICAM for DOE information systems.

206.2 Implementation

O 241.1B Scientific and Technical Information Management

12/2/2011

Requires management and distribution of Scientific & Technical Information created through DOE-funded work.

241.1B Implementation

O 243.1B Records Management Program

7/3/2014

Requires a records management program per NARA regulations.

243.1B Implementation

O 415.1 Information Technology Project Management

6/3/2013

Requires best practices in IT project management.

415.1 Implementation

O 471.3 Identifying and Protecting OUO Information

12/2/2014

Requirements for handling Official Use Only (OUO) information.

471.3 Implementation

M 471.3-1 Manual for Identifying and Protecting OUO Information

12/2/2014

Manual requirements for handling Official Use Only (OUO) information.

471.3-1 Implementation

Contract Clauses

Clause

Effective Date

Description

Implementation

1450.4 Consensual Listening-In to or Recording Telephone/Radio Conversations

02-DEC-09

Recording of phone conversations is prohibited.

Reflected in RPM

414.1C as included in the EHS Standards Set Nov 2008.

Nov 2008

Requires that an overall quality management approach apply to all activities at the Laboratory, and that specific requirements apply to Safety Software.

Implemented in the OQMP.

Clause I.124 – DEAR 952.204-77 Computer Security

18-DEC-08

Stipulates that there is no expectation of privacy in the use of DOE systems.

Modified by P clause. See details here.

Clause H.48 Common Security Configurations in Information Technology Acquisitions

Added via Mod M249 to C31.

Requires use of common security configurations in IT procurements to the extent stipulated in our implementation plan.

Modified by SC direction. See details here.

Clause H.7 Privacy Act Records

C31 (always)

Stipulates which records are covered by the Privacy Act.

Details about implementation of Privacy Act at LBL are here.

Clause H.31 IPv6

July 2011

Stipulates where the contractor must flow down IPv6 compatibility in acquiring IT.

Implementation detailed in Procurement Guidance on Flowing Down IPv6.

Pending

  • 206.1 Privacy Program

Inactive Directives (removed from contract)


Directive

Status

Description

LBL Implementation

O 243.1 Records Management

Replaced by 243.1B on 6/3/2013

Describes records management requirements to maintain and dispose of DOE records.

See ARO Website for specific disposition and management guidance. See crosswalk

O 243.2 Vital Records

Removed from contract on 12 Sep 2012 as part of C31 Reform (Redundant to O 243.1)

Requires vital records (i.e. to support disaster recovery) preservation and management.

Archives and Records policy in the RPM, combined with Laboratory Business Continuity and Emergency Management Plans implement this Directive. See crosswalk

241.1A Scientific and Technical Information Management

Removed from contract on 6 Dec 2011

Requires LBNL to manage all publications and transmit useful information to OSTI.

RPM 5.02

205.1A Energy Cyber Security Management

Removed from contract on 6 Dec 2011

Makes the Office of Science PCSP a governing document.

Lab's approved ATO is the implementation (including deviations) of the SC PCSP. See second level crosswalk.

226.1A Implementation of DOE Oversight Policy

02-OCT-07

Requires a robust program of management oversight for several areas including cyber security. OCIO is lead for the cyber security assurance mechanisms.

Assurance plan is within CSPP and also here

205.1 Energy Cyber Security Management

NO LONGER IN CONTRACT

Soon to be updated with current 201.1A

Existing requirements are reflected in the Cyber Security Program Plan.

N 205.2 Foreign National Access to DOE Cyber Systems

NO LONGER IN CONTRACT
07-JAN-00

Requires that foreign national (FN) access requirements be stated in the CSPP, that risk assessments be conducted, and that offsite UCNI/NNPI access be prohibited.

FN access requirements are in CSPP, RA reflects assessment, UCNI/NNPI are prohibited per RPM.

N 205.3 Password Generation, Protection, and Use

NO LONGER IN CONTRACT
16-MAR-00

Sets requirements for password generation, protection, and use.

Reflected in RPM 9.02

N 205.4 Handling Cyber Security Alerts & Advisories & Reporting Cyber Security Incidents

NO LONGER IN CONTRACT
09-APR-02

Requires reporting to CIAC.

Conducted by Computer Protection Program, reflected in CSPP.

N 205.8 Cyber Security Requirements for Wireless Devices and Information Systems

NO LONGER IN CONTRACT
01-JUN-05

Requires risk assessment prior to wireless deployment.

Reflected in CSPP.

N 205.9 Certification and Accreditation Process for Information Systems Including National Security Systems

NO LONGER IN CONTRACT
01-JUN-05

Requires certification and accreditation (C&A) of information systems.

Reflected in LBNL CSPP.

N 205.10 Cyber Security Requirements for Risk Management

NO LONGER IN CONTRACT
01-JUN-05

Requires risk assessments.

Reflected in LBNL CSPP. LBNL conducts annual risk assessments.

N 205.11 Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems

NO LONGER IN CONTRACT
01-JUN-05

Sets requirements for remote access.

Implemented in CSPP.

N 205.12 Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware

NO LONGER IN CONTRACT
01-JUN-05

Sets requirements for destruction of media.

Implemented by Property Mgt and Excess when media is disposed of. Policy is reflected in CSPP and RPM.

200.1 Information Management Program

NO LONGER IN CONTRACT

Requires the use of sound business practices in the management of IT and compliance with applicable laws.

RPM: Stewardship Policy in 9.01

Upcoming Policy Events
