Cyber Contract Measures
Notable Outcome: LBNL's cyber security program provides cost-effective, mission-friendly protection of its scientific and operational computing assets. No reasonably preventable cyber security incidents significantly interfere with scientific or operational work, as measured by the incident review process. (Objective 8.2)
Protocol: Berkeley Lab will review incidents quarterly to determine whether they significantly impeded the work of the Laboratory and were reasonably preventable (i.e. outside our acceptable risk envelope as established in the risk assessment and CSPP). Significant interference would include failure to achieve mission goals or sustained disruption of activities that broadly impacts Laboratory operations outside of accepted risk envelopes. Berkeley Lab will also annually review its protection programs to determine whether they unduly or inefficiently disrupt scientific work.
Opportunities for Improvement identified in DOE’s FY09 LBNL Performance Evaluation Report
No opportunities for improvement were identified in the FY09 LBNL Performance Evaluation Report; however, we agreed that an important area for focus is cloud-security and policy. A cloud security working group has been formed, and drafts of guidance for researchers seeking to acquire cloud-based services are being prepared. A major paper on the security and policy implications of Google Apps use has been drafted and is being revised for circulation. A briefing for BSO is scheduled for Q2
Performance against each of the PEMP Notable Outcomes
Outcome: Review Incidents Quarterly and Determine whether they are within our acceptable risk envelope.
Our review of Q1 incidents suggests nothing but exceedingly minor and recoverable disruption to scientific work, and nothing that is outside our acceptable risk envelope. Incident quantities and costs are well within expected numbers. No scientific data was lost in any of these efforts, and disruption was limited to the time needed to clean up compromised systems. Additional detail will be provided to BSO in a closed, separate report on the Q1 incidents.
Outcome: Review program to ensure it does not unduly or inefficiently disrupt scientific work.
Conduct this review in Q3 or Q4.
Performance in meeting any contract requirements not specifically included in the PEMP, but that may positively or negatively affect Objective or Goal ratings. This should include results of independent assessments, self-assessments, etc.
No reviews are ongoing at this time. We expect reviews to be concentrated at the end of the performance period, conicident with activities related to the new ATO.
Areas of concern/risks.
At this time, we do not forsee any major concern areas; however, the theft of emails from Climate Researchers in the UK suggests that some of our researchers may be the target of directed, well-resourced attacks designed to diminish their credibility in the future. We continue to evaluate whether this development has implications for our acceptable risk envelope and if so, how we should respond.
Another area of concern is increasingly sophisticated, highly targeted attacks against individuals with access to specific institutional systems. Evidence from other peer institutions suggests these attacks are growing. In addition to awareness activities, existing efforts to patch third-party applications should provide additional protection. At this time, we believe these are within our acceptable risk envelope, but as above, we will continue to monitor this situation as part of our overall approach to managing risk for the institution.