...

Effective Date: October 1, 2016-September 30, 2017

Approval

Approved By: Rosio Alvarez / Adam Stone, Interim Chief Information Officer

...

During this process, we engage external assessors, either through Peer Review or through contracted external auditors, to evaluate system operation. These are the most in-depth and risk-informed evaluations we undertake. In the past, these reviews have taken multiple weeks and included both technical testing and document review. The results of these reviews become part of the authorization package and are available to DOE for review. This process is not repeated under Continuous Authorization unless required by the AO or emerging conditions.

2.3 Internal Audit

UC operates an independent Internal Audit system for Berkeley Lab, Internal Audit Services (IAS). IAS's mission is to assess and monitor the Laboratory community in the performance of their oversight, management and operating responsibilities in relation to governance processes, systems of internal controls, and compliance with laws, regulations, contracts and Laboratory, UC, and DOE policies.

...

The DOE Berkeley Site Office (BSO) conducts graded oversight reviews of the Laboratory's Cyber Security Program. These reviews include ongoing operational awareness activities and, as needed, scheduled assessments and reviews into particular risks or control families. Assessment topics are generally planned and calendared at the start of the performance year. Berkeley Lab's safeguards and security program is often subject to an extensive DOE BSO review. The cornerstone of BASO oversight is ongoing Operational Awareness meetings between BASO SMEs and the Cyber Program. These meetings cover incidents, emerging risks, and major technical/policy changes.

Historically, the DOE Office of Health, Safety and Security (HSS), now the DOE Office of Enterprise Assessments (EA), has conducted both assistance visits and red team/full evaluations of Laboratory cyber security programs. Additionally, Berkeley Lab can engage EA upon request to review our systems and practices.

The DOE Office of Science has also initiated Integrated Safeguards and Security (S&S) Surveys that include cyber security in scope. The Office of Science works to coordinate any reviews with EA reviews. Beginning in FY23, these reviews have evolved to become Office of Science Cyber Peer Reviews.

2.7 Peer Reviews

Berkeley Lab makes targeted use of peer reviews on an as needed basis and where internal expertise or external oversight is judged to be insufficient, or where the only reasonable form of oversight is peer review (for instance, where expertise about a specific issue is limited to the peer group).

...

UC conducts assessments of various aspects of the cyber security program in parallel with its assessment of the campuses. A scorecard process helps to ensure similarity with other UC campuses and allows cross-campus comparisons. The scorecard is normalized across the campuses and Berkeley Lab and presented to the Regents for review. This typically happens annually, though the timing is at the direction of UC.

3.4 Management Controls and Compliance Program


The Management Controls and Compliance Program (MCC) is a comprehensive program for analyzing internal controls to meet financial and related compliance objectives. The MCC Program supports legislative requirements such as the Chief Financial Officers Act, the Inspector General Act of 1978, as amended, FMFIA, FISMA, and the Improper Payments Information Act of 2002 (IPIA).

Analysis of internal controls typically involves key cyber security and IT assurance mechanisms such as change management, alternate checking routines, and access and audit management.

The Office of the Chief Financial Officer implements the Management Controls and Compliance Program for Berkeley Lab. IT provides input on controls compliance as required.

3.5 IAS Advisory Service

IAS may be requested to perform advisory services for various areas of cyber security. Advisory services are activities designed to mitigate risk, improve operations, and/or assist management in achieving its business objectives, in which the nature and scope of the engagements are agreed upon with the management of the subject matter being evaluated. Examples include informational resources, counsel, advice, facilitation, process design, and training.

4.0 Performance Measures

4.1 Management Level Dashboard Measures

The Cyber Security Program reports to the Laboratory on the trends associated with incidents. The data is provided at the Laboratory Performance level and is updated monthly.

4.2 Cyber Security Performance Measures

The Cyber Security Program's key objective is to deliver efficient, effective and responsive cyber security and resources to enable the successful achievement of laboratory missions. Cyber Security Performance Measures are a strategic planning and management tool to monitor organization performance against operational/functional goals. Berkeley Lab management routinely monitors the following performance measures:

Cyber Security Incident Analysis

Number of incidents and extent/severity of incidents experienced at Berkeley Lab. Measured and reported in an ongoing manner to cyber security staff and direct management. Reported at least semi-annually to the cyber security representatives of divisions (CPIC), monthly to the CIO, and quarterly to the Berkeley Site Office.

Customer Service and Response

Satisfaction surveys from community members on interaction with help-desk and cyber security contacts. Surveys are sent immediately following ticket resolution with ongoing feedback provided to managers of operations and quarterly reports shared with management.

System Availability and Function Data

Functioning and availability of infrastructure and cyber critical systems measured by automated systems (percent of time available). Continuous reporting elevates problems to system administrators. Reported monthly for network systems and quarterly for business systems to IT management.

System Configuration Data

Patch levels for systems during periods of high risk (number or percent of systems that are vulnerable). For example, if a new MS patch is released for an "in the wild" vulnerability, Berkeley Lab will track the patch numbers until the numbers dwindle to baseline vulnerability expectations. This data is gathered on an ad hoc basis. When gathered, it is typically reported every few days to cyber security management.

Training Completion

Percent of Berkeley Lab staff that have completed required cyber security training. Reported in real-time as part of overall training reports to division representatives and as needed to cyber security management.

Cyber Security Training Feedback

Average rating on a scale of 1-5. Reported on demand, with real-time information, and quarterly to cyber security management.

5.0 External Reporting

5.1 PEMP

IT prepares a Mid-year and Annual Assurance Report for BSO, UCOP, and Lab Management. Each Assurance Report provides an overview of Berkeley Lab's performance and recent assurance activities, including activities detailed in the IT Assurance Plan; performance against the PEMP's Goals, Objectives, and Notable Outcomes; and related activities. This report provides the basis for a biannual tri-party Assurance meeting with counterparts from BSO and UCOP. Following the meetings of each Operations function, senior BSO, UCOP, and Berkeley Lab Management meet to discuss significant risks and concerns and corresponding mitigations.

5.2 Federal Managers' Financial Integrity Act (FMFIA)

FMFIA requires agencies to establish and maintain internal controls. The agency head must annually evaluate and report on the control and financial systems that protect the integrity of Federal programs. The requirements of FMFIA serve as an umbrella under which other reviews, evaluations and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations.

The University of California Office of the President's (UCOP) Laboratory Management Office will issue an opinion regarding the Laboratory's system of internal accounting and management controls in effect during the fiscal period. Included with its internal control assertion is information about the internal accounting and management controls, reportable issues, and corrective action plans provided by the Laboratory Director based on input from CFO management and staff. The Cyber Security Program provides input to this opinion.

5.3 Annual Risk Letter

The Cyber Security Program provides an annual risk evaluation to the Berkeley Site Office. See also section 3.2. The Risk Letter summarizes the annual risk assessment and provides assurance that the Laboratory is managing within the agreed upon acceptable risk envelope.

5.4 Authority to Operate

The Cyber Security Program provides extensive program evaluation to DOE as part of its authority to operate process, typically on a three year cycle. The Program evaluation information includes information related to all aspects of external and internal testing of cyber security program controls. Under continuous authorization, the total assurance portfolio provides the justification for continued authorization.

5.5 Cyber Security Incident Tracking and Reporting

Cyber security incident reports follow defined reporting channels, with primary reporting to the Department of Energy's Computer Incident Response Center (CIRC) or equivalent, with copies to Counterintelligence, the Office of the Inspector General, and the Berkeley Site Office. Incident reports are shared internally with key stakeholders to assure broad knowledge of current risks. Likewise, the Laboratory's cyber security staff remains abreast of new trends in attacks and threats primarily from public sector sources, but also from DOE sources such as CIAC alerts. As appropriate, briefing and discussions of cyber security incidents are entered into the Berkeley Lab Lessons Learned and Best Practices database and disseminated to target staff. These inputs, along with broad based incident review, allow the Laboratory to adjust its protection mechanisms continuously to ensure optimal protection. Incident trends and actions are communicated to the Computer Protection Implementation Committee, with membership from across the divisions.

5.6 FISMA Reporting

Berkeley Lab reports the status of its systems and authority to operate quarterly as part of DOE's overall approach to FISMA compliance.

6.0 Issues Management

The Cyber Security Program follows the Berkeley Lab Issues Management Program (LBNL PUB-5519) for managing issues. This program encompasses continuous monitoring of work programs and performance in order to promptly identify issues, determine their risk, significance, and causes, and identify and effectively implement corrective actions that ensure successful resolution and prevent the same or similar problems from recurring.

Cyber security issues are identified through self-assessments, incident assessments, and audits and reviews. Under a graded approach, proper issues management includes causal analysis, development and implementation of corrective actions, and verification and validation of corrective action implementation and effectiveness.

6.1 Corrective Actions

As part of the Laboratory's Issues Management Program (IMP), all cyber security issues and associated corrective actions (except for those that are immediately corrected or rectified) are entered into the Berkeley Lab Corrective Action Tracking System (CATS) database. This database enables Berkeley Lab employees to identify, track, manage, resolve, and search for issues and associated corrective actions. Corrective Actions are tracked to completion and validated.

Major corrective actions are also reported to DOE (through the Office of Science) through the Plan of Actions and Milestones (POAMs) process. POAMs are an integral part of quarterly Federal Information Security Management Act reporting.

6.2 Event Tracking

All cyber security events are tracked and analyzed with the goal of identifying proximate and root causes. See earlier discussion.

6.3 General Tracking

Issues related to the functioning of systems or from users are tracked either through the help desk ticketing system or through internal trouble reports. All issues are worked to completion. Automated systems ensure attention to unresolved issues. Weekly meetings discuss any open incident issues.

6.4 Trending

All incident and damage statistics are tracked for trends based on more than a decade of data. Both the ongoing and the annual risk assessments provide an opportunity to review trends and make adjustments to controls as appropriate. In addition, the Laboratory keeps summary connection information indefinitely so that long term studies of trends in attacks and connections can be conducted. These are often used to answer questions such as "what are the trends in password guessing attacks?" and "how are our connections from other countries changing?"

7.0 Lessons Learned and Best Practices

The Program shares information gleaned from incidents as well as best practices from other labs and within the Laboratory widely. Generally, such information is shared via the CPP website as recommendations. Where appropriate, the program uses the Laboratory's Lessons Learned system.

8.0 Assurance Systems and Assessment Schedule

8.1 Outcomes and Related Assurance Systems

| Outcome | Assurance System | System artifacts |
|---|---|---|
| Systems are securely configured and meet requirements. | Vulnerability scanning, continuous and on demand, to identify insecurely configured or vulnerable systems, with actions in response to a finding of vulnerability. | On request access to blocked host history lists, web site information with current scans. |
| Systems are not infected or attacking other systems. | Monitoring systems provide indications of vulnerable systems. | On request access to Bro logs and incident investigation reports. |
| Attackers cannot search indiscriminately for targets. | Monitoring systems (Bro, Syslog, Netflow) provide defenses against indiscriminate attackers. | On request access to Bro logs. |
| Users are trained. | LBL Training Database. | Report outputs on training rates as part of PEMP. |
| Security systems are operational. | System monitoring and alerts to detect failures in critical cyber defense systems. | On request access to Nagios and related logging reports. |
| DOE and Berkeley Lab jointly understand residual risk. | Annual risk assessment and ongoing briefings as necessary. Cost-benefit analysis of cyber program. | Dialogue with site office. |

8.2 FY17 Assessment Schedule

| # | Assessment Type | Schedule (and Title) | Performed By |
|---|---|---|---|
| 2.2 | Authorizing System Assessments | Continuous authorization | Office of the CIO/Cyber Security Program with External Assessors |
| 2.3 | Internal Audit | Per IAS Audit Plan. The FY17 audit plan does not include any IT focused audits, although some of the audits will likely touch IT. | Berkeley Lab Internal Audit Services |
| 2.4 | IG Audits and Reviews | Assessment of Berkeley Lab occurs at the discretion of the oversight entity; audits include: Financial Reporting; IT General and Application Controls; Federal Information Security Act (FISMA) Audit; IT Vulnerability Assessment; Others per audit plan | DOE Inspector General (often using KPMG) |
| 2.5 | DOE FMFIA | Typically no later than March | DOE |
| 2.6 | Berkeley Site Office Oversight Activities | Assessment occurs at the discretion of the oversight entity. | BSO |
| 2.6 | DOE-HSS Oversight Activities | Assessment occurs at the discretion of the oversight entity. | DOE-HSS |
| 2.6 | SC Surveys | Assessment occurs at the discretion of the oversight entity; last occurred May 2014. | DOE Office of Science |
| 2.7 | Peer Review | Every 3-5 years, last assessed in June 2010; none planned for FY17 | Similar institutions |
| 2.8 | Advisory Board | Typically annually | Board members |
| 3.2 | Self-Assessment Risk Assessment | Annually by 1QFY. | Office of the CIO/Cyber Security Program |
| 3.3 | UC Self-Assessment | Assessment occurs at the discretion of UC. | Office of the CIO/Cyber Security Program |
| 3.4 | Management Controls and Compliance Program | Completed by 3QFY (at discretion of OCFO, subset of controls related to IT operations) | Berkeley Lab CFO |
| 3.5 | IAS Advisory Service | Follow-up to Q4 FY16 Multifactor Authentication Implementation Management Advisory by request of IT. End of 1QFY17. | Berkeley Lab Internal Audit Services |