DOE’s Cyber Security Order, 205.1B, requires LBNL to consider and incorporate, when mission appropriate, Federal security initiatives. This page documents LBNL’s analysis and, when applicable, summarizes our implementation of federal security initiatives.
Homeland Security Presidential Directive 12 (HSPD-12)
Origin: President of the United States
Document: HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors
Description
HSPD-12, dated August 27, 2004, requires agencies to use a common standard for forms of identification for employees and contractors. The National Institute for Standards and Technology (NIST) issues the standard that agencies must comply with. In practice, the standard requires the use of smart cards (versus flash badges). The smart cards can be used for both physical and computer/network access. The intended benefits are more secure access to government networks and more efficient issuance of federal credentials (agencies can share and trust credentials since they follow the same standard).
Summary Analysis of Appropriateness
LBNL’s physical and computing environment is open and designed to support fundamental research. In addition, our scientific mission requires ongoing collaborations both within the DOE complex and across the world. Open, ad-hoc scientific collaboration requires ease and speed of access.
If we issued credentials to employees but not collaborators, there would be no increase in security as we would only cover a portion of our user population. If we refused access to collaborators, we would be negating our mission to conduct basic science, which relies on collaboration. As a result, HSPD-12 is inappropriate for our mission.
Implementation
Not Applicable
Internet Protocol version 6 (IPv6)
Origin: Office of Management and Budget (OMB)
Document: OMB M-05-22: Transitional Planning for Internet Protocol Version 6 (IPv6) (PDF)
Description
M-05-06 requires agency networks to transition to the use of IPv6 and ensure that new IT procurements are IPv6 compliant. IPv6 is an update to the Internet Protocol designed to increase the number of available addresses, because IPv4, as implemented, will run out of addresses.
Summary Analysis of Appropriateness
LBNL, like all labs, has agreed to encourage the adoption of IPv6 but does not plan to convert our networks entirely to IPv6. We have sufficient IPv4 address space to accommodate our current and future needs.
Implementation
LBNL had a significant role in the development (more than 15 years ago) of IPv6, as Bob Fink, a previous IT Department head, was one of the principal participants in its development. So we’ve been an early adopter and implementer of IPv6 on LBLnet. Our implementation of IPv6 continues to expand under the stewardship of an IPv6 team at Berkeley Lab. Details on recent activity are available on request.
In terms of acquisition planning, the LBL CIO has created guidance and waivers for the flowdown of IPv6 requirements, available to Berkeley Lab employees.
Federal Desktop Core Configuration (FDCC)
Source: Office of Management and Budget (OMB)
Document: OMB M-07-11: Implementation of Commonly Accepted Security Configurations for Windows Operating Systems (PDF)
Description
FDCC sets configuration standards for Federal systems to improve their security. OMB Memos require that Federal Agencies use FDCC.
Summary Analysis of Appropriateness
LBNL sets baseline minimum security standards, but researchers are permitted to determine their own specific configurations for different and diverse purposes. Their systems must often interoperate with other, non-federal systems, and research configurations typically need substantial flexibility. The requirement to adopt a particular configuration, report exceptions, and use specific tools works against the flexibility designed to be inherent in the LBNL contract as well as the risk-management approach to cyber security under which LBNL operates.
Implementation
FDCC is considered in the development of baseline GPOs, but is not used directly as a baseline, nor is it required. This approach is documented in the LBNL CSPAM, SARA, and Controls Catalog.