Director's Perspective

Welcome to the Office of Cyber Security Evaluations

John S. Boulden III, Director

This office, within HSS's Office of Independent Oversight, serves as the eyes and ears of the Secretary of Energy in overseeing classified and unclassified cyber security programs throughout the DOE complex. In May 1999, the Secretary created this office to increase emphasis on cyber security, reflecting the need for new protection strategies as computers and related information technologies fundamentally changed the way the Department accomplishes its mission. At the same time, the rapid spread of information networks introduced a new set of vulnerabilities that need to be evaluated and controlled. The goal of our evaluations is to provide feedback to senior Department leaders, line management, the Office of the Chief Information Officer, and external stakeholders (e.g., Congress) on the effectiveness of cyber security programs and policies at DOE sites. We work particularly closely with the Office of the Chief Information Officer in a unique relationship that helps them fulfill their information assurance role given their overall responsibility for cyber security within the Department.

To meet this challenge, we conduct rigorous performance testing to evaluate internal and external network protection measures. As part of this effort, we have developed a cadre of technical experts and established two cyber security testing facilities that conduct vulnerability testing of DOE sites over the Internet and conduct announced and unannounced network penetration tests of sites to evaluate external threats. We also have remote testing platforms that support onsite performance testing to evaluate a site's defense-in-depth. Our ability to evaluate both external and internal threats allows us to identify potential vulnerabilities and provide a snapshot of the overall effectiveness of a site's cyber security protection posture.

Our inspection reports are formatted to align with the families of controls contained in the National Institute of Standards and Technology (NIST) Special Publication 800-53 for unclassified systems and the Committee on National Security Systems (CNSS) guidance for classified systems. This allows inspected facilities to correlate the results of their certification and accreditation documentation with the inspection reports and identify which, if any, controls need more emphasis during the accreditation process. Also, in keeping with national guidance, inspected sites receive a separate rating for each of the following areas: Management, Operational, and Technical.

Our office performs many assessment activities concurrent with traditional safeguards and security inspections to minimize the number of reviews that each site has to undergo and to take advantage of synergy in these areas. In addition, we conduct cyber security reviews at DOE critical infrastructure sites, science laboratories, and a wide-range of other Departmental sites in order to ensure that the confidentiality, integrity, and availability of all information technology systems is appropriate.

While we maintain a busy schedule of announced assessments at major DOE sites, we have also established an ongoing, unannounced penetration testing program, conducted by a "red team." While announced inspections provide a more complete picture of the range of vulnerabilities that DOE sites face, along with the effectiveness of essential management processes, the red team assumes the role of adversary in order to identify weak links that could expose a site to a cyber attack. The red team approach also tests how well the site's incident reporting processes perform in detecting, deterring, and reporting cyber attacks.

I hope that you will find this web site helpful in understanding the roles of our office and the processes we use to fulfill our responsibilities.