Director's Perspective
Welcome to the Office of Cyber Security Evaluations
John S. Boulden III, Director
This office, within HSS's Office of Independent Oversight, serves as the eyes and ears of
the Secretary of Energy in overseeing classified and unclassified cyber security programs
throughout the DOE complex. In May 1999, the Secretary created this office to increase
emphasis on cyber security, reflecting the need for new protection strategies as computers
and related information technologies fundamentally changed the way the Department accomplishes
its mission. At the same time, the rapid spread of information networks introduced a new
set of vulnerabilities that need to be evaluated and controlled. The goal of our evaluations
is to provide feedback to senior Department leaders, line management, the Office of the
Chief Information Officer, and external stakeholders (e.g., Congress) on the effectiveness
of cyber security programs and policies at DOE sites. We work particularly closely with the
Office of the Chief Information Officer in a unique relationship that helps them fulfill
their information assurance role given their overall responsibility for cyber security
within the Department.
To meet this challenge, we conduct rigorous performance testing to evaluate internal and
external network protection measures. As part of this effort, we have developed a cadre of
technical experts and established two cyber security testing facilities that conduct
vulnerability testing of DOE sites over the Internet and conduct announced and unannounced
network penetration tests of sites to evaluate external threats. We also have remote testing
platforms that support onsite performance testing to evaluate a site's defense-in-depth.
Our ability to evaluate both external and internal threats allows us to identify potential
vulnerabilities and provide a snapshot of the overall effectiveness of a site's cyber security
protection posture.
Our inspection reports are formatted to align with the families of controls contained in
the National Institute of Standards and Technology (NIST) Special Publication 800-53 for
unclassified systems and the Committee on National Security Systems (CNSS) guidance for
classified systems. This allows inspected facilities to correlate the results of their
certification and accreditation documentation with the inspection reports and identify which,
if any, controls need more emphasis during the accreditation process. Also, in keeping with
national guidance, inspected sites receive a separate rating for each of the following areas:
Management, Operational, and Technical.
Our office performs many assessment activities concurrent with traditional safeguards
and security inspections to minimize the number of reviews that each site has to undergo
and to take advantage of synergy in these areas. In addition, we conduct cyber security
reviews at DOE critical infrastructure sites, science laboratories, and a wide range of
other Departmental sites in order to ensure that the confidentiality, integrity, and availability
of all information technology systems are appropriate.
While we maintain a busy schedule of announced assessments at major DOE sites, we have also
established an ongoing, unannounced penetration testing program, conducted by a "red team."
While announced inspections provide a more complete picture of the range of vulnerabilities
that DOE sites face, along with the effectiveness of essential management processes, the
red team assumes the role of adversary in order to identify weak links that could expose a
site to a cyber attack. The red team approach also tests how well the site's incident reporting
processes perform in detecting, deterring, and reporting cyber attacks.
I hope that you will find this web site helpful in understanding the roles of our office and
the processes we use to fulfill our responsibilities.
This page was last updated on April 10, 2008