Director's Perspective
Welcome to the Office of Cyber Security Evaluations
James Lund, Acting Director
This office, within HSS's Office of Independent Oversight, serves as the eyes and ears of the Secretary of Energy in overseeing classified and unclassified cyber security programs throughout the DOE complex. In May 1999, the Secretary created this office to increase emphasis on cyber security, reflecting the need for new protection strategies as computers and related information technologies fundamentally changed the way the Department accomplishes its mission. At the same time, the rapid spread of information networks introduced a new set of vulnerabilities that need to be evaluated and controlled. The goal of our evaluations is to provide feedback to senior Department leaders, line management, the Office of the Chief Information Officer, and external stakeholders (e.g., Congress) on the effectiveness of cyber security programs and policies at DOE sites. We work particularly closely with the Office of the Chief Information Officer in a unique relationship that helps them fulfill their information assurance role given their overall responsibility for cyber security within the Department.
To meet this challenge, we conduct rigorous performance testing to evaluate internal and external network protection measures. As part of this effort, we have developed a cadre of technical experts and established two cyber security testing facilities that conduct vulnerability testing of DOE sites over the Internet and conduct announced and unannounced network penetration tests of sites to evaluate external threats. We also have remote testing platforms that support onsite performance testing to evaluate a site's defense-in-depth. Our ability to evaluate both external and internal threats allows us to identify potential vulnerabilities and provide a snapshot of the overall effectiveness of a site's cyber security protection posture.
Our inspection reports are formatted to align with the families of controls contained in the National Institute of Standards and Technology (NIST) Special Publication 800-53 for unclassified systems and the Committee on National Security Systems (CNSS) guidance for classified systems. This allows inspected facilities to correlate the results of their certification and accreditation documentation with the inspection reports and identify which, if any, controls need more emphasis during the accreditation process. Also, in keeping with national guidance, inspected sites receive a separate rating for each of the following areas: Management, Operational, and Technical.
Our office performs many assessment activities concurrent with traditional safeguards and security inspections to minimize the number of reviews that each site has to undergo and to take advantage of synergy in these areas. In addition, we conduct cyber security reviews at DOE critical infrastructure sites, science laboratories, and a wide range of other Departmental sites in order to ensure that the confidentiality, integrity, and availability of all information technology systems are appropriate.
While we maintain a busy schedule of announced assessments at major DOE sites, we have also established an ongoing, unannounced penetration testing program, conducted by a "red team." While announced inspections provide a more complete picture of the range of vulnerabilities that DOE sites face, along with the effectiveness of essential management processes, the red team assumes the role of adversary in order to identify weak links that could expose a site to a cyber attack. The red team approach also tests how well the site's incident reporting processes perform in detecting, deterring, and reporting cyber attacks.
I hope that you will find this web site helpful in understanding the roles of our office and the processes we use to fulfill our responsibilities.