Cyber Security

Management System: Safeguards, Security, and Emergency Management

Subject Area: Cyber Security

Point of Contact:	WALTER DYKAS
Management System Owner:	EARL HICKS
Secondary Management System Owner:	THOMAS GRADLE JOHN MEDLOCK

SCMS Home Page | Revision History | Subject Area Definitions

Issue Date: 04/05/2011
SCMS Revision: 2.5

1.0 Introduction

The subject area describes how the Cyber Security Program protects the confidentiality, integrity and availability of U.S. Department of Energy (DOE) Information Systems and the data processed on those systems. The primary requirements for Office of Science (SC) Federal and Contractor Laboratory Facilities are defined by the Program Cyber Security Plan (PCSP). In addition to the PCSP, the implementation of Federally mandated certification and accreditation is addressed through facility Cyber Security Program Plans and System Security Plans. This included both unclassified and National Security Systems.

2.0 Contents

Procedures	Procedure Content
1. Maintaining the Office of Science (SC) Threat and Risk Statement	Obtain latest threat information from the Federal Intelligence Community. Evaluate and assess the information. Interpret and document the evaluation. Disseminate the Threat and Risk Statement to SC Facilities. Update and re-evaluate threat information and determine if updates to the Threat and Risk Assessment are needed.
2. Monitoring for Unclassified Systems	Develop and coordinate a continuous monitoring plan for site reviews with the Integrated Support Center (ISC). Evaluate Plans of Action and Milestones (POA&Ms), SC metrics, status reporting, and self assessments for each facility and establish priorities. Assign resources and schedule site reviews. Perform site reviews to address program requirements and accreditation status. Report the result of site reviews, update status of prior deficiencies, and establish POA&M actions to address identified gaps.
3. Monitoring for Classified Systems	Develop and coordinate a continuous monitoring plan for site reviews with the ISC. Evaluate POA&Ms, SC metrics, status reporting, self assessments for each facility, and establish priorities. Assign resources and schedule site reviews. Perform site reviews to address program requirements and accreditation status. Report the result of site reviews, update status of prior deficiencies, and establish POA&M actions to address identified gaps.
4. Identifying Cyber Security Requirements for Unclassified Systems	Identify Program requirements in the PCSP. Follow the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series. Adhere to Office of Management and Budget (OMB) guidance as applicable.
5. Identifying Cyber Security Requirements for Classified Systems	Identify Program requirements in the PCSP and the SC National Security Systems Manual. Adhere to applicable Committee on National Security Systems (CNSS) requirements.
6. Performing Designated Approving Authority (DAA) Responsibilities	Identify Designated Approving Authority (DAA) responsibilities in the PCSP. This section deals with how the DAA carries out responsibilities not specified elsewhere.
7. Maintaining the Office of Science (SC) Program Cyber Security Plan (PCSP)	Identify changes in requirements. Evaluate the impact of these changes on operations and how new requirements can be implemented at SC facilities. Update the PCSP.

3.0 Exhibits/Forms

Office of Science (SC) Program Cyber Security Plan (PCSP)

4.0 Related Information

10 CFR 1045, Nuclear Classification and Declassification (1998)
CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
CNSS Policy No. 22, Information Assurance Risk Management Policy for National Security Systems
DoD 5220.22-M, National Industrial Security Program Operating Manual

DOE O 142.1, Classified Visits Involving Foreign Nationals
DOE O 142.3, Change 1, Unclassified Foreign Visits and Assignments
DOE O 221.1A, Reporting Fraud, Waste, and Abuse to the Office of Inspector General
DOE O 221.2A, Cooperation with the Office of Inspector General
DOE P 226.1A, Department of Energy Oversight Policy
DOE O 226.1A, Implementation of Department of Energy Oversight Policy
DOE M 452.4-1A, Protection of Use Control Vulnerabilities and Design
DOE P 470.1, Integrated Safeguards and Security Management (ISSM) Policy
DOE O 470.2B, Independent Oversight and Performance Assurance Program
DOE O 470.4A, Safeguards and Security Program
DOE M 470.4-1, Change 1, Safeguards and Security Program Planning and Management
DOE M 470.4-2A, Physical Protection
DOE M 470.4-4A, Information Security
DOE M 470.4-5, Personnel Security
DOE O 471.1A, Identification and Protection of Unclassified Controlled Nuclear Information
DOE O 475.1, Counterintelligence Program
DOE O 5610.2, Change 1, Control of Weapon Data
Executive Order (E.O.) 12958, Classified National Security Information, dated 04/20/1995
E.O. 13011, Federal Information Technology
E.O. 13231, Critical Infrastructure Protection in the Information Age, dated 10/16/2001, under this Executive Order, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS)
E.O. 13526, Classified National Security Information Memorandum, dated 12/29/2009
HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
Memorandum from George Malosh, Acting Chief Operating Officer, Office of Science (SC), to SC Associate Directors, SC Office Directors, and SC Site Office Managers, titled "Office of Science Policy on the Protection of Personally Identifiable Information," dated 08/07/2006 (NOTE: CS-38 has been superseded by DOE O 206.1.)
NISPOM, National Industrial Security Program Operations Manual
National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules
NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
NIST FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
NIST SP 800‑26, Security Self‑Assessment Guide for Information Technology Systems, was withdrawn on 02/2007 and superceded by NIST FIPS 200, NIST SP 800-53, and NIST SP 800-53A.
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
NIST SP 800‑37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-48, Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program
NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-55, Revision 1 , Security Metrics Guide for Information Technology Systems
NIST SP 800-60, Volume 1, Revision 1 , Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1: Guide
NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2: Appendices
NIST SP 800-61, Computer Security Incident Handling Guide
NIST SP 800-64, Revision 2, Security Considerations in the Information System Development Life Cycle
NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developer
NIST SP 800-73, Revision 2, Interfaces for Personal Identity Verification
NIST SP 800-83, Guide to Malware Incident Prevention and Handling
NIST SP 800-88, Guidelines for Media Sanitization
NIST SP 800-92, Guide to Computer Security Log Management
NSTISSC Directive No 501, National Training Program for Information Systems Security (INFOSEC) Professionals
NSTISSC INFOSEC 1-99, The Insider Threat to U S. Government Information Systems
NSTISSC Policy No.11, National Information Assurance Acquisition Policy
NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP)
OMB Circular A-76, Performance of Commercial Activities (Outsourcing)
OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs
OMB Circular A-123, Management Accountability and Control
OMB Circular A-127, Financial Management Systems
OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (11/28/2000); Appendix III
OMB M-00-07, Incorporating and Funding Security in Information Systems Investments
OMB M-00-10, OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites
OMB M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act
OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy
OMB M-01-08, Guidance on Implementing the Government Information Security Reform Act
OMB M-01-26, Component-Level Audits
OMB M-02-12, Reducing Redundant IT Infrastructure to Homeland Security
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB M-04-04, E-Authentication Guidance for Federal Agencies
OMB M-04-16, Software Acquisition
OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
OMB M-05-02, Financial Management Systems
OMB M-05-04, Policies for Federal Agency Public Websites
OMB M-05-05, Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
OMB M-05-08, Designation of Senior Agency Officials for Privacy
OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996
OMB M-97-02, Funding Information Systems Investments
OMB M-98-04, Annual Performance Plans Required by the Government Performance and Results Act (GPRA)
OMB M-99-05, Instructions on complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records"
OMB M-99-18, Privacy Policies on Federal Web Sites
OMB M-99-20, Security of Federal Automated Information Resources
OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
P.L. 93-579, Privacy Act of 1974, as amended (Title 5 United States Code [U.S.C.] Section 552a)
P.L. 96-349, Trade Secrets Act (18 U.S.C., Section 1905)
P.L. 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA)
P.L. 99-474, Computer Fraud and Abuse Act (18 U.S.C. Section 1030)
P.L. 99-508, Electronic Communications Privacy Act of 1986
P.L. 100-235, Computer Security Act of 1987
P.L. 103-62, Government Performance and Results Act of 1993 (GPRA)
P.L. 103-356, Government Management Reform Act of 1994
P.L. 104-13, Paperwork Reduction Act of 1995 (PRA)
P.L. 104-106, Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996)
P.L. 104-208, Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA)
P.L. 104-231, Electronic Freedom of Information Act (e-FOIA)
P.L. 105-277, Title XVII, Government Paperwork Elimination Act (GPEA)
P.L. 107-347, Title III, Federal Information Security Management Act of 2002 (FISMA)
Program Review for Information Security Management Assistance (PRISMA) Database
SC Records Maintained on Individuals Subject Area

5.0 Requirements

Document	Title	Requirement Decision Record
OMB Circular A-130	Management of Federal Information Resources	Completed
CNSSD-500	Information Assurance (IA) Education, Training, and Awareness	Completed
DOE M 200.1-1, Chapter 9 (restricted access)	Public Key Cryptography And Key Management (Unclassified)	Completed
DOE P 205.1	Departmental Cyber Security Management Policy	Completed
E.O. 13103	Computer Software Piracy	Completed
61 Federal Regulation 6428	Policies on Management of Federal Information Resources ([OMB] Circular no. A-130), dated 02-20-1996 (Final Action)	Completed
DOE-HQ Memo 06/25/2010	Office of Science (SC) Program Cyber Security Plan (PCSP)	Completed
NSD 42	National Policy for the Security of National Security Telecommunications and Information Systems	Completed
OMB M 04-26	Personal Use Policies and "File Sharing" Technology	Completed
OMB M-06-19	Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments	Completed
P.L. 107-347, 116 Stat. 289	E-Government Act of 2002 - Federal Information Security Management Act (FISMA)	Completed

6.0 Definitions

Definitions.

This is not the online OFFICIAL SCMS COPY of this file. Before using this printed copy, verify that it is the most current version by checking the Last Major Revision and Last Minor Revision dates (at the bottom of each document) on the SCMS Web site.

This is the online OFFICIAL SCMS COPY of this file. Before using a printed copy, verify that it is the most current version by checking the Last Major Revision and Last Minor Revision dates (at the bottom of each document) on the SCMS Web site.

SCMS Home Page | Revision History | Subject Area Definitions

Send a question or comment to the SCMS Help Desk.
Disclaimer

Filename: /OrbitSearch/SubjArea/CS/CS_SA.cfm
Last Major SCMS Revision: 11/05/2009