Management System: Safeguards, Security, and Emergency Management
Subject Area: Cyber Security
Point of Contact: WALTER DYKAS
Management System Owner: EARL HICKS
Secondary Management System Owner: THOMAS GRADLE, JOHN MEDLOCK
Issue Date: 04/05/2011
SCMS Revision: 2.5
1.0 Introduction
This subject area describes how the Cyber Security Program protects the confidentiality, integrity, and availability of U.S. Department of Energy (DOE) information systems and the data processed on those systems. The primary requirements for Office of Science (SC) Federal and Contractor Laboratory Facilities are defined by the Program Cyber Security Plan (PCSP). In addition to the PCSP, the implementation of Federally mandated certification and accreditation is addressed through facility Cyber Security Program Plans and System Security Plans. This includes both unclassified systems and National Security Systems.
2.0 Contents
Procedures:
1. Maintaining the Office of Science (SC) Threat and Risk Statement
2. Monitoring for Unclassified Systems
3. Monitoring for Classified Systems
4. Identifying Cyber Security Requirements for Unclassified Systems
5. Identifying Cyber Security Requirements for Classified Systems
6. Performing Designated Approving Authority (DAA) Responsibilities
7. Maintaining the Office of Science (SC) Program Cyber Security Plan (PCSP)
3.0 Exhibits/Forms
4.0 Related Information
- 10 CFR 1045, Nuclear Classification and Declassification (1998)
- CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
- CNSS Policy No. 22, Information Assurance Risk Management Policy for National Security Systems
- DoD 5220.22-M, National Industrial Security Program Operating Manual
- DOE O 142.1, Classified Visits Involving Foreign Nationals
- DOE O 142.3, Change 1, Unclassified Foreign Visits and Assignments
- DOE O 221.1A, Reporting Fraud, Waste, and Abuse to the Office of Inspector General
- DOE O 221.2A, Cooperation with the Office of Inspector General
- DOE P 226.1A, Department of Energy Oversight Policy
- DOE O 226.1A, Implementation of Department of Energy Oversight Policy
- DOE M 452.4-1A, Protection of Use Control Vulnerabilities and Design
- DOE P 470.1, Integrated Safeguards and Security Management (ISSM) Policy
- DOE O 470.2B, Independent Oversight and Performance Assurance Program
- DOE O 470.4A, Safeguards and Security Program
- DOE M 470.4-1, Change 1, Safeguards and Security Program Planning and Management
- DOE M 470.4-2A, Physical Protection
- DOE M 470.4-4A, Information Security
- DOE M 470.4-5, Personnel Security
- DOE O 471.1A, Identification and Protection of Unclassified Controlled Nuclear Information
- DOE O 475.1, Counterintelligence Program
- DOE O 5610.2, Change 1, Control of Weapon Data
- Executive Order (E.O.) 12958, Classified National Security Information, dated 04/20/1995
- E.O. 13011, Federal Information Technology
- E.O. 13231, Critical Infrastructure Protection in the Information Age, dated 10/16/2001. Under this Executive Order, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS).
- E.O. 13526, Classified National Security Information Memorandum, dated 12/29/2009
- HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
- Memorandum from George Malosh, Acting Chief Operating Officer, Office of Science (SC), to SC Associate Directors, SC Office Directors, and SC Site Office Managers, titled "Office of Science Policy on the Protection of Personally Identifiable Information," dated 08/07/2006 (NOTE: CS-38 has been superseded by DOE O 206.1.)
- NISPOM, National Industrial Security Program Operating Manual
- National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules
- NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
- NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors
- NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, was withdrawn in 02/2007 and superseded by NIST FIPS 200, NIST SP 800-53, and NIST SP 800-53A.
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
- NIST SP 800-48, Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
- NIST SP 800-50, Building an Information Technology Security Awareness and Training Program
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems
- NIST SP 800-55, Revision 1, Security Metrics Guide for Information Technology Systems
- NIST SP 800-60, Volume 1, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1: Guide
- NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2: Appendices
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-64, Revision 2, Security Considerations in the Information System Development Life Cycle
- NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
- NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers
- NIST SP 800-73, Revision 2, Interfaces for Personal Identity Verification
- NIST SP 800-83, Guide to Malware Incident Prevention and Handling
- NIST SP 800-88, Guidelines for Media Sanitization
- NIST SP 800-92, Guide to Computer Security Log Management
- NSTISSC Directive No. 501, National Training Program for Information Systems Security (INFOSEC) Professionals
- NSTISSC INFOSEC 1-99, The Insider Threat to U.S. Government Information Systems
- NSTISSC Policy No. 11, National Information Assurance Acquisition Policy
- NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP)
- OMB Circular A-76, Performance of Commercial Activities (Outsourcing)
- OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs
- OMB Circular A-123, Management Accountability and Control
- OMB Circular A-127, Financial Management Systems
- OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (11/28/2000); Appendix III
- OMB M-00-07, Incorporating and Funding Security in Information Systems Investments
- OMB M-00-10, OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
- OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites
- OMB M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act
- OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data: Protecting Personal Privacy
- OMB M-01-08, Guidance on Implementing the Government Information Security Reform Act
- OMB M-01-26, Component-Level Audits
- OMB M-02-12, Reducing Redundant IT Infrastructure to Homeland Security
- OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
- OMB M-04-04, E-Authentication Guidance for Federal Agencies
- OMB M-04-16, Software Acquisition
- OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
- OMB M-05-02, Financial Management Systems
- OMB M-05-04, Policies for Federal Agency Public Websites
- OMB M-05-05, Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
- OMB M-05-08, Designation of Senior Agency Officials for Privacy
- OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996
- OMB M-97-02, Funding Information Systems Investments
- OMB M-98-04, Annual Performance Plans Required by the Government Performance and Results Act (GPRA)
- OMB M-99-05, Instructions on Complying with the President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records"
- OMB M-99-18, Privacy Policies on Federal Web Sites
- OMB M-99-20, Security of Federal Automated Information Resources
- OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
- OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
- P.L. 93-579, Privacy Act of 1974, as amended (Title 5 United States Code [U.S.C.] Section 552a)
- P.L. 96-349, Trade Secrets Act (18 U.S.C., Section 1905)
- P.L. 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA)
- P.L. 99-474, Computer Fraud and Abuse Act (18 U.S.C. Section 1030)
- P.L. 99-508, Electronic Communications Privacy Act of 1986
- P.L. 100-235, Computer Security Act of 1987
- P.L. 103-62, Government Performance and Results Act of 1993 (GPRA)
- P.L. 103-356, Government Management Reform Act of 1994
- P.L. 104-13, Paperwork Reduction Act of 1995 (PRA)
- P.L. 104-106, Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996)
- P.L. 104-208, Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA)
- P.L. 104-231, Electronic Freedom of Information Act (e-FOIA)
- P.L. 105-277, Title XVII, Government Paperwork Elimination Act (GPEA)
- P.L. 107-347, Title III, Federal Information Security Management Act of 2002 (FISMA)
- Program Review for Information Security Management Assistance (PRISMA) Database
5.0 Requirements
| Document | Title | Requirement Decision Record |
|---|---|---|
| OMB Circular A-130 | Management of Federal Information Resources | Completed |
| CNSSD-500 | Information Assurance (IA) Education, Training, and Awareness | Completed |
| DOE M 200.1-1, Chapter 9 (restricted access) | Public Key Cryptography and Key Management (Unclassified) | Completed |
| DOE P 205.1 | Departmental Cyber Security Management Policy | Completed |
| E.O. 13103 | Computer Software Piracy | Completed |
| 61 Federal Register 6428 | Policies on Management of Federal Information Resources ([OMB] Circular No. A-130), dated 02-20-1996 (Final Action) | Completed |
| DOE-HQ Memo 06/25/2010 | Office of Science (SC) Program Cyber Security Plan (PCSP) | Completed |
| NSD 42 | National Policy for the Security of National Security Telecommunications and Information Systems | Completed |
| OMB M-04-26 | Personal Use Policies and "File Sharing" Technology | Completed |
| OMB M-06-19 | Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments | Completed |
| P.L. 107-347, 116 Stat. 289 | E-Government Act of 2002 - Federal Information Security Management Act (FISMA) | Completed |
6.0 Definitions
Last Major SCMS Revision: 11/05/2009