Management System: Safeguards, Security, and Emergency Management
Subject Area: Cyber Security
Procedure 5. Identifying Cyber Security Requirements for Classified Systems
Subject Matter Expert: WALTER DYKAS
Management System Owner: EARL HICKS
Secondary Management System Owner: THOMAS GRADLE, JOHN MEDLOCK
Issue Date: 04/05/2011
SCMS Revision: 2.5
1.0 Applicability
This procedure applies to all Office of Science (SC) Facilities Staff who assume the roles and responsibilities for implementing the requirements in the SC Cyber Security Requirements for Classified Systems document and the SC National Security Systems (NSS) Program Cyber Security Plan (PCSP) Implementation Manual.
2.0 Required Procedure
Step 1: The SC Under Secretary, SC Director, SC Deputy Director for Field Operations, Associate Director for Safety, Security and Infrastructure (or designee), Laboratory Directors, SC Supervisors, and the Designated Approving Authority (DAA) for the information system follow the Federal Information Security Management Act (FISMA) implementation project model, determine the information group of the systems, and require the controls that assure the security of the information systems. NOTE: The approach comprises those activities that are specifically required within the FISMA framework and detailed in SC National Security Standards and guidance.
Step 2: The Information System Owner collects system data that includes:
NOTE: The highest information group processed, stored, or transmitted determines the Protection Level (PL) for the system (see the SC NSS Manual, included in the SC PCSP).
Step 3: Senior DOE Management, SC, the Information Systems Security Manager (ISSM), and/or the Information System Owner review the required controls to determine whether the information group needs additional controls because of the Consequence of Loss (CoL) resulting from a loss of integrity or availability. NOTE: Sites have the flexibility to tailor the security controls to a more stringent protection level in accordance with the CoL determination. The entirety of this effort is documented in the site Master System Security Plan (SSP).
Step 4: The Information System Owner generates a set of documents consistent with the National Information Assurance Certification and Accreditation Process (NIACAP) and the SC NSS Manual. NOTE: This set includes a threat statement, risk assessment, Master SSP, SSPs for the various types of systems (standalone, isolated network, etc.) at the site, contingency plans, etc.
Step 5: The Information System Owner develops a Security Test and Evaluation (ST&E) plan and tests the controls to ensure that everything functions as specified.
Step 6: The Certification Agent (or a person designated by the DAA) documents the results of the ST&E along with all the previous documents, compiles them into a certification package signed by the certifying official, and provides it to the DAA. NOTE: The DAA must be a senior-level employee of the United States Government; hold a United States Government security clearance with access approval corresponding to the level of information processed by the systems; and understand the operational need for the system(s) in question and the operational consequences of not operating the system(s). The SC DAAs are the Federal Integrated Support Center or Site Office Managers and the Senior Information Officer for Headquarters.
Step 7: The DAA reviews which risks have been mitigated by the implemented controls and accepts the remaining residual risks, which are mitigated and tracked through the Plan of Actions and Milestones (POA&M) process.
Step 8: If the POA&M items are not met in a timely manner, the DAA may choose to withdraw the Authority to Operate (ATO) at any time.
Step 9: The DAA then decides whether the system is allowed to operate under these conditions and issues or refuses to issue a full ATO.
3.0 References
- 10 CFR 1045, Nuclear Classification and Declassification (1998)
- CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
- CNSS Policy No. 22, Information Assurance Risk Management Policy for National Security Systems
- DoD 5220.22-M, National Industrial Security Program Operating Manual
- DOE O 142.1, Classified Visits Involving Foreign Nationals
- DOE O 142.3, Change 1, Unclassified Foreign Visits and Assignments
- DOE O 221.1A, Reporting Fraud, Waste, and Abuse to the Office of Inspector General
- DOE O 221.2A, Cooperation with the Office of Inspector General
- DOE P 226.1A, Department of Energy Oversight Policy
- DOE O 226.1A, Implementation of Department of Energy Oversight Policy
- DOE M 452.4-1A, Protection of Use Control Vulnerabilities and Design
- DOE P 470.1, Integrated Safeguards and Security Management (ISSM) Policy
- DOE O 470.2B, Independent Oversight and Performance Assurance Program
- DOE O 470.4A, Safeguards and Security Program
- DOE M 470.4-1, Change 1, Safeguards and Security Program Planning and Management
- DOE M 470.4-2A, Physical Protection
- DOE M 470.4-4A, Information Security
- DOE M 470.4-5, Personnel Security
- DOE O 471.1A, Identification and Protection of Unclassified Controlled Nuclear Information
- DOE O 475.1, Counterintelligence Program
- DOE O 5610.2, Change 1, Control of Weapon Data
- Executive Order (E.O.) 12958, Classified National Security Information, dated 04/20/1995
- E.O. 13011, Federal Information Technology
- E.O. 13231, Critical Infrastructure Protection in the Information Age, dated 10/16/2001 (under this Executive Order, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS))
- E.O. 13526, Classified National Security Information, dated 12/29/2009
- HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
- Memorandum from George Malosh, Acting Chief Operating Officer, Office of Science (SC), to SC Associate Directors, SC Office Directors, and SC Site Office Managers, titled "Office of Science Policy on the Protection of Personally Identifiable Information," dated 08/07/2006 (NOTE: CS-38 has been superseded by DOE O 206.1.)
- NISPOM, National Industrial Security Program Operating Manual
- National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules
- NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
- NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors
- NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems (withdrawn 02/2007 and superseded by NIST FIPS 200, NIST SP 800-53, and NIST SP 800-53A)
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
- NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
- NIST SP 800-48, Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
- NIST SP 800-50, Building an Information Technology Security Awareness and Training Program
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations
- NIST SP 800-55, Revision 1, Performance Measurement Guide for Information Security
- NIST SP 800-60, Volume 1, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1: Guide
- NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2: Appendices
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-64, Revision 2, Security Considerations in the System Development Life Cycle
- NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
- NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers
- NIST SP 800-73, Revision 2, Interfaces for Personal Identity Verification
- NIST SP 800-83, Guide to Malware Incident Prevention and Handling
- NIST SP 800-88, Guidelines for Media Sanitization
- NIST SP 800-92, Guide to Computer Security Log Management
- NSTISSC Directive No. 501, National Training Program for Information Systems Security (INFOSEC) Professionals
- NSTISSC INFOSEC 1-99, The Insider Threat to U.S. Government Information Systems
- NSTISSC Policy No. 11, National Information Assurance Acquisition Policy
- NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP)
- OMB Circular A-76, Performance of Commercial Activities (Outsourcing)
- OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs
- OMB Circular A-123, Management Accountability and Control
- OMB Circular A-127, Financial Management Systems
- OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (11/28/2000), Appendix III
- OMB M-00-07, Incorporating and Funding Security in Information Systems Investments
- OMB M-00-10, OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
- OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites
- OMB M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act
- OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy
- OMB M-01-08, Guidance on Implementing the Government Information Security Reform Act
- OMB M-01-26, Component-Level Audits
- OMB M-02-12, Reducing Redundant IT Infrastructure Related to Homeland Security
- OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
- OMB M-04-04, E-Authentication Guidance for Federal Agencies
- OMB M-04-16, Software Acquisition
- OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
- OMB M-05-02, Financial Management Systems
- OMB M-05-04, Policies for Federal Agency Public Websites
- OMB M-05-05, Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
- OMB M-05-08, Designation of Senior Agency Officials for Privacy
- OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996
- OMB M-97-02, Funding Information Systems Investments
- OMB M-98-04, Annual Performance Plans Required by the Government Performance and Results Act (GPRA)
- OMB M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records"
- OMB M-99-18, Privacy Policies on Federal Web Sites
- OMB M-99-20, Security of Federal Automated Information Resources
- OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
- OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
- P.L. 93-579, Privacy Act of 1974, as amended (Title 5 United States Code [U.S.C.] Section 552a)
- P.L. 96-349, Trade Secrets Act (18 U.S.C. Section 1905)
- P.L. 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA)
- P.L. 99-474, Computer Fraud and Abuse Act (18 U.S.C. Section 1030)
- P.L. 99-508, Electronic Communications Privacy Act of 1986
- P.L. 100-235, Computer Security Act of 1987
- P.L. 103-62, Government Performance and Results Act of 1993 (GPRA)
- P.L. 103-356, Government Management Reform Act of 1994
- P.L. 104-13, Paperwork Reduction Act of 1995 (PRA)
- P.L. 104-106, Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996)
- P.L. 104-208, Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA)
- P.L. 104-231, Electronic Freedom of Information Act (e-FOIA)
- P.L. 105-277, Title XVII, Government Paperwork Elimination Act (GPEA)
- P.L. 107-347, Title III, Federal Information Security Management Act of 2002 (FISMA)
- Program Review for Information Security Management Assistance (PRISMA) Database
Last Major SCMS Revision: 11/05/2009