5. Identifying Cyber Security Requirements for Classified Systems

Management System: Safeguards, Security, and Emergency Management

Procedure 5. Identifying Cyber Security Requirements for Classified Systems

Subject Matter Expert:	WALTER DYKAS
Management System Owner:	EARL HICKS
Secondary Management System Owner:	THOMAS GRADLE, JOHN MEDLOCK

| SCMS Home Page | Subject Area | Revision History | Subject Area Definitions

Issue Date: 04/05/2011
SCMS Revision: 2.5

1.0 Applicability

This information applies to all Office of Science (SC) Facilities Staff that assumes the roles and responsibilities for implementing the requirements in the SC Cyber Security Requirements for Classified Systems document and the SC National Security Systems (NSS) Program Cyber Security Plan (PCSP) Implementation Manual.

2.0 Required Procedure

Step 1	The SC Under Secretary, SC Director, SC Deputy Director for Field Operations, Associate Director for Safety, Security and Infrastructure (or his designee), Laboratory Directors, SC Supervisors, and Designated Approving Authority for the information system follow the Federal Information Security management Act (FISMA) implementation project model, determines the information group of the systems, and requires the control to assure the security of the information systems. NOTE: The approach is comprised of those activities that are specifically required within the FISMA framework and detailed in SC National Security Standards and guidance.
Step 2	The Information System Owner collects system data that includes: The information groups being processed, stored, or transmitted, Who owns the systems, The physical location of the servers, and End user devices. NOTE: The highest information group processed, stored, or transmitted determines the Protection Level (PL) for the system (see the SC NSS Manual, included in the SC PCSP).
Step 3	Senior DOE Management, SC, Information Systems Security Manager (ISSM), and/or the Information System Owner, review the required controls to determine if the information group needs additional controls due to Consequence of Loss (CoL) resulting from Integrity or Availability. NOTE: Sites have the flexibility to tailor the security controls to a more stringent protection level in accordance with the CoL determination. The entirety of this effort is documented in the site Master System Security Plan (SSP).
Step 4	The Information System Owner generates a set of documents consistent with National Information Assurance Certification and Accreditation Process (NIACAP) and the SC NSS manual . NOTE: This set includes a threat statement, risk assessment, Master SSP, SP for the various types of systems (standalone, isolated network etc) at the site, contingency plans, etc.
Step 5	The Information System Owner develops a Security, Test and Evaluation (ST&E) plan and tests the controls to ensure that everything functions as specified.
Step 6	The Certification Agent, or as designated by the Designated Approving Authority (DAA), documents the results of the ST&E along with all the previous documents, compiles into a signed certification document by the certifying official, and provides to the DAA. NOTE: The DAA must be a senior level employee of the United States Government; hold a United States Government security clearance with access approval corresponding with the level of information processed by the systems; and understand the operational need for the system(s) in question and the operational consequences of not operating the system(s). The SC DAAs are the Federal Integrated Support Center or Site Office Managers and the Senior Information Officer for Headquarters.
Step 7	The DAA accepts which risks have been mitigated by the implementation of controls and the remaining residual risks that are being mitigated and tracked in the Plan of Actions and Milestones (POA&M) process.
Step 8	If the POA&M items are not met in a timely manner, the DAA may choose to withdraw the ATO at anytime.
Step 9	The DAA then makes a decision concerning whether or not the system is allowed to operate under these conditions and issues or refuses to issue a full Authority to Operate (ATO).

3.0 References

10 CFR 1045, Nuclear Classification and Declassification (1998)
CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
CNSS Policy No. 22, Information Assurance Risk Management Policy for National Security Systems
DoD 5220.22-M, National Industrial Security Program Operating Manual

DOE O 142.1, Classified Visits Involving Foreign Nationals
DOE O 142.3, Change 1, Unclassified Foreign Visits and Assignments
DOE O 221.1A, Reporting Fraud, Waste, and Abuse to the Office of Inspector General
DOE O 221.2A, Cooperation with the Office of Inspector General
DOE P 226.1A, Department of Energy Oversight Policy
DOE O 226.1A, Implementation of Department of Energy Oversight Policy
DOE M 452.4-1A, Protection of Use Control Vulnerabilities and Design
DOE P 470.1, Integrated Safeguards and Security Management (ISSM) Policy
DOE O 470.2B, Independent Oversight and Performance Assurance Program
DOE O 470.4A, Safeguards and Security Program
DOE M 470.4-1, Change 1, Safeguards and Security Program Planning and Management
DOE M 470.4-2A, Physical Protection
DOE M 470.4-4A, Information Security
DOE M 470.4-5, Personnel Security
DOE O 471.1A, Identification and Protection of Unclassified Controlled Nuclear Information
DOE O 475.1, Counterintelligence Program
DOE O 5610.2, Change 1, Control of Weapon Data
Executive Order (E.O.) 12958, Classified National Security Information, dated 04/20/1995
E.O. 13011, Federal Information Technology
E.O. 13231, Critical Infrastructure Protection in the Information Age, dated 10/16/2001, under this Executive Order, the President redesignated the National Security Telecommunications and Information Systems Security Committee (NSTISSC) as the Committee on National Security Systems (CNSS)
E.O. 13526, Classified National Security Information Memorandum, dated 12/29/2009
HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors
Memorandum from George Malosh, Acting Chief Operating Officer, Office of Science (SC), to SC Associate Directors, SC Office Directors, and SC Site Office Managers, titled "Office of Science Policy on the Protection of Personally Identifiable Information," dated 08/07/2006 (NOTE: CS-38 has been superseded by DOE O 206.1.)
NISPOM, National Industrial Security Program Operations Manual
National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules
NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems
NIST FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems
NIST SP 800‑26, Security Self‑Assessment Guide for Information Technology Systems, was withdrawn on 02/2007 and superceded by NIST FIPS 200, NIST SP 800-53, and NIST SP 800-53A.
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
NIST SP 800‑37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-48, Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program
NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-55, Revision 1 , Security Metrics Guide for Information Technology Systems
NIST SP 800-60, Volume 1, Revision 1 , Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1: Guide
NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2: Appendices
NIST SP 800-61, Computer Security Incident Handling Guide
NIST SP 800-64, Revision 2, Security Considerations in the Information System Development Life Cycle
NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process
NIST SP 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developer
NIST SP 800-73, Revision 2, Interfaces for Personal Identity Verification
NIST SP 800-83, Guide to Malware Incident Prevention and Handling
NIST SP 800-88, Guidelines for Media Sanitization
NIST SP 800-92, Guide to Computer Security Log Management
NSTISSC Directive No 501, National Training Program for Information Systems Security (INFOSEC) Professionals
NSTISSC INFOSEC 1-99, The Insider Threat to U S. Government Information Systems
NSTISSC Policy No.11, National Information Assurance Acquisition Policy
NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP)
Office of Science (SC) Program Cyber Security Plan (PCSP)
OMB Circular A-76, Performance of Commercial Activities (Outsourcing)
OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs
OMB Circular A-123, Management Accountability and Control
OMB Circular A-127, Financial Management Systems
OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources (11/28/2000); Appendix III
OMB M-00-07, Incorporating and Funding Security in Information Systems Investments
OMB M-00-10, OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
OMB M-00-13, Privacy Policies and Data Collection on Federal Web Sites
OMB M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act
OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy
OMB M-01-08, Guidance on Implementing the Government Information Security Reform Act
OMB M-01-26, Component-Level Audits
OMB M-02-12, Reducing Redundant IT Infrastructure to Homeland Security
OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB M-04-04, E-Authentication Guidance for Federal Agencies
OMB M-04-16, Software Acquisition
OMB M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management
OMB M-05-02, Financial Management Systems
OMB M-05-04, Policies for Federal Agency Public Websites
OMB M-05-05, Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
OMB M-05-08, Designation of Senior Agency Officials for Privacy
OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996
OMB M-97-02, Funding Information Systems Investments
OMB M-98-04, Annual Performance Plans Required by the Government Performance and Results Act (GPRA)
OMB M-99-05, Instructions on complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records"
OMB M-99-18, Privacy Policies on Federal Web Sites
OMB M-99-20, Security of Federal Automated Information Resources
OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies
OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
P.L. 93-579, Privacy Act of 1974, as amended (Title 5 United States Code [U.S.C.] Section 552a)
P.L. 96-349, Trade Secrets Act (18 U.S.C., Section 1905)
P.L. 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA)
P.L. 99-474, Computer Fraud and Abuse Act (18 U.S.C. Section 1030)
P.L. 99-508, Electronic Communications Privacy Act of 1986
P.L. 100-235, Computer Security Act of 1987
P.L. 103-62, Government Performance and Results Act of 1993 (GPRA)
P.L. 103-356, Government Management Reform Act of 1994
P.L. 104-13, Paperwork Reduction Act of 1995 (PRA)
P.L. 104-106, Division E, Clinger-Cohen Act (Information Technology Management Reform Act of 1996)
P.L. 104-208, Title VIII, Federal Financial Management Improvement Act of 1996 (FFMIA)
P.L. 104-231, Electronic Freedom of Information Act (e-FOIA)
P.L. 105-277, Title XVII, Government Paperwork Elimination Act (GPEA)
P.L. 107-347, Title III, Federal Information Security Management Act of 2002 (FISMA)
Program Review for Information Security Management Assistance (PRISMA) Database
SC Records Maintained on Individuals Subject Area

This is not the online OFFICIAL SCMS COPY of this file. Before using this printed copy, verify that it is the most current version by checking the Last Major Revision and Last Minor Revision dates (at the bottom of each document) on the SCMS Web site.

This is the online OFFICIAL SCMS COPY of this file. Before using a printed copy, verify that it is the most current version by checking the Last Major Revision and Last Minor Revision dates (at the bottom of each document) on the SCMS Web site.

| SCMS Home Page | Subject Area | Revision History |

Send a question or comment to the SCMS Help Desk.
Disclaimer

Filename: \ORBIT\OrbitSearch\SubjArea\CS\CS_Pro5.cfm
Last Major SCMS Revision: 11/05/2009