
Page 1: Policy Formulation, the Real Scoop Computer Security Awareness Day

Policy Formulation, the Real Scoop: Computer Security Awareness Day

Mark Leininger September 11, 2007

Page 2

What is this talk about?

- Computer Security (honest)
- How Federal Law results in the computer security rules that we are obligated to follow.

Was high school civics class like this?

Page 4

Policy Process

A peer at another lab suggested just showing a video of a dense fog slowly rolling in to describe the government process:

Page 6

Four Sources of Federal Law

- Constitution
- Statutes
- Administrative Law (Regulations)
- Common Law

Page 7

Constitution

- Origin of Federal Law
- Allows Congress to create Statutes
- Here is the process by which Congress creates Statutes (and other things)

Page 9

Statutes

- Statute is synonymous with “Law” and “Act of Congress”
- Statute is legislation that has passed Congress
- Constitution gives Congress the power to create Statutes for limited purposes, for example to regulate commerce
- Statutes are codified in the United States Code (USC)

Examples of recent Statutes:

- December 8, 1993 — North American Free Trade Agreement Implementation Act, Pub.L. 103-182, 107 Stat. 2057
- 2001-10-26 — Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism ("USA PATRIOT") Act, Pub.L. 107-56, 115 Stat. 272
- 2002-07-30 — Sarbanes-Oxley Act, Pub.L. 107-204, 116 Stat. 745
- 2002-11-25 — Homeland Security Act, Pub.L. 107-296, 116 Stat. 2135
- 2002-12-17 — E-Government Act of 2002, Pub.L. 107-347, 116 Stat. 2899

Page 10

Statutes

Some Statutes give Agencies of the Executive Branch the power to create Regulations. Not all Regulations achieve the desired effect:

Page 12

Regulations: Administrative Law

- Published in the Federal Register
- Codified into the Code of Federal Regulations (CFRs)
- Regulation is not synonymous with law, but ends up having the force of law because it defines how to be in compliance with a law
- Regulations are the mechanism by which almost all day-to-day computer security requirements reach us at Fermilab

Page 13

Review

Four sources of Federal Law:

- Constitution (gives Congress the right to create Statutes)
- Statutes (give agencies the right to create regulations)
- Administrative Law (Regulations)
- Common Law

The rest of this talk will focus on Administrative Law, specifically how regulations involving computer security make their way to the lab.

Page 14

Office of Management and Budget

Recall: Statutes give Agencies of the Executive Branch of Government the power to create Regulations.

OMB is the largest office in the Executive Office of the President (EOP)

OMB is tasked with giving expert advice to senior White House officials on a range of topics relating to federal policy, management, legislative, regulatory, and budgetary issues. The bulk of OMB's 500 employees are charged with monitoring the adherence of their assigned federal programs to presidential policies.

Page 15

OMB and Information Systems

The Clinger-Cohen Act (a Statute) of 1996 requires OMB to:

- Establish processes for executive agencies to analyze, track, and evaluate the risks and results of major capital investments for information systems, and
- Report on the net program performance benefits achieved by executive agencies as a result of major capital investments in information systems.

The Clinger-Cohen Act assigns agencies (like DOE) the responsibility for implementing OMB policies through effective capital planning and performance- and results-based management.

Page 16

Department of Energy

DOE is a cabinet level agency in the Executive Branch

The President’s Cabinet consists of the highest level appointed officials in the Executive Branch, for example DOE, Department of Defense, Department of Transportation, Department of Homeland Security, etc.

Page 17

DOE

Here are two DOE org charts that show how the site office that manages Fermilab fits into DOE

Page 20

How does Fermilab fit into DOE?

- Fermilab is a Federally Funded Research and Development Center.
- Fermilab is operated as a Government Owned Contractor Operated (GOCO) entity.

Page 21

Fermilab is an FFRDC

A Federally Funded Research and Development Center. Federal Acquisition Regulation (FAR) part 35 defines an FFRDC:

An FFRDC meets some special long-term research or development need which cannot be met as effectively by existing in-house or contractor resources.

FFRDCs are operated, managed, and/or administered by either a university or consortium of universities, other not-for-profit or nonprofit organization, or an industrial firm, as an autonomous organization or as an identifiable separate operating unit of a parent organization.

Page 22

Fermilab is operated as a GOCO

Fermilab as a facility is Government Owned Contractor Operated (GOCO). The contractor is Fermi Research Alliance (FRA), an alliance between the University of Chicago and University Research Associates (URA).

We are not Federal Employees. Our records (employee, financial, legal, etc.) are not the property of the government; they belong to Fermilab.

Page 23

Computer Security Requirements are in Fermilab’s Contract

There is a contract between FRA and DOE to manage Fermilab. One of the items specified in that contract is the list of DOE regulations that Fermilab must comply with, and a process for updating that list managed through our DOE site office.

The list of regulations in our contract can be seen at: Fermilab Contract

These regulations go through a public review and comment process, RevCom, before being placed in our contract.

Page 24

Program Cyber Security Plan

One of the orders in our contract with DOE requires us to be in compliance with a document written by the Office of Science, called the Program Cyber Security Plan (PCSP)

The PCSP requires us to be in compliance with a broad range of Federal regulations, seen partially on the next slide.

Page 25

Some of the Requirements in PCSP

Applicable Standards and Guidance

Legislation

- Office of Management and Budget (OMB) Memorandum 03-33, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003.
- Office of Management and Budget (OMB) Memorandum 99-05, Instructions For Complying With The President's Memorandum Of May 14, 1998, "Privacy and Personal Information in Federal Records", January 7, 1999.
- Public Law 107-347 (44 U.S.C. Ch 36), E-Government Act of 2002, Title III— Information Security, also known as the Federal Information Security Management Act (FISMA) of 2002.
- Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, February 8, 1996.
- Public Law, Information Technology Management Reform Act of 1996 (Clinger-Cohen Act)

NIST Guidance

Federal Information Processing Standards (FIPS)

- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, July 2005.
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

Special Publications

- SP 800-70, The NIST Security Configuration Checklists Program, May 2005.
- SP 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.
- SP 800-64, Security Considerations in the Information System Development Life Cycle, October 2003 (publication original release date) (revision 1 released June 2004).
- SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.
- SP 800-53, Recommended Security Controls for Federal Information Systems, February 2005.
- SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.
- SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.
- SP 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.
- SP 800-30, Risk Management Guide for Information Technology Systems, July 2002.
- SP 800-26, Rev. 1, NIST DRAFT Special Publication 800-26, Revision 1: Guide for Information Security Program Assessments and System Reporting Form.
- SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

DOE Policy and Guidance

- Revitalization of the Department of Energy Cyber Security Program (1/2006)
- Department of Energy Cyber Security Management Program, Order 205.1 (Draft)
- Department of Energy Cyber Security Management Program (3/21/2003)
- Notice 205.1-1, Incident Prevention Warning and Response Manual
- Notice 205.2, Foreign National Access to DOE Cyber Systems (extended to 9/30/06)
- Notice 205.3, Password Generation, Protection and Use (extended to 9/30/06)
- Notice 205.4, Handling Cyber Alerts and Advisories, and Reporting Cyber Security Incidents (extended to 07/06/05)
- Notice 205.8, Cyber Security Requirements for Wireless Devices and Information Systems (3/18/06)
- Notice 205.9, Certification and Accreditation Process for Information Systems, including National Security Systems (3/18/06)
- Notice 205.10, Cyber Security Requirements for Risk Management (3/18/06)
- Notice 205.11, Security Requirements for Remote Access to DOE and Applicable Contractor Information Technology Systems (3/1/8/06)
- Notice 205.12, Clearing, Sanitizing, and Destroying Information System Storage Media, Memory Devices, and Other Related Hardware (2/19/2004)
- Notice 205.13, Extension of DOE Directive on Cyber Security (7/6/2004)

Page 26

PCSP requires a CSPP

The PCSP requires a Cyber Security Program Plan (CSPP)

The CSPP is the framework document for all computer security requirements at the lab.

Computer Security Documents

Page 27

Monitoring and Audits

To ensure we are complying with all the required computer security regulations, the computer security program is audited several times a year by:

- Inspector General
- DOE/CIO (Chief Information Officer in DOE)
- Office of Science in DOE
- Safeguards and Security Office in DOE

These audits are in addition to all the other audits at the lab, for example financial, property, physical security, etc.

We get data calls several times each month. Sometimes it feels like everyone is out to get us…

Page 29

President’s Management Agenda

In 2001 the White House announced a strategy for improving management of government: President's Management Agenda

One requirement in PMA is Scorecards for each agency, including DOE. Areas such as computer security are rated as red, yellow or green. The pressure to reach a green score indirectly affects how resources are expended on computer security.

Page 30

Summary

Constitution
-> Congress makes Statutes
-> Statutes empower agencies to create regulations
-> Regulations are in the Fermi contract with DOE
-> Regulations require compliance with DOE Program Cyber Security Plan
-> Program Cyber Security Plan requires compliance with broad range of other government regulations
-> Program Cyber Security Plan requires us to have and follow a Cyber Security Program Plan, which contains our site requirements for computer security

Got it?