Office of the Chief Information Officer: Rosio Alvarez
Information Technology Assurance
First Quarter 2008 Performance Report
This is a 100-point Cyber Security Scorecard covering reviews, corrective actions, improvements, risk assessments, and multiple training measures. The eight measures below total 100 points.

1. Objective: The Laboratory conducts internal and external reviews of its security program.
   Maximum Score: 20
   Protocol: Starts or ends during the performance period. Cannot double count across performance periods.
   Performance Updates:

2. Corrective Action Management
   Objective: The Laboratory closes findings in a timely manner.
   Maximum Score: 10
   Protocol: Measured via closure of reported main action POAMs to schedule via quarterly report.
   Performance Updates:

3. Objective: The Laboratory codifies its understanding of risk.
   Maximum Score: 10
   Protocol: Annual risk assessment conducted by enclave, turned in to the site office during the performance period.
   Performance Updates:

4. New or Substantially Improved Controls
   Objective: The Laboratory continuously improves the effectiveness of its management, operational, and technical control environment by creating new controls or improving existing ones.
   Maximum Score: 10
   Protocol: Will jointly agree with BSO on value as we propose and develop new controls.
   Performance Updates:

5. Objective: The Laboratory ensures the awareness of its staff through training.
   Maximum Score: 20
   Protocol: As measured by the defined employee group within JHQ.
   Performance Updates:

6. Objective: The Laboratory will ensure that risk-based categories of guests receive appropriate cyber training.
   Maximum Score: 10
   Protocol: LBNL will select at least two organizations to prototype mandatory cyber training for guests (not annual). Total population size will be >30 people.
   Discussion: The guest issue is different for cyber security than for EHS training. Because many of our guests are either very short-term or receive training from other organizations (such as LLNL), and because our training is quite high level, we have identified that only certain categories of individuals should receive guest training. We are still attempting to understand the best way of capturing this, and who needs the LBL cyber security training. This project is the first step in that regard, identifying targeted guest types and organizations for this project.
   Performance Updates:

7. Objective: LBNL will train individuals who manage PII on their responsibilities.
   Maximum Score: 10
   Protocol: LBNL will identify the position/organization categories for PII training, develop the training, and train as required within the performance period.
   Discussion: This is a major initiative involving the identification of PII-responsible individuals and the development of a new and intensive course on PII management.
   Performance Updates:

8. Completion of Certification
   Objective: The Laboratory will complete the necessary paperwork to certify its systems.
   Maximum Score: 10
   Protocol: Certification is a Laboratory responsibility. This does not address accreditation.
   Performance Updates: