Sunday, August 12, 2007

Contract Measures and C&A

The Certification and Accreditation process is proceeding apace. The external auditors are completing their assessment and our documentation is nearly done.

It's also summer, which means it's contract performance measures time (PEMP-o-Rama). We'll be adding our own assurance section to the CIO blog as soon as these are finalized. Right now, it looks like we'll have a new leadership metric for communication to senior management about cyber security risks and threats, as well as "Section 8" cyber metrics and a new, albeit small, scorecard for IT successes at LBL.

On the policy front, UCOP issued a whole new set of requirements which are quite well conceived, especially the new IS-3. We'll be evaluating what, if anything, needs to be done to update our community-facing (RPM) or internal facing (CSPP) policies to reflect the new UC policies in the coming weeks.

As a final note, the word for the week is: Burdensomeness.


Sunday, August 5, 2007

Update, C&A, FISMA

The auditors we hired to perform our external Security Test and Evaluation for our C&A were onsite last week for the second phase of their testing. Things seem good and we await their final report.

I was at the University of California Information Technology Policy and Security in Santa Cruz last week. Among other interesting topics, some early discussion about the security and policy implications of dedicated on-demand connections of the kind being proposed throughout the R&E community turned out to be very interesting. Steve Lau and I gave a presentation about NIST and did some theorizing about the misapplication of FISMA to University grants and government partnerships. If you listen to my interview at Educause 2005, you can hear the outline of the problem we are seeing.

Basically, as agencies like the VA get into trouble you see broader (and improper) reading of the FISMA "on behalf of" and "government information" definitions, which are so overly broad as to trigger the FISMA requirements in pretty much any situation in which the government is involved (including research grants). This presents a situation where you might end up doing Certification and Accreditation type processes under small University research environments simply because they receive Federal funds. Not good.


Wednesday, August 1, 2007

e-discovery

Since it doesn't appear anywhere else, Nancy Ware is the e-discovery coordinator for LBL. We have a process in place to analyze and respond to possible e-discovery requests.