Friday, February 22, 2008

NIST it by that much redux.

The talk Steve Lau and I gave at Internet2, NIST It By That Much, is looking more perceptive by the day. The Department of Energy Office of the CIO has released hundreds of pages of new draft policy which, in my opinion, misunderstands NIST in precisely the way we described: it fails to recognize that the NIST documents establish a baseline of controls from which you, as the system owner, are supposed to tailor your own set of controls. NIST 800-53 is a baseline, not a set of minimum security standards for all systems.

The critical step in the NIST C&A process is "Tailoring the Baseline". This is where NIST moves from a set of well-founded but ultimately arbitrary checklists to something of value. When you tailor the baseline, you start with the prescribed NIST baseline for your system's impact level, then use scoping guidance, compensating controls, and parameterization to create an initial tailored baseline. These three activities let you customize the set of controls for your environment; each tailoring decision and its rationale is recorded in the system security plan so that the assessor and the approving authority can see why a control was dropped, replaced, or adjusted. With that tailored baseline in mind, you assess the remaining residual risk. If that risk is unacceptable, you go back and tailor the baseline again.

The new DOE CIO policies attempt to turn 800-53 into a set of minimum security standards across the Department of Energy. The problem is that 800-53 is not a set of minimum standards; it's a catalog of controls from which you adopt the ones that are right for your system and its level of risk. Unfortunately, the concept of a tailored baseline doesn't exist in these new documents.

More on tailoring:


Wednesday, September 26, 2007

ATO Granted

The DOE, through its DAA (Designated Approving Authority), the Manager of the BSO, has granted all five LBL enclaves new Authorities to Operate good for three years. This was the penultimate step in what was basically a two-year process throughout the Office of Science, led by SC SIME Mike Robertson, to improve cyber security across the DOE Office of Science, and to do so in a way that truly accounts for the unique risks, capabilities, and missions of the various Office of Science sites while keeping the approach to documentation and risk assessment as consistent as possible.

The Certification and Accreditation process is described further here.

The new ATOs are good through September of 2010.

Getting this done in a way that actually reflects what we do here is no small feat. The security teams of the enclaves did an amazing job, as did the oversight group at BSO, supported by Oak Ridge and Headquarters, in particular Mike Robertson.

By the way, I say penultimate because, of course, the process doesn't end with the granting of the ATO. What the DAA accepts is the continued operation, management, and improvement of LBNL's cyber security program, and that is where the actual productive work of the LBNL cyber security teams resides.


Sunday, August 12, 2007

Contract Measures and C&A

The Certification and Accreditation process is proceeding apace. The external auditors are completing their assessment, and our documentation is nearly done.

It's also summer, which means it's contract performance measures time (PEMP-o-Rama). We'll be adding our own assurance section to the CIO blog as soon as these are finalized. Right now, it looks like we'll have a new leadership metric for communication to senior management about cyber security risks and threats, as well as "Section 8" cyber metrics and a new, albeit small, scorecard for IT successes at LBL.

On the policy front, UCOP issued a whole new set of requirements which are quite well conceived, especially the new IS-3. In the coming weeks we'll be evaluating what, if anything, needs to be done to update our community-facing (RPM) or internal-facing (CSPP) policies to reflect the new UC policies.

As a final note, the word for the week is: Burdensomeness.
