Wednesday, September 26, 2007

ATO Granted

The DOE, through its DAA, the Manager of the BSO, has granted all five LBL enclaves new Authorities to Operate, good for three years. This was the penultimate step in what was basically a two-year-long process throughout the Office of Science, led by SC SIME Mike Robertson, to not only improve cyber security throughout the DOE Office of Science, but to improve it in a way that truly takes advantage of the unique risks, capabilities, and missions of the various Office of Science sites, while still maximizing the similarities of the approach to documentation and risk assessment.

The Certification and Accreditation process is described further here.

The new ATOs are good through September of 2010.

Getting this done in a way that actually reflects what we do here is no small feat. The security teams of the enclaves did an amazing job, as did the oversight group at BSO, supported by Oak Ridge and Headquarters - in particular Mike Robertson.

By the way, I say penultimate because, of course, the process doesn't end with the granting of the ATO. The continued operation, management, and improvement of LBNL's cyber security program is what the DAA accepts, and that is where the actual productive work of the LBNL cyber security teams resides.


Sunday, August 12, 2007

Contract Measures and C&A

The Certification and Accreditation process is proceeding apace. The external auditors are completing their assessment and our documentation is nearly done.

It's also summer, which means it's contract performance measures time (PEMP-o-Rama). We'll be adding our own assurance section to the CIO blog as soon as these are finalized. Right now, it looks like we'll have a new leadership metric for communication to senior management about cyber security risks and threats, as well as "Section 8" cyber metrics and a new, albeit small, scorecard for IT successes at LBL.

On the policy front, UCOP issued a whole new set of requirements which are quite well conceived, especially the new IS-3. In the coming weeks, we'll be evaluating what, if anything, needs to be done to update our community-facing (RPM) or internal-facing (CSPP) policies to reflect the new UC policies.

As a final note, the word for the week is: Burdensomeness.
