We put the fun in federally funded.

New motto for the Policy, Assurance, and Risk Management function of LBL.

Why doesn't anyone remember what an agency is?

Basically every law before FISMA rationally makes a distinction between National Labs and Feds. FISMA does too, it's just that everyone behaves as if it's not true.
Repeat after me: An M&O Contractor is not a "Contractor".


(1) the term "agency" means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include--

(A) the General Accounting Office;

(B) Federal Election Commission;

(C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or

(D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities;

Live from the NSF Large Facilities Conference

I'm in DC for the NSF Large Facilities Security conference. Excellent keynotes this morning (if a little depressing) and an enjoyable roundtable going on now. More on these a bit later, but in the meantime, here is the entirety of the NSF regulation on cyber security:

54.
Information Security
Security for all information technology (IT) systems employed in the performance of this award, including equipment and information, is the awardee’s responsibility. Within a time mutually agreed upon by the awardee and the cognizant NSF Program Officer, the awardee shall provide a written Summary of the policies, procedures, and practices employed by the awardee’s organization as part of the organization’s IT security program, in place or planned, to protect research and education activities in support of the award.
The Summary shall describe the information security program appropriate for the project including, but not limited to: roles and responsibilities, risk assessment, technical safeguards, administrative safeguards, physical safeguards, policies and procedures, awareness and training, and notification procedures in the event of a cyber-security breach. The Summary shall include the institution’s evaluation criteria that will measure the successful implementation of the IT Security Program.
In addition, the Summary shall address appropriate security measures
required of all subawardees, subcontractors, researchers and others who will have access to the systems employed in support of this award.
The Summary will be the basis of a dialog which NSF will have with the awardee, directly or through community meetings. Discussions will address a number of topics, such as, but not limited to, evolving security concerns and concomitant cyber-security policy and procedures within the government and at awardees' institutions, available education and training activities in cyber-security, and coordination activities among NSF awardees.

Why can't DOE have this?

NIST it by that much redux.

Steve Lau and my talk at Internet2, NIST It By That Much, is looking more perceptive by the day. The Department of Energy Office of the CIO has released hundreds of page of new draft policy which, in my opinion, misunderstands NIST in precisely the way we described: it fails to recognize that the NIST documents create a baseline of controls from which you as the system owner are supposed to tailor your set of controls, NIST 800-53 is a baseline, not a set of minimum security standards for all systems.

The critical step in the NIST C&A process is "Tailoring the Baseline". This is where NIST moves from a set of well founded but ultimately arbitrary checklists, to something of value. When you tailor the baseline you start with the prescribed NIST baseline, then use scoping guidance, compensating controls, and parameterization to created an initial tailored baseline. These three activities allow you to customize the set of controls for your environment. With that tailored baseline in mind, you assess the remaining residual risk. If that risk is unacceptable, you go back to tailoring the baseline again.

The new DOE CIO Policies attempt to turn 800-53 into a set of Minimum Security Standards across the Department of Energy. The problem is that 800-53 is not a set of Minimum Standards, it's a catalog of controls from which you adopt the ones that are right for your system and its level of risk. Unfortunately, the concept of a tailored baseline doesn't exist in these new documents.

More on tailoring:

Audit of the Department's Websites

The OIG has a draft out of their Audit of the Department's websites. Unfortunately, the cover letter asks that the draft not be shared. However, our response to the draft report can be shared (or in this case summarized).

LBL requires that all systems, whether they are workstations, servers, devices, microscopes, PDAs, or webservers, be managed in an appropriate, secure manner which integrates security into the lifecycle.

This approach is consistent with the philosophy that line management owns security - we want to push responsibility for appropriate configuration to the person responsible for using and managing the machine. This approach is also consistent with how most large research Universities manage websites (many servers, run at the Department or project level).

It is not consistent with the view that consolidation is always superior to decentralization.

Impact of HIPAA on US Medical / Public Health Research

Interesting article in Science this week reporting on a study in JAMA on the impact of the HIPAA Privacy Rule on Epidemiological researchers:

About 68% said the Privacy Rule has made research a great deal more difficult; half reported major delays; and nearly 40% faced much higher costs (see table). Only one-quarter said the rule has greatly improved confidentiality. Of those who modified a protocol to comply with HIPAA, two-thirds said it was much harder to recruit subjects.

The article goes on to talk about how the impacts come not just from the actual rule, but from uncertainty about how to apply the rule and, of course, cautiousness (risk-aversion).

For those who follow the micro-level of cyber security policy, this is not surprising but is always worth paying attention to. The impact of cyber security policy is not just felt in the rule itself, but in uncertainty regarding how far to take it and the over-cautiousness some rules and organizational relationships seem to impart.

Obviously, we want end users and developers to be aware of the risks they face, but in a research environment, the impact of this kind of uncertainty can lead to direct impacts on innovation and effective research.

ATO Granted

The DOE through its DAA, the Manager of the BSO, has granted all five lbl enclaves new Authorities to Operate good for three years. This was the penultimate step in what was basically a two year long process throughout the Office of Science, led by SC SIME Mike Robertson, to not only improve cyber security throughout the DOE Office of Science, but to improve it in a way that truly takes advantage of the unique risks, capabilities, and missions of the various Office of Science sites, while still maximizing the similarities of the approach to documentation and risk-assessment.

The Certification and Accreditation process is described further here.

The new ATOs are good through September of 2010.

Getting this done in a way that actually reflects what we do here is no small feat. The security teams of the enclaves did an amazing job, as did oversight group at BSO, supported by Oak Ridge and Headquarters - in particular Mike Robertson.

By the way, I say penultimate because, of course, the process doesn't end with the granting of the ATO. The continued operation, management, and improvement of LBNL's cyber security program is what the DAA accepts, and that is where the actual productive work of the LBNL cyber security teams resides.

Contract Measures and C&A

Certification and Accreditation process is proceeding apace. The external auditors are completing their assessment and our documentation is nearly done.

It's also summer which means its contract performance measures time (PEMP-o-Rama). We'll be adding our own assurance section to the CIO blog as soon as these are finalized. Right now, it looks like we'll have a new leadership metric for communication to senior management about cyber security risks and threats, as well as "Section 8" cyber metrics and a new, albeit small, scorecard for IT successes at LBL.

On the policy front, UCOP issued a whole new set of requirements which are quite well conceived, especially the new IS-3. We'll be evaluating what, if anything, needs to be done to update our community-facing (RPM) or internal facing (CSPP) policies to reflect the new UC policies in the coming weeks.

As a final note, the word for the week is: Burdensomeness.

Update, C&A, FISMA

The auditors we hired to perform our external Security Test and Evaluation for our C&A were onsite last week for the second phase of their testing. Things seem good and we await their final report.

I was at the University of California Information Technology Policy and Security in Santa Cruz last week. Among other interesting topics, some early discussion about the security and policy implications of dedicated on-demand connections of the kind being proposed throughout the R&E community turned out to be very interesting. Steve Lau and I gave a presentation about NIST and did some theorizing about the misapplication of FISMA to University grants and government partnerships. If you listen to my interview at Educause 2005, you can hear the outline of the problem we are seeing.

Basically, as agencies like the VA get into trouble you see broader (and improper) reading of the FISMA "on behalf of" and "government information" definitions, which are so overly broad as to trigger the FISMA requirements in pretty much any situation in which the government is involved (including research grants). This presents a situation where you might end up doing Certification and Accreditation type processes under small University research environments simply because they receive Federal funds. Not good.