EITS Certification and Accreditation Process - PowerPoint PPT Presentation

Description:

Notes: Existing Sprint connections and VPN connectivity not shown; TIC OC-12 circuits not shown ... Connectivity Legend. All DS-3 Connections. All T-1 ... – PowerPoint PPT presentation

Slides: 31
Provided by: oliviag
Transcript and Presenter's Notes

1
EITS Certification and Accreditation Process: How do you document a nation-wide network?
Warren S. Udy, CISSP, Director, Office of Information Assurance and Cyber Security (IM-623), Energy IT Services, Office of the Chief Information Officer (OCIO), U.S. Department of Energy, (301) 903-5515
2
DOE Enterprise Network (DOEnet) (Wide Area Network) Site Capacity
Sites shown on the network diagram: NRLFO Schenectady; Richland Ops LAN; Hanford LAN; BPA; West Valley Project Office; NETL-Albany; NRLFO Pittsburgh; Idaho Ops / INL / WWIS Back-Up / AMWTP; RMOTC NPR-3; SC-Chicago; ESC-E; DOE-HQ; BPA/HQ; WAPA/D.C.; NETL-Pittsburgh; EM CBC; WAPA; Ohio Field Office; LLSO; Naval Yard; Golden NREL; PPPO (Lexington); NETL-Morgantown; GJPO; Yucca Mt; LM-Morgantown; SC-Oak Ridge; Y12 Site Office; Nevada Site Office; LASO; NETL-Tulsa; SWPA; ESC-W; NNSA; SC; Savannah River Ops; SEPA; ETS; Pantex; Carlsbad Field Office; SPRO
Capacity/Connectivity Legend: MPLS/IP Any-to-Any; DS-3 (15 Mb/s, 45 Mb/s); T1 (1.5 Mb/s); Connected via existing site
December 2008
Note: VPN connectivity not shown
DOEnet WAN MPLS/IP Network Diagrams / Maps
3
(No Transcript)
4
Terminology: The Challenge
  • Operational Management
    • DOENET is just wires from point to point
    • DOECOE is the desktop with all its back-end services
  • From a C&A point of view
    • DOENET is infrastructure
      • WAN
      • LAN
      • MAN
      • Firewall
      • Network Security
    • DOECOE is just the desktop. The other back-end
      services are covered in several other plans

5
PCSP
  • Stating the obvious...
  • DOE has five PCSPs per DOE Order 205.1A
    • NNSA
    • Office of Science
    • Under Secretary of Energy
    • Power Administration
    • Office of the CIO
  • All our efforts are under the OCIO PCSP.
  • Bill Lay, Associate CIO for IT Services, is the
    single DAA for unclassified systems.

6
DAA Risk Acceptance
  • Prior to 2008, over 15 DAAs covered the HQ
    network
  • In a report dated Oct 2007, HSS found:
    • Having multiple DAAs led to differing
      implementation of cyber security with varying
      risks.
    • C&A needs to address the complex IT operating
      environment that is shared by multiple
      organizations to ensure consistency of risk
      acceptance.
    • Need to establish a process for rolling up
      risks accepted by other DAAs to provide an
      overall risk.
  • Solution: One PCSP, one DAA, and
    DAA Representatives.

7
One DAA
  • Cons
    • OCIO does not understand our system!
    • How can the OCIO accept the risk for a system
      they know nothing about?
    • We want to control our system.
  • Pros
    • One risk acceptance view
    • Common understanding of all the network risks.
    • Common control acceptance for all offices
    • Efficiency through the use of master plans.
    • Common implementation of security controls.

8
DAA/Cyber Structure
Organization chart: Bill Lay, DAA; Eric Cole, DAAR; Warren Udy, Certification Agent; IM Systems; Mission/Office Systems
  • All systems also need
    • System/Data Owner
    • ISSO
  • ISSM needed for each major entity/office
9
DOENET: The Challenge
  • DOE Network: nationwide, constantly changing
  • Each office connects for different reasons.
    • Some for just financials
    • Some for ISP
    • Some because we provide back-end services
      (mail/storage, etc.) and their desktops (DOECOE)
  • We have over 7,300 desktops/laptops and over
    1,000 servers

10
Risk Management Framework
11
Supplemental Standards
System Security Plan
DOENET Common Controls (98)
STIG (FDCC if Required)
AHE Common Controls (46)
12
Initial System Review
System Security Plan
Five Page Summary
List of sub-systems Or Inventory list
13
Five Page Summary
  • FIPS-199 categorization of data
  • POCs
    • Data owner
    • ISSO
  • PIA
  • eAuth Review
  • Operating System
    • Possible variance in configuration
  • Interconnections
  • Security Scan
  • Final approval to include in a master plan and to
    operate. If the box does not fit any system, a
    full C&A will be initiated.

14
C&A Big Picture
Diagram labels: Windows, Unix, others, DOECOE, IBM, Oracle, SharePoint, PKI, DOENet
15
Common Controls
AHE
DOENet
16
Common Control Coverage: percentage of complete coverage
Remember: all controls must be addressed
17
(No Transcript)
18
Two types of connections
Diagram labels: Firewall; SITE A; DOENET; C&A Boundary
19
Two types of connections
Diagram labels: Controlled Interface; SITE B; DOENET; C&A Boundary
20
System Sub-System Boundary
21
DOENET Expansion to sites
  • Review legacy plans (A-B)
  • Inherit legacy plans in place (C)
  • Convert to OCIO plans (C-D)
  • Continuous Monitoring (D-Z...)

Timeline diagram with milestones A, B, C, D and Z.
22
Analogy
  • Construction
    • Walls
    • Utilities
    • Security
    • Fire suppression
    • Put furniture in building
  • Cyber C&A
    • Infrastructure
    • Common Controls
      • Environmental
      • Physical Security
      • Personnel Security
    • Put IT Systems in the federal site boundary.

23
C&A Big Picture
Diagram label: Site A
24
Adding the federal entity to DOENet
Diagram labels: GTN/FORS; Federal Entity; Site A
25
Adding the federal entity to DOENet
Diagram labels: Federal Entity; GTN/FORS
26
Embedded Users
27
Site Expansion Documents
  • Network Diagram
  • Boundary description
  • Roles and Responsibilities
  • Hardware inventory
  • Software inventory
  • Local threat review
  • Interconnect Agreement(s)
  • Documentation of site-specific Common Controls
  • Testing of Common Controls
  • POA&M as needed
  • Risk Assessment
  • Certification/Accreditation letters with
    signature

28
Roles and Responsibilities (RACI)
29
Future
  • More site visits
    • NNSA Sites
    • EM Sites
    • ??
  • Trusted Internet Connection

Diagram labels: DOENET System Security Plan; Site A; Site B; TIC
30
Questions?