Attendee Introduction by aP68V1sd

VIEWS: 0 PAGES: 18

									                                 Lessons Learned:
                     Certification and Accreditation at LANL


                                                          Michael S. Zollinger
                                                         DCS-1 Group Leader
                          Departmental Computing Services Division
                                                                      LA-UR 09-03039




                                                                       UNCLASSIFIED

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Background

   •      DOE Secretary Bodman
          issues security compliance
          order (SCO) to Los Alamos
          National Laboratory in
          Summer 2007
          –      Requirements that had to be met by 12/10/08
          –      2 of the them required certification and accreditation
                 (C&A) of the unclassified and classified computing
                 environments under the NAP - 14.1-B, 14.2-B series
                 documents
                 •     Existing accredited classified plans had to be
                       reaccredited (~55 System Security Plans (SSP)
                 •     For the first time 14 unclassified SSP’s needed
                       to be accredited




                                                                       UNCLASSIFIED

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Groundwork

   •      From the start there were
          several daunting challenges
   •      LANL lacked the policy
          foundation required by the
          NAPs
          –      First several months of time were spent developing
                 policy
          –      This was very crucial work which is now being updated
                 •    Now required to implement the NAP “C” series
                      documents per our modified contract




                                                                       UNCLASSIFIED

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
How to Slice it?

         The unclassified –
          what to do, what to
          do?
          •      How do you divide this out?
          •      40 square mile campus with several
                 unclassified segments and standalone
                 computers
          •      Computers ranging from electron
                 microscopes, instrumentation cards, to high
                 performance computing clusters




                                                                       UNCLASSIFIED

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Compliance Foundation


                                                                          SSP
                                                           NAP 14.1-
                                                           B, 14.2-B
                                                     NIST 800-53

                                                                       UNCLASSIFIED      Slide 5

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
NIST 800-53


         System Security Plans
                                                                              Institutional
                                                                   LANL
      17 Families of                                                            Security
                                                              Implementation
        Controls                                                             Requirements
                                                                of Controls
                                                                                 (ISR)



                                                                       UNCLASSIFIED      Slide 6

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Institutional Security Requirements (ISR)

         LANL requirements for each SSP
          •      System must be registered in computer registration database (Hostmaster)
                 declaring SSP covering inventory item
          •      If networked, system must be scanned by our network scanning tool and report out
                 the vulnerabilities
                 —    Systems that contain vulnerabilities that are deemed critical are blocked at the
                      switch until remediated


         Some plans have additional ISR’s based
          on the risk profile for that plan


                                                                       UNCLASSIFIED              Slide 7

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Unclassified Computing System (Site) Security Plans




                                                                       UNCLASSIFIED      Slide 8

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Unclassified Production Computing SSP

         Scope
          •      Networked systems ranging from printers, laptops, embedded
                 systems, desktops, workstations, servers, compute clusters,
                 high performance compute clusters
          •      Over 30,000 inventory items of this nature across all spectrums
                 of unclassified networks


         Key Features
          •      Production Onsite Class – on LANL property only
                 —    9 operating systems – vendor or user community
                      supported with security related patches
          •      Production Mobile Class
                 —    7 operating systems – vendor or user community
                      supported with security related patches
                 —    may leave LANL property at times and may connect
                      through 3rd party ISP and VPN service to networks
          •      Must pass network scans for vulnerabilities
          •      Must be registered in Hostmaster registration database




                                                                       UNCLASSIFIED      Slide 9

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Unclassified Research and Development Computing

         Scope
          •      Networked systems ranging from laptops, embedded
                 systems, desktops, workstations, servers, compute
                 clusters, controls systems, data acquisition systems,
                 scientific instruments and instrumentation, etc.


         Key Features
          •      9 operating systems
          •      Customized and modified operating systems
          •      Must implement an engineered controls to protect
                 other networked devices from the unknown nature of
                 the system and still allow network scans for
                 vulnerabilities
          •      May not use wireless in any capacity
          •      May not leave an approved LANL location without
                 CSSM approval
          •      Must be registered in Hostmaster database

                                                                       UNCLASSIFIED      Slide 10

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Unclassified Legacy Computing

         Scope
          •      Laptops, desktops, workstations and servers
                 running approved operating systems that are no
                 longer supported by vendor or user community with
                 security related updates and patches


         Key Features
          •      May not leave LANL property or approved remote
                 locations without approval from CSSM in advance
          •      4 approved operating systems
          •      Must implement an engineered control to protect the
                 network from the vulnerabilities that it possesses
                 and still allow scanning for vulnerabilities
          •      May never have wireless
          •      Must be registered in Hostmaster database




                                                                       UNCLASSIFIED      Slide 11

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Unclassified Standalone Computing

         Scope
          •      Wide variety of computers ranging from laptops
                 and servers, to scientific instrumentation.
                 Located on LANL property and at collaborative
                 locations throughout the world


         Key Features
          •      Must receive approval to operate via a signed
                 enclosure
          •      Must be subject to audit every 90 days
          •      Must be approved annually
                 —    Three classes of systems
                        •      Pure standalone
                        •      Standalone LAN – not connected to any
                               institutional network, but may be connected
                               to other systems in a standalone island
                        •      Standalone VPN – never connect directly to
                               the institutional networks through any means
                               other than central VPN service
          •      Operating system agnostic
          •      Most problematic SSP to manage


                                                                       UNCLASSIFIED      Slide 12

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Challenges

         LANL has incurred a
          significant mortgage
          •      Maintenance cost is high


         Must fund most new
          requirements from
          existing funding streams
         Portfolio management
          underway


                                                                       UNCLASSIFIED      Slide 13

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Future

         NAPs “C” series are now
          in our contract and are
          being addressed
          •      Implementation plan and schedule are
                 being developed


         Hard work underway
          to integrate CAP
          solutions


                                                                       UNCLASSIFIED      Slide 14

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Lessons Learned

         Defining accreditation
          boundary is extremely
          important
         Good working relationship with
          DOE Site Office is crucial
          •      LANL is very fortunate in this case


         Frequent meetings with DOE
          are important to make sure
          everyone is on the same page



                                                                       UNCLASSIFIED      Slide 15

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Lessons Learned – cont.

         Education, education,
          education
          •      No matter how often we briefed people on
                 the accreditation process and the ensuing
                 requirements it didn’t penetrate


         Start early and keep in
          mind the mortgage
         Keep aspirin nearby

                                                                       UNCLASSIFIED      Slide 16

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Questions




                                                                       UNCLASSIFIED      Slide 17

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
Contact Information

                                                            msz@lanl.gov




                                                                       UNCLASSIFIED      Slide 18

Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA

								
To top