									System Name (General System Controls in place at BNL)

Date 4/29/2005

Name of individual leading testing: Kathy Hauser         Organization: ITD        Phone:

Other team member names: Steven Senz and Gary Tarbet, System 1

The table below lists the NIST SP 800-53 baseline low security controls: the minimal controls that should be in place for a system
which has been assessed to have a low level of risk in the areas of confidentiality, integrity and availability. The system owner is
authorized to, and should, supplement these controls if there are particular risks for the system under review that are not covered by
the controls listed below. The first three columns are taken directly from NIST SP 800-53 Supplement 1. The right four columns allow
the system owner to document the following:

       • Is the security control currently in place and enforced for the system under review? This is a Yes/No response. All No responses will
        normally require an entry in the system plan of actions and milestones (POA&M) to correct the deficiency.
       • The second column provides an area for the system owner to describe the actual control being used for the system. NIST provides a
        recommended control. If the system owner does not utilize the recommended control then a compensating control must be implemented
        and documented here.
       • Has the control been verified? This is again a Yes/No response.
       • If the control has been verified, how was it accomplished? To fit in the available space the following codes are recommended:
             o DR – document review
             o VT – visual test – I assume this means something you "see", like on a screen; if so, are most of these really visual tests?
             o PT – physical test – I assume this means something you "touch/hear", e.g. the weight or height of an object, or alarm volume.
             o OT – other (document the test conducted in column two with the control discussion.)




Baseline Low Security Controls per NIST SP 800-53                   Page 1 of 54                                                    8/9/2005
                      This form is For Official Use ONLY (FOUO) when filled in for a particular system
Columns (each control is recorded below under these headings):
Control # and Control name – from NIST SP 800-53
Control – the NIST SP 800-53 control text
In place? (Y/N)
Description of control – if an alternative control is utilized, describe the control and the assurance that it meets the intent of the original control
Verified? (Y/N)
How verified – DR / VT / PT / OT, with the reference consulted

AC-1  ACCESS CONTROL POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
In place? Y
Description of control: SBMS Cyber Security, Unclassified Section 1 – Accessing Computing/Networking Resources provides the formal process for obtaining access to BNL computing resources. See https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro1.cfm. Prior to entering this process the individual must have an active BNL appointment and have been processed through the Guest Information System (GIS) as described below. In addition, prior to being granted access to any BNL system the individual must complete the mandatory security training.
Verified? Y
How verified: DR

AC-2  ACCOUNT MANAGEMENT
Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency].
In place? Y
Description of control: To start the process for access the individual must go to the BNL HR GIS page and complete the guest registration form (https://fsd84.bis.bnl.gov/guest/guestRegist.asp). Once the form has been processed by the departmental GIS administrator the individual will be assigned either a GIS number or a Life Number depending upon their employment status at BNL. GIS numbers are limited to a maximum of two years. Accounts are removed immediately upon notification that either a GIS or Life number has been deactivated. This notification comes through HR.
Verified? Y
How verified: DR

AC-3  ACCESS ENFORCEMENT
Control: The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
In place? Y
Description of control: Account requests are processed using SBMS. This process is initiated by completing the process described at http://accounts.bnl.gov/. Beyond access to general services (email, web portal, etc.) each department controls access to its own systems. The local systems administrators closely monitor who is provided access and the removal of IDs once the need is no longer present. The account termination process is detailed in SBMS Cyber Security, Unclassified Section 6 – Terminating Computer Accounts.
Verified? Y
How verified: DR

AC-7  UNSUCCESSFUL LOGIN ATTEMPTS
Control: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] time period. The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period], delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
In place? Y
Description of control: All systems lock the user permanently after five (5) unsuccessful login attempts. The user must then call the help desk to have their account reset. When calling the help desk the user will be asked random questions from the information submitted via their GIS account request to verify their identity. Once verified the user's account is reset and the user can again attempt to log in. The help desk has control only over the BNL domain.
Verified? Y
How verified: VT; CSPP sect. 5.2.4, page 26

AC-8  SYSTEM USE NOTIFICATION
Control: The information system displays an approved, system use notification message before granting system access informing potential users: (i) that the user is accessing a U.S. Government information system; (ii) that system usage may be monitored, recorded, and subject to audit; (iii) that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) that use of the system indicates consent to monitoring and recording. The system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries) and remains on the screen until the user takes explicit actions to log on to the information system.
In place? Y
Description of control: When system access is granted after successfully entering the appropriate ID and password a banner is displayed. The user must acknowledge the banner by pressing the "OK" button. See http://intranet.bnl.gov/cybersecurity/banners/. This is a DOE/BNL approved banner. A copy of the banner is shown in the CSPP for reference purposes. In some cases the banner is displayed before credentials are entered.
NOTE: Tie this to the XP test.
Verified? Y
How verified: VT

AC-13  SUPERVISION AND REVIEW — ACCESS CONTROL
Control: The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
In place? Y
Description of control: BNL has a variety of checks and balances in place to review and, in some cases, monitor the activities of users. These include:
    (1) System logs for all sensitive systems are sent to cyber security for parsing and review. All system logs are archived and maintained in case they are needed to reconstruct any activity.
    (2) System logs from non-sensitive systems can be reviewed upon request from HR, SSD, or Legal based upon a suspected case of misuse or inappropriate activity.
        System logs for non-sensitive systems are not collected.
    (3) Users must read and sign an appropriate use policy as part of the process for obtaining access to the BNL information system resources. http://www.bnl.gov/itd/amo/
    (4) From the internal BNL network inappropriate websites are automatically blocked.
NOTE: Recommend adding security violations to the Disciplinary Actions SBMS page.
Verified? Y
How verified: DR; CSPP Section 5.2.4, page 29

AC-14  PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
Control: The organization identifies specific user actions that can be performed on the information system without identification or authentication.
In place? Y
Description of control: As discussed above, no one is permitted access to the internal BNL network without obtaining a GIS/Life number, successfully completing the cyber security training and obtaining approval from the sponsoring manager (http://accounts.bnl.gov). Access to the public side of the network is provided without restrictions. This includes BNL.org and the wireless network.
Verified? Y
How verified: PT

AC-17  REMOTE ACCESS
Control: The organization documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.
In place? Y
Description of control: SBMS Cyber Security, Unclassified Section 1 – Accessing Computing/Networking Resources (step 4), https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro1.cfm, provides the process for obtaining a remote access account. Access to sensitive information is governed by a separate process as described in the policy. Remote access is generally controlled using token cards, which provide an additional layer of access control because of the increased risk from this type of access.
Verified? Y
How verified: DR; PT (show token or card)

AC-20  PERSONALLY OWNED INFORMATION SYSTEMS
Control: The organization restricts the use of personally owned information systems for official U.S. Government business involving the processing, storage, or transmission of federal information.
In place? Y
Description of control: As described previously, each user is required to have an active IT account. When a personal system is plugged into the network the new resource is noted and a request is made to register the system. The system will then be scanned for an appropriate anti-virus program and to verify the patch status of the system. If the system is found to be infected or without sufficient patches it is not allowed on the network until the situation is corrected.
Currently, a system is not scanned when it connects to the BNL network. This is planned for the future.
Verified? Y
How verified: PT – plug a laptop into a port and see what happens.

AT-1  SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
In place? Y
Description of control: SBMS Cyber Security, Unclassified Section 1 – Accessing Computing/Networking Resources (https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro1.cfm) provides the formal requirement for completion of the cyber security training prior to the issuance of a GIS/Life number. The procedures for completing this training are provided in the above referenced document.
Verified? Y
How verified: DR

AT-2  SECURITY AWARENESS
Control: The organization ensures all users (including managers and senior executives) are exposed to basic information system security awareness materials before authorizing access to the system and [Assignment: organization-defined frequency, at least annually] thereafter.
In place? Y
Description of control: All users must complete a computer security awareness training course prior to being granted access to the BNL network (http://accounts.bnl.gov/). On an annual basis each user takes mandatory training. As part of that training cyber security provides updated training highlighting new areas or issues of concern.
Verified? Y
How verified: DR; look at the training database

AT-3  SECURITY TRAINING
Control: The organization identifies personnel with significant information system security roles and responsibilities, documents those roles and responsibilities, and provides appropriate information system security training before authorizing access to the system and [Assignment: organization-defined frequency] thereafter.
In place? Y
Description of control: Each IT job classification has been documented and is maintained by HR. Each of these job descriptions clearly addresses roles and responsibilities, appropriate training and education requirements, and required certifications.
Verified? Y
How verified: DR; look at the training database

AT-4  SECURITY TRAINING RECORDS
Control: The organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.
In place? Y
Description of control: Human Resources maintains a database of all training completed by anyone at BNL. This database is called the Quality and Training Database (http://training.bnl.gov). All managers have access to the information for their staff. Missed or expired training is also tracked and reported to the appropriate manager.
Verified? Y
How verified: DR; look at the training database

AU-1  AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
In place? N
Description of control: Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security SBMS subject area.
Verified? (not recorded)
How verified: (not recorded)

AU-2  AUDITABLE EVENTS
Control: The information system generates audit records for the following events: [Assignment: organization-defined auditable events].
In place? Y
Description of control: For all systems containing sensitive information the system log function is turned on. These logs are sent to the cyber security group and stored for permanent archival. Sensitive systems include all main servers and any systems with a conduit.
Verified? Y
How verified: DR; review of system audit logs; CSPP sect. 5.2.4, p. 29

                                    The information system captures                Y   Contents of audit records include          Y           DR
AU-3   CONTENT OF AUDIT
       RECORDS                      sufficient information in audit records to         initiation, length, termination, user               Check for
                                    establish what events occurred, the                doing activity, and data accessed.                   required
                                    sources of the events, and the outcomes of                                                            information
                                    the events.
                                    The organization allocates sufficient audit    Y   Audit records are captured and             Y           PT
AU-4   AUDIT STORAGE
       CAPACITY                     record storage capacity and configures             analyzed while resident on local                   Review the
                                    auditing to prevent such capacity being            hard disks. Once the records have                  capacity of
                                    exceeded.                                          been analyzed they are stored on                   the optical
                                                                                       optical media for permanent                        drives and
                                                                                       retention.                                         the size of
                                                                                                                                          the backup
                                                                                                                                             files




AU-5  AUDIT PROCESSING
  Control: In the event of an audit failure or audit storage capacity being reached, the information system alerts appropriate organizational officials and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records)].
  In place: Y
  Control in use: At the present time BNL has hundreds of gigabytes of excess storage available for system log files. Files are routinely moved to cyber security for analysis and then permanent storage as discussed above. This is not an issue for BNL.
  Verified: Y
  Method: DR. Check backup procedures document.
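
The verification steps recorded for AU-3, AU-4 and AU-5 (check each record for the required fields, review remaining storage, confirm that exhaustion or failure is alerted) can be scripted rather than eyeballed. The following is an added example written for this page, not BNL's own tooling. The pipe-separated record layout, the sample log lines, the 10% free-space threshold and the mount point used by check_live_volume are all assumptions made for the example; the real BNL log format is not described on the form.

```python
"""Added example (not part of the BNL form): a small audit-log verifier for the
AU-3 / AU-4 / AU-5 checks.  It (1) confirms each audit record carries the fields
the form lists as required (initiation, length, termination, user, data
accessed), (2) computes how much headroom remains on the log volume, and
(3) returns an alert when headroom falls below a threshold, which is the part of
AU-5 that spare disk space alone does not satisfy.

The record layout (pipe-separated key=value pairs) and the sample lines are
constructed for this example.
"""
from __future__ import annotations

import shutil
from dataclasses import dataclass

# Fields the form lists under AU-3: initiation, length, termination, user, data accessed.
REQUIRED_FIELDS = ("start", "duration", "end", "user", "object")

# Constructed sample records.  The third line is missing the user field and the
# fourth is truncated, as a real log might be after a disk-full event (AU-5).
SAMPLE_LOG = """\
start=2005-04-29T08:01:12|duration=34|end=2005-04-29T08:01:46|user=jsmith|object=/data/payroll.xls|outcome=ok
start=2005-04-29T08:05:00|duration=2|end=2005-04-29T08:05:02|user=root|object=/etc/shadow|outcome=denied
start=2005-04-29T08:07:41|duration=9|end=2005-04-29T08:07:50|object=/data/grants.mdb|outcome=ok
start=2005-04-29T08:09:13|duration=
"""


@dataclass
class Finding:
    line_no: int
    missing: tuple[str, ...]


def parse_record(line: str) -> dict[str, str]:
    """Split 'k=v|k=v' into a dict; malformed pairs are skipped rather than raising."""
    rec: dict[str, str] = {}
    for pair in line.strip().split("|"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            if v:  # an empty value is treated as absent (truncated record)
                rec[k] = v
    return rec


def check_required_fields(log_text: str) -> list[Finding]:
    """AU-3: every record must carry the required fields; return the ones that do not."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        missing = tuple(f for f in REQUIRED_FIELDS if f not in rec)
        if missing:
            findings.append(Finding(n, missing))
    return findings


def storage_headroom(used: int, total: int) -> float:
    """AU-4: fraction of the log volume still free (0.0 .. 1.0)."""
    if total <= 0:
        raise ValueError("total capacity must be positive")
    return max(0.0, 1.0 - used / total)


def capacity_alert(used: int, total: int, min_free: float = 0.10) -> str | None:
    """AU-5: return an alert message if free space is below min_free, else None.
    The caller (e.g. a cron job) would forward the message to the log owner."""
    free = storage_headroom(used, total)
    if free < min_free:
        return (f"audit storage at {100 * (1 - free):.1f}% used; "
                f"{100 * free:.1f}% free is below {100 * min_free:.0f}%")
    return None


def check_live_volume(path: str = "/var/log", min_free: float = 0.10) -> str | None:
    """Same check against a real mount point; the path is an assumption for the example."""
    usage = shutil.disk_usage(path)
    return capacity_alert(usage.used, usage.total, min_free)


if __name__ == "__main__":
    for f in check_required_fields(SAMPLE_LOG):
        print(f"line {f.line_no}: missing {', '.join(f.missing)}")
    print(capacity_alert(used=950, total=1000))
```

Run from cron, check_live_volume supplies the alert that AU-5 actually asks for: having hundreds of gigabytes spare covers AU-4, but AU-5 is about what happens, and who is told, when logging stops or the volume fills, and a truncated record like the fourth sample line is exactly the trace that event leaves.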
AU-9  PROTECTION OF AUDIT INFORMATION
  Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
  In place: Y
  Control in use: System log files are stored on restricted systems with limited availability to the files.
  Verified: (not recorded)
  Method: (not recorded)

AU-11  AUDIT RETENTION
  Control: The organization retains audit logs for [Assignment: organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
  In place: Y
  Control in use: System log files are retained indefinitely at BNL. There is no plan to change this policy at this time.
  Verified: Y
  Method: PT. Show drives with audit files; show directory structure. CSPP, sect. 9.4.4, p. 42.




CA-1  CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENT POLICIES AND PROCEDURES
  Control: The organization develops, disseminates, and periodically reviews/updates: (i) formal, documented, security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and associated assessment, certification, and accreditation controls.
  In place: Y
  Control in use: The BNL C&A process is fully described in the BNL CSPP. Basically, the process mirrors that recommended in NIST SP 800-37, 800-30 and FIPS 199 along with related publications referenced in these documents.
  Verified: Y
  Method: DR.




CA-3  INFORMATION SYSTEM CONNECTIONS
  Control: The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary and monitors/controls the system interconnections on an ongoing basis. Appropriate organizational officials approve information system interconnection agreements.
  In place: Y
  Control in use: BNL has no system connections. This security control does not apply. BNL does share resources via ESnet; however, information from this network comes in through the PDN authentication server. Stony Brook Univ. has a link to the Medical Department, and the Travel Office was in the process of setting up an outside DSL link (don't know the status of this). There is communication between the wireless enclave and the BNL campus.
  Verified: Y
  Method: DR.

CA-4  SECURITY CERTIFICATION
  Control: The organization conducts an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  In place: Y
  Control in use: This document provides a baseline set of controls that exist throughout BNL. Additional controls implemented for individual systems are discussed within the certification package that is prepared for that system. Various tests on configuration settings can also be conducted per the Windows 2000/XP Security Test Procedures.
  Verified: Y
  Method: DR/VT. Review baseline configuration for the workstation; conduct specific tests.




CA-5  PLAN OF ACTION AND MILESTONES
  Control: The organization develops and updates [Assignment: organization-defined frequency], a plan of action and milestones for the information system that documents the organization's planned, implemented, and evaluated remedial actions to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
  In place: Y
  Control in use: BNL currently has an active POA&M program. The BNL POA&M is reviewed quarterly for progress.
  Verified: Y
  Method: DR. Show current POA&M with actions from audits.

CA-6  SECURITY ACCREDITATION
  Control: The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization [Assignment: organization-defined frequency]. A senior organizational official signs and approves the security accreditation.
  In place: Y
  Control in use: As discussed in the CSPP, the certification package is defined, roles and responsibilities are defined and the accreditation letter is signed.
  Verified: Y
  Method: DR. Show ATO for the enclave.




CA-7  CONTINUOUS MONITORING
  Control: The organization monitors the security controls in the information system on an ongoing basis.
  In place: Y
  Control in use: BNL has an active monitoring program. External systems (any system with a direct connection to the outside networks) are scanned daily. Internal systems are scanned quarterly. System administrators have the ability to kick off an individual scan of their systems at any time. The current vulnerability status of each system is displayed to the manager and cyber security. See https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro4.cfm (Steps 10-13). Note that ongoing means once a quarter. External systems are scanned weekly with Nessus and daily port scans are performed.
  Verified: Y
  Method: VT. Show the Nessus system capability on screen.
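
A daily port scan only supports continuous monitoring if today's result is compared with yesterday's and the differences reach someone. The following added example (not BNL's scanner, not the SBMS procedure linked above) shows that comparison: it parses two constructed scan snapshots in a simple "host port/proto" format, reports ports that opened or closed since the baseline, and flags anything listening that is not on a hypothetical per-host allow-list. The addresses are from the RFC 5737 documentation range, not BNL's.

```python
"""Added example, not BNL's scanner or SBMS procedure: turning daily port scans
(CA-7) into change detection.  Two scan snapshots in a simple 'host port/proto'
format (constructed for this example) are compared, and anything listening that
is not on a hypothetical per-host allow-list is flagged.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, List, Set

ScanMap = Dict[str, Set[str]]   # host -> {"22/tcp", "80/tcp", ...}

# Constructed snapshots: the previous scan (baseline) and today's.
BASELINE = """\
192.0.2.5 22/tcp
192.0.2.5 80/tcp
192.0.2.6 25/tcp
192.0.2.6 443/tcp
"""
TODAY = """\
192.0.2.5 22/tcp
192.0.2.5 80/tcp
192.0.2.5 3389/tcp
192.0.2.6 443/tcp
192.0.2.9 23/tcp
"""

# Hypothetical allow-list: what the certification package approves per host.
ALLOWED: ScanMap = {
    "192.0.2.5": {"22/tcp", "80/tcp"},
    "192.0.2.6": {"25/tcp", "443/tcp"},
}


def parse_scan(text: str) -> ScanMap:
    """Turn 'host port/proto' lines into host -> set of ports; other lines are ignored."""
    scan: ScanMap = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        host, port = parts
        scan[host].add(port)
    return dict(scan)


def diff_scans(baseline: ScanMap, today: ScanMap) -> Dict[str, Dict[str, Set[str]]]:
    """For every host seen in either snapshot, report ports that opened or closed."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for host in sorted(set(baseline) | set(today)):
        before = baseline.get(host, set())
        after = today.get(host, set())
        opened, closed = after - before, before - after
        if opened or closed:
            result[host] = {"opened": opened, "closed": closed}
    return result


def unapproved_ports(today: ScanMap, allowed: ScanMap) -> Dict[str, Set[str]]:
    """Listening ports not in the host's allow-list.  A host with no allow-list
    entry has nothing approved, so everything it exposes is reported."""
    out: Dict[str, Set[str]] = {}
    for host, ports in today.items():
        extra = ports - allowed.get(host, set())
        if extra:
            out[host] = extra
    return out


def monitoring_report(baseline_text: str, today_text: str, allowed: ScanMap) -> List[str]:
    """Human-readable lines suitable for the daily notice to system owners."""
    base, today = parse_scan(baseline_text), parse_scan(today_text)
    lines: List[str] = []
    for host, change in diff_scans(base, today).items():
        if change["opened"]:
            lines.append(f"{host}: newly open {sorted(change['opened'])}")
        if change["closed"]:
            lines.append(f"{host}: no longer open {sorted(change['closed'])}")
    for host, ports in unapproved_ports(today, allowed).items():
        lines.append(f"{host}: NOT APPROVED {sorted(ports)}")
    return lines


if __name__ == "__main__":
    print("\n".join(monitoring_report(BASELINE, TODAY, ALLOWED)))
```

The allow-list check matters as much as the diff: a port that was already open in the baseline never shows up as a change, so a host that was mis-configured on day one stays invisible to a pure diff until something compares it with what the accreditation actually approved.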
CM-1  CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
  Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
  In place: Y
  Control in use: There is a notification process to alert individuals to system outages and necessary maintenance and upgrades. Notices go to the following: the Notify-l list, CCB members, and the Help Desk support staff. "Notifications" must use the template below or the form on the ITD website at http://intranet.bnl.gov/itd/internal/notice/default.asp
  Verified: Y
  Method: DR. On file at the ITD Help Desk Office.




CM-2  BASELINE CONFIGURATION
  Control: The organization develops, documents, and maintains a current, baseline configuration of the information system and an inventory of the system's constituent components.
  In place: Y
  Control in use: Baseline configuration is discussed below. Inventory control is maintained on all systems. Upon receipt each system is added to the property management system (http://intranet.bnl.gov/ppm). This is done either at receiving or when the system is attached to the network. In either case the system is captured and a bar code tag is attached to the system to aid in quickly capturing information during annual physical inventory audits.
  Verified: Y
  Method: DR. Show the CIS benchmark documents.

CM-6  CONFIGURATION SETTINGS
  Control: The organization configures the security settings of information technology products to the most restrictive mode consistent with information system operational requirements.
  In place: Y
  Control in use: BNL is in the process of rolling out the CIS benchmarks. Systems will be configured to this standard. BNL unclassified systems have a CIA of low, low, low and are configured for that level of risk. Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security SBMS subject area.
  Verified: Y
  Method: VT. Testing per Windows 2000/XP Security Test Procedures.
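
Testing configuration settings against a benchmark, as the CM-6 and CA-4 rows describe for Windows 2000/XP, comes down to exporting the effective settings and comparing each one with the required value. The following added example (not BNL's test procedure and not a CIS artifact) parses the INI-style text that the Windows command secedit /export /cfg writes and checks the [System Access] values against a benchmark table. The sample export is constructed, and the threshold values in BENCHMARK are hypothetical stand-ins chosen for the example, not the CIS numbers.

```python
"""Added example, not BNL's or CIS's own test procedure: checking an exported
Windows security template against a benchmark table, the kind of
setting-by-setting test the CM-6 / CA-4 rows describe.  The input is the
INI-style text that `secedit /export /cfg <file>` writes on Windows 2000/XP;
the sample below is constructed and the BENCHMARK thresholds are hypothetical.
"""
from __future__ import annotations

import configparser
from typing import Callable, Dict, List, Tuple

# Constructed secedit export (only the [System Access] section is checked).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
LockoutDuration = 30
ResetLockoutCount = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Hypothetical benchmark: setting -> (comparison, expected).  "min" means the
# configured value must be >= expected, "max" <=, "eq" ==.  A LockoutBadCount
# of 0 disables lockout entirely, so it gets its own "lockout" rule: 1..expected.
Check = Tuple[str, int]
BENCHMARK: Dict[str, Check] = {
    "MinimumPasswordLength": ("min", 8),
    "MaximumPasswordAge": ("max", 90),
    "PasswordComplexity": ("eq", 1),
    "PasswordHistorySize": ("min", 24),
    "LockoutBadCount": ("lockout", 5),
    "LockoutDuration": ("min", 15),
}

COMPARATORS: Dict[str, Callable[[int, int], bool]] = {
    "min": lambda actual, want: actual >= want,
    "max": lambda actual, want: actual <= want,
    "eq": lambda actual, want: actual == want,
    "lockout": lambda actual, want: 1 <= actual <= want,
}


def parse_secedit_export(text: str) -> Dict[str, int]:
    """Return the integer settings from [System Access]; non-integer values are skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original case of setting names
    cp.read_string(text)
    settings: Dict[str, int] = {}
    if cp.has_section("System Access"):
        for key, value in cp.items("System Access"):
            try:
                settings[key] = int(value)
            except ValueError:
                pass
    return settings


def evaluate(settings: Dict[str, int], benchmark: Dict[str, Check] = BENCHMARK) -> List[str]:
    """One finding per benchmark item that is absent from the export or fails its rule.
    An absent setting is a finding, not a pass: it cannot be verified."""
    findings: List[str] = []
    for name, (mode, want) in benchmark.items():
        if name not in settings:
            findings.append(f"{name}: not present in export (cannot verify)")
            continue
        actual = settings[name]
        if not COMPARATORS[mode](actual, want):
            findings.append(f"{name}: is {actual}, benchmark requires {mode} {want}")
    return findings


if __name__ == "__main__":
    for line in evaluate(parse_secedit_export(SAMPLE_INF)):
        print(line)
```

On the constructed export this reports three deviations (password length, maximum age and the disabled lockout). The point of the "lockout" rule is that a plain "max 5" comparison would pass a value of 0 and silently accept a system with lockout switched off, which is the sort of edge a checklist walked through by eye tends to miss.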

CP-1  CONTINGENCY PLANNING POLICY AND PROCEDURES
  Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
  In place: Y
  Control in use: There is a COOP section in the CSPP for the network only. Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security SBMS subject area.
  Verified: (not recorded)
  Method: DR.




CP-2  CONTINGENCY PLAN
  Control: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
  In place: Y
  Control in use: No BNL systems need the classic contingency plan. A comprehensive review of the systems was conducted and all systems were found to have a minimum recovery time objective of five (5) business days. These are COTS systems that can be purchased from almost any major computer supplier. Researchers are appropriately informed concerning their responsibility for protecting their critical data and research results. Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security SBMS subject area.
  Verified: (not recorded)
  Method: (not recorded)

CP-5  CONTINGENCY PLAN UPDATE
  Control: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency, at least annually] and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.
  In place: Y
  Control in use: The contingency plan will function as the ongoing document for update. ITD reviews the systems for possible changes in status on an annual basis. In addition, any new system that is brought on board at BNL is reviewed for contingency planning requirements prior to being accepted as operational. Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security SBMS subject area.
  Verified: (not recorded)
  Method: (not recorded)




CP-9  INFORMATION SYSTEM BACKUP
  Control: The organization conducts backups of user-level and system-level information (including system state information) contained in the information system [Assignment: organization-defined frequency] and stores backup information at an appropriately secured location.
  In place: Y
  Control in use: BNL has examined all systems on site and none are considered "critical". Sensitive systems are backed up using the Legato backup system. Tapes for these systems are stored offsite with a prescribed tape rotation. Other systems are backed up locally with tapes stored for immediate information retrieval. Legato jukebox systems are stored in areas with fire suppression systems and extremely sensitive smoke detection, and are on priority lists for the onsite fire department. An extensive risk analysis has been completed to protect the systems with sensitive information as necessary. Users are provided space on the servers for storing any data they desire to have backed up on the Legato tape system. They are taught as part of their training that it is their responsibility to place the data on the servers to ensure the backups will be completed. Need to reference the backup process document here.
  Verified: Y
  Method: PT. Can witness the backup and directory structure. DR. Show backup process document.




CP-10  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
  Control: The organization employs mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to the system's original state after a disruption or failure.
  In place: Y
  Control in use: Need to develop the basic contingency plan/data recovery plan showing that BNL rebuilds or replaces systems rather than recovering fatally crashed systems. Systems are reloaded using the baseline configuration as discussed above. User data is then restored from the backup tapes.
  Verified: (not recorded)
  Method: DR. CSPP.




IA-1  IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
  Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
  In place: Y
  Control in use: This is essentially PIV. PIV is in the process of being planned and implemented. This is a recognized risk item, but current controls provide substantial protection in this area. SBMS policy provides a defense-in-depth policy for each user. New users must enter their information in the SBMS system. Once entered, the individual's sponsor must approve the request. Once the request is approved, the individual completes the cyber security training, which includes password makeup, protection of identification information, and procedures for reporting any potential compromises.
  Verified: Y
  Method: VT. Walk through the sign-on process; show that one cannot use the system without a GIS/Life number.




IA-2  USER IDENTIFICATION AND AUTHENTICATION
Control: The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
In place: Y
Actual control: Each user receives an individual GIS/Life number. This private number uniquely identifies each user. In addition, users are provided individual user IDs and passwords for their systems access. (look for shared passwords) Systems have defined access control lists that are controlled by the local system administrator. This provides another layer of security for departmental specific systems. All personnel are badged and the lab has a vigorous personnel verification policy. Anyone not known to the staff in the area is challenged.
Verified: Y
Verification method: PT – Review the GIS database, access control lists.




IA-4  IDENTIFIER MANAGEMENT
Control: The organization manages user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) ensuring that the user identifier is issued to the intended party; (v) disabling user identifier after [Assignment: organization-defined time period] of inactivity; and (vi) archiving user identifiers.
In place: Y
Actual control: PIV – in progress. See process above – show that each user has a unique identifier. Show approval process (online or paper trail). Process for termination of accounts: https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro6.cfm
Verified: Y
Verification method: DR – Refer to SBMS process document.

IA-5  AUTHENTICATOR MANAGEMENT
Control: The organization manages information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and (iii) changing default authenticators upon information system installation.
In place: Y
Actual control: SBMS Cyber Security, Unclassified, Section 1 – Accessing Computing/Networking Resources (step 4) provides the process for obtaining a remote access account. Access to sensitive information is governed by a separate policy as described in the SBMS page referenced above. Remote access is generally controlled using token cards that provide an additional layer of access control because of the increased risk from this type of access. The Statement on Proper Use of Strong Authentication Tokens is located at http://www.bnl.gov/cybersecurity/files/pdf/TokenUse.PDF and provides instructions on use and replacement of tokens.
Verified: Y
Verification method: DR




IA-6  AUTHENTICATOR FEEDBACK
Control: The information system provides feedback to a user during an attempted authentication and that feedback does not compromise the authentication mechanism.
In place: Y
Actual control: All passwords are hidden using dots or asterisks to hide the actual information entered.
Verified: Y
Verification method: VT – Show that passwords are hidden when entered.




IA-7  CRYPTOGRAPHIC MODULE AUTHENTICATION
Control: For authentication to a cryptographic module, the information system employs authentication methods that meet the requirements of FIPS 140-2.
In place: Y
Actual control: Need to review procurement SOW on tokens and authentication equipment to assure that compliance with FIPS 140-2 is required. Note: I could not find the FIPS 140-2 requirement when I looked at the crypto-card section, http://www.bnl.gov/cybersecurity/cryptocards.asp
Verified: Y
Verification method: DR – Vendor documentation.

IR-1  INCIDENT RESPONSE POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, incident response policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
In place: Y
Actual control: SBMS Cyber Security, Unclassified, Section 4 – Protecting Computing Resources describes the incident response functions and procedures for BNL. Procedures can be found at https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro4.cfm.
Verified: Y
Verification method: DR – See policy and logs.

IR-4  INCIDENT HANDLING
Control: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
In place: Y
Actual control: BNL has a dedicated resource that deals with viruses and antivirus methods. In addition they have an Incident Command Center that will direct the containment and eradication of any incident (https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro4.cfm). Teams are on call 24X7 when a potential incident is detected.
Verified: Y
Verification method: VT – Can review incident reports and corrective action.




IR-6  INCIDENT REPORTING
Control: The organization promptly reports incident information to appropriate authorities.
In place: Y
Actual control: Once confirmed, incidents are tracked and reported to US-CIAC. For each incident there is a postmortem lessons learned analysis completed to improve incident handling procedures. Procedures can be found at https://sbms.bnl.gov/sbmsearch/subjarea/61/2j01e011.pdf
Verified: (not entered)
Verification method: VT – Can review the procedures and corrective actions.




IR-7  INCIDENT RESPONSE ASSISTANCE
Control: The organization provides an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
In place: Y
Actual control: BNL has a dedicated resource that deals with viruses and antivirus methods. In addition they have an Incident Command Center that will direct the containment and eradication of any incident. Teams are on call 24X7 when a potential incident is detected. http://www.bnl.gov/cybersecurity/incidents.asp

MA-1  SYSTEM MAINTENANCE POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, information system maintenance policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.
In place: Y
Actual control: BNL provides patch management for the Windows operating system as part of routine maintenance, and for other OS platforms (Unix and Linux users, Macintosh users (Mac OS 10.X)), and remediation information for less-common operating systems (AIX, old versions of SunOS, HP-UX, and IRIX): http://www.bnl.gov/cybersecurity/patching.asp. Updated antivirus DAT files: http://www.bnl.gov/cybersecurity/antivirus.asp

MA-2  PERIODIC MAINTENANCE
Control: The organization schedules, performs, and documents routine preventative and regular maintenance on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements.
In place: Y
Actual control: Major systems at BNL have maintenance contracts. Any special needs are addressed within these contracts. (need to show examples of contract)




MA-4  REMOTE MAINTENANCE
Control: The organization approves, controls, and monitors remotely executed maintenance and diagnostic activities.
In place: Y
Actual control: Remote maintenance is handled like other remote access. A VPN is used which incorporates the use of a valid cryptographic token. http://www.bnl.gov/cybersecurity/vpn/




MA-5  MAINTENANCE PERSONNEL
Control: The organization maintains a list of personnel authorized to perform maintenance on the information system. Only authorized personnel perform maintenance on the information system.
In place: Y
Actual control: All maintenance personnel are BNL employees. Any outside maintenance staff must be escorted at all times in the Limited Areas. Escort procedures apply to Limited Areas only.

MP-1  MEDIA PROTECTION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.
In place: Y
Actual control: SBMS Cyber Security, Unclassified, Section 7 – Procuring, Transferring, Sanitizing, and Excessing Computer Systems provides the procedures and responsibilities for properly protecting BNL media assets. This information can be found at https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro7.cfm.

MP-2  MEDIA ACCESS
Control: The organization ensures that only authorized users have access to information in printed form or on digital media removed from the information system.
In place: Y
Actual control: BNL uses defense in depth and strong identification procedures to address this requirement as a first line of defense. All systems are protected by individual IDs and passwords. Five incorrect login attempts will result in the system locking and requiring the authorized user to call the help desk. Each individual is also clearly badged to provide immediate recognition when a visitor is in an area. Review procedures for physical access and GIS/life number.




MP-7  MEDIA DESTRUCTION AND DISPOSAL
Control: The organization sanitizes or destroys information system digital media before its disposal or release for reuse outside the organization, to prevent unauthorized individuals from gaining access to and using the information contained on the media.
In place: Y
Actual control: As discussed above, the SBMS Cyber Security, Unclassified, Procuring, Transferring, Sanitizing, and Excessing Computer Systems, Sect. 7, Step 2, provides instructions for properly obtaining sanitization services for a system. https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro7.cfm

PE-1  PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
In place: Y
Actual control: The physical protection is covered in the BNL Master Safeguards and Security Plan maintained by the Safeguards & Security Division. Cyber Security’s portion of that plan has been reviewed by the head of Cyber Security. Cyber Security has the necessary identification to gain access to BNL in the event of an emergency to complete assigned responsibilities. https://sbms.bnl.gov/policies.cfm#III




PE-2  PHYSICAL ACCESS AUTHORIZATIONS
Control: The organization develops and keeps current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issues appropriate authorization credentials (e.g., badges, identification cards, smart cards). Designated officials within the organization review and approve the access list and authorization credentials [Assignment: organization-defined frequency, at least annually].
In place: Y
Actual control: Policy for access in the event of an emergency has been drafted and appropriate personnel have been granted the appropriate identification to gain access to the facility in emergency situations. Badges for physical access: http://www.bnl.gov/ppm/T-Cs/suppl.asp. Logical access: http://www.bnl.gov/cybersecurity/#Registration
Verified: Y
Verification method: VT




PE-3  PHYSICAL ACCESS CONTROL
Control: The organization controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. The organization also controls access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk.
In place: Y
Actual control: The laboratory has exceptionally tight security controls at all gates and sensitive buildings. All personnel must display a badge at all times. Anyone not known in an area is frequently challenged. Access to the BNL facility is tightly controlled. See above process for badging and access control.

PE-6  MONITORING PHYSICAL ACCESS
Control: The organization monitors physical access to information systems to detect and respond to incidents.
In place: Y
Actual control: Physical and fire alarms are active on all sensitive facilities (Property Protection Areas and Limited Areas). Visitors in Limited Areas must be escorted at all times. Security and fire departments are set to respond to any alarm incident. Ingress to the 18 PPAs and Limited Areas is controlled by card reader access.
Verified: Y
Verification method: Review with PPAs Physical Security POC, N. Williams, 8/9/05.




PE-7  VISITOR CONTROL
Control: The organization controls physical access to information systems by authenticating visitors before authorizing access to facilities or areas other than areas designated as publicly accessible.
In place: Y
Actual control: The laboratory has exceptionally tight security controls at all gates. To obtain access each individual must display the appropriate badge. Anyone without a badge is diverted to a holding area to verify identification and obtain temporary badges. Temporary badges are only granted by previous arrangement of the sponsor with security. BNL has an aggressive challenge environment for unknown individuals. See response to PE-2.




PE-8   ACCESS LOGS
   Control:  The organization maintains a visitor access log to facilities (except for those areas within the facilities officially designated as publicly accessible) that includes: (i) name and organization of the person visiting; (ii) signature of the visitor; (iii) form of identification; (iv) date of access; (v) time of entry and departure; (vi) purpose of visit; and (vii) name and organization of person visited. Designated officials within the organization review the access logs [Assignment: organization-defined frequency] after closeout.
   In place:  Y
   BNL implementation:  BNL security maintains logs of all visiting vehicles and individuals as discussed above.
   Verified:  (blank)    Method:  (blank)

PE-12  EMERGENCY LIGHTING
   Control:  The organization employs and maintains automatic emergency lighting systems that activate in the event of a power outage or disruption and that cover emergency exits and evacuation routes.
   In place:  Y
   BNL implementation:  The BNL Computing Facility has emergency lighting, and it is described in the BCF Property Protection Area plan.
   Verified:  (blank)    Method:  (blank)

PE-13  FIRE PROTECTION
   Control:  The organization employs and maintains fire suppression and detection devices/systems that can be activated in the event of a fire.
   In place:  Y
   BNL implementation:  All data centers are protected by extremely sensitive smoke detection and gas discharge systems. The on-site fire station is able to respond to any facility within 2-5 minutes of an alarm being sounded. Fire drills are held on a random basis in all buildings.
      Need to state type of fire protection system in use – water, inert gas, CO2, etc.
   Verified:  (blank)    Method:  (blank)

PE-14  TEMPERATURE AND HUMIDITY CONTROLS
   Control:  The organization regularly maintains within acceptable levels and monitors the temperature and humidity within facilities containing information systems.
   In place:  Y
   BNL implementation:  Data centers have temperature and humidity controls.
      State permitted range of temperature and humidity – what happens when this is out of specification.
   Verified:  (blank)    Method:  (blank)

PE-15  WATER DAMAGE PROTECTION
   Control:  The organization protects the information system from water damage resulting from broken plumbing lines or other sources of water leakage by ensuring that master shutoff valves are accessible, working properly, and known to key personnel.
   In place:  Y
   BNL implementation:  Water lines are not present in the data center areas. Shutoffs for each building are available to the local fire department, who can respond very quickly if an incident occurs.
      There should be water sensors in the data centers – from flooding elsewhere in the building.
   Verified:  (blank)    Method:  (blank)

PE-16  DELIVERY AND REMOVAL
   Control:  The organization controls information system-related items (i.e., hardware, firmware, software) entering and exiting the facility and maintains appropriate records of those items.
   In place:  Y
   BNL implementation:  Property management tags are affixed to all new equipment. There is an annual physical inventory completed. Any system transported off the facility must have the appropriate documentation and forms. Gate checks of vehicles are held randomly for facility property being transported off facility.
   Verified:  (blank)    Method:  (blank)

PL-1   SECURITY PLANNING POLICY AND PROCEDURES
   Control:  The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, security planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
   In place:  Y
   BNL implementation:  The CSPP, which this document is a component of, reflects the current BNL security planning policy.
   Verified:  Y    Method:  DR

PL-2   SYSTEM SECURITY PLAN
   Control:  The organization develops and implements a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.
   In place:  Y
   BNL implementation:  The CSPP provides the required information.
   Verified:  Y    Method:  DR

PL-3   SYSTEM SECURITY PLAN UPDATE
   Control:  The organization reviews the security plan for the information system [Assignment: organization-defined frequency] and revises the plan to address system/organizational changes or problems identified during plan implementation or security control assessments.
   In place:  Y
   BNL implementation:  The CSPP is updated every two (2) years, or when there is a major change to the environment.
   Verified:  Y    Method:  DR

PL-4   RULES OF BEHAVIOR
   Control:  The organization establishes and makes readily available to all information system users a set of rules that describes their responsibilities and expected behavior with regard to information system usage. The organization receives signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system.
   In place:  Y
   BNL implementation:  The Personnel User Agreement is required for each individual prior to the issuance of access to any BNL information system assets. This agreement is located at http://www.bnl.gov/cybersecurity/user_agreement.asp.
   Verified:  Y    Method:  DR

PL-5   PRIVACY IMPACT ASSESSMENT
   Control:  The organization conducts a privacy impact assessment on the information system.
   In place:  Y
   BNL implementation:  Privacy impact assessment completed. PIA is stored on some BNL systems.
   Verified:  Y    Method:  (blank)

PS-1   PERSONNEL SECURITY POLICY AND PROCEDURES
   Control:  The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
   In place:  Y
   BNL implementation:  SBMS Cyber Security, Unclassified Section 1 – Accessing Computing/Networking Resources provides the formal process for obtaining access to BNL computing resources. See https://sbms.bnl.gov/sbmsearch/subjarea/61/61_Pro1.cfm.
   Verified:  Y    Method:  DR

PS-2   POSITION CATEGORIZATION
   Control:  The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. The organization reviews and revises position risk designations [Assignment: organization-defined frequency].
   In place:  Y
   BNL implementation:  BNL has designated 11 positions with appropriately detailed position descriptions. The position descriptions are reviewed with each candidate during their annual evaluation reviews. Position descriptions are reviewed on an as-required basis when a specialty is required that is not covered by the current descriptions.
      Need the URL of the position description. Could not find this on the SBMS site.
   Verified:  Y    Method:  DR

PS-3   PERSONNEL SCREENING
   Control:  The organization screens individuals requiring access to organizational information and information systems before authorizing access.
   In place:  Y
   BNL implementation:  Individuals applying for a job at BNL receive standard screening through the GIS before employment is permitted. Personnel requiring access to sensitive or classified areas receive additional screening as required by Federal policy. This represents approximately 300 personnel on site. Employment policy is located at https://sbms.bnl.gov/sbmsearch/subjarea/49/49_SA.cfm?parentID=49.
   Verified:  (blank)    Method:  (blank)

PS-4   PERSONNEL TERMINATION
   Control:  When employment is terminated, the organization terminates information system access, conducts exit interviews, ensures the return of all organizational information system-related property (e.g., keys, identification cards, building passes), and ensures that appropriate personnel have access to official records created by the terminated employee that are stored on organizational information systems.
   In place:  Y
   BNL implementation:  BNL has a detailed process for terminated personnel. This process is detailed at https://sbms.bnl.gov/sbmsearch/subjarea/49/49_Pro9.cfm.
   Verified:  Y    Method:  DR

PS-5   PERSONNEL TRANSFER
   Control:  The organization reviews information systems/facilities access authorizations when individuals are reassigned or transferred to other positions within the organization and initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorizations).
   In place:  Y
   BNL implementation:  Policy and procedures for personnel transfers are detailed at https://sbms.bnl.gov/sbmsearch/subjarea/49/49_Pro3.cfm. Personnel transferring from one department to another must turn in all BNL assets and effectively check out of the departing facility and then check in to the receiving department. Training requirements must be completed prior to gaining access to the new systems areas.
   Verified:  Y    Method:  DR

PS-6   ACCESS AGREEMENTS
   Control:  The organization completes appropriate access agreements (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements) for individuals requiring access to organizational information and information systems before authorizing access.
   In place:  Y
   BNL implementation:  Policy and procedures for access to the facility by guests or visitors are detailed at https://sbms.bnl.gov/sbmsearch/subjarea/50/50_SA.cfm.
   Verified:  Y    Method:  DR

PS-7   THIRD-PARTY PERSONNEL SECURITY
   Control:  The organization establishes personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitors provider compliance to ensure adequate security.
   In place:  Y
   BNL implementation:  There are no third party agreements at BNL. This control does not apply. All contracts have a security statement included as part of the standard clauses in case this issue is needed.
   Verified:  Y    Method:  OT

PS-8   PERSONNEL SANCTIONS
   Control:  The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
   In place:  Y
   BNL implementation:  This section of SBMS, https://sbms.bnl.gov/sbmsearch/subjarea/147/147_SA.cfm, provides detailed guidance for the process dealing with actions which may result in sanctions.
   Verified:  Y    Method:  DR

RA-1   RISK ASSESSMENT POLICY AND PROCEDURES
   Control:  The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
   In place:  Y
   BNL implementation:  The CSPP, which this document is a component of, provides the policy and procedures for conducting and documenting system related risks.
   Verified:  Y    Method:  DR

RA-2   SECURITY CATEGORIZATION
   Control:  The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within the organization review and approve the security categorizations.
   In place:  Y
   BNL implementation:  FIPS 199 and NIST SP 800-60 were utilized to determine the appropriate CIA categorization of each system. Based upon this analysis, appropriate security controls for each system are provided. A general “standard” set of security controls is detailed within this document. Each system owner provides exceptions for any security control for their respective systems.
   Verified:  Y    Method:  DR

RA-3   RISK ASSESSMENT
   Control:  The organization conducts assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.
   In place:  Y
   BNL implementation:  A general risk assessment is included within the laboratory certification package. Each system identified within each enclave has a supplemental risk assessment. If the general risk assessment meets the needs of the system then no supplemental risk assessment is provided.
   Verified:  Y    Method:  DR

RA-4   RISK ASSESSMENT UPDATE
   Control:  The organization updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system.
   In place:  Y
   BNL implementation:  Risk updates are done on an annual basis. Each system is evaluated to ensure that the CIA level remains appropriate. The system is then reviewed to ensure that the security controls appropriately address the risks and the residual risk is clearly defined. All systems containing any sensitive information are individually reviewed and signed off.
   Verified:  Y    Method:  DR

SA-1   SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
   Control:  The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and services acquisition policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
   In place:  Y
   BNL implementation:  BNL procurement and property management policies are located at https://sbms.bnl.gov/SBMSearch/LD/ld14/ld14t011.htm?parentID=9.
   Verified:  Y    Method:  DR

SA-2   ALLOCATION OF RESOURCES
   Control:  The organization determines, documents, and allocates as part of its capital planning and investment control process the resources required to adequately protect the information system.
   In place:  Y
   BNL implementation:  BNL creates Exhibit 53s for each system and major area within BNL. This information is available to appropriate individuals to validate and review. CPIC processes are used to prioritize and justify each procurement.
   Verified:  Y    Method:  DR

SA-3   LIFE CYCLE SUPPORT
   Control:  The organization manages the information system using a system development life cycle methodology that includes information security considerations.
   In place:  Y
   BNL implementation:  Most of the systems at BNL are in the Operations and Maintenance (O&M) stage of the systems lifecycle. New systems that are being planned develop a full systems lifecycle plan as part of the capital plan (Exhibit 300).
   Verified:  Y    Method:  DR

SA-4   ACQUISITIONS
   Control:  The organization includes security requirements and/or security specifications, either explicitly or by reference, in information system acquisition contracts based on an assessment of risk.
   In place:  Y
   BNL implementation:  Property management provides the staff support for all acquisitions. NIST SP 800-64 is utilized as part of the assessment process for each major acquisition. All property is inventoried and properly tagged prior to dispersal to the procuring department. Policy is located at http://www.bnl.gov/ppm/main_e.asp.
   Verified:  Y    Method:  DR

SA-5   INFORMATION SYSTEM DOCUMENTATION
   Control:  The organization ensures that adequate documentation for the information system and its constituent components is available, protected when required, and distributed to authorized personnel.
   In place:  Y
   BNL implementation:  Each system during the initial connection to the network is captured in the ITD Registration database. BNL also has an asset database, and this DB is used as part of the bi-annual walkthrough physical inventory and annual spot check.
   Verified:  (blank)    Method:  (blank)

  Baseline Low Security Controls per NIST SP 800-53                  Page 48 of 54                                    8/9/2005
                        This form is For Official Use ONLY (FOUO) when filled in for a particular system
SA-6   SOFTWARE USAGE RESTRICTIONS
       Control:        The organization complies with software usage restrictions.
       In place:       Y
       Actual control: As part of the Personnel User Agreement (http://www.bnl.gov/cybersecurity/user_agreement.asp)
                       and the mandatory cyber security training, each user is informed that BNL personnel shall
                       only use authorized copies of software. Copying, use of personal software on BNL systems,
                       and any form of piracy are not permitted and are punishable offenses.
       Verified:
       Method:
SA-7   USER INSTALLED SOFTWARE
       Control:        The organization enforces explicit rules governing the downloading and installation of
                       software by users.
       In place:       Y
       Actual control: As discussed above, users are clearly trained on the proper procurement and installation
                       of appropriate software for BNL systems.
       Verified:
       Method:
SA-9   OUTSOURCED INFORMATION SYSTEM SERVICES
       Control:        The organization ensures that third-party providers of information system services employ
                       adequate security controls in accordance with applicable federal laws, directives,
                       policies, regulations, standards, guidance, and established service level agreements.
                       The organization monitors security control compliance.
       In place:       Y
       Actual control: This is not applicable to BNL.
       Verified:       Y
       Method:         DR

SC-1   SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
       Control:        The organization develops, disseminates, and periodically reviews/updates: (i) a formal,
                       documented, system and communications protection policy that addresses purpose, scope,
                       roles, responsibilities, and compliance; and (ii) formal, documented procedures to
                       facilitate the implementation of the system and communications protection policy and
                       associated system and communications protection controls.
       In place:       Y
       Actual control: Interim SBMS policy developed; will be incorporated into the Unclassified Cyber Security
                       SBMS subject area.
       Verified:
       Method:

SC-5   DENIAL OF SERVICE PROTECTION
       Control:        The information system protects against or limits the effects of the following types of
                       denial of service attacks: [Assignment: organization-defined list of types of denial of
                       service attacks or reference to source for current list].
       In place:       Y
       Actual control: SNORT is deployed as an IDS solution. Any spike of activity on external facing firewalls,
                       web servers, or routers is immediately alerted to the security staff and actions are taken
                       to protect those assets. Also, certain router features that allow DOS attacks to occur are
                       disabled (icmp etc.; check book).
       Verified:       Y
       Method:         VT – Review router configuration table. Review activity log.
SC-7   BOUNDARY PROTECTION
       Control:        The information system monitors and controls communications at the external boundary of
                       the information system and at key internal boundaries within the system.
       In place:       Y
       Actual control: SNORT is deployed as an IDS solution. Any spike of activity on external facing firewalls,
                       web servers, or routers is immediately alerted to the security staff and actions are taken
                       to protect those assets. Nessus Scanner is available to further detail any event or a
                       particular system.

                       The PDN controls communications at the external boundary and SNORT is used for the
                       internal boundaries.
       Verified:       Y
       Method:         VT

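The SC-5 and SC-7 entries both rely on the same detection step: a spike of activity on an external-facing device is noticed and raised to the security staff, with the activity log as the verification artifact. The script below is an added illustration of that step and is not code from the BNL assessment form or from any BNL system or tool; the syslog-like firewall line format, the host name fw-ext, the addresses, and the thresholds (an absolute floor of 20 events per minute and five times the median of the host's earlier minutes) are constructed assumptions. It parses log lines, counts events per device per minute, and reports any minute that stands out against that device's own baseline, naming the dominant source and protocol so the analyst can see at a glance whether it looks like the ICMP-style flood the SC-5 entry mentions.

```python
"""Spike detection over boundary-device log lines (added example).

Not code from the BNL assessment form or any BNL system.  The log format,
host name, addresses and thresholds are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed syslog-like firewall line format; real devices differ.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for one we cannot parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def detect_spikes(lines, factor=5.0, floor=20):
    """Flag one-minute windows whose event count exceeds both an absolute
    floor and `factor` times the median of that host's earlier windows.

    The floor keeps a quiet device (median 1/min) from alerting on ordinary
    bursts; the median baseline is not dragged up by a single earlier spike.
    Returns a list of alert dicts, oldest first.
    """
    buckets = defaultdict(list)          # (host, minute) -> events in that minute
    for ev in map(parse_line, lines):
        if ev is None:
            continue                     # unparseable lines are skipped, not counted
        buckets[(ev["host"], ev["ts"].replace(second=0))].append(ev)

    per_host = defaultdict(dict)         # host -> {minute: events}
    for (host, minute), evs in buckets.items():
        per_host[host][minute] = evs

    alerts = []
    for host, series in per_host.items():
        minutes = sorted(series)
        for i, minute in enumerate(minutes):
            history = [len(series[m]) for m in minutes[:i]]
            if not history:
                continue                 # nothing to compare the first window to
            baseline = median(history)
            n = len(series[minute])
            if n >= floor and n > factor * baseline:
                top_src, top_n = Counter(e["src"] for e in series[minute]).most_common(1)[0]
                top_proto = Counter(e["proto"] for e in series[minute]).most_common(1)[0][0]
                alerts.append({
                    "host": host,
                    "minute": minute.strftime("%Y-%m-%d %H:%M"),
                    "count": n,
                    "baseline": baseline,
                    "top_src": top_src,
                    "top_src_share": round(top_n / n, 2),
                    "top_proto": top_proto,
                })
    alerts.sort(key=lambda a: a["minute"])
    return alerts


def constructed_log():
    """Constructed sample: five quiet minutes of web hits, then one minute of
    60 dropped ICMP packets from a single source, plus one malformed line."""
    lines = []
    base = datetime(2005, 4, 29, 10, 0, 0)
    for m in range(5):                   # quiet minutes: 4 accepted web hits each
        for k in range(4):
            ts = base + timedelta(minutes=m, seconds=15 * k)
            lines.append(f"{ts:%Y-%m-%d %H:%M:%S} fw-ext ACCEPT src=192.0.2.{10 + k} "
                         f"dst=203.0.113.10 proto=tcp dport=80")
    for k in range(60):                  # minute 5: flood from one source
        ts = base + timedelta(minutes=5, seconds=k)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} fw-ext DROP src=198.51.100.7 "
                     f"dst=203.0.113.10 proto=icmp")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(constructed_log()):
        print(alert)
```

On the constructed input the only alert is the 10:05 minute on fw-ext (60 events against a baseline of 4, all from one source, all ICMP). The per-host baseline matters: a busy web server and a quiet management router should not share one threshold, and the median rather than the mean keeps one earlier burst from masking the next.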
SC-13  USE OF VALIDATED CRYPTOGRAPHY
       Control:        When cryptography is employed within the information system, the system performs all
                       cryptographic operations (including key generation) using FIPS 140-2 validated
                       cryptographic modules operating in approved modes of operation.
       In place:       Y
       Actual control: Hard and soft tokens are used to provide an additional layer of protection for those users
                       granted remote access. These tokens are granted on an as-required basis and ongoing use is
                       routinely revalidated (annually). Tokens are FIPS 140-2 compliant.
                       We have more types of cryptography deployed, such as Entrust, all SSL sites, SSH servers
                       and LDAP.
       Verified:       Y
       Method:         DR – Check vendor specification of tokens for 140-2.
SC-14  PUBLIC ACCESS PROTECTIONS
       Control:        For publicly available systems, the information system protects the integrity of the
                       information and applications.
       In place:       Y
       Actual control: Public access areas are open to use to support the mission and functions of the
                       laboratory. This is a privacy/integrity issue – need to confirm that public information
                       has adequate safeguards – limited access, encrypted storage, etc.

                       I think they are referring to all systems with conduits: is the integrity of the
                       information and applications protected?
       Verified:       Y
       Method:         VT – Attempt unauthorized access – show data is encrypted.

SI-1   SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES
       Control:        The organization develops, disseminates, and periodically reviews/updates: (i) a formal,
                       documented, system and information integrity policy that addresses purpose, scope, roles,
                       responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the
                       implementation of the system and information integrity policy and associated system and
                       information integrity controls.
       In place:       Y
       Actual control: BNL has deployed a customized version of Nessus Scanner that provides each department with
                       a clear assessment of their system vulnerability status. An overview status is available
                       to senior management. System administrators can execute a scan on their systems at any
                       time to verify their system status. Trending and current status information is displayed
                       graphically for management. In addition, SNORT is deployed as an IDS solution and
                       Tipping Point is deployed to track and report on unauthorized system changes that might
                       occur without the approval of the system administrator.
                       BNL developed a customized interface to the Nessus vulnerability scanner.
       Verified:       Y
       Method:         VT – Review of NESSUS report on screen or printout.
SI-2   FLAW REMEDIATION
       Control:        The organization identifies, reports, and corrects information system flaws.
       In place:       Y
       Actual control: As discussed above, the flaw information is available for review by management and
                       appropriate system administrators to facilitate correction of system flaws.
       Verified:       Y
       Method:         VT – Report includes SANS top 10 vulnerabilities & corrections.

SI-3   MALICIOUS CODE PROTECTION
       Control:        The information system implements malicious code protection that includes a capability
                       for automatic updates.
       In place:       Y
       Actual control: BNL employs a full-time individual to monitor malicious code incidents. The individual
                       also maintains the Trend Micro product and ensures that all systems have up-to-date DAT
                       files. Reports of potential threats and attempted intrusions are provided to management.
                       See http://www.bnl.gov/cybersecurity/patching.asp for more information.
       Verified:       Y
       Method:         VT – Review DAT file for most current status.
                       PT – Review product documents.
SI-5   SECURITY ALERTS AND ADVISORIES
       Control:        The organization receives information system security alerts/advisories on a regular
                       basis, issues alerts/advisories to appropriate personnel, and takes appropriate actions in
                       response.
       In place:       Y
       Actual control: Alerts and potential threats are continuously reviewed by the cyber security department.
                       Applicable information and alerts are distributed to the system administrators within the
                       departments to ensure they have their systems appropriately configured.
       Verified:       Y
       Method:         VT – Review of CSIRT response reports.