
(M10) Information Systems & Cybersecurity
Contractor Assurance

Management System Owner: Chief Information Officer (CIO)

Revision and Date: Revision 3.0 - December 20, 2018

1.0            Purpose

The purpose of the Information Systems & Cybersecurity management system is to provide policies, procedures, best practices, governance, monitoring, strategy and oversight functions, and a cybersecurity program, that together ensure that Fermilab IT assets are procured, managed, operated and disposed of in accordance with the contract.  In addition, it will ensure that information services support laboratory operations, the scientific program and the other management systems of the laboratory effectively, efficiently, securely, and safely.

2.0            Roles and Responsibilities

Title Responsibilities
Chief Information Officer (CIO)
  • Establishes and manages the Information Systems & Cybersecurity management system
Computer Security Manager
  • Oversees the Computer Security Program
  • Chairs the Computer Security Board
Fermilab Computer Security Coordinator
  • Serves as point of contact for law enforcement
  • Handles DOE incident response
Deputy Chief Information Officer
  • Chairs the IT Policy Board
Chief Operating Officer
  • Chairs the Information System Portfolio Management Team
Chief Research Officer
  • Chairs the Scientific Computing Portfolio Management Team
Head, Enterprise Architecture
  • Chairs the Community Collaboration Meeting
Head, Service Management
  • Assures IT services are operated in accordance with Information Technology Infrastructure Library (ITIL) processes.
Head, Project Management Office (Computing)
  • Provides project management support and oversight for all Information Systems portfolio projects
Fermilab Records Manager
  • Oversees records management
South Dakota IT Operations Liaison
  • Provides support and coordination for Fermilab computing and information activities in South Dakota

3.0            Primary Requirements

M&O Contract

○       C.4(b)(3) – Office of Science High-Energy Physics Program

○       C.4(c)(9) – Information Resources Management

Other DOE Orders

○       DOE O 200.1A – Information Technology Management

○       DOE O 205.1B – Department of Energy Cyber Security Program

○       DOE O 206.1 – Department of Energy Privacy Program

○       DOE O 243.1B Admin Chg 1 – Records Management Program

FRA Contract Clause Mapping to Management Systems.

4.0            Management System Description Overview

The objectives of the Information Systems & Cybersecurity Management System are to deliver IT services, information system products and information management processes to laboratory staff, collaborators and clients to enable scientific and operational excellence. Its functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity and reliability of the laboratory's information assets.

4.1               IT Policy.

All activities associated with computing and information are governed by Fermilab Information Policies and the Fermilab Computing Policy.  An additional set of Fermilab Computing Policies provides governance and direction on specific functional areas and topics.  Together, this collection of documents helps ensure effective management system implementation and operation.

The IT Policy Board manages the process of formulating IT policies (including computer security policies) and making recommendations to the laboratory CIO.  The process also enables representatives from different organizations to raise and communicate the potential impacts of proposed policies (and policy changes) on their organizations.  The topics for potential new or revised policies can arise from the Computer Security Board, service owners, laboratory organizations or groups of users.

4.2               IT Investment Oversight and Governance.

The following IT investment oversight and governance processes have been established to optimize the IT portfolio and maximize the value proposition in each investment while properly managing risk. The portfolio of IT services is determined and managed through the Service Lifecycle and Continuous Service Improvement Service Management frameworks. Two Portfolio Management Teams (PMTs) execute investment decision processes. The goal of the PMTs is to maximize strategic impact and value delivered to Fermilab. To achieve this goal, each PMT reviews, evaluates and prioritizes projects and needs within its portfolio and ensures continued relevance and strategic alignment. 

4.2.1    Information Systems PMT

The Information Systems Portfolio Management Team (IS-PMT) provides a forum for reviewing and prioritizing the Fermilab IT information systems portfolio, which is a selected set of planned initiatives and projects that affect the information systems infrastructure at Fermilab. The IS-PMT also recommends to the chairperson which projects should be implemented. The IS-PMT is chaired by the Chief Operating Officer.

4.2.2    Scientific Computing PMT

The Scientific Computing Portfolio Management Team (SC-PMT) provides a forum for the various scientific projects and programs at Fermilab to present their scientific computing needs and requirements and for the SC-PMT to evaluate and prioritize these needs.  The SC-PMT's goal is to ensure that computing resources are allocated in a manner that maximizes benefit to the Fermilab scientific community.  As the portfolio of scientific programs evolves, the SC-PMT will guide decisions that need to be made regarding the allocation of human resources and the investment of funds to purchase computing materials and services in a manner that most effectively meets the needs of the scientific program.  The SC-PMT plays an important role in reviewing scientific computing investment plans and making appropriate recommendations.  The SC-PMT is chaired by the Deputy Chief Research Officer.

4.3               Cyber Security.

Cyber security processes ensure that information systems at Fermilab are operated at an appropriate level of risk.  One set of processes reviews risk assessments, security plans and impact statements to determine whether risks associated with new or modified systems or applications are consistent with the existing accepted risk envelope and makes recommendations about acceptance of any new residual risks.  Additional risk management processes include approval of variances from baselines.  Policies and procedures dealing with computer security are continuously reviewed and evaluated, particularly in response to reports on significant computer security incidents at Fermilab and elsewhere in the DOE complex.  Analysis of significant computer security events includes discussion of their implications and required countermeasures.  These processes are managed at regular meetings of the Computer Security Board (CS-Board).  In addition, a series of dashboards provides continuous monitoring of security operations.

4.4               Service Management.

Service Management defines and governs the processes by which the laboratory maintains and delivers computing services.  These processes are modeled on the Information Technology Infrastructure Library (ITIL) framework and the ISO/IEC 20000 standard.  The processes are grouped into service lifecycle stages: Service Strategy, Service Design, Solution Delivery, and Service Transition.  Service Strategy incorporates the needs of the users and interacts with the PMTs and enterprise architecture.  Service Design interacts with Solution Delivery and ensures that Information Security, Continuity, Capacity, and Availability are considered and included in IT solutions.  Service Transition interacts with Solution Delivery to ensure that changes to Services and IT operational processes are carried out in a coordinated way.

4.5               Service Operations.

Service Operations ensures that IT Services are operated and delivered effectively and efficiently in accordance with user needs.  This includes providing both core IT services (networking, email, server and desktop support, enterprise application support) and scientific computing services (compute servers, storage servers, grid and cloud computing, scientific application support).

4.6               IT Solution Delivery.

The IT Project Management Office (IT PMO) process manages many computing projects, ranging from short-term, low-cost projects to multimillion-dollar projects involving many stakeholders.  The mission of the IT PMO is to oversee and continuously improve an IT solution-delivery methodology that helps computing project managers plan and manage computing projects more effectively and measure results.  The goal is to complete projects that deliver the planned value, on time and within budget, by applying project management practices and principles at a level that facilitates solid execution without excessive burden and overhead.

4.7               Enterprise Architecture.

The Enterprise Architecture (EA) process defines, maintains and governs the lifecycle and roadmap for Fermilab's computing environment. The process also aligns and maps the roadmap with the required IT investments. The goal of the Enterprise Architecture process is to enhance planning by establishing a comprehensive master plan that incorporates the underpinning computing environment roadmaps. As part of the lifecycle plan, the EA process also defines standards for the computing environment and identifies emerging technologies.

4.8               Software Quality Assurance.

Software Quality Assurance (SQA) defines necessary quality-assurance requirements for all software applications used by Fermilab.   Software quality assurance is implemented using a graded approach based on the analysis of potential risks should the software not perform as intended.  Evaluating each software application against potential consequences allows for the application of appropriate quality-assurance measures and controls.  Through this approach, Fermilab's SQA Program ensures development, management and delivery of reliable software applications through adequate planning, testing and control.

4.9               Publications & Records Management.

The goal of the Publications and Records Management process is to efficiently and effectively identify, maintain, catalog and preserve publications, records and other content that document Fermilab's history, organization, functions, policies, procedures, decisions, essential transactions and results of projects and research.  Publications & Records Management provides an overall framework regarding how recorded information should be appraised, saved, discarded or preserved.

The information management system applies across all sectors of the laboratory's line organizations and to all laboratory visitors, contractors and collaborators that operate computing assets and services on the laboratory network.

4.10              Integration with Other Management Systems

The Information Systems & Cybersecurity management system is integrated with other management systems in several ways:

  • IT governance functions and processes ensure prioritization of any development and modernization of the underlying IT Infrastructure and information systems needed for effective operation of the other management systems and for laboratory operations. Prioritization is conducted by portfolio management teams with broad representation across the scientific and operations sectors of the lab.
  • Information technology infrastructure, information systems and scientific computing functions are integrated with processes of the Quality, ES&H, and Finance management systems.
  • The scientific computing function is also integrated with the Science Experiment Planning management system, which provides strategic direction and priority guidance, and the Engineering management system in areas of scientific computing where engineering is performed.

Each function of the information management system involves communication processes. These are governed by the Stakeholder Relations & Communications management system as well as Computing organization communication processes.

4.11             Other Processes Supporting the Management System

  • Fermilab Computer Security Program (including all security plans, risk assessments, roles and responsibilities and operations of Fermilab Incident Response (FIR))
  • Annual Computer Security Awareness Day and periodic hands-on training sessions
  • Process and service reviews against established metrics and KPIs as part of the established Continuous Service Improvement Program (CSIP)
  • Problem identification and root-cause analysis as part of ITIL problem management
  • Service continuity related to business continuity of operations plan (for lab operations) and to science objectives, Memorandums of Understanding (MOUs), and Technical Scopes Of Work (TSWs) for the scientific program.
  • Self-assessments.
  • National laboratory Chief Information Officer (NLCIO) processes to interact with the DOE CIO and to assist in developing and interpreting DOE IT-related policy and guidance.
  • Fermilab Assurance Council
  • Computer Security Board (available on request)

5.0            Reports, Audits, Assessments and Required Records

  • Annual DOE review of performance (PEMP)
  • Assessment to achieve and maintain ISO/IEC 20000 certification for IT services.
  • Authority to operate granted by Fermilab Site Office designated approving authority based on external security testing and evaluation.
  • Bi-weekly meeting with the Fermilab Site Office
  • DOE data calls on information security
  • Fermilab Site Office Safeguards and Security Periodic Survey of Fermi National Accelerator Laboratory
  • FISMA audits
  • Inspector general audits
  • Internal self-assessments within Computing organizations
  • Internal audits
  • IT controls component of KPMG annual audit of financial systems.
  • Targeted audit areas that vary each year and are selected based on a formal risk assessment; CIO participates in risk assessment process with manager of internal audit. IT service-management processes are reviewed individually.
  • OMB 53 reporting to DOE
  • Quarterly self-assessments of aspects of operations of IT assets – reported to DOE
  • Periodic DOE OHEP review of scientific computing
  • Reports to the weekly Lab Status and All Experimenters' meetings.

6.0            Additional References

  • DOE O 241.1B – Scientific and Technical Information Management
  • Contract clause H.41 – Information Technology Acquisitions
  • Contract clause I.122 – DEAR 970.5232-7 Financial Management System
  • Federal Laws and Regulations
  • Public Law 107-347 Title III of the E-Government Act entitled the Federal Information Security Management Act of 2002 (FISMA)
  • Public Law 104-106, Information Technology Management Reform Act (Clinger/Cohen Act) of 1996
  • Public Law 107-30, Sarbanes Oxley Act of 2002
  • E.O. 13231, Critical Infrastructure Protection in the Information Age, Oct. 16, 2001
  • OMB Circular A-130, "Management of Federal Information Resources", Appendix III, Security of Federal Automated Information Resources, dated Feb. 8, 1996
  • OMB Circular A-11, Preparation, Submission and Execution of the Budget, Exhibits 53 and 300
  • OMB Circular A-123
  • NIST SP 800-53 sets out the baseline management, operational and technical controls that must be incorporated into a system to minimally assure the security of low-, moderate- and high-risk systems.
  • NIST SP 800-53A contains testing criteria for the security controls.
  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems - offers a standardized methodology to assess the risks to the confidentiality, integrity and availability (CIA) of unclassified systems.
  • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
  • Other NIST standards as appropriate

7.0            Definitions of Acronyms and Terms


CCD – Core Computing Division
CCD Liaison – Core Computing South Dakota IT Operations Liaison
DUNE – Deep Underground Neutrino Experiment
IS-PMT – Information Systems Portfolio Management Team
IT – Information Technology
ITIL – Information Technology Infrastructure Library
SC-PMT – Scientific Computing Portfolio Management Team
SDSD – South Dakota Services Division
SQA – Software Quality Assurance
SURF – Sanford Underground Research Facility

8.0            Extension of Management System To South Dakota


All Fermilab activities associated with computing and information in South Dakota are governed by the computing policies described in Section 4.1 above. The goal is to extend computing to SURF such that Fermilab team members stationed at SURF interact with all lab processes just as if they were located at Fermilab in Batavia.

In addition to Section 4.1, the following elements of this management system apply to Fermilab activities in South Dakota: 

  • 4.3.  Cyber Security
  • 4.5.  Service Operations
  • 4.8.  Software Quality Assurance
  • 4.9.  Publications and Records Management

The South Dakota Services Division (SDSD) is supported by a liaison appointed by the Core Computing Division (CCD) to ensure that SDSD IT computing requirements are sufficiently understood and met, and that computing activities in South Dakota are conducted in accordance with Fermilab policies and procedures.  The Core Computing South Dakota IT Operations Liaison (CCD Liaison) will periodically visit the site and is available by phone or email to provide support as necessary.  Other support for specific issues or technical needs will be provided by CCD or subject matter experts and coordinated through the CCD liaison.

Additionally, CCD will coordinate with the DUNE online coordinator to ensure the computing needs of the DUNE experiment will be met at SURF.

Due to the nature of the work in South Dakota and an integrated workforce comprising Fermilab and non-Fermilab staff, additional policies and cyber security measures may be required. Periodic assessments of South Dakota computing needs and the computing environment will be made by CCD subject matter experts in coordination with the CCD liaison and appropriate actions taken as required.
