
(M10) Information Systems & Cybersecurity
Contractor Assurance

Management System Owner:   Chief Information Officer

Revision Number:     1.5          Date:     August 1, 2019

1.0     Purpose

The purpose of the Information Systems & Cybersecurity management system is to provide the policies, procedures, best practices, governance, monitoring, strategy and oversight functions, and the cybersecurity program, that together ensure that Fermilab IT assets are procured, managed, operated and disposed of per the contract. It also ensures that information services support laboratory operations, the scientific program, and the other management systems of the laboratory effectively, efficiently, securely, and safely.

2.0     Roles and Responsibilities

Title Responsibilities
Chief Information Officer  (CIO)
  • Establishes and manages the Information Systems & Cybersecurity management system.
  • Chairs the Information System Portfolio Management Team.
Information System Security Manager
  • Oversees the Computer Security Program.
  • Chairs the Computer Security Board.
Information Security Officer
  • Serves as Point of Contact for law enforcement.
  • Handles DOE incident response.
Deputy Chief Information Officer
  • Chairs the IT Policy Board.
Chief Research Officer (CRO)
  • Chairs the Scientific Computing Portfolio Management Team.
Head, Enterprise Architecture
  • Chairs the Community Collaboration meeting.
Head, Service Management
  • Assures IT services are operated in accordance with Information Technology Infrastructure Library (ITIL) processes.
Head, Project Management Office (Computing)
  • Provides project management support and oversight for all Information Systems portfolio projects.
Fermilab Records Manager
  • Oversees records management for the laboratory.
South Dakota IT Operations Liaison
  • Provides support and coordination for Fermilab computing and information activities in South Dakota.
Computing Financial Manager
  • Oversees budget and procurement management for computing.

Lab Responsibilities

Title Responsibilities
All Users
  • Complete required Cybersecurity Training
  • Adhere to policies on Computing
  • Adhere to policies on Computing Personal Actions
  • Adhere to policies on Data Use, Data Management and Information Handling
  • Adhere to Restricted Central Service Policy
  • Use Service Desk Application for engagement of Computing
Division/Section/Department Heads
  • Enforce adherence to User Responsibilities
  • Work with Computing to address policy gaps
Windows/Mac users
  • Adhere to Virus and configuration policies
CFO/Procurement
  • Enforce policies on Computing Hardware and Software Procurement
Experiments
  • Adhere to Scientific Data Management Policies

3.0     Primary Requirements

3.1   M&O Contract

  • DOE Prime Contract No. DE-AC02-07CH11359 for the Management and Operation of the Fermi National Accelerator Laboratory (Fermilab)

  • C.4(b)(3) – Office of Science High-Energy Physics Program
  • C.4(c)(9) – Information Resources Management

3.2   Fermilab Performance Evaluation and Measurement Plan (PEMP)

  • Goal 8.0: Sustain and Enhance the Effectiveness of Integrated Safeguards and Security Management (ISSM) and Emergency Management Systems;

  • Objective 8.2: Provide an Efficient and Effective CyberSecurity System for the Protection of Classified and Unclassified Information

  • Objective 8.3: Provide an Efficient and Effective Physical Security Program for the Protection of Special Nuclear Materials, Classified Matter, Classified Information, Sensitive Information, and Property.

  • Objective 8.3 Part 2: Classified Matter, Classified Information, and Sensitive Information.

3.3   Other Required DOE Orders and Instructions

  • DOE O 200.1A - Information Technology Management

  • DOE O 205.1C - Department of Energy Cyber Security Program

  • DOE O 206.1 - Department of Energy Privacy Program

  • DOE O 243.1B Admin Chg1 - Records Management Program

3.4   FRA Contract Clause Mapping to Management Systems

4.0     Management System Description Overview

The objectives of the Information Systems & Cybersecurity Management System are to deliver IT services, information system products and information management processes to laboratory staff, collaborators and clients to enable scientific and operational excellence. Its functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity and reliability of the laboratory's information assets.

4.1   IT Policy

All activities associated with computing and information are governed by the Fermilab Information Policies and the Fermilab Computing Policy. An additional set of Fermilab Computing Policies provides governance and direction on specific functional areas and topics. Together, this collection of documents helps ensure effective management system implementation and operation.

The IT Policy Board manages the process of formulating IT policies (including computer security policies) and making recommendations to the laboratory CIO. The process also enables representatives from different organizations to raise and communicate the potential impacts of proposed policies (and policy changes) on their organizations. Topics for potential new or revised policies can arise from the Computer Security Board, service owners, laboratory organizations, or groups of users.

4.2   IT Investment Oversight and Governance

The following IT investment oversight and governance processes have been established to optimize the IT portfolio and maximize the value proposition in each investment while adequately managing risk. The portfolio of IT services is determined and managed through the Service Lifecycle and Continuous Service Improvement Service Management frameworks. Two Portfolio Management Teams (PMTs) execute investment decision processes. The goal of the PMTs is to maximize the strategic impact and value delivered to Fermilab. To achieve this goal, each PMT reviews, evaluates and prioritizes projects and needs within its portfolio and ensures continued relevance and strategic alignment.

4.2.1   Information Systems PMT

The Information Systems Portfolio Management Team (IS-PMT) provides a forum for reviewing and prioritizing the Fermilab IT information systems portfolio, which is a selected set of planned initiatives and projects that affect the information systems infrastructure at Fermilab. The IS-PMT also recommends to the chairperson which projects should be implemented. The Chief Information Officer chairs the IS-PMT.

4.2.2    Scientific Computing PMT and Fermilab Computing Resource Scrutiny Group

The Scientific Computing Portfolio Management Team (SC-PMT) provides a forum for the various scientific projects and programs at Fermilab to present their scientific computing needs and requirements and for the SC-PMT to evaluate and prioritize these needs. The SC-PMT's goal is to ensure that computing resources are allocated in a manner that maximizes the benefit to the Fermilab scientific community. As the portfolio of scientific programs evolves, the SC-PMT will guide decisions that need to be made regarding the allocation of human resources and the investment of funds to purchase computing materials and services in a manner that most effectively meets the needs of the scientific program. The SC-PMT plays an essential role in reviewing scientific computing investment plans and making appropriate recommendations. The Chief Research Officer (CRO) chairs the SC-PMT.

The Fermilab Computing Resource Scrutiny Group (FCRSG) feeds into the SC-PMT and plays an essential role in reviewing scientific computing investment plans: it scrutinizes and scrubs the experiment requests and makes appropriate recommendations. The FCRSG ensures that the resources requested by an experiment are justified by its physics case. The PAC makes relative physics priority calls, and the FCRSG evaluates the requests against those calls to verify that the experiments are following those guidelines.

4.2.3  Service and Operational Delivery 

Computing processes are modeled on the Information Technology Infrastructure Library (ITIL V3 2011) framework and the ISO 20000 standard. The processes are grouped into service lifecycle stages:

  • Service Strategy determines and manages the requirement of the management system.  Service Strategy interacts with the PMTs and enterprise architecture.  Service Strategy manages the Service Portfolio.
  • Service Design ensures that services meet the requirements of the user and the management system. Information Security, Continuity, Capacity, and Availability are considered and included in IT solutions.
  • Service Transition ensures risk management and meeting operational requirements as services are moved to production. 
  • Service Operations ensures that IT Services are operated and delivered effectively and efficiently under the Management System.
  • A continuous improvement methodology is used to identify opportunities and track improvement.  This applies to the entire Management System.

4.2.4   IT Solution Delivery

The IT Project Management Office (IT PMO) process manages computing projects, ranging from short-term, low-cost projects to multimillion-dollar projects involving many stakeholders. The mission of the IT PMO is to oversee and continuously improve IT solution-delivery methodology that helps computing project managers more effectively plan and manage computing projects and measure results. The goal is to complete projects that deliver the planned value, on time and within budget, by applying project management practices and principles at a level that facilitates solid execution without excessive burden and overhead.

4.2.5   Enterprise Architecture

The Enterprise Architecture (EA) process defines, maintains, and governs the lifecycle and roadmap for Fermilab's computing environment. The process also aligns the roadmap with the required IT investments. As part of the lifecycle plan, the EA process also defines standards for the computing environment and identifies emerging technologies.

4.2.6   Software Quality Assurance

Software Quality Assurance (SQA) defines necessary quality-assurance requirements for all software applications used by Fermilab. Software quality assurance is implemented using a graded approach based on the analysis of potential risks should the software not perform as intended. Evaluating each software application against potential consequences allows for the application of appropriate quality-assurance measures and controls. Through this approach, Fermilab's SQA Program ensures development, management, and delivery of reliable software applications through adequate planning, testing, and control.

4.2.7   Publications and Records Management

The goal of the Publications and Records Management process is to efficiently and effectively identify, maintain, catalog and preserve publications, records, and other content that document Fermilab's history, organization, functions, policies, procedures, decisions, essential transactions, and results of projects and research. Publications & Records Management provides an overall framework regarding how recorded information should be appraised, saved, discarded, or preserved.

The information management system applies across all sectors of the laboratory's line organizations and to all laboratory visitors, contractors, and collaborators that operate computing assets and services on the laboratory network.

4.3   Cyber Security

Cybersecurity processes ensure that the information systems at Fermilab are operated at an appropriate level of risk. One set of processes reviews risk assessments, security plans, and impact statements to determine whether the risks associated with new or modified systems or applications are consistent with the existing accepted risk envelope, and makes recommendations about acceptance of any new residual risks. Additional risk management processes include the approval of variances from baselines. Policies and procedures dealing with computer security are continuously reviewed and evaluated, particularly in response to reports on significant computer security incidents at Fermilab and elsewhere in the DOE complex. Analysis of significant computer security events includes discussion of their implications and the required countermeasures. These processes are managed at regular meetings of the Computer Security Board (CS Board). In addition, a series of dashboards provides continuous monitoring of security operations.

4.4   Integration with Other Management Systems

The Information Systems & Cybersecurity management system is integrated with other management systems in several ways:

  • Information technology infrastructure, information systems, and scientific computing functions are integrated with the processes of the Quality, ES&H, and Finance management systems, and with WDRS (training).

  • The scientific computing function is also integrated with the Science Experiment Planning management system, which provides strategic direction and priority guidance, and the Engineering management system in areas of scientific computing where engineering is performed.

Each function of the information management system involves communication processes. These are governed by the Stakeholder Relations & Communications management system as well as Computing organization communication processes.

4.5   Other Processes Supporting the Management System

  • National laboratory Chief Information Officer (NLCIO) processes to interact with the DOE CIO and to assist in developing and interpreting DOE IT-related policy and guidance.
  • Fermilab Assurance Council

5.0   Information System and Cybersecurity Policies

6.0   Key Processes, Procedures, and Manuals

Information System

Cybersecurity Management System

7.0   Approach to Collaboration and Communication

The Information System has a robust management platform, referred to as the Service Desk Application, that enables collaboration, facilitates work intake, and records and communicates work results.

This platform allows people affiliated with the lab to:

  • Get Help
  • Request Something
  • Browse IT Service Descriptions (Service Catalog)
  • Track work requests
  • Get Information
  • Provide Feedback
  • Request up the Management System
  • View Service Metric and Outage Calendar

Computing also provides information to the lab through “At Work” under the Computing Tab.

Cybersecurity’s approach to outreach includes, but is not limited to:

  • Regular Fermilab Today Cybersecurity articles
  • Bi-weekly CSBoard meetings made up of Cybersecurity representatives from various D/S/P
  • Cybersecurity Awareness website located at https://securityawareness.fnal.gov

8.0   Contractor Assurance Requirements

8.1   Metrics and Key Performance Indicators (KPIs)

  • Information Systems

  • Cybersecurity
    • KPI: Number of delinquent cybersecurity training items
    • KPI: Number of DOE reportable incidents

8.2   Assessments

  • Information Systems
    • ISO20000 Certification
    • Peer Reviews of Service and Process
    • External Vendor Maturity Assessment (ServiceNow)
    • Process Management
  • Cybersecurity
    • Authority to operate granted by Fermilab Site Office designated approving authority based on external security testing and evaluation.
    • ISO20000 Certification
    • Fermilab Site Office Safeguards and Security Periodic Survey of Fermi National Accelerator Laboratory
    • Annual DOE Review (PEMP)
    • FISMA audits
    • Inspector General audits
    • Internal self-assessments within Computing Division
    • Internal Audit reviews
    • IT controls component of KPMG annual audit of financial systems.
    • Targeted audit areas that vary each year and are selected based on a formal risk assessment; CIO participates in risk assessment process with manager of internal audit. IT service-management processes are reviewed individually.
    • OMB 53 reporting to DOE
    • Quarterly self-assessments of aspects of operations of IT assets – reported to DOE
    • Periodic DOE OHEP review of scientific computing

8.3   Approach to Issues Management

Individuals can report issues identified by system monitoring or discovered during assessments. For Information System Management issues that reach the appropriate risk threshold, iTrack is used for tracking. All other issues, with a lower level of risk, are tracked and resolved in the Service Desk Application. Cybersecurity issues are also tracked through agenda items for the CS Board.

8.4   Lessons Learned

Problem Management and Continuous Improvement methods are leveraged where appropriate. Problem Management also provides recommendations to address lessons learned. The Service Desk Application knowledge base is used to distribute communications. The status of each Problem Management recommendation is tracked in the Service Desk Application and communicated weekly at the Computing Operations and Project Status meeting. Cybersecurity performs a lessons-learned review after each cybersecurity incident.

8.5   Risk Management

New or significantly changed applications undergo a 'technical risk assessment' to identify any new risks that cannot be mitigated to an acceptable level; the assessment is reviewed by the Cybersecurity Team and presented to the CS Board. Systems with a moderate rating in any one or more of Confidentiality, Availability or Integrity are defined in a Moderate Level Major Application. Systems with heightened security controls are defined in a lesser 'Minor' application. Bi-weekly meetings with the FSO discuss new risks, which are now documented on the appropriate FSO Fermipoint web site.

Risks and assessments are monitored by:

  • Self-Assessment Program

  • iTrack Procedures and Risk Assignment

  • Corrective Action Plans – in iTrack

  • Effectiveness Reviews – in iTrack

9.0   Required Reports and Records

  • Annual DOE review of performance (PEMP)
  • Assessment to achieve and maintain ISO/IEC 20000 certification for IT services.
  • Authority to operate granted by Fermilab Site Office designated approving authority based on external security testing and evaluation.
  • Bi-weekly meeting with the Fermilab Site Office
  • DOE data calls on information security
  • Fermilab Site Office Safeguards and Security Periodic Survey of Fermi National Accelerator Laboratory
  • FISMA audits
  • Inspector general audits
  • Internal self-assessments within Computing organizations
  • Internal audits
  • IT controls component of KPMG annual audit of financial systems.
  • Targeted audit areas that vary each year and are selected based on a formal risk assessment; CIO participates in the risk assessment process with the manager of internal audit. IT service management processes are reviewed individually.
  • OMB 53 reporting to DOE
  • Quarterly self-assessments of aspects of operations of IT assets – reported to DOE
  • Periodic DOE OHEP review of scientific computing
10.0   Extension of Management System to SDSTA (SURF)

All Fermilab activities associated with computing and information in South Dakota are governed by the computing policies described in Section 4.1 above. The goal is to extend computing to SURF such that Fermilab team members stationed at SURF interact with all lab processes just as if they were located at Fermilab in Batavia. In addition to Section 4.1, the following elements of this management system apply to Fermilab activities in South Dakota:

  • 4.3. Cyber Security

  • 4.5. Service Operations

  • 4.8. Software Quality Assurance

  • 4.9. Publications and Records Management

The South Dakota Services Division (SDSD) is supported by a liaison appointed by the Core Computing Division (CCD) to ensure that SDSD IT computing requirements are sufficiently understood and met and that computing activities in South Dakota are conducted in accordance with Fermilab policies and procedures. The Core Computing South Dakota IT Operations Liaison (CCD Liaison) will periodically visit the site and is available by phone or email to provide support as necessary. Additional support for specific issues or technical needs will be provided by CCD or subject matter experts and coordinated through the CCD Liaison. Additionally, CCD will coordinate with the DUNE online coordinator to ensure the computing needs of the DUNE experiment will be met at SURF.

Due to the nature of the work in South Dakota and an integrated workforce comprising Fermilab and non-Fermilab staff, additional policies and cybersecurity measures may be required. CCD subject matter experts will make periodic assessments of South Dakota computing needs and the computing environment in coordination with the CCD Liaison, and appropriate actions will be taken as required.

11.0  Additional References

  • DOE O 241.1B – Scientific and Technical Information Management

  • Contract clause H.41 – Information Technology Acquisitions

  • Contract clause I.122 – DEAR 970.5232-7 Financial Management System

  • Federal Laws and Regulations

  • Public Law 107-347, Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA)

  • Public Law 104-106, Information Technology Management Reform Act (Clinger/Cohen Act) of 1996

  • Public Law 107-30, Sarbanes-Oxley Act of 2002

  • E.O. 13231, Critical Infrastructure Protection in the Information Age, Oct. 16, 2001

  • OMB Circular A-130, "Management of Federal Information Resources," Appendix III, Security of Federal Automated Information Resources, dated Feb. 8, 1996

  • OMB Circular A-11, Preparation, Submission and Execution of the Budget, Exhibits 53 and 300

  • OMB Circular A-123

  • NIST SP 800-53 sets out the baseline management, operational and technical controls that must be incorporated into a system to minimally assure the security of low-, moderate- and high-risk systems.

  • NIST SP 800-53A contains testing criteria for the security controls.

  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems - offers a standardized methodology to assess the risks to the confidentiality, integrity, and availability (CIA) of unclassified systems.

  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems.

  • Other NIST standards as appropriate

12.0   Acronyms and Terms

CCD - Core Computing Division
CCD Liaison - Core Computing South Dakota IT Operations Liaison
DUNE - Deep Underground Neutrino Experiment
IS-PMT - Information Systems Portfolio Management Team
IT - Information Technology
ITIL - Information Technology Infrastructure Library
SC-PMT - Scientific Computing Portfolio Management Team
SDSD - South Dakota Services Division
SQA - Software Quality Assurance
SURF - Sanford Underground Research Facility
Service Desk Application - ServiceNow
ISO 20000 Certification - ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve an SMS. The requirements include the design, transition, delivery, and improvement of services to fulfill agreed service requirements.
NIST - National Institute of Standards and Technology, U.S. Department of Commerce
KPI - Key Performance Indicator

M10 internal supporting documents (login required)

9/23/2015 10:50 AM, Matt Crawford