Skip Ribbon Commands
Skip to main content

(M10) Information
Contractor Assurance

​​​​​​​​​​Management System Owner: Chief Information Officer (CIO)

Revision and Date: Revision 2.1 - June 21, 2018

1.0            Pur​pose

The  information  management system's  purpose is to provide policies, procedures, best practices, governance, monitoring, strategy and oversight functions and a cybersecurity program that together ensure that Fermilab IT assets are procured, managed, operated and disposed of in accordance with the contract.  In addition, it will ensure that information services support laboratory operations, the scientific program and the other management systems of the laboratory effectively, efficiently securely and safely.

2.0            Roles and Respons​​ibilities

Title Responsibilities
Chief Information Officer  (CIO)·     Sets up and oversees operations of the information management system
Laboratory Director·     Chairs the IT Executive Council – the highest level IT governance body of the laboratory
Computer Security Manager

·     Oversees the Computer Security Program

·     Chairs the Computer Security Board

Fermilab Computer Security Coordinator

·     Serves as point of contact for law enforcement

·     Handles DOE incident response

Service Manager·     Assures IT services are operated in accordance with Information Technology Infrastructure Library (ITIL) processes.
Chief Operating Officer·     Chairs the Information System Portfolio Management Team
Deputy Chief Research Officer·     Chairs the Scientific Computing Portfolio Management Team
Chief Information Officer·     Chairs the IT Infrastructure Portfolio Management Team
Head of Office of Enterprise Architecture and Configuration Management·     Chairs the Enterprise Architecture Board
Head, Project Management Office (Computing Sector)·     Provides project management support and oversight for all Information Management System Portfolio Projects
Deputy Chief Information Officer·     Chairs the IT Policy Board
Fermilab Records Manager·     Oversees records management

3.0            Primary Requirements

M&O Contract

○       C.4(b)(3) – Office of Science High-Energy Physics Program

○       C.4(c)(9) – Information Resources Management

Other DOE Orders

○       DOE O 200.1A – Information Technology Management

○       DOE O 205.1B – Department of Energy Cyber Security Program

○       DOE O 206.1 – Department of Energy Privacy Program

○       DOE O 243.1B Admin Chg 1 – Records Management Program

FRA Contract Clause Mapping to Management Systems.

https://fermipoint.fnal.gov/organization/ood/cas/

4.0            Management System Description Ov​​​erview

The objectives of the Information Management System are to deliver IT services, information system products and information management processes to laboratory staff, collaborators and clients to enable scientific and operational excellence. Its functions assure the efficient and effective use of information resources in compliance with standards and best practices to protect the confidentiality, integrity and reliability of the laboratory's information assets.

4.1               IT P​​olicy.

The IT Policy Board (ITBoard) manages the process of formulating IT policies (including computer security policies) and making recommendations to the laboratory CIO.  The process also facilitates the representatives from different organizations to raise and communicate potential impacts of proposed policies (and policy changes) on their organizations.  The topics for potential new or revised policies can arise from the Computer Security Board, service owners, laboratory organizations or groups of users.

4.2               IT Investment Oversight and​ Governance.

The following IT investment oversight and governance processes have been established in order to optimize the IT portfolio and maximize the value proposition in a given investment while properly managing the overall risk. At the highest level, there is the IT Executive Council, and it provides guidance to three Portfolio Management Teams (PMTs) that execute the investment decision processes. The portfolio of services are determined and managed through the Service Lifecycle and Continuous Service Improvement Service Management frameworks. The goal of the PMTs is to maximize the strategic impact and value delivered to Fermilab. To achieve this goal, each PMT reviews, evaluates and prioritizes the projects and needs within its portfolio and ensure continued relevance and strategic alignment.  As appropriate, each PMT also recommends needed adjustments to ensure maximum value is realized by Fermilab from these investments.

4.2.1    IT Executive Co​uncil

Provides guidance and direction for the Computing Project Portfolio Management processes to ensure that IT investments are aligned with the laboratory's strategic agenda, goals and priorities.  The IT Executive Council, as needed, also provides a forum for establishing priorities among different PMTs.

4.2.2    Information Syste​​ms PMT

Manages the Fermilab IT information systems portfolio, which is a selected set of planned initiatives and projects that affect the information systems infrastructure at Fermilab.  The IS-PMT is chaired by the COO.

4.2.3    Information​ Technology PMT

Manages the Fermilab core information technology portfolio, which is a selected set of planned initiatives and projects that affect the information technology infrastructure at Fermilab.  The IT-PMT is chaired by  the  CIO.

4.2.4    Scientific Compu​ting PMT

Provides a forum for the various scientific projects and programs at Fermilab to present their scientific computing needs and requirements and for the Scientific Computing Portfolio Management Team (SC-PMT) to evaluate and prioritize these needs.  The SC-PMT's goal is to ensure that computing resources are allocated in a manner that maximizes benefit to the Fermilab scientific community.  As the portfolio of scientific programs evolves, the SC-PMT will guide decisions that need to be made regarding the allocation of human resources and the investment of funds to purchase computing materials and services in a manner that most effectively meets the needs of the scientific program.  The SC-PMT plays an important role in reviewing scientific computing investment plans and making appropriate recommendations.  The SC-PMT is chaired by the Deputy Chief Research Officer.

4.3               Cyber Security.​​​

Cyber security processes ensure that information systems at Fermilab are operated at an appropriate level of risk.  One set of processes reviews of risk assessments, security plans and impact statements to determine whether risks associated with new or modified systems or applications are consistent with the existing accepted risk envelope, and makes recommendations about acceptance of any new residual risks.  Further risk management processes include approval of variances from baselines. Policies and procedures dealing with computer security are continuously reviewed and evaluated, in particular in response to reports on significant computer security incidents at Fermilab and elsewhere in the DOE complex and discussions of their implications and required countermeasures.  These processes are managed at regular meetings of the Computer Security Board (CSBoard).  In addition, a series of dashboards provide continuous monitoring of security operations.

4.4               Service Manage​​​ment.

Service Management defines and governs the processes by which the laboratory maintains and delivers services. These processes are modeled from the Information Technology Information Library (ITIL) framework and ISO20000 standard.  The processes are grouped into service lifecycle stages; Service Strategy, Service Design, Solution Delivery, and Service Transition.  Service Strategy incorporates the needs of the users and interacts with the PMTs and enterprise architecture.  Service Design interacts with Solution Delivery and ensures that Information Security, Continuity, Capacity, and Availability are considered and included in IT solutions.  Service Transition Interacts with Solution Delivery to ensure that changes to Services and IT operational processes are carried out in a coordinated way.

4.5               Service Op​erations.

Service Operations ensures that IT Services are operated and delivered effectively and efficiently in accordance with user needs.  This includes both providing core IT services (networking, email, server and desktop support, enterprise application support) and scientific computing services (compute servers, storage servers, grid and cloud computing, scientific application support).

4.6               IT S​​olution Delivery.

The IT Project Management Office (IT PMO) process manages a large number of computing projects, ranging from short-term, low-cost projects to multi-million dollar projects involving many stakeholders. The mission of the IT PMO is to oversee and continuously improve IT solution-delivery methodology that helps computing sector project managers to more effectively plan and manage their computing projects and measure their results.  The goal is to complete projects that deliver the planned value, on time and within budget, by applying project management practices and principles at a level that facilitates successful completion without excessive burden and overhead.

4.7               Enterprise Architec​​​ture.

The Enterprise Architecture (EA) process defines, maintains and governs the lifecycle and roadmap for Fermilab's computing environment. The process also aligns and maps the roadmap with the required IT investments. The goal of the Enterprise Architecture process is to enhance planning by establishing a comprehensive master plan that incorporates the underpinning computing environment roadmaps. As part of the lifecycle plan, the EA process also defines standards for the computing environment and identifies emerging technologies.

4.8               Software Quality Assu​rance.

Software Quality Assurance (SQA) defines necessary quality-assurance requirements for all software applications used within Fermilab.   Software quality assurance is implemented using a graded approach based on the analysis of potential risks should the software not perform as intended.  Evaluating each software application against potential consequences allows for the application of appropriate quality-assurance measures and controls.  Through this approach, Fermilab's SQA Program ensures development, management and delivery of reliable software applications through adequate planning, testing and control.

4.9               Publications & R​​ecords Management.

The goal of the Publications & Records Management process is to efficiently and effectively identify, maintain, catalog and preserve publications, records and other content, that document Fermilab's history, organization, functions, policies, procedures, decisions, and essential transactions and results of projects and research.  Publications & Records Management provides an overall framework regarding how recorded information should be appraised, saved, discarded or preserved.

The information management system applies across all sectors of the laboratory's line organizations and to all laboratory visitors, contractors and collaborators that operate computing assets and services on the laboratory network.

The information management system is integrated with other management systems in several ways:

  • IT governance functions and processes ensure prioritization of any development and modernization of the underlying IT Infrastructure and information systems needed for effective operation of the other management systems and for laboratory operations. Prioritization is conducted by portfolio management teams with broad representation across the scientific and operations sectors of the lab.
  • Information technology infrastructure, information systems and scientific computing functions are integrated with processes of the quality assurance management system, the ES&H management system, the financial management system and the operations management system (business services).
  • The scientific computing function is also integrated with the science management system, which provides strategic direction and priority guidance, and the engineering management system in areas of scientific computing in which engineering is performed.

Each function of the information management system involves communication processes. These are governed by the communications management system as well as communication processes of the information management system.

Other Processes Supporting the Management System

  • Corporate process: The FRA board and subcommittees review the progress of this system several times a year.
  • Processes by which the IMS boards and councils listed above operate as described in their charter.
  • Computing Sector PMO processes by which IT projects are managed and metrics related to project management are tracked.
  • Fermilab Computer Security Program (including all security plans, risk assessments, roles and responsibilities and operations of Fermilab Incident Response (FIR)
  • Annual Computer Security Awareness Day and periodic hands-on training sessions
  • Process and service reviews against established metrics and KPIs as part of the established Continuous Service Improvement Program (CSIP)
  • Problem identification and root-cause analysis as part of ITIL problem management
  • Service continuity related to business continuity of operations plan (for lab operations) and to science objectives, Memorandums of Understanding (MOUs), and Technical Scopes Of Work (TSWs) for the scientific program.
  • Self-assessments.
  • National laboratory chief information officer (NLCIO) processes to interact with the DOE CIO and to assist in developing and interpreting DOE IT-related policy and guidance.
  • Policies which support the Information management system and provide aspects of assurance
  • Director's Policy on Computing
  • Fermilab Computing Policy
  • Computing and information management policies
  • Bodies which support the Information management system and provide aspects of assurance
  • Assurance Council
  • Computing Sector Project Management Oversight
  • Information Systems Portfolio Management Team
  • IT Infrastructure Portfolio Management Team
  • Scientific Computing Portfolio Management Team
  • Enterprise Architecture Board
  • IT Policy Board
  • Computer Security Board (available on request)
  • IT Executive Council (available on request)

5.0            Reports, Audits, Assessments and Required Re​​cords

  • Annual DOE review of performance (PEMP)
  • Assessment to achieve and maintain ISO/IEC 20000 certification for IT services.
  • Authority to operate granted by Fermilab Site Office designated approving authority based on external security testing and evaluation.
  • Bi-weekly meeting with the Fermilab Site Office
  • DOE data calls on information security
  • Fermilab Site Office Safeguards and Security Periodic Survey of Fermi National Accelerator Laboratory
  • FISMA audits
  • Inspector general audits
  • Internal self-assessments within Computing Sector organizations
  • Internal audits
  • IT controls component of KPMG annual audit of financial systems.
  • Targeted audit areas that vary each year and are selected based on a formal risk assessment;  CIO participates in risk assessment process with manager of internal audit. IT service-management processes are reviewed individually.
  • OMB 53 reporting to DOE
  • Quarterly self-assessments of aspects of operations of IT assets – reported to DOE
  • Periodic DOE OHEP review of scientific computing (most recent: February 2011)
  • Reports to the weekly Lab Status and All Experimenters' meetings.

6.0            Additional Refere​​nces

  • DOE O 241.1B – Scientific and Technical Information Management
  • Contract clause H.41 – Information Technology Acquisitions
  • Contract clause I.122 – DEAR 970.5232-7 Financial Management System
  • Federal Laws and Regulations
  • Public Law 107-347 Title III of the E-Government Act entitled the Federal Information Security Management Act of 2002 (FISMA)
  • Public Law 104-106, Information Technology Management Reform Act (Clinger/Cohen Act) of 1996
  • Public Law 107-30, Sarbanes Oxley Act of 2002
  • E.O. 13231, Critical Infrastructure Protection in the Information Age, Oct. 16, 2001
  • OMB Circular A-130, "Management of Federal Information Resources", Appendix III, Security of Federal Automated Information Resources, dated Feb. 8, 1996
  • OMB Circular A-11, Preparation, Submission and Execution of the Budget, Exhibits 53 and 300
  • OMB Circular A-123
  • NIST SP 800-53 sets out the baseline management, operational and technical controls that must be incorporated into a system to minimally assure the security of low- , moderate- and high-risk systems.
  • NIST SP 800-53A contains testing criteria for the security controls.
  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems - offers a standardized methodology to assess the risks to the confidentiality, integrity and availability (CIA) of unclassified systems.
  • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.
  • Other NIST standards as appropriate

7.0            Definitions of Acronyms and Ter​​ms

 

​​ 

8.0            Extension of Management System To South Dakota

This section formally captures the extension of this management system to Fermilab activities and roles at SURF. (Add appropriate text below and change font back to black when finished)

In this new section, please make appropriate declarations about equivalencies AND note areas where the management system would operate differently.  Importantly, also note how your M.S. will provide assurances about performance at SURF (e.g., visits, inspections, monthly reports,  SDSD personnel oversight, and so on). 

ES&H has completed an analysis that generated a graphic identifying what requirements where for what work.  A reference to this analysis would be appropriate to include in this section.   In another example, the Legal Management System might observe formally that the Prime Contract applies to all legal matters identically to FRA-sponsored work in South Dakota as it does in Batavia and the same points of contact should be used. 

  
  
  
  
M10 internal supporting documents (login required).aspx
  
9/23/2015 10:50 AMMatt Crawford