
LLNL NAPs Implementation Project NLIT 2009




  1. LLNL NAPs Implementation Project NLIT 2009
     Mark Dietrich, LLNL
     LLNL-PRES-413493

  2. NNSA Policies are driving dramatic changes
     What’s NAP?
     • NNSA Policy Letters:
       • NAP 14.1-C, NNSA Baseline Cyber Security Program
       • NAP 14.2-C, NNSA C&A Process for Information Systems
     Background
     • NAPs alive since 2003
     • Some iterations and pushback
     • C-versions in late 2007
     • LLNL Gap Analysis done early 2008
     • HSS audit used NAPs vision 2008
     • LLNL plan and revisions submitted to LSO 9/08, 1/09, 4/09
     • Formal project opened 3/09
     Impact
     • Full compliance: years away
     • Good faith effort | steady progress
     • Culture changes
     • Risk and high stakes
     Goal
     • Make all cyber operations compliant with NAPs by September 30, 2012

  3. Broad impacting scope and strategy
     New requirements
     • New security plan formats
     • Security configuration standards
     • Stronger risk assessments
     • Contingency plans for each system
     • Business Impact Assessments
     • Centralization of classified systems
     • Up to 330 controls per system/service
     • Restricting local administrative rights
     • Overhaul of all computer security policies
     • Integrate cyber security with the Lab’s emergency procedures
     Strategy
     • Establish project team
     • Develop project plan that Programs and institutional organizations can accept
     • Use project team (and tools) to coordinate efforts of the PADs
     • Implement centralized core services to reduce cost of NAP compliance
     • Create standard configurations based on national standards
     • Build a Site Security Configuration Library to track configuration standards
     • Convert plans, policies and procedures to be NAP compliant

  4. Project Approach
     Consolidation
     • Consolidate similar plans into broader site-wide plans
     • Document differences in sub-plans
     • Sub-plans inherit security policies from their parent plans
     Integration
     • Integrate many plans into one
     • Integrate services at the institution level into a single plan
     • Subsume existing similar plans
     Phasing the Approach
     • Starting with the site-wide plans
     • Subordinate/program plans follow using well-crafted templates for plans and test plans
     • Classified plans to follow to apply valuable lessons learned from unclas
     Project Approach
     • Formalization, structured
     • Led by an experienced PMP
     • Broad reach across the enterprise
     • Reporting and accountability
     • Deliverables and milestones

  5. SharePoint used intensively for Project Management
     Lists in Use
     • Plans
     • Deadlines
     • Calendar
     • Comms Plan
     • Families
     • NAP controls
     • Strategies
     • Subgroup tracking
     • Lessons learned captures
     • Risk Register
     Meeting workspaces
     • For project meetings
     • Standing agenda items:
       • Issue Log check
       • Tasks check
       • Plans statusing
       • Posting minutes
       • Recording decisions
     • Planning agenda items well in advance

  6. The Plans lifecycle has been created and socialized
     • Plan development/review is a 9-month process
     • Urgency of NAPs Implementation requires compressing 9 months into 5-6 months for unclassified plans

  7. Document flowdown
     [Diagram: document flowdown. Labels visible on the slide: Requirement: NAP 14.1, NAP 14.2; LLNL Policy: CSPP, SPP, central policy catalog; Procedure: SPP IM-1, SPP IM-2, SPP IM-3; ST&E (local): STE-1, STE-2, STE-3; Information system accreditation method: ISSP.]

  8. SPP (Security Plan Policy) and SSCL (Site Security Configuration Library)
     SPP
     • Key document generated at the institution level
     • Lists for every 14-2.C control:
       • Policy (the NAP text)
       • Supplemental guidance
       • Enhancements
       • Implementation
       • “Dash-One” & “Dash-Two”
       • Potential assessment methods
         • Examine, interview, test
       • 800.53 measures
     • From this derives a plan’s ST&E
     SSCL
     • The SSCL will be used in all security plans
     • Each entry has:
       • Approved configuration
       • Security test script
       • Listing of NAP controls met by each component
     • Process development and prototyping underway
     • Stores authorizations basis, configuration of controls and test tools for all components
     • Ensures NAP-compliance based on NIST, NSA, DISA, CIS and other national standards
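As an added illustration of how a configuration library of this shape feeds a plan's ST&E (this is not code from the presentation or from LLNL's actual SSCL), the toy Python model below stores, per component, the three items slide 8 lists: an approved configuration, a security test script, and the NAP controls that component meets. Given a plan's required controls and the observed configuration of the components it uses, it reports which controls are covered by a component that passed its test, which components deviate from (or are missing from) the library, and which required controls still need plan-specific evidence. The component names, settings and control mappings are constructed; the IM-n/STE-n labels are borrowed from the flowdown slide purely as placeholders.

```python
"""Toy model of a Site Security Configuration Library (SSCL) feeding a
plan's ST&E.  Added illustration only: the component names, settings,
control ids and control mappings below are constructed placeholders,
not LLNL's actual library or NAP 14.2-C control text."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Config = Dict[str, object]


@dataclass(frozen=True)
class SSCLEntry:
    """One library entry, mirroring the three items the slide lists:
    approved configuration, security test script, and the controls met."""
    component: str
    approved_config: Config
    controls_met: FrozenSet[str]
    test_script: Callable[[Config], bool]


def matches_approved(approved: Config) -> Callable[[Config], bool]:
    """Generic test script: every approved setting must be present in the
    observed configuration with exactly the approved value."""
    return lambda observed: all(observed.get(k) == v for k, v in approved.items())


def _entry(component: str, approved: Config, controls: Set[str]) -> SSCLEntry:
    return SSCLEntry(component, approved, frozenset(controls), matches_approved(approved))


# Constructed sample library (hypothetical components, settings and mappings).
SSCL: Dict[str, SSCLEntry] = {
    "workstation-baseline": _entry(
        "workstation-baseline",
        {"local_admin_rights": "restricted", "screen_lock_minutes": 15},
        {"IM-1", "IM-2"},
    ),
    "central-logging": _entry(
        "central-logging",
        {"forward_to_central": True, "retention_days": 365},
        {"IM-3"},
    ),
}


def derive_ste(required: Set[str], deployed: Dict[str, Config]
               ) -> Tuple[List[str], List[Tuple[str, str]], List[str]]:
    """Derive the ST&E result for one plan from the library.

    deployed maps each component the plan uses to its observed configuration.
    Returns (covered, failed, gaps):
      covered - required controls satisfied by a component that passed its test
      failed  - (component, reason) for components that are not in the library
                or whose observed configuration deviates from the approved one
      gaps    - required controls no passing component satisfies; these need
                plan-specific evidence rather than inherited SSCL evidence
    """
    covered: Set[str] = set()
    failed: List[Tuple[str, str]] = []
    for name, observed in deployed.items():
        entry = SSCL.get(name)
        if entry is None:
            failed.append((name, "component not in SSCL"))
        elif entry.test_script(observed):
            covered |= entry.controls_met
        else:
            failed.append((name, "deviates from approved configuration"))
    return sorted(covered & required), failed, sorted(required - covered)


if __name__ == "__main__":
    # Constructed plan: one workstation drifted to unrestricted admin rights.
    required = {"IM-1", "IM-2", "IM-3", "STE-1"}
    observed = {
        "workstation-baseline": {"local_admin_rights": "unrestricted", "screen_lock_minutes": 15},
        "central-logging": {"forward_to_central": True, "retention_days": 365},
    }
    covered, failed, gaps = derive_ste(required, observed)
    print("covered:", covered)
    print("failed:", failed)
    print("gaps:", gaps)
```

A component that fails its test contributes no control coverage at all, so a single drifted setting surfaces as both a failed component and a set of uncovered controls; that is the behaviour a plan owner wants, since inherited evidence is only valid while the deployed configuration matches the approved one.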

  9. LLNL NAPs Implementation Project NLIT 2009
     Mark Dietrich, LLNL
