LLNL NAPs Implementation Project NLIT 2009

Mark Dietrich, LLNL

LLNL-PRES-413493

NNSA Policies are driving dramatic changes

What’s NAP?

Background

  • NNSA Policy Letters:
    • NAP 14.1-C, NNSA Baseline Cyber Security Program
    • NAP 14.2-C, NNSA C&A Process for Information Systems
  • NAPs alive since 2003
  • Some iterations and pushback
  • C-versions in late 2007
  • LLNL Gap Analysis done early 2008
  • HSS audit used NAPs vision 2008
  • LLNL plan and revisions submitted to LSO 9/08, 1/09, 4/09
  • Formal project opened 3/09

Impact

  • Full compliance: years away
  • Good faith effort | steady progress
  • Culture changes
  • Risk and high stakes

Goal

  • Make all cyber operations compliant with NAPs by September 30, 2012

Broad impacting scope and strategy

New requirements

  • New security plan formats
  • Security configuration standards
  • Stronger risk assessments
  • Contingency plans for each system
  • Business Impact Assessments
  • Centralization of classified systems
  • Up to 330 controls per system/service
  • Restricting local administrative rights
  • Overhaul of all computer security policies
  • Integrate cyber security with the Lab’s emergency procedures

Strategy

  • Establish project team
  • Develop project plan that Programs and institutional organizations can accept
  • Use project team (and tools) to coordinate efforts of the PADs
  • Implement centralized core services to reduce cost of NAP compliance
  • Create standard configurations based on national standards
  • Build a Site Security Configuration Library to track configuration standards
  • Convert plans, policies and procedures to be NAP compliant

Project Approach

Consolidation

  • Consolidate similar plans into broader site-wide plans
  • Document differences in sub-plans
  • Sub-plans inherit security policies from their parent plans

Integration

  • Integrate many plans into one
  • Integrate services at the institution level into a single plan
  • Subsume existing similar plans

Phasing the Approach

  • Starting with the site-wide plans
  • Subordinate/program plans follow using well-crafted templates for plans and test plans
  • Classified plans to follow, to apply valuable lessons learned from the unclassified plans

Project Approach

  • Formalization, structured
  • Led by an experienced PMP
  • Broad reach across the enterprise
  • Reporting and accountability
  • Deliverables and milestones

SharePoint used intensively for Project Management

Lists in Use

  • Plans
  • Deadlines
  • Calendar
  • Comms Plan
  • Families
  • NAP controls
  • Strategies
  • Subgroup tracking
  • Lessons learned captures
  • Risk Register

Meeting workspaces

  • For project meetings
  • Standing agenda items:
    • Issue Log check
    • Tasks check
    • Plans statusing
  • Posting minutes
  • Recording decisions
  • Planning agenda items well in advance

The Plans lifecycle has been created and socialized

  • Plan development/review is a 9-month process
  • Urgency of NAPs Implementation requires compressing 9 months into 5-6 months for unclassified plans

Document flowdown

[Figure: document flowdown diagram. Layers, top to bottom: Requirement (NAP 14.1, NAP 14.2); LLNL Policy (CSPP); Central policy catalog (SPP entries IM-1, IM-2, IM-3); Procedure (STE-1, STE-2, STE-3, ST&E); Local. Information system accreditation method: ISSP.]
SPP (Security Plan Policy) and SSCL (Site Security Configuration Library)

SPP

  • Key document generated at the institution level
  • Lists for every NAP 14.2-C control:
    • Policy (the NAP text)
    • Supplemental guidance
    • Enhancements
    • Implementation
      • “Dash-One” & “Dash-Two”
    • Potential assessment methods
      • Examine, interview, test
      • NIST 800-53 measures
  • From this derives a plan’s ST&E

SSCL

  • The SSCL will be used in all security plans
    • Each entry has:
      • Approved configuration
      • Security test script
      • Listing of NAP controls met by each component
    • Process development and prototyping underway
  • Stores the authorization basis, configuration of controls and test tools for all components
  • Ensures NAP compliance based on NIST, NSA, DISA, CIS and other national standards
