News Center

"The Laboratory has turned a corner on information-security issues," says NNSA

HSS won't do an assessment in 2010, they'll only come out to assist

NNSA wants to partner to support the Lab's mission

In January 2008, Wayne Jones, the National Nuclear Security Administration's new deputy chief information officer for cyber security, was on a plane from Washington to respond to information-security concerns at the Laboratory. Jones knew that then-DOE Secretary Bodman had issued Los Alamos a Security Compliance Order in July 2007 that would impose fees of up to $100,000 a day for failure to comply. He wondered what he was heading into.

But Jones had a very different message last week during Cyber Security Day: "The Laboratory has turned a corner on information-security issues. The relationship with Washington and the [Los Alamos] site office is going to evolve from a 'bring me a rock' to a partnership," he said, adding that NNSA wants to partner to support the Lab's mission. "We're all in agreement that's the direction we want to take. You won't see anyone from HSS coming out to do an assessment, they'll only come out to assist in 2010," said Jones.

He went on to say that while the Federal Information Security Act (FISMA) isn't going away, the Lab must find ways to comply with FISMA and yet be more responsive to information security threats — and that means changes in the accreditation process. Jones said this will require an intense effort from the Lab and that he'll be looking to each NNSA lab to figure out how to accomplish this agile defense.


How did the Lab get to this point? A major effort to measure risk, apply National Institute of Standards and Technology controls, certify the use of those controls, and arrive at standard and supported system configurations for Lab systems consumed much of 2008. That effort, involving hundreds of Lab information technology and cyber security staff, culminated December 10, 2008, with concurrence from NNSA that the Compliance Order was successfully completed. But the effort to certify its systems also left the Lab with significant "mortgages" that were due this year, some of which are still due.

Then, auditors from Health, Safety, and Security (HSS) in DOE's Office of Independent Oversight arrived in August of 2009 to review the Lab's information security. The auditors quickly determined that the Lab had made substantial improvements.

"I want to thank everyone at the Laboratory, the teams who worked many long hours to make improvements to cyber security programs and processes, and employees who took the time to understand and implement these changes," said CIO Tom Harper. "This improved oversight relationship with NNSA will only help the Laboratory as we continue to make further improvements in our cyber security."


Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA © Copyright 2010-11 LANS, LLC All rights reserved