Update from Doug Beeson (Threat Reduction)

Stuff just keeps on roaring into Grand Central Blog! Stuff just keeps on happening, as Don Rumsfeld was so fond of saying.

NNSA Cybersecurity audit teams found so many problems they gave up and went home. VTRs are "Vault-Type-Rooms" with restricted access. Typically they house secure computers and servers for classified computing. Evidently there was an argument about the evaluation criteria - NNSA had one checklist, LANS had another. Auditors are like that.

This week the Laboratory hosted audit teams from DOE/NNSA to review vault/VTR, cybersecurity and classified computing operations. During these audits it became clear that there were some problems, including differences in expectations between the auditors and the Laboratory. As a result, the audit teams have ceased their activities while DOE and the Laboratory discuss the expected standards against which these operations should be audited. Currently, the audit is expected to resume the week of Jan. 22.

In the interim, Director Mike Anastasio has asked us to review our vault/VTR and classified computing operations, and ensure that our operations meet current Laboratory guidance. I discussed these actions in a meeting Wednesday with vault custodians, ISSOs, OCSRs and others, and through this message I am sharing my directions and expectations with all of you.

TR will undertake several actions to establish clearly and completely our state of preparedness for classified computing, cybersecurity and vault/VTR operations as measured against the current Laboratory guidance. My goal is to ensure that we can reasonably accomplish our programmatic work and meet the Director's expectations and DOE/Laboratory requirements.

Finally, in a November 8 memo, Deputy Secretary of Energy Clay Sell established his expectations for cybersecurity throughout the DOE complex. That memo and associated DOE Order 205.1A are currently a topic of discussion between LANS and DOE/NNSA. It is possible that additional requirements will come from those discussions, and I will share information with you as soon as it is available.

Thank you very much for your continued support. I understand the challenge this effort presents to our conduct of programmatic activity -- but it is vital that we provide DOE/NNSA full assurance that our classified computing and vault/VTR activities are being conducted with the highest degree of attention to security. The nation deserves no less from us.

-Doug Beeson

[Thanks to the anonymous leaker of this memo. We really thank people like you; we need all the intel we can get, since the 'official' sources are so unreliable.]

Well, I guess this will lead to more training at LLNL and the implementation of more security regulation. It seems that every time LANL gets gigged for a violation of any type, LLNL goes into overdrive to assure that it will not happen there. Would you guys please stop this. We are tired of having to amend the rules and re-train all of our employees on a monthly basis. We'd really like to get some work done instead of having to take out hours of the day to listen to talks and do on-line training.

Welcome to our world. You, too, will grow to hate it. Just wait 'til you get to the mandatory on-line posture training...

I predict that very little programmatic work will get done in the secure at LANL this year. The fact that NNSA stopped the audits and went home in frustration is an ominous sign. If your work depends on using a VTR, then you might as well plan on taking a long vacation this winter, perhaps well into the spring thaw. In fact, I suspect a significant portion of the LANL workforce will soon be taking permanent vacations.

It's time to begin questioning whether LANL is the place at which you really want to spend your career. There are many other places at which you can actually do exciting work and not have to put up with the stress and bureaucratic minutiae that now dominate life at LANL.

Well, look at the bright side: LANL computer security stripped off the course syllabus my TA sent for my distance learning course. At least that security problem is fixed. And you people say that LANL security is good for nothing!
