FISMA and POA&M
Situation

The United States is in the midst of aggressively securing its information systems. The Federal Information Security Management Act of 2002 (FISMA) requires that all government agencies protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. These systems, and their supporting infrastructures, have a direct impact on national security, national economic security, and national health and safety. A comprehensive program of cyber security policy and procedures, system weakness identification, and corrective action tracking was deemed essential to meeting this mandate.

Analysis

The Department of Energy (DOE) needed sound, documented cyber security policies and plans to ensure adequate and cost-effective organizational and system controls. The goal was to delineate a security management structure and clearly assign security responsibilities, laying the foundation to reliably measure progress and compliance. A centralized process to track Plans of Action and Milestones (POA&M) across the Agency was developed to comply with the FISMA/OMB reporting requirements.

Solution

System 1 supported the formulation for DOE of an integrated approach to cyber security policies and plans, and supported regulatory initiatives such as the development of NIST-compliant certification and accreditation and risk management guidelines, as well as policy statements for the use of wireless technology. System 1 supported a governance process to reach agreement on programmatic policies and guidance and to bring consistency to security implementation. System 1 was instrumental in analyzing the regulatory landscape and in designing, implementing and maintaining a centralized POA&M database for recording, tracking, and reporting corrective actions for agency systems and for compiling this information for the quarterly report to OMB. System 1 also developed the requirement specification for a centralized Web-based POA&M reporting tool that would link to other corrective action reports such as DARTS and SSIMS.