Berkeley Lab Authority to Operate
Summary
Since 2011, Berkeley Lab has operated under a continuous authorization model where authorization is a Laboratory function, based on a risk agreement with the Berkeley Lab Site Office. This model is consistent with the Department of Energy Office of Science Risk Management Approach under DOE Order 205.1C and National Institute of Standards and Technology guidance.
The continuous authorization model is reaffirmed each year through an annual risk assessment process, as outlined in the Policy on Certification and Accreditation (System Authorization). This website contains the current System Authorization documents that support that risk assessment process.
These documents were updated to NIST 800-53 r5 in 2021. The Berkeley Lab Chief Information Officer reaffirmed continuous authorization to BSO on October 18, 2022. The annual PEMP and RASA processes form the artifact that marks continuous authorization.
Enclaves
The Berkeley Lab CIO has granted Authority to Operate under continuous authorization to the following Berkeley Lab enclaves:
• Research and Operations Enclave (ROE)
• Enterprise Systems and Infrastructure (ESI) Enclave
• Energy Sciences Network (ESnet)
• National Energy Research Scientific Computing (NERSC)
Authorization Documents
The System Authorization Documents are organized into the following six groups:
1. Risk Acceptance and Understanding
2. Planning Documents
3. Testing and Remediation
4. Compliance
5. Security Controls Catalog
6. References
As part of the continuous authorization model, the System Authorization Documents are subject to ongoing modifications either annually or as needed.
1. Risk Acceptance and Understanding
Risk Assessment Self Assessment (RASA)
This document contains Berkeley Lab's Risk Letter, which defines the level of risk that Berkeley Lab will manage to, as well as Berkeley Lab's annual Risk Assessment / Self Assessment.
• Original signed risk agreement with BSO
• August 2024 Updated Risk Agreement from BSO
Enclave Certification Letters demonstrate the owner of each enclave has reviewed the enclave security plan and indicated understanding of the risks and controls:
• Letter granting enclaves authority to operate
• Research and Operations Enclave
• Enterprise Systems and Infrastructure (ESI) Enclave
• ESnet
• NERSC
2. Planning Documents
Cyber Security Program, Assurance, and Monitoring Plan (CSPAM) - Overarching program plan, containing the outlines of the assurance program, risk management approach, and continuous monitoring program.
Cloud Services Appendix - Description of overall approach to managing cloud services in the context of Berkeley Lab enclaves.
Cyber Security Assurance Plan - A component of Berkeley Lab’s overall Assurance program. The assurance plan is specific to cyber security and is referenced by the overall plan.
Enclave Cyber Security Plans: Each enclave has a cyber security enclave plan that describes their overall approach to cyber security:
• Research and Operations Enclave
• Enterprise Systems and Infrastructure Enclave
• ESnet
• NERSC
Security Controls Catalog - A comprehensive description of Berkeley Lab common and enclave approaches to security controls (additional detail below).
Overall IT Contingency and Disaster Recovery Plan - IT contingency and disaster recovery plan.
3. Testing and Remediation
Performance Evaluation Management Plan - Annual Department of Energy Quality Assurance and Surveillance Plan process to evaluate Berkeley Lab's performance for the most recent year. The performance evaluation provides a standard by which to determine whether the Contractor (i.e. the University of California) is managerially and operationally in control of the Laboratory and is meeting the mission requirement and performance expectations/objectives of the Department as stipulated within this contract. The linked document is PEMP Section 8.2, focused on cybersecurity and information technology.
Disaster Recovery Testing Report Letter - Documents the results of annual disaster recovery testing for all enclaves.
2022 NIST Self-Assessment - The Lab cybersecurity team conducted a NIST CSF self-assessment after conducting a thorough program review of NIST 800-53 rev 5.
4. Compliance
800-37 Risk Management Framework - This document shows completion of the Risk Management Framework tasks detailed in NIST 800-37, Appendix E and maps Authority to Operate documentation and processes to the Risk Management Framework.
5. Security Controls Catalog
NIST SP 800-37 permits the grouping of systems that have similar risk factors and that are under the same management control into an accreditation boundary, which the DOE refers to as an enclave.
To determine LBNL's enclaves, we assessed the data processed by each system for confidentiality, integrity, and availability (CIA) in accordance with guidance from FIPS 199 and NIST 800-60 (View FIPS 199 Definitions). We established enclaves based not only on the CIA levels of the systems, but also on the management structure, technical architecture, and mission of the organization. This allows LBNL to group like systems together and to push security responsibility down to organizational managers. For purposes of Certification and Accreditation, the LBNL network is viewed logically as four enclaves.
NIST SP 800-53 Revision 5 requires management, operational, and technical security controls for NIST systems. Both common and enclave-specific controls exist and each control is selected, documented, and implemented appropriate to its FIPS 199 Categorization. Detailed descriptions of these security controls can be found at the following link:
CP - CONTINGENCY PLANNING
IR - INCIDENT RESPONSE
MA - MAINTENANCE
MP - MEDIA PROTECTION
PL - PLANNING
PM - PROGRAM MANAGEMENT
PS - PERSONNEL SECURITY
PT - PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY
RA - RISK ASSESSMENT
SR - SUPPLY CHAIN RISK
6. References
Guidance documents and standards used to develop the ATO.
For questions or comments about this site please contact itpolicy@lbl.gov