The Office of Cyber and Security Assessments, within the Office of Independent Enterprise Assessments, implements the independent security performance monitoring functions for DOE. The other half of the Independent Oversight Program, safety oversight, is implemented by the Office of Safety and Emergency Management Evaluations. The independent oversight function performed by these two offices is delineated in DOE Order 227.1, Independent Oversight Program, issued on August 30, 2011. This recently revised Order reflects lessons learned from conducting inspections and incorporates earlier and more frequent line management involvement in the inspection planning process. We welcome an opportunity to discuss our inspection process and any differences in approach since your last interaction with us.
The Office of Cyber and Security Assessments is organized into two teams: one that evaluates and provides feedback on safeguards and physical security program matters, and one that focuses on cyber security and information assurance programs. Whether the scope is physical or cyber security, our office uses performance testing to evaluate protection measures. Tests are developed from protocols that have evolved over two decades of performing inspections and are adapted to site-specific configurations in order to assess intended system functions and capabilities. To this end, our office has developed sophisticated capabilities that are familiar to most DOE organizations. For example, we conduct protective force force-on-force performance testing to assess the protection of nuclear weapons and Category I special nuclear material. To accomplish this independent oversight function, our office sponsors and trains the DOE composite adversary team, which role-plays the postulated adversary during performance tests and exercises. Similarly, for cyber security performance testing, our office operates two cyber security testing facilities that conduct announced penetration tests of DOE computer networks to evaluate exposure to external and internal threats. We also perform unannounced penetration tests, conducted by a red team that assumes the role of an adversary, to identify weak links that could expose a network to a cyber attack. Rigorous performance testing and analysis of the results allow us to provide line management and other stakeholders with a snapshot of the overall effectiveness of a site's security posture.
The Office of Cyber and Security Assessments evaluates safeguards and security policies and programs, including cyber security, throughout the Department, with special emphasis on the protection of special nuclear material and of classified and sensitive information. A distinctive feature of these evaluations is the degree to which the office relies on performance testing to gather and analyze data about these programs. For example, the office performs large-scale force-on-force performance testing using highly skilled teams as simulated adversaries, and performs both internal and external penetration testing using state-of-the-art techniques to challenge and probe computer network security. These capabilities are a unique resource within DOE.
Performance testing and other aspects of the inspection process are described in detail in our Appraisal Process Protocols.
We hope that you will find this web site helpful in understanding what the Office of Cyber and Security Assessments is all about, and how and why we do the things we do.