Security and Cyber Evaluations within the Office of Enforcement and Oversight implements the independent security performance monitoring functions for DOE. The other half of the Independent Oversight Program is implemented by the Office of Safety and Emergency Management Evaluations for safety oversight. The independent oversight function performed by these two offices is delineated in DOE Order 227.1, Independent Oversight Program, issued on August 30, 2011. This recently revised Order reflects lessons learned in conducting inspections and incorporates earlier and more frequent line management involvement in the inspection planning process. We welcome an opportunity to discuss our inspection process and potential differences in approach since your last interaction with us.
The Office of Security and Cyber Evaluations is organized into two teams - a team that evaluates and provides feedback on safeguards and physical security program matters and one that is focused on cyber security and information assurance programs. Whether the scope is physical or cyber security, our office uses performance testing to evaluate protection measures. Tests are developed based on protocols evolved over two decades of performing inspections and are adapted to site-specific configurations in order to assess intended system functions and capabilities. To this end, our office has developed very sophisticated capabilities that are familiar to most DOE organizations. For example, we conduct protective force-on-force performance testing to assess the protection of nuclear weapons and Category I special nuclear material. To accomplish this independent oversight function, our office sponsors and trains the DOE composite adversary team to role play the postulated adversary during performance tests and exercises. Similarly, for cyber security performance testing, our office operates two cyber security testing facilities that conduct announced penetration tests of DOE computer networks to evaluate external and internal threats. We also perform unannounced penetration tests, conducted by a red team that assumes the role of an adversary, to identify weak links that could expose a network to a cyber attack. The use of rigorous performance testing and the analysis of the results allow us to provide line management and other stakeholders with a snapshot of the overall effectiveness of a site's security posture.
The Office of Security and Cyber Evaluations evaluates safeguards and security, including cyber security, policies and programs throughout the Department with special emphasis on the protection of special nuclear material and classified and sensitive information. A special feature of these evaluations is the degree to which the office employs performance-testing to gather and analyze data related to these programs. For example, the office performs large-scale force-on-force performance testing using highly-skilled teams as simulated adversaries, and performs both internal and external penetration testing using state-of-the-art techniques to challenge and probe computer network security. These capabilities comprise a unique resource within DOE.
Performance testing and other aspects of the inspection process are described in detail in our Appraisal Process Protocols. Our inspection reports provide recommendations on potential enhancements, efficiencies and system upgrades. The intent of these recommendations is to be the step off point from which sites may want to conduct further sensitivity studies, vulnerability analyses, and/or performance test activities. The Office of Security and Cyber Evaluations is poised to assist with these activities upon request.
A few words are in order about other information that is available through this web site. The link to Guidance Documents provides information about the security program elements that our office typically reviews during site visits. Each topic is defined and the principal baseline documents used during the reviews are indicated. The Reports link will guide you to lists of reports issued by our office. Once there, select your area of interest - either Physical Security or Cyber Security. While the great majority of these reports are classified or controlled, individuals with the required access authorization may request them through the appropriate channels.
We hope that you will find this web site helpful in understanding what the Office of Security and Cyber Evaluations is all about, and how and why we do the things we do.