Jul 24, 2007

Directive Distress

Pinky,
This memo was sent to the Lab Directors four days ago after they ambushed him [Secretary Bodman] about crappy directives at the last LD meeting. While EHS is high on their list of hatreds, it's Tom Pyke and LANL alum Bill Hunteman (aka the man who killed NNSA cyber security) who are generating some of the most virulent opposition with their insanely ill-conceived Technical Management Requirements for cyber security. The letter from Bodman shows just how little Boddie understands about what the actual cyber security challenges are, and what laws actually have to be followed by the Contractors - and once again assumes there is any expertise at HQ about any of these issues. That's the fatal flaw in all this Directives insanity - it assumes anyone at HQ knows anything about these issues. They don't. All expertise at DOE is in the Labs, yet is that where they start making policy? Of course not.

Of course, as everyone knows who knows anything, it's DOE HQ and the Feds that have the deepest and most serious problems in cyber. LANL may be in the news, but it's HQ that just got eaten... again. Of course, maybe that wouldn't have happened if they had been working on their own internal cyber security for the last 18 months instead of publishing thousands of pages of "guidance" oh wait "requirements" and next "Directives."

DOE is the worst managed thing of any kind on the planet. I relish going to the DMV as an escape from DOE's management practices. What a disaster.

---------------------------------------------------------------------------------------------------------

JUL 20 2007
The Secretary of Energy
Washington, D.C. 20585
July 19, 2007



Dr. Michael R. Anastasio
Director, Los Alamos National Laboratory
P.O. Box 1663, MS A100
Los Alamos, New Mexico 87545

Dear Dr. Anastasio:

Thank you for your May 30, 2007, letter providing the laboratory directors'
thoughts on proposals to address systemic issues with the Department of Energy's
directives system. I applaud the effort that was made to develop a collective
response and look forward to working with you on other issues using this new
approach.

I have reviewed your recommendations for transforming the Department's
directives system and have given them serious thought, especially your
conclusion that past improvement efforts have failed because the basic objective
of the directives system was not addressed. Enclosed is a draft memorandum
proposing principles for governing departmental directives. It addresses many of
the concerns cited in your letter and reflects the thoughtful consideration of the
Department's senior staff. I would like to discuss this draft document at our July
26, 2007, meeting with the Laboratory Directors' Executive Committee and ask
that the committee members be prepared with any comments.

I have also given consideration to the three specific issues cited in your response
(nanoscale safety, energy savings, and cyber security) and would like to discuss
them with the Executive Committee at our upcoming meeting. Given the
significant risks involved, the most challenging of the three issues is cyber
security.

As you know, the Department is required to follow a multitude of cyber security
requirements, including those promulgated through the Federal Information
Security Management Act, the National Institute of Standards and Technology,
and the Office of Management and Budget. In implementing these requirements
as well as other actions deemed necessary due to the significant threat posed to
the Department's unclassified and national security systems, we have endeavored
to take a risk-based approach to promote a robust cyber security program that
does not impose unnecessary burdens.

I appreciate your offer to develop recommendations for risk-based performance
levels for cyber security and am also interested in your developing the methods
for how the performance levels would be achieved. Enclosed is a paper prepared
by Tom Pyke that elaborates on our approach to meeting the challenge of cyber
security management. To ensure a productive discussion, it would be helpful if
the committee members would review the paper and be prepared to share the
laboratory directors' suggestions for improving the Department's cyber security
management process at the Executive Committee meeting.

Again, I appreciate your thoughtful recommendations on the Department's
directives system. Working together, I am optimistic that we will make positive,
lasting changes that will improve our ability to fulfill the Department's important
mission.

Sincerely,

Samuel W. Bodman
Enclosures

cc:

Samuel H. Aronson
Director, Brookhaven National Laboratory

Dan E. Arvizu
National Renewable Energy Laboratory

Carl O. Bauer
National Energy Technology Laboratory

Steven Chu
E. O. Lawrence Berkeley National Laboratory

Jonathan Dorfan
Director, Stanford Linear Accelerator Center

Alan Goldman
Interim Director, Ames Laboratory

Robert Goldston
Director, Princeton Plasma Physics Laboratory

John J. Grossenbacher
Director, Idaho National Laboratory

Thomas O. Hunter
Director, Sandia National Laboratories

Michael Kluse
Director, Pacific Northwest National Laboratory

Christopher Leeman
Director, Thomas Jefferson National Accelerator Facility

George H. Miller
Director, Lawrence Livermore National Laboratory

Pier Oddone
Director, Fermi National Accelerator Laboratory

Robert Rosner
Director, Argonne National Laboratory

Thom Mason
Director, Oak Ridge National Laboratory

G. Todd Wright
Director, Savannah River National Laboratory

---------------------------------------------------------------------------------------------------------

The Secretary of Energy
Washington, DC 20585


DRAFT



MEMORANDUM TO HEADS OF DEPARTMENTAL ELEMENTS

FROM: THE SECRETARY

SUBJECT: PRINCIPLES GOVERNING DEPARTMENTAL DIRECTIVES

The Department of Energy uses directives as its primary means to establish, communicate and institutionalize policies, requirements and procedures for Departmental elements and, in some instances, our contractors. Directives help ensure that the Department operates in a safe, secure, efficient and cost-effective manner. They promote operational consistency throughout the DOE complex, foster sound management and facilitate achievement of DOE's strategic goals.

While directives provide an effective means of promulgating requirements, they must be used judiciously to promote rather than stifle productivity, accountability, and innovation. Over the past several years, the number of directives has increased along with the requirements they contain. Too often these requirements are unclear, overly prescriptive, duplicative, or even contradictory. In some instances, they duplicate laws, regulations or national standards resulting in confusion and lost time as employees and contractors try to determine how to comply with conflicting requirements.

To improve the existing system of directives, the following principles will be applied to simplify and clarify directives, reduce unnecessary burden, and ensure that directives support improved Departmental management and mission accomplishment.
  • What vs. How: Directives, especially those that apply to contractors, shall be written to specify the goals and requirements that must be met and, to the extent possible, should refrain from mandating how to fulfill the goals and requirements, thus increasing accountability for results. However, it will sometimes be necessary to specify how requirements are met in directives that cover high risk functions such as safety and security or areas that require consistency such as financial reporting and information technology.
  • Duplication of Laws, Regulations or National Standards: To the maximum extent possible, departmental directives shall be written in a manner that does not duplicate laws, regulations or widely accepted national standards.
  • Improved Planning: The need for a new directive or a major revision to an existing directive must be confirmed early in the planning process. The degree to which proposed directives covering high-risk activities or special circumstances may need to specify how the goals and requirements will be implemented will also be established in the early planning stages. Organizations developing directives will assess the level of risk or particular need for consistency and determine the degree of prescription required. The financial impact of proposed directives will be determined and factored into the decision-making process.
  • Applicability and Tailoring: To avoid a one-size-fits-all approach to directives, organizations will specifically determine which departmental elements will be covered by the directive. Departmental elements and contractors covered by directives should make full use of tailoring and/or waiver provisions, as appropriate, to avoid unnecessary burden.
  • Impasse Process: Understanding that consensus is not always possible, in instances where consensus is not achieved expeditiously, the established impasse process will be used to resolve differences. Issues that cannot be resolved quickly will be elevated to the Deputy Secretary for decision. Dissenting views on directives will also be included in the review packages to ensure that all senior leaders are aware of differing positions.
  • Unofficial Guidance: On-going requirements that cross organizational lines and apply to contractors will be developed and promulgated through the directives process. Unauthorized or "rogue" directives often have not had the benefit of being analyzed by affected parties and risk being ignored or lost over time. Existing "rogue" directives will be evaluated and formalized through the directive process, as appropriate.
Improving Departmental directives is important and will require the personal involvement of senior managers to ensure that views expressed by departmental elements reflect the position of the principal. This will require your cooperation and active participation in this critical initiative.

I have directed the Office of Management to establish a process to review existing and proposed directives to ensure that they are written and managed in accordance with the principles outlined in this memorandum. Additional information will be provided by the Office of Management in the near future. In the meantime, please contact Ingrid Kolb, Director, Office of Management with any questions.

---------------------------------------------------------------------------------------------------------

The DOE Cyber Security Management Process

Rather than have a "one size fits all" policy or directive at the Department level, which is the norm in most of the Government, DOE has established a process for managing cyber security in which each Under Secretary makes risk-based cyber security program decisions and provides the direction to his part of the Department, including the labs within his area of responsibility.

As the Under Secretaries do so, they follow the Federal Information Security Management Act (FISMA), OMB and other Federal directives, and Federal Information Processing Standards signed by the Secretary of Commerce and issued by the National Institute of Standards and Technology, as well as DOE Technical and Management Requirements (TMRs). This process is established in the policy developed last year through the DOE directives process and is contained in DOE Order 205.1A. As required by this Order, TMRs are developed by the DOE Cyber Security Working Group and issued by the Office of the Chief Information Officer.

DOE is subject to substantial constraints in this area, such as those imposed in the Federal Information Processing Management Act, which mandates that the provisions of the Act be applied by all contractors who operate systems on behalf of the government. The key decisions as to sufficiency of management, operational, and technical controls are to be made based on risk determination by a senior Federal official for each system in the Department, including those systems operated by the DOE National Laboratories.

The DOE Cyber Security Working Group, which develops TMRs and coordinates planning and implementation of DOE-wide cyber security, has members appointed by the Under Secretaries. It works on a consensus basis, with each member ensuring an opportunity for review of proposed Working Group products by the DOE Laboratories and other components within each Under Secretary's organization. The TMRs establish reasonable schedules and parameters within DOE for implementing NIST cyber security technical guidance reports. They also interpret for use by the Under Secretaries new or changed Government-wide and DOE direction based on changing priorities and urgent requirements, such as for the protection of Sensitive Unclassified Information, including Personally Identifiable Information. A National Security Systems Manual prepared by the Working Group was also issued in March 2007 that provides DOE-wide direction for protecting classified systems and data.

A risk-based approach to cyber security management is taken at every step of the DOE cyber security management process. Throughout this process, the intent is that, to the maximum extent possible, the Under Secretaries give direction to their organizations, including the DOE National Laboratories, in terms of "what," not "how."

10 comments:

Anonymous said...

I don't get it. All you people need are thin, diskless clients on your desktops running solid Microsoft products and nothing else. What's so hard to understand about all this? If it can't be done using MS Office, of what worth is the effort, really? My gosh, you'd think that the staff at LANL were actually thinking of doing some scientific research or something! Banish the thought. All we need do is plan for the Pit Factory and keep an accurate count of the pits. That will be sufficient for our future work.

Anonymous said...

I guess we don't need a Linux User's Group at LANL any more.

Anonymous said...

Yes.. the problems at HQ are horrible. The organization got its bacon saved 1 year ago by Sandia security noticing some stuff that all the expensive HQ sensors didn't catch... Sandia and LANL helped clean it up and got a large 40% cyber-security cut (SNL got the larger one which made it look very punitive).

Hunteman has been putting more and more money into a center in LV to run all cyber-security for the labs. However, they can't fix local problems such as when HQ people will stick in any USB item they find in the parking lot.

My guess is that if HQ got hit again by a foreign power, that SNL/LANL cybersecurity will get another 40% cut.

Anonymous said...

Problems are coming to light with Bechtel, too. This may not pertain directly to LANL but rather it ties to one of our 'mother companies':

http://www.msnbc.msn.com/id/19962288/

U.S. construction giant ripped in audit
Bechtel failed to complete huge chunk of work in Iraq, new report says

Anonymous said...

6:11's story is right on. Bill doesn't like to be around competence. Hence, his giant questionable investment in Las Vegas. Hire a bunch of people with no actual cyber training and give them CIAC's responsibility - that way, HQ stops looking like idiots. Hey, the IG was supposed to be investigating that Las Vegas thing, where are they now???? It would be nice if the IT IG people would actually do something non-useless for a change. (ha, now I'm just dreaming...)

Anonymous said...

6:11PM noted that LANL and Sandia had their Cyber-security budgets cut, Livermore did as well. Maybe it was across the board for the entire complex. After all, how else can they fund the Las Vegas center?

It's actually a neat scheme.

1. Cut the funding hoping that creates a workforce reduction.

2. The remaining cyber security folks get overwhelmed, make mistakes or don't meet deadlines.

3. Point and scream "See they can't do it right" and then move in with the Las Vegas center, take over and pull the thumb out of the pie and say what a good guy am I.

4. Ask for help from the sites to make it work.

Department of EEEDIOTS
(with apologies to Ren & Stimpy)

Anonymous said...

Did anyone notice this memo that came out of the Director's office? Read the first line of this memo over a couple of times. Sounds rather ominous to me. Is the end game here for LANL? Are DOE and NNSA telling LANS something that the rest of the workforce should know about?

********************


Memorandum

To/MS: All Employees
From/MS: Michael R. Anastasio
Symbol: DIR-07-211
Date: July 23, 2007

Office of the Director

SUBJECT: Senior Management Meeting, July 19-21, 2007


The future of our Laboratory is being questioned and is potentially at risk. The country needs and deserves an efficient, agile, integrated, and effective Los Alamos National Laboratory that delivers premier science, technology, and engineering for national security.

At a leadership offsite last week, the senior management team met to determine whether we are doing everything possible to ensure the overall success of the Laboratory.

The following are outcomes of our meeting:

* We developed a set of actions to enhance our ability as a high performance leadership team.

* Reflecting on the past year, the Laboratory has accomplished a tremendous amount. We re-established that the 12 goals are the right ones for the Laboratory to achieve our vision (to anticipate, innovate, and deliver science and technology that matters).

* We began developing future key commitments associated with the 12 goals.

* We identified barriers to achieving these goals and commitments and developed actions to begin removing them.


Each of us on the senior management team is personally committed to the overall success of the Laboratory, and we will hold each other accountable to ensure this. While each of us brings expertise and experience to individual areas, it is the common vision, shared fate, and integrated execution toward achieving the vision that will ensure institutional success.

We will continue the work we did last week -- collectively carrying out actions, identifying and removing barriers, and holding each other accountable. The need to enhance the level and quality of communications with each other and with you was a topic that pervaded our meeting. In the coming days, your Associate Directors will be visiting with you further about our meeting and the critical nature of our collective performance toward achieving our 12 goals.

Cy:
IRM-RMMSO, A150 DIR-07-211

Anonymous said...

So, here I am, sitting in my air-conditioned office (way, way off site), reading through the DOE memo and "directive directive," and, for some reason, no doubt psychological, I detect the distinctive odor of stale canine feces (you know, that smell some folks' yards have in a mid-winter thaw).

Of course, I tell myself, it's all in my head.

Still, it doesn't smell very good.

Anonymous said...

@9:36 PM. It was an across-the-board cut, but Sandia supposedly got a larger cut than the 2 sister labs. It basically gutted the group.

Anonymous said...

DOE has been a dysfunctional organization since day one. Any project that they directly controlled has been mismanaged miserably. I know this from personal experience. Most DOE managers are pretty clueless.

LANL and LLNL have been pretty much independent, and DOE got a lot of the credit for their accomplishments. But now we will see more and more of the DOE management mentality. Worse than mediocrity. Shudder.