
Cyber Security Evaluations



Director's Perspective

Welcome to the Office of Cyber Security Evaluations

James Lund, Acting Director

This office, within HSS's Office of Independent Oversight, serves as the eyes and ears of the Secretary of Energy in overseeing classified and unclassified cyber security programs throughout the DOE complex. In May 1999, the Secretary created this office to increase emphasis on cyber security, reflecting the need for new protection strategies as computers and related information technologies fundamentally changed the way the Department accomplishes its mission. At the same time, the rapid spread of information networks introduced a new set of vulnerabilities that need to be evaluated and controlled. The goal of our evaluations is to provide feedback to senior Department leaders, line management, the Office of the Chief Information Officer, and external stakeholders (e.g., Congress) on the effectiveness of cyber security programs and policies at DOE sites. We work particularly closely with the Office of the Chief Information Officer in a unique relationship that helps them fulfill their information assurance role given their overall responsibility for cyber security within the Department.

To meet this challenge, we conduct rigorous performance testing to evaluate internal and external network protection measures. As part of this effort, we have developed a cadre of technical experts and established two cyber security testing facilities that conduct vulnerability testing of DOE sites over the Internet, and conduct announced and unannounced network penetration tests of sites to evaluate external threats. We also have remote testing platforms that support onsite performance testing to evaluate a site's defense-in-depth. Our ability to evaluate both external and internal threats allows us to identify potential vulnerabilities and provide a snapshot of the overall effectiveness of a site's cyber security protection posture. Our inspection reports are formatted to provide actionable feedback to the sites that can be used to improve their cyber security posture and support their mission.

While we maintain a busy schedule of announced assessments at major DOE sites, we have also established an ongoing, unannounced penetration testing program, conducted by a "red team." While announced inspections provide a more complete picture of the range of vulnerabilities that DOE sites face, along with the effectiveness of essential management processes, the red team assumes the role of adversary in order to identify weak links that could expose a site to a cyber attack. The red team approach also tests how well the site's incident reporting processes perform in detecting, deterring, and reporting cyber attacks.

In addition to programmatic assessments and technical testing, we conduct cyber security reviews and site assistance visits at DOE critical infrastructure sites, science laboratories, and a wide range of other Departmental sites in order to ensure that the confidentiality, integrity, and availability of all information technology systems are appropriate. I hope that you will find this web site helpful in understanding the roles of our office and the processes we use to fulfill our responsibilities.

   
         
   
     
    




This page was last updated on November 22, 2010