U.S. DEPARTMENT OF ENERGY
DOE CYBER STRATEGY

TABLE OF CONTENTS

Message from the Deputy Secretary p. 3
Message from the CIO p. 4
Introduction p. 5
Vision p. 7
Principles p. 8
Strategic Goals and Objectives p. 9
The Way Forward p. 15
Appendix: Applicable Mandates p. 16

MESSAGE FROM THE DEPUTY SECRETARY

"Across the Department of Energy, we rely on digital technologies to share, store, and use information that protects national security, [...] groundbreaking research, and increases the efficiency of our operations."
Dr. Elizabeth Sherwood-Randall, Deputy Secretary of Energy

Across the Department of Energy, our diverse missions are enabled by digital technologies. We rely on these technologies to gather, share, store, and use information. Because of our growing reliance on these technologies, we also increase our vulnerability to cyber threats that put our entire enterprise at risk.

As Chair of the DOE Cyber Council, I have guided the development and implementation of a new DOE Cyber Strategy. This new Strategy sets forth DOE's enduring commitment to securing our cyber assets. Implementing this Strategy will enhance our ability to protect our critical infrastructure and to identify and report cyber incidents so that we can respond promptly and manage their consequences. It will also advance our nationwide efforts to work with other Federal agencies as well as with state, tribal, local, territorial, private sector, and international partners.

Ultimately, it is the 115,000 women and men on our nationwide team, including our Federal, Management and Operating (M&O), and contractor workforce, who must do the work to keep us strong and safe. We must therefore partner across the Department, including DOE Headquarters, Program Offices, National Laboratories, Power Marketing Administrations, Plants, and Sites, to effectively anticipate and address cybersecurity vulnerabilities.

The priorities outlined in this important document are essential to realizing our cyber vision, and I encourage every member of the team to read this Strategy and make a commitment to its full implementation. Together we can transform and strengthen DOE's cyber enterprise in order to fulfill our vital missions on behalf of the American people.

MESSAGE FROM THE CHIEF INFORMATION OFFICER

"The safe and secure stewardship of the Department's information assets is our top priority."
Michael Johnson, Chief Information Officer (CIO)

The Department's success in achieving its critically important national security, scientific, and energy mission rests on our ability to establish robust information sharing and safeguarding capabilities to ensure the security of information from increasingly sophisticated cyber threats.

The DOE Cyber Strategy addresses the challenges associated with an increasingly complex cyber landscape. The approach to implementing this strategy requires a transparent, inclusive, and collaborative governance process across DOE Staff Offices and Program Offices, National Laboratories, Power Marketing Administrations, Plants, and Sites.

The DOE Cyber Strategy is rooted in three fundamental principles:
• Information is a Departmental asset
• Effective information sharing and safeguarding requires a distributed, standards-based risk management approach
• Public trust is critical to mission success

Four strategic goals further articulate what we as an enterprise must do to advance DOE's cyber posture and ensure a strong combination of information sharing (mission enablement) and information safeguarding (mission assurance).

To achieve the Department's cyber mission objectives, we must pursue information resources modernization and adopt innovative capabilities that enable advanced analytic techniques, information management, cybersecurity best practices, and enhanced partnerships with stakeholders. Furthermore, we must successfully recruit, develop, and retain our most important resource: our people.

As CIO, I look forward to working with you to ensure this strategy's implementation and durable success.

INTRODUCTION

Cyber poses a constant and dynamic challenge with serious economic and national security implications for the Department of Energy (DOE) and the United States. This [...] for DOE Staff Offices, Program Offices, National Laboratories, Power Marketing Administrations, Plants, and Sites that comprise our "Energy Enterprise."

Today's rapidly evolving cyber landscape presents unprecedented opportunities and challenges. Achieving a safe, secure, and resilient cyber environment demands that we adopt innovative approaches and a full range of best practices. The Department's strategy must be agile and forward leaning. We must create an environment that prevents, deters, detects, and is resilient against cyberattacks and minimizes the vulnerability of systems and networks.

Cyber is an enterprise-wide responsibility that demands an expanded view—beyond traditional cybersecurity—to encompass the broad scope of information sharing and information safeguarding. Information sharing (mission enablement) ensures information is available and accessible to those who need it and are authorized to access and use it. Information safeguarding (mission assurance) ensures the protection of information essential to maintaining confidentiality, authenticity, privacy, and availability. Managing the inherent tension between information sharing and information safeguarding is critical to the Department's mission and vision.

Building on past successes

The DOE Cyber Strategy builds upon the Department's past successes and accounts for and addresses new and rapidly evolving cyber challenges. By employing threat-informed intelligence, we will effectively safeguard and manage information as a Departmental and national asset.

Enterprise-wide collaboration is key

The DOE Cyber Strategy articulates a compelling vision for the future and a tangible plan for realizing it by leveraging diverse perspectives and experience from across the Energy Enterprise. By fostering a transparent and collaborative approach, we will establish a common understanding and a culture of accountability tailored to the Department's unique structure and mission.

The Strategy identifies three crosscutting principles:
• Information is a Departmental asset
• Effective information sharing and safeguarding requires a distributed, standards-based risk management approach
• Public trust is critical to mission success

The Department will apply these principles across four strategic goals:
• Share enterprise information more effectively with authorized users
• Safeguard information against cyber threats
• Win the competition for cyber talent
• Mature and strengthen the Department's cyber posture

The success of the Strategy hinges on the Department's ability to collaborate and innovate. Building on this Strategy, the DOE Cyber Strategy Implementation Plan provides an essential roadmap with measurable objectives.

VISION

The Energy Enterprise will adopt a distributed, standards-based risk management approach to enable and ensure the Department's mission.

Information Sharing and Safeguarding

In alignment with the National Strategy for Information Sharing and Safeguarding, DOE's vision promotes secure and responsible information sharing that goes beyond a cybersecurity nexus to encompass all Departmental information that advances our mission. Our policies and practices build upon a vision that points to a future where the right information is provided to the right people at the right time in a manner that rigorously protects national security, privacy, and civil liberties. Mission success depends on enterprise-wide collaboration. By adopting a distributed, standards-based risk management approach, we will share information responsibly, ensuring the integrity and protection of the Department's cyber assets.

"We must strike the proper balance between sharing information with those who need it to keep our country safe and safeguarding it from those who would do us harm. While these two priorities—sharing and safeguarding—are often seen as mutually exclusive, in reality they are mutually reinforcing. Our national security depends on sharing the right information with the right people at the right time. We will therefore keep working to maintain an environment in which information is shared in a manner that is responsible, seamless, and secure."
President Barack Obama, National Strategy for Information Sharing and Safeguarding

PRINCIPLES

Three foundational principles form the basis of our cyber vision.

Information is a Departmental asset

The ability to share information continues to reach unprecedented levels. Recognizing that information technology is the true enabler of our mission, we view all information as a Departmental asset that must be discoverable and retrievable, consistent with necessary legal restrictions and guided by government-wide policies, standards, and management frameworks.

Effective information sharing and safeguarding requires a distributed, standards-based risk management approach

The Department will adopt enterprise risk management best practices, including a mature governance structure, integrated management coordination, and performance measurement. Our distributed, standards-based risk management approach allows Departmental elements to maintain decision-making authority based on widely accepted Federal and commercial standards while also providing a flexible approach to enterprise-wide transparency and accountability.

Public trust is critical to mission success

Transparency and consistency in the Department's privacy and civil liberties protection efforts are critical to maintaining the public trust. As a result, we continue to incorporate the technical, legal, and policy controls necessary to protect sensitive information in accordance with the law. By building protections into the development of information sharing and safeguarding efforts, we will ensure consistent application of privacy and civil liberties protections across the enterprise.

STRATEGIC GOALS AND OBJECTIVES

Strategic Goal 1: Share Enterprise Information More Effectively with Authorized Users

Effective information sharing unlocks data silos, spurs innovation, and improves the quality of services we can offer to the American people. DOE is committed to meeting the informational needs of stakeholders.

"Our national security relies on our ability to share the right information with the right people at the right time. As the world becomes an increasingly networked place, addressing the challenges to national security—foreign and domestic—requires sustained collaboration and responsible information sharing. The imperative to secure and protect the American public is a partnership shared at all levels, including Federal, state, local, tribal, and territorial."
National Strategy for Information Sharing and Safeguarding

Objective 1.1: Improve information sharing to support the mission

The Department will provide stakeholders with discoverable, high-quality information when and where they need it, with an emphasis on four key topics:
• Information Availability: Enable discovery and appropriate access to information
• Architecture: Design and implement modern, standards-based information technology and data architectures
• Collaboration: Facilitate a culture of communication and collaboration
• Information Technology Enhancement: Provide innovative solutions and enhance existing technologies

Objective 1.2: Adopt information management policies, guidance, and best practices

We will transform the value of data by investing in cyber best practices and tools, standardizing existing sharing agreements, and providing the necessary frameworks, terms, and conditions, such as:
• National Information Exchange Model
• Cybersecurity Information Exchange Framework
• Structured Threat Information Expression
• Trusted Automated Exchange of Indicator Information
• Systems Engineering Body of Knowledge

Objective 1.3: Apply privacy and civil liberties protections to information sharing operations

DOE will continue to strengthen privacy and civil liberties protections through policy, records management, process controls, and data collection governance for storing, disseminating, and safeguarding information. Specifically, DOE will:
• Enhance access management processes consistent with laws, regulations, and national security interests
• Continue to apply legal and policy controls for collecting, processing, storing, using, sharing, and protecting information

Strategic Goal 2: Safeguard Enterprise Information against Cyber Threats

Protection of the Department's mission-critical information resources—both information and information technology—is our top priority. DOE continues to implement safeguarding solutions through continuous network monitoring, workforce communications and training, and advanced methods to identify, report, and mitigate insider threats and external intrusions. Information safeguarding demands continuous vigilance to detect and defend against adversaries.

"Both state and non-state actors are well financed and highly motivated in persistently attempting to breach both government and non-government systems… These attempts are not going away. They will continue to accelerate on two dimensions: first, the attacks will continue to become more sophisticated, and secondly, as we remediate and strengthen our own practices, our detection capabilities will improve. That means that we have to be as nimble, as aggressive, and as well resourced as those who are trying to break into our systems."
Tony Scott, U.S. CIO

Objective 2.1: Use threat-informed cyber intelligence to manage risk

The Department is committed to implementing a distributed, standards-based risk management approach that uses threat-informed cyber intelligence to assess risk tolerance, categorize system readiness, and select associated controls. We will leverage established guidelines, including the Cybersecurity Capability Maturity Model, Cyber Security Evaluation Tool, and Electricity Subsector Cybersecurity Risk Management Process, to provide the common standards and reference points necessary to assess enterprise-wide capabilities and risks.

Objective 2.2: Develop and implement appropriate enterprise controls to reduce risk and become more resilient

DOE will minimize security risks by increasing the use of strong authentication controls on privileged access, audit assessments, and Identity, Credential, and Access Management processes, by using a trusted framework and common identity infrastructure. Additionally, the Department will implement a standardized reporting mechanism and provide the workforce communications and training programs on security policies and procedures, rules of behavior, and user awareness.

As a long-standing participant in the Cybersecurity Cross-Agency Priority (CAP) Goal Program, DOE will continue to integrate Federal priority cybersecurity capabilities, including continuous diagnostics and mitigation and Trusted Internet Connections.

Objective 2.3: Develop tools and processes to accelerate notification of cybersecurity threats

In response to increasingly complex cyber threats, we must develop the tools necessary to accelerate threat detection across the Energy Enterprise. Such tools will contribute to the advancement of the Cybersecurity Risk Information Sharing Program (CRISP), a public-private partnership that provides critical infrastructure operators with the ability to share cyber threat data and analytics and receive machine-to-machine mitigation measures in real time. The Department's ongoing collaboration with Information Sharing and Analysis Centers, such as the Electricity Information Sharing and Analysis Center, will continue to advance situational awareness, incident management, and communications capabilities.

Objective 2.4: Rapid analysis of and response to anomalies or suspected events

To successfully deter and defend against cyber threats, the Department must be equipped to accurately detect hostile events. In collaboration with Federal and industry partners, DOE will develop cutting-edge cybersecurity solutions to strengthen and coordinate incident response capabilities, share resources, and provide situational awareness.

To combat advanced threats, the Department will implement a cybersecurity Incident Management Program (IMP) equipped with analytical, forensics, and response tactics. The IMP will include automated tools to streamline information technology security, improve incident management capabilities, and deliver training to frontline operators. This program will foster collaboration with industry partners, state, local, and tribal governments, as well as Federal agencies—offering a comprehensive approach to incident management and response.

Objective 2.5: Develop and implement an incident triage, response, and recovery process to contain and eliminate cyber threats

The Department will minimize the impact of cyber incidents by expanding continuity of operations, reducing recovery time, increasing resilience, and providing continued mission operations to our stakeholders.

Strategic Goal 3: Win the Competition for Cyber Talent

Cyber professionals are in high demand. It is imperative that we attract and retain an elite workforce in science, technology, engineering, and mathematics if the Energy Enterprise is to overcome rapidly evolving cyber challenges. To address this need, we will modernize the mechanisms by which the Department recruits, shapes, and retains a diverse and highly capable cyber workforce.

"A high-performance organization needs a workforce with talent, multidisciplinary knowledge, and up-to-date skills in order to achieve its mission. To recruit such a workforce for cybersecurity, agencies should develop recruiting and hiring efforts that are tailored to address gaps in the number, skills, and competencies of their cybersecurity workforce. They should establish an active recruiting program with involvement from senior leaders and line managers and make use of strategies such as outreach to colleges, universities, and internships."
GAO, Cyber Security Human Capital

Objective 3.1: Recruit a robust cyber workforce

In an increasingly competitive environment, it is crucial that the Department prioritize recruitment of leading talent by employing a range of incentives, including:
• Internships
• Cyber-based competitions
• Student loan repayment programs
• Cross-agency exchanges
• Executive loan programs

Establishing an enterprise-wide baseline will allow us to measure our recruitment efforts, identify mission needs, and anticipate future personnel requirements. These and other efforts will attract quality talent to DOE and nurture a sustainable, diverse workforce.

Objective 3.2: Develop cyber personnel

We will cultivate a highly capable cyber workforce by providing advanced training programs and professional development opportunities, including cross-agency personnel exchanges, exchanges with private industry, and fellowships with leading academic institutions.

Objective 3.3: Retain cyber talent

Our deeply committed cyber workforce is afforded the unique opportunity to make a large-scale impact on the Department's critically important mission. We will continue to recognize our outstanding performers and encourage innovation. The Department will strengthen professional development processes, including succession planning, to facilitate employees' transition into leadership roles.

Strategic Goal 4: Mature and Strengthen the Department's Cyber Posture

We will strengthen Department and national missions through crosscutting initiatives that leverage the science, technology, and engineering capabilities in program offices and the DOE national laboratories. The Department will continue to collaborate with other agencies, industry, the national laboratories, and academia to advance its missions and to foster technological innovation and technology transfer.

"Our governance mechanisms must be modernized, streamlined, and strengthened to meet the Department's needs in a rapidly changing global environment. Additionally, we must evolve how the Department engages with federal, state, local, tribal, and territorial governments, the private sector, international partners, and academic institutions."
Secretary Ernest Moniz, DOE Strategic Plan 2014-2018

Objective 4.1: Enhance and inform decision-making using streamlined, inclusive, and transparent governance across the enterprise

Recent Federal data breaches highlight the importance of effective governance. As we integrate the cyber expertise of Departmental elements, we will build a streamlined, inclusive, and transparent governance structure and eliminate organizational silos. To mature and strengthen the Energy Enterprise, the DOE Cyber Council is dedicated to improving the Department's cyber posture in conjunction with the Information Management Governance Board, which ensures situational awareness, strategic allocation of resources, and collaboration across the enterprise. This governance structure will:
• Ensure first-class membership of representatives from across the enterprise
• Implement enterprise-wide initiatives that bolster defense capabilities and coordinate responses to cyber threats
• Implement the Federal Information Technology Acquisition Reform Act to enhance DOE enterprise transparency
• Assess cyber posture to identify gaps and determine effective solutions for information resources management and cyber best practices across the enterprise

Objective 4.2: Advance the science of cyber to transform the Energy Enterprise

To remain relevant in a rapidly evolving cyber environment, the Department will advance the science of cyber by investing in innovative technologies. As stewards of the public funds entrusted to us, it is our responsibility to establish clear goals and continually evaluate our progress.

Invest in cyber information sharing development:
• Mission-focused enterprise information architecture
• Network services to enable full enterprise visibility and coordination
• Secure enterprise information discovery capabilities
• Robust information access controls
• Enterprise unified data architecture and analytics platform and associated shared services

Invest in cyber information safeguarding development:
• Information safeguarding architecture and solutions, to include management and protection of high value assets
• Stewardship of key science, technology, and engineering capabilities
• Funding for the Cyber Sciences Laboratory
• Integrated cyber operations coordination, incident response, and intelligence through a single integrated Joint Cybersecurity Coordination Center (JC3)
• Advanced analytics, forensic, and incident response capabilities
• Enterprise licensing of leading cyber defense capabilities

Objective 4.3: Foster interagency, public-private, and international partnerships to strengthen the Energy Enterprise

The Department's future success relies in part on preserving and strengthening partnerships that foster innovative technologies and sharing of best practices. In accordance with the DOE Information Resources Management Strategic Plan, the Department will:
• Collaborate with international partners to capitalize on foreign investments and advancements in cyber
• Collaborate with private sector partners to commercialize new ideas in cybersecurity
• Develop and implement government-wide information and information technology policies and standards
• Engage external partners such as the National Cybersecurity and Communications Integration Center (NCCIC) to identify and adopt innovative technologies and best practices
• Develop knowledge management networks to share cyber expertise

Objective 4.4: Measure enterprise cyber mission performance to inform decision-making, communicate value, and ensure accountability

The DOE governance structure will apply consistent performance measurements that enable accountability, informed decision making, and continuous improvement. As the Department administers the DOE Cyber Strategy Implementation Plan, governance bodies will document and publish progress updates.

THE WAY FORWARD

As part of the Department's commitment to serve the nation as a leader in cyber, we will fulfill our mission to protect critical infrastructure and sensitive information while safeguarding privacy and civil liberties.

Implementation Guidance

In alignment with the United States Chief Information Officer's 30-day Cyber Sprint Initiatives and the U.S. Cyber Strategy and Implementation Plan, the DOE Cyber Strategy demonstrates the government's commitment to collaboratively protect Federal information resources and improve the resilience of Federal networks. The DOE Cyber Strategy Implementation Plan will:
• Guide, measure, and track progress
• Prioritize initiatives and future needs
• Define desired outcomes
• Establish unity of effort, enhance transparency and accountability

Performance Management Guidance

In compliance with Federal law, DOE will implement a performance management program that assesses accomplishments, facilitates decision-making, holds leaders accountable, and demonstrates progress towards achievement of the Department's cyber vision.

APPENDIX - APPLICABLE MANDATES

The DOE Cyber Strategy incorporates more than 30 guiding documents, including Federal mandates and directives to strengthen information sharing and safeguarding. The core list of documents is as follows:
• 2012-2016 NNSA Implementation Plan
• 2015 Report on Configuration Management at the National Laboratories and Plants
• 25 Point Implementation Plan to Reform Federal IT Management
• Cybersecurity Risk Information Sharing Program
• Department of Energy Information Resources Management Strategic Plan FY2014-2018
• Department of Energy Laboratories Leadership in Green IT
• Department of Energy National Laboratories and Plants Leadership in Cloud Computing
• Department of Energy Office of Electricity Delivery and Energy Reliability, Energy Sector Cybersecurity Framework Implementation Guidance
• Department of Energy Office of the Chief Information Officer Strategic Focus Points
• Department of Energy Office of the Chief Information Officer Enterprise Roadmap
• Department of Energy Office of the Chief Information Officer FY2013 Human Capital Management
• Department of Energy Office of the Chief Information Officer 120-Day IT Service Delivery Study
• Department of Energy Strategic Plan 2011
• Department of Energy Strategic Plan Update 2012
• Department of Energy Strategic Plan 2014-2018
• Department of Energy Information Technology Modernization Strategy
• Department of Homeland Security Information Sharing and Safeguarding Strategy
• Digital Government Strategy Report for the Department of Energy
• Digital Government: Building a 21st Century Platform to Better Serve the American People
• Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
• FY2012-2017 Department of Energy Office of the Chief Information Officer Strategic Plan
• Government Accountability Office Report to Congressional Requesters, Federal Chief Information Officers: Reporting to OMB Can Be Improved by Further Streamlining and Better Focusing on Priorities
• H.R. 1232, Federal Information Technology Acquisition Reform Act
• M-16-03, Office of Management and Budget, FY2015-2016 Guidance on Federal Information Security and Privacy Management Requirements
• M-16-04, Office of Management and Budget, Cybersecurity Strategy and Implementation Plan for Federal Civilian Government
• Management and Oversight of Federal Information Technology, Office of Management and Budget Memorandum for Heads of Executive Departments and Agencies, 2015
• National Information Exchange Model
• National Institute of Standards and Technology
• National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
• Office of the Director of National Intelligence Strategic Intent for Information Sharing
• Office of Management and Budget Circular A-130, Management of Federal Information Resources