Office of the Chief Information Officer (2020 Presidential transition)
Book 3 - Organization Overview | Entire 2020 DOE Transition book, as of October 2020
The Office of the Chief Information Officer (OCIO) delivers value and innovation to enable and secure the mission
The CIO provides Information Technology (IT) services to most federal employees and support contractors at DOE. The office is responsible for securing and responding to cyber security threats to DOE’s IT and Control Systems (CS). The office provides oversight of the Department’s $3.1 Billion IT portfolio, and develops IT and cyber security policy for the Department.
Mission Statement
The mission of the OCIO is to help the Department securely carry out its mission.
Budget
| Fiscal Year | Budget |
|---|---|
| FY 2019 enacted | $131,624,000 |
| FY 2020 enacted | $140,200,000 |
| FY 2021 request | $134,800,000 |
Human Resources
FY 2020 authorized full-time equivalents (FTEs): 124
History
OCIO, formerly known as the Office of Information Management (IM), has been led by a CIO since 2002. In 2017, the CIO was designated as a direct report to the Secretary and Deputy Secretary, satisfying a key requirement of the Federal Information Technology Acquisition Reform Act (FITARA) of 2014. Current CIO Rocky Campione assumed his role in July 2019.
Functions
- Implements and provides policy direction consistent with the Federal Information Security Modernization Act (FISMA) of 2014. The head of each agency is responsible for the operation and security of operating information technology (IT) systems, which is delegated through the CIO for implementation.
- Sets the strategic direction to protect and modernize DOE’s information technology, information resources, data, and cybersecurity systems across the Department, and represents the Department in engagements with internal and external cyber stakeholders, including senior DOE officials, White House officials, interagency partners, international colleagues, congressional members, and private sector associates.
- Manages IT budget-related oversight of DOE’s strategic $3.1B IT investment portfolio, as directed in the FITARA. Coordinates IT budget formulation and IT budget crosscut development of DOE-wide IT and cyber budgets in collaboration with the Office of the Chief Financial Officer.
- Coordinates IT governance across the federated environment through the Cyber Council (Chaired by the Deputy Secretary), the Information Management Governance Board (IMGB) (Chaired by the CIO), and Enterprise Architecture Governance Board (EAGB) (Chaired by the Principal Deputy CIO).
- Operates the integrated Joint Cybersecurity Coordination Center (iJC3) to provide 24/7 full spectrum cyber incident coordination and response to enable DOE mission essential functions. Ensures operational visibility to cybersecurity sensors across the Department and 53 operational sites.
- Leads cybersecurity operations, strategy, policy, authorization, and assessment efforts required to develop and maintain an agency-wide cyber and information security program consistent with FISMA, Office of Management and Budget (OMB) Memoranda, National Institute of Standards and Technology (NIST) Guidance, and Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) requirements.
- Coordinates the development and dissemination of cybersecurity threat information with the Office of Intelligence and Counterintelligence (IN).
- The CIO serves as the Senior Agency Official for Privacy (SAOP) to implement: a federal privacy program to conduct and publish DOE Privacy Impact Assessments (PIAs) ensuring public transparency of internet facing websites; the management and approval of Privacy Act System of Records Notices (SORNs), which provide the required public notice when DOE collects, uses, maintains, or disseminates information about U.S. persons in an identifiable form; and the Social Security Number (SSN) reduction program. The OCIO also coordinates responses to privacy breaches.
- The CIO serves as the DOE Senior Agency Official for Records Management (SAORM), the official recognized by the National Archives and Records Administration as having primary responsibility for the Agency’s compliance with all records management laws, guidelines, and standards. Manages the Department’s records management program, and reduces risk through modernized paperless business processes, the application of technology, and site assistance.
- Provides enterprise IT services such as commodity IT, telecommunications, networking services including the DOEnet corporate network, and secure Internet Service Provider service in compliance with the DHS Trusted Internet Connection (TIC) policy; data center infrastructure and cloud migration services for application hosting in virtual cloud data center environments; and service desk services through the Energy IT Services (EITS) team to multiple program offices. Manages the Section 508 Accessibility program and provides guidance in support of making websites and other IT interfaces across the Department accessible to people with disabilities.
Recent Organization Accomplishments
Maximum Telework Enablement (MTE)
Coordinated the Department’s move to maximum telework, and directly supported MTE for approximately 10,000 customers. This has allowed DOE to continue to function during maximum telework.
Big Data Platform (BDP)
Launched the BDP in FY 2019. This integrates cybersecurity sensor data across the Department to provide timely access to data for identifying and responding to cyber threats.
Capstone Implementation
Implemented the National Archives and Records Administration’s (NARA) “Capstone” approach for the electronic management of email records. All senior officials, also known as High Level Officials (HLO), now have their email held as a permanent record. We are implementing a 7-year temporary records retention for remaining email accounts within the Department.
Enterprise Anti-Phishing Efforts
Upgraded the enterprise-wide anti-phishing security awareness training and simulated phishing platform tool, providing enhanced capabilities for sites to conduct simulated phishing exercises. These anti-phishing efforts have helped make DOE’s phish-prone percentage (10%) significantly lower than that of other, similarly-sized government and industry organizations (26%).
Enterprise Cybersecurity Risk Management
Implemented several new initiatives, including the establishment of an enterprise Supply Chain Risk Management (eSCRM) program to identify and understand potential risks associated with the use of third-party vendors; a Crowdsourced Penetration Testing program to provide on-demand, scalable testing capabilities that improve detection and remediation of operational cyber vulnerabilities across the enterprise; and risk assessments using quantified risk estimation methods to help cyber professionals across the enterprise build defensible investment strategies.
DOE Order 205.1C (Cybersecurity) Implementation
Implemented DOE Order 205.1C, DOE Cyber Security Program. Released amplification guidance focused on improving the Department’s maturity around Enterprise Cybersecurity Program Planning, Risk Management Methodology, and FISMA Inventory Methodology to assist programs with policy implementation tailored to their mission needs. This is scheduled to be updated in FY21.
Vulnerability Disclosure Program (VDP)
In response to the draft DHS Cybersecurity & Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 20-01, Develop and Publish a Vulnerability Disclosure Policy, the OCIO began development of a Vulnerability Disclosure Policy to be implemented across DOE. The VDP establishes a formal mechanism for the DOE to receive, triage, and mitigate vulnerabilities on internet facing systems reported by third parties.
Leadership Challenges
- Ensuring federal oversight in a highly federated environment with a mix of Management and Operating (M&O) and federal resources. Ensuring that mission, operations, and research speak with one voice and move collectively, particularly in cybersecurity funding requests and priorities. Existing M&O/contractor resources have inconsistent contract language and program oversight.
- Developing and implementing a Control System (CS) strategy for the protection of critical infrastructure due to increased threats to critical infrastructure.
- The Department maintains a large collection of control system devices (e.g. SCADA, ICS, OT) which until recently was overlooked under existing FISMA, OMB, DHS, and NIST guidance.
- Gaining visibility into the multiple federal IT systems (as distinct from M&O contractor systems) that run outside of the OCIO.
- Transitioning the Department into a 100% electronic records management environment, including fully enabling digital signatures.
- Clarifying operational policy and oversight for classified network operations between DOE and federal partners.
Critical Events and Action Items
5G Catalogue
OCIO is developing a first-ever Department-wide catalogue of 5G capabilities that will be provided to the White House and the interagency in response to the Implementation Plan Framework for the National Strategy to Secure 5G. The catalogue highlights DOE leadership on 5G, presents a unified snapshot of current 5G capabilities, and invites the interagency to fund and collaborate with the National Labs’ 5G efforts.
Budget, FY22/23
OCIO will continue developing and determining budget needs, requirements, and challenges to be reflected in the FY 2022 and FY 2023 budget requests/submissions. OCIO will also collaborate with the Office of the Chief Financial Officer and Departmental Elements to ensure funding for IT priorities such as modernization, cybersecurity, and privacy are reflected in DOE’s budget request.
ICS Hackathon
OCIO will host a new International ICS Hackathon (team-based penetration testing) in partnership with the National Security Council (NSC), bringing together DOE National Laboratory/Power Marketing Administration (PMA) experts, ICS vendors, industry experts, and international partners. [1]
Organizational Chart
References
- ↑ DOE. (2021). Transitions 2020: Organizational Overviews. US Department of Energy.