Summary of Order
The purpose of DOE O 206.2 Chg 2 (LtdChg), Identity, Credential, and Access Management (ICAM), is to establish baseline requirements that foster the efficient and effective use of identity management systems.
LBNL Implementation
| Clause | Requirement | Implementation | Status |
|---|---|---|---|
| 1.a | DOE facilities and DOE information systems must meet the requirements of Office of Management and Budget (OMB) M-19-17, which requires that agency implementations align with the Federal Chief Information Officers Council's Federal Identity Credential Access Management (FICAM) Roadmap and Implementation Guidance and the FICAM Architecture and Continuous Diagnostics and Mitigation (CDM). PIV credentials (where applicable in accordance with OPM requirements) are DOE's primary means of identification and authentication to Federal information systems and Federally controlled facilities and secured areas by Federal employees and contractors. | Berkeley Lab operates as an unclassified facility and, consistent with DOE's approach, does not broadly require HSPD-12 credentials. For the limited number of cleared employees or those serving headquarters (fewer than 50 staff), DOE HQ handles the issuance of HSPD-12 credentials, and Berkeley Lab's detailed Multifactor Authentication Implementation Approach (MFAIA) is available upon request. The implementation plans for DOE O 473.1A Physical Protection Program and DOE O 472.2A Personnel Security address the requirements for an HSPD-12 program; these plans are scheduled for completion in 2032. Under these plans, all eligible LBNL staff members will be required to obtain an HSPD-12 credential by 2032; however, logical access to Berkeley Lab systems will not require an HSPD-12 credential. | |
| 1.b | HSPD-12 Credentials. HSPD-12 Credentials are the Federal identification credentials that are compliant with National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, dated 8-2013, or its successor. Contractor employees requiring an HSPD-12 Credential are subject to Personal Identity Verification (PIV) by DOE. | | |
| 1.b.1.a | Local implementation of the requirements under the DOE authorization to issue PIV credentials using the DOE provider, USAccess, may be performed by an M&O contractor. | | |
| 1.b.1.b | An M&O contractor may serve as the sponsor for M&O staff and subcontractors for a PIV credential. | | |
| 1.b.2 | HSPD-12 Credentials must be issued to all Federal employees and contractor employees who require long-term (greater than six months) physical access to DOE facilities or information systems. | | |
| 1.b.3 | Issuance of HSPD-12 Credentials to DOE employees or contractor employees who are employed or providing services for less than 6 months is at the discretion of the Lead Program Secretarial Officer (LPSO) and based on a risk analysis. | | |
| 1.c | Identity. Contractors may participate in the enterprise identity management service (EIMS) and should determine participation based on business value and risks. If participating, contractors must: | Optional. Berkeley Lab participates in DOE’s OneID. | ✓ |
| 1.c.1 | Identify their authoritative data sources to the DOE registry of authoritative data sources; and | | |
| 1.c.2 | Make available identity information from authoritative data sources to the EIMS. | | |
| 1.d | Electronic Transactions with DOE. When DOE requires digital signatures or encryption, contractors must enable the use of Public Key Infrastructure (PKI) certificates. | When required by DOE for certain transactions, Berkeley Lab uses DOE’s PKI system, Entrust. | ✓ |
| 1.d.1 | The PKI must comply with the current X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework. | | |
| 1.d.2 | Contractors should use the PKI certificates that are on the HSPD-12 Credential, when practical. | | |
| 2 | DOE INFORMATION SYSTEMS. When operating a DOE information system as defined in this Order, the contractor must meet the following requirements. | The Berkeley Lab CIO is responsible for determining whether a system meets the definition of a DOE Information System. Berkeley Lab does not have systems meeting this definition, i.e., systems whose primary purpose is to accomplish a Federal function. | ✓ |
| 2.a | General. DOE information systems must meet the requirements of Office of Management and Budget (OMB) M-19-17, which requires that agency implementations align with the Federal Chief Information Officers Council’s Federal Identity Credential Access Management (FICAM) Roadmap and Implementation Guidance, and the FICAM Architecture and Continuous Diagnostics and Mitigation (CDM). | N/A | |
| 2.b.1 | DOE information systems must ensure that the credential used for authentication meets the minimum level of assurance (LOA) requirements, which are determined by conducting an electronic authentication risk assessment per OMB M-04-04 in conjunction with a FIPS 199 assessment. | N/A | |
| 2.b.1.a | New systems must accept the following credentials if presented by the user and the credential meets or exceeds the LOA of the system: (1) an HSPD-12 Credential for DOE employees and contractor employees who possess an HSPD-12 Credential as required by this Order; (2) an HSPD-12 Credential for Federal employees and contractor employees from other government agencies; (3) a Personal Identity Verification Interoperability (PIV-I) credential; and (4) a federated identity credential from an identity provider certified under the Trust Framework Provider Adoption Process (TFPAP). | N/A | |
| 2.b.1.b | Existing DOE information systems must be upgraded to accept the credentials in 2b(1)(a), as appropriate, using the Risk Management Approach per DOE O 205.1, Department of Energy Cyber Security Program, current version. | Not a requirement, as LBNL does not manage any DOE information systems. | |
| 2.b.2 | DOE information system owners may issue and manage credentials for authentication ONLY when: | N/A | |
| 2.b.2.a | The individual does not possess or have access to one of the credentials in 2b(1)(a); or | N/A | |
| 2.b.2.b | The DOE information system requires individuals to authenticate with a credential in addition to the credentials in 2b(1)(a). | N/A | |
| 3.a | Access control decisions are based on risk management principles as required by the current versions of DOE O 473.1, Physical Protection Program, and DOE O 470.4, Safeguards and Security Program. | Not a requirement. | |
| 3.b | Contractors must recognize the following credentials as an acceptable credential for verifying a person’s identity as part of the site’s physical access procedure: | Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV. | ✓ |
| 3.b.1 | An HSPD-12 Credential for DOE employees and contractor employees; | Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV. | ✓ |
| 3.b.2 | An HSPD-12 Credential for Federal employees and contractor employees from other government agencies; and | Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV. | ✓ |
| 3.b.3 | A PIV-I credential. | Standard practice. Site access accepts a wide range of credentials, including HSPD-12 and PIV. | ✓ |
| 3.c | Automated access control systems should obtain authoritative data for DOE employees and contractor employees external to the site from the EIMS offered by DOE. | Optional. Berkeley Lab has a very limited set of areas with restricted access. External employees do not gain access to these areas unaccompanied. Therefore, there are no business drivers to automate access for external groups. | ✓ |
| 3.d | DOE O 473.1, current version, contains the requirements for access control systems. | Not a requirement. | |