The purpose of this Order is to set forth requirements and responsibilities for a Departmental Cyber Security Program (CSP) that protects information and information systems for the Department of Energy (DOE). The CSP requires a Risk Management Approach (RMA) that includes: analysis of threats and risks; risk-based decisions that weigh security, cost and mission effectiveness; and implementation consistent with guidelines from the National Institute of Standards and Technology (NIST) and with the cyber requirements, processes and protections of the Committee on National Security Systems (CNSS). DOE oversight is conducted through Assurance Systems that monitor the risk evaluation and protection processes at each level of the organization.
The DOE CSP emphasizes risk management rather than a systems-level "controls compliance" approach. Through the RMA, the Department effectively and efficiently meets its obligations under the Federal Information Security Management Act of 2002 (FISMA) in a manner that improves, rather than impedes, the fulfillment of the Department's statutory missions.