ML18026A973
| Person / Time | |
|---|---|
| Issue date: | 01/29/2018 |
| From: | David Nelson NRC/OCIO |
| To: | Baker B NRC/OIG/AIGA |
| Contact: | Allen K. Sullivan, (240) 415-8950 |
| References: | OEDO-16-00722-OCIO, OIG-16-A-18 |
January 29, 2018
MEMORANDUM TO: Dr. Brett M. Baker, Assistant Inspector General for Audits, Office of the Inspector General
FROM: David J. Nelson /RA/, Chief Information Officer, Office of the Chief Information Officer
SUBJECT: STATUS OF RECOMMENDATIONS: CYBER SECURITY ACT OF 2015 FOR THE NUCLEAR REGULATORY COMMISSION (OIG-16-A-18)
This memorandum responds to the memorandum, dated October 26, 2016, from the Office of the Inspector General (OIG) to the Executive Director for Operations regarding OIG Report (OIG-16-A-18), Cyber Security Act of 2015 for NRC. Enclosed, please find the status update to recommendation 1 of the subject report. Recommendation 2 was closed previously.
Enclosure: Status of Recommendations to OIG-16-A-18
CONTACT: Allen K. Sullivan, OCIO/GEMSD, (240) 415-8950
ML18026A973 (memo); ML16305A111 (pkg)
* via e-mail
| OFFICE | OCIO/GEMSD | OCIO/GEMSD | OCIO/GEMSD | OCIO |
|---|---|---|---|---|
| NAME | BC: ASullivan* | DD: JFeibus* | D: JMoses | D: DNelson* |
| DATE | 01/26/2018 | 01/26/2018 | 01/26/2018 | 01/29/2018 |
Audit Report
CYBER SECURITY ACT OF 2015 FOR NRC
OIG-16-A-18
Status of Recommendations
Enclosure
Recommendation 1:
Clarify agencywide policies and procedures over national security information systems and assign responsibility for implementing these policies and procedures.
Agency Response Dated September 7, 2016:
Agree. Agencywide policies and procedures over national security information systems are outlined and defined in NRC Management Directive (MD) 12.5, NRC Cybersecurity Program, dated October 5, 2015. This MD provides the direction for securing information systems using the Committee on National Security Systems (CNSS) issuances. The CNSS is the intergovernmental organization that sets the policies, instructions, and directives for securing national security information systems. MD 12.2, NRC Classified Information Security Program, will be updated to reference MD 12.5 for all classified information processing.
The NRC will issue a Yellow Announcement to convey a policy reminder that prior to any use of an electronic system for storing, transmitting, or processing classified information, that system must have an authority to operate in accordance with MD 12.5.
Target Completion Date: January 31, 2018
Agency Response Dated January 26, 2018:
Agencywide policies and procedures over national security information systems are outlined and defined in NRC Management Directive (MD) 12.5, NRC Cybersecurity Program, revised on November 2, 2017. Management Directive (MD) 12.5, NRC Cybersecurity Program, is revised to incorporate Controlled Unclassified Information (CUI), reflect current Federal laws and direction, align cybersecurity roles with National Institute of Standards and Technology guidance, and reflect recent NRC organizational changes. MD 12.5 states the Office of Nuclear Security and Incident Response (NSIR) ensures security, operation, and maintenance of NRC's classified computing capability, and acts as owner of all classified information systems at the NRC.
Additionally, on September 20, 2016, the NRC issued Yellow Announcement YA-16-0105 (ADAMS Accession Number ML16263A296), Change to NRC Policy for Classified Information Processing, to notify all employees that the processing, storage, and transmission of classified information (National Security Information, Restricted Data, and Formerly Restricted Data) must only take place on equipment that is part of the U.S. Nuclear Regulatory Commission (NRC) classified information systems for which NSIR is assuming technical responsibility.
MD 12.2, NRC Classified Information Security Program, is scheduled to be updated by calendar year 2020, at which time the guidance provided in the Yellow Announcement will be incorporated into the management directive.
The NRC requests that the recommendation be closed.
Target Completion Date: Completed