ML18113A143

OIG-17-A-07-Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission's Foreign Assignee Program, Dated April 23, 2018
ML18113A143
Person / Time
Issue date: 04/23/2018
From: Baker B
NRC/OIG/AIGA
To: Mccree V
NRC/EDO
References
OIG-17-A-07

Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

April 23, 2018

MEMORANDUM TO: Victor M. McCree
Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/
Assistant Inspector General for Audits

SUBJECT: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S FOREIGN ASSIGNEE PROGRAM (OIG-17-A-07)

REFERENCE: DIRECTOR, OFFICE OF INTERNATIONAL PROGRAMS, MEMORANDUM DATED MARCH 30, 2018

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated March 30, 2018.

Based on this response, recommendation 1 is closed and recommendations 2 and 3 remain resolved. Please provide an updated status of the resolved recommendations by March 4, 2019.

If you have any questions or concerns, please call me at (301) 415-5915, or Beth Serepca, Team Leader at (301) 415-5911.

Attachment: As stated

cc: R. Lewis, OEDO
H. Rasouli, OEDO
J. Jolicoeur, OEDO
J. Bowen, OEDO
EDO_ACS Distribution

Audit Report

AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S FOREIGN ASSIGNEE PROGRAM

OIG-17-A-07

Status of Recommendations

Recommendation 1: Develop a procedural document describing a consistent process for security planning, and for inviting, onboarding, and supervising foreign assignees to support information protection.

Agency Response Dated March 30, 2018: Staff developed a procedural document describing a consistent process for security planning, and for inviting, onboarding, and supervising foreign assignees to support information protection. Enclosed is the updated Desk Guide for Supervisors of Foreign Assignees. The desk guide has been revised to provide NRC personnel with an overview of the Foreign Assignee Program, and a clear understanding of individual roles and responsibilities of NRC staff. In addition, a new section has been added to the desk guide to highlight the importance of protecting NRC information, to ensure the host supervisor and NRC staff who interact with a foreign assignee are aware of their responsibilities to see that the foreign assignee complies with his/her security plan.

Additional resource and contact information is also provided.

Staff believes this action resolves Recommendation 1.

OIG Analysis: OIG reviewed the enclosed updated desk guide and determined that it identifies procedures for a consistent process in security planning, and for inviting, onboarding, and supervising foreign assignees to support information protection. This recommendation is therefore considered closed.

Status: Closed.

Recommendation 2: Develop a secure, cost-efficient method to provide foreign assignees an email account which allows for NRC detection and mitigation of inadvertent transmission of sensitive information and seek Commission approval to implement it.

Agency Response Dated March 30, 2018: The NRC Staff was tasked to provide a notation vote paper for the Commission's consideration outlining any proposed changes to the foreign assignee program and the implications associated with such changes, per the SRM COMSY15-0021.

The Foreign Assignee Working Group (FAWG) initiated a process to benchmark other Federal agencies' practices with respect to foreign assignees and provided a paper summarizing the results in July 2016, SECY-16-0089. That paper identified the potential for future enhancements through providing foreign assignees with NRC e-mail addresses and Webmail access. This would facilitate electronic communications and calendar scheduling activities. In addition, it would present an opportunity for the NRC to monitor foreign assignees' e-mail communication, as is the practice with all NRC government e-mail addresses. In addition to reducing risk, providing foreign assignees with NRC e-mail accounts and Webmail access could benefit staff and foreign assignees by facilitating more appropriate electronic communication and better integrating foreign assignees into the NRC work environment. However, the paper also identified that the NRC would pay a high cost to execute a new task order with the Dell enterprise contract in effect given that the contract was near expiration. Therefore, the proposal was deferred until the Global Infrastructure and Development Acquisition (GLINDA) contract was in place.

In January 2017, the NRC announced its intent to award several GSA Federal Supply Schedule (FSS) Blanket Purchase Agreements (BPAs) for the NRC's GLINDA multiple acquisition. However, before the NRC could award those BPAs, several unsuccessful offerors protested the award decisions to the General Accountability Office (GAO).

In accordance with the Competition in Contracting Act of 1984 (CICA), award and subsequent utilization of the new BPAs were subject to a mandatory suspension until GAO resolved the protests on May 19, 2017. The multiple month protest period caused a significant delay in NRC's transition of contract services to the GLINDA BPAs and other contract vehicles. There are a number of critical information technology infrastructure enhancements which are planned, including transition to Office 365. The initial due date was set with the expectation that an estimate of cost would be available as soon as the contract was awarded, and paper writing could begin immediately. However, the Office of the Chief Information Officer (OCIO) had identified that a number of these infrastructure enhancements must be completed before the cost estimate is requested.

The protest delayed NRC's overall transition to GLINDA and additional information technology enhancements need to be completed. The new BPA is not expected to be in place until the fourth quarter of FY 2018. Once in place, the staff will need to work with the contractor to develop options and then incorporate those into a Commission vote paper. The recommendations in OIG-17-A-07 will be considered in development of the paper.

Target Completion Date: February 28, 2019

OIG Analysis: The proposed action meets the intent of the recommendation. This recommendation will be closed when OIG reviews the Commission Paper seeking approval and resources for a secure, cost-efficient method to provide foreign assignees an email account that allows for detection and mitigation of inadvertent transmission of sensitive information.

Status: Resolved.

Recommendation 3: When an NRC approved email account is available, develop specific Computer Security Rules of Behavior for foreign assignees using the approved email.

Agency Response Dated March 30, 2018: Agree. Staff will develop Computer Security Rules of Behavior for foreign assignees, subject to Commission approval of staff's proposed approach for responding to Recommendation 2.

Target Completion Date: Staff will complete this action within 6 months following Commission approval.

OIG Analysis: The proposed actions meet the intent of the recommendation. This recommendation will be closed when OIG reviews the aforementioned Commission Paper seeking approval, in part, for Computer Security Rules of Behavior for foreign assignees and confirms these Rules of Behavior have been appropriately developed and implemented.

Status: Resolved.