Text

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 OFFICE OF THE INSPECTOR GENERAL March 11, 2019 MEMORANDUM TO: Margaret M. Doane Executive Director for Operations FROM: Dr. Brett M. Baker /RA Assistant Inspector General for Audits

SUBJECT:

STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S.

NUCLEAR REGULATORY COMMISSIONS FOREIGN ASSIGNEE PROGRAM (OIG-17-A-07)

REFERENCE:

DIRECTOR, OFFICE OF INTERNATIONAL PROGRAMS, MEMORANDUM DATED FEBRUARY 25, 2019 Attached is the Office of the Inspector Generals (OIG) analysis and status of recommendations as discussed in the agencys response dated February 25, 2019.

Based on this response, recommendations 2 and 3 remain resolved. Recommendation 1 was previously closed. Please provide an updated status of the resolved recommendations by October 7, 2019.

If you have any questions or concerns, please call me at (301) 415-3485, or Eric Rivera, Team Leader, at (301) 415-7032.

Attachment:

As stated cc: R. Lewis, OEDO D. Jackson, OEDO J. Jolicoeur, OEDO S. Miotla, OEDO S. Mroz, OEDO EDO_ACS_Distribution

Audit Report AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSIONS FOREIGN ASSIGNEE PROGRAM OIG-17-A-07 Status of Recommendations Recommendation 2: Develop a secure, cost-efficient method to provide foreign assignees an email account which allows for NRC detection and mitigation of inadvertent transmission of sensitive information and seek Commission approval to implement it.

Agency Response Dated February 25, 2019: Agree. The information technology enhancements needed to support the NRC email addresses for the foreign assignee program will be developed as part of the IT Systems and Network Cross-Cutting Services (SNCC) Blanket Purchase Agreement (BPA) Call under the Global Infrastructure Development Acquisition (GLINDA) contract. The SNCC BPA Call supports the majority of the Agencys IT infrastructure and was awarded on November 27, 2018. The transition to the new contract is currently underway with a scheduled completion date of March 1, 2019. After the transition to the new contract has been completed, the Office of the Chief Information Officer (OCIO) will submit a task order to the GLINDA SNCC contractor to develop options for a secure, cost-efficient method to provide foreign assignees email accounts that can be monitored by the NRC for the inadvertent transmission of sensitive information. The developed options will be incorporated into a Commission vote paper to seek Commission approval for implementation.

Revised Target Completion Date: September 30, 2019 OIG Analysis: The proposed action meets the intent of the recommendation. This recommendation will be closed when OIG reviews the Commission Paper seeking approval of, and resources for, a secure, cost-efficient method to provide foreign assignees an email account that allows for detection and mitigation of inadvertent transmission of sensitive information.

Status: Resolved.

Audit Report AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSIONS FOREIGN ASSIGNEE PROGRAM OIG-17-A-07 Status of Recommendations Recommendation 3: When an NRC approved email account is available, develop specific Computer Security Rules of Behavior for foreign assignees using the approved email.

Agency Response Dated February 25, 2019: Agree. Staff will develop Computer Security Rules of Behavior for foreign assignees, subject to Commission approval of staffs proposed approach for responding to Recommendation 2.

Target Completion Date: Staff will complete this action within 6 months following Commission approval.

OIG Analysis: The proposed actions meet the intent of the recommendation. This recommendation will be closed when OIG reviews the aforementioned Commission Paper seeking approval, in part, for Computer Security Rules of Behavior for foreign assignees and confirms these Rules of Behavior have been appropriately developed.

Status: Resolved.