ML19273A925

NRC-2018-000372 - Resp 1 - Final. Agency Records Subject to the Request Are Enclosed
Person / Time
Issue date: 09/27/2019
From: NRC/OCIO
To:
References: FOIA, NRC-2018-000372
Download: ML19273A925 (13)


Text

For Official Use Only

Senior Agency Official for Privacy (SAOP) Section Report
Nuclear Regulatory Commission
2017 Annual FISMA Report

Section 1: Information Security Systems
    100%

SAOP Report - Annual 2017, Page 1 of 12

Section 2: General Requirements

2a. Has the head of the agency designated an SAOP and reported the name, title, and contact information of the current SAOP to OMB on the MAX website of the Federal Privacy Council?
    Yes

2b. Does the SAOP have the necessary position, expertise, and authority to serve in the role of SAOP?
    Yes

2c. Does the SAOP have the necessary role in the agency's policy making, compliance, and risk management activities?
    Yes

2d. Has the agency developed and maintained a privacy program plan?
    Yes

2e. Does the agency maintain an inventory of the agency's websites, applications, social media accounts, and other digital services?
    Yes

2f. Does the agency maintain and post privacy policies on all agency websites, mobile applications, and other digital services, in accordance with the E-Government Act of 2002 and OMB policy?
    Yes

2g. Has the agency developed and implemented a process to regularly review and update the privacy policies for each of the agency's websites, mobile applications, and digital services?
    Yes

2h. Has the agency developed and implemented a written policy or procedure for the agency's use of social media (indicate "N/A" if the agency does not use social media)?
    Yes

2i. During the reporting period, did the agency use web management and customization technologies on any website or mobile application?
    No

2j. During the reporting period, did the agency review the use of web management and customization technologies to ensure compliance with all laws, regulations, and OMB guidance (indicate "N/A" if the agency does not use web management and customization technologies)?
    N/A


Section 3: Considerations for Managing PII

3a. Does the agency maintain an inventory of the agency's information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII?
    Yes

3b. Does the agency ensure, to the extent reasonably practicable, that PII created, collected, used, processed, stored, maintained, disseminated, disclosed, or disposed of is accurate, relevant, timely, and complete?
    Yes

3c. Does the agency limit the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of agency functions?
    Yes

3d. Does the agency have an inventory of the agency's collection and use of Social Security numbers (SSNs)?
    Yes

3e. Does the agency maintain the inventory of SSNs as part of the agency's inventory of information systems referred to in question 3a (indicate "N/A" if the agency does not have an inventory of its collection and use of SSNs)?
    N/A

3f. Has the agency developed and implemented a written policy or procedure to ensure that any new collection or use of SSNs is necessary?
    Yes

3g. Does the written policy or procedure referred to in question 3f provide specific criteria to use when determining whether the collection or use of SSNs is necessary (indicate "N/A" if the agency does not have a written policy or procedure)?
    Yes

3h. Does the written policy or procedure referred to in question 3f provide specific steps to ensure that any collection or use of SSNs associated with agency websites, online forms, mobile applications, and other digital services is necessary and complies with applicable privacy requirements (indicate "N/A" if the agency does not have a written policy or procedure)?
    Yes

3i. Does the written policy or procedure referred to in question 3f establish a process to ensure that any necessary collection or use of SSNs remains necessary over time (indicate "N/A" if the agency does not have a written policy or procedure)?
    Yes


3j. Has the agency taken steps during the reporting period to eliminate the unnecessary collection and use of SSNs (indicate "N/A" if the agency has successfully eliminated all unnecessary collections and uses of SSNs at the agency)?
    Yes

Section 4: Budget and Acquisition

4a. Does the agency identify and plan for the resources needed to implement the agency's privacy program?
    Yes

4b. Does the agency have a process that includes explicit criteria for analyzing privacy risks when considering IT investments?
    Yes

4c. During the reporting period, did the agency review IT capital investment plans and budgetary requests to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, were explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII?
    Yes

4d. Does the agency plan and budget to upgrade, replace, or retire any information systems that maintain PII for which protections commensurate with risk cannot be effectively implemented?
    Yes

4e. Does the agency ensure that, in a timely manner, the SAOP is made aware of information systems and components that cannot be appropriately protected or secured?
    Yes

Section 5: Contractors and Third Parties

5a. Does the agency ensure that terms and conditions in contracts, and other agreements involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of Federal information, incorporate privacy requirements and are sufficient to enable agencies to meet Federal and agency-specific requirements pertaining to the protection of Federal information?
    Yes

5b. Does the agency, consistent with the agency's authority, ensure that the requirements of the Privacy Act apply to a Privacy Act system of records when a contractor operates the system of records on behalf of the agency to accomplish an agency function?
    Yes

5c. Does the agency document and implement policies and procedures for privacy oversight of contractors and other entities, to include ensuring appropriate vetting and access control processes for contractors and others with access to information systems containing Federal information?
    Yes

5d. Does the agency develop, maintain, and implement mandatory agency-wide privacy awareness and training programs for all contractors?
    Yes

Section 6: Privacy Impact Assessments

6a. Has the agency developed and implemented a written policy or procedure for determining whether a PIA is required when the agency develops, procures, or uses an IT system?
    Yes

6b. Has the agency developed and implemented a written policy or procedure to ensure that a PIA is conducted and approved before an IT system that requires a PIA is developed, procured, or used?
    Yes

6c. Has the agency developed and implemented a written policy or procedure for assessing the quality and thoroughness of each PIA and performing reviews to ensure that appropriate standards for PIAs are maintained?
    Yes

6d. Has the agency developed and implemented a written policy or procedure to ensure that system owners, privacy officials, and IT experts participate in conducting the PIA?
    Yes

6e. Has the agency developed and implemented a written policy or procedure for monitoring the agency's IT systems and practices to determine when and how PIAs should be updated?
    Yes

6f. Has the agency developed and implemented a written policy or procedure to ensure that PIAs are updated whenever a change to an IT system, a change in agency practices, or another factor alters the privacy risks?
    Yes


Section 7: Workforce Management

7a. Does the agency ensure that the agency's privacy workforce has the appropriate knowledge and skill?
    Yes

7b. Is the SAOP involved in assessing the hiring, training, and professional development needs of the agency with respect to privacy?
    Yes

7c. Has the SAOP participated in developing and maintaining a current workforce planning process?
    Yes

7d. Has the SAOP participated in developing a set of competency requirements for privacy staff, including program managers and privacy leadership positions?
    Yes

Section 8: Training and Accountability

8a. Has the agency developed, maintained, and implemented mandatory agency-wide privacy awareness and training programs for all employees?
    Yes

8b. Has the agency provided foundational as well as more advanced levels of privacy training for information system users (including managers, senior executives, and contractors) during the reporting period?
    Yes

8c. Has the agency ensured that measures are in place to test the knowledge level of information system users in conjunction with privacy training?
    Yes

8d. Has the agency provided role-based privacy training during the reporting period for employees and contractors with assigned privacy roles and responsibilities, including managers, before authorizing access to Federal information or information systems or performing assigned duties?
    Yes

8e. Has the agency developed and implemented policies and procedures to ensure that all personnel are held accountable for complying with agency-wide privacy requirements and policies?
    Yes

8f. Has the agency established rules of behavior, including consequences for violating rules of behavior, for employees and contractors that have access to Federal information or information systems, including those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII?
    Yes

8g. Does the agency ensure that employees and contractors have read and agreed to abide by the rules of behavior for the Federal information and information systems for which they require access prior to being granted access (indicate "N/A" if the agency does not have established rules of behavior)?
    Yes

Section 9: Incident Response

9a. Does the agency have a breach response plan that includes the agency's policies and procedures for reporting, investigating, and managing a breach?
    Yes

9b. Did the SAOP review the agency's breach response plan during the reporting period to ensure that the plan is current, accurate, and that it reflects any changes in law, guidance, standards, agency policy, procedures, staffing, and/or technology (indicate "N/A" if the agency does not have a breach response plan)?
    Yes

9c. Does the agency have a breach response team composed of agency officials designated by the head of the agency that may be convened to lead the agency's response to a breach?
    Yes

9c.1. Submit the names and titles of the individuals on the agency's breach response team and identify those individuals who were removed from the team or added to the team over the past 12 months.

    Name             | Title                                                    | Status
    Charles Watkins  | Infosec Specialist                                       | Active/Current
    David Offutt     | Situational Awareness & Incident Response Team Lead      | Active/Current
    Dennis Chen      | Security Specialist - contractor                         | Removed
    Elizabeth Chew   | Infosec Specialist                                       | Active/Current
    Glenn Francis    | Security Specialist - contractor                         | Active/Current
    Jamari Cummings  | Security Specialist - contractor                         | Active/Current
    Juan Jimenez     | Infosec Specialist                                       | Active/Current
    Kevin Thapa      | Infosec Specialist                                       | Active/Current
    Mario Gareri     | Infosec Specialist                                       | Active/Current
    Thorne Graham    | IT Security Senior Level Advisor                         | Removed
    Yael Camacho     | Infosec Specialist                                       | Active/Current

9d. Did all members of the agency's breach response team participate in at least one tabletop exercise during the reporting period (indicate "N/A" if the agency does not have a breach response team)?
    Yes

9e, 9f, 9g, 9h. Withheld: (b)(7)(F)


Section 10: Risk Management Framework

10a. Has the agency implemented a risk management framework to guide and inform the categorization of Federal information and information systems; the selection, implementation, and assessment of privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems?
    Yes

10b. Does the SAOP review and approve, in accordance with NIST FIPS Publication 199 and NIST Special Publication 800-60, the categorization of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII?
    Yes

10c. Has the SAOP designated which privacy controls will be treated as program management, common, information system-specific, and hybrid privacy controls at the agency?
    Yes

10d. Has the agency developed and maintained a privacy plan, reviewed and approved by the SAOP, for agency information systems prior to authorization, reauthorization, or ongoing authorization?
    Yes

10e. Does the SAOP conduct and document the results of privacy control assessments to verify the continued effectiveness of all privacy controls selected and implemented at the agency across all agency risk management tiers to ensure continued compliance with applicable privacy requirements and manage privacy risks?
    Yes

10f. Has the SAOP developed and maintained a written privacy continuous monitoring strategy?
    Yes

10g. Has the SAOP established and maintained an agency-wide privacy continuous monitoring program?
    Yes

10h. Does the SAOP review authorization packages for information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to ensure compliance with applicable privacy requirements and manage privacy risks, prior to authorizing officials making risk determination and acceptance decisions?
    Yes

Section 11: Privacy Act

11a. Has the agency developed and implemented a written policy or procedure for determining whether a SORN is required when the agency collects or maintains information?
    Yes

11b. Has the agency developed and implemented a written policy or procedure for ensuring that information collections include a Privacy Act Statement, if required?
    Yes

11c. Has the agency developed and implemented a written policy or procedure for receiving, processing, and responding to individuals' requests for access to and amendment of records?
    Yes

11d. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that no system of records includes information about an individual that is not relevant and necessary to accomplish a purpose required by statute or executive order?
    Yes

11e. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that all SORNs remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress?
    Yes

11f. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that all routine uses remain appropriate and that the recipient's use of the records continues to be compatible with the purpose for which the information was collected?
    Yes

11g. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that each exemption claimed for a system of records pursuant to 5 U.S.C. § 552a(j) and (k) remains appropriate and necessary?
    Yes

11h. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals is sufficient, and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees?
    Yes

11i. Has the agency selected, implemented, assessed, and monitored privacy controls for information systems that contain information in a system of records in order to ensure that the agency's training practices are sufficient and that agency personnel understand the requirements of the Privacy Act, OMB guidance, the agency's implementing regulations and policies, and any job-specific requirements?
    Yes

Section 12: Privacy Program Website

12a. Does the agency have a Privacy Program Page located at www.[agency].gov/privacy?
    Yes

12b. Does the agency's Privacy Program Page include a list and provide links to complete, up-to-date versions of all agency SORNs?
    Yes

12c. Does the agency's Privacy Program Page include a list and provide links to PIAs?
    Yes

12d. Does the agency's Privacy Program Page include a list and provide links to up-to-date matching notices and agreements for all active matching programs in which the agency participates?
    No

12e. Does the agency's Privacy Program Page include citations and provide links to the final rules published in the Federal Register that promulgate each Privacy Act exemption claimed for their systems of records?
    Yes

12f. Does the agency's Privacy Program Page include a list and provide links to all Privacy Act implementation rules promulgated pursuant to 5 U.S.C. § 552a(t)?
    Yes

12g. Does the agency's Privacy Program Page include a list and provide links to all publicly available agency policies on privacy, including any directives, instructions, handbooks, manuals, or other guidance?
    Yes

12h. Does the agency's Privacy Program Page include a list and provide links to all publicly available agency reports on privacy?
    Yes

12i. Does the agency's Privacy Program Page include instructions in clear and plain language for individuals who wish to request access to or amendment of their records pursuant to 5 U.S.C. § 552a(d)?
    Yes

12j. Does the agency's Privacy Program Page include appropriate agency contact information for individuals who wish to submit a privacy-related question or complaint?
    Yes

12k. Does the agency's Privacy Program Page identify the agency's SAOP and include appropriate contact information for his or her office?
    Yes