ML19331A006

OIG-13-A-16 - Status of Recommendations: Audit of NRC's Safeguards Information Local Area Network and Electronic Safe, Dated November 27, 2019
Person / Time
Issue date: 11/27/2019
From: Baker B
NRC/OIG/AIGA
To: Margaret Doane
NRC/EDO
References
OIG-13-A-16


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

November 27, 2019

MEMORANDUM TO: Margaret M. Doane, Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED OCTOBER 31, 2019

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated October 31, 2019.

Based on this response, recommendations 3 and 7 remain in open and resolved status.

Recommendations 1, 2, 4, 5 and 6 have been previously closed. Please provide an updated status of recommendations 3 and 7 by May 1, 2020.

OIG issued this report in final on April 1, 2013, and by memorandum dated June 19, 2013, the agency acknowledged agreement with OIG on these recommendations. Office of Management and Budget Circular No. A-123 (M-16-17), Section C, dated July 15, 2016, states "Management has a responsibility to complete action, in a timely manner, on audit recommendations on which agreement with the OIG has been reached." Audit recommendations 3 and 7 have been in resolved status for more than 6 years.

If you have questions or concerns, please call me at (301) 415-5915, or Eric Rivera, Team Leader, at (301) 415-7032.

Attachment: As stated

cc:
C. Haney, OEDO
D. Jackson, OEDO
J. Jolicoeur, OEDO
S. Miotla, OEDO
S. Hudson, OCFO
RidsEdoMailCenter Resource
OCFO Rids Mailbox
EDO_ACS Distribution

Audit Report
AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE
OIG-13-A-16
Status of Recommendations

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Agency Response Dated October 31, 2019: The modernization of the Safeguards Information Local Area Network and Electronic Safe (SLES) system is complete. A conceptual plan for reorganizing the SLES folder structure has been discussed. However, due to the complexity of Documentum, which is the underlying database for SLES, actual reorganization of the folder structure requires a Documentum Security Specialist. The Office of the Chief Information Officer (OCIO) has developed a Task Order (T.O.) for a Documentum Security Specialist to analyze the suggested changes under the Global Infrastructure and Development Acquisition contract. When the Documentum T.O. is awarded (estimated completion date (ECD) late calendar year (CY) 2019 or early CY 2020), the Office of Nuclear Security and Incident Response (NSIR) will work with OCIO and the Documentum Security Specialist to implement the new folder structure in a test environment. The Documentum Security Specialist will complete an analysis to validate best security practices for the revised folder structure and least privilege access (ECD June 30, 2020). Once the revised structure is validated in the test environment by SLES users, OCIO will coordinate deployment of the solution to the SLES production and failover environments. Deployment of the revised structure to these operating environments is estimated to take 3 to 6 months after the revised structure has been validated in a test environment.

Completion of this task is dependent upon the availability of a Documentum Security Specialist contractor.

Target Completion Date: December 31, 2020

1

Recommendation 3 (cont.):

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when OIG is provided with documentation verifying that the current folder structure has been evaluated and updated to meet user needs.

Status: Open: Resolved.

2

Recommendation 7: Develop a structured access process that is consistent with the Safeguards Information (SGI) need-to-know requirement and least privilege principle. This should include:

  • Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs).
  • Conducting periodic reviews of user access to folders.
  • Developing a standard process to grant user access.

Agency Response Dated October 31, 2019: Completion of Recommendation 7 is dependent upon implementation of the new folder structure. Both NSIR and OCIO propose the completion of Recommendation 7 be deferred until the new folder structure is analyzed and implemented. This will enable NSIR and OCIO to determine the new folder structure most suitable to the user-community and ensure that the folder structure provides least privilege access to SGI. In the interim, the NSIR SGI program manager has assumed ownership of the existing folders and makes a need-to-know determination on a case-by-case basis for expanded access to folders.

Upon implementation of the new folder structure, and identification of new folder owners, NSIR and OCIO will address the three sub-bullets above, in a more detailed manner that is consistent with the intent of the recommendation.

Target Completion Date: April 30, 2021

3

Recommendation 7 (cont.):

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when OIG evaluates the structured access process and determines (1) it is consistent with the SGI need-to-know requirement and least privilege principle, and (2) it addresses the three sub-bullets noted in the recommendation.

Status: Open: Resolved.

4