ML20050A636

| Person / Time | |
|---|---|
| Issue date: | 11/27/1978 |
| From: | Donoghue D, NRC Office of Administration (ADM) |
| To: | McIntyre J, Office of Management & Budget |
| Shared Package: | ML20050A634 |
| References: | FOIA-81-409, NUDOCS 8204010522 |
| Download: | ML20050A636 (6) |

Text
November 27, 1978

Mr. James T. McIntyre, Jr., Director
Office of Management and Budget
Executive Office of the President
Washington, D.C. 20503
Dear Mr. McIntyre:
Reference is made to Circular No. A-71, Transmittal Memorandum No. 1 (TM No. 1), "Security of Federal Automated Information Systems," dated July 27, 1978, which asked us to submit our plans and associated resource estimates for implementing this circular.

The U.S. Nuclear Regulatory Commission (NRC) fully recognizes the potential for computer fraud and related crimes and the serious need for protection of personal, proprietary and other sensitive data, and will take all appropriate steps to implement the subject circular. The following is an outline of the minimum set of controls to be incorporated into the NRC computer security program. This outline emphasizes that future plans and estimates of resources may be substantially affected by: (1) the computer security standards and guidelines to be developed and issued by the Department of Commerce (COMM); and (2) the policies and regulations to be issued by the General Services Administration (GSA), including those relating to the physical security of computer rooms.
1. CURRENT COMPUTER SYSTEMS STATUS

a. Equipment and Software Systems

The NRC does not have an in-house main-frame computer installation. Over 95% of all NRC computing is performed through time-sharing of other Government resources via Remote Job Entry (RJE). Some minimal use is made of commercial time-sharing for special purposes. In addition, four Data General Eclipse series minicomputers have been acquired for cost-effective processing of some scientific computing and selected financial and administrative business systems applications.

NRC operates no automatic data processing (ADP) systems which issue checks, requisition supplies, or perform similar functions based on programmed criteria with little human intervention.
b. National Security Information and Restricted Data

The NRC has a comprehensive program for the protection of national security information and Restricted Data (i.e., classified information), and this program provides some related protection of personal, proprietary and other sensitive data. The NRC Security Program for classified information involves computer, communications, personnel, physical, information, and technical security measures applied to a single remote job entry terminal that communicates with a secure computer system located in Oak Ridge, Tennessee. NRC is therefore well acquainted on an operational basis with the most stringent and sophisticated security measures and techniques required for the protection of classified information. NRC can therefore protect the most critical and sensitive non-classified data that may be defined by subsequent policies and regulations to be issued by OMB, COMM, GSA, and other executive departments or agencies to whatever degree is necessary, provided that NRC is authorized the necessary resources.
2. PLANS FOR THE PROTECTION OF PERSONAL, PROPRIETARY OR OTHER SENSITIVE DATA

The following plans are in response to and parallel the items in paragraph 4, Responsibility of the heads of executive agencies, of the circular:

a. Assignment of Responsibility for the Security of Each Computer Installation

The overall responsibility for the security of each computer software and hardware system processing personal, proprietary or sensitive data, whether operated by an NRC office or NRC contractor, is assigned to the Director, Division of Security. The line responsibility for implementing the necessary measures for the protection of such data is the responsibility of the Director, Division of Automatic Data Processing. Further, delegations of responsibilities to other offices at NRC Headquarters or Regional Offices will be made, as required, as sensitive programs are defined by subsequent analysis or by guidelines and directives that will be received from the executive branch departments or agencies stated in TM No. 1.
b. Establishment of Personnel Security Policies

Current NRC personnel security policies require that we clear individuals who participate in the design, operation or maintenance of Federal computer systems which process sensitive data, and individuals who have access to such data in Federal computer systems. These individuals require clearances based on National Agency Checks, National Agency Checks with Inquiries, or on full field background investigations conducted by the Federal Bureau of Investigation, the Civil Service Commission (CSC), etc. The degree of screening is commensurate with the sensitivity of the data to be handled as well as the risk and magnitude of loss or harm that could be caused by the individual. Personnel security policies will be consistent with the policies to be issued by the CSC as prescribed in TM No. 1, paragraphs 1.f and 7.
c. Establishment of Management Control Process to Assure Incorporation of Safeguards into Computer Applications

A management control process will be established to assure that appropriate administrative, physical and technical safeguards are incorporated into all new computer applications, and into all significant modifications to existing computer applications handling sensitive data. For the more sensitive data systems, security specifications based upon appropriate risk analyses will be created and reviewed prior to design, programming and application systems tests.

ADP system security integrity studies will be done no later than three months after a system becomes operational. In specific instances, a study for ADP systems that will process sensitive data will be done prior to the approval of the operation of the system. The security specifications adopted prior to programming, the conduct and approval of design reviews, and the application systems tests required prior to operation of the systems will be set forth in the integrity study.
d. Establishment of Periodic Audit of Sensitive Computer Applications

NRC has already established a program for the conduct of periodic audits, or evaluations, and recertifications of the adequacy of security safeguards for each computer system handling classified information. This program will be extended to cover other sensitive information, i.e., personal, proprietary or other sensitive data, as required by subsequent NRC, OMB, CSC, GSA, COMM or other department and agency directives.
e. Inclusion of Security Requirements in Specifications for Acquisition or Operation of Computer Facilities, Equipment, Software Packages, or Related Services

NRC will establish policies and responsibilities to assure that appropriate security requirements are included in specifications for the acquisition or operation of computer facilities, equipment, software packages, or related services that will be used to process sensitive data and that will be procured by the NRC or by the GSA for NRC.

Review and approval of specifications by management officials assigned responsibility for the security of computer installations is currently provided for in NRC policies. These procedures will be supplemented with additional procedures required by subsequent security standards and guidelines that will be issued as indicated in TM No. 1.
f. Assignment to Conduct Periodic Risk Analyses

Periodic risk analyses will be done for each computer installation operated by NRC, including installations operated by or on behalf of NRC, to uncover and provide for possible vulnerabilities. Risk analyses will be done prior to approval of design specifications for new computer installations to process sensitive data and upon significant changes affecting such systems. In any case, risk analyses will be done at periodic intervals not to exceed five years.
g. Establishment of Contingency Plans

NRC will establish and maintain contingency plans so that reasonable continuity of data processing support is available on the occurrence of events preventing normal operations of systems processing sensitive data. Contingency plans will be reviewed and tested at periodic intervals.
3. RESOURCE ESTIMATES (man-months)

Phase I. Preliminary Analysis
a. Review all security standards and guidelines applicable to personal, proprietary and other sensitive data in automated systems.
b. Establish definitions for degrees of sensitivity for each type of system.
Phase I total: 12

Phase II. Systems Analysis
a. Provide a requirements analysis and security proposal for each system that meets the sensitivity criteria established in Phase I.
b. Determine what facilities and hardware changes or additional hardware, including communications systems, are required to provide adequate protection for sensitive data.
c. Determine what additional clearance investigations are required.
d. Determine what total manpower and dollar resources are required to implement the security program for sensitive data.
Phase II total: 60

Phase III. Implementation
a. Do the reprogramming defined by Phase II.
b. Make the necessary facility and hardware changes defined by Phase II.
c. Implement the entire physical, technical, personal and information security program defined in Phase II, including audits, risk analyses and NRC policy changes.
Phase III total: Dependent upon the results of Phase II.

Grand Total: 72

Note: It is impossible to make a meaningful dollar estimate at this time.
Please do not hesitate to contact me if you have any further questions with regard to this response.

Sincerely,

[Original signed by]
Daniel J. Donoghue, Director
Office of Administration

bcc: D. J. Donoghue, ADM; C. R. Troutman, ADPS; J. M. Felton, DRR; D. J. Rienstra, ADM
FSSB FILE 4-10c
SEC CEN FILE 7.2, 7.4
Concurrences: FSSB; ADPS: C. R. Troutman; DRR: J. M. Felton; ADM: P. G. Norry; ADM: D. J. Donoghue (11/78)