ML20050A643
| Field | Value |
|---|---|
| Accession number | ML20050A643 |
| Issue date | 03/12/1979 |
| From | Donoghue D, NRC Office of Administration (ADM) |
| To | |
| Shared package | ML20050A634 |
| References | FOIA-81-409, TASK-CA, TASK-SE, SECY-79-172, NUDOCS 8204010529 |
| Download | ML20050A643 (14) |
Text
March 12, 1979    SECY-79-172

COMMISSIONER ACTION
For: The Commissioners
Thru: Executive Director for Operations
From: Daniel J. Donoghue, Director, Office of Administration
Subject: RESPONSE TO RECOMMENDATIONS IN GAO REPORT ENTITLED "AUTOMATED SYSTEMS SECURITY -- FEDERAL AGENCIES SHOULD STRENGTHEN SAFEGUARDS OVER PERSONAL AND OTHER SENSITIVE DATA"
Purpose: To request Commission concurrence or comments on a proposed response to Congress.
Discussion: The Legislative Reorganization Act of 1970 requires the Chairman to submit a written statement on actions taken on General Accounting Office (GAO) recommendations to the House Committee on Government Operations and the Senate Committee on Governmental Affairs not later than 60 days after the date of the Report. The subject report, which was issued January 23, 1979, requires a response to the Congressional committees by March 23, 1979.
The GAO report was based on a survey of selected agencies in 1977 as a result of a request by Congressional committees to examine and report on the status and effectiveness of major Federal agencies' computer security programs. The report did not include a review of controls applicable to national security data.
The report found that "Federal agencies surveyed did not have a centrally directed program to protect effectively personal and other sensitive data in computer systems. Programs fell short of being comprehensive and top management support was lacking.
H. R. Harris, SEC, 42-74406
8204010529 811204
SHEARER 81-409 PDR
This was, in part, because upper management either did not recognize or adequately appreciate their responsibilities in this area or recognize the potential for invading the privacy of people or organizations served by the agency and for damage to agency program operations."
Although NRC was not one of the agencies included in the survey, a review of GAO's recommendations indicates that the NRC should implement a more comprehensive computer security program and should consider certain functional changes to satisfy the recommendations contained in the GAO report.
The proposed response briefly describes what steps have been taken within NRC to date in these areas to better protect personal, proprietary and other sensitive information. The response indicates that it will be necessary to consider some functional, policy and procedural changes within NRC to implement the GAO report recommendations. An Information Technology Management Plan Task Force was established in January 1979 by the Director, Office of Administration, to complete an NRC Information Technology Management Plan to address these and other matters. The Director, Office of Administration, has appointed his Deputy to chair the Task Force since the Director has overall responsibility for agency-wide Automatic Data Processing (ADP) planning, coordination, control and support services.
The proposed responses to GAO's specific recommendations indicate either that policies and procedures already exist within NRC to resolve the recommendations or that additional actions are being considered to implement the recommendations.
Subject to Commission approval, identical letters to the enclosure will be forwarded under the Chairman's signature to the Chairman, Senate Committee on Governmental Affairs; the Chairman, House Subcommittee on Energy and the Environment; the Chairman, Senate Subcommittee on Nuclear Regulation; the Chairman, House Subcommittee on Energy and Power; the Comptroller General of the U.S.; and the Director, Office of Management and Budget.
Recommendation: That the Commission approve the proposed letters.
Coordination: This paper has been concurred in by the Office of Nuclear Regulatory Research, the Office of the Inspector and Auditor, and the Office of Congressional Affairs. The Office of the Executive Legal Director has no legal objection.
Daniel J. Donoghue, Director, Office of Administration
Enclosure: Draft Letter
Note: Commissioner comments should be provided directly to the Office of the Secretary by close of business Thursday, March 22, 1979. Commission Staff Office comments, if any, should be submitted to the Commissioners NLT March 16, 1979 with an information copy to the Office of the Secretary. If additional time is required for analytical review and comment, the Commissioners and Secretariat should be apprised of the time and date when comments may be expected.
Distribution: Commissioners, Commission Staff Offices, Exec. Dir. for Operations, Secretariat, Regional Offices, ACRS
The Honorable Jack Brooks, Chairman, Committee on Government Operations, United States House of Representatives, Washington, D.C. 20515
Dear Mr. Chairman:
In accordance with Section 236 of the Legislative Reorganization Act of 1970, the U.S. Nuclear Regulatory Commission (NRC) is hereby submitting a statement on the Commission actions being taken with regard to the recommendations made by the U.S. General Accounting Office (GAO) in a report entitled "Automated Systems Security -- Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data."
The Commission's general response to the GAO report and specific responses to each of the GAO recommendations as they pertain to the NRC are enclosed.
Sincerely, Joseph M. Hendrie, Chairman
Enclosure: Response to GAO Report
cc: The Honorable Frank Horton
NRC GENERAL RESPONSE TO THE REPORT
The Office of Administration of the Nuclear Regulatory Commission (NRC) was assigned, in November 1976, the responsibility for agency-wide planning, coordination, control and support services for automatic data processing (ADP) in order to strengthen the NRC organization for compliance with OMB Circular A-71.
Until recently, the NRC, as a relatively new agency, had no in-house computer capability and relied almost exclusively on the use of computers, via remote terminals, at other government agencies to perform its ADP operations in accordance with procedures established by those agencies. In addition, some policies and procedures for the storage and handling of source documents and data were developed for the protection of personal, proprietary and other sensitive data. For example, NRC Manual Chapter 0204, "Privacy Act," was issued to implement the provisions of the Privacy Act of 1974 (5 U.S.C. 552a) to control the dissemination of personal information about individuals.
At the same time, a secure ADP system using remote job entry techniques was developed and installed at one of the NRC Headquarters facilities to permit the transmission and receipt by cryptographic means of National Security Information (NSI) to and from a secure ADP facility at the Department of Energy, Oak Ridge, Tennessee. The secure facility has been used both for the protection of NSI as well as other sensitive data. Policies and procedures related to the protection of NSI in an ADP system have been issued and are contained in NRC Manual Chapter 2101, "NRC Security Program," primarily Part XII, "Security of Automatic Data Processing Systems."
A variety of factors led to the initiation in January 1979 of an Information Technology Management Plan Task Force. The factors prompting the initiation of the Task Force include: the receipt of OMB Circular A-71, Transmittal Memorandum No. 1 and the proposed revision to Circular A-71; the recent acquisition of four Data General C-330 minicomputers; the intention that the acquired minicomputers will process personal, proprietary or other sensitive data; and the desire of NRC management to assure that a comprehensive approach is taken within NRC on all aspects of information technology management including resources and applications.
Although the NRC has a computer security program for classified information, we recognize we should have a more comprehensive computer security program for personal, proprietary and other sensitive data.
A response to each of the GAO recommendations follows.
1. Recommendation
Establish an automated systems security administration organization with independence from computer operations. This organization should report directly to or through a principal official who reports directly to the agency head, and it should have authority to discharge the enumerated responsibilities of agency heads as outlined in OMB Circular A-71, TM-1.
NRC Response
The Director of the Division of Security, who is independent from computer operations, is responsible for the overall NRC security program, including that relating to automated systems. The Director of Security reports to the Director of Administration who, in turn, reports directly to the Executive Director for Operations.
2. Recommendation
Develop comprehensive computer data security programs in compliance with OMB Circular A-71 from the total systems perspective--ensure that they provide for security of data in all media and in all stages of the data life-cycle--and consider the need for controls from the perspective of all possible security threats at all locations involved with the agency's data.
NRC Response
The Division of Security, in coordination with affected NRC Offices and Divisions, will develop comprehensive computer data security programs and will consider the need for controls from the perspective of all possible security threats at all locations involved with the agency's data. For example, NRC Manual Chapter 0204, entitled "Privacy Act," already contains provisions under Part V.B, "Computer Security Safeguards," for the establishment of ADP safeguards sufficient to prevent careless, accidental or unintentional disclosure, modification or destruction of identifiable personal data.
3. Recommendation
Assign to a specific group in the agency the task of ensuring that comprehensive computer data security plans and programs as developed will be documented, written, and disseminated to all activities and locations involved with the subject data, and that responsibilities for all provisions be clearly delineated. This definition of responsibility should encompass provision for implementing plans and programs further required of subordinate activities.
NRC Response
The Director, Division of Security, has been assigned the task of ensuring that comprehensive computer data security plans and programs, as developed, will be documented, written and disseminated to all activities and locations involved with subject data. This will be accomplished, in part, by the issuance of an Appendix to NRC Manual Chapter 2101, "NRC Security Program," entitled "Automated Systems Security of Personal, Proprietary and Other Sensitive Data."
4. Recommendation
Require that security programs include a provision for monitoring and reporting to top management on the status and adequacy of the program, and evaluate its implementation and the effectiveness of safeguards, procedures, and other instruments of the program.
NRC Response
With respect to NRC classified information security programs, provisions already exist to monitor and report to top management on the status and adequacy of these programs. A new Manual Appendix, "Automated Systems Security of Personal, Proprietary and Other Sensitive Data," which was referenced earlier, will contain adequate provisions for monitoring and reporting to top management and for evaluating the safeguards, procedures and other instruments of the program. This task may precede or be an outgrowth of the Information Technology Management Plan previously mentioned.
5. Recommendation
Anticipate training and indoctrination needs for raising expertise to the level required to implement requirements of their programs and of OMB.
NRC Response
The NRC has a comprehensive security training program that currently involves primarily classified information. Division of Security personnel have already attended the Department of Defense Computer Institute (DODCI) and have participated in conferences, such as the Fifth Annual Computer Security Conference and Exhibition in 1978, to enhance their knowledge of computer security. However, additional training (e.g., in risk assessment) is planned for NRC personnel, with the cooperation of the Management Development and Training Staff.
The security training and indoctrination needs of NRC will be broadened to raise the expertise of all personnel to the level required to implement the requirements of Circular A-71 TM-1. The Division of Security will also be responsible for implementing the security training and indoctrination program to satisfy those requirements identified in the NRC Information Technology Management Plan.
6. Recommendation
We recommend that heads of departments and agencies ensure that effective safeguards, from the total systems perspective, and this effort in their organizations be directed and monitored by an independent computer data security administration reporting directly to or through a principal official who reports directly to the agency head. Additionally, agencies' security plans should anticipate their increasing training needs, particularly for risk analysis, and make these needs known to the organizational level responsible for training.
NRC Response
The NRC has recognized the need for risk assessment to be done on a more consistent and formal basis, particularly with the acquisition of an in-house computer capability. As a consequence, an individual is being recruited to help perform that function. The Division of Security will monitor NRC's risk analysis activities. In addition, as noted earlier, members of the NRC organization have attended or will attend courses on risk assessment and on the security of ADP systems at such organizations as the DODCI.
The increased training needs, particularly for risk analysis for computerized security systems and programs, have been made known to the Management Development and Training Staff. The NRC is in the process of identifying the resources that may be required to implement the additional security training programs.
7. Recommendation
We recommend that department and agency heads assign priority to developing expertise in independent internal audit organizations which would allow internal audit to assume broader responsibilities for assisting management in control of computer and data resources. Also, we recommend that heads of departments and agencies make sure that internal audit plays a continuing role in assessing computer security programs and in participating in the design of information system controls over data confidentiality and integrity.
NRC Response
In order to develop expertise in the internal audit function which would allow NRC's internal audit organization, the Office of Inspector and Auditor (OIA), to assist management in the control of computer and data resources, some members of OIA have attended several courses involving computer security. In addition, OIA has joined the Audit Managers Subcommittee, Federal Audit Executive Council, which will be conducting monthly seminars on the various phases of auditing ADP in which OIA will participate. OIA has also identified other ADP training in which they will participate in the near future and will continue, on a priority basis, to develop their internal auditor's ADP expertise.
OIA has included computer security reviews as part of their ongoing audit in their work plan of NRC's ADP resources and requirements for the current and future years.
These reviews will include computer operations as well as developed information systems. For new or contemplated information systems, OIA will participate on a continuing basis in security reviews during various stages of the development process. The purpose will be to ensure that the developers are considering data confidentiality and integrity during the design of the information systems. OIA will also, on a continuing basis, review and evaluate the adequacy of any feasibility studies which may be used for the new information systems or the procurement of new equipment.