ML20050A651

Advises That Subj to Encl Mods,Commission Concurred in SECY-79-172 Recommendations Re Response to Gao Rept on Safeguards Over Personal & Other Sensitive Data
Person / Time
Issue date: 03/30/1979
From: Chilk S
NRC OFFICE OF THE SECRETARY (SECY)
To: Gossick L
NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO)
Shared Package
ML20050A634 List:
References
FOIA-81-409 NUDOCS 8204010541


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

March 30, 1979

OFFICE OF THE SECRETARY

MEMORANDUM FOR: Lee V. Gossick, Executive Director for Operations

FROM: Samuel J. Chilk, Secretary

SUBJECT: SECY-79-172 - RESPONSE TO RECOMMENDATIONS IN GAO REPORT ENTITLED "AUTOMATED SYSTEMS SECURITY -- FEDERAL AGENCIES SHOULD STRENGTHEN SAFEGUARDS OVER PERSONAL AND OTHER SENSITIVE DATA" (COMMISSIONER ACTION ITEM)

This is to advise you that the Commission (with four Commissioners concurring and Commissioner Gilinsky noting without objection) has concurred in the staff's recommendations in the subject paper, subject to modifications as noted below and in the attached pages:

1. The attachment titled "NRC General Response to the Report" should be re-titled "The NRC Computer Security Program" and re-worded as attached.

2. The NRC Manual Chapter 2101, "NRC Security Program," should be included as an attachment as indicated in the attached pages.

3. The letter of transmittal should be modified as attached.

The staff is requested to prepare the letter of transmittal and attachments for the Chairman's signature.

Attachments: Modified pages

cc:
Chairman Hendrie
Commissioner Gilinsky
Commissioner Kennedy
Commissioner Bradford
Commissioner Ahearne
General Counsel
Acting Director, Policy Evaluation
Director, Congressional Affairs
Director, Public Affairs
Director, Administration

CONTACT: SJS Parry (SECY) 41410

8204010541 811204 PDR FOIA SHEARER 81-409 PDR

DRAFT

The Honorable Jack Brooks
Chairman, Committee on Government Operations
United States House of Representatives
Washington, D. C. 20515

Dear Mr. Chairman:

In accordance with Section 236 of the Legislative Reorganization Act of 1970, the U.S. Nuclear Regulatory Commission (NRC) is hereby submitting a statement on the Commission actions being taken with regard to the recommendations made by the U.S. General Accounting Office (GAO) in a report entitled, "Automated Systems Security -- Federal Agencies Should Strengthen Safeguards Over Personal and Other Sensitive Data." A discussion of the NRC's Computer Security Program and specific responses to each of the GAO recommendations as they pertain to the NRC are enclosed.

Sincerely,

Joseph M. Hendrie
Chairman

Enclosures:

1. The NRC Computer Security Program

2. Response to the GAO Recommendations

3. NRC Manual Chapter 2101, "NRC Security Program"

cc: The Honorable Frank Horton

DRAFT

THE NRC COMPUTER SECURITY PROGRAM

The Office of Administration of the Nuclear Regulatory Commission (NRC) was assigned, in November, 1976, the responsibility for agency-wide planning, coordination, control and support services for automatic data processing (ADP) in order to strengthen the NRC organization for compliance with OMB Circular A-71.

Until recently, the NRC, as a relatively new agency, had no in-house computer capability and relied almost exclusively on the use of computers, via remote terminals, at other government agencies to perform its ADP operations in accordance with procedures established by those agencies. In addition, some policies and procedures for the storage and handling of source documents and data were developed for the protection of personal, proprietary and other sensitive data. For example, NRC Manual Chapter 0204, "Privacy Act," was issued to implement the provisions of the Privacy Act of 1974 (5 U.S.C. 552a) to control the dissemination of personal information about individuals.

At the same time, a secure ADP system using remote job entry techniques was developed and installed at one of the NRC Headquarters facilities to permit the transmission and receipt by cryptographic means of National Security Information (NSI) to and from a secure ADP facility at the Department of Energy, Oak Ridge, Tennessee. The secure facility has been used both for the protection of NSI as well as other sensitive data. Policies and procedures related to the protection of NSI in an ADP system have been issued and are contained in NRC Manual Chapter 2101, "NRC Security Program," primarily Part XII, "Security of Automatic Data Processing Systems." A copy of this NRC Manual Chapter is enclosed.

A variety of factors led to the initiation in January, 1979 of an Information Technology Management Plan Task Force.

The factors prompting the initiation of the Task Force include: the receipt of OMB Circular A-71, Transmittal Memorandum No. 1 and the proposed revision to Circular A-71; the recent acquisition of four Data General C-330 minicomputers; the intention that the acquired minicomputers will process personal, proprietary or other sensitive data; and the desire of NRC management to assure that a comprehensive approach is taken within NRC on all aspects of information technology management including resources and applications.

Although the NRC has a computer security program for classified information, we recognize the need for a more comprehensive computer security program for personal, proprietary and other sensitive data and have taken actions to develop and implement such a program.

A response to each of the GAO recommendations follows.