Text

.

l, RELEASED TO THE PDR

/

///o/h h

r g-

<eata '

in:talj 2

...................o....

.g

\\,...../

POLICY ISSUE (Information)

December 14, 1993 SECY-93-341 FOR:

The Comissioners FROM:

James M. Taylor Executive Director for Operations

SUBJECT:

NRC COMPUTER PERSONNEL SECURITY PROGRAM HODIFICATIONS PURPOSE:

To inform the Comissioners of my approval of recomended modifications to the NRC's computer security policies that will significantly strengthen the NRC Computer Security Program.

I DISCUSSION:

The enclosed memorandum from the Director, Office of Information Resources Management, and the Director, Office of Administration, discusses recomended changes to the NRC Computer Personnel Security Program.

The current NRC computer personnel security screening policies are based on government-wide guidance issued by the Office of Management and Budget in 1978 and require only minimal background checks be conducted by NRC computer related contractors on their employees, regardless of their NRC assignments and the level of risk to NRC systems and data.

The NRC investigative requirements are no longer comensurate with the level of contractor access or the degree of risk to these sensitive NRC automated systems which have become critical to the functioning of the agency. Accordingly, I have authorized the Division of Security to assume responsibility to operate a government CONTACT:

NOTE:

TO BE MADE PUBLICLY AVAILABLE J. Skoczlas, IRM IN 10 WORKING DAYS FROM THE 49-28090 DATE OF THIS PAPER J. Dunleavy, SEC 49-27343 g

% n 700073 Q

, mwa

t*

The Commissioners 2

sponsored personnel screening program for computer related contractors that will ensure that the contractor employees are eligible for access to the agency's sensitive ADP systems and data based on the same type of background investigation as NRC employees with comparable access.

I believe that the modifications will ensure a consistent program with uniform standards and procedures to obtain a higher level of assurance that contractor employees are reliable and trustworthy; provide due process; and bring NRC's practices more into line with other Federal agencies.

~

fffl '/

~~

s James M. I lor ecutive Director for Operations

Enclosure:

NRC Computer Personnel Security Program Modifications DISTRIBUTION:

Conunis sioners OGC OCAA OIG OPA EDO SECY 9

l w

j*

pmarco

.,t A

l E k'2h E UNITED STATES e

NUCLEAR REGULATORY COMMISSION l.

5 9 '(/

t h

\\

WASHINGTON, D.C. 20555-0001 December 3, 1993 MEMORANDUM FOR:

James M. Taylor L

Executive Director for Operations

[

FROM:

Gerald F. Cranford, Director Office of Information Resources Management Patricia G. Norry, Director Office of Administration

SUBJECT:

NRC COMPUTER PERSONNEL SECURITY PROGRAM MODIFICATIONS We request your approval of recommended changes to NRC computer personnel security policies that will significantly strengthen the NRC Computer Security Program. The current NRC computer personnel security screening policies are based on government-wide guidance issued by the Office of Management and j

Budget (OMB) in 1978 and require only minimal background checks be conducted by NRC computer related contractors on their employees, regardless of their NRC assignments and the level of risk to NRC systems and data. These NRC' 1

investigative requirements are no longer commensurate with the level of contractor access or the degree of risk to NRC's sensitive automated systems which have become critical to the functioning of the agency.

BACKGROUND:

On July 27, 1978, OMB issued Circular No. A-71, " Security of Federal Automated Information Systems," to reduce or eliminate the risk or magnitude of loss or harm from an individual in a position of trust. At that time, screening contractor personnel was to be the "last line of defense" and undertaken only after administrative, technical, and physical means of safeguarding the data in the Government's computer systems had been employed.

On December 24, 1985, OMB rescinded Circular No. A-71 and superseded it with OMB Circular No. A-130, " Management of Federal Information Resources,"

updating in particular, Appendix III, " Security of Federal Automated Information Resources." One of the purposes of the guidance is to establish a minimum set of controls for Federal automated information systems security programs, including the establishment and management of personnel security policies and procedures.

Our current computer personnel security screening policy in IRM Management Directive (MD) 2301 is based on the original 1978 guidance and requires' only minimal background checks be conducted by the contractor on their employees, regardless of their NRC assignments and the level of risk to NRC systems and data. At the time of its adoption in 1979, NRC's contractor screening program met OMB's personnel screening requirements.

State-of-the-art computing at

u-f James M. Taylor -

that time was performed on large mainframe systems with robust operating i

systems that provided adequate protection from unwarranted access.

However, even the-limited screening required by MD 2301 has not been subject to oversight by NRC to ensure it is being done in a consistent manner.

In August 1990, the Office of Personnel Management (0PM) issued an ~ appraisal report of-the NRC's Personnel Security Program.

One of the recommendations was that IRM implement adequate oversight of the personnel security screening conducted by hRC ADP/ computer contractors.

Public Law 100-235, " Computer Security Act of 1987" requires that each Federal agency identify Federal computer systems that contain sensitive int 'rmation.

IRM and ADM have determined that many of the agency systems are sensitive and either contain privacy type information, or the availability of the system is critical to meet essential mission related requirements.

3 1

DISCUSSION:

As the NRC automates its administrative, adjudicatory, and regulatory processes, automated systems become critical to the functioning of the agency.

In most cases, contractor personnel have designed, developed and programmed the agency's automated systems and also act as data and system administrators for those systems.

For example, local Area Network-(LAN) administrators have unlimited access to agency data resident on the fileservers for which they are responsible; contractor systems programmers design, maintain, and modify sensitive NRC systems / software programs.

Technological advancements at the individual workstation level have outpaced sof tware security development and individual LAN administrators have the ability to gain access-to, remove,

' damage, or destroy agency systems or information.

To research the possible impact of contractor abuse, misuse or sabotage and destruction of-systems and j u data, IRM staff contacted managers or users of financial, administrative and j

regulatory systems.

t in the area of financial systems the integrity of contractor personnel is most important. While system security methods are in place, unscrupulous contractor personnel might be able to bypass those very same security measures.

Il to establish bogus vendor files, obligate funds, and make payment to those bogus accounts.

Unauthorized payments could also be made to existing vendor i

accounts.

Administrative systems in the Office of Administration, Division of Contracts

'j and Property Management, contain data on planned and ongoing procurements. A contractor could, by accessing those files, become privy to a range of information including government cost estimates,' competitor pricing information, profit information, evaluation reports, negotiating strategies, etc.

This information would be extremely valuable to a company in a competitive bid situation.

This type of information could easily be misused for personal or corporate gain.

i l

James M. Taylor.

Data collected by the agency in its regulatory role can provide inform 4 tion about licensees that could be misused by contractor personnel with access to regulatory systems.

For example, it became evident'several years ago that NRC-licensed irradiators were sterilizing increasing numbers of latex gloves as a result of the AIDS epidemic. Changing licensee circumstances like this one are often appropriate topics for comunication within the NRC because of the effect on the licensee's economic viability. However, this particular information could have been used for personal gain because it happened to be an early indicator of dramatic growth in the latex glove market.

These examples demonstrate how misuse of information contained in NRC systems could be used for significant personal gain.

It is easy to envision other scenarios where the sabotage or destruction of NRC systems or data could adversely impact the agency. False data could provide the basis for improper licensing decisions. Sabotage could inflict grave damage on certain emergency systems that would impact the agency's ability to respond to events.

For these reasons, it is necessary to obtain a higher level of assurance that computer related contractor employees are reliable and trustworthy.

Other government agencies including the Department of Energy, Department of Justice and the Department of Agriculture require that their contractor personnel involved with their sensitive automated systems be subject to OPM conducted background investigations. OPM performs either a full field background investigation for ADP Level I ("Q" Level screening) or a national agency check with written inquiries for ADP Level II ("L" Level screening) on these personnel.

i IRM has initially identified those services performed by contractor employees that requi,e a more co:.sprehensive investigation than the limited and inconsistent contractor conducted checks presently required. These include contractor personnel who perform services requiring direct access to or operate agency systems.

IRM has initially identified four "Q" level contractor positions occupied by 64 individuals that require investigations.

These positions, identified below, pose the most risk to the agency's sensitive systems and data.

Computer Systems Procrammers/ Analysts-Are responsible for designing new and modifying existing computer systems. Their position requires direct access to the computers and software which run the agency systems.

Local Area Network Administrators-Are contractor staff that provide ongoing operational and administrative support for the agency's LANs.

Their position allows them direct access to the LAN and the data stored there.

Computer 0 erators and Suoervisors-Computer operators physically operate t

2 the computer equipment including machine start-up and oversight, backing up the data files, distributing printouts, and so forth. Supervisors manage all the activities of the computer facility.

a f

l L

4 James M. Taylor..

Data Administrators-Are responsible for the integrity and the efficient use of the agency's databases. Although the data administrators do not design or run computer programs or systems, they have access to all the information contained in the databases.

Contractor personnel who remotely develop and/or analyze systems and data pose less risk because of the limited direct access to sensitive agency systems and data.

IRM har tally identified four "L" level contractor positions occupied by h iduals that require investigations.

These contractor positions, identi..ed below, need a less extensive investigation than.those above, but still more than what is currently required.

Comcuter Systems Develooers/ Analysts-Design and prepare computer programs to perform specific tasks. Contractors do not require direct access to the computer facility arform their tasks.

Hardware / Software Ins m.ers-Are responsible for the physical setup of the computer equipment and software.

Ccmouter Hardware Maintenance Technicians-Provide regular and preventive maintenance and repairs on the computer equipment.

j Heloline/ Hotline Staff-Respond to verbal requests for help from users by either answering user questions or dispatching installers or technicians 4

to diagnose and fix problem.

The above list is not all inclusive and may have to be modified from time to time as other job categories are identified. The Director, IRM, will modify the list as necessary.

i IRH has considered the option of hiring additional NRC personnel to perform these sensitive tasks; however, FTE constraints preclude this as a viable option. However, two other options have emerged regarding an NRC computer personnel contractor screening policy.

OPTION l' The Division of Security assumes responsibility to operate a government sponsored personnel. screening program for computer related contractors that will ensure that the contractor employees are eligible for access based on an OPM investigation. These individuals will be subject to the same type of background investigation as NRC employees with comparable access.

The contractor personnel will not be granted an NRC "Q" or "L" access authorization (security clearance), but will be approved for ADP Level I or ADP Level II access, respectively.

James M. Taylor.

ffQji:

1.

Will ensure that investigative coverage required is based on level of access or risk.

2.

Will ensure a consistent program with uniform standards and procedures to obtain a higher level of assurance that contractor employees are reliable and trustworthy; provide due process; and provide standardized procedures for conducting contractor screening.

3.

Will provide screening coverage for contractor employees which is identical to the coverage of NRC employees, since both have the same level of access to sensitive data.

CONS:

Will cost 5228,000 initially and there will be continuing costs based on turnover and reinvestigations, as well as additional workload.

OPTION 2 Increase the investigative coverage (e.g., for a background 1

investigation) required of a contractor sponsored personnel screening program commensurate with level of access or risk.

PROS:

1.

Will increase the confidence that investigative coverage required is based on level of access or risk.

2.

Will maintain a contractor run program.

CONS:

1.

Investigators hired by the contractor would not have access to information that would otherwise be available through an OPM investigation, particularly in the criminal justice area.

2.

Will significantly increase contract costs by an estimated j

5325,000 initially with additional continuing costs based on turnover and reinvestigation and will require more stringent oversight by IRM.

3.

Even at the current lower level of screening, the existing IRM contracter-run screening program has been ineffective due to a lack of agency resources to provide oversight and ensure contractor screening is being done in a consistent manner.

I

l James M. Taylor,

We recommend Option 1.

IRM and ADM agree with the requirement to screen ADP contractor personnel through the Division of Security /0PM utilizing the same process used for NRC personnel with (comparable) access to obtain either "Q" or "L" level ADP equivalencies. contains the Sensitivity Criteria for ADP Level I and II. These criteria were developed from the guidance found in OPM's Federal Personnel Manual Chapter 732 and NRC Directive 12.3.

Your approval of Option I will:

1.

Authorize government conducted personnel security background investigations to determine the reliability and trustworthiness of these computer contractors.

2.

Approve the scope of the background investigations that are equivalent to current scope required for "Q" and "L".

j 3.

Approve the enclosed ADP position sensitivity criteria used to l

determine the level of investigations required for any current or future positions.

Upon your approval:

1.

Management Directive 2301, " Systems Security" and Directive 12.3,

" Personnel Security Program" will be amended to reflect this new policy. Due process procedures, analogous to the procedures contained in Exhibit 19, Management Directive 12.3, will be incorporated into Management Directive 12.3.

2.

IRM will prioritize initial submittal to minimize the impact on SEC personnel, i

3.

All existing NRC contracts that contain the previously identified positions will be modified by DCPM and all future computer contracts will be written to reflect the new policy.

j l

Based upon a reassessment of its financial position, ADM is able to initially fund the estimated $228,000 for FY 1994. However, should the number of positions increase or greater than expected turnover occur, ADM may have to request additional funding during the FY 1994 mid-year review.

COORDINATION:

The Office of General Counsel has no legal objection to the recomendation as presented in this memorandum.

j l

l

7 0

James M. Taylor. is a proposed Information Paper informing the Commission of your intention to approve these proposed mod fications and which forwards a copy of this memorandum.

tw

^

m Gerald F. Cran rd, Directo Office of Information Resources Management f7

^

s'8 &

Patricia G. Norry, Director Office of Administration

Enclosures:

1.

Sensitivity Criteria For ADP Level I and II 2.

Information Paper APPROVED:

\\ \\

DISAPPROVED:

\\\\

/ L/'

)

v

[SecutiveDirector ames M. Taflor Date for Operations

ENCLOSURE 1 Sensitivity Criteria For ADP Level I and II ADP I ("0" Level) 1.

Responsibility for the planning, direction and implementation of a computer security program; major responsibility for the direction, planning, and design of a computer system, including the hardware and.

software; or the capability to access a computer system during its operation or maintenance in such a way that could cause.or that has a relatively high risk of causing grave damage; or the capability to-realize a significant personal gain from computer access.

Such positions may involve:

Responsibility for the development and administration of agency computer security programs, and also including direction and control of risk analysis and/or threat assessment.

Significant involvement in life-critical or mission-critical systems.

Responsibility for the preparation or approval of data for input into a system which does not necessarily involve personal access

.i to the system, but with relatively high risk for effecting grave damage or realizing significant personal gain.

Relatively high risk assignments associated with or directly involving the accounting, disbursement, or authorization for disbursement from systems of (1) dollar amounts of $10 million per year or greater, or (2) lesser amounts if the activities of the individual are not subject to technical review by higher authority at the ADP I sensitivity level to insure the integrity of the system.

Positions involving major responsibility for the direction, planning, design, testing, maintenance, operation, monitoring, and/or management of systems hardware and software.

Other positions that involve relatively high risk for effecting grave damage or realizing significant personal gain.

s t

ADP II ("L" Level) 2.

Responsibility for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority at the ADP I sensitivity level to insure the integrity of the system. Such positions may involve:

Responsibility for systems design, operation, testing, maintenance, and/or monitoring that is carried out under technical review of higher' authority at the ADP I sensitivity level, to insure the integrity of the system. This includes, but is not limited to:

(i)

Access to and/or processing of proprietary data, information requiring protection under the Privacy Act of 1974, and Government-developed privileged information involving the award of contracts.

(ii) Accounting, disbursement, or authorization for disbursement from systems of dollar amounts less than $10 million per year.

Other positions that involve a degree of access to a system that creates a significant potential for damage or personal gain less than that in ADP I level positions.

All other computer /ADP positions.

h 2