ML20090D046

OEDO-19-00564 Status of Recommendations: Audit of NRC's Safeguards Information Local Area Network and Electronic Safe (OIG-13-A-16) Enclosure
ML20090D046
Person / Time
Issue date: 04/22/2020
From: Robert Norman
NRC/NSIR/DSO/ISB
To: Baker B
NRC/EDO
Norman R
Shared Package
ML19331A078 List:
References
OEDO-19-00564, OIG-13-A-16


Text

AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

STATUS OF RECOMMENDATIONS

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

The modernization of the Safeguards Information Local Area Network and Electronic Safe (SLES) system is complete; a conceptual plan for reorganizing the SLES folder structure has been discussed. However, due to the complexity of Documentum, which is the database underpinning SLES, a Documentum Security Specialist (DSS) is required to physically reorganize the folder structure. The Office of the Chief Information Officer (OCIO) has developed a Task Order (T.O.) to enable funds for a DSS to analyze the suggested changes under the Global Infrastructure and Development Acquisition contract. When the Documentum T.O. is awarded (estimated completion date (ECD) mid-CY 2020), the Office of Nuclear Security and Incident Response (NSIR) will work with OCIO and the Documentum Security Specialist to implement the new folder structure in a test environment. The DSS will complete an analysis to validate best security practices for the revised folder structure and least-privilege access (ECD June 30, 2020). Once the revised structure is validated in the test environment by SLES users, OCIO will coordinate deployment of the solution to the SLES production and failover environments. Deployment of the revised structure to these operating environments is estimated to be complete 3 to 6 months after the revised structure has been validated in a test environment.

Completion of this task is dependent upon the availability of a contractor-provided DSS.

OCIO management has approved the T.O. and forwarded it to the NRC Office of Administration to continue the contracting process. If released within the next couple of weeks, a contract award could occur in the May or June timeframe. The DSS could be available as soon as July.

Target Completion Date: December 31, 2020

Point of Contact: Robert Norman

Recommendation 7: Develop a structured access process that is consistent with the Safeguards Information (SGI) need-to-know requirement and least privilege principle.

This should include:

  • Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs).
  • Conducting periodic reviews of user access to folders.
  • Developing a standard process to grant user access.

Completion of Recommendation 7 is dependent upon implementation of the new folder structure. Both NSIR and OCIO propose that the completion of Recommendation 7 be deferred until the new folder structure is analyzed and implemented. This will enable NSIR and OCIO to determine the new folder structure most suitable to the user community and ensure that the folder structure provides least privilege access to SGI. In the interim, the NSIR SGI Program Manager has assumed ownership of the existing folders and makes need-to-know determinations on a case-by-case basis for expanded access to folders.

The proposed file folder structure has been forwarded to SLES frequent users for peer review.

Upon implementation of the new folder structure and identification of new folder owners, NSIR and OCIO will address the three sub-bullets above in a more detailed manner that is consistent with the intent of the recommendation.

Target Completion Date: April 30, 2021

Point of Contact: Robert Norman