ML20127H387

From kanterella
Significant Weaknesses Hamper NRC Computer Security Program
Person / Time
Issue date: 12/15/1992
From:
NRC OFFICE OF THE INSPECTOR GENERAL (OIG)
To:
References
OIG-92A-18, NUDOCS 9301220312


Text

OFFICE OF THE INSPECTOR GENERAL
US NUCLEAR REGULATORY COMMISSION

SIGNIFICANT WEAKNESSES HAMPER NRC'S COMPUTER SECURITY PROGRAM

OIG/92A-18
December 15, 1992
AUDIT REPORT


UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

OFFICE OF THE INSPECTOR GENERAL

December 15, 1992

MEMORANDUM FOR: James M. Taylor, Executive Director for Operations

FROM: Thomas J. Barchi, Assistant Inspector General for Audits

SUBJECT: SIGNIFICANT WEAKNESSES HAMPER NRC'S COMPUTER SECURITY PROGRAM

Attached is the Office of the Inspector General's audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program."

On November 19, 1992, the Deputy Executive Director for Nuclear Materials Safety, Safeguards and Operations Support provided comments on our draft report. The Deputy Executive Director agreed with our recommendations and stated that actions to implement the recommendations would be completed by January 31, 1993.

Attachment: As stated


TABLE OF CONTENTS

INTRODUCTION ... 1
  Background ... 1
FINDINGS ... 2
  System Tests and Audits Not Being Performed ... 3
  Configuration Management Not Exercised for Sensitive Systems ... 5
  Potential Threats to Sensitive and Classified Information Not Identified ... 5
  Computer Security Policy Outdated ... 6
  Computer Security Function Understaffed and Organizationally Misplaced ... 7
  Combined Weaknesses Warrant Reporting Under FMFIA ... 9
CONCLUSIONS ... 9
RECOMMENDATIONS ... 10
AGENCY COMMENTS ... 10

APPENDICES
  I   Objectives, Scope, and Methodology
  II  Agency Comments on Draft Report
  III U.S. NRC Functional Organizational Chart
  IV  Major Contributors to this Report


'I Weaknesses Hampor Computer Security INTRODUCTION l As part of an ongoing audit of the Office of Informadon Resources hianagement's (IRht) contract management practices, the Office of the g inspector General (010) examined the results of an independent

'B compliance review of the United States Nuclear Regulatory Commission (NRC) computer security program and NRC's actions to implement the I recommendations stemming from that review. Our examination disclosed what we believe to be uncorrected deficiencies which warrant the immediate attention of agency management.

.I For details regarding the objectives, scope and methodology of the review, see Appendix 1.

BACKGROUND

In fulfilling the agency's mission, NRC management and its technical and administrative staffs depend heavily on data obtained from a number of automated information systems maintained within the agency. Consequently, protecting these information systems and their data from theft, abuse, and tampering is vitally important to the NRC. Organizationally, the Division of Information Support Services (DISS), IRM, is responsible for implementing NRC's computer security program.

Numerous Federal policies, procedures, regulations, and guidelines govern the protection of the Government's information resources. The Office of Management and Budget's (OMB) Circular No. A-130 explains the specific responsibilities of the agencies responsible for governing computer security and describes the minimum controls and requirements agencies shall follow when implementing and operating a computer security program. Specifically, it requires Federal agencies to (1) provide assurance that there is adequate security of agency automated information systems and (2) describe any security or other control weakness in their annual internal control report to the President and the Congress, as required under OMB Circular No. A-123. The Circular prescribes policies and procedures to be followed by Federal agencies for establishing, maintaining, evaluating, improving, and reporting on internal controls in their program activities, as required by the Federal Managers' Financial Integrity Act (FMFIA), P.L. 97-255.

In addition, the National Institute of Standards and Technology (NIST), Department of Commerce, develops and issues Federal Information Processing Standards and guidelines necessary to ensure the efficient and effective acquisition, management, security, and use of information technology.

Agency policy regarding computer systems security is contained in NRC's Manual Chapter 2301. In response to a General Services Administration reporting requirement, IRM contracted with the Los Alamos National Laboratory to perform an independent compliance review of the NRC computer security program during fiscal year 1991. Los Alamos provided IRM with a report in November of 1991 that noted numerous findings regarding the NRC computer security program.

FINDINGS

The Los Alamos findings collectively raise significant concerns regarding the adequacy of NRC's computer security program. The Los Alamos report made 30 recommendations to address the findings identified in their review. OIG reviewed the Los Alamos findings and analyzed the DISS responses for reasonableness in fulfilling the Los Alamos recommendations. We found that 15, or half, of the 30 recommendations have not been implemented by IRM. In our opinion, this leaves little assurance that its computer systems and data are adequately protected against theft, abuse, and tampering.

DISS forwarded the Los Alamos report and the Division's responses to the Director, IRM. DISS referred three of the recommendations to the Division of Security (SEC), Office of Administration. SEC's response to IRM stated that these three recommendations were IRM's responsibility. IRM has resolved one of these recommendations and, according to the Director, IRM, is working with SEC to resolve another. However, IRM and SEC have not reached agreement regarding who has responsibility for the one remaining recommendation, regarding physical security.

OIG/92A-18 Page 2


The DISS responses to 13 other recommendations indicated sufficient implementation. These recommendations were in areas that include NRC's efforts in network security, contingency planning, personal computer risk assessments, and the identification of sensitive systems.

The remaining 14 recommendations were not implemented by IRM. We believe these open recommendations represent serious weaknesses in NRC's computer security program, and have grouped them into 5 categories, as described below. In summary, the Los Alamos report disclosed that:

- System tests and audits were not being performed;
- Configuration management was not being exercised for sensitive systems;
- NRC had not identified potential threats to its sensitive and classified information;
- The NRC computer security policy was outdated; and
- The staffing and organizational placement of the computer security function were questionable.

Details of our findings regarding these weaknesses follow:

SYSTEM TESTS AND AUDITS NOT BEING PERFORMED

NRC lacks assurance that its systems and their data are properly secured. Los Alamos reported that NRC was not performing system security testing or system certification [2] and accreditation [3] for the agency's sensitive [1] and classified systems. Los Alamos also noted that NRC was not consistently reviewing audit trails [4] to detect unauthorized activities and, when audit trails were reviewed, there was no documentation of the review results.

NRC Manual Chapter 2301 contains provisions for system testing, certification, and accreditation for sensitive systems. The Chapter also requires that all systems have a mechanism for user accountability and that audit trails be used where operating capacity exists. OMB Circular No. A-130 requires system testing and certification for all new sensitive systems. The Circular also requires that such systems be tested and recertified at least every 3 years and that audits be performed and documented during the recertification process.

In response to the Los Alamos report, DISS said that it was unable to perform these functions with its current funding and staffing levels. However, IRM does not plan to provide additional resources for computer security through at least fiscal 1994. Because NRC's systems are not being adequately tested, certified, accredited, and audited, the agency lacks assurance that its systems and their data are properly secured.

[1] Sensitive information includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission. It requires protection due to the risk and magnitude of loss or harm that could result from its inadvertent or deliberate disclosure, alteration, or destruction.


[2] Certification is the technical evaluation (made as part of and in support of the accreditation process) that establishes the extent to which a particular computer system or network design and implementation meets a pre-specified set of security requirements.

[3] Accreditation is the authorization and approval granted to an automatic data processing system or network to process sensitive data in an operational environment. The decision is made on the basis of a certification by designated technical personnel of the extent to which design and implementation of the system meet pre-specified technical requirements for achieving adequate data security.

[4] An audit trail is a chronological record of system activities sufficient to enable the reconstruction, review, and examination of the sequence of environments and activities surrounding or leading to each event in the path of a transaction from its inception to output of final results.


CONFIGURATION MANAGEMENT NOT EXERCISED FOR SENSITIVE SYSTEMS

NRC cannot be assured that its sensitive systems are protected against unauthorized modifications. According to the Los Alamos report, NRC required the application of configuration management [5] to NRC systems processing classified information, but did not require the same for systems processing sensitive information. Because the improper use or disclosure of sensitive information could adversely affect the agency's ability to accomplish its mission, we believe configuration management for sensitive systems is a necessary security requirement. OMB Circular No. A-130 states:

Security of information systems means both the protection of information while it is within the systems and also the assurance that the systems do exactly what they are supposed to do and nothing more.

In response to the Los Alamos findings, DISS said that it was unable to institute configuration management guidelines for systems processing sensitive information with its current funding and staffing levels. Again, no additional resources are expected in the computer security area through fiscal 1994. As a result, NRC cannot be assured that its sensitive systems are protected against unauthorized modification.

POTENTIAL THREATS TO SENSITIVE AND CLASSIFIED INFORMATION NOT IDENTIFIED

To protect its sensitive and classified systems and data, NRC needs to fully assess all potential threats to them. In addition, all NRC computer users and contractors need to be aware of potential threats to the sensitive and classified information they are processing in order to properly protect that information during processing.


[5] Configuration management is the use of appropriate procedures for controlling changes to a system's hardware and software structure for the purpose of insuring that such changes will not lead to a decrease in data security.


OMB Circular No. A-130 requires the identification of vulnerabilities that could heighten threats to sensitive data or valuable resources. Further, the Federal Information Resources Management Regulations, 44 CFR Chapter 201, require agencies to:

identify security requirements necessary to protect classified and sensitive information by listing the potential threats and hazards and describing the measures needed to provide protection . . . (and also to provide contractors with) a list of the anticipated threats and hazards that the contractor must guard against.

Also, NIST Special Publication 500-169, Executive Guide to the Protection of Information Resources, states:

Risk status should be periodically re-examined to identify new threats, vulnerabilities, or other changes that affect the degree of risk that management has previously accepted.

Los Alamos noted that no guidance was provided to NRC computer users regarding the issues and concerns that should be addressed when assessing the need for protection of classified and sensitive information. The review team recommended that NRC perform an assessment of actual and likely threats to determine the situations that could compromise NRC's ability to perform its mission, or embarrass the NRC, or lead to public distrust of the agency. The review team also recommended that the threat assessment be provided to all NRC employees and contractors.

In response to the Los Alamos finding, DISS said that if necessary funding becomes available, the threat assessment will be performed in fiscal year 1993 and then incorporated into training modules and computer security pamphlets.

COMPUTER SECURITY POLICY OUTDATED

The Los Alamos review team found that NRC Manual Chapter 2301, the agency's computer security policy, was outdated and that IRM had no program to regularly review and update the NRC computer security policy as needed. The Chapter received its last major update in 1987. IRM hopes to update the Chapter in the next year, and plans to follow NRC guidance (NRC Management Directive 1.1) for periodic updates. Those plans are contingent upon the computer security function receiving additional staff, and no staff increase is planned for the computer security program. As the agency's basic computer security guidelines are outdated, NRC cannot ensure that its computer security program is in compliance with existing Federal requirements.

NIST Special Publication 500-169, Executive Guide to the Protection of Information Resources, states:

As agency initiatives and operations change, and as the computer environment evolves, some elements of the information protection program will require change as well. Information protection cannot be viewed as a project with a distinct end; rather, it is a process that should be maintained to be realistic and useful to the agency. Procedures for review and update of policies and other program elements should be developed and followed.

NRC Management Directive 1.1 requires Directors of NRC Offices to ensure that NRC policies, requirements, procedures, and management information of continuing relevance pertinent to their program areas are incorporated in NRC's Management Directives System. While the Directive does not provide specific guidelines for the periodic update of program policy, it does delegate the responsibility for ensuring the accuracy and currency of program policy to the NRC Office Directors. Therefore, it is the responsibility of the Director, IRM, to ensure that the NRC computer security policy is regularly reviewed and updated as necessary to remain current and accurate.

COMPUTER SECURITY FUNCTION UNDERSTAFFED AND ORGANIZATIONALLY MISPLACED

Los Alamos found that the computer security program was understaffed and that its organizational placement within the DISS constrained its effectiveness. DISS attributed its inability to implement several of the Los Alamos recommendations to either a lack of staff or funding, or both. IRM has no plans to provide additional resources to the computer security area through fiscal 1994.

At the time of the Los Alamos review, the computer security program was staffed with the equivalent of 1.6 persons. Further, the program has since lost one full-time person that has not been replaced. DISS, in response to the Los Alamos finding, recommended an increase of one or two full-time computer security personnel. As the program is currently staffed at less than half the needed staffing level, it is apparent that the staffing issue is hampering the effectiveness of the computer security program. In a memo dated April 23, 1992, the DISS Division Director advised the Director, IRM, of the staffing difficulty and its impact on the computer security program. OIG met with the Director, IRM, on September 22, 1992. He said that, while he recognized that the computer security program was understaffed, he does not plan to request additional staff for this area, as his need for additional staff in other IRM areas outweighs the need in computer security.

NIST Special Publication 500-169, Executive Guide to the Protection of Information Resources, states:

The common practice of assigning responsibility for information security to existing staff with other major responsibilities is often unsuccessful. At least one dedicated staff member is recommended at the program management level.

Los Alamos also found the effectiveness of the computer security program to be constrained by its placement in DISS and recommended the relocation of the computer security function to an organization independent of either IRM division. The Division's response said that the computer security personnel need to stay in the technical computer area to remain knowledgeable of technological changes that affect security.

A U.S. General Accounting Office report [6] has said:

To be effective, the information security function must be organizationally located so that it functions independently of line management and reports directly to senior management.

On September 22, 1992, the Director, IRM, said that he was considering modifying the organizational placement of the computer security function and was discussing this issue with another NRC Office Director. He hopes to finalize a joint decision regarding this in a month or two. We believe IRM should continue to carefully consider the organizational placement of the computer security program while addressing its computer security weaknesses.

[6] Federal Information Systems Remain Highly Vulnerable to Fraudulent, Wasteful, Abusive, and Illegal Practices; MASAD-82-18; April 21, 1982.

COMBINED WEAKNESSES WARRANT REPORTING UNDER FMFIA

We believe the weaknesses discussed in this report significantly hamper the NRC computer security program. OMB Circular No. A-130 requires agencies to describe any security or other control weakness identified during reviews of sensitive applications in the agency's annual internal control report to the President and the Congress, required under OMB Circular No. A-123 and the FMFIA. Further, in its definition of a material weakness, OMB Circular No. A-123 includes those weaknesses that would significantly impair the fulfillment of an agency component's mission, violate statutory or regulatory requirements, or significantly weaken safeguards against waste, loss, unauthorized use or misappropriation of funds, property or other assets.

CONCLUSIONS

While IRM has implemented 15 of the 30 recommendations made by Los Alamos, we believe many serious weaknesses remain uncorrected. Important controls such as system testing, certification, auditing, and configuration management are not in place. NRC's computer security policy is outdated, and NRC has not properly identified the potential threats to its sensitive and classified information. In addition, concerns have been raised regarding the staffing and organizational placement of the computer security function. Until these weaknesses are eliminated, NRC cannot be assured that its computer systems and data are properly safeguarded against theft, abuse, and tampering. We believe a detailed action plan is necessary to address these weaknesses.

Further, until these weaknesses are eliminated, we believe they should be reported as a material weakness in the agency's annual FMFIA report to the President and the Congress.


RECOMMENDATIONS

To strengthen NRC's computer security program we recommend that the Director, IRM:

1. Develop a detailed action plan, with clear milestones for their completion, to address the remaining weaknesses identified in the Los Alamos report, including the organizational placement of the computer security program; and
2. Identify the weaknesses in the computer security program as a material weakness as required by OMB Circular No. A-123 and Section 2 of the FMFIA, P.L. 97-255.

AGENCY COMMENTS

On November 19, 1992, the Deputy Executive Director for Nuclear Materials Safety, Safeguards and Operations Support (DEDO) provided comments on our draft report. Appendix II contains a copy of the DEDO's comments.

The DEDO agreed with our recommendations and stated that actions to implement them had either already been taken or were underway. The DEDO said that implementation would be completed by January 31, 1993. He then provided some detailed comments on our individual findings. We reviewed the comments and did not find anything which necessitated making changes to our report.

The DEDO's comments noted that there have been no known intrusions, no major virus infections, and no significant losses of data or data integrity resulting from a breach of security at the NRC. OIG did not perform audit work verifying or nullifying this claim, as it was not within the scope of our review. However, even given that there have been no known serious breaches of security at this point, the current weaknesses in the NRC computer security program severely heighten NRC's vulnerability to such breaches.

The DEDO's comments also noted that both GAO and NIST have found that many Federal agencies are not in compliance with OMB Circular No. A-130. We reviewed GAO reports in which GAO found instances of noncompliance with the Circular. In these reports, GAO recommended that the instances of noncompliance be reported as a material weakness under the FMFIA. Whereas other Federal agencies' computer security programs may also be deficient in meeting basic Federal requirements, that does not excuse the NRC nor lessen the severity of the problem.

Regarding our finding that systems tests and audits were not being performed, the DEDO said that this finding was only partially correct. The DEDO noted that contingency plans for NRC's three most sensitive systems had been developed and tested twice in recent years. He also noted that IRM had reviewed and approved 14 security plans last year, and, in many cases, visited the microcomputer sites and audited the sensitive unclassified systems.

In response to this, it is important to note that OMB Circular No. A-130 requires that systems tests be performed prior to placing an application into operation to assure that the proposed design meets the approved security specifications. The Circular states that the objective of such systems tests should be to verify that required administrative, technical, and physical safeguards are operationally adequate. The Circular also requires that the results of these tests be fully documented and maintained in the official agency records. The instances of testing noted by the DEDO do not meet these criteria. In addition, the Circular requires sensitive systems to be audited at least every three years. According to the Los Alamos report, this is not happening at NRC. IRM needs to meet all of the Circular's requirements in order to fully alleviate this particular weakness in their computer security program.

The DEDO's comments stated that OMB Circular No. A-130 does not require configuration management and NRC Manual Chapter 2301 does not require configuration management for sensitive systems. This was accurately reflected in the draft report we sent the DEDO. The Los Alamos report recommended that NRC institute configuration management guidelines for its sensitive systems. As NRC cannot be assured that its sensitive systems are protected against unauthorized modifications without a system of configuration management, OIG believes such a system is necessary to assure an effective computer security program.

In response to our finding that NRC had not identified potential threats to its sensitive and classified information, the DEDO stated that IRM has completed individual threat assessments on some of NRC's sensitive systems, but has not identified NRC-specific threats. According to the DEDO's comments, the identification of NRC-specific threats is currently being researched by a contractor. As noted in our report, Los Alamos recommended that NRC perform an assessment of actual and likely threats to NRC information. Threat assessment is required for all systems containing classified and sensitive information by the Federal Information Resources Management Regulations, 44 CFR Chapter 201, and recommended for all systems, in general, by NIST Special Publication 500-169, Executive Guide to the Protection of Information Resources.

Regarding our finding that the NRC computer security policy was outdated, the DEDO said that IRM had contracted for the preparation of a Management Directive and Handbook. His comments also said that the directive and handbook were expected to be delivered for NRC review during the third quarter of FY 93. As we discussed in our report, Los Alamos also found that NRC had no program for the regular review and update of the computer security policy. NRC cannot ensure that its computer security program will achieve compliance with Federal requirements unless it takes steps to assure that its computer security policy remains current.


APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

As noted previously, weaknesses in the computer security program were identified during our ongoing audit of the Office of Information Resources Management's (IRM) contract management procedures. The details of the objectives, scope, and methodology of the IRM contract management audit will be provided in a future report.

As part of the contracts audit, pertinent aspects of the computer security program were reviewed. Our work included the review of the Los Alamos report and the responses of the Division of Information Support Services (DISS), IRM. Our objectives in doing so were to (1) determine whether NRC had adequately responded to the results of the Los Alamos independent computer security compliance review, and (2) determine if any noncompliance with Federal regulations identified by the review indicated a weakness that should be reported under the Federal Managers' Financial Integrity Act. We note that the Office of the Inspector General did not independently verify the merits of the findings and recommendations contained in the Los Alamos report.

Our review was conducted in accordance with generally accepted Government auditing standards. We interviewed DISS employees responsible for the computer security program. We also compared the findings and the responses to the Los Alamos report with the pertinent Federal regulations and guidelines.


APPENDIX II

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

November 19, 1992

MEMORANDUM FOR: Thomas J. Barchi, Assistant Inspector General for Audits, Office of the Inspector General

FROM: Hugh L. Thompson, Jr., Deputy Executive Director for Nuclear Materials Safety, Safeguards, and Operations Support

SUBJECT: REVIEW OF INFORMATION RESOURCES MANAGEMENT'S COMPUTER SECURITY PROGRAM

This responds to your October 13, 1992, memorandum transmitting a draft audit report on "Significant Weaknesses Hamper NRC's Computer Security Program" (OIG/92A-18). We have reviewed the subject report and are providing responses to the OIG recommendations. More specific comments on the five areas of weakness identified by the OIG are provided as an attachment to this memorandum.

With respect to your specific recommendations, we submit the following:

Recommendation 1

Develop a detailed action plan, with clear milestones for their completion, to address the remaining weaknesses identified in the Los Alamos report, including the organizational placement of the computer security program.

Response

Agree. IRM staff has addressed the weaknesses identified in the LANL report through a number of proposed actions [see list of references]. In response to the NRC Five Year Plan guidance, the Division of Information Support Services has included milestones for the computer security activity in its FY 1993 program plan. Additional detail was provided in IRM's submittal to the Internal Control Committee, wherein all the areas of work required by OMB A-130 were identified along with estimates of staff and contractor resource requirements. IRM is in the process of developing a more comprehensive action plan and will take remedial action on any weaknesses that have not already been addressed.

Completion date: January 31, 1993

Recommendation 2

Identify the weaknesses in the computer security program as a material weakness as required by OMB Circular No. A-123 and Section 2 of the FMFIA, P.L. 97-255.

Response

Agree. IRM has provided the findings of the LANL report to the NRC Internal Control Committee. At the recommendation of the Committee, the weaknesses in the computer security program will be reported as material weaknesses under the guidelines of OMB Circular No. A-123 and Section 2 of the FMFIA, P.L. 97-255.

Completion date: November 30, 1992

It should be noted that the draft audit report cites the Los Alamos National Laboratory (LANL) review to identify weaknesses in the NRC computer security program. However, the draft audit report does not mention that the LANL review team also "found the computer security personnel in the Codes and Standards Section to be knowledgeable in computer security and highly motivated to provide the best possible program for the NRC." In addition, the NRC computer security program was evaluated by a management team from the Office of Management and Budget, the National Security Agency, and the National Institute of Standards and Technology in 1991 and, although no formal report was written, favorable comments were received informally. Further, there have been no known intrusions, no major virus infections, and no significant losses of data or data integrity resulting from a breach of security at the NRC. These facts should be integrated into the final report to give a more balanced impression of the computer security program in place at the NRC.

The Office of Information Resources Management (IRM) has concluded that all requirements of the Computer Security Act of 1987 have been met. In co[...], the NRC is progressing well in its program and has reported this finding to OMB [6]. Nevertheless, both IRM and LANL recognize that the computer security program has not met all the requirements of OMB Circular No. A-130. Both the General Accounting Office [7] and the National Institute of Standards and Technology [8] have found that many federal agencies are not fully compliant with Circular A-130, especially in the area of certification and accreditation. This may be due to the number of computer security tasks (e.g., risk analysis, validation, verification, and testing, and security plan development) that must be performed and documented prior to completion of the certification and accreditation process.


IRM is developing standard procedures to include security requirements in the system lifecycle development process. These procedures will rely on guidelines published by the National Institute of Standards and Technology [9, 10] and will eventually lead to certification and accreditation of existing sensitive systems, of sensitive systems presently under development, and of future procurements of sensitive computer systems. IRM in-house software development guidance documents will also be modified and amended to reflect these security requirements. I intend to utilize the recently established Senior Information Resource Management Official (SIRMO) mechanism to communicate these requirements agency-wide to ensure that they are included in the software life cycle of non-IRM developed sensitive systems (e.g., development performed by DOE National Laboratories) and to require SIRMO participation in the annual review process to reconfirm existing sensitive systems and to identify newly developed sensitive systems.

Please contact Gerald F. Cranford at 492-7585 or me at 504-1713 if you have any questions regarding this response.

[signed] Hugh L. Thompson
Deputy Executive Director for Nuclear Materials Safety, Safeguards, and Operations Support

Attachment:
As stated


REFERENCES

1. George H. Messenger memorandum for Gerald F. Cranford dated April 23, 1992, on "Response to the Los Alamos National Laboratory Computer Security Review Recommendations."
2. George H. Messenger memorandum for Gerald F. Cranford dated October 14, 1992, on "DISS FY 1993 Program Plan," Section II, Activity 20, "Computer Security," Page II-62.
3. Gerald F. Cranford memorandum for Jesse L. Funches dated September 30, 1992, on "Results of Management Control Review - IRM Computer Security Program."
4. H.C. Rosenblum and W. J. Hunteman, United States Nuclear Regulatory Commission Computer Security Program, Los Alamos National Laboratory Report H-4/CS/91-1255, November 1991.
5. Kevin Power, "You want data protected? Give us money, feds say," Government Computer News, October 12, 1992.
6. Gerald F. Cranford (IRM) letter for James B. MacRae, Jr. (OMB) dated May 29, 1992, on OMB Bulletin 92-05.
7. Computer Security - Agencies Reported Having Implemented Most System Security Controls, U.S. General Accounting Office Report GAO/IMTEC-92-45, April 1992.
8. Kevin Power, "NIST official says agencies must be sold on security," Government Computer News, May 11, 1992.
9. D.M. Gilbert and N. Lynch, Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out, National Institute of Standards and Technology NISTIR 4749, December 1991.
10. B. Guttman, Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators, Contracting Officers, and Computer Security Officials, National Institute of Standards and Technology Special Publication 800-4, March 1992.


Attachment 1

SPECIFIC COMMENTS ON THE FIVE WEAKNESSES IDENTIFIED BY OIG

1. System tests and audits were not being performed

This is only partially correct. Contingency plans for our three most sensitive systems, Personnel, Payroll, and Property and Supply, have been developed and tested twice in recent years. These documents are available for review. All Employee Announcement No. 127, September 27, 1991, mentioned that IRM would begin to perform random unannounced checks of NRC microcomputers for the presence of unauthorized software or activities. However, due to lack of staff, IRM was forced to discontinue this activity. As reported to OMB in the 92-05 reply, 14 security plans were reviewed and approved last year; in many cases, IRM staff visited the microcomputer sites and audited the sensitive unclassified systems. As explained in the main part of this response, certification and accreditation is the end result of many other subfunctions. Until recently, the NRC had not accomplished all the subfunctions necessary to begin the final process of certification and accreditation. We are planning to begin this process for the three most sensitive systems listed above during FY93. For many of our sensitive systems, especially those that are microcomputer based, there is no audit trail capability.

2. Configuration management was not being exercised for sensitive systems

OMB Circular No. A-130 does not require configuration management. There is no requirement for configuration management in Management Directive 2301 Part II, relating to sensitive unclassified micro or minicomputer systems. This directive was written for large scale classified systems, of which the NRC has none. All the NRC sensitive unclassified systems have developed security plans which normally state the specifications and operating procedures for each system. If these change in any way, the security plan must be updated, e.g., a form of configuration management. The Systems Development Branch maintains configuration management documentation on all the major sensitive unclassified systems, such as Personnel, Payroll, and Property and Supply, as well as many smaller management information systems that have been developed for individual offices within the agency. Standard documentation is submitted by the entire agency for all changes to the programs or systems of programs and maintained in the Change Control Process System.

DC15 is currently implementing a new configuration management system for IRM use which will track cost and maintenance history on changes.


3. NRC had not identified potential threats to its sensitive and classified information

The Los Alamos report said that the NRC has not developed guidance to users regarding threats. For every major sensitive system that has received a risk assessment, threats have been identified, and weaknesses reported to management. [Illegible] such reviews were done in the past two years, covering all minicomputers except the Public Document Room. It is not cost-effective to do this type of review for an individual stand-alone PC application. However, when a security plan is developed for a sensitive or classified PC application, generic threats are taken into consideration and safeguards necessary to protect the data are implemented. The NRC has published, and distributed to all employees, numerous computer security guides which provide advice and guidance against potential threats.

What has not been previously accomplished is to identify NRC specific threats and the order of their estimated impact on the NRC specifically. This task is being currently researched by a contractor, and when we have the results, we will incorporate them into all security training modules at the ITS Training Lab, and into publicity channels for computer security information.

4. The NRC computer security policy is outdated

This has been a priority item for some time. The computer security staff has developed the draft of new Management Directive 12.5, and on August 19, 1992, issued an NRC Form 173, Standard Order for DOE Work, to the Los Alamos National Laboratory to prepare the Handbook 12.5 for Management Directive 12.5. We expect this directive and handbook to be delivered by the contractor for our review during the third quarter of FY93.

5. The staffing and organizational placement of the computer security function are questionable

As mentioned in the DISS responses to the Los Alamos report, Item A, the computer security function needs to reside in the technical computer arena in order for the staff to remain knowledgeable of, and responsive to, the technological changes which affect security. The Director, IRM, is considering the current placement versus alternatives to the organizational placement of the computer security function.


APPENDIX III  Weaknesses Hamper Computer Security

U.S. NRC FUNCTIONAL ORGANIZATION CHART

[Organization chart image; only its box labels survived extraction. Recoverable labels: Executive Director for Operations; Deputy Executive Director for Nuclear Materials Safety, Safeguards and Operations Support; Deputy Executive Director for Nuclear Reactor Regulation, Regional Operations and Research; Office of Information Resources Management; Regional Offices (Region I Philadelphia, Region II Atlanta, Region III Chicago, Region IV Dallas, Region V San Francisco); legend: "Area Audited".]


APPENDIX IV  Weaknesses Hamper Computer Security

MAJOR CONTRIBUTORS TO THIS REPORT

Corenthis B. Kelley, Acting Team Leader, Program Evaluation Team
Judith L. Leonhardt, Auditor, Program Evaluation Team
