ML20198L309

Forwards Responses to NRC 981008 Comments Re Rev 1 to Automated Info Sys Security Plan Number NAC-135-PL-320
ML20198L309
Person / Time
Site: Portsmouth Gaseous Diffusion Plant
Issue date: 12/18/1998
From: Toelle S
UNITED STATES ENRICHMENT CORP. (USEC)
To: Goldberg F
NRC, NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
GDP-98-0260, GDP-98-260, NUDOCS 9901040147


Text

USEC
A Global Energy Company

December 18, 1998
GDP 98-0260

Ms. Francine F. Goldberg
Director, Planning and Resource Management Division
Office of the Chief Information Officer
Attention: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001

Portsmouth Gaseous Diffusion Plant (PORTS)
Docket No. 70-7002
Response to Nuclear Regulatory Commission Accreditation of Portsmouth Computer System

Dear Ms. Goldberg:

The Nuclear Regulatory Commission (NRC) provided accreditation of the Portsmouth Gaseous Diffusion Plant (PORTS) system described in Automated Information Systems Security Plan Number NAC-135-PL-320, Revision 1, in Reference 1. This accreditation is contingent upon the incorporation of comments also contained in Reference 1. USEC's response to these comments is provided in Enclosure 1. Any plan revisions discussed in Enclosure 1 will be made in the next revision of the computer security plan.

New commitments contained in this submittal are listed in Enclosure 2. Please contact Mark Lombard at (301) 564-3248 if you have any questions concerning this information.

Sincerely,

Steven A. Toelle
Nuclear Regulatory Assurance and Policy Manager

Enclosure:

1. USEC Response to NRC Comments
2. New Commitments Contained in This Submittal

cc: NRC Region III Office
NRC Resident Inspector - PGDP
NRC Resident Inspector - PORTS

9901040147 981218 PDR ADOCK 07007002 C PDR

Bethesda, MD 20817-1818
Telephone 301-564-3200 Fax 301-564-3201 http://www.usec.com
Offices in Livermore, CA Paducah, KY Portsmouth, OH Washington, DC


REFERENCES

1. Letter from Francine F. Goldberg (NRC) to Steven A. Toelle (USEC), "Accreditation of a Portsmouth Computer System," October 8, 1998.


GDP 98-0260 Page 1 of 2

USEC Responses to NRC Comments

NRC Question 1

On page 36, the Security Agreement includes the printed names of "Penny Marcum" and "Marcus Whitt." However, there are no accompanying dated signatures. Since both names appear in Appendix D's Password Receipt Acknowledgment forms, this oversight needs to be corrected.

USEC Response:

As stated in USEC letter GDP 98-0186 dated August 28, 1998, "As additional personnel are granted access to the NAC Remote Link Automated Information System, the list of those approved for access to the system will be revised and maintained at the PORTS site along with all associated documentation (e.g., Security Agreement and Password Receipt Acknowledgment forms)." This statement was intended to address the situation where the Security Agreement submitted to the NRC with the revised security plan had printed names of individuals that had not signed this form, and the Password Acknowledgment forms in Appendix D that were included with the security plan and not signed by the pertinent individuals. USEC intends to maintain the signed forms on site so that the security plan does not have to be reissued every time users are added or deleted. The forms in the security plan are intended to be primarily for illustrative purposes to show the format and content of the forms. The security plan will be revised to indicate the forms in the plan are only intended to indicate the format and content of the forms and not to serve as the documentation of the approved user of the system.

NRC Question 2

On page 37, the statement "Only the ISSO, with the approval of the ISSM, coordinates the relocation of the Remote Link," needs rectifying. As stated in the NRC cover letter accrediting this security plan: "The system is not to be moved or reconfigured in any way without appropriate updating by USEC and approval by the NRC of a revised security plan and the associated certification and accreditation documentation."

USEC Response:

The process utilized at PORTS requires the Information System Security Manager (ISSM) for the Automated Information Systems Security Plan Number NAC-135-PL-320 to evaluate each proposed computer system change (e.g., movement or reconfiguration of equipment, addition or revision of hardware or software, or a change in the computer system security plan) to the subject computer system to determine if the change constitutes a decrease in effectiveness of the subject computer system security plan. If the ISSM determines that the change constitutes a decrease in effectiveness of the subject computer system security plan, the change will be submitted for NRC approval prior to implementation. If the ISSM determines that the change does not constitute a decrease in effectiveness of the subject computer system security plan, the change will not be submitted for prior NRC approval but any associated revisions of the computer security plan will be promptly forwarded to the NRC after the change has been processed and approved by the ISSM. This process is similar to that utilized to evaluate changes to the PORTS physical security and classified matter security plans, and has been discussed with the NRC staff.

NRC Question 3

The form on page 39 should not only be "prepared when configuration changes (hardware or software) are made to the system," but it should also be duly approved by the NRC.

USEC Response:

See the response to NRC Question 2.

NRC Question 4

And this is a minor point of clarification: On page 32, under the statement "Provide a brief description of the Remote Link PC environment," the phrase "vault-type area" should be changed to "vault-type room."

USEC Response:

This change will be made in the next revision of the security plan.


GDP 98-0260 Page 1 of 1

New Commitments Contained in This Submittal

The following changes will be made to Automated Information Systems Security Plan Number NAC-135-PL-320 in the next revision of the plan:

1. The security plan will be revised to indicate the forms in the plan are only intended to indicate the format and content of the forms and not to serve as the documentation of the approved user of the system.

2. Page 32, under the statement "Provide a brief description of the Remote Link PC environment," the phrase "vault-type area" will be changed to "vault-type room" in the next revision of the plan.
