ML20283A354

10-26-20 Letter to Honorable Russell T. Vought, OMB, from Chairman Svinicki Reporting on Submittal of FY20 Fisma and Privacy Management Artifacts
ML20283A354
Person / Time
Issue date: 10/26/2020
From: Kristine Svinicki
NRC/OCM/KLS
To: Vought R
US Executive Office of the President, Office of Mgmt & Budget (OMB)
Cris Brown, 301-415-8421
Shared Package
ML20282A651 List:
References
CORR-20-0099, SRM-EDO011121-1


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

CHAIRMAN

October 26, 2020

The Honorable Russell T. Vought
Director, Office of Management and Budget
725 17th Street, NW
Washington, DC 20503

Dear Mr. Vought:

On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am pleased to report that the Federal Information Security Modernization Act (FISMA) and Privacy Management Program documents for fiscal year (FY) 2020 have been submitted through CyberScope in accordance with the November 19, 2019, Office of Management and Budget (OMB) Memorandum M-20-04, "Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements." The NRC's submittal included the following eight documents:

(1) Chief Information Officer/2020 Quarter 4 Annual FISMA Report
(2) Senior Agency Official for Privacy/2020 Annual FISMA Report
(3) Agency Privacy Program Changes
(4) Agency Privacy Program Plan
(5) Agency Breach Response Plan
(6) Agency Privacy Continuous Monitoring Strategy
(7) Agency Privacy Program - Uniform Resource Locator
(8) Social Security Number Collection Policy and/or Procedures

The NRC's Office of the Inspector General will separately submit the Inspector General Section Report/2020 Annual FISMA Report through CyberScope.

The NRC continues its efforts towards full compliance with FISMA targets and with the agency's Privacy Management Program. To date, the NRC has reduced its number of reportable systems to 17. During FY 2020, the agency completed security assessments and approved change authorizations for each system.

The NRC had no major security incidents during FY 2020. The NRC had a total of 10 confirmed incidents. The NRC's Computer Security Response Incident Team reported six incidents to the U.S. Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT): five improper usage events and one attempted access event. US-CERT reported four incidents to the NRC. The NRC investigated, mitigated, and remediated all 10 incidents.

As in prior years, the NRC participated in the high-value asset risk and vulnerability assessments led by DHS and has completed mitigation and remediation activities. In accordance with current DHS guidance, the NRC reassessed its high-value assets and reduced the number from nine to five. The NRC will continue to collaborate with DHS in future efforts to assess the NRC's protection of high-value assets.


The NRC continues to make progress toward meeting the cybersecurity cross-agency priority (CAP) goals, as demonstrated by the agency's 100-percent achievement of the FY 2020 metric targets. The "CAP Goal Evaluations" table in Appendix A to the NRC's Chief Information Officer/2020 Quarter 4 Annual FISMA Report details the agency's progress.

In the upcoming fiscal year, the NRC will continue to make progress in updating the ongoing authorization program, deploying encryption at rest, implementing additional personal identity verification, reducing the risk of unauthorized software, and addressing current audit findings. In accordance with the instructions issued by OMB and DHS, the agency will continue to update your staff on its progress on these initiatives.

If you have any questions about the FY 2020 NRC FISMA and Privacy Management Program documents, please contact me or have your staff contact Mr. David J. Nelson, Chief Information Officer, at (301) 415-8700.

Sincerely,

Kristine L. Svinicki

Identical letter sent to:

The Honorable Russell T. Vought
Director, Office of Management and Budget
725 17th Street, NW
Washington, DC 20503

The Honorable Chad F. Wolf
Secretary of Homeland Security
Washington, DC 20528