ML21055A099

OEDO-20-00425- Dr. Brett M. Baker, OIG, Memo Status of Recommendations: Audit of NRC's Safeguards Information Local Area Network and Electronic Safe (OIG-13-A-16). NSIR Enclosure Response
ML21055A099
Person / Time
Issue date: 03/01/2021
From: Mirela Gavrilas
NRC/NSIR/DSO/ISB
To: Baker B
NRC/OIG
Stapleton B
Shared Package
ML20300A475 List:
References
NSIR-20-0534, OEDO-20-00425
Download: ML21055A099 (2)


Text

STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

The modernization of the Safeguards Information Local Area Network and Electronic Safe (SLES) system is complete; a draft folder structure has been prepared and submitted to the Office of the Chief Information Officer (OCIO) for review and feasibility of application. However, due to the complexity of Documentum, which is the database underpinning SLES, a Documentum Security Specialist (DSS) is required to physically reorganize the folder structure. OCIO has developed a task order to enable funds for a DSS to analyze the suggested changes under the Global Infrastructure and Development Acquisition contract, which was awarded on September 30, 2020.

The contractual task order for addressing the finding was delayed due to COVID-19; however, NSIR has worked with OCIO to put the task order into action and avoid further delaying the resolution of this finding from the report. The new folder structure has been agreed to by the user community and will be implemented within the test environment in order to ensure functionality.

The DSS will complete an analysis to validate best security practices for the revised folder structure and least privilege access. Once the revised structure is validated in the test environment by SLES users, OCIO will coordinate deployment of the solution to the SLES production and failover environments.

Deployment of the revised structure to these operating environments is estimated to be completed 3 to 6 months after the revised structure has been validated in a test environment.

Target Completion Date: October 30, 2021

Point of Contact: Bernard Stapleton

Recommendation 7: Develop a structured access process that is consistent with the SGI need-to-know requirement and least privilege principle. This should include:

  • Establishing folder owners within SLES and providing the owners (as opposed to branch chiefs) the authority to approve the need-to-know authorization.
  • Conducting periodic reviews of user access to folders.
  • Developing a standard process to grant user access.

Completion of Recommendation 7 is dependent upon implementation of the new folder structure, which is tied to the effort described in our response to Recommendation 3. The proposed file folder structure has been forwarded to OCIO for review and feasibility of application. Upon implementation of the new folder structure and identification of new folder owners, NSIR and OCIO will address the three sub-bullets in a more detailed manner that is consistent with the intent of the recommendation.

Target Completion Date: December 30, 2021

Point of Contact: Bernard Stapleton