ML21074A007

OIG-13-A-16-Status of Recommendations: Audit of Nrc'S Safeguards Information Local Area Network and Electronic Safe Dated March 15th, 2021
Person / Time
Issue date: 03/15/2021
From: Baker B
NRC/OIG/AIGA
To: Margaret Doane
NRC/EDO
References
OIG-13-A-16


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

March 15, 2021

MEMORANDUM TO: Margaret M. Doane
Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED MARCH 01, 2021

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated March 01, 2021. Based on this response, recommendations 3 and 7 remain in open and resolved status.

Recommendations 1, 2, 4, 5 and 6 have been previously closed. Please provide an updated status of recommendations 3 and 7 by November 15, 2021.

If you have questions or concerns, please call me at (301) 415-5915, or Terri Cooper, Team Leader, at (301) 415-5965.

Attachment: As stated

cc: C. Haney, OEDO
S. Miotla, OEDO
J. Jolicoeur, OEDO
S. Mroz, OEDO
RidsEdoMailCenter Resource
EDO_ACS Distribution
OIG Liaison Resource

Audit Report
AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE
OIG-13-A-16
Status of Recommendations

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Agency Response Dated March 01, 2021: The modernization of the Safeguards Information Local Area Network and Electronic Safe (SLES) system is complete; a draft folder structure has been prepared and submitted to the Office of the Chief Information Officer (OCIO) for review and feasibility of application. However, due to the complexity of Documentum, which is the database underpinning SLES, a Documentum Security Specialist (DSS) is required to physically reorganize the folder structure. The OCIO has developed a task order (T.O.) to enable funds for a DSS to analyze the suggested changes under the Global Infrastructure and Development Acquisition contract which was awarded on September 30, 2020.

Due to the SGI nature of the system, it can only be accessed at NRC and not via VPN or Citrix. Restrictions due to the COVID-19 virus have limited NSIR's and OCIO's ability to access the SLES thin clients. Once the COVID access restrictions are no longer in place, the Office of Nuclear Security and Incident Response (NSIR) will work with OCIO and the DSS to implement the new folder structure in a test environment.

The DSS will complete an analysis to validate best security practices for the revised folder structure and least privilege access (Estimated Completion Date October 2021). Once the revised structure is validated in the test environment by SLES users, OCIO will coordinate deployment of the solution to the SLES production and failover environments. Deployment of the revised structure to these operating environments is estimated to be complete 3 to 6 months after the revised structure has been validated in a test environment.

Target Completion Date: October 30, 2021

Recommendation 3 (cont.):

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when the OIG is provided with documentation verifying that the current folder structure has been evaluated and updated to meet user needs.

Status: Open: Resolved.


Recommendation 7: Develop a structured access process that is consistent with the Safeguards Information (SGI) need-to-know requirement and least privilege principle. This should include:

  • Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs).
  • Conducting periodic reviews of user access to folders.
  • Developing a standard process to grant user access.

Agency Response Dated March 01, 2021: Completion of Recommendation 7 is dependent upon implementation of the new folder structure, which is tied to the effort described in our response to Recommendation 3. The proposed file folder structure has been forwarded to OCIO for review and feasibility of application. Upon implementation of the new folder structure and identification of new folder owners, NSIR and OCIO will address the three sub-bullets in a more detailed manner that is consistent with the intent of the Recommendation.

Target Completion Date: December 30, 2021

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when the OIG evaluates the structured access process and determines (1) it is consistent with the SGI need-to-know requirement and least privilege principle, and (2) it addresses the three sub-bullets noted in the recommendation.

Status: Open: Resolved.
