ML21286A684
Person / Time | |
---|---|
Issue date: | 10/28/2021 |
From: | David Nelson NRC/OCIO |
To: | Martorana C US Executive Office of the President, Office of Mgmt & Budget (OMB) |
Robb C | |
Text
Ms. Clare Martorana, Chair
Technology Modernization Board
1800 F St., NW
Washington, DC 20405
Dear Ms. Martorana,
The U.S. Nuclear Regulatory Commission (NRC) is responding to the September 8, 2021, memorandum from the Technology Modernization Board. On July 12, 2021, the Technology Modernization Board (Board) considered the Initial Project Proposal titled Modernization of Safeguards Local Area Network and Electronic Safe (SLES) System from NRC. There were four questions the Board asked the NRC to address. The answers to these questions are below.
Items to Address
- 1. The Board noted that the use case for the project is justified, but it is not clear how investing to meet a defined VMware need is truly a modernization effort beyond a hardware refresh. Explaining the rationale for purchasing more hardware and whether alternative solutions were considered would be beneficial.
NRC Response: This effort will allow the NRC to implement modern, more secure, VMware solutions that improve this High Value Asset's (HVA's) overall cybersecurity posture. Most importantly, the investment will allow the SLES system to encrypt data at rest necessary for this HVA system and remediate critical cybersecurity vulnerabilities that cannot be satisfied as the current platform is unsupported.
Additionally, this effort will enable the NRC to modernize test, production, and failover environments, allowing the NRC to test platform and cybersecurity enhancements in an environment that duplicates production and failover. As a result, the NRC will be able to employ additional cybersecurity tools to analyze logs and access the system.
- 2. The Board would like to see additional information regarding the sustainment approach for this project. It specifically had concerns regarding whether funding would be needed for additional hardware upgrades in the coming years.
NRC Response: The NRC will not require funding in the coming years. The requested funding will be utilized in fiscal year 2022 and satisfy the implementation.
Future modernization and maintenance of this HVA will be included in our budget formulation process.
- 3. The Board wanted to know if there is a plan to move to the cloud, or if there is a specific reason why the cloud is not viable or considered by the agency at this time.
NRC Response: The NRC is working to move applications and systems to the cloud, as appropriate. SLES is a system that transmits and stores Safeguards Information (SGI)¹ and is considered a high-value asset and is treated as a classified system. The NRC is currently evaluating authorized cloud hosting environments that satisfy the cybersecurity requirements.
SGI.
- 4. One Board member noted that the proposal would better align with the Technology Modernization Fund (TMF) if the requested hardware purchase was one element of a roadmap to a broader modernization effort. Situating this proposal in the context of NRC's technology strategy and roadmap would help clarify the Board's thinking on the project.
NRC Response: The upgrades to the SLES environment represent a single, yet important, initiative supporting the agency's strategic goal of maintaining the security of its information technology assets through continual evolution of its cybersecurity controls to address the ever-changing threat environment. The NRC has a goal to promote the use of modern tools and industry best practices to enable the secure management and use of agency information. This goal is one of the agency's six primary goals in the recently developed NRC IT Strategic Roadmap. To meet this goal, the agency's IT architecture must not only be modernized to enable continued support; it must also be optimized to enable the use of advanced cybersecurity controls and enhancements. Continued modernization of agency systems (including SLES) therefore plays a critical part in the agency's technology strategy and cybersecurity roadmap.
We hope the answers to these questions provide a stronger framework in which to evaluate our request for the TMF funding and appreciate your consideration of our request. If you have any questions, please contact Thomas Ashley, Director for Information Technology Services and Operations Division, Office of the Chief Information Officer at Thomas.Ashley@nrc.gov.
Sincerely,
Dave J. Nelson
Chief Information Officer
Office of the Chief Information Officer

¹ SGI is a special category of sensitive, unclassified information required by Section 147 of the Atomic Energy Act to be protected. Although SGI is sensitive, unclassified information, it is marked and protected in many aspects similar to Confidential National Security Information.
Examples include information that has intrinsic security value involving equipment, procedures, communications, analyses, design basis, or response plans used by a licensee or applicant to protect certain special nuclear material, byproduct material, source material, or facilities.
Signed by Nelson, David on 10/28/21
Ltr ML21286A684
OFFICE | OCIO/ITSDOD/DTSB | OCIO/ITSDOD/DD | OCIO/ITSDOD/D | OCIO/D |
---|---|---|---|---|
NAME | KDunbar KD | GHayden GH | TAshley TA | DNelson DN |
DATE | Oct 13, 2021 | Oct 13, 2021 | Oct 14, 2021 | Oct 28, 2021 |