ML22013B134

OIG-13-A-16-Status of Recommendations: Audit of Nrc'S Safeguards Information Local Area Network and Electronic Safe Dated January 13th, 2022
Person / Time
Issue date: 01/13/2022
From: Rivera E
NRC/OIG/AIGA
To: Dan Dorman
NRC/EDO
References
OIG-13-A-16


Text

January 13, 2022

MEMORANDUM TO: Daniel H. Dorman, Executive Director for Operations

FROM: Eric Rivera /RA/
Acting Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED NOVEMBER 15, 2021

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated November 15, 2021.

Based on this response, recommendation 3 remains in open and resolved status and recommendation 7 is closed. Recommendations 1, 2, 4, 5 and 6 have been previously closed. Please provide an updated status of recommendation 3 by June 15, 2022.

If you have questions or concerns, please call me at (301) 415-5915, or Terri Cooper, Team Leader, at (301) 415-5965.

Attachment: As stated

cc: S. Miotla, OEDO
J. Jolicoeur, OEDO
RidsEdoMailCenter Resource
EDO_ACS Distribution
OIG Liaison Resource

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930

Audit Report: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)
Status of Recommendations

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Agency Response Dated November 15, 2021: The modernization of the Safeguards Information Local Area Network and Electronic Safe (SLES) system is complete; a draft revised folder structure was prepared and submitted to the Office of the Chief Information Officer (OCIO). The OCIO issued a task order to enable funds for Documentum, which is the database underpinning SLES. A Documentum security specialist will analyze the suggested changes under the Global Infrastructure and Development Acquisition contract that was awarded on September 30, 2020. Previous restrictions due to the Coronavirus Disease 2019 (COVID-19) have been lifted, which allows physical access to the SLES thin clients. The revised folder structure will result in increased user efficiencies (search and organization function) and reinforce least privilege access. OCIO will coordinate deployment of the solution to the SLES production and failover environments approximately 3 to 6 months post-validation in the test environment.

Staff point of contact for this recommendation: Bern Stapleton
Completed: November 15, 2021

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when the OIG is provided with documentation verifying that the current folder structure has been evaluated and updated, if necessary, to meet user needs.

Status: Open, Resolved.


Recommendation 7: Develop a structured access process that is consistent with the Safeguards Information (SGI) need-to-know requirement and least privilege principle. This should include:

  • Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs).
  • Conducting periodic reviews of user access to folders.
  • Developing a standard process to grant user access.

Agency Response Dated November 15, 2021: With respect to the SGI need-to-know requirement and least privilege principle, improvements have been made to training, validation of need and increased attention to user access. A policy has been established that requires all users to sign in every 90 days to maintain their access to SGI. The user community has significantly decreased from the initial 600+ users in 2015. The system's need-to-know access screens out 95 percent of NRC employees and contractors.

Pre-COVID-19, there were 173 users of the system; however, many have been disabled due to not logging in. As of October 21, 2021, there were 96 users (90 regular users and 6 system administrators).

Assigning owners to file folders will be partially dependent upon implementation of the revised folder structure identified in recommendation 3. Currently, the SGI senior program manager revises and approves file folder access on an individual basis based on the needs and job position of the user. Periodic reviews of user access to folders are conducted to ensure proper access is maintained. Least privilege is accomplished through several steps, including training and completion of NRC Form 772, Safeguards LAN and Electronic Safe (SLES) New User Account Creation and Account Reactivation Request Form for SLES Viewer.



Form 772 requires the information systems security officer, branch chief and SGI senior program manager to verify and limit access based on need-to-know. This procedure applies to system administrators, users, and viewers. Staff applies an acceptable risk management approach to ensure that individuals are properly trained on the SGI need-to-know requirement and least privilege principle.

Specifically:

  • Training of users/viewers emphasizes a need-to-know concept. There have been no known leaks of information from authorized users.
  • The SLES system meets the intent of NRC Management Directive 12.1, NRC Facility Security Program, definition of need-to-know (in person access vs. access to system).
  • Security regarding access rights, least privilege and need-to-know of the SLES system is consistent with classified programs (GOLD, SIPRNet).

Staff point of contact for this recommendation: Bern Stapleton
Completed: November 15, 2021

OIG Analysis: The proposed action meets the intent of the recommendation.

The OIG had several follow-up conversations with Mr. Stapleton and is satisfied that the agency has developed a structured access process that is consistent with the Safeguards Information (SGI) need-to-know requirement and least privilege principle. This recommendation is therefore considered closed.

Status: Closed.
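The agency response above describes one concrete access-control mechanism: an account must sign in at least every 90 days or it is disabled, and the remaining active population is reported by role (regular users and system administrators). The following is an added illustration of that periodic inactivity review, written for this page; it is not NRC or SLES code, and the account records, usernames, roles and dates in it are constructed for the example. It treats an account with no recorded sign-in as inactive, which is the conservative reading of a need-to-know rule.

```python
from datetime import date, timedelta

# Policy stated in the agency response: sign in at least every 90 days to keep access.
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample records (hypothetical usernames, roles and dates; not NRC data).
SAMPLE_ACCOUNTS = [
    {"user": "user_a",  "role": "user",   "last_login": date(2021, 10, 1)},
    {"user": "user_b",  "role": "user",   "last_login": date(2021, 6, 15)},
    {"user": "admin_x", "role": "admin",  "last_login": date(2021, 9, 30)},
    {"user": "user_c",  "role": "viewer", "last_login": None},   # never signed in
    {"user": "admin_y", "role": "admin",  "last_login": date(2021, 5, 1)},
]


def review_accounts(accounts, review_date, limit=INACTIVITY_LIMIT):
    """Split accounts into (active, to_disable) under the sign-in-every-N-days rule.

    An account is kept only if it has a recorded sign-in and that sign-in is no
    more than `limit` days before `review_date`. Exactly `limit` days old still
    satisfies "every 90 days"; one day more does not. A missing last sign-in is
    treated as inactive: absence of evidence of use is not evidence of need.
    """
    active, to_disable = [], []
    for acct in accounts:
        last = acct["last_login"]
        if last is None or review_date - last > limit:
            to_disable.append(acct)
        else:
            active.append(acct)
    return active, to_disable


def summarize_by_role(accounts):
    """Count accounts per role, the way the memo reports users vs. administrators."""
    counts = {}
    for acct in accounts:
        counts[acct["role"]] = counts.get(acct["role"], 0) + 1
    return counts


def disable_list(accounts, review_date, limit=INACTIVITY_LIMIT):
    """Usernames to disable, sorted, ready to feed into an account-management step."""
    _, stale = review_accounts(accounts, review_date, limit)
    return sorted(a["user"] for a in stale)


if __name__ == "__main__":
    # Review date matches the count reported in the response (October 21, 2021).
    active, stale = review_accounts(SAMPLE_ACCOUNTS, date(2021, 10, 21))
    print("active by role:", summarize_by_role(active))
    print("disable:", disable_list(SAMPLE_ACCOUNTS, date(2021, 10, 21)))
```

The review is deliberately one-directional: it can only remove access, never grant it, so running it on a schedule cannot widen the need-to-know population. Re-enabling a disabled account still has to go through the Form 772 path described above, with the owner and security-officer approvals that path requires.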
