ML22080A024

| Person / Time | |
|---|---|
| Issue date: | 10/26/2020 |
| From: | Jonathan Feibus NRC/OCIO |
| To: | |
| Shared Package: | ML22077A369 |
| References: | CISO-PROS-1341 |
Nuclear Regulatory Commission, Office of the Chief Information Officer, Computer Security Process

Office Instruction: CSO-PROS-1341
Office Instruction Title: Short-Term Authorization Process
Revision Number: 1.4
Effective Date: 10/26/2020
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO

Description:
CSO-PROS-1341, Short-Term Authorization Process, defines the steps for obtaining a short-term authorization for deploying new technologies or an external IT service within NRC systems. A short-term authorization also includes the Authority to Test (ATT).

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)
Table of Contents

1 PURPOSE ........ 1
2 SPECIFIC REQUIREMENTS ........ 1
    Request Process ........ 3
    2.1.1 Additional Software as a Service (SaaS) Requests ........ 3
    Assessment Activities (Assessor System Statement of Risk) ........ 4
    Final Approval ........ 5
3 CONTINUOUS MONITORING REQUIREMENTS ........ 6
4 WORKFLOWS ........ 6
5 APPENDIX A-FORMS ........ 8
    ATT Questionnaire ........ 8
    ATT/Short-Term Monitoring Plan (STAMP) ........ 8
Computer Security Process CSO-PROS-1341 Short-Term Authorization Process

1 PURPOSE

CSO-PROS-1341, Short-Term Authorization Process, defines the process for obtaining a short-term authorization and/or an authority to test (ATT) for deploying new technologies or an external Information Technology (IT) service within NRC systems. This includes, but is not limited to, cloud computing through a Cloud Service Provider (CSP) and establishing an interconnection with an IT system that is owned and operated by another government agency.
Not all new technologies need a short-term authorization or ATT; it depends on the scope and scale of the change and the security details surrounding it. The information system security officer (ISSO) should contact their CSO POC to determine whether the new technology needs a short-term authorization or ATT. For instance, a new cloud service offering or external IT service would always need a short-term authorization or ATT, whereas a new technology deployed internally and accessed by a small number of internal users may not.
A short-term authorization or ATT is granted for a specific time frame. The type of authorization requested drives the level of rigor for testing/assessing the effort, taking into consideration the scope and magnitude of the change. New technologies must be approved through intake prior to requesting a short-term authorization unless specifically requested by the CISO for compelling business needs.
This process is intended to be used in concert with OCIO-CCB-0001, System Change Significance Determination and Notification Process, OCIO-CCB-0002, Change Approval Process, and the ATT Questionnaire [1]. These documents can be found on the Computer Security Organization (CSO) website.
The information contained in this document is intended to be used by system owners and information system security officers (ISSOs), enterprise and system-specific Configuration Control Board (CCB) change coordinators, and system administrators responsible for the security and operations of NRC systems. This process does not apply to classified or SGI systems.
2 SPECIFIC REQUIREMENTS

IT system change requests (CRQs) that fall under the scope of this process can be initiated by delegates of the system owner or the ISSO. CRQs are processed through the Configuration Control Board (CCB). The CCB determines the significance of the change and has the authority to approve a CRQ or defer it to the Chief Information Security Officer (CISO) for recommendation as defined by the CCB Charter.

[1] The ATT Questionnaire is located in Appendix A of this document.
ATT

An ATT is an authorization that can be requested for situations where build out and testing of a technology prior to integrating into a secure IT system is needed. Production data is NOT allowed for an ATT (if production data is needed, a short-term authorization should be pursued).
ATTs must be associated with a FISMA system where the ISSO has overall responsibility for the duration of the ATT. By default, the timeframe for an ATT is six (6) months unless otherwise stated by the CISO or Authorizing Official (AO). ATTs will not be extended beyond a total duration of nine (9) months. If the authorization is still needed after 9 months, the ISSO must request a short-term authorization to replace the ATT.
There are 2 key tasks that must occur when the ATT reaches the 5-month mark:

- If the ATT uses a FedRAMP cloud offering that is authorized, the ISSO must submit the necessary paperwork to get NRC's authorization registered with the FedRAMP PMO.
- The ISSO must submit a Short-Term Authorization Management Plan (STAMP) [2] to the CISO for review and approval. Once the plan is approved, the ISSO has one month to implement that plan.
The CISO can approve an ATT provided that a new high risk is not introduced into the agency's systems. The CISO can promote an ATT to a short-term authorization as long as a new high risk is not found.
Short-Term Authorization

A short-term authorization allows the system owner to put their system or service into production as system documentation is being developed, the system is being independently tested, and mitigation strategies for weaknesses are developed. A short-term authorization cannot exceed 24 months. This includes any time that was accrued while the authorization operated under an ATT.
There are 2 key tasks that must occur when the short-term authorization reaches the 5-month mark (including the duration of any preexisting ATT):

- If the short-term authorization uses a FedRAMP cloud offering that is authorized, the ISSO must submit the necessary paperwork to get NRC's authorization registered with the FedRAMP PMO.
- The ISSO must submit a STAMP to the CISO for review and approval. Once the plan is approved, the ISSO has one month to implement that plan.
An initial project or implementation that needs a short-term authorization (as opposed to an ATT), must be approved by the AO.
[2] The STAMP is located in Appendix A of this document.
Request Process

The ISSO must email the request for a short-term or ATT authorization to their CSO POC and ensure that all relevant documentation (ATT questionnaire, design docs, FedRAMP package and diagrams as applicable) is provided with the email for proper review.
The CSO POC will review the package and consult with the ISSO for further clarification if necessary. Upon concurrence, the CSO POC will submit the request and associated documentation to the Enterprise Assessor Distribution List at CSO_Enterprise_Assessors for further investigation and risk analysis.
Note: For NRC system changes that are NOT part of the NRC-managed network (contractor sites), the ISSO must notify the CSO POC and CISO about the proposed system change along with any detailed information explaining the change in order for the authorization request process to begin.
2.1.1 Additional Software as a Service (SaaS) Requests

For large shared Software as a Service (SaaS) offerings that provide a multitude of functions (e.g., Office 365/Google Apps), the service owner/manager will need to specify the SaaS services to be used as of the initial authorization. This should be documented in the authorization request to help identify new services, document implementation of NRC cybersecurity/privacy control responsibilities, and assist with periodic testing over time.
If the CSP adds new services/features or if the NRC wishes to use additional services, the service owner/manager must follow the normal change control process. Normal changes are not pre-authorized and must follow the complete change management process, including review and approval by the CCB. Depending on the complexity, the CCB and/or Enterprise Assessor may consider the change to be major, or determine that it will introduce new high risks, and escalate it to the CISO/Deputy Chief Information Security Officer (DCISO), ultimately requiring AO approval or denial.
In addition, the service owner/manager must send a notification email to the system owner, ISSO, CISO, DCISO, AO, and Secondary AO prior to implementation. This includes notification for new services or major features that come automatically enabled from SaaS.
The notification email must include the following details:

- Change Request (CRQ) number
- Cloud service affected
- Description of change to service
- Links to vendor documentation
- Timing for implementation
- Status of communication activities (if required)
- Status of support management activities (remedy categories, help desk briefing, etc.)
Any of the individuals notified may ask for an implementation hold while potential impacts (security, operational, or other) are formally discussed and assessed.
Once officially approved, collaboration with the appropriate system ISSO must take place so that the new service/feature can be included in the system's boundary and continuous monitoring testing cycle. In addition, the system ISSO must track which services/features are used for authorized SaaS services as they are added over time.
Assessment Activities (Assessor System Statement of Risk)
The breadth and depth of assessment activities prior to granting a short-term authorization may include, but are not limited to, the following:
1) Security architecture reviews for a short-term authorization to include the following:
   - Gather relevant information that addresses the background/purpose/function of the change
   - Interview responsible parties
   - Review of security and design documentation
   - Review of the FedRAMP authorization package and status for a cloud service
   - Review of the relevant authorization status for an external IT service run by another federal agency
   - Connectivity requirements (user and system-to-system connectivity)
   - Review of inventory
   - System boundary/boundaries affected (e.g., if the service connects to other cloud services and/or on-premise systems)
   - Boundary protections
   - Network ports, protocols, services, and encryption methods involved
   - Information on NRC and non-NRC users, roles, identification, and authentication
   - Data types processed/stored/transmitted, including whether it involves privacy or personally identifiable information (PII)
2) Vulnerability scans/security configuration compliance checks as applicable
3) Static or dynamic application security testing (e.g., Veracode)
4) Focused security or privacy control testing (e.g., for changes that are likely to impact multiple NRC systems)
Once testing/assessment activities have been completed, the NRC Enterprise Assessors will review the results and complete the ASSR. The ASSR will include any specific conditions that must be met for the duration of the short-term/ATT authorization. This risk statement provides clarity and descriptive information to provide the initial determination of the potential risk, likelihood, and impacts related to the authorization.
Final Approval

The Enterprise Assessors will complete an ASSR, which documents the results of the risk analysis and any recommendations for the effort. The Enterprise Assessors submit the ASSR results to the ISSO and CSO POC for further clarification if necessary, or email them to the CISO with a recommendation for approval or denial and any proposed conditions. The CISO will review the ASSR, provide feedback, ask questions, modify it if necessary, and then move forward with the request.
For an ATT, the CISO or AO can approve or deny the request and add approval conditions (as appropriate).
For the short-term authorization request, the CISO provides the ASSR recommendations to the AO for a decision to approve or deny the request.
If tracked conditions are issued with the approval, the ISSO must account for them by creating a Plan of Actions and Milestones (POA&M) for each condition so it can be tracked and managed.
The ISSO must provide the evidence that tracked and specific conditions have been met prior to final authorization.
If the short-term authorization needs to be extended past the initial approval date, or if any authorization-specific conditions or dates need to be changed, the system ISSO must email the request to the CISO (CISO@nrc.gov) with supporting rationale as to why the condition and/or date cannot be met. A completed STAMP must accompany the request for proper analysis and NRC Enterprise Assessor review.
Depending on the scope and nature of the ATT, it can be elevated to a short-term authorization or full authorization request (with an independent assessment) once the testing phase is over.
Similarly, a short-term authorization may be elevated to a full authorization request (ATO) following the completion of the independent assessment and associated activities. Once independent assessment activities have been completed, the system ISSO must request a final approval (ATO) from the AO to be incorporated into the applicable FISMA system boundary and included in continuous monitoring activities.
For those ATT/short-term authorization approvals that involve a FedRAMP Authorized Cloud Service, the system ISSO is required to provide the FedRAMP Program Management Office (PMO) with an ATO letter from the NRC AO. Within 5 months of the ATT/short-term authorization, the ATO letter must be on file for NRC.
Having an ATO letter on file enables ISSO access to the CSP's security and continuous monitoring documentation and allows the FedRAMP office to contact the NRC if FedRAMP obtains relevant security information related to the CSP responsibilities that should be disseminated to the CSP customers.
The FedRAMP ATO letter template can be found on the CSO website.
The ISSO must complete the ATO letter template and prepare it for a digital signature. Once completed, the ISSO sends the letter to the CSO POC for review, who then forwards it to the CISO for concurrence. When concurrence is completed, the CISO sends the letter to the AO's executive assistant (copying the CSO POC and ISSO). The AO signs and returns the letter to the ISSO so it can be submitted to the FedRAMP PMO at info@fedramp.gov for their file.
The NRC CISO, CSO POC and the POC listed for the Cloud Service Offering on the FedRAMP Marketplace must be copied on the email to FedRAMP so they are aware.
3 CONTINUOUS MONITORING REQUIREMENTS

Continuous monitoring activities will be required 6 months from when the authorization was granted and include, but are not limited to, the following:

- Remediation status of outstanding deficiencies and conditions initially assigned in the ASSR approval email
- Patching/hardening results of components (as applicable)
- Development of supporting security documents, SOPs, FISMA documentation
- Access control mechanisms
- Review and analyze FedRAMP continuous monitoring data

An ATT/short-term authorization monitoring plan was created for the ISSO to provide detail for the continuous monitoring activities stated above. The STAMP is located in Appendix A-Forms of this document.
Detailed information on NRC continuous monitoring requirements for on premise or cloud NRC systems can be found in CSO-PROS-1323, Information Security Continuous Monitoring Process, located on the CSO website.
4 WORKFLOWS

The workflow below provides an overview of the process.

[Workflow diagram on page 7 of the original document; not reproduced in this text extraction.]
5 APPENDIX A-FORMS

ATT Questionnaire

If an ATT is being requested, the following questionnaire must be completed and included in the initial request email.

ATT/Short-Term Monitoring Plan (STAMP)

[Embedded attachment "ATT-ST Authorization Monitoring" not reproduced in this text extraction.]
CSO-PROS-1341 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute / Training |
|---|---|---|---|
| June 10, 2021 | | Annual review - no revisions needed at this time. No revision number change is necessary. | As needed |
| February 18, 2021 | 1.4 | Minor edits to clarify the type of data allowed for an ATT vs a short-term authorization | As needed |
| December 15, 2020 | 1.3 | Minor edits to clarify the intent of the STAMP | As needed |
| October 8, 2020 | 1.2 | Minor edits to incorporate the ATT/Short-Term Monitoring Plan | As needed |
| July 9, 2020 | 1.1 | Minor edits to the submittal process | As needed |
| December 16, 2019 | 1.0 | Initial Issuance | As needed |