ML22080A025

| Person / Time | |
|---|---|
| Issue date: | 07/01/2018 |
| From: | Bill Dabbs NRC/OCIO |
| To: | Dabbs B |
| Shared Package | ML22077A369 |
| References | CSO-PROS-1401 |
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-1401
Title: Periodic System Scanning Process
Revision Number: 2.0
Effective Date: July 1, 2018
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO

Description: CSO-PROS-1401, Periodic System Scanning Process, defines the authorized process that must be followed to perform periodic scans on NRC information systems.

| Office Owner | Primary Agency Official |
|---|---|
| OCIO/CSO | Jonathan Feibus, Chief Information Security Officer (CISO) |
CSO-PROS-1401 Page i

TABLE OF CONTENTS

1 PURPOSE
2 GENERAL REQUIREMENTS
3 SPECIFIC REQUIREMENTS
  3.1 AUTHORIZATION TO SCAN
  3.2 SYSTEM INVENTORY
  3.3 TYPES OF SCANS
    3.3.1 Vulnerability Scans
    3.3.2 Compliance Scans and Manual Checks
  3.4 TOOL SELECTION
  3.5 INITIAL SCAN RESULTS
  3.6 REMEDIATION
    3.6.1 Remediation Scans
    3.6.2 Screen Shots
  3.7 DELIVERY OF SCAN RESULTS
APPENDIX A. ACRONYMS
APPENDIX B. GLOSSARY
APPENDIX C. REFERENCES
APPENDIX D. ROLES AND RESPONSIBILITIES

List of Tables
Table D-1: Periodic System Scanning Process Roles and Responsibilities
Computer Security Process CSO-PROS-1401 Periodic System Scanning Process

1 PURPOSE

CSO-PROS-1401, Periodic System Scanning Process, provides the Nuclear Regulatory Commission (NRC)-approved process that must be followed to perform periodic scans on NRC information systems in accordance with required continuous monitoring efforts. Scans performed in support of system changes are outside the scope of this process. The scan results provide an indication of the security posture of the NRC system.
The information contained in this document is intended to be used by independent assessors, Information System Security Officers (ISSOs), and system administrators to ensure that NRC systems scans are performed in accordance with the required continuous monitoring efforts.
CSO-PROS-1401 applies to any information system that stores, transmits, receives, or processes unclassified NRC data.
2 GENERAL REQUIREMENTS

A critical aspect of the security authorization process is the post-authorization period involving the continuous monitoring of an information system's security controls. The ultimate objective of the continuous monitoring program is to determine whether the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as in the environment in which the system operates. Continuous monitoring addresses the security impacts on information systems resulting from changes to the hardware, software, firmware, or operational environment, and determines whether the security controls are operating as intended and having the desired effect.
Periodic vulnerability and compliance scanning is part of the continuous monitoring process.

Vulnerability and compliance scans are conducted using automated tools that determine whether a system can be exploited or threatened. To determine whether threats and exploitable flaws exist within a system, the automated tools use software that searches for security flaws based on a catalogue of known flaws, tests the system for the presence of those flaws, and generates a report of the findings for remediation.
3 SPECIFIC REQUIREMENTS

The following sections address periodic scanning as required for the continuous monitoring of NRC information systems.
3.1 Authorization to Scan

Prior to scanning, the system owner must coordinate with local network leadership and explicitly authorize both the components to be scanned and the dates on which scans will take place.
The system owner may delegate the authority to authorize a system scan to the system ISSO.
Scans will be authorized based on the following criteria:

- Scheduled Scans using Nessus: These scans are pre-approved, performed by the Nessus administrators, and do not require any additional authorization prior to performing scans.
- Ad-Hoc Scans for Hosts On the NRC Network: These scans require an approved change request (CRQ) from the NRC Change Control Board (CCB) prior to scans being performed.
- Ad-Hoc Scans for Hosts Not On the NRC Network: These scans require an approved CRQ from the NRC CCB for the system being scanned prior to scans being performed.
- Scans Performed Using Tools Other than Nessus: The use of a scanning tool other than Nessus requires an approved CRQ from the NRC CCB for the use of the tool and an approved CRQ from the NRC CCB authorizing the hosts to be scanned using the new tool prior to performing scans.
3.2 System Inventory

Prior to the scanning effort, the system ISSO will provide the independent assessor with a current system inventory. The system inventory information must include a complete and up-to-date listing of the devices that comprise the system, including hostnames, Internet Protocol (IP) addresses, operating system identification, and installed software products for each host.
3.3 Types of Scans

Periodic scanning of NRC systems includes the following types of scans:

- Vulnerability scans
- Compliance scans and manual checks

Both vulnerability and compliance scans are conducted using the Nessus tool. The independent assessor will access the Nessus tool using either the Tenable Security Center (TSC) or an NRC-issued laptop which the Office of the Chief Information Officer (OCIO) has explicitly approved for performing vulnerability scanning. TSC is used when all components of the system being scanned are accessible from the NRC-managed network; however, the independent assessor may utilize either the TSC or an OCIO-approved scanning laptop to access the Nessus tool.
Vulnerability and compliance scans must be conducted in accordance with documented cybersecurity processes, procedures, and standards published by NRC. NRC cybersecurity standards require all system owners to perform vulnerability scans once per quarter. In addition to the quarterly vulnerability scanning requirement, system compliance scans and manual checks must be conducted based on the system's security categorization, as follows:
- High: Semi-annually
- Moderate: Annually
- Low: Annually

Manual checks are used to determine the results of compliance checks which meet any of the following criteria:

- The check requires system-specific information in order to determine its status.
- The check is needed to confirm a false positive.
- The check cannot be assessed using automated methods.
For the quarter in which a system performs vulnerability scans as part of an Authorization System Cybersecurity Assessment (ASCA) or a Periodic System Cybersecurity Assessment (PSCA), the system is not required to perform quarterly continuous monitoring scans.
3.3.1 Vulnerability Scans

For all quarterly continuous monitoring scans, including ASCA scans and PSCA scans, the independent assessor conducts vulnerability scans using Nessus for all system components which allow scanning by automated mechanisms.
3.3.2 Compliance Scans and Manual Checks

Compliance scans and manual checks are performed according to the frequencies identified in Section 3.3, Types of Scans. The independent assessor will select a sample of system components; the configurations of the system components selected for the sample will be tested for compliance with the most recent OCIO-approved configuration checklists.
Compliance scans are conducted using a tool, such as Nessus, to automate compliance checks required by the OCIO-approved configuration checklists. If some or all compliance checks cannot be automated for a particular checklist, or if the independent assessor is unable to successfully perform compliance scans using approved automated mechanisms, the independent assessor must perform each check on the configuration checklist manually.
Configuration checklists used by the NRC include Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and Center for Information Security (CIS) Benchmarks. DISA STIGs must be used when available. CIS Benchmarks are only used when a DISA STIG does not exist for the required platform. In cases where no DISA STIG or CIS Benchmark exists for a platform, the independent assessor will use vendor guidance. A single system component may include multiple platforms (e.g., Windows Server, Internet Explorer, and SQL Server). The list of OCIO-approved configuration checklists can be found in the FISMA Repository>Cybersecurity Issuances>FYXX Public Baselines. The list of OCIO-approved configuration checklists is generally updated semi-annually, in January and July of each year. In most cases, system ISSOs receive an email notification at least two months prior to the effective date of the new standards to be used. There will be instances where a new standard is released prior to the scheduled update; in these instances the notification period may be less than two months.
Security Content Automation Protocol (SCAP) content and Nessus audit files are platform-specific inputs which Nessus uses to automate the checking of system component configurations against OCIO-approved configuration checklists. SCAP content and Nessus audit files do not exist for all platforms and may not check every configuration item within a configuration checklist. Based on the sample of components selected for compliance scanning and the inventory provided by the system ISSO, the independent assessor will compile a list of the applicable SCAP and Nessus audit files required for each component in the selection.
For components running on the Microsoft Windows operating system, the independent assessor will utilize information collection tools to gather supplemental data from components. The DumpSec Utility and information collection scripts will be used to retrieve information about the users, groups, services, user rights, local policies, auditing, and group policy settings associated with each component.
3.4 Tool Selection

The tools used to conduct periodic system scans include, but are not limited to, the following:

- CIS Benchmark: Provides standards and metrics to raise the level of security of Internet-based functions.
- DISA STIGs: Provide configuration standards and metrics used for securing networks, servers, workstations, laptops, mobile devices, and other enterprise security devices.
- DumpSec Utility: A security auditing program for Microsoft Windows operating systems that dumps the permissions and audit settings for the file system, registry, printers, and shares in a concise, readable format.
- Information Collection Scripts: Specific scripts used to gather information about the system.
- Nessus: A general-purpose scanning tool that reports network-based vulnerabilities and provides high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of the security posture of a system.
The Nessus tool is accessed using either TSC or an NRC-issued scanning laptop which is approved for use with the Nessus tool.
3.5 Initial Scan Results

After completing system scanning, the independent assessor will review the scan results and compile the scan findings into a findings tracking sheet (FTS) using an OCIO-approved template. All findings must be recorded, and any verified false positives, Program Level Plan of Action and Milestones (POA&Ms), and approved deviations should be noted.
The independent assessor must provide recommendations on the specific actions that must be taken to mitigate the findings. For example:

- If a required patch is known and has not been applied, the independent assessor must identify the specific patch that must be applied to correct the deficiency.
- If a required configuration setting has not been applied, the independent assessor must identify the specific configuration settings (e.g., registry value, policy setting, configuration file entry) that must be applied to remedy the finding.
The raw scan results must be available upon request by the system owner or system ISSO.
3.6 Remediation

After the initial scan results have been provided, there will be a remediation period for the system owner to correct deficiencies discovered during scanning. Any findings the independent assessor can verify as remediated will be removed from the scan results. Findings that are not corrected or mitigated within the remediation period agreed upon by the independent assessor and system ISSO must appear in the final report. The independent assessor will validate remediation evidence using remediation scans and screen shots.
3.6.1 Remediation Scans

After the remediation period, the independent assessor must perform remediation scans using automated methods. The results of the remediation scans can only be used to confirm the closure of findings identified during the initial scan for the current scanning effort. New findings discovered during remediation scans will not be included in the scan results or used as evidence to support findings in subsequent scan results.
Remediation scans may be waived by the system ISSO in cases where no fixes are believed to have been applied. In such cases, all open findings in the initial FTS will be reported in the final FTS.
3.6.2 Screen Shots

If evidence of closure cannot be confirmed using automated scans, the system ISSO may provide screen shots to serve as evidence of remediation for the finding. In cases where the same finding was discovered on multiple hosts, the system ISSO may provide a single screen shot as evidence for remediation of the finding on all affected hosts. For this type of evidence to be accepted, the system ISSO must provide the independent assessor with written confirmation that all other hosts affected by the same finding have been remediated.
Each screen shot used as evidence for remediation or closure of findings must include visible indicators of the following:

- Host name;
- Time;
- Date; and
- Conclusive evidence (determined by the independent assessor) that the finding no longer exists.
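As an added example (not part of CSO-PROS-1401 or any NRC tooling), the following Python sketch applies the remediation rules of Sections 3.6 through 3.6.2 to a constructed findings tracking sheet: a remediation scan can only close findings from the initial scan, new findings it reports are discarded, a waived scan carries every open finding forward, and a screen shot is accepted only when it shows host name, time, date and conclusive evidence, with written confirmation when one shot covers several hosts. The data classes, check identifiers and sample findings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # identifier of the check that raised the finding (constructed)
    title: str

@dataclass(frozen=True)
class RemediationScan:
    scanned_hosts: frozenset   # hosts the automated remediation scan reached
    reported: frozenset        # findings the remediation scan still reports

@dataclass(frozen=True)
class ScreenShot:
    check_id: str
    hosts: tuple                # hosts the ISSO says the screen shot covers
    shows_host_name: bool
    shows_time: bool
    shows_date: bool
    assessor_conclusive: bool   # assessor judged the finding no longer exists
    written_confirmation: bool = False  # required when one shot covers many hosts

def screen_shot_accepted(shot):
    """Section 3.6.2: host name, time, date and conclusive evidence must all be
    visible; one shot for several hosts needs the ISSO's written confirmation."""
    if not (shot.shows_host_name and shot.shows_time and shot.shows_date):
        return False
    if not shot.assessor_conclusive:
        return False
    if len(shot.hosts) > 1 and not shot.written_confirmation:
        return False
    return True

def final_fts(initial, remediation_scan=None, screen_shots=()):
    """Return (findings for the final FTS, new findings discarded).

    remediation_scan is None when the ISSO waived the remediation scan
    (Section 3.6.1); every open initial finding then carries over unchanged.
    """
    initial = frozenset(initial)
    if remediation_scan is None:
        return initial, frozenset()
    # Findings first seen during the remediation scan are neither reported
    # nor kept as evidence for later scans (Section 3.6.1).
    discarded = remediation_scan.reported - initial
    # The scan closes a finding only if it reached the host and no longer
    # reports the finding there.
    closed = {f for f in initial
              if f.host in remediation_scan.scanned_hosts
              and f not in remediation_scan.reported}
    # Accepted screen shots close what the scan could not confirm (3.6.2).
    for shot in screen_shots:
        if not screen_shot_accepted(shot):
            continue
        closed |= {f for f in initial - closed
                   if f.check_id == shot.check_id and f.host in shot.hosts}
    return initial - closed, discarded

# Constructed sample data: three initial findings on three hosts.
INITIAL = {
    Finding("web01", "CHK-100", "Missing patch"),
    Finding("web02", "CHK-100", "Missing patch"),
    Finding("db01", "CHK-200", "Audit policy not set"),
}
SCAN = RemediationScan(
    scanned_hosts=frozenset({"web01", "web02"}),   # db01 was not reachable
    reported=frozenset({
        Finding("web02", "CHK-100", "Missing patch"),  # still open
        Finding("web01", "CHK-300", "Weak cipher"),    # new: discarded
    }),
)
SHOT = ScreenShot("CHK-200", ("db01",), True, True, True, True)

def demo():
    remaining, discarded = final_fts(INITIAL, SCAN, [SHOT])
    return sorted(f.host for f in remaining), sorted(f.check_id for f in discarded)
```

Only web02's finding reaches the final FTS: web01 was cleared by the scan, db01 by the accepted screen shot, and the new CHK-300 finding is dropped rather than carried forward.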
3.7 Delivery of Scan Results

Once all remediation evidence has been gathered, the independent assessor must summarize the remaining scan results in a vulnerability assessment report (VAR) using an OCIO-approved template. The draft VAR and updated FTS will be delivered via NRC e-mail to the system ISSO.
The system ISSO must review the draft VAR and FTS and provide any feedback to the independent assessor.
The independent assessor must update the VAR and FTS based on the feedback (meeting with the system ISSO, if necessary) and will deliver the final VAR and FTS in Portable Document Format (PDF) via NRC email to the system ISSO and OCIO.
APPENDIX A. ACRONYMS

ASCA: Authorization System Cybersecurity Assessment
CCB: Change Control Board
CIO: Chief Information Officer
CIS: Center for Information Security
CISO: Chief Information Security Officer
CSO: Computer Security Organization
CRQ: Change Request
DISA: Defense Information Systems Agency
FISMA: Federal Information Security Management Act
FTS: Findings Tracking Sheet
FIPS: Federal Information Processing Standard
IP: Internet Protocol
ISSO: Information System Security Officer
NIST: National Institute of Standards and Technology
NRC: Nuclear Regulatory Commission
OCIO: Office of the Chief Information Officer
PDF: Portable Document Format
PSCA: Periodic System Cybersecurity Assessment
POA&M: Plan of Action and Milestones
SCAP: Security Content Automation Protocol
SGI: Safeguards Information
SP: Special Publication
STIG: Security Technical Implementation Guide
TSC: Tenable Security Center
VAR: Vulnerability Assessment Report
APPENDIX B. GLOSSARY

Independent Assessor: The individual performing the scan and writing the report. This individual must be authorized by the OCIO and the Computer Security Organization (CSO) to perform system scans.

Compliance Scan: A platform-specific automated scanning mechanism which performs configuration checks against a defined configuration checklist for a particular platform.

Configuration Checklist: A set of required settings and other implementation guidance prepared by agencies with information security protection oversight (such as the National Institute of Standards and Technology (NIST)), non-government organizations with security expertise (such as CIS), and product vendors, describing the settings required to appropriately secure a particular platform.

Continuous Monitoring: A process used to maintain ongoing awareness of information security, vulnerabilities, and threats which supports NRC risk management decisions for storing or processing NRC information up to and including the Safeguards Information (SGI) level.

Findings Tracking Sheet: The sheet which is used to define and track vulnerabilities discovered during periodic system scanning. An FTS includes each vulnerability discovered during a system scanning task and includes steps for remediation of each finding.

Manual Checks: A manual or automated comparison of a system component's current configuration against the required configuration, based on an approved security configuration standard.

Remediation Period: The period of time agreed upon by the independent assessor and system ISSO to correct deficiencies identified during scanning.

Vulnerability Assessment Report: A report which concisely summarizes the vulnerabilities defined in an FTS and provides analysis of the findings discovered during a scanning task. A VAR provides the system owner and system ISSO with a clear indication of the system's security posture.

Vulnerability Scan: An automated scan of an information system component using an approved scanning tool.
APPENDIX C. REFERENCES

- Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347, December 2002
- The Privacy Act of 1974, 5 U.S.C. § 552a, as amended
- Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication (SP) 800-18, Guide for Developing Security Plans for Federal Information Systems
- NIST SP 800-30, Guide for Conducting Risk Assessments
- NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
- NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans
- NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
- NIST SP 800-63-1, Electronic Authentication Guideline
- NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
- NRC Management Directive 12.5, "NRC Cyber Security Program"
APPENDIX D. ROLES AND RESPONSIBILITIES

Table D-1 provides the high-level roles and responsibilities associated with applying the periodic system scanning process.
Table D-1: Periodic System Scanning Process Roles and Responsibilities

Chief Information Officer (CIO)
- Oversees NRC's periodic system scanning process at the enterprise level.
- As needed, provides system owners with the system-specific scanning period during which they are required to scan their systems.
- Reviews and approves the release of CSO-PROS-1401 and updates to the process.

Director/CISO, OCIO
- Reviews and approves the release of CSO-PROS-1401 and updates to the process.

OCIO
- Authorizes the independent assessor to perform system scans, if delegated by the system owner.
- Approves templates which can be used for reporting compiled results from periodic system scanning activities (VAR and FTS).
- Approves configuration checklists and information gathering scripts for use with NRC systems.
- Approves laptops to be used for system scanning.

System Owner
- If needed, delegates the system ISSO to authorize tasks associated with periodic system scanning.
- Ensures periodic system scans are conducted in accordance with NRC standards.
- Requests recommendations for deviations, if needed.
- Requests raw scan results, if needed.
- Corrects deficiencies identified during scans within the remediation period to avoid the presence of the deficiency on the final VAR.

System ISSO
- Authorizes the components to be scanned and the dates on which scans will take place, if delegated by the system owner.
- Provides the independent assessor with a current inventory at the time the scan request is submitted.
- Approves the remediation period with the independent assessor.
- Requests raw scan results, if needed.
- Waives the remediation scans in cases where no fixes are believed to have been applied.
- Works with the system owner and system administrators to remediate findings from initial scans prior to remediation scans taking place.
- For deficiencies which require screen shots for remediation, provides the independent assessor with screen shots.
- In cases where one screen shot is used as remediation evidence for all hosts affected by the same deficiency, ensures that deficiencies affecting multiple hosts are remediated on all affected hosts.
- Provides feedback to the independent assessor on the draft VAR and FTS.

Independent Assessor
- Notifies and coordinates scans with the system ISSO and system administrator prior to the scan dates and times.
- Selects the sample of system components to be tested for compliance with compliance checklists, when required.
- Performs periodic system scans in accordance with this periodic system scanning process and other NRC standards.
- Ensures that all configuration items on each configuration checklist are tested for compliance using either automated or manual checks.
- Reviews and compiles scan results into the initial FTS using an OCIO-approved template.
- Provides recommendations on specific actions which must be taken to mitigate findings.
- Conducts remediation scans using automated methods.
- Verifies the validity of remediation evidence, including screen shots.
- Updates the findings based on remediation evidence and delivers the draft VAR to the system ISSO.
- Updates the draft VAR and FTS, if needed.
- Delivers the final VAR and FTS to the system ISSO.

System Administrators
- Ensure that scans conducted by assessors are conducted in accordance with CSO-PROS-1401.
- Ensure system components are ready for scanning prior to scans commencing, provide the independent assessor with credentials as needed for scanning system components, and provide assistance to the independent assessor to ensure scans are conducted properly.
- Remediate findings during the remediation period.
CSO-PROS-1401 Change History

| Date | Version | Description of Change | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 30-Jul-12 | 1.0 | Initial Release | Posting to CSO web page and notification to ISSO forum. | As needed |
| 4-June-18 | 2.0 | Updated to reflect changes to process. | Posting to OCIO web page and notification to ISSO forum. | As needed |
| 10-June-21 | (unchanged) | Annual review; no updates needed. No version number change was necessary. | Posting to OCIO web page and notification to ISSO forum. | As needed |