ML22080A029

| Field | Value |
|---|---|
| Issue date | 04/01/2018 |
| From | Jonathan Feibus NRC/OCIO |
| To | Dabbs B |
| Shared Package | ML22077A369 |
| References | CISO-PROS-2001 |
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-2001
Title: System Security Categorization Process
Revision Number: 1.4
Effective Date: 4/1/2018
Primary Contacts: Jonathan Feibus, Chief Information Security Officer
Responsible Organization: OCIO
Summary of Changes: CSO-PROS-2001, System Security Categorization Process defines the process that must be followed to determine the security categorization and digital identity and authentication requirements for NRC information and systems.
Training: As needed
ADAMS Accession No.: ML18022A984

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)
Process CSO-PROS-2001 Page i

Table of Contents

1 Purpose (p. 1)
2 General Requirements (p. 1)
2.1 Required Information (p. 2)
2.2 Outputs (p. 2)
3 Determine Security Categorization (p. 2)
3.1 Determine Information Types and Sensitivity Levels (p. 3)
4 Submit Security Categorization Report (p. 3)
Appendix A NRC Information Types for High Sensitivity Systems (p. 6)
Computer Security Process CSO-PROS-2001 System Security Categorization Process

1 Purpose

CSO-PROS-2001, System Security Categorization Process, is the process that must be followed to determine the security categorization and digital identity/authentication requirements for NRC unclassified information and systems. This information is documented in a security categorization report. The results of this process are used to determine the required cybersecurity controls for the system as well as the level of authentication required for publicly accessible authenticated transactions.
The information in this document is intended to be used by system owners, information owners, information system security officers (ISSOs), and cybersecurity oversight personnel and does not apply to classified systems.
2 General Requirements

Federal agencies are required to determine the sensitivity of the information that is processed, stored, or transmitted by their systems. This determination is specifically identified in Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Use of this standard applies to all information within the federal government other than information that has been determined, pursuant to Executive Order 12958 as amended by Executive Order 13292 or any predecessor order, or by the Atomic Energy Act of 1954 as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and to all federal information systems other than those designated as national security systems as defined in 44 United States Code Section 3542(b)(2).
System owners must ensure that this process is used to categorize all information processed, stored, or transmitted by their systems, as well as for NRC information processed, stored, or transmitted by another agency system that NRC has authorized to operate for NRC purposes.
The categorization is based on the potential impact that a compromise of the confidentiality, integrity, or availability of information could produce. This categorization does not take into account any controls; rather, it asks what is the worst that could happen if the information is available to those who should not have it, if the information is modified to an unauthorized value or deleted, or if the information is not available when it is needed. These impacts can be to mission functions, financial stability, the public, the Nuclear Regulatory Commission's (NRC's) reputation, etc.
The results of this process are documented in a security categorization report in accordance with CSO-TEMP-2001, System Security Categorization Report.
A detailed identity/authentication analysis must be conducted in accordance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject's digital identity. Federation is a process that allows for the transport of authentication and subscriber attribute information across networked systems.
These guidelines retire the concept of a level of assurance (LOA) as a single ordinal that drives implementation-specific requirements. Rather, by combining appropriate business and privacy risk management side-by-side with mission need, agencies will select an Identity Assurance Level (IAL), Authentication Assurance Level (AAL), and Federated Assurance Level (FAL) as distinct options. While many systems will have the same numerical level for each of IAL, AAL, and FAL, agencies should not assume they will be the same in any given system.
The results of this process are documented in the Digital Authentication Risk Assessment Report in accordance with CSO-TEMP-2000, Digital Authentication Risk Assessment.
If the application has no external network connectivity, is physically isolated, and located in a protected space, a Digital Authentication Risk Assessment is not required.
2.1 Required Information

This process is used at three different points in the system life-cycle: new systems, system security categorization and digital identity/authentication revalidation, and system changes.
New system security categorizations and digital identity/authentication requirements must be prepared at project initiation before system design. System security categorization and digital identity/authentication revalidation requirements occur for new systems just prior to system authorization and periodically (e.g., annually) thereafter. System security categorization and digital identity/authentication update or revalidation requirements must also be performed prior to system change implementation.
2.2 Outputs

Table 2.2-1 identifies the outputs from this process as applicable.

Table 2.2-1: Security Categorization and Digital Identity/Authentication Requirement Determination Outputs

| Output | Description |
|---|---|
| System/subsystem security categorization | A determination of the system confidentiality, integrity, and availability sensitivity performed in accordance with FIPS 199. |
| System/subsystem Digital Authentication Risk Assessment Report | A determination of the level of identity and authentication required in accordance with NIST SP 800-63-3, Digital Identity Guidelines. |

3 Determine Security Categorization

Security categories are determined for both information and systems and are based upon the potential impact of compromise of the confidentiality, integrity, and availability of the information and the system. Security categories provide input to the risk assessment process and are used with vulnerability and threat information to identify system and information risk.
The security categorization process involves the following steps:

1. Identify the information types that are stored, processed, or transmitted by the system, using the defined system boundaries.
2. Identify the high-water mark (highest value identified) for each of the confidentiality, integrity, and availability aspects of information sensitivity.
3. Document the information sensitivity and system sensitivity in a security categorization report.
3.1 Determine Information Types and Sensitivity Levels

FIPS 199 requires agencies to identify all of the applicable information types that are representative of input, stored, processed, and/or output data from each system. The identification of information processed on an information system is essential for the proper selection of security controls and for ensuring the confidentiality, integrity, and availability of the system and its information. Determining the security category of an information system requires more analysis and must consider the security categories of all information types resident on the information system.

Appendix A provides the information types for NRC systems that process, store, or transmit high sensitivity data, where unauthorized disclosure, modification, or disruption would have a catastrophic adverse effect on NRC operations, assets, or individuals. All other information types default to moderate, moderate, moderate for the confidentiality, integrity, and availability (CIA) of the system, or to the NIST recommended sensitivity level taking into consideration special factors.
If the system owner requests a sensitivity level to be lowered from the default NIST recommended sensitivity level, an email must be sent to the CISO for approval along with an explanation. Raising the level from the default NIST recommended sensitivity level does not require approval from the CISO unless the system owner is considering a high sensitivity level.
The ISSO summarizes the sensitivity levels across each subsystem (if applicable) and across the system. The high-water mark is used to determine the overall system and subsystem security categorizations.
The system ISSO must document the information types, their sensitivity, and the subsystem/system security categorization in CSO-TEMP-2001, Security Categorization Report Template and obtain concurrence on the documented security categorization from the system owner.
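The high-water-mark roll-up described in section 3 and the default and approval rules in section 3.1 are mechanical enough to be worth seeing end to end. The following Python is an added illustration written for this page; it is not NRC code and not the CSO-TEMP-2001 template. The two Appendix A information types and their impact levels are taken from this document; the "administrative records" type, the subsystem names, and the function names are constructed for the example. The approval check compares the NRC-evaluated level against the SP 800-60 provisional level, which is an assumption about what "default NIST recommended sensitivity level" means in section 3.1.

```python
"""FIPS 199 high-water-mark categorization of a system built from subsystems.

Added example for CSO-PROS-2001 sections 3 and 3.1; not NRC code.
Appendix A levels are from this document; the administrative-records type,
subsystem names and function names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "moderate": 2, "high": 3}
ASPECTS = ("confidentiality", "integrity", "availability")
# Section 3.1: any information type not listed in Appendix A defaults to M/M/M.
NRC_DEFAULT = dict(zip(ASPECTS, ("moderate", "moderate", "moderate")))


def lv(c, i, a):
    """Build an {aspect: level} dict from C, I, A levels."""
    return dict(zip(ASPECTS, (c, i, a)))


@dataclass
class InfoType:
    name: str
    provisional: Optional[dict]        # SP 800-60 Vol. II levels; None if not catalogued
    evaluated: Optional[dict] = None   # NRC-evaluated levels; None -> NRC default applies

    def levels(self) -> dict:
        return self.evaluated if self.evaluated is not None else dict(NRC_DEFAULT)

    def deviations(self) -> list:
        """Aspects whose evaluated level differs from the provisional level
        (these carry an asterisk in the Appendix A tables)."""
        if not self.provisional:
            return []
        return [a for a in ASPECTS if self.levels()[a] != self.provisional[a]]

    def needs_ciso_approval(self) -> list:
        """Section 3.1 rule (assumed to compare against the provisional level):
        lowering needs CISO approval; raising needs it only when the target is high."""
        out = []
        if not self.provisional:
            return out
        for a in ASPECTS:
            ev, prov = LEVELS[self.levels()[a]], LEVELS[self.provisional[a]]
            if ev < prov:
                out.append((a, "lowered below NIST provisional level"))
            elif ev > prov and ev == LEVELS["high"]:
                out.append((a, "raised to high"))
        return out


def high_water(level_sets):
    """Per-aspect maximum across a sequence of {aspect: level} dicts."""
    return {a: max((s[a] for s in level_sets), key=LEVELS.__getitem__) for a in ASPECTS}


def categorize(system):
    """system: {subsystem: [InfoType, ...]} -> (per-subsystem SC, overall system SC).
    Subsystems are rolled up first, then the system takes the high-water mark of them."""
    per_sub = {name: high_water([t.levels() for t in types]) for name, types in system.items()}
    return per_sub, high_water(per_sub.values())


def fips199_string(name, sc):
    """Render in FIPS 199 notation: SC name = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({a}, {sc[a].upper()})" for a in ASPECTS)
    return f"SC {name} = {{{parts}}}"


# Constructed system boundary with two subsystems.
SYSTEM = {
    "alarm-monitoring": [
        InfoType("Security Management (C.3.1.3)",
                 lv("moderate", "moderate", "low"), lv("moderate", "high", "high")),
        InfoType("Disaster Preparedness and Planning (D.4.2)",
                 lv("low", "low", "low"), lv("high", "high", "low")),
    ],
    "records": [
        InfoType("Administrative records (constructed, not in Appendix A)", None),
    ],
}

if __name__ == "__main__":
    subs, overall = categorize(SYSTEM)
    for name, sc in subs.items():
        print(fips199_string(name, sc))
    print(fips199_string("system", overall))
    for types in SYSTEM.values():
        for t in types:
            if t.deviations():
                print(f"* {t.name}: deviates from SP 800-60 on {t.deviations()}")
            for aspect, why in t.needs_ciso_approval():
                print(f"  CISO approval required, {t.name} {aspect}: {why}")
```

Run as a script, it prints the subsystem and system categorizations in FIPS 199 notation, lists which information types deviate from the provisional levels (the asterisk in the report), and flags the level changes that section 3.1 says must go to the CISO. Note that a single high information type in one subsystem drives the whole system to high on that aspect, which is the point of the high-water mark: it is why the section says the overall categorization considers every information type resident on the system.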
4 Submit Security Categorization Report

Once the security categorization report has been completed and approved by the system owner and system ISSO, the document is submitted through NRC email to the applicable Computer Security Organization (CSO) Point of Contact (POC) requesting that a formal review/analysis take place to receive official agency approval. Once the review/analysis is complete, an approval email will be sent to the system owner/designee.
Appendix A NRC Information Types for High Sensitivity Systems

The following information types are recognized for high baseline NRC systems:

High Information Types

Information Type: Security Management Information Type (ACCESS-Intrusion Detection System only)
NIST 800-60 ID: C.3.1.3
Basis for Selecting Information Type: Security Management Information Type was selected because of physical protection devices such as intrusion alarms and distress buttons protecting NRC assets.
Special Factors affecting NRC evaluated impact levels: The consequences of unauthorized modification or destruction of security management information may depend on the urgency with which the information is needed or the immediacy with which the information is used. In cases of intrusion indications, security management information can be time-critical, resulting in raising the integrity level to high. The availability of alarm and alert communications is also time-critical. The availability impact level associated with unauthorized modification or destruction of such alarm, alert, and automated process security management information is raised to high.

| Impact Level Analysis | Confidentiality | Integrity | Availability |
|---|---|---|---|
| NIST Provisional Impact Levels | Moderate | Moderate | Low |
| NRC-Evaluated Impact Levels | Moderate | High* | High* |

Information Type: Facilities, Fleet and Equipment Management Information Type (pertains to SGI-SLES only)
NIST 800-60 ID: C.3.1.1
Basis for Selecting Information Type: Facilities, Fleet, and Equipment management involves the maintenance, administration, certification, and operation of office buildings, fleets, machinery, and other capital assets considered as possessions of the Federal government. Impacts to some information systems associated with facilities, fleet, and equipment management may affect the security of some key national assets (e.g., nuclear power plants, dams, and other government facilities).
Special Factors affecting NRC evaluated impact levels: Information associated with maintenance, administration, and operation of key national assets can be of material use to criminals seeking to gain access to Federal facilities to facilitate or perpetrate fraud, theft, or some other criminal activity. Other information, such as Nuclear Regulatory Commission SAFEGUARDS information, is not national security information but must have a high confidentiality impact level. The integrity of data related to emergency response aspects of disaster management of facilities, fleet and/or equipment must be protected at a moderate impact level.

| Impact Level Analysis | Confidentiality | Integrity | Availability |
|---|---|---|---|
| NIST Provisional Impact Levels | Low | Low | Low |
| NRC-Evaluated Impact Levels | High* | Moderate* | Low |
Information Type: Energy Supply Information Type (pertains to SGI-SLES only)
NIST 800-60 ID: D.7.1
Basis for Selecting Information Type: Energy Supply information includes the sale and transportation of commodity fuels such as coal, oil, natural gas, and radioactive materials. Impacts to information systems associated with energy supply may affect the security of critical infrastructures.
Special Factors affecting NRC evaluated impact levels: The unauthorized disclosure of supply information may assist terrorists in the theft of energy products or disruption of energy distribution channels. Facilitation of theft of nuclear materials is a particularly catastrophic potential result of unauthorized disclosure of specific types of energy supply information. Therefore, the confidentiality impact is raised to a high impact level.

| Impact Level Analysis | Confidentiality | Integrity | Availability |
|---|---|---|---|
| NIST Provisional Impact Levels | Low | Moderate | Moderate |
| NRC-Evaluated Impact Levels | High* | Moderate | Moderate |

Information Type: Nuclear Security Protection Information (pertains to SGI-SLES only)
NIST 800-60 ID: N/A
Basis for Selecting Information Type: This information type pertains to the protection of data concerning nuclear reactors, design, materials, and security measures.
Special Factors affecting NRC evaluated impact levels: 10 CFR Part 1017, Identification and Protection of Unclassified Controlled Nuclear Information, establishes the Government-wide policies and procedures for protecting against unauthorized dissemination of Unclassified Controlled Nuclear Information (UCNI). Section 147 of the Atomic Energy Act requires the Nuclear Regulatory Commission to prohibit the unauthorized disclosure of Safeguards Information, which includes a licensee's or applicant's procedures and security measures for the protection of special nuclear material, source material, or byproduct material. Under section 147, Safeguards Information also includes security measures for the protection of, and the location of, certain plant equipment vital to the safety of production or utilization facilities.

| Impact Level Analysis | Confidentiality | Integrity | Availability |
|---|---|---|---|
| NIST Provisional Impact Levels | N/A | N/A | N/A |
| NRC-Evaluated Impact Levels | High | High | Low |
Information Type: Disaster preparedness and planning (pertains to SGI-SLES only)
NIST 800-60 ID: D.4.2
Basis for Selecting Information Type: Disaster preparedness and planning data involves the development of response programs to be used in case of a disaster. This involves the development of emergency management programs and activities as well as staffing and equipping regional response centers.
Special Factors affecting NRC evaluated impact levels: The consequences of unauthorized disclosure of some disaster preparedness and planning information as it relates to key assets (e.g., nuclear power plants, dams, and other government facilities) may include revealing weak or sensitive critical infrastructure characteristics or inadequate security of U.S. targets to terrorists or other adversaries, which raises the confidentiality impact level to high. Unauthorized modification or destruction of data may adversely affect operations and/or public confidence in the agency, which raises the integrity impact level to high.

| Impact Level Analysis | Confidentiality | Integrity | Availability |
|---|---|---|---|
| NIST Provisional Impact Levels | Low | Low | Low |
| NRC-Evaluated Impact Levels | High* | High* | Low |

* An NRC-Evaluated Impact Level marked with an asterisk indicates that the evaluated impact level deviated from the provisional impact level provided in SP 800-60, Volume II.
CSO-PROS-2001 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 10-June-21 | | Annual review and no update needed. Therefore, a version number change was not necessary. | Computer security process web page | As needed |
| 20-June-19 | 1.4 | Removed references to e-authentication risk assessment and replaced with digital identity | FISMA Repository-ISSO/Auditor Course | As needed |
| 09-Feb-18 | 1.3 | Administrative changes | ADAMS | As needed |
| 19-Jan-18 | 1.2 | Revised to reflect overall change of NRC system impact levels from high to moderate | Computer security process web page | As needed |
| 08-Mar-17 | 1.1 | Added types specified by CUI that NRC uses | Computer security process web page | As needed |
| 10-Jan-17 | 1.0 | Initial release | Computer security process web page | As needed |