ML22080A035

CSO-PROS-2016 POA&M Process
ADAMS Accession No.: ML22080A035
Issue date: 01/01/2018
From: Bill Dabbs, NRC/OCIO
To: Dabbs B
Shared Package: ML22077A369
References: CSO-PROS-2016, Rev 3.1

Nuclear Regulatory Commission
Office of the Chief Information Officer (OCIO)
Computer Security Organization (CSO)

Office Instruction: CSO-PROS-2016
Title: Plan of Action and Milestones Process
Revision Number: 3.1
Effective Date: January 1, 2018
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO

Description: Details the process for identifying and tracking the status of security weaknesses for program-level and system-level POA&Ms.

ADAMS Accession No.: ML13326A241

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)

CSO-PROS-2016 i

TABLE OF CONTENTS

1 PURPOSE ... 1
2 GENERAL REQUIREMENTS ... 1
3 SPECIFIC REQUIREMENTS ... 2
3.1 POA&M TIMEFRAMES ... 2
3.2 POA&M MAINTENANCE REQUIREMENTS ... 2
3.3 POA&M ITEM COMPLETION PROCESS ... 3
3.3.1 POA&M Item Final Closure for IG Findings ... 4
3.4 POA&M ITEM DATA ELEMENT REQUIREMENTS ... 4
APPENDIX A. ACRONYMS ... 7
APPENDIX B. GLOSSARY ... 8


Computer Security Process CSO-PROS-2016
Plan of Action and Milestones Process

1 PURPOSE

CSO-PROS-2016, Plan of Action and Milestones Process, provides the process that must be followed to identify, track, and report the status of security weaknesses identified within Nuclear Regulatory Commission (NRC) systems that store, transmit, or process NRC information, or that are hosted by the NRC. The purpose of the Plan of Action and Milestones (POA&M) is to assist the agency in identifying, assessing, prioritizing, and monitoring the progress of corrective actions for security weaknesses found in NRC systems.

Federal agencies are required to maintain a cybersecurity program-level POA&M for program-level weaknesses and a system-level POA&M for the weaknesses identified in individual agency systems. A program-level POA&M identifies cybersecurity weaknesses that affect the entire NRC cybersecurity program, or vulnerability or compliance findings that affect multiple NRC systems. If a program-level POA&M has been established, the system's information system security officer (ISSO) should check the program-level POA&M to see whether the weakness is already accounted for there before creating a system-level POA&M item. If a program-level POA&M is assigned to a specific NRC system for resolution, it is the ISSO's responsibility to review, update, and close the program-level POA&M as applicable.

Program-level POA&Ms are maintained by a representative of the Computer Security Organization (CSO) within the Office of the Chief Information Officer (OCIO) and are managed in the same way as a system-level POA&M.

The information contained in this document is intended to be used by system owners, ISSOs, approved security personnel, technical system support staff, the OCIO Chief Information Security Officer (CISO) and Deputy Chief Information Security Officer (Deputy CISO), and the Authorizing Official (AO).

2 GENERAL REQUIREMENTS

POA&Ms describe the specific tasks required to correct weaknesses found in security controls during assessment activities, audits, continuous monitoring tasks, and similar work. The POA&M must describe these weaknesses, the resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. The system ISSO is responsible for creating, reviewing, and maintaining the system-level POA&Ms and any program-level POA&Ms assigned to their system. The Programmatic POA&M Project Manager (PM) is responsible for creating, reviewing, and maintaining the program-level POA&Ms with input from the impacted system ISSOs. System owners must ensure that system POA&Ms are managed in accordance with federally mandated and NRC cybersecurity requirements. Proper maintenance of POA&Ms assists NRC in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found at the program level and within NRC systems. It also provides an indication of the security state of agency systems and of the agency as a whole by giving visibility into the status of all known weaknesses.


The POA&M information is maintained in the approved POA&M template, which is stored in a SharePoint repository managed and maintained by the technical system support staff operating under the direction of the CISO. Access controls are in place so that only those with a need to know can access a system's POA&M.

3 SPECIFIC REQUIREMENTS

The location where the POA&Ms for NRC systems and the NRC security program are stored is known as the NRC POA&M repository. The NRC POA&M repository is in SharePoint Online, broken out by office, at:

https://usnrc.sharepoint.com/teams/OCIO-CSO/FISMA%20Plan%20of%20Action%20and%20Milestones/Forms/AllItems.aspx

Email the OCIO CSO point of contact should you have any problems accessing the POA&M site. The link below provides the appropriate POCs for the various NRC offices:

https://usnrc.sharepoint.com/teams/OCIO-CSO/SitePages/Home.aspx

3.1 POA&M Timeframes

When a system-level or program-level weakness is identified and formally documented, any unresolved weaknesses must be added to the system or program POA&M within 60 calendar days of the final publication date of the document or report that identifies the weakness.

Weaknesses assigned a critical or high severity level take priority in remediation efforts and must be fixed within 30 calendar days. Moderate-severity weaknesses must be fixed within 90 calendar days and low-severity weaknesses within 120 calendar days.

3.2 POA&M Maintenance Requirements

POA&Ms must be reviewed and maintained quarterly by the system ISSOs or the CSO program-level assigned resource to ensure that identified milestones are completed by their scheduled completion dates. In addition, POA&Ms must be updated whenever activities take place that identify new weaknesses, demonstrate that weaknesses have been remediated, extend the schedule for remediation, or demonstrate that required continuous monitoring activities have been completed.

Before each quarterly review, system ISSOs or the CSO program-level assigned resource must review their POA&Ms to ensure that the following information is up to date and reflects all corrective actions that took place during the previous quarter:

- All corrective actions conducted during the quarter have been noted in the appropriate data element field.
- Agencywide Documents Access and Management System (ADAMS) accession numbers or link(s) to the FISMA Repository have been provided as evidence of remediation and for artifacts supporting completed continuous monitoring activities. Remediation evidence does not need to be an official agency record.
- All POA&M items that have not been mitigated by their scheduled completion date are identified as Delayed, with explanations provided in the Changes to Milestones column.


In support of the Federal Information Technology Acquisition Reform Act (FITARA), OCIO CSO conducts quarterly reviews of system and program level POA&Ms to ensure they are being maintained as required and to gain insight into the current security state of systems for agency reporting requirements/metrics.

3.3 POA&M Item Completion Process

After the POA&M item is completely mitigated (i.e., all milestones have been completed), the system ISSO or Programmatic POA&M PM must generate (or compile) documented evidence that the corrective action has been completed. The evidence must be placed into ADAMS or the FISMA Repository. The corresponding ADAMS accession number or the link to the FISMA Repository must be provided in the Comments field of the POA&M item.

For weakness remediation, evidence may take many forms, such as a Vulnerability Assessment Report (VAR) and VAR Findings Tracking Sheet (FTS), ad-hoc scan reports, assessment reports, contingency test reports, Change Requests (CRQs), screenshots of specific configuration settings, updated system artifacts, or AO approved Deviation Requests. All evidence must clearly validate the closure.

Documents and screenshots used as evidence must:

- Be readable and clearly demonstrate that the weakness has been fixed;
- Provide the date and time that the screenshot was taken;
- Provide the vulnerability identification (ID); this can be defined within the document that presents the screenshot;
- Provide the hostname (preferred) or Internet Protocol (IP) address of the device on which the screenshot was taken; and
- Illustrate the remediated configuration setting, applied patch, or update where applicable (e.g., deletions would not need illustrations).

To reduce the amount of time needed to capture screenshots for many findings across multiple hosts, the ISSO can provide one screenshot for evidence of closure for manual checks across multiple hosts. The ISSO must make a statement in the body of the evidence document certifying that the configuration(s) shown in the screenshot are identical on all other hosts with the same finding from an assessment. The statement must be explicit as to which server the screenshot is from, and which additional servers received the same change.

After a POA&M item has been remediated, and the appropriate evidence has been placed in ADAMS or the FISMA Repository, the system ISSO or Programmatic POA&M PM can close the POA&M item.

System ISSOs and the Programmatic POA&M PM are responsible for ensuring that the latest system POA&M is available for review in the POA&M repository.

Closed POA&M items must be maintained/tracked for one year after the closure date. Once the year has passed, the system ISSO or CSO program level assigned resource can archive closed items for historical purposes. This is accomplished by moving the items into a separate Archived worksheet within the POA&M Repository.


3.3.1 POA&M Item Final Closure for IG Findings

Closure of weaknesses that were identified during the course of an Office of Inspector General (OIG) audit is handled differently. Evidence of closure/corrective actions is provided to the OIG in separate reports through email. While waiting for the OIG response, the system ISSO/designee changes the system POA&M status to Ready for Approval and records the ADAMS accession number of the evidence. Once the OIG has reviewed and approved the evidence, the OIG provides a response/results memo. At that point, the system ISSO/designee can officially close the system POA&M item, citing the ML# of the OIG closure memo. This memo does not need to be an official agency record.

3.4 POA&M Item Data Element Requirements

The weakness for each system-level or program-level POA&M item is recorded using the required fields identified in Table 3-1. The Data Element column reflects the names used by the Office of Management and Budget (OMB) and by NRC. The data elements that are bolded and highlighted in gray must not be changed after the POA&M item is created and the Scheduled Completion Date is entered.

Table 3-1: Required POA&M Data Elements

POA&M ID
Unique ID for each POA&M entry, created in sequential order. The format is YY-XX (e.g., 17-01), where YY represents the fiscal year.

As of FY17 Q1 (October 1, 2016), POA&Ms are no longer aggregated: there is one host and one weakness per POA&M item.

If the ISSO chooses, there are exceptions for proper aggregation. For example, if a patch/update is released that addresses 10-20 findings in total, those findings can be aggregated into one POA&M item because they are closed with one patch.

If the system contains subsystems, it is highly recommended that the POA&M ID contain the name of the subsystem. For example, the format would be either ITI-17-01 (ICAM) or ICAM-17-01. The ISSO can decide which format works best for the situation.

Once the POA&M item is created, this data field must not be changed.

Creation Date
The date the POA&M item was created.

Once the POA&M item is created, this data field must not be changed.

Status
Indicates the status of the POA&M item. The valid status values are:

- On Track: In alignment with the scheduled completion date.
- Delayed: Mitigation will occur after the original scheduled completion date, causing the item to be delayed. A new estimated date must be entered in the Changes to Milestones column.
- Closed: Mitigation has occurred, evidence has been provided, and the status has been changed to Closed by the ISSO or CSO program-level assigned resource.
- Deviation: A Deviation Request has been received by the CISO and is waiting for approval. If the Deviation Request is approved by the AO, the status will be changed to Closed. If the Deviation Request is rejected, the status will be changed to On Track or Delayed, as appropriate.
- On Hold: The resources dedicated to a specific mitigation task have been redirected or reprioritized by the AO or other NRC management, and the action has been placed On Hold pending available resources.
- Ready for Approval: Mitigation has occurred, and evidence has been provided to the OIG to request closure.

Associated Control ID
NIST SP 800-53 control that maps to the weakness.

Affected Host
The host that is affected by the weakness. Only one host per POA&M ID is allowed.

For POA&M items that are not related to a scan finding, N/A should be used in this field.

Once the POA&M item is created, this data field must not be changed.

Vulnerability ID
This field identifies the vulnerability ID of the weakness discovered during scanning and hardening checks. Any weakness discovered during security control assessments that is not related to a scan finding should be marked as N/A.

Once the POA&M item is created, this data field must not be changed.

Severity
The severity of the POA&M item is the level of risk imposed by the identified weakness.

Critical, High, and Moderate are used to note the risk. Low-risk items are not required to be added to a system's POA&M, in accordance with the AO Risk Decision dated 20 April 2015, ML15085A473.

Once the POA&M item is created, this data field must not be changed.

Weaknesses
A brief description of the identified weakness is entered in this field.

Once the POA&M item is created, this data field must not be changed.

Actual Completion Date
The date that the POA&M item was closed.

Comments
Closure descriptions and the evidence used to close the POA&M item are entered in this field, with the ADAMS accession number of the evidence or the link to the FISMA Repository where the evidence is located.

Milestone Descriptions
A brief description of the key milestones used to correct the weakness, and the dates by which the milestones will be achieved, are entered in this field.

The milestones should encompass all activities required to close the POA&M item.

Once the POA&M item is created, this data field must not be changed.

Changes to Milestones
If a POA&M becomes delayed, an explanation must be provided along with a new estimated date for completion. This is necessary because the original milestone dates cannot be changed.

Point of Contact (POC)
The primary contact responsible for remediating the weakness or completing the continuous monitoring activity associated with the POA&M item (e.g., ISMP ISSO or Programmatic POA&M PM).

Resources Required
The current resourcing status as it relates to funding the mitigation of the identified weakness is entered in this field. Values of Funded or Unfunded should be used, along with any other cost breakouts necessary to show whether funding is available to implement a corrective action.

Scheduled Completion Date
Date for mitigating the POA&M item.

The scheduled completion date for each POA&M item is based on the risk level and the resources available for completing the corrective actions required to mitigate the weakness.

Once the POA&M item is created, this data field must not be changed.

Source (Date and Accession Number of the document, if available)
The specific document or activity that identified the weakness, including the date.

Source documents can include audits conducted both by NRC and by other organizations, AO conditions, security control assessments, scans, continuous monitoring activities, etc.
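The rules in sections 3.1, 3.2 and Table 3-1 are simple enough to enforce mechanically before a quarterly review. The following Python checker is an added example written for this page; it is not NRC code or part of the POA&M template. It assumes snake_case field names for the Table 3-1 data elements, counts the 30/90/120-day remediation windows from the date of the identifying report (the document does not say from which date they run), infers the shape of an ADAMS accession number from the examples on this page (ML15085A473), and uses a constructed sample item with a made-up hostname and vulnerability ID.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional
import re

# Added example, not part of CSO-PROS-2016. Field names are assumed renderings
# of the Table 3-1 data elements; windows are counted from the source date (assumption).
REMEDIATION_DAYS = {"Critical": 30, "High": 30, "Moderate": 90, "Low": 120}  # section 3.1
ENTRY_WINDOW_DAYS = 60      # days allowed to add an unresolved weakness (section 3.1)
ARCHIVE_AFTER_DAYS = 365    # closed items stay on the active sheet for a year (section 3.3)
VALID_STATUSES = {"On Track", "Delayed", "Closed", "Deviation", "On Hold", "Ready for Approval"}
# Data elements that must not change after creation (the gray/bold rows of Table 3-1).
IMMUTABLE_FIELDS = ("poam_id", "creation_date", "affected_host", "vulnerability_id",
                    "severity", "weakness", "milestone_descriptions", "scheduled_completion_date")
# YY-XX, optionally with a subsystem name: 17-01, ICAM-17-01, ITI-17-01 (ICAM).
POAM_ID_RE = re.compile(r"^(?:[A-Za-z0-9]+-)?\d{2}-\d{2}(?: \([A-Za-z0-9]+\))?$")
# ADAMS accession number shape inferred from the examples in this document (assumption).
ADAMS_RE = re.compile(r"\bML\d{5}[A-Z]\d{3}\b")
FISMA_LINK_RE = re.compile(r"https://usnrc\.sharepoint\.com/\S+")


@dataclass
class PoamItem:
    poam_id: str
    creation_date: date
    status: str
    severity: str
    affected_host: str
    vulnerability_id: str
    weakness: str
    milestone_descriptions: str
    scheduled_completion_date: date
    source_date: date                  # date of the report that identified the weakness
    changes_to_milestones: str = ""
    comments: str = ""
    actual_completion_date: Optional[date] = None


def remediation_deadline(item: PoamItem) -> date:
    """Latest acceptable fix date: source date plus the window for the item's severity."""
    return item.source_date + timedelta(days=REMEDIATION_DAYS[item.severity])


def validate(item: PoamItem, today: date) -> List[str]:
    """Return the rule violations for one POA&M item; an empty list means it is clean."""
    problems = []
    if not POAM_ID_RE.match(item.poam_id):
        problems.append("POA&M ID must be YY-XX, optionally with a subsystem name")
    if item.status not in VALID_STATUSES:
        problems.append(f"unknown status {item.status!r}")
    if item.severity not in REMEDIATION_DAYS:
        problems.append(f"unknown severity {item.severity!r}")
        return problems  # the date checks below need a known severity
    if (item.creation_date - item.source_date).days > ENTRY_WINDOW_DAYS:
        problems.append(f"entered more than {ENTRY_WINDOW_DAYS} days after the identifying report")
    if item.scheduled_completion_date > remediation_deadline(item):
        problems.append(f"scheduled completion exceeds the {REMEDIATION_DAYS[item.severity]}-day "
                        f"window for {item.severity} severity")
    if not item.affected_host:
        problems.append("Affected Host is required (use N/A for non-scan findings)")
    if item.status == "Delayed" and not item.changes_to_milestones.strip():
        problems.append("Delayed items need an explanation and new date in Changes to Milestones")
    if item.status == "On Track" and today > item.scheduled_completion_date:
        problems.append("past scheduled completion date but not marked Delayed")
    if item.status in ("Closed", "Ready for Approval") and not (
            ADAMS_RE.search(item.comments) or FISMA_LINK_RE.search(item.comments)):
        problems.append("closure needs an ADAMS accession number or FISMA Repository link in Comments")
    if item.status == "Closed" and item.actual_completion_date is None:
        problems.append("Closed items need an Actual Completion Date")
    return problems


def immutable_field_changes(original: PoamItem, updated: PoamItem) -> List[str]:
    """Locked Table 3-1 fields that differ between two versions of the same item."""
    return [f for f in IMMUTABLE_FIELDS if getattr(original, f) != getattr(updated, f)]


def archive_eligible(item: PoamItem, today: date) -> bool:
    """Closed items may move to the Archived worksheet one year after closure (section 3.3)."""
    return (item.status == "Closed" and item.actual_completion_date is not None
            and (today - item.actual_completion_date).days >= ARCHIVE_AFTER_DAYS)


# Constructed sample: a High-severity scan finding entered and scheduled inside its windows.
SAMPLE = PoamItem(
    poam_id="18-03", creation_date=date(2018, 1, 20), status="On Track", severity="High",
    affected_host="appsrv01.example.internal",   # constructed hostname
    vulnerability_id="VULN-0001",                # constructed scanner ID
    weakness="Missing vendor patch on web server",
    milestone_descriptions="Apply patch (2018-01-25); verify by rescan (2018-01-28)",
    scheduled_completion_date=date(2018, 1, 30), source_date=date(2018, 1, 5),
)


def demo_results() -> Dict[str, object]:
    """Run the checker over the sample and a few edited variants of it."""
    closed = replace(SAMPLE, status="Closed", actual_completion_date=date(2018, 1, 28),
                     comments="Rescan report ML18030A001")   # constructed accession number
    return {
        "clean": validate(SAMPLE, date(2018, 1, 25)),
        "deadline": remediation_deadline(SAMPLE),
        "late_schedule": validate(replace(SAMPLE, scheduled_completion_date=date(2018, 3, 1)),
                                  date(2018, 1, 25)),
        "overdue_on_track": validate(SAMPLE, date(2018, 2, 10)),
        "delayed_no_note": validate(replace(SAMPLE, status="Delayed"), date(2018, 2, 10)),
        "closed_ok": validate(closed, date(2018, 2, 10)),
        "archive_early": archive_eligible(closed, date(2018, 12, 1)),
        "archive_due": archive_eligible(closed, date(2019, 2, 1)),
        "locked_edit": immutable_field_changes(SAMPLE, replace(SAMPLE, severity="Moderate")),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

Run over an export of the POA&M worksheet, the `validate` output is the list of items to fix before the quarterly review, `immutable_field_changes` flags edits to locked fields between two exports, and `archive_eligible` selects the closed items that can be moved to the Archived worksheet.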


APPENDIX A. ACRONYMS

ADAMS Agencywide Documents Access and Management System
AO Authorizing Official
CRQ Change Request
CISO Chief Information Security Officer
CSO Computer Security Organization
FISMA Federal Information Security Management Act
FTS Findings Tracking Sheet
ID Identification
IP Internet Protocol
ISSO Information System Security Officer
NIST National Institute of Standards and Technology
NRC Nuclear Regulatory Commission
OCIO Office of the Chief Information Officer
OIG Office of the Inspector General
OMB Office of Management and Budget
POA&M Plan of Action and Milestones
Q Quarter
SP Special Publication
STD Standard
VAR Vulnerability Assessment Report


APPENDIX B. GLOSSARY

Critical Severity
A weakness whose exploitation could result in compromise of the system, where intruders can possibly gain control of the host.

High Severity
A weakness whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.

Information System Security Officer
Responsible for creating and maintaining the system POA&M.

Moderate Severity
A weakness whose exploitation could result in intruders gaining access to specific information stored on the host, including security settings.

Office of the Inspector General
Provides independent oversight of the NRC cybersecurity program.

POA&M item
A record of a weakness and its associated corrective action.

Severity
A rating system that represents the theoretical outcome of an exploited weakness (critical, high, moderate). The severity rating does not indicate the likelihood of that outcome.

Weakness
A deficiency in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.


CSO-PROS-2016 Change History

| Date | Version | Description of Changes | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 13-Jul-11 | 1.9.2 | Update to the POA&M process to reflect users' comments. | The document was emailed to the ISSOs, briefed to the SOs, and posted to the CSO SharePoint site. | As needed |
| 08-Jan-13 | 1.9.3 | The document was revised to depict the POA&M process primarily with the removal of ambiguity. Appendices were added to separate the completion of the POA&M fields and the Checklist and Scorecard. | | |
| 18-Aug-15 | 2.0 | Revised Process | Posting to CSO SharePoint page and notification to ISSO forum. | As needed |
| 02-Oct-17 | 3.0 | Revised Process | Internal CSO SharePoint Site | As needed |
| 01-Feb-19 | 3.1 | Added text to include program-level POA&Ms and FISMA Repository | Internal CSO SharePoint Site | As needed |
| 10-June-21 | | Annual review. No updates needed; therefore, the version number was not changed. | Internal CSO SharePoint Site | As needed |