ML22080A038

CSO-PROS-2030 Risk Management Framework Process
ML22080A038
Issue date: 09/01/2019
From: Bill Dabbs, NRC/OCIO
To: Dabbs B
Shared Package: ML22077A369
References: CSO-PROS-2030

Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-2030
Title: NRC Risk Management Framework (RMF) Process
Revision Number: 2.1
Effective Date: September 1, 2019
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO
Summary of Changes: CSO-PROS-2030, NRC Risk Management Framework Process, defines the process that must be followed to apply NIST SP 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, to secure NRC information systems.

Office: OCIO/CSO
Owner: Jonathan Feibus
Primary Agency Official: Chief Information Security Officer (CISO)

TABLE OF CONTENTS

1 PURPOSE
2 GENERAL REQUIREMENTS
3 SPECIFIC REQUIREMENTS
   STEP 1: PREPARE
   STEP 2: CATEGORIZE
   STEP 3: SELECT
   STEP 4: IMPLEMENT
   STEP 5: ASSESS
   STEP 6: AUTHORIZE
   STEP 7: MONITOR
APPENDIX A. CHANGE HISTORY

1 PURPOSE

CSO-PROS-2030 defines the process that must be followed to apply the guidelines from NIST Special Publication 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, to secure NRC information systems. Federal information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. The Risk Management Framework (RMF) provides a technology-neutral, disciplined, and structured process for managing security and privacy risk that includes information system categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring.

This document describes the steps and tasks required to apply the RMF to NRC information systems and the NRC processes and policies that support them. The information contained in this document is intended to be used by individuals associated with the design, development, implementation, security, operation, maintenance, and disposition of federal information systems.

2 GENERAL REQUIREMENTS

Risk management tasks begin early in the system development life cycle (SDLC) and are important in shaping the security capabilities of the information system. If these tasks are not adequately considered during the initiation, development, and acquisition phases of the SDLC, the tasks will, by necessity, be undertaken later in the life cycle and be costlier to implement. In either situation, all tasks are completed before placing the information system into operation to ensure that:

- the Authorizing Official (AO) explicitly understands and accepts or denies the risk to NRC operations and assets, individuals, other organizations, and the Nation based on the implementation of a defined set of security controls and the current security state of the system; and
- system-related security risks are being adequately addressed on an ongoing basis.

The tasks in the RMF are described in a sequential manner. Deviation from that sequential structure to achieve more cost-effective and efficient solutions regarding the execution of the tasks is permissible. Regardless of the task ordering, the last step before an information system is placed into operation is the explicit acceptance of risk by the AO. Certain tasks may be executed during different phases of the SDLC. For example, security control assessments may be carried out during system development, system implementation, system changes, or system operation/maintenance (as part of continuous monitoring).

Since the RMF is life cycle-based, there will be a need to revisit various tasks over time depending on how changes to the information system and the environment are managed.

Managing information security-related risks for an information system is viewed as part of a larger NRC-wide risk management activity carried out by senior leaders. The RMF must simultaneously provide a disciplined and structured approach for mitigating risks with the flexibility to support the core missions and business operations of the NRC in a highly dynamic operational environment.

3 SPECIFIC REQUIREMENTS

The diagram below provides an overview of the disciplined and structured RMF process that integrates information security and risk management activities into the SDLC.

[Figure: RMF cycle diagram showing the seven steps Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor]

There are seven steps in the RMF: 1) Prepare, 2) Categorize, 3) Select, 4) Implement, 5) Assess, 6) Authorize, and 7) Monitor. All seven steps are necessary for the successful execution of the RMF.

Step 1: Prepare

The purpose of the Prepare step is to carry out essential activities at the organizational level, the mission and business process level, and the system level to help prepare the NRC to manage its security and privacy risks.

The Prepare process, at the organizational level, includes identifying and assigning key roles, establishing organizational risk tolerance, developing continuous monitoring strategies, and identifying and documenting common controls. The Prepare step is the responsibility of senior level officials and stakeholders to ensure the specific tasks and structures are developed to best manage security and privacy risks.

The following processes are in place at the agency level to prepare and manage security and privacy risks for NRC systems:

To meet the requirements within Circular A-130, Managing Information as a Strategic Resource, the NRC has established a comprehensive approach to improving the acquisition, management, and protection of information resources, personnel, equipment, funds, personally identifiable information (PII), and supporting infrastructure and services. The NRC Capital Planning & Investment Control (CPIC) process plays a major part in meeting these federal requirements, along with EA-PROS-0100, Systems and Services Inventory Process, which connects NRC planning, budgeting, investment management, and architecture disciplines to provide visibility and control over the agency's IT system and service inventory. Together, these processes help reduce the complexity of NRC IT and operations, using enterprise architecture concepts to consolidate, optimize, and standardize NRC systems, applications, and services.

Management Directive (MD) 3.2, Privacy Act, provides procedures and guidelines to ensure that the NRC collects, maintains, uses, and disseminates any record of PII in a secure manner, in compliance with federal and NRC requirements.

The Technical Reference Model (TRM) was created to centralize the IT products and services that are either pending review or have been reviewed by the NRC IT governance boards and tested for operational suitability for the NRC computing environment. Approved items in the TRM are eligible to be acquired and deployed to the NRC computing environment and are subject to standard approval conditions.

CSO-PROS-1323, Information Security Continuous Monitoring Process, defines the information security continuous monitoring (ISCM) strategy and requirements that must be followed to maintain authorizations for NRC systems.

NRC has published CSO-STD-0021, Common and Hybrid Control Standard, for a specific set of controls that can be inherited by multiple systems or programs. The goal is to reduce the workload on individual system owners as well as the cost of system development and asset protection. In addition, NRC developed the NIST 800-53 Rev 4 tailoring baseline based on confidentiality, integrity, and availability impact levels for NRC systems.

The Prepare process is also implemented at the system level and carried out by the system owner, business owner, privacy officer, and information system security officer (ISSO).

Some of the tasks accomplished during the Prepare process include identifying and assigning key system roles, identifying system assets, defining the authorization boundary, selecting the information types processed, stored, and transmitted by the system, and defining and prioritizing security and privacy requirements. The system owner must coordinate with the agency's AO and Chief Information Security Officer (CISO) and abide by the processes and procedures described above to ensure authorization efforts and risk management activities run smoothly.

NRC system owners must obtain an authorization from the AO in order to use an IT service provided by an external organization or service provider. System owners must ensure that the external IT service provider has already obtained a valid, current authorization issued by another government agency or through the Federal Risk and Authorization Management Program (FedRAMP) for cloud solutions. CSO-PROS-1325, External IT Service Authorization Process, provides the process that must be followed to obtain an authorization for an external IT service used in the NRC environment.

Step 2: Categorize

The purpose of the Categorize step is to identify the types of information processed, stored, and transmitted by the system and document the results. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to assess their information systems to determine the potential impact/risk that a loss of confidentiality, integrity, or availability of the information processed, stored, and transmitted would have on organizational operations, organizational assets, or individuals. The result of this risk assessment is rated as low, moderate, or high impact, with the most severe rating from any category becoming the information system's overall security categorization. The results of this process are used to determine the minimum security controls and requirements for the system.

The security categorization process is carried out by the system owner and information owner/steward and the ISSO in cooperation and collaboration with appropriate organizational officials (i.e., senior leaders with mission/business function and/or risk management responsibilities). The security categorization process is conducted as an organization-wide activity, taking into consideration the enterprise architecture and the information security architecture.

Concurrently, systems that collect, maintain, or disseminate PII must conduct a Privacy Impact Assessment (PIA) to ensure PII is protected properly, in compliance with applicable legal, regulatory, and policy requirements. Privacy risks to individuals may create legal liability, reputational risks, or other types of risks for the organization. In certain situations, a PIA may not be required. A Privacy Threshold Analysis (PTA) can be completed and reviewed by the Privacy Act Program Analyst to determine if a PIA is needed. The PIA, if required, must be reviewed and approved by the Privacy Act Program Analyst prior to the submittal of the security categorization.

The completed security categorization report and the approved PIA/PTA must be submitted to the Computer Security Organization (CSO) point of contact (POC) for analysis and approval. A system cannot move forward in the RMF process without official approval.

For established systems, the security categorization must be reviewed and updated at least annually and as needed to ensure accuracy and must account for any changes that have been authorized for the system. This requirement is captured/measured according to CSO-PROS-1323, Continuous Monitoring Process, and reflected in the NRC Cybersecurity Risk Dashboard (CRDB), which identifies incomplete or late submissions.

CSO-PROS-2001, System Security Categorization Process, defines the process that must be followed to determine the security categorization for NRC unclassified information and systems and the level of digital identity assurance for publicly accessible authenticated transactions. The CSO-TEMP-2001, Security Categorization Template is available on the CSO website.

Step 3: Select

The purpose of the Select step is to select, tailor, and apply the applicable set of baseline security controls in accordance with the guidance provided in NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations. Organizations are required to adequately mitigate the risk arising from the use of information and information systems while conducting mission and business functions. The challenge for system owners is to determine the most cost-effective, appropriate set of security controls which, if implemented and determined to be effective, would mitigate risk while complying with security requirements defined by applicable federal laws, Executive Orders, regulations, policies, directives, or standards.

After selecting the minimum control baseline as the starting point, the system owner or designee can tailor the controls to align more closely with the specific conditions within the organization.

Tailored baselines complement the initial NIST SP 800-53 control baselines by providing an opportunity to add or eliminate controls to accommodate NRC requirements while continuing to protect information in a way that is commensurate with risk.

To assist the system owner or designee with the control selection process, CSO-STD-0021, Common and Hybrid Security Control Standard, defines the common and hybrid security controls required for NRC systems processing information up to and including the Safeguards Information (SGI) level. In addition, this standard identifies the common and hybrid security control providers and defines the responsibilities for each control. The NRC has also developed a NIST 800-53 Rev 4 tailoring baseline based on the confidentiality, integrity, and availability impact levels for NRC systems.

Once the baseline has been finalized, the security and privacy controls are documented in the system's system security plan (SSP). The SSP describes how system-specific, hybrid, and common controls are implemented with sufficient detail to enable a compliant implementation of the control. Supporting documentation can be referenced as well. The NRC-approved SSP template with instructions, CSO-TEMP-2007, is available on the CSO website.

For established systems, the SSP must be reviewed and updated at least annually and as needed to ensure accuracy and to account for any changes that have been authorized for the system. This requirement is captured/measured according to the CSO-PROS-1323, Continuous Monitoring Process, and is reflected in the NRC CRDB.
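Steps 2 and 3 above, worked through in code as an added example (this is not code from the NRC process or any NRC tool): the FIPS 199 high-water-mark rule that turns per-information-type impact levels into the system categorization, followed by selection of the matching control baseline and a tailoring step that refuses to eliminate a control without a documented rationale. The InfoType class, the sample information types, and the small control allocation table are all constructed here; the table is not the NIST SP 800-53 Rev 4 baseline or the NRC tailoring baseline.

```python
"""RMF Step 2 (FIPS 199 categorization) and Step 3 (baseline selection and
tailoring) as code. The control allocation table is constructed for this
example and is not the NIST SP 800-53 Rev 4 or NRC tailoring baseline."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")          # least to most severe
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

def high_water(levels):
    """Most severe level present (the FIPS 199 'high water mark' rule)."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    unknown = [lvl for lvl in levels if lvl not in RANK]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=RANK.__getitem__)

def categorize(info_types):
    """Per-objective maximum across all information types, then the overall
    system categorization is the maximum over the three objectives."""
    per_objective = {
        obj: high_water(getattr(t, obj) for t in info_types) for obj in OBJECTIVES
    }
    return per_objective, high_water(per_objective.values())

def format_sc(per_objective, overall):
    """Render the result in FIPS 199 notation for the categorization report."""
    pairs = ", ".join(f"({o}, {lvl.upper()})" for o, lvl in per_objective.items())
    return f"SC = {{{pairs}}}, overall impact: {overall.upper()}"

# Constructed toy allocation: control id -> lowest impact level requiring it.
BASELINE_ALLOCATION = {
    "AC-2": "low", "AC-2(1)": "moderate", "AC-2(11)": "high",
    "AU-6": "low", "AU-6(5)": "high",
    "SI-4": "low", "SI-4(4)": "moderate",
}

def select_baseline(overall):
    """Minimum control baseline for the system's overall impact level."""
    return sorted(
        cid for cid, floor in BASELINE_ALLOCATION.items()
        if RANK[floor] <= RANK[overall]
    )

def tailor(baseline, add=(), remove=(), rationale=None):
    """Add or eliminate controls; every eliminated control must carry a
    documented rationale, otherwise the tailoring is rejected."""
    rationale = rationale or {}
    undocumented = [cid for cid in remove if cid not in rationale]
    if undocumented:
        raise ValueError(f"no rationale documented for removing {undocumented}")
    return sorted((set(baseline) - set(remove)) | set(add))

# Constructed sample: a hypothetical system handling two information types.
SAMPLE_TYPES = [
    InfoType("employee PII", "moderate", "low", "low"),
    InfoType("inspection findings", "low", "high", "low"),
]

def run_sample():
    # Integrity alone drives the system to HIGH; the baseline follows suit.
    per_objective, overall = categorize(SAMPLE_TYPES)
    baseline = select_baseline(overall)
    tailored = tailor(baseline, remove=["AU-6(5)"], rationale={"AU-6(5)": "common control"})
    return format_sc(per_objective, overall), baseline, tailored
```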

Step 4: Implement

The purpose of the Implement step is to implement the security controls as specified in the SSP for the system. Best practices should be used when implementing controls, including systems security and privacy engineering methodologies, concepts, and principles. During implementation, it may be determined that common controls previously selected to be inherited by the system do not meet the protection needs of the system. For such common controls, the system owner identifies the compensating or supplementary controls to be implemented. System owners can supplement the common controls with system-specific or hybrid controls to achieve the required protection for their system, or accept greater risk with the acknowledgement and approval of the organization.

Step 5: Assess

The purpose of the Assess step is to assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The assessment process is carried out by an independent assessor. An assessment plan is developed by the independent assessor based on the implementation information contained in the SSP. The assessment plan provides the objectives and specific assessment procedures for the selected controls. The results of the security control assessments, including recommendations for correcting deficiencies in the implemented controls, are documented in the assessment report by the independent assessor.

CSO-PROS-2102, System Cybersecurity Assessment Process, defines the process that must be followed to conduct a system cybersecurity assessment of an NRC system. The NRC-approved Assessment Plan template, CSO-TEMP-2108, and Assessment Report template, CSO-TEMP-2106, are available on the CSO website.

A Plan of Action and Milestones (POA&M) is prepared based on the findings and recommendations identified in the assessment report in order to track any weaknesses or deficiencies discovered during the assessment. Each weakness must be analyzed, and corrective actions documented. If, after the analysis, the system owner concludes that a weakness cannot or will not be mitigated and the weakness presents an acceptable risk to the organization, the system owner or designee must create a deviation request to itemize and detail the reason and rationale for the request. The system owner or designee must describe the compensating control as an alternative mechanism to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement. CSO-PROS-1324, U.S. Nuclear Regulatory Commission (NRC) Deviation Request Process, provides detailed information for processing deviation requests, and CSO-PROS-2016, POA&M Process, provides detailed information for creating and managing system POA&Ms.

The deficiencies described within the system's POA&M are captured/measured according to CSO-PROS-1323, Information Security Continuous Monitoring Process, and Frequencies Document, and are reflected in the NRC CRDB.

Step 6: Authorize

The purpose of the Authorize step is to provide security and privacy accountability by requiring a senior management official to determine if the security and privacy risk to organizational operations and assets, individuals, other organizations, or the Nation, based on the operation of a system or the use of common controls, is acceptable. The authorization package is prepared by the system owner or designee and submitted to the AO for an authorization decision. The information in the authorization package is used by the AO to make informed, risk-based decisions. The explicit acceptance of risk is the responsibility of the AO and cannot be delegated to other officials within the agency. The status of NRC system authorizations is captured/measured according to CSO-PROS-1323, Continuous Monitoring Process, and reflected in the NRC CRDB.

Step 7: Monitor

The purpose of the Monitor step is to maintain ongoing situational awareness about the security and privacy posture of the system in support of risk management decisions. The objective of the NRC continuous monitoring program is to determine whether the system's security controls continue to be effective over time, considering the inevitable changes that occur in the system as well as the environment in which the system operates.

Part of the NRC continuous monitoring strategy is to collect the security-related data required for metrics, assessments, and reporting. Metrics provide meaningful indicators of the security status across all agency tiers. Each tier monitors security metrics and assesses security control effectiveness to support tier-specific decision making.

Tier 1 metrics are developed for supporting governance decisions regarding the organization, its core missions, and its business functions.

Tier 2 metrics are developed to prioritize NRC core mission/business processes with respect to overall goals and objectives while successfully executing the NRC security program strategy.

Tier 3 metrics address risk management from an information system perspective.

Continuous monitoring activities ensure that all system-level security controls, whether located at Headquarters or the Regions, are implemented correctly, operating as intended, producing the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.

The agency's Cybersecurity Performance Index (CPI) is a subset of four cybersecurity metrics that are measured quarterly for each NRC Office and Region. It allows executives and staff to see, at a glance, what the security posture is for each NRC Office or Region. The four risk drivers critical to minimizing risk to the NRC mission are listed below:

1. Computer Security Awareness (CSA) training
2. Role-based training (RBT)
3. Continuous Monitoring (ConMon) metrics
4. FITARA Configuration Non-Compliance

The metrics for Continuous Monitoring and FITARA Configuration Non-Compliance are only applicable to offices with authorized IT systems.

For continuous monitoring metrics, the following activities are tracked, monitored, and reported to ensure NRC is meeting federal requirements:

- System Security Plan review and update
- Quarterly Scan Reports
- Configuration risk
- Contingency Plan review and update
- Contingency Plan testing
- POA&M review and update
- Business Impact Analysis review and update
- Security Categorization review and update
- PIA/PTA review and update
- Conduct Periodic System Cybersecurity Assessment
- Computer Security Awareness training
- Role-Based training
- Incident trends (data compiled from the Security Operations Center [SOC])
- Phishing exercise results
- Completion of AO conditions

In support of continuous monitoring activities, CSO holds monthly security meetings with the ISSOs to discuss any ongoing issues and to provide any new guidance. Additionally, CSO provides a POA&M Management Status Report (PMSR) to the ISSOs to provide additional insight and statistics on the progress of their POA&M closure.

In summary, effective risk management plays a crucial role in the agency's security program by identifying potential threats before they occur, responding to risk once determined, and monitoring risk over time.

APPENDIX A. CHANGE HISTORY

Date | Version | Description of Change | Method Used to Announce and Distribute | Training
06/13/2019 | 2.0 | Replacement for existing outdated process. | Monthly Office Meetings. | None needed.
03/03/2021 | 2.1 | Minor edits. | Monthly Office Meetings. | None needed.
06/10/2021 | | Annual review conducted and no update was needed; therefore, a version number change was not necessary. | Monthly Office Meetings. | None needed.