ML22080A044

| Person / Time | |
|---|---|
| Issue date: | 01/01/2021 |
| From: | Jonathan Feibus NRC/OCIO |
| To: | Dabbs B |
| Shared Package: | ML22077A369 |
| References: | CSO-PROS-2108 |
| Download: | ML22080A044 (5) |
Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-2108
Office Instruction Title: 800-79 Assessment Process
Revision Number: 1.0
Effective Date: 01/01/2021
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO

Description: CSO-PROS-2108, 800-79 Assessment Process, defines the process that must be followed to perform an assessment of the NRC's implementation of the Homeland Security Presidential Directive 12 (HSPD-12) requirements.

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)
TABLE OF CONTENTS
1 GENERAL REQUIREMENTS
2 INITIAL AUTHORIZATION
3 ANNUAL MONITORING
1 GENERAL REQUIREMENTS

Federal agencies are required to use Personal Identity Verification (PIV) cards as identity credentials for employees and contractors, for logical access to agency information systems, and for physical access to agency facilities. The sources of these requirements are Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, and Office of Management and Budget (OMB) memoranda including Memorandum M-19-17, Enabling Mission Delivery through Improved Identity, Credential, and Access Management.
National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 201-2, "Personal Identity Verification (PIV) of Federal Employees and Contractors," states (in Section 8, Implementations) that Federal departments and agencies must use accredited issuers to issue identity credentials for Federal employees and contractors. FIPS 201-2 also states that NIST has provided guidelines for the accreditation of PIV card issuers in NIST Special Publication (SP) 800-79-2, "Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)."
CSO-PROS-2108, 800-79 Assessment Process, defines the NRC methodology for assessing the PIV card issuance process, to ensure that the credential is established through a formal authorization process and complies with the standards and directives developed under HSPD-12.
2 INITIAL AUTHORIZATION

The initial independent assessment activities took place in accordance with the SP 800-79-2 requirements for achieving a formal authorization of the NRC PCI process by the NRC Authorizing Official (AO).
The assessment consisted of two tasks to determine the extent to which the requirements were being implemented correctly, operating as intended, and producing the desired outcome:
- An issuer control assessment, based on the test cases and assessment methods defined in SP 800-79-2
- An assessment of documentation (the NRC PIV PCI Operations Plan and supporting documentation)
The assessor produced an assessment report containing the results of the assessment, recommendations for correcting deficiencies, and the residual risk to the NRC if the deficiencies are not corrected or mitigated. Following the initial assessment, an authorization was granted by the agency's AO.
3 ANNUAL MONITORING

The 800-79 PCI authorization is a periodic authorization that expires after 3 years.
Before it expires, a new authorization effort must take place with the goal of obtaining a favorable authorization decision from the NRC AO. If the AO does not grant an authorization, the agency's PCI solution is considered unauthorized.
The monitoring phase consists of two tasks:
- Maintaining the NRC PIV PCI Operations Plan
- An annual lifecycle walkthrough by an independent assessor

NRC PIV PCI Operations Plan

The NRC PIV PCI Operations Plan is a comprehensive description of the PIV card issuing services provided by the agency and how they are provided. The document is maintained by the Office of Administration (ADM) and updated as changes occur to the issuer's operations.
Annual Lifecycle Walkthrough

The lifecycle walkthrough is a monitoring activity conducted annually by an independent assessor. It covers the PIV card's lifecycle from sponsorship through maintenance, including any issuing facilities responsible for carrying out PIV functions. The assessment methods used are as follows:
- Review: an evaluation of documentation to ensure that it is up to date and prepared in accordance with applicable policies, standards, regulations, etc.
- Interview: a directed conversation with one or more issuer personnel in which questions are asked, responses documented, and conclusions reached.
- Observe: a real-time viewing of PIV processes in operation, including the system components involved in the creation, issuance, maintenance, and termination of PIV cards. During the walkthrough, the independent assessor observes all processes involving the PIV card and compares them against the requirements defined in the PIV PCI Operations Plan.
The independent assessor produces an assessment report documenting the results. Any deficiencies discovered, and their corresponding corrective actions, are addressed in the report. The report is then submitted to the AO, who decides whether any deficiencies are significant enough to require a change to the authorization status.
CSO-PROS-2108 Change History

| Date | Version | Description of Change | Method Used to Announce & Distribute | Training |
|---|---|---|---|---|
| 16-Dec-20 | 1.0 | Initial release | Posting to CSO web page | As needed |
| 10-June-21 | 1.0 | Annual review; no update needed, therefore no version number change was necessary. | Posting to CSO web page | As needed |