ML22080A046

From kanterella

CSO-PROS-3000_Cybersecurity_Standards_Process

Person / Time
Issue date: 09/30/2019
From: Jonathan Feibus, NRC/OCIO
To: Bill Dabbs
Shared Package: ML22077A369
References: CSO-PROS-3000

Text

Nuclear Regulatory Commission
Office of the Chief Information Officer
Computer Security Process

Office Instruction: CSO-PROS-3000
Title: Cybersecurity Standards Process
Revision Number: 2.0
Effective Date: September 30, 2019
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO

== Description ==

CSO-PROS-3000, Cybersecurity Standards Process, defines the authorized process that must be followed by the Computer Security Organization (CSO) to develop, establish, and maintain cybersecurity standards for information systems that store, transmit, receive, or process NRC information.

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)

CSO-PROS-3000 Page i

TABLE OF CONTENTS

1 PURPOSE ... 1
2 GENERAL REQUIREMENTS ... 2
2.1 ROLES AND RESPONSIBILITIES ... 2
2.2 CYBERSECURITY STANDARDS LIFECYCLE PHASES ... 3
2.3 CYBERSECURITY STANDARDS PERIODIC REVIEW ... 3
2.4 EXPEDITED NEW AND REVISED CYBERSECURITY STANDARDS ... 4
3 SPECIFIC REQUIREMENTS ... 4
3.1 CYBERSECURITY STANDARDS COMPLIANCE ... 4
3.1.1 NRC Cybersecurity Standards ... 4
3.1.2 External Standards ... 4
3.2 DEVELOPING NRC CYBERSECURITY STANDARDS ... 5
3.2.1 Development Process Steps ... 5
3.3 REVISING NRC CYBERSECURITY STANDARDS ... 7
3.3.1 Revision Process Steps ... 7
APPENDIX A. ACRONYMS ... 8
APPENDIX B. GLOSSARY ... 9
APPENDIX C. REFERENCES ... 10

List of Tables

Table 2.1-1: Roles and Responsibilities ... 2
Table 2.2-1: Cybersecurity Standards Lifecycle Phases ... 3
Table 3.2-1: Process for Developing an NRC Cybersecurity Standard ... 5
Table 3.3-1: Process for Revising an NRC Cybersecurity Standard ... 7

Computer Security Process CSO-PROS-3000 Cybersecurity Standards Process

1 PURPOSE

CSO-PROS-3000, Cybersecurity Standards Process, provides the process that must be followed to develop, establish, and maintain cybersecurity standards for the Nuclear Regulatory Commission (NRC) information systems that store, transmit, receive, or process NRC information. Cybersecurity standards:

  • Ensure that information technology (IT) systems are configured to minimize unauthorized access, use, disclosure, change, deletion, or loss of availability of NRC information;
  • Provide an additional level of protection not afforded by most vendor out-of-the-box default configurations; and
  • Minimize the number of vulnerabilities that attackers can attempt to exploit and minimize the impact of successful attacks.

The Computer Security Organization (CSO) establishes cybersecurity standards to address:

  • Specific Federal Information Security Modernization Act (FISMA) requirements;
  • Technology/concepts that are both general (e.g., password parameters) and specific (e.g., a specific operating system); and
  • Requirements identified in National Institute of Standards and Technology (NIST) Special Publications (SPs); Committee on National Security Systems (CNSS) Policies, Directives, and Instructions; Federal Information Processing Standards (FIPS) Publications (PUBs); Office of Management and Budget (OMB) direction; and Government Accountability Office (GAO) direction, where applicable.

NRC does not develop cybersecurity standards that are specific to individual products (e.g., security configuration requirements for a specific operating system). Instead, NRC cybersecurity standards are product-neutral and written to apply regardless of the specific products being used. NRC cybersecurity standards provide enterprise-wide requirements across areas including, but not limited to: strong passwords, remote access, endpoint protection, and cryptography.

NRC uses publications from other sources including Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) Benchmarks to provide the applicable security configuration baselines for specific products in use within the agency. These publications from external sources are referred to as external standards to differentiate them from NRC cybersecurity standards. In addition to publications from DISA and Certified Information System Auditor (CISA), external standards may include, but are not restricted to, National Security Agency (NSA) Security Configuration Guides, NIST Security Configuration Checklists from the NIST Checklist Repository, and product vendor security configuration guidance.

The information contained in this document is intended to be used by those developing, reviewing, and updating cybersecurity standards and the NRC system owners, Information System Security Officers (ISSOs), and network, system, and application administrators responsible for implementing and monitoring the configuration of NRC systems and applications.

2 GENERAL REQUIREMENTS

Cybersecurity standards are the source of enterprise-wide cybersecurity requirements and security configuration baselines within the agency. Specific examples include mobile devices, operating systems, databases, applications (web, client-server, stand-alone), and network devices.

Cybersecurity standards are mandatory. NRC system owners and ISSOs are responsible for ensuring system compliance with applicable cybersecurity standards as well as applying more stringent controls where warranted (i.e., due to the system environment, information sensitivity, threat environment, and residual risk).

If a system cannot comply with the cybersecurity standard, the NRC system owner must request a deviation from the requirement in accordance with CSO-PROS-1324, Deviation Request Process (as amended).

2.1 Roles and Responsibilities

Table 2.1-1 provides the high-level roles and responsibilities associated with applying this process.

Table 2.1-1: Roles and Responsibilities

Chief Information Security Officer (CISO): Approves new and updated cybersecurity standards.

CSO: Responsible for ensuring appropriate, effective, and efficient NRC-wide integration, direction, and coordination of cybersecurity planning and performance within the framework of the NRC cybersecurity program.

ISSO Forum: Consists of NRC office and system ISSOs. Responsible for reviewing and providing feedback on cybersecurity standards.

Standards Working Group (SWG): Responsible for reviewing, providing feedback, and voting on cybersecurity standards. The SWG is responsible for reviewing all feedback provided by the ISSO Forum for cybersecurity standards. SWG approval of a cybersecurity standard occurs prior to the final CISO review/approval.

ISSOs and System Owners: Responsible for ensuring systems are compliant with cybersecurity requirements.

2.2 Cybersecurity Standards Lifecycle Phases

Table 2.2-1 describes each phase of the cybersecurity standard lifecycle for developing, establishing, maintaining, and retiring a cybersecurity standard.

Table 2.2-1: Cybersecurity Standards Lifecycle Phases

Phase 1, Standard Requirement Identification: The CSO and/or SWG identifies the need for a cybersecurity standard.

Phase 2, Cybersecurity Standard Creation: The CSO:
  • Creates a scoping statement to identify the purpose and scope for the cybersecurity standard.
  • Creates a working copy of the cybersecurity standard.

Phase 3, ISSO Forum Review: The CSO provides the ISSO Forum the proposed cybersecurity standard for review and feedback.

Phase 4, SWG Review and Approval: The CSO provides the SWG the proposed cybersecurity standard for review and feedback. The SWG will also be provided all feedback provided by the ISSO Forum. The SWG will discuss changes and vote whether to approve the cybersecurity standard.

Phase 5, CSO Finalization of Cybersecurity Standard: The CSO develops a final version of the cybersecurity standard, which will include any changes the SWG specified were a contingency of the approval vote. The SWG Chair sends the CISO the final version for review and approval.

Phase 6, CISO Approval and CSO Issuance of Cybersecurity Standard: The CISO provides the final approval of the cybersecurity standard for issuance. The CSO issues the standard.

Phase 7, Compliance: Compliance with cybersecurity standards is required starting on the effective date specified for the standard.

Phase 8, Periodic Review / Updates: The CSO and SWG periodically review cybersecurity standards. The cybersecurity standard is updated as needed for changes in the threat environment, changes to the external standard, and new or emerging requirements (such as the release of a new version of an operating system).

Phase 9, Retirement: A cybersecurity standard may be retired if the CSO and the CISO determine that there is no longer a need.

2.3 Cybersecurity Standards Periodic Review

The CSO and the SWG must periodically review NRC cybersecurity standards and external standards at least bi-annually (once every two years).

The CSO should review cybersecurity standards when any of the following conditions exist:

  • External publications (e.g., NIST SPs, FIPS PUBs, CNSS Issuances) referenced within the NRC cybersecurity standard are updated and the modifications necessitate a revision to the standard.
  • There is a change to a federal mandate (e.g., OMB Memoranda) that requires a revision to the cybersecurity standard.
  • There is a change to the threat environment that poses a significant risk to the NRC and for which a revision to a cybersecurity standard can mitigate that risk.
  • A vulnerability is discovered that poses a significant risk to NRC and for which a revision to a cybersecurity standard can mitigate that risk.

2.4 Expedited New and Revised Cybersecurity Standards

There are situations when a new or revised cybersecurity standard is needed immediately or in a very short period (e.g., a significant vulnerability is discovered). In these situations, the CISO may specify an effective date shorter than ninety (90) days from issuance.

Urgent changes to cybersecurity standards can be approved by the CISO at any time.

3 SPECIFIC REQUIREMENTS

This section provides the criteria that are applied to cybersecurity standards for development, revision, and approval/issuance by CSO in collaboration with the SWG throughout the year.

Approved cybersecurity standards are published through the Office of Chief Information Officer (OCIO)/CSO website.

3.1 Cybersecurity Standards Compliance

NRC compliance is required with both NRC cybersecurity standards and external standards.

3.1.1 NRC Cybersecurity Standards

Compliance with NRC cybersecurity standards is required according to the following:

  • The effective date that is specified for an NRC cybersecurity standard should be no less than ninety (90) days after issuance.

3.1.2 External Standards

Compliance with external standards is required according to the following:

  • The OCIO/CSO Cybersecurity Standards website specifies the external standards that system owners and ISSOs must use as the applicable security configuration baselines for specific products/technologies (e.g., operating systems, database servers, web servers, network devices).

  • If the OCIO/CSO Cybersecurity Standards website does not specify an external standard for a specific product/technology in use within an NRC system, then the following order of precedence for security configuration baselines applies:

    1. DISA STIGs and Checklists
    2. CIS Benchmarks
    3. Product vendor provided guidance (i.e., security configuration guide)
    4. Checklists available at the NIST Checklist Repository
    5. Industry best practices

    All above documents must be finalized versions.

    Note: If the applicable security configuration baseline is not clear, ISSOs should contact the CSO point of contact for their office to obtain clarification.

  • When there is a conflict between a setting in an applicable external standard and an NRC cybersecurity standard, the NRC cybersecurity standard takes precedence. For example, if a DISA STIG were to indicate the password age must not be greater than 60 days while the NRC cybersecurity standard indicates that the requirement is 180 days, then the requirement from the NRC cybersecurity standard applies.

  • Compliance with new or updated external standards is required on either January 1st or July 1st, whichever comes first after the 90 day period following the publication of the external standard by the external organization (e.g., DISA, CIS).

  • Per Section 2.4, Expedited New and Revised Cybersecurity Standards, the CISO may set any wait time, even having the standard become effective immediately.

  • External standards should be specifically identified (where possible) no less than ninety (90) days prior to the applicable effective date (i.e., January 1st, July 1st).

3.2 Developing NRC Cybersecurity Standards

If a determination has been made that an NRC cybersecurity standard must be developed, the development process is started.

3.2.1 Development Process Steps

Table 3.2-1 describes the process and order for developing an NRC cybersecurity standard.

Table 3.2-1: Process for Developing an NRC Cybersecurity Standard

Step 1, NRC Cybersecurity Standard Requirement Identification: The CSO and/or SWG identifies the need for an NRC cybersecurity standard.

Step 2, NRC Cybersecurity Standard Creation: The CSO creates a scoping statement to identify and confirm all points to be addressed in the NRC cybersecurity standard. The SWG Chair must review and concur on the scoping statement prior to the creation of the standard.

The CSO creates an initial working copy of the cybersecurity standard, based upon the scoping statement, using the CSO cybersecurity standard templates.

The CSO consults, as necessary, with relevant system ISSOs and impacted NRC organizations as the NRC cybersecurity standard is developed (e.g., OCIO IT Services Development & Operations Division [SDOD], Office of Administration [ADM], and Nuclear Security and Incident Response [NSIR]).

After all feedback is considered, and, if applicable, incorporated into the working copy, the CSO provides the NRC cybersecurity standard to the SWG and ISSO Forum for review.

Step 3, ISSO Forum Review: The CSO must provide the ISSO Forum the proposed NRC cybersecurity standard for review and feedback.

The ISSO Forum must be provided no less than five days to review the NRC cybersecurity standard and provide feedback to the CSO. The ISSO Forum can provide technical feedback on the NRC cybersecurity standard, as well as the anticipated impact of the standard in terms of cost and schedule considerations.

Step 4, SWG Review and Approval: The CSO must provide the SWG the proposed NRC cybersecurity standard for review and feedback. The SWG must be provided no less than five days to review the cybersecurity standard.

The SWG must be provided all feedback from the ISSO Forum, which must be discussed by the group.

The CSO must schedule an SWG meeting to discuss and review all feedback received on the NRC cybersecurity standard.

The SWG must review all feedback and suggested changes received for the NRC cybersecurity standard and identify applicable changes to be made for SWG approval.

The SWG shall approve the NRC cybersecurity standard for release using a simple majority vote. Ties shall be broken by the SWG Chair.

Step 5, CSO Finalization of NRC Cybersecurity Standard: The CSO must develop a final version of the NRC cybersecurity standard, which must include any changes the SWG specified were a contingency of the approval vote.

The SWG Chair must send the CISO the final version of the NRC cybersecurity standard for review and approval.

Step 6, CISO Approval: The CISO must provide a decision indicating whether the NRC cybersecurity standard is approved. If desired, the CISO can provide approval with conditions (i.e., changes that must be incorporated).

Step 7, CSO Issuance of NRC Cybersecurity Standard: Following CISO approval of the NRC cybersecurity standard, the CSO shall publish the cybersecurity standard on the OCIO/CSO Cybersecurity Issuances Standards website.

Step 8, Compliance: System owners and ISSOs must ensure that NRC systems comply with the NRC cybersecurity standard starting on the effective date specified.

Step 9, Periodic Review / Updates: The CSO and the SWG review NRC cybersecurity standards at least bi-annually.

The NRC cybersecurity standard is updated as needed, including for changes in the threat environment, changes to the external standard, and new or emerging requirements.

Step 10, Retirement: The NRC cybersecurity standard may be retired if the CISO determines that there is no longer a need.

The SWG may also provide a recommendation to retire an NRC cybersecurity standard.

3.3 Revising NRC Cybersecurity Standards

If a determination has been made that an NRC cybersecurity standard must be updated, the revision process is started.

3.3.1 Revision Process Steps

Table 3.3-1 describes the process and order for revising an existing NRC cybersecurity standard.

Table 3.3-1: Process for Revising an NRC Cybersecurity Standard

Step 1, NRC Cybersecurity Standard Revision Determination: The CSO reviews the NRC cybersecurity standard along with any relevant external stimulus (e.g., revised federal direction, a revised external standard, or a new vulnerability) and identifies needed revisions, consulting with relevant system owners, ISSOs, and impacted NRC organizations, as needed.

Step 2, NRC Cybersecurity Revision Scoping Statement: The CSO creates a scoping statement to identify and confirm all points to be addressed in the revised NRC cybersecurity standard.

Step 3, NRC Cybersecurity Revision - Remaining Steps through Issuance: After CSO determines the NRC cybersecurity standard needs to be revised and the SWG Chair concurs on the scoping statement, refer to Steps 2-7 in Table 3.2-1, Process for Developing an NRC Cybersecurity Standard. Whether developing or revising an NRC cybersecurity standard, the steps are the same at this point.

APPENDIX A. ACRONYMS

ADM - Office of Administration
CIS - Center for Internet Security
CISO - Chief Information Security Officer
CNSS - Committee on National Security Systems
CSO - Computer Security Organization
DISA - Defense Information Systems Agency
DoD - Department of Defense
FIPS - Federal Information Processing Standards
FISMA - Federal Information Security Modernization Act
GAO - Government Accountability Office
ISSO - Information System Security Officers
IT - Information Technology
NIST - National Institute of Standards and Technology
NRC - Nuclear Regulatory Commission
NSA - National Security Agency
NSIR - Nuclear Security and Incident Response
OCIO - Office of Chief Information Officer
OMB - Office of Management and Budget
PUB - Publication
SDOD - IT Services Development & Operations Division
SP - Special Publication
STIG - Security Technical Implementation Guide

APPENDIX B. GLOSSARY

External Standard: Document published from another source (e.g., DISA STIG, CIS Benchmark) that provides the applicable security configuration baseline for a specific product in use within the agency.

ISSO Forum: A forum established by NRC for the purpose of providing a communication mechanism for CSO staff and ISSOs to communicate, collaborate, and exchange information relevant to the NRC cybersecurity program.

NRC Cybersecurity Standard: A product-neutral cybersecurity standard that is written to apply regardless of the specific products being used. NRC cybersecurity standards provide enterprise-wide requirements across areas including strong passwords, remote access, endpoint protection, and cryptography, for example.

Standards Working Group: A group approved by an NRC Authorizing Official for the purpose of evaluating, recommending, and communicating information technology standards, checklists, and guidance for use at NRC.

APPENDIX C. REFERENCES

The OCIO/CSO Standards website can be found at:

http://fusion.nrc.gov/OCIO/team/CSO/CSO_FISMA_Repository/Forms/AllItems.aspx?RootFolder=%2FOCIO%2Fteam%2FCSO%2FCSO%5FFISMA%5FRepository%2FCybersecurity%5FIssuances%2F01%5FSTANDARDS%2FNRC%5FStandards

The OCIO/CSO Standards website organizes External Standards based upon the effective year and date (i.e., January 1st, July 1st). NRC stores a copy of all specifically identified external standards within the website. The SharePoint folder for a specific effective date includes a spreadsheet that lists all external standards that have been specifically identified.

The OCIO/CSO website includes CISO-approved informal direction for Cybersecurity Standards. This direction clarifies what subset of DISA STIG and CIS Benchmark requirements apply to NRC systems based upon the system security categorization. The direction can be found at:

http://fusion.nrc.gov/OCIO/team/CSO/CSO_FISMA_Repository/Cybersecurity_Issuances/00_CISO_Approved_Informal_Direction/03_Standards.docx

Additional references include, but are not limited to, the following (as amended):

  • FISMA of 2014
  • The Privacy Act of 1974, 5 U.S.C. § 552a, as amended
  • NRC Management Directive 12.5, "NRC Cybersecurity Program"
  • CIS Benchmarks
  • CNSS Issuances, including, but not limited to:
    - CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems
  • DISA Information Assurance Products, including, but not limited to:
    - DISA Memo, Department of Defense (DoD) STIG Development Process and Quarterly Release Update Process
    - DISA STIGs
  • NIST Checklist Repository
  • FIPS PUBs, including, but not limited to:
    - FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
    - FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
  • SPs, including, but not limited to:
    - NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
    - NIST SP 800-30, Guide for Conducting Risk Assessments
    - NIST SP 800-34, Contingency Planning Guide for Federal Information Systems
    - NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
    - NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    - NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
    - NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
    - NIST SP 800-63-3, Digital Authentication Guideline
    - NIST SP 800-70 Revision 4, National Checklist Program for IT Products Guidelines for Checklist Users and Developers
    - NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
  • NSA Information Assurance Products, including, but not limited to:
    - NSA Security Configuration Guides

CSO-PROS-3000 Change History

Date | Version | Description of Change | Method Used to Announce & Distribute | Training
07-Mar-12 | 1.0 | Initial issuance | ISSO Forum announcement and posting to CSO Standards website | Upon request
23-May-19 | 2.0 | Updated to address organizational and process changes | OCIO/CSO website | Upon request