ML22080A055

CSO-PROS-8001_FITARA_Cybersecurity_Risk_Rating_Reporting_Process
Issue date: 09/30/2019
From: Jonathan Feibus, NRC/OCIO/CISD
Shared Package: ML22077A369
References: CSO-PROS-8001

Nuclear Regulatory Commission, Office of the Chief Information Officer, Computer Security Process

Office Instruction: CSO-PROS-8001
Title: FITARA Cybersecurity Risk Rating and Reporting Process
Revision Number: 1.0
Effective Date: September 30, 2019
Primary Contacts: Jonathan Feibus
Responsible Organization: OCIO/CSO

== Description ==

CSO-PROS-8001, FITARA Cybersecurity Risk Rating and Reporting Process, provides the authorized process that must be used at the NRC to perform the Federal Information Technology Acquisition Reform Act (FITARA) compliant Cybersecurity Self-assessment.

Office Owner: OCIO/CSO
Primary Agency Official: Jonathan Feibus, Chief Information Security Officer (CISO)

CSO-PROS-8001 Page i

TABLE OF CONTENTS
1 PURPOSE (p. 1)
2 GENERAL REQUIREMENTS (p. 1)
  2.1 ROLES AND RESPONSIBILITIES (p. 2)
3 SPECIFIC REQUIREMENTS (p. 3)
  3.1 MAJOR IT INVESTMENTS (p. 4)
  3.2 NRC FITARA CIO EVALUATION OF RISK (p. 4)
    3.2.1 Vulnerability Data Evaluated (p. 5)
    3.2.2 Evaluation of Risk (p. 5)
    3.2.3 Reporting of Risk (p. 6)
APPENDIX A. ACRONYMS (p. 7)
APPENDIX B. GLOSSARY (p. 9)
APPENDIX C. REFERENCES (p. 10)

List of Tables
Table 2.1-1: Roles and Responsibilities (p. 2)

1 PURPOSE

CSO-PROS-8001, FITARA Cybersecurity Risk Rating and Reporting Process, provides the authorized process that must be used at the Nuclear Regulatory Commission (NRC) to conduct the Federal Information Technology Acquisition Reform Act (FITARA)[1] compliant Cybersecurity System and Investment Risk Rating and Reporting.

This process is intended to enhance and improve risk management activities related to information technology (IT) investments in compliance with FITARA and as outlined in the Office of Management and Budget (OMB) Memorandum M-15-14, Management and Oversight of Federal Information Technology, which provides the implementation direction to covered agencies.

The information contained in this document is intended to be used by those performing and reporting FITARA Cybersecurity Risk Rating and Reporting, and the NRC system owners and Information System Security Officers (ISSOs) involved in support and security of NRC systems to ensure that the process by which systems are evaluated and reported is both transparent and consistently applied.

FITARA requires agencies to provide an estimate of risk for agency-selected investments. The analytical method for estimating risk is left to the agency's discretion.

2 GENERAL REQUIREMENTS

In accordance with Title VIII of the National Defense Authorization Act of Fiscal Year (FY) 2015, Subtitle D, Federal Information Technology Acquisition Reform, commonly referred to as FITARA, agencies must comply with the following requirements for Cybersecurity Risk Rating and Reporting:

FITARA Section 831 requires the OMB, under Capital Planning Guidance, to specify requirements for federal agencies to ensure that the Chief Information Officer (CIO) of the agencies have specific authorities and responsibilities in planning, programming, budgeting, and executing processes related to information technology.

FITARA Section 832 amends Section 11302(c) of title 40, United States Code, Capital Planning and Investment Control (CPIC), requiring the OMB to make the cost, schedule, and performance data of specific IT investments publicly available. It requires the CIO of each agency to categorize the investments according to risk and review those that have a high level of risk.

[1] The National Defense Authorization Act for Fiscal Year 2015, Title VIII, Acquisition Policy, Acquisition Management, and Related Matters, Subtitle D, Federal Information Technology Acquisition Reform, commonly referred to as FITARA.

FITARA Section 833 Subsection (c)(5) requires a cybersecurity risk assessment and that it be reported in the Federal IT Dashboard (ITDB), per Section 832 Subsection (3)(3)(A).

OMB M-15-14 establishes governmentwide IT management controls that will meet FITARA requirements. It establishes a "Common Baseline" for roles, responsibilities, and authorities of the agency CIO and the roles and responsibilities that other applicable senior agency officials must follow in managing IT as a strategic resource.

OMB M-15-14 specifically requires transparency to be provided via public reporting and improved risk management in IT investments. Where possible, OMB M-15-14 incorporates agency reporting into existing OMB processes, such as PortfolioStat and the Federal ITDB:

PortfolioStat: Designed to help identify and eliminate areas of duplication and waste. It includes metrics focused on protecting federal IT assets and information and draws on topics covered in each agency's Cybersecurity Self-assessment.

Federal ITDB: Designed to provide information on governmentwide IT spending, a breakdown of types of expenditures, and a look at risk ratings for investments. Agencies must provide information to the ITDB, as required by OMB's CPIC guidance, which is issued annually in conjunction with the release of OMB Circular A-11, Planning, Budgeting, and Acquisition of Capital Assets. In accordance with the Federal Information Security Modernization Act of 2014 (FISMA), OMB Circular A-11 supplement, Capital Programming Guide, CIO evaluations must be provided for all major IT investments to reflect the current level of risk and the investment's ability to accomplish its goals.

2.1 Roles and Responsibilities

In compliance with OMB M-15-14, NRC published the NRC Common Baseline Self-Assessment and Plan, November 10, 2015. This document explains NRC's implementation of the common baseline of roles and responsibilities of the CIO and other senior agency officials in compliance with FITARA. It demonstrates how the NRC CIO retains overall accountability in the management of IT.

Table 2.1-1 provides the high-level roles and responsibilities associated with the Cybersecurity Risk Rating and Reporting process.

Table 2.1-1: Roles and Responsibilities

Chief Information Officer:
- Serves as one of the co-chairs on the IT/Information Management (IM) Portfolio Executive Council (IPEC).
- Establishes the IT/IM Board (ITB), a management-level investment review board.
- Serves as a member of the Strategic Sourcing Group (SSG), which provides oversight of strategic acquisition.
- Authorizes IT for operation in compliance with FISMA.
- Approves risk evaluation before it is reported externally in compliance with FITARA.
- Maintains visibility at all stages of the planning, programming, and budgeting process through involvement in SSG and IPEC.

Chief Information Security Officer (CISO):
- Oversees and approves FITARA risk evaluation and reports prior to submission to the CIO for acceptance.

Computer Security Organization (CSO):
- Oversees FISMA compliance, FISMA assessments, and the CIO evaluation of FITARA IT investment risk.

Executive Director for Operations (EDO):
- Ensures that statutory responsibilities regarding IT investments and their oversight are appropriately assigned to the CIO.
- Assigns the CIO as Authorizing Official (AO) for IT systems to assume formal responsibility for approving the operation of IT systems at an acceptable level of risk based on an agreed-upon set of implemented security controls, in accordance with FISMA.

ISSOs and System Owners:
- Ensure systems are compliant with all cybersecurity requirements.

3 SPECIFIC REQUIREMENTS

A key objective of FITARA is to provide visibility and involvement of the agency CIO in the management and oversight of IT resources across the agency to support the successful implementation of cybersecurity policies to prevent interruption or exploitation of program services.

NRC management and oversight of IT is accomplished in accordance with the following:

FISMA: Provides a comprehensive framework for ensuring the effectiveness of information security controls and provides a mechanism for improving oversight of federal agency information security programs.

OMB Circular A-130, Managing Federal Information as a Strategic Resource:

Requires agencies to implement a risk management framework (RMF) for the selection, implementation, and assessment of security and privacy controls, to authorize systems, and to continuously monitor information systems.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy: Provides a disciplined and structured process that integrates information security and risk management activities into the system development lifecycle. An effective implementation of the RMF ensures that managing information system-related risk is consistent with the agency's mission or business objectives, overall risk management strategy, and risk tolerance established by the senior leadership through the risk executive function, as discussed in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.

NRC's IT investment management is accomplished under the NRC CPIC and IT budget processes. The CIO serves as one of the co-chairs on IPEC. IPEC is an executive management body established to determine NRC's strategic direction for IT/IM and to manage the agency's IT portfolio by setting current FY priorities and determining the funding of IT investments that effectively integrate into the IT portfolio, as required by the following:

- Clinger-Cohen Act of 1996
- FISMA
- FITARA
- OMB Circular A-130, Managing Federal Information as a Strategic Resource

3.1 Major IT Investments

ITDB provides guidance defining Major IT investments as requiring special management attention based on the following:

- Importance to the mission or function of the government;
- Significant program or policy implications;
- High executive visibility;
- High development, operating, or maintenance costs;
- Unusual funding mechanisms; or
- Defined as major by the agency's CPIC process.

All major automated information systems should be included as defined in 10 U.S.C. 2445a.[2] All major acquisitions should be included as defined in OMB Circular A-11.

Investments not considered Major are Non-major.

As required by CPIC guidance, CIO evaluations are reported to the ITDB for all Major IT investments and reflect the CIO's assessment of the current level of risk for each. Public FITARA reports are available at itdashboard.gov.

3.2 NRC FITARA CIO Evaluation of Risk

The CIO evaluation of risk is compliant with FISMA requirements and leverages NRC's implementation of the RMF, as outlined in Management Directive (MD) 12.5, NRC Cybersecurity Program.

The method of evaluating risk is an averaged vulnerability analysis, which consists of:

- Using FISMA-generated vulnerability data, the analysis provides an average per-system calculation; and
- Combining systems into investments, based on the percentage of each system's contribution to the investment.

[2] United States Code (U.S.C.), 2006 Edition, Title 10 - ARMED FORCES, Subtitle A - General Military Law, PART IV - SERVICE, SUPPLY, AND PROCUREMENT, CHAPTER 144A - MAJOR AUTOMATED INFORMATION SYSTEM PROGRAMS, Sec. 2445a - Major automated information system program defined.

Both individual systems and investments receive a risk score and rating.

FISMA data is obtained from the:

- NRC official FISMA repository, and
- Official Vulnerability Assessment Report (VAR) repository.

3.2.1 Vulnerability Data Evaluated

The FITARA risk evaluation is based on the following FISMA-generated vulnerability data:

System Level Plan of Action and Milestones (POA&Ms): Logs unremediated weaknesses compiled from multiple sources. Each system level POA&M is aggregated by vulnerability. For each system, the total number of aggregated vulnerabilities is divided by the number of assets in the system inventory. The system asset inventory is maintained in the Continuous Diagnostics and Mitigation (CDM) database. This provides the average number of POA&Ms per system. A weighting, due to aging of POA&Ms, is then applied.

Continuous Monitoring Scans: Provides details about missing patches, missing updates, and component weaknesses. For each system, the total number of scan findings is divided by the number of assets scanned. This provides the average number of scan vulnerabilities per system.

Assessments (i.e., Authorization System Cybersecurity Assessment [ASCA], Periodic System Cybersecurity Assessment [PSCA]): Includes validation of system configurations against NRC approved baselines (hardening guides). For each system, the total number of configuration findings is divided by the number of benchmarks used in the assessment. This provides the average number of configuration vulnerabilities per system.

3.2.2 Evaluation of Risk

The evaluation of each system's investment risk is based on the following process:

Each system's averaged vulnerabilities are calculated for POA&Ms, continuous monitoring scans, and benchmark configuration compliance.

Each system is scored and rated on a scale of 1-5, with 1 being Very High.

Systems are combined into IT investments and, based on the percentage of each system's contribution, the IT investment is scored and rated on a scale of 1-5, with 1 being Very High.

Details of the investment vulnerabilities (broken out by contributing system) are included in the risk reports.
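As an added illustration of the averaged vulnerability analysis in sections 3.2.1 and 3.2.2 (this is not part of CSO-PROS-8001 and not NRC's tooling), the Python below computes the three per-system averages, applies an aging weight to the POA&M average, rates each system on the 1-5 scale, and rolls the systems up into an investment by their percentage contribution. The aging weights, the composite (mean of the three averages), and the rating thresholds are assumptions, since the process document does not publish them; the two systems and their figures are constructed sample data.

```python
from dataclasses import dataclass
from statistics import fmean

# Assumed aging weights (min age in days, weight): older unremediated POA&Ms weigh more.
AGE_WEIGHTS = ((365, 2.0), (180, 1.5), (90, 1.25), (0, 1.0))
# Assumed thresholds mapping a composite score to the 1-5 rating, 1 being Very High.
RATING_THRESHOLDS = ((2.0, 1, "Very High"), (1.5, 2, "High"),
                     (1.0, 3, "Moderate"), (0.5, 4, "Low"))

@dataclass
class SystemData:
    name: str
    poam_ages_days: list   # one entry per aggregated POA&M vulnerability
    inventory_assets: int  # asset count from the CDM inventory
    scan_findings: int     # continuous monitoring scan findings
    assets_scanned: int
    config_findings: int   # ASCA/PSCA configuration findings
    benchmarks: int        # hardening benchmarks used in the assessment

def ratio(total, denominator):
    # Guard against an empty inventory, an unscanned system, or an assessment with no benchmarks.
    return total / denominator if denominator > 0 else 0.0

def age_weight(days):
    return next((w for min_days, w in AGE_WEIGHTS if days >= min_days), 1.0)

def system_averages(s):
    """The three per-system averages of section 3.2.1: POA&Ms, scan findings, config findings."""
    poam_avg = ratio(len(s.poam_ages_days), s.inventory_assets)
    if s.poam_ages_days:  # aging weight applied after the per-asset average
        poam_avg *= fmean([age_weight(d) for d in s.poam_ages_days])
    return poam_avg, ratio(s.scan_findings, s.assets_scanned), ratio(s.config_findings, s.benchmarks)

def system_score(s):
    return fmean(system_averages(s))  # assumed composite: mean of the three averages

def rate(score):
    # Map a score to (rating, label) on the 1-5 scale; anything below the last threshold is 5.
    for threshold, rating, label in RATING_THRESHOLDS:
        if score >= threshold:
            return rating, label
    return 5, "Very Low"

def investment_score(systems, contributions):
    # Roll systems up by their percentage contribution to the investment (section 3.2.2).
    total = sum(contributions[s.name] for s in systems)
    return sum(system_score(s) * contributions[s.name] for s in systems) / total

# Constructed sample data for one investment made up of two systems.
SYSTEMS = [
    SystemData("Licensing Portal", [400, 200, 30], 10, 25, 10, 6, 4),
    SystemData("Records Archive", [10], 20, 10, 20, 2, 8),
]
CONTRIBUTIONS = {"Licensing Portal": 0.6, "Records Archive": 0.4}  # 60% / 40% of the investment

def risk_report(systems=SYSTEMS, contributions=CONTRIBUTIONS):
    """Investment rating plus a per-system breakdown, as the risk reports list contributing systems."""
    report = {s.name: (round(system_score(s), 3), *rate(system_score(s))) for s in systems}
    report["investment"] = (round(investment_score(systems, contributions), 3),
                            *rate(investment_score(systems, contributions)))
    return report
```

Calling `risk_report()` returns the score, rating, and label for each system and for the investment as a whole, which is the breakdown the process requires the risk reports to carry.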

The data and analysis methods used to assess IT investments are always evolving and improving. NRC strives to maximize the amount of useful information from enterprise cybersecurity tools to inform risk ratings.

3.2.3 Reporting of Risk

FITARA risk ratings are reported internally to the:

- Chief Information Security Officer (CISO) monthly;
- CIO quarterly; and
- Deputy Executive Director for Operations (DEDO) bi-annually.

The CIO reports the evaluation of risk in accordance with OMB M-15-14, Section C: Transparency, Risk Management, Portfolio Review, and Reporting.

APPENDIX A. ACRONYMS

AO: Authorizing Official
ASCA: Authorization System Cybersecurity Assessment
CIO: Chief Information Officer
CISO: Chief Information Security Officer
CPIC: Capital Planning and Investment Control
CSO: Computer Security Organization
DEDO: Deputy Executive Director for Operations
EDO: Executive Director for Operations
FISMA: Federal Information Security Management Act
FITARA: Federal Information Technology Acquisition Reform
FY: Fiscal Year
IM: Information Management
IPEC: IT/IM Portfolio Executive Council
ISSO: Information System Security Officer
IT: Information Technology
ITB: IT/IM Board
ITDB: Federal IT Dashboard
MD: Management Directive
NIST: National Institute of Standards and Technology
NRC: Nuclear Regulatory Commission
OMB: Office of Management and Budget
POA&M: Plan of Action and Milestones
PSCA: Periodic System Cybersecurity Assessment
RMF: Risk Management Framework
SP: Special Publication
SSG: Strategic Sourcing Group
U.S.C.: United States Code
VAR: Vulnerability Assessment Report

APPENDIX B. GLOSSARY

Chief Information Security Officer: The senior agency official responsible for the agency's Computer Security Program, who provides leadership input and oversight for all risk management and IT security activities across the agency. The CISO functions as the NRC risk executive and identifies the overall risk posture based on the aggregate risk from each of the information systems and supporting infrastructures for which the organization is responsible (e.g., security categorizations, common security control identification), which helps ensure consistent risk acceptance decisions.

Information System Security Officer: Knowledgeable in security concepts and principles as well as technical security concepts and principles.

Information Technology: Any equipment or interconnected system, or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.

APPENDIX C. REFERENCES

- OMB M-15-14, Management and Oversight of Federal Information Technology
- OMB Circular A-11, Planning, Budgeting, and Acquisition of Capital Assets
- OMB Circular A-11 supplement, Capital Programming Guide
- OMB Circular A-130, Managing Federal Information as a Strategic Resource
- Clinger-Cohen Act of 1996
- FISMA 2014
- U.S.C., Title 10 - Armed Forces, Subtitle A - General Military Law, Part IV - Service, Supply, and Procurement, Chapter 144a - Major Automated Information System Programs, Sec. 2445a - Major automated information system program defined
- NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- MD 12.5, NRC Cybersecurity Program, http://www.internal.nrc.gov/MDs/md12.5.pdf

CSO-PROS-8001 Change History

Date: 19-Jul-19
Version: 1.0
Description of Change: Initial issuance
Method Used to Announce & Distribute: OCIO/CSO website
Training: Upon request