ML22082A105

From kanterella
OEDO-21-00515 - Enclosure - Status of Recommendations: Independent Evaluation of the NRC's Implementation of the FISMA of 2014 for the Fiscal Year 2020 (OIG-21-A-05)
Issue date: 04/07/2022
From: NRC/OCIO
To: Mangefrida M
Shared Package: ML22082A092
References: OEDO-21-00515, OIG-21-A-05
Download: ML22082A105 (11)


Text

OFFICIAL USE ONLY - SENSITIVE INTERNAL INFORMATION

STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (OIG-21-A-05)

Status of Recommendations

Recommendation 1: Fully define the NRC's ISA across the enterprise, business processes, and system levels.

Agency Response dated November 12, 2021: The U.S. Nuclear Regulatory Commission's (NRC's) information security architecture (ISA) document was completed and signed by the Deputy Chief Information Officer on July 2, 2021.

Target Completion Date: Completed
Point of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524
Status: Closed.

Recommendation 2a: Assess enterprise, business process, and information system level risks.

Agency Response dated April 6, 2022: Conversion of the NRC from a three-tier risk model to a five-tier risk model is underway and is being piloted on the Information Technology Infrastructure. This will further align the NRC's practices with those of the National Institute of Standards and Technology (NIST) and with other Federal mandates such as the Federal Information Technology Acquisition Reform Act. The NRC has a planned completion date of the fourth quarter (Q4) of fiscal year (FY) 2022 for this action.

Target Completion Date: Q4 FY 2022
Point of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524
Status: Open: Resolved.

Recommendation 2b: Update the list of high value assets, if necessary, based on reviewing the ISA to identify risks from the supporting business functions and mission impacts.

Agency Response dated November 12, 2021: The fully defined ISA (which is a living document) references the NRC mission essential functions and primary mission essential functions as identified in the NRC's Continuity of Operations (COOP) Plan. Leveraging guidance from the Federal Chief Information Security Officer (CISO) Council and reviewing the agency's COOP Plan, the CISO and staff in the Office of the Chief Information Officer (OCIO), Government and Enterprise Management Services Division (GEMS), Cybersecurity Branch (CSB), analyzed the agency's systems and determined that it has five high-value assets (HVAs). This analysis is included in the attached Binding Operational Directive (BOD) 18-02 2020 HVA assessment for reference.

Target Completion Date: Completed
Point of Contact: Kathryn Harris, OCIO/GEMSD/CSB 301-287-0515
Status: Closed.

Recommendation 2c: If necessary, update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response dated April 6, 2022: This action was dependent on completion of the ISA. With the ISA complete, the NRC has revised the completion date to the third quarter (Q3) of FY 2022.

Target Completion Date: Q3 FY 2022
Point of Contact: Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
Status: Open: Resolved.

Recommendation 2d: Conduct an organization-wide security and privacy risk assessment and implement a process to capture lessons learned and update risk management policies, procedures, and strategies.

Agency Response dated April 6, 2022: The NRC plans to conduct an assessment of the agency's ISA over a 3-year period. The Phase 1 assessment, focused on the Identify Function, is expected to be completed in Q3 FY22 and is currently on schedule. The Phase 2 assessment, focused on the Protect and Detect Functions, is planned and expected to be completed in Q3 FY22. The Phase 3 assessment, focused on the Respond and Recover Functions, is planned and expected to be completed in Q4 FY22.

Target Completion Date: Q3 FY 2022
Points of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524; Sally Hardy, OCIO/GEMSD/CSB 301-415-5607
Status: Open: Resolved.

Recommendation 2e: Consistently assess the criticality of POA&Ms to support why a POA&M is or is not of high or moderate impact to the Confidentiality, Integrity, and Availability (CIA) of the information system, data, and mission.

Agency Response dated April 6, 2022: OCIO will assess the criticality of system plans of action and milestones (POA&Ms) and the risk to the associated systems, data, and mission functions.

Target Completion Date: Q4 FY 2022
Point of Contact: Bill Bauer, OCIO/GEMSD/CSB 301-415-5842
Status: Open: Resolved.

Recommendation 2f: Assess the NRC supply chain risk and fully define performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.

Agency Response dated April 6, 2022: The NRC has defined an acquisition process, CSO-PROS-0005, Information and Communications Technology Acquisition Process, dated March 18, 2021, available on the internal Cybersecurity Organization (CSO) SharePoint site, to identify contract requirements for the supply chain. Additionally, the NRC is developing a supplemental Supply Chain Risk Assessment process that will provide a basis for measuring and monitoring metrics to assess risks associated with contractor systems and services. The agency plans to complete this action by the third quarter (Q3) of FY 2022.

Target Completion Date: Q3 FY 2022
Points of Contact: Kathy Lyons-Burke, OCIO/FO 301-415-6595; Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
Status: Open: Resolved.

Recommendation 3: Continue to monitor the remediation of critical and high vulnerabilities and identify a means to assign and track progress of timely remediation of vulnerabilities.

Agency Response dated November 12, 2021: The NRC is using the agency's approved POA&M process as the means to assign and track the progress of vulnerability remediation activities. The NRC POA&M process is described in CSO-PROS-2016, ADAMS Accession No. ML13326A241.

In addition, the NRC produces a daily situational awareness report that is used to identify, remediate, and monitor vulnerabilities in the NRC networking environment. A sample security report document, Situational Awareness Daily Report 10-26-21.pdf, is available at ADAMS Accession No. ML20182A779.

Target Completion Date: Complete
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660; David Offutt, OCIO/SDOD/NSOB 301-287-0636
Status: Closed.

Recommendation 4: Centralize system privileged and non-privileged user access review, audit log activity monitoring, and management of Personal Identity Verification (PIV) or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential access to all the NRC systems (findings noted in bullets 1, 3, and 4 above) by continuing efforts to implement these capabilities using the Splunk QAudit, SailPoint, and CyberArk automated tools.

Agency Response dated April 6, 2022: The NRC will identify a means to centralize the review of privileged and nonprivileged user access, audit log activity monitoring, and manage PIV or IAL 3/AAL 3 credential access to all NRC systems by continuing efforts to implement these capabilities using the Splunk Q-Audit, SailPoint, and CyberArk automated tools. The agency plans to complete this action by Q3 FY 2022.

Target Completion Date: Q3 FY 2022
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660; David Offutt, OCIO/SDOD/NSOB 301-287-0636
Status: Open: Resolved.

Recommendation 5: Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's on-boarding procedures prior to these individuals being granted access to the NRC's systems and information.

Agency Response dated April 6, 2022: The NRC is evaluating ownership of this function and the need for an associated process update. Once ownership is established, the agency will review the corresponding process to incorporate any additional requirements for granting system access.

Target Completion Date: Q4 FY 2022
Point of Contact: Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
Status: Open: Resolved.

Recommendation 6: Continue efforts to identify individuals having additional responsibilities for PII or activities involving PII and develop role-based privacy training for them to be completed annually.

Agency Response dated April 6, 2022: The NRC will continue to identify individuals with responsibilities or activities involving personally identifiable information (PII) and develop or identify the appropriate training based on Federal Government standards.

Target Completion Date: Q3 FY 2022
Point of Contact: Sally Hardy, OCIO/GEMSD/CSB 301-415-5607
Status: Open: Resolved.

Recommendation 7: Implement the technical capability to restrict access or not allow access to the NRC's systems until new NRC employees and contractors have completed security awareness training and role-based training, as applicable.

Agency Response dated April 6, 2022: The NRC will perform a cost-benefit analysis of the cost of implementing a technical capability versus the risk of maintaining the current process.

Target Completion Date: Q3 FY 2022
Point of Contact: Michael Mangefrida, OCIO/GEMSD/CSB 301-298-8913
Status: Open: Resolved.

Recommendation 8: Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Agency Response dated April 6, 2022: OCIO will work with the Office of the Chief Human Capital Officer, the National Treasury Employees Union, and other stakeholders to determine whether this would be feasible for the workforce.

Target Completion Date: Q3 FY 2022
Point of Contact: Michael Mangefrida, OCIO/GEMSD/CSB 301-298-8913
Status: Open: Resolved.

Recommendation 9: Implement metrics to measure and reduce the time it takes to investigate an event and declare it as a reportable or non-reportable incident to US-CERT.

Agency Response dated April 6, 2022: The NRC will implement metrics to measure the effectiveness of the process for investigating an event and determining whether it is an incident reportable to the U.S. Computer Emergency Readiness Team (US-CERT).

Target Completion Date: Q3 FY 2022
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660; David Offutt, OCIO/SDOD/NSOB 301-287-0636
Status: Open: Resolved.

Recommendation 10: Conduct an organizational level BIA [business impact assessment] to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Agency Response dated April 6, 2022: OCIO will evaluate contingency planning requirements and associated priorities to determine the impact and related updates to policies and procedures.

Target Completion Date: Q3 FY 2023
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
Status: Open: Resolved.

Recommendation 11: For low-availability categorized systems, complete an initial BIA and update the BIA whenever a major change occurs to the system or the mission that it supports. Address any necessary updates to the system contingency plan based on the completion of, or updates to, the system-level BIA.

Agency Response dated April 6, 2022: OCIO will evaluate contingency planning requirements and associated priorities to determine the impact and related updates to policies and procedures.

Target Completion Date: Q3 FY 2023
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
Status: Open: Resolved.

Recommendation 12: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Agency Response dated April 6, 2022: OCIO will evaluate existing metrics for assessing the effectiveness of system contingency plans against related plans. Once assessed, the staff will review and update the corresponding plans accordingly.

Target Completion Date: Q4 FY 2023
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
Status: Open: Resolved.

Recommendation 13: Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans.

Agency Response dated April 6, 2022: The NRC will perform a cost-benefit analysis of the cost of implementing a technical capability versus the risk of maintaining or supplementing the current process.

Target Completion Date: Q4 FY 2023
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
Status: Open: Resolved.