ML22192A033
Person / Time | |
---|---|
Issue date: | 07/11/2022 |
From: | Rivera E NRC/OIG/AIGA |
To: | Dan Dorman NRC/EDO |
References | |
OIG-13-A-16 | |
Text
July 11, 2022

MEMORANDUM TO: Daniel H. Dorman, Executive Director for Operations

FROM: Eric Rivera /RA/, Acting Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

REFERENCE: DIRECTOR, OFFICE OF NUCLEAR SECURITY AND INCIDENT RESPONSE, MEMORANDUM DATED JUNE 15, 2021

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated June 15, 2022. Based on this response, recommendation 3 is now closed. Recommendations 1, 2, 4, 5, 6, and 7 were previously closed. All recommendations are now closed.
If you have questions or concerns, please call me at (301) 415-5915, or Terri Cooper, Team Leader, at (301) 415-5965.
Attachment: As stated

cc: M. Bailey, OEDO; E. Stahl, OEDO; J. Jolicoeur, OEDO; RidsEdoMailCenter Resource; EDO_ACS Distribution; OIG Liaison Resource

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930
Audit Report

AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE

OIG-13-A-16

Status of Recommendations

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Agency Response Dated June 15, 2022:

On May 2, 2022, the Office of Chief Information Officer (OCIO) recommended closure (ML22138A134) of OIG audit finding 3, Evaluate and update folder structure to meet user needs. OCIO has evaluated the folder structure and made changes to meet users' needs. NSIR agrees that the changes warrant closure of the recommendation.

OCIO made the following assessments and adjustments to arrive at this recommendation.
1. There is currently a low number of staff using the system. In 2011, when the OIG audit was performed, there were over 1,200 users of the SGI database. In 2019, changes were made that require the safeguards information local area network and electronic safe (SLES) users to log in every 90 days or have their account disabled. This change significantly lowered the user base; there are now approximately 112 SLES users. The remaining users are the most frequent users of the SLES system and are well acquainted with the current structure of the database and how to search within it.
2. A Documentum subject matter expert reviewed the proposed folder changes and did not recommend making the modifications due to the complexity of the changes and the low user base. The complexity and cost of the work required would exceed the return on investment for the small user base.
3. Changes were made to the access control lists (ACLs) to improve access to plant folders. The ACLs in Docket 72 and Docket 50 were refined so that plant level access can be easily granted to users who demonstrate a need to know. The updated ACLs provide improved control over plant documents while enabling SLES staff to grant access to specific plant information when appropriate.
4. Significant adjustments have been made to the SLES database to develop a more refined folder and access level control system that is consistent with the SGI need to know requirement and the least privilege principle. A lending library has been created to allow a user to access specific documents on an individual case-by-case basis. This enables granular control for users at the document level and maintains records of users granted access to individual documents.

With the establishment of the lending library and the refinement of ACLs at the plant level, the SLES system has achieved access which is consistent with the SGI need-to-know requirement and least privilege principle. Additionally, SLES users have expressed positive feedback regarding the plant level access and the ease of document access based on the lending library process.
Based on these adjustments and findings, OCIO and NSIR recommend closure of recommendation 3.
Staff point of contact for this recommendation: Bern Stapleton

Completed: May 2, 2022

OIG Analysis: The actions noted above by OCIO meet the intent of the recommendation. OIG reviewed documentation related to the actions noted and observed the SLES system to corroborate these changes were done as specified. Therefore, this recommendation is now closed.

Status: Closed.