ML22314A164

| Person / Time | |
|---|---|
| Issue date: | 11/08/2022 |
| From: | Virkar H, NRC/OIG/AIGA |
| To: | Biggins J, Defense Nuclear Facilities Safety Board |
| References: | DNFSB-21-A-04 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

MEMORANDUM

DATE: November 8, 2022
TO: James Biggins, Acting Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits
SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (DNFSB-21-A-04)
REFERENCE: GENERAL MANAGER, DEFENSE NUCLEAR FACILITIES SAFETY BOARD, CORRESPONDENCE DATED AUGUST 23, 2022

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations as discussed in the DNFSB's response dated August 23, 2022. Based on this response, all recommendations (1 through 14) are open and resolved. Please provide an updated status of the open and resolved recommendations by March 1, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: T. Tadlock, OEDO
Evaluation Report
INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020
Status of Recommendations (DNFSB-21-A-04)

Recommendation 1:
Define an ISA in accordance with the Federal Enterprise Architecture Framework.
Agency Response Dated August 23, 2022:
In response to EO 14028, OMB M-22-09, and other recent OMB Memorandums related to Zero Trust, DNFSB is developing a Zero Trust Architecture (ZTA) Implementation Plan. When completed, this plan will serve as the equivalent of both an Enterprise Architecture and Information Security Architecture, therefore remediating this recommendation.
While the ZTA Implementation Plan is a living document, DNFSB anticipates having a final version developed and approved by end of Q4 FY22.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB has defined an ISA in accordance with the Federal Enterprise Architecture Framework.
Status:
Open: Resolved.
Recommendation 2:
Use the fully defined ISA to:
- a. Assess enterprise, business process, and information system level risks;
- b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;
- c. Conduct an organization wide security and privacy risk assessment; and,
- d. Conduct a supply chain risk assessment.
Agency Response Dated August 23, 2022:
DNFSB is continuing to refine its risk management processes to document risk for all information systems used by the agency, which will then allow risk to be evaluated at the business process and enterprise level. DNFSB will determine the most effective way to perform an organization wide security and privacy risk assessment given the agency's size and available resources. DNFSB will determine the most effective way to perform a supply chain risk assessment given the agency's size and available resources and then update contingency planning policies and procedures and related supply chain risk management (SCRM) policies and procedures. DNFSB anticipates completing these tasks by Q3 FY23.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB's fully defined ISA is used in accordance with our recommendation.
Status:
Open: Resolved.
Recommendation 3:
Using the results of recommendations one (1) and two (2) above:
- a. Collaborate with the DNFSB's Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;
- b. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;
- c. Implement a centralized view of risk across the organization; and,
- d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.
Agency Response Dated August 23, 2022:
DNFSB anticipates completing these tasks by Q4 FY 2023.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB fully completes all four elements in our recommendation.
Status:
Open: Resolved.
Recommendation 4:
Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
Agency Response Dated August 23, 2022:
Since the conclusion of the FY20 FISMA audit, DNFSB has implemented multiple tools that maintain an up-to-date, complete, accurate and readily available Agency-wide view of the security configurations for all GSS components in near real-time. These include:
- Qualys Cloud platform: provided by the DHS CDM program, DNFSB has installed a Qualys scanner on the GSS internal network and installed Qualys agents on all GSS components for which an agent exists, which includes all Windows end-user computers and servers. Qualys performs both uncredentialed IP-based scans of the entire GSS IP address space and credentialed scans of all supported devices. These scans provide a complete asset inventory of all hardware devices connected to the GSS and all software installed on devices with Qualys agents, along with any identified vulnerabilities and misconfigurations. The Qualys data is then used to create DNFSB's CDM Agency Dashboard, which applies scoring algorithms (the AWARE Score) to the Qualys scan data.
- Microsoft 365 Defender Portal: The Microsoft 365 (M365) Defender portal integrates multiple Microsoft security tools including Microsoft Defender for Endpoint (MDE), Microsoft Defender for Identity (MDI), Microsoft Defender for Cloud Apps (MDCA), Microsoft Intune and Azure AD Premium P2. MDE clients are installed on all Windows end-user computers and servers, and all end-user computers and mobile devices (agency-issued iPhones) are managed by Intune. The M365 Defender portal also provides a hardware inventory of all Windows computers and IoT devices connected to the GSS, and all software installed on all Windows computers.
- ForeScout CounterAct Appliance: DNFSB continues to refine the configuration of its CounterAct appliance, which provides visibility into all devices that connect to the DNFSB network. CounterAct performs network-based inventory of all devices connected to the GSS using a variety of scanning methods (IP ports & protocols, HTTP, NetBIOS and SNMP).
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB finalized the implementation of a centralized, automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real-time, and provides documentation of ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
Status:
Open: Resolved.
Recommendation 5:
Conduct remedial training to re-enforce requirements for documenting CCB's approvals and security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.
Agency Response Dated August 23, 2022:
DNFSB has developed and delivered remedial training for all members of the IT staff that can submit change requests in the agency's IT help desk ticketing system (Track-IT!) that describes the process for creating change request tickets, documents the requirements for what information must be included in each change request ticket (security impact assessment (SIA) form, testing plan, and rollback procedures), and explains the process for attaching SIA forms to change request tickets. The standard operating procedures for DNFSB's IT support contractors have been updated to perform a monthly review of all change request tickets to ensure that every ticket includes all required information (SIA forms, testing plans & rollback procedures) and that tickets require approval from more than just the submitter of the ticket (except for specific ticket types that only require CIO or CISO approval).
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB conducted remedial training to re-enforce requirements for documenting CCB's approvals and security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.
Status:
Open: Resolved.
Recommendation 6:
Implement procedures and define roles for reviewing configuration change activities to the DNFSB's information system production environment by those with privileged access to verify the activity was approved by the system CCB and executed appropriately.
Agency Response Dated August 23, 2022:
DNFSB has developed and delivered remedial training for all members of the IT staff that can submit change requests in the agency's IT help desk ticketing system (Track-IT!) that describes the process for creating change request tickets, documents the requirements for what information must be included in each change request ticket (security impact assessment (SIA) form, testing plan, and rollback procedures), and explains the process for attaching SIA forms to change request tickets. The standard operating procedures for DNFSB's IT support contractors have been updated to perform a monthly review of all change request tickets to ensure that every ticket includes all required information (SIA forms, testing plans & rollback procedures) and that tickets require approval from more than just the submitter of the ticket (except for specific ticket types that only require CIO or CISO approval).
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB implemented procedures and defined roles for reviewing configuration change activities to the DNFSB's information system production environment by those with privileged access to verify the activity was appropriately approved and executed.
Status:
Open: Resolved.
Recommendation 7:
Implement a technical capability to restrict new employees and contractors from being granted access to the DNFSB's systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.
Agency Response Dated August 23, 2022:
DNFSB developed a Security Awareness Training Policy that outlines the requirements for annual IT-security related trainings DNFSB users are required to complete every year.
A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. The annual cybersecurity awareness training and phishing and social engineering awareness training that all DNFSB users must take address privacy and data protection responsibilities, and the role-based privileged user training that all users identified as privileged users must complete contains additional information regarding privacy and data protection responsibilities. In addition, dedicated Annual Privacy Act Training was given to all DNFSB users in August & September 2021 and is being given again in August & September of 2022.
DNFSB developed and published New Hire Procedures that require DNFSB Help Desk staff to ensure that new users (federal employees & contractors) have completed all mandatory security-related training (as documented in the Security Awareness Training Policy discussed above) and have submitted a signed DNFSB Information Systems User Agreement/Rules of Behavior + IT Equipment Agreement form prior to network accounts being created and access to these accounts being given to new users.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB implemented a technical capability to restrict new employees and contractors from being granted access to the DNFSB's systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.
Status:
Open: Resolved.
Recommendation 8:
Implement the technical capability to require PIV or Identification and Authentication Level of Assurance (IAL) 3 to all DNFSB privileged accounts.
Agency Response Dated August 23, 2022:
DNFSB has implemented the use of FIDO2 tokens (Yubico Yubikey 5 FIPS series tokens), which meet NIST SP 800-63B Authentication Level of Assurance (AAL3) standards, for all Office 365 privileged accounts. This includes privileged accounts for key services such as Exchange Online, SharePoint Online/OneDrive for Business, Teams, Azure AD, and all security related tools in the Microsoft 365 Defender portal. Office 365 privileged users use their agency-issued Yubikey tokens to authenticate to their Office 365 privileged roles after logging into their non-privileged user account as described below.
For local on-premise privileged accounts, such as local Active Directory access and Administrator accounts on Windows servers, VMware, etc., all users with privileged accounts must first authenticate (to an agency-issued, hybrid Azure AD-joined computer that contains a TPM chip) using Windows Hello for Business (WHfB), which leverages FIDO2 and WebAuthn standards to create an AAL3-equivalent authentication. WHfB enrollments are unique to each device and use the TPM chips to securely store credential information locally on each device, so a user's WHfB credentials do not exist on a centralized identity server that can be compromised. Once a user successfully authenticates to their standard user account using WHfB, they can then elevate to their local privileged accounts. DNFSB is in the process of deploying new certificate authority servers, and once these are put into production, Yubikey tokens will also be able to be required for authenticating to local privileged accounts.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB implemented the technical capability to require PIV or Identification and Authentication Level of Assurance (IAL) 3 to all DNFSB privileged accounts.
Status:
Open: Resolved.
Recommendation 9:
Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
Agency Response Dated August 23, 2022:
DNFSB has implemented procedures such as setting the expiration date of privileged user accounts to the date of completion of the annual privileged user training, which will automatically disable privileged accounts if privileged user training hasn't been completed again. DNFSB has an automated process for generating alerts for inactive accounts, which are then manually reviewed prior to being disabled. DNFSB has very limited use of emergency accounts (currently only two exist) and any use of the emergency accounts is closely audited. DNFSB has also implemented policies for Office 365 that will automatically block access to any user accounts or user sign-ins that any of the Microsoft Defender tools classify as High risk. DNFSB will pursue a way to automate the disabling or removal of privileged accounts, pending availability of funds.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB implemented automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
Status:
Open: Resolved.
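The two automated controls the agency describes under Recommendation 9 (privileged-account expiry tied to annual privileged-user training, and alerting on inactive accounts for manual review) can both be driven from Active Directory with the standard ActiveDirectory PowerShell module. The script below is an added example, not code from the DNFSB response or the OIG memo. It assumes (hypothetically) that privileged accounts are members of a group named `PrivilegedUsers`, that the training system exports completions as a CSV with columns `SamAccountName,CompletedOn`, and it reads "expiration date set to the training completion date" as an expiry one year after that date, so that an account whose holder has not retrained lapses on its own.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not part of the DNFSB response or the OIG memo).
  Control 1: each privileged account's AD expiration date follows the holder's
             most recent annual privileged-user training completion, so AD
             disables the account automatically when retraining lapses.
  Control 2: enabled accounts with no logon in the last $InactiveDays days are
             reported for manual review; nothing is disabled here.
  Assumptions (hypothetical): group 'PrivilegedUsers' holds the privileged
  accounts; the training export is a CSV with SamAccountName,CompletedOn.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TrainingCsv     = '.\privileged-training-completions.csv',  # hypothetical export
    [string]$PrivilegedGroup = 'PrivilegedUsers',                        # hypothetical group
    [int]$TrainingValidDays  = 365,   # annual training: expiry = completion + 365 days
    [int]$InactiveDays       = 90     # threshold for the inactive-account alert list
)

Import-Module ActiveDirectory

# Latest training completion per account, keyed by SamAccountName.
$latestCompletion = @{}
foreach ($row in Import-Csv -Path $TrainingCsv) {
    $when = [datetime]$row.CompletedOn
    $name = $row.SamAccountName
    if (-not $latestCompletion.ContainsKey($name) -or $when -gt $latestCompletion[$name]) {
        $latestCompletion[$name] = $when
    }
}

# --- Control 1: privileged-account expiry follows training completion ----------
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountExpirationDate, Enabled

foreach ($acct in $privileged) {
    $name = $acct.SamAccountName
    if (-not $latestCompletion.ContainsKey($name)) {
        # No completion on record: never extend. The existing expiry stands and
        # AD disables the account when it passes.
        Write-Warning "$name has no training completion on record; current expiry: $($acct.AccountExpirationDate)"
        continue
    }
    $expires = $latestCompletion[$name].AddDays($TrainingValidDays)
    if ($acct.AccountExpirationDate -ne $expires -and
        $PSCmdlet.ShouldProcess($name, "Set account expiration to $expires")) {
        Set-ADAccountExpiration -Identity $acct -DateTime $expires
    }
}

# --- Control 2: alert on inactive accounts for manual review --------------------
$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$inactive = Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
    Where-Object { $_.Enabled }

if ($inactive) {
    Write-Warning "$(@($inactive).Count) enabled account(s) with no logon since $($cutoff.ToShortDateString()); review before disabling:"
    $inactive | Select-Object SamAccountName, LastLogonDate, DistinguishedName | Format-Table -AutoSize
}
```

Run it with `-WhatIf` first to see which expiration dates would change without touching the directory. Two design points matter for the control's integrity: an account with no training record is never extended (the script only ever moves expiry forward for accounts with a recorded completion), and the inactive list is reported rather than acted on, matching the manual-review step the response describes.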
Recommendation 10:
Continue efforts to develop and implement role-based privacy training.
Agency Response Dated August 23, 2022:
DNFSB developed a Security Awareness Training Policy that outlines the requirements for annual IT-security related trainings DNFSB users are required to complete every year.
A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. The annual cybersecurity awareness training and phishing and social engineering awareness training that all DNFSB users must take address privacy and data protection responsibilities, and the role-based privileged user training that all users identified as privileged users must complete contains additional information regarding privacy and data protection responsibilities. In addition, dedicated Annual Privacy Act Training was given to all DNFSB users in August & September 2021 and is being given again in August & September of 2022.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB continues developing and implementing role-based privacy training.
Status:
Open: Resolved.
Recommendation 11:
Conduct the agency's annual breach response plan exercise for FY21.
Agency Response Dated August 23, 2022:
While DNFSB cannot conduct an annual breach response plan exercise for FY2021, DNFSB will conduct an annual breach response plan exercise before the end of FY 2022.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB conducted the agency's annual breach response plan exercise for FY21.
Status:
Open: Resolved.
Recommendation 12:
Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
Agency Response Dated August 23, 2022:
DNFSB will publish the updated version of its Risk Management Framework which defines a frequency for conducting risk assessments, by end of Q4 FY22.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB is continuing current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
Status:
Open: Resolved.
Recommendation 13:
Update the DNFSB's incident response plan to include profiling techniques for identifying incidents and strategies to contain all types of major incidents.
Agency Response Dated August 23, 2022:
DNFSB updated its existing Incident Response Plan for the DNFSB GSS that reflects US-CERT incident reporting guidelines. A draft version of the updated document was provided to the FISMA auditors during their fieldwork in response to a PBC item request and a final version has been approved by the DNFSB CIO. During the course of the FY22 FISMA audit fieldwork, the auditors indicated that based on their review of the updated document, they consider this recommendation closed.
DNFSB has also developed and continues to update a Cyber Playbook (currently at V. 1.5). A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request. The Cyber Playbook identifies the most likely types of cyber attacks and documents specific incident response procedures to follow to ensure consistent responses to security incidents.
DNFSB will finalize updates to both of these documents by the end of Q4 FY22.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB updated the agency's incident response plan to include profiling techniques for identifying incidents and strategies to contain all types of major incidents.
Status:
Open: Resolved.
Recommendation 14:
Based on the results of the DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update the DNFSB's contingency planning policies and procedures to address ICT supply chain risk.
Agency Response Dated August 23, 2022:
DNFSB will determine the most effective way to perform a supply chain risk assessment given the agency's size and available resources and then update contingency planning policies and procedures and related supply chain risk management (SCRM) policies and procedures. DNFSB anticipates completing these tasks by Q3 FY23.
OIG Analysis:
This recommendation will be closed when the OIG verifies that the DNFSB updated its contingency planning policies and procedures to address ICT supply chain risk, based on the DNFSB's supply chain risk assessment results included in the recommendation for the Identify function.
Status:
Open: Resolved.