ML23003A800

| Field | Value |
|---|---|
| Accession number | ML23003A800 |
| Issue date | 12/29/2022 |
| From | Virkar H NRC/OIG/AIGA |
| To | Roscetti C Defense Nuclear Facilities Safety Board |
| References | DNFSB-22-A-07 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

MEMORANDUM

DATE: December 29, 2022

TO: Christopher Roscetti, Acting Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022 (DNFSB-22-A-07)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED NOVEMBER 1, 2022

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated November 1, 2022. Based on this response, recommendations 1 through 7 and 10 are open and resolved. Recommendations 8, 9, and 11 are now closed. Please provide an updated status of the open and resolved recommendations by March 1, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: J. Biggins, GM
T. Tadlock, OEDO
N. Thomas-Hawkins, OEDO
Audit Report: AUDIT OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022, Status of Recommendations (DNFSB-22-A-07)

Recommendation 1:
Implement a process to ensure a security control assessment for the DNFSB GSS is completed and documented on an annual basis.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB is in negotiations with the Department of Interior's (DoI) OCIO Information Systems Security Line of Business Center of Excellence (ISSLOB COE) to perform a security control assessment of the DNFSB GSS. DNFSB has submitted an Assessment & Authorization questionnaire along with related documents and network diagrams to enable the ISSLOB COE to develop a pricing proposal for the DNFSB.
Actions planned to be taken: Once DNFSB receives the pricing proposal from ISSLOB COE, DNFSB intends to have a complete security control assessment, along with an assessment of security policies and procedures related to the DNFSB GSS and penetration testing of the DNFSB GSS (pending availability of funds).
Estimated remediation date: 90 days from the execution of a Memorandum of Understanding (MOU)/inter-agency agreement (IAA) with the DOI ISSLOB COE.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB implements a process to ensure a security control assessment for the DNFSB GSS is completed and documented on an annual basis.
Status:
Open: Resolved.
Recommendation 2:
Implement a process to validate the DNFSB GSS security authorization is maintained in accordance with DNFSB policy.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB has updated the majority of documents that form the DNFSB GSS authorization package, including the DNFSB GSS System Categorization Document (SCD), the DNFSB GSS System Security Plan (SSP), the DNFSB GSS Privacy Impact Assessment (PIA), and the resulting DNFSB GSS Plan of Actions & Milestones (POA&M), along with other agency-wide security policies. DNFSB is in ongoing negotiations with the Department of Interior's (DoI) OCIO Information Systems Security Line of Business Center of Excellence (ISSLOB COE) to perform a security control assessment of the DNFSB GSS. Once the security control assessment is performed, the resulting security assessment report (SAR) will be included in an updated accreditation package for the DNFSB GSS's authorizing official to review and approve.
Actions planned to be taken: Enter into an IAA with the DOI ISSLOB COE to perform a security control assessment, use the resulting SAR to produce an updated accreditation package for the DNFSB GSS, and present it to the DNFSB GSS's AO for review. This will allow the AO to issue an updated authority to operate (ATO) valid for 3 years.
Estimated remediation date: 60 days from the completion of DOI's security control assessment.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB implements a process to validate the DNFSB GSS security authorization is maintained in accordance with DNFSB policy.
Status:
Open: Resolved.
Recommendation 3:
Enforce existing DNFSB policy requirements to document security impact analyses, test plans, test results and backout plan requirements for each change.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB had all members of the IT staff that can submit change request tickets complete training that covered the process for creating change management tickets, and the requirement for the majority of change management ticket categories to include a security impact assessment (SIA) along with rollback procedures and testing plans. The current practice is for SIA forms to be completed as stand-alone documents that are attached to change management tickets, and rollback procedures and testing plans are documented in notes within the change management tickets. In addition to this training, the DNFSB IT support contractor's standard operating procedures (SOP) have been updated to include a monthly review of all submitted change management tickets to ensure that all required information (SIA, rollback procedures and testing plans) is included in all change management tickets that require it.
Actions planned to be taken: Continue to follow the SOPs listed above.
Estimated remediation date: DNFSB considers Recommendation 2022-3 to be fully remediated.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB provides documentation of the training and the contractor's updated SOPs.
Status:
Open: Resolved.
Recommendation 4:
Complete the implementation and consistent performance of monthly reviews to ensure security impact analyses, test plans, test results and backout plans are documented as required for each change.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: The DNFSB IT support contractor's standard operating procedures (SOP) have been updated to include a monthly review of all submitted change management tickets to ensure that all required information (SIA, rollback procedures and testing plans) is included in all change management tickets that require it.
Actions planned to be taken: Continue to follow the SOPs listed above.
Estimated remediation date: DNFSB considers Recommendation 2022-4 to be fully remediated.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB provides the contractor's updated SOPs.
Status:
Open: Resolved.
Recommendation 5:
Complete the implementation of the configuration management training program and provide periodic refreshers to ensure evidence requirements are captured for change tickets.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: The DNFSB IT support contractor's standard operating procedures (SOP) have been updated to include a monthly review of all submitted change management tickets to ensure that all required information (SIA, rollback procedures and testing plans) is included in all change management tickets that require it.
Actions planned to be taken: Continue to follow the SOPs listed above.
Estimated remediation date: DNFSB considers Recommendation 2022-4 to be fully remediated.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC assesses the NRC supply chain risk and fully defines performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.
Status:
Open: Resolved.
Recommendation 6:
Update the current change process, the Track-It! tool or both to enforce segregation of duties controls for a requestor and an approver of a change (e.g., requiring a second approver signature for all non-emergency changes, when the requester is eligible to be an approver).
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: Based on revisions to the DNFSB Configuration Management Policy, all change requests require a minimum of 3 approvals prior to implementation. There are ongoing efforts to revise the Track-It! ticket types to reflect this change.
Actions planned to be taken: Continue to follow the SOPs listed above.
Estimated remediation date: DNFSB considers Recommendation 2022-6 to be fully remediated.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG reviewed an example of the new ticket of a request for change but not the revisions to the DNFSB Configuration Management Policy. The OIG will close this recommendation when the DNFSB provides the updated policy for the change process.
Status:
Open: Resolved.
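The monthly ticket review described under Recommendations 3 through 5 and the segregation-of-duties control under Recommendation 6 are both checks that can be run mechanically over exported change tickets. The following is an added illustration, not DNFSB's or the contractor's SOP or a Track-It! integration: the ticket fields, the category names and the sample tickets are constructed for the example, and the rule that emergency changes are exempt from the SIA/rollback/test-plan evidence is an assumption (the page says only that "the majority" of ticket categories require them).

```python
from dataclasses import dataclass
from datetime import date

# Categories whose tickets must carry an SIA, rollback procedure and test plan.
# The category names are constructed for this example; the page only says that
# "the majority of change management ticket categories" require them.
CATEGORIES_REQUIRING_EVIDENCE = {"standard", "normal"}
# Minimum number of approvals under the revised Configuration Management Policy.
MIN_APPROVALS = 3


@dataclass
class ChangeTicket:
    ticket_id: str
    category: str          # "standard", "normal" or "emergency" (constructed)
    requester: str
    approvers: list        # user names recorded as approving the change
    sia_attached: bool     # stand-alone SIA form attached to the ticket
    rollback_notes: str    # rollback procedure recorded in the ticket notes
    test_plan_notes: str   # testing plan recorded in the ticket notes
    submitted: date


def audit_ticket(t: ChangeTicket) -> list:
    """Return the list of findings for one ticket (empty means compliant)."""
    findings = []
    if t.category in CATEGORIES_REQUIRING_EVIDENCE:
        if not t.sia_attached:
            findings.append("missing SIA")
        if not t.rollback_notes.strip():
            findings.append("missing rollback procedure")
        if not t.test_plan_notes.strip():
            findings.append("missing test plan")
    distinct = set(t.approvers)
    # Segregation of duties: the requester may not count as one of the approvers.
    if t.requester in distinct:
        findings.append("requester approved own change")
    if len(distinct - {t.requester}) < MIN_APPROVALS:
        findings.append(f"fewer than {MIN_APPROVALS} independent approvals")
    return findings


def monthly_review(tickets, year: int, month: int) -> dict:
    """Audit every ticket submitted in the given month: {ticket_id: findings}."""
    return {t.ticket_id: audit_ticket(t)
            for t in tickets
            if t.submitted.year == year and t.submitted.month == month}


# Constructed sample tickets (not DNFSB data).
SAMPLE_TICKETS = [
    ChangeTicket("CHG-1001", "standard", "alice", ["bob", "carol", "dave"],
                 True, "Restore previous GPO from backup.", "Apply to pilot ring first.",
                 date(2022, 10, 3)),
    ChangeTicket("CHG-1002", "standard", "alice", ["alice", "bob", "carol"],
                 False, "", "Verify service starts.", date(2022, 10, 12)),
    ChangeTicket("CHG-1003", "emergency", "bob", ["carol", "dave", "erin"],
                 False, "", "", date(2022, 10, 20)),
    ChangeTicket("CHG-1004", "standard", "carol", ["alice", "bob"],
                 True, "Revert package.", "Smoke test.", date(2022, 9, 28)),
]

if __name__ == "__main__":
    for ticket_id, findings in monthly_review(SAMPLE_TICKETS, 2022, 10).items():
        print(ticket_id, "OK" if not findings else "; ".join(findings))
```

The review output for a month is the evidence the OIG asks for in its analysis: a ticket with an empty findings list satisfies both the evidence and the approval requirements, and any non-empty list names exactly which required item or approval is missing.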
Recommendation 7:
Create procedures for vulnerability and compliance management based on risk and level of effort involved to mitigate confirmed vulnerabilities case-by-case such as:
- a. Prioritizing mitigation in accordance with all requirements specified by CISA BOD 22, "Reducing the Significant Risk of Known Exploited Vulnerabilities", and Emergency Directives, as applicable.
- b. Opening plans of action and milestones to track critical and high vulnerabilities that cannot be addressed within 30 days.
- c. Preparing risk-based decisions in unusual circumstances when there is a technical or cost limitation making mitigation of a critical or high vulnerability infeasible with documented, effective compensating controls coupled with a clear timeframe for planned remediation.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB began prioritizing the remediation of Known Exploited Vulnerabilities (KEVs), as they are required to be patched within 14 days of being added to CISA's KEV Catalog. The Qualys scanner provides a dashboard view that makes it easy to identify which vulnerabilities are KEVs so that they can be targeted for remediation.
Actions planned to be taken: DNFSB's draft System and Information Integrity (SI) policy contains the following statement: "Security-relevant software and firmware updates shall be installed within 30 days of the release of the updates. For those vulnerabilities that are classified by the Cybersecurity and Infrastructure Security Agency (CISA) as a Known Exploited Vulnerability (KEV), the required updates shall be installed within 14 days of release. The Common Vulnerability Scoring System (CVSS) v3 severities shall be used to prioritize all other vulnerability patching."
Estimated remediation date: December 31, 2022.
Actions planned to be taken: DNFSB's draft System and Information Integrity (SI) policy contains the following statement: "Flaw remediation shall be incorporated into the organizational configuration management process. Security-relevant software and firmware updates that are unable to be installed within their appropriate remediation window shall be documented in a Plan of Actions and Milestones (POA&M)." DNFSB will start creating POA&M items for critical and high vulnerabilities that cannot be patched within 30 days upon publication of the SI policy.
Estimated remediation date: December 31, 2022.
Actions taken by October 31, 2022: DNFSB updated its Risk Management Framework (RMF) Handbook on September 29, 2022. The RMF Handbook contains the following language: "The assessor and CISO must review the results of the security control assessment to determine the appropriate steps to address the weakness(es). The CISO and designated officials may determine an assessment result identified as 'Other than Satisfied' is inconsequential to the security of the system and is a candidate for risk acceptance.
There may also be situations where a weakness exists, but the CISO deems that remediation is not cost efficient or in some cases not possible without adversely impacting the system operations. In such cases the CISO, with approval from the Risk Executive function, should recommend the POA&M for risk acceptance to the AO. Other findings may be determined to have an impact to the system and be considered for remediation. Remediation priorities are set based on High, Medium, or Low risk levels."
Actions planned to be taken: DNFSB will add specific language to existing policies and procedures that provides clear guidance for the creation and approval of risk acceptance memos whenever there is a technical or cost limitation making mitigation of a critical or high vulnerability infeasible with documented, effective compensating controls coupled with a clear timeframe for planned remediation.
Estimated remediation date: December 31, 2022.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB completes its procedures for vulnerability and compliance management based on risk and level of effort involved to mitigate confirmed vulnerabilities in the listed cases.
Status:
Open: Resolved.
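The draft SI policy quoted in the agency's response amounts to a small set of rules: a 14-day window for KEV entries, a 30-day window for every other security-relevant update, CVSS v3 severity to order the rest, and a POA&M item for critical and high findings that miss their window. The block below is an added worked example of those rules applied to constructed scan findings; it is not DNFSB's procedure, the Qualys data model, or a CISA tool. The `Finding` fields and the sample records are assumptions, the CVE identifiers are placeholders, and the POA&M rule combines the two policy statements (past its window and either a KEV or rated critical/high), which is this example's reading rather than text from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the draft SI policy quoted above.
KEV_WINDOW_DAYS = 14       # CISA Known Exploited Vulnerabilities
DEFAULT_WINDOW_DAYS = 30   # all other security-relevant updates
# Severities that get a POA&M item when they cannot be patched within the window.
POAM_SEVERITIES = {"critical", "high"}


def cvss_severity(score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST's standard bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    cve: str            # placeholder identifiers below; not real CVE numbers
    asset: str
    cvss_v3: float
    fix_released: date  # vendor release date of the security update
    in_kev: bool        # listed in CISA's KEV Catalog
    patched: bool = False


def remediation_deadline(f: Finding) -> date:
    """Date by which the update must be installed under the policy."""
    window = KEV_WINDOW_DAYS if f.in_kev else DEFAULT_WINDOW_DAYS
    return f.fix_released + timedelta(days=window)


def triage(findings, today: date):
    """Return (open findings ordered by urgency, findings needing a POA&M item).

    Ordering: KEV entries first, then CVSS v3 score descending, then earliest
    deadline. A finding needs a POA&M item when it is past its window and is a
    KEV or rated critical/high (assumption combining the two policy statements).
    """
    open_findings = [f for f in findings if not f.patched]
    ordered = sorted(open_findings,
                     key=lambda f: (not f.in_kev, -f.cvss_v3, remediation_deadline(f)))
    poam = [f for f in ordered
            if remediation_deadline(f) < today
            and (f.in_kev or cvss_severity(f.cvss_v3) in POAM_SEVERITIES)]
    return ordered, poam


# Constructed sample scan findings (not DNFSB data; CVE ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", "srv-web01", 9.8, date(2022, 10, 10), in_kev=True),
    Finding("CVE-EXAMPLE-2", "ws-0101", 8.1, date(2022, 10, 15), in_kev=False),
    Finding("CVE-EXAMPLE-3", "srv-file01", 5.3, date(2022, 9, 1), in_kev=False),
    Finding("CVE-EXAMPLE-4", "srv-db01", 7.5, date(2022, 9, 20), in_kev=False, patched=True),
]
REVIEW_DATE = date(2022, 11, 1)

if __name__ == "__main__":
    ordered, poam = triage(SAMPLE_FINDINGS, REVIEW_DATE)
    for f in ordered:
        print(f.cve, f.asset, cvss_severity(f.cvss_v3), "due", remediation_deadline(f))
    print("POA&M items:", [f.cve for f in poam])
```

Note that the medium-severity finding in the sample is overdue but produces no POA&M item; under the policy as quoted it is still tracked, but the POA&M commitment the agency makes is for critical and high vulnerabilities. A risk acceptance memo, as described under the RMF Handbook language, would be a separate record attached to a POA&M item rather than a change to this ordering.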
Recommendation 8:
Implement a solution to gradually automate, orchestrate and centralize patching for each device.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB has automated the patching for all agency-issued workstations using a combination of Microsoft Intune and Kace patch management tools; workstations are assigned to various deployment rings and patches are automatically applied according to a set schedule based on the ring each workstation belongs to. Intune enforces an update policy for all agency-issued mobile devices that makes the latest version of iOS available for update, but due to restrictions imposed by the manufacturer (Apple) there is no way to force iOS updates (it relies on end-user actions). All agency Windows servers have patches and updates automatically downloaded via WSUS, which are then reviewed and installed by the DNFSB IT staff. DNFSB has determined automated patching of Windows Servers accepts an unacceptable risk.
Actions planned to be taken: DNFSB will continue to refine its automated patch management SOPs as new tools become available.
Estimated remediation date: DNFSB considers Recommendation 2022-8 to be fully remediated.
OIG Analysis:
The OIG reviewed the update rings, iOS update and compliance policies, a report of the current compliance status of DNFSB iPhones, and an example of the email sent to users of non-compliant phones. These actions fulfill the recommendation and, therefore, this recommendation is now closed.
Status:
Closed.
Recommendation 9:
Develop and implement a data consistency and quality plan or similar procedure to help test and monitor data accuracy and quality of information coming from their implementation of CDM.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB's implementation of CDM consists of two components. The first component is the tools that scan DNFSB assets to provide the data for the core CDM capabilities (hardware asset management, software asset management, configuration settings management, software vulnerability management and mobile threat defense). Currently these scanning tools consist of Qualys (provided by CDM) and DNFSB's instance of Microsoft Intune. The second component is the CDM program's Federal and Agency Dashboards that CDM creates using the collected data. DNFSB has visibility into and control over most of the scanning tools component, but no direct control over the second component.
To ensure data quality, DNFSB has implemented weekly reviews of the Qualys scan results to remove any duplicate entries and to add any missing tags (such as the system boundary tag), and similar reviews of the mobile device data contained in Intune. This ensures that the data ingested by the CDM program regarding DNFSB assets is as accurate as possible. DNFSB has continued to observe discrepancies between the raw scan data collected by the scanning tools and the data presented in DNFSB's Agency Dashboard. DNFSB has documented these discrepancies and submitted them to the CDM program office and has been told that there are issues with the tool used by CDM that ingests the raw scan data from multiple sources to provide the consolidated data shown in the Agency Dashboard.
CDM has acknowledged this is an on-going issue and has pledged to continue trying to resolve the data quality issues in the Agency Dashboard.
Actions planned to be taken: Continue to follow the SOPs listed above.
Estimated remediation date: DNFSB considers the portion of Recommendation 2022-9 under DNFSB's control to be fully remediated. DNFSB will continue to document any data quality issues in the Agency Dashboard and submit them to the CDM program office and request they be remediated.
OIG Analysis:
The OIG reviewed screenshots from Qualys, a Weekly Vulnerability Report, and emails from the DNFSB to CDM to remediate discrepancies in the Qualys data and the CDM dashboard data. These actions fulfill the recommendation and, therefore, this recommendation is now closed.
Status:
Closed.
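The weekly review the agency describes has two parts: cleaning the raw scanner data (removing duplicate entries, adding missing tags such as the system boundary tag) and comparing that cleaned data with what the Agency Dashboard shows so that discrepancies can be documented for the CDM program office. The following is an added example of both checks over constructed records; it is not DNFSB's review procedure and does not use the Qualys, Intune or CDM dashboard export formats. The record layout, the `system_boundary` tag name and the sample hosts are all assumptions made for the example.

```python
REQUIRED_TAGS = {"system_boundary"}   # the page names the system boundary tag

# Constructed raw scanner records for one boundary. The record shape is an
# assumption for this example, not the scanner's export format.
RAW_SCAN = [
    {"hostname": "ws-0101", "ip": "10.0.1.11", "tags": {"system_boundary"}},
    {"hostname": "WS-0101", "ip": "10.0.1.11", "tags": set()},     # same host, re-scanned
    {"hostname": "srv-file01", "ip": "10.0.2.5", "tags": set()},   # tag never applied
    {"hostname": "srv-db01", "ip": "10.0.2.9", "tags": {"system_boundary"}},
]
# Constructed view of what the consolidated dashboard shows for the same boundary.
DASHBOARD = [
    {"hostname": "ws-0101"},
    {"hostname": "srv-db01"},
    {"hostname": "srv-old07"},   # decommissioned host still shown downstream
]


def asset_key(record: dict) -> str:
    """Normalized identity used to match records across sources."""
    return record["hostname"].strip().lower()


def dedupe(records):
    """Merge records that resolve to the same asset, keeping the union of tags."""
    merged = {}
    for r in records:
        k = asset_key(r)
        if k in merged:
            merged[k]["tags"] |= set(r["tags"])
            merged[k]["duplicates"] += 1
        else:
            merged[k] = {"hostname": k, "ip": r["ip"],
                         "tags": set(r["tags"]), "duplicates": 0}
    return merged


def weekly_review(raw, dashboard) -> dict:
    """Data quality checks on raw scan data and reconciliation with the dashboard."""
    assets = dedupe(raw)
    dash_keys = {asset_key(d) for d in dashboard}
    return {
        "duplicates": sorted(k for k, a in assets.items() if a["duplicates"]),
        "missing_tags": sorted(k for k, a in assets.items() if REQUIRED_TAGS - a["tags"]),
        # Discrepancies to document and send to the CDM program office.
        "in_scanner_not_dashboard": sorted(set(assets) - dash_keys),
        "in_dashboard_not_scanner": sorted(dash_keys - set(assets)),
    }


if __name__ == "__main__":
    for check, items in weekly_review(RAW_SCAN, DASHBOARD).items():
        print(f"{check}: {items or 'none'}")
```

The first two lists are within the agency's control and are fixed in the scanner before the next ingest; the last two are the discrepancies the agency says it documents and submits upstream, and keeping them as a dated record is what lets the OIG verify the review actually happened.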
Recommendation 10:
Document and implement system and information integrity and systems and communications protection policies and procedures in accordance with DNFSB policy.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB has begun drafting both System and Information Integrity (SI) and Systems and Communications (SC) Protection policies and procedures.
Actions planned to be taken: DNFSB will finalize and internally publish its System and Information Integrity (SI) and Systems and Communications (SC) Protection policies and procedures.
Estimated remediation date: December 31, 2022.
OIG Analysis:
The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB finalizes its System and Information Integrity (SI) and Systems and Communications (SC) Protection policies and procedures.
Status:
Open: Resolved.
Recommendation 11:
Document and implement a process to validate that the DNFSB GSS ISCP is tested annually, and any issues discovered during the contingency plan test are remediated timely.
Agency Response Dated November 1, 2022:
Actions taken by October 31, 2022: DNFSB conducted and documented a tabletop exercise of the DNFSB GSS Information System Contingency Plan (ISCP) on September 29, 2022. Moreover, DNFSB conducted several ISCP tests in FY22 where critical systems were successfully restored from backups. DNFSB has also started a quarterly backup test from backup at the COOP site to verify that backups from HQ can be fully restored if needed. The first such COOP restore was conducted in October 2022 with the next scheduled in January.
Actions planned to be taken: DNFSB will test the DNFSB GSS ISCP at least annually in FY 2023.
Estimated remediation date: DNFSB considers Recommendation 2022-11 to be fully remediated.
OIG Analysis:
The OIG reviewed documentation of the tabletop exercise, two quarterly tests, and the COOP plan and determined that the DNFSB has satisfied this recommendation. This recommendation is therefore closed.
Status:
Closed.