ML23118A343

DNFSB-20-A-05 Status of Recommendations: Independent Evaluation of DNFSB's Implementation of the Federal Information Security Modernization Act of 2019 for Fiscal Year 2019, Dated April 26, 2023
Person / Time
Issue date: 04/26/2023
From: Virkar H
NRC/OIG/AIGA
To: Tadlock T
NRC/EDO
References
DNFSB-20-A-05


Text

MEMORANDUM

DATE: April 26, 2023

TO: Tara Tadlock, Associate Director for Board Operations, Office of the Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT:

STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (DNFSB-20-A-05)

REFERENCE:

ASSOCIATE DIRECTOR FOR BOARD OPERATIONS, DEFENSE NUCLEAR FACILITIES SAFETY BOARD, CORRESPONDENCE DATED MARCH 1, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations discussed in the DNFSB's response dated March 1, 2023. Based on this response, recommendations 3, 5, and 7 through 11 remain open and resolved.

Recommendations 1, 2, 4, and 6 were closed previously. Please provide an updated status of the open and resolved recommendations by August 30, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: J. Biggins, GM
N. Thomas-Hawkins, OEDO

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

Evaluation Report: INDEPENDENT EVALUATION OF DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019, Status of Recommendations (DNFSB-20-A-05)

Recommendation 3: Using the results of recommendations one (1) and two (2) above:

a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components. The Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and CIO's Office monthly for review. Develop a centralized dashboard that the Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the DNFSB fully completes all four elements in Recommendation 3 and the OIG verifies completion.

Status: Open: Resolved.

Recommendation 5: Management should re-enforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: These actions meet the intent of the recommendation. The recommendation will be closed when the OIG verifies that DNFSB has developed and delivered remedial training.

Status: Open: Resolved.

Recommendation 7: Complete and document a risk-based justification for not implementing an automated solution (e.g., Splunk) to help maintain an up-to-date, complete, accurate, and readily available view of the security configurations for all information system components connected to the organization's network.

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the OIG verifies that the DNFSB has implemented solutions to maintain an up-to-date, complete, accurate and readily available view of the security configurations for all information system components.

Status: Open: Resolved.

Recommendation 8: Continue efforts to meet milestones of the DNFSB ICAM Strategy necessary for fully transitioning to DNFSB's "to-be" ICAM architecture.

Agency Response Dated March 1, 2023: DNFSB continues to work towards implementation of a stronger ICAM architecture. A new certificate authority (CA) server has been implemented, which has facilitated the use of local multifactor authentication (MFA) on privileged accounts within the DNFSB GSS.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the OIG verifies that the DNFSB has continued efforts to meet milestones of the DNFSB ICAM strategy.

Status: Open: Resolved.

Recommendation 9: Complete current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the OIG reviews the DNFSB's efforts to refine existing monitoring and assessment procedures to support ongoing authorization of the DNFSB system more effectively.

Status: Open: Resolved.

Recommendation 10: Identify and fully define requirements for the incident response technologies DNFSB plans to utilize in the specified areas and how these technologies respond to detected threats (e.g., cross-site scripting, phishing attempts, etc.).

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the OIG reviews the finalized versions of the documents in draft that identify and fully define requirements for the incident response technologies DNFSB plans to utilize in the specified areas and how these technologies respond to detected threats.

Status: Open: Resolved.

Recommendation 11: Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address ICT supply chain risk.

Agency Response Dated March 1, 2023: DNFSB requested this recommendation be closed in CLOSURE OF FY19 AND FY20 FISMA AUDIT RECOMMENDATIONS memo dated 8/23/22.

Awaiting OIG validation as part of the FY 23 FISMA Audit fieldwork.

OIG Analysis: This recommendation will be closed when the DNFSB addresses ICT supply chain risk in its contingency planning policies and procedures, based on the results of the DNFSB's supply chain risk assessment included in the recommendation for the Identify function.

Status: Open: Resolved.
