ML23121A125

DNFSB-22-A-07 Status of Recommendations: Audit of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022, Dated April 26, 2023
Person / Time
Issue date: 04/26/2023
From: Virkar H
NRC/OIG/AIGA
To: Tadlock T
Defense Nuclear Facilities Safety Board, NRC/EDO
References
DNFSB-22-A-07
Text

MEMORANDUM

DATE: April 26, 2023

TO: Tara Tadlock, Associate Director for Board Operations, Office of the Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022 (DNFSB-22-A-07)

REFERENCE: ASSOCIATE DIRECTOR FOR BOARD OPERATIONS, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED MARCH 1, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated March 1, 2023. Based on this response, recommendations 1 through 7 and 10 are open and resolved.

Recommendations 8, 9, and 11 were closed previously. Please provide an updated status of the open and resolved recommendations by August 30, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: J. Biggins, GM
N. Thomas-Hawkins, OEDO

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

Audit Report: AUDIT OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022, Status of Recommendations (DNFSB-22-A-07)

Recommendation 1: Implement a process to ensure a security control assessment for the DNFSB GSS is completed and documented on an annual basis.

Agency Response Dated March 1, 2023: DNFSB began an engagement with DOI in February 2023 and anticipates completing the external security assessment of the DNFSB GSS in Q3 FY23.

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB implements a process to ensure a security control assessment for the DNFSB GSS is completed and documented on an annual basis.

Status: Open: Resolved.

Recommendation 2: Implement a process to validate the DNFSB GSS security authorization is maintained in accordance with DNFSB policy.

Agency Response Dated March 1, 2023: RMF Handbook has been completed and approved.

Implementation proof will consist of external validation of system; DNFSB anticipates completing the external security assessment of the DNFSB GSS in Q3 FY23.

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the DNFSB implements a process to validate the DNFSB GSS security authorization is maintained in accordance with DNFSB policy.

Status: Open: Resolved.

Recommendation 3: Enforce existing DNFSB policy requirements to document security impact analyses, test plans, test results and backout plan requirements for each change.

Agency Response Dated March 1, 2023: DNFSB considers Recommendation 2022-3 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides documentation of the security impact analyses, test plans, test results and backout plan requirements for each change.

Status: Open: Resolved.

Recommendation 4: Complete the implementation and consistent performance of monthly reviews to ensure security impact analyses, test plans, test results and backout plans are documented as required for each change.

Agency Response Dated March 1, 2023: DNFSB has implemented a quarterly review of all change request tickets.

DNFSB considers Recommendation 2022-4 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides documentation of the monthly reviews to ensure security impact analyses, test plans, test results and backout plans are documented as required for each change.

Status: Open: Resolved.

Recommendation 5: Complete the implementation of the configuration management training program and provide periodic refreshers to ensure evidence requirements are captured for change tickets.

Agency Response Dated March 1, 2023: DNFSB considers Recommendation 2022-5 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides documentation of the implementation of the configuration management training program and documentation of periodic refreshers to ensure evidence requirements are captured for change tickets.

Status: Open: Resolved.

Recommendation 6: Update the current change process, the Track-It! tool or both to enforce segregation of duties controls for a requestor and an approver of a change (e.g., requiring a second approver signature for all non-emergency changes, when the requester is eligible to be an approver).

Agency Response Dated March 1, 2023: DNFSB considers Recommendation 2022-6 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides the updated policy for the change process.

Status: Open: Resolved.

Recommendation 7: Create procedures for vulnerability and compliance management based on risk and level of effort involved to mitigate confirmed vulnerabilities case-by-case such as:

a. Prioritizing mitigation in accordance with all requirements specified by CISA BOD 22 Reducing the Significant Risk of Known Exploited Vulnerabilities and Emergency Directives, as applicable.
b. Opening plans of action and milestones to track critical and high vulnerabilities that cannot be addressed within 30 days.
c. Preparing risk-based decisions in unusual circumstances when there is a technical or cost limitation making mitigation of a critical or high vulnerability infeasible with documented, effective compensating controls coupled with a clear timeframe for planned remediation.

Agency Response Dated March 1, 2023: DNFSB published OP 412.2-1, Vulnerability Management Operating Procedures, on 2/21/23.

DNFSB considers Recommendation 2022-7 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides its procedures for vulnerability and compliance management, and OIG determines it is based on risk and level of effort involved to mitigate confirmed vulnerabilities in the listed cases.

Status: Open: Resolved.

Recommendation 10: Document and implement system and information integrity and systems and communications protection policies and procedures in accordance with DNFSB policy.

Agency Response Dated March 1, 2023: DNFSB published its System and Communications Protection Policy and its System and Information Integrity Policy, both on 11/29/22.

DNFSB considers Recommendation 2022-10 to be fully remediated. DNFSB will request closure of this Recommendation.

OIG Analysis: The OIG will close this recommendation when the DNFSB provides its System and Information Integrity (SI) and Systems and Communications (SC) Protection policies and procedures.

Status: Open: Resolved.