ML23223A221

OIG-22-A-14 Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission'S Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022, Dated August 10, 2023
Person / Time
Issue date: 08/10/2023
From: Virkar H (NRC/OIG)
To: Dan Dorman (NRC/EDO)
References
OIG-22-A-14


Text

MEMORANDUM

DATE: August 10, 2023

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Hruta Virkar /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022 (OIG-22-A-14)

REFERENCE: DEPUTY EXECUTIVE DIRECTOR, OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS MEMORANDUM DATED JUNE 13, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated June 13, 2023. Based on this response, recommendations 1 through 7 are in open and resolved status. Please provide an updated status of the open and resolved recommendations by February 2, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: M. Bailey, AO
M. Meyer, DAO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Audit Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022, Status of Recommendations (OIG-22-A-14)

Recommendation 1: Review and update the ITI Core Services SSP System Interconnections tab and related security control implementation to ensure system interconnection details reflect the current system environment.

Agency Response Dated June 15, 2023: The U.S. Nuclear Regulatory Commission (NRC) converted the Information Technology Infrastructure System (ITI) Core Services System Security Plan (SSP) from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, issued April 2013, to SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020. Although the NRC has made updates to the SSP Interconnections tab, in order to document all external connections, including cloud services, the NRC requests a new target completion date of the fourth quarter (Q4) of fiscal year (FY) 2023.

Target Completion Date: FY 2023 Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC updates the ITI Core Services SSP System Interconnections tab and related security control implementation to ensure system interconnection details reflect the current system environment.

Status: Open: Resolved.


Recommendation 2: Implement a process to verify that remaining external interconnections noted in the ITI Core Services SSP have documented, up-to-date ISA/MOUs or SLAs in place as applicable.

Agency Response Dated June 15, 2023: The NRC's annual Periodic Security Control Assessment (PSCA) process includes a review of the external interconnections, interconnection security agreement (ISA)/memoranda of understanding (MOUs), and service level agreements (SLAs) within the ITI Core Services SSP Interconnection tab. The NRC will analyze its PSCA process and implement improvements to ensure that external interconnections noted in the ITI Core Services SSP are verified to be current and accurate. The NRC requests a new target completion date of the first quarter (Q1) of FY 2024.

Target Completion Date: FY 2024 Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements improvements to ensure that external interconnections noted in the ITI Core Services SSP are verified to be current and accurate.

Status: Open: Resolved.


Recommendation 3: Update the ITI inventory to correct any discrepancies and incorrect information listed for ITI devices tracked in the Common Computing Services, Peripherals, Unified Communications and Voice over Internet Protocol subsystem inventories.

Agency Response Dated June 15, 2023: The NRC will ensure that the ITI inventory detail is updated and will correct any discrepancies and incorrect information identified for ITI assets in the Common Computing Services, Peripherals, Unified Communications, and Voice over Internet Protocol subsystem inventories.

Target Completion Date: FY 2023 Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC updates the ITI inventory to correct any discrepancies and incorrect information listed for ITI devices tracked in the Common Computing Services, Peripherals, Unified Communications and Voice over Internet Protocol subsystem inventories.

Status: Open: Resolved.


Recommendation 4: Document and implement a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.

Agency Response Dated June 15, 2023: Due to the size and complexity of the ITI system covered by the Federal Information Security Modernization Act of 2014 (FISMA), the NRC will capitalize on its existing Office of the Chief Information Officer (OCIO) Service Model to assign primary ITI asset inventory responsibilities to the associated service area role. Service area role information technology asset inventory responsibilities will be defined, and metrics developed to ensure accuracy. The NRC requests a new target completion date of FY 2024 Q1.

Target Completion Date: FY 2024 Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC documents and implements a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.

Status: Open: Resolved.


Recommendation 5: Implement a process to document the supply chain risk management requirements within the NRC information systems' system security plans.

Agency Response Dated June 15, 2023: The NRC is currently transitioning its organization-defined values to align with NIST SP 800-53, Revision 5, which incorporates supply chain risk management requirements within agency information system security plans. The NRC anticipates migrating all Federal Information Security Modernization Act systems to compliance with NIST SP 800-53, Revision 5, by the first quarter (Q1) of FY 2024.

Target Completion Date: FY 2024 Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements a process to document the supply chain risk management requirements within the NRC information systems' system security plans.

Status: Open: Resolved.


Recommendation 6: Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.

Agency Response Dated June 15, 2023: The NRC maintains an authoritative list of users with privileged level responsibilities as well as a database of associated role-based training. The Office of the Chief Information Officer (OCIO) and the Office of the Chief Human Capital Officer employ a collaborative process to ensure that all role-based training is completed by the annual target date of September 1. The process includes Training Management System reporting and continuous outreach to individual users and their respective supervisors and contracting officers representatives. The NRC recently strengthened the accuracy of its authoritative list of users with privileged level responsibilities by implementing a weekly update process to capture new users as well as a redundant monthly update process to ensure completeness. As a result of this process, in FY 2022, 94 percent of users completed the training by the target date of September 1 and 98 percent completed the training by September 30. The NRC will analyze this process to identify and implement any further improvements that will increase its effectiveness. In order to perform its analysis of the process, the NRC is requesting a new target completion date of FY 2024 Q1.

Target Completion Date: FY 2024 Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.

Status: Open: Resolved.


Recommendation 7: Implement a process to validate that all new contractors complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment and to subsequently ensure completion of annual security awareness training and renewal of rules of behavior is tracked.

Agency Response Dated June 15, 2023: Providing security awareness training, which contains sensitive information, to new contractors outside the NRC's secure network would require the creation and ongoing maintenance of a separate secure system. The NRC does not believe that the benefit of new contractors completing the training before gaining access to the NRC network outweighs the costs of a separate secure system. Instead, the NRC plans to add streamlined security training that contains the Rules of Behavior but does not contain sensitive information to its onboarding process, which occurs before contractors gain access to the NRC network. In addition, the NRC will strengthen its process after onboarding to ensure that new contractors complete all required security awareness training, including acknowledging the Rules of Behavior, within the required 30-day timeframe. In order to implement this process for contractor personnel, the NRC is requesting a new target completion date of the second quarter (Q2) of FY 2024.

Target Completion Date: FY 2024 Q2

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC streamlines security training that contains the Rules of Behavior that occurs before contractors gain access to the NRC network.

Status: Open: Resolved.
