ML23272A121

OIG-23-A-10 Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023
Issue date: 09/29/2023
From: Virkar H, NRC/OIG/AIGA
To: Dan Dorman, NRC/EDO
References: OIG-23-A-10

MEMORANDUM

DATE: September 29, 2023
TO: Daniel H. Dorman, Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits
SUBJECT: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (OIG-23-A-10)

The Office of the Inspector General (OIG) contracted with CliftonLarsonAllen LLP (CLA) to conduct the Audit of the U.S. Nuclear Regulatory Commission's (NRC) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023. Attached is CLA's final report on the audit. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the NRC. The findings and conclusions presented in this report are the responsibility of CLA. The OIG's responsibility is to provide oversight of the contractor's work in accordance with generally accepted government auditing standards.

The report presents the results of the subject audit. Following the exit conference, the agency's staff indicated that they had no formal comments for inclusion in this report.

For the period October 1, 2022, through June 30, 2023, CLA found that although the NRC established an effective agency-wide information security program and practices, there are weaknesses that may have some impact on the agency's ability to optimally protect the NRC's systems and information.

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Please provide information on actions taken or planned on each of the recommendations within 30 calendar days of the date of this report. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1. We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: M. Bailey, AO
    M. Meyer, DAO
    J. Jolicoeur, OEDO
    OIG Liaison Resource
    EDO_ACS Distribution

Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014, Fiscal Year 2023, Final Report

CliftonLarsonAllen LLP | CLAconnect.com

Inspector General
U.S. Nuclear Regulatory Commission

CliftonLarsonAllen LLP (CLA) conducted a performance audit of the U.S. Nuclear Regulatory Commission's (NRC) information security program and practices for fiscal year (FY) 2023 in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). The FISMA requires agencies to develop, implement, and document an agency-wide information security program. In addition, the FISMA requires Inspectors General (IGs) to conduct an annual independent evaluation of their agency's information security program and practices.

The objective of this performance audit was to assess the effectiveness of the information security policies, procedures, and practices of the NRC.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

For this year's review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security program and the maturity level of each function area.[1] The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, the NRC's information security program must be rated Level 4 - Managed and Measurable.

The audit included an assessment of the NRC's information security programs and practices consistent with the FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for a sample of systems in the NRC's FISMA inventory of information systems. Audit fieldwork covered the NRC's headquarters located in Rockville, MD from January 2023 to June 2023.

The audit covered the period from October 1, 2022, through June 30, 2023.

We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 - Managed and Measurable maturity level; therefore, the NRC has an effective information security program. Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective. We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.

[1] The function areas are further broken down into nine domains.

CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.

Our work did not include an assessment of the sufficiency of internal control over financial reporting or other matters not specifically outlined in this report. CLA cautions that projecting the results of our performance audit to future periods is subject to the risks that conditions may materially change from their current status. The information included in this report was obtained from the NRC on or before September 13, 2023. We have no obligation to update our report or to revise the information contained therein to reflect events occurring subsequent to September 13, 2023.

The purpose of this audit report is to report on our assessment of the NRC's compliance with the FISMA and is not suitable for any other purpose. Additional information on our findings and recommendations is included in the accompanying report.

CliftonLarsonAllen LLP Arlington, Virginia September 13, 2023

U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRC's Implementation of the FISMA

Table of Contents

EXECUTIVE SUMMARY
  Audit Results
AUDIT FINDINGS
  1. Weaknesses in the NRC's Plan of Action and Milestones (POA&M) Management Process
  2. Weaknesses in the NRC's Vulnerability Management Program
  3. Weaknesses in the NRC's Inactive Account Management
  4. Weaknesses in the NRC's Event Logging Maturity
APPENDIX I: BACKGROUND
APPENDIX II: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX III: STATUS OF PRIOR RECOMMENDATIONS
APPENDIX IV: NRC'S MANAGEMENT COMMENTS

EXECUTIVE SUMMARY

The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The FISMA also requires agency Inspectors General (IGs) to assess the effectiveness of their agency's information security program and practices. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued guidance for federal agencies to follow. In addition, NIST issued the Federal Information Processing Standards (FIPS) to establish agency baseline security requirements.

The United States (U.S.) Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG) engaged CliftonLarsonAllen LLP (CLA) to conduct a performance audit in support of the FISMA requirement for an annual independent evaluation of the NRC's information security program and practices. The objective of this performance audit was to assess the effectiveness of the information security policies, procedures, and practices of the NRC.

The OMB and the Department of Homeland Security (DHS) annually provide instructions to federal agencies and IGs for preparing FISMA reports. On December 2, 2022, the OMB issued Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements.[2] According to that memorandum, each year the IGs are required to complete IG FISMA Reporting Metrics[3] to independently assess their agencies' information security program. The OMB selected a core group of metrics[4] that Inspectors General must evaluate annually and a selection of 20 Supplemental IG FISMA Reporting Metrics that must be evaluated during FY 2023.[5] The remainder of the standards and controls will be evaluated on a two-year cycle.

For this year's review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security program and the maturity level of each function area.[6] The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, an agency's information security program must be rated Level 4 - Managed and Measurable. See Appendix I for additional information on the FISMA reporting requirements.

The audit included an assessment of the NRC's information security program and practices consistent with the FISMA and reporting instructions issued by the OMB. In addition, we reviewed selected controls from NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, mapped to the FY 2023 IG FISMA Reporting Metrics for a sample of three of 15 information systems[7] in the NRC's FISMA inventory of information systems as of January 2023.[8] The scope also included an independent vulnerability assessment and external penetration test (technical assessment) of the NRC headquarters network.[9] We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[2] See OMB M-23-03 online here.

[3] See FY 2023 - FY 2024 IG FISMA Reporting Metrics online here. We submitted our responses to the FY 2023 IG FISMA Reporting Metrics to NRC OIG as a separate deliverable under the contract for this audit.

[4] Core Metrics represent a combination of Administration priorities, high-impact security processes, and essential functions necessary to determine security program effectiveness.

[5] Supplemental Metrics represent important activities conducted by security programs and contribute to the overall evaluation and determination of security program effectiveness.

[6] The function areas are further broken down into nine domains.

Audit Results

We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 - Managed and Measurable maturity level; therefore, the NRC has an effective information security program.[10] For example, the NRC:

  • Maintained an effective continuous monitoring program including periodic security control assessments and dashboards for tracking risk management posture.
  • Integrated the privacy program with other security areas and business processes as well as embedded the privacy program into daily decision making to help identify and manage privacy risks.
  • Maintained an effective incident response program.

Table 1 below shows a summary of the overall assessed maturity levels for each function area and domain in the FY 2023 IG FISMA Reporting Metrics.

Table 1: Maturity Levels for FY 2023 IG FISMA Reporting Metrics

Each Cybersecurity Framework security function is listed with its maturity level, followed by its metric domains and their maturity levels:

Identify: Level 4: Managed and Measurable
  Risk Management: Level 4: Managed and Measurable
  Supply Chain Risk Management: Level 3: Consistently Implemented
Protect: Level 4: Managed and Measurable
  Configuration Management: Level 4: Managed and Measurable
  Identity and Access Management: Level 4: Managed and Measurable
  Data Protection and Privacy: Level 5: Optimized
  Security Training: Level 3: Consistently Implemented
Detect: Level 4: Managed and Measurable
  Information Security Continuous Monitoring: Level 4: Managed and Measurable
Respond: Level 4: Managed and Measurable
  Incident Response: Level 4: Managed and Measurable
Recover: Level 3: Consistently Implemented
  Contingency Planning: Level 3: Consistently Implemented
Overall: Level 4: Managed and Measurable - Effective

[7] According to NIST, an information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

[8] The NRC's FISMA inventory of information systems details a list of the NRC's FISMA reportable systems.

[9] Detailed results of the technical assessment are presented in a separate report under limited distribution due to the sensitive nature of the results.

[10] In the FY 2022 FISMA audit, the results were based on the 20 metric questions. The FY 2023 FISMA audit results are based on 40 metric questions.

Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective. We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics (see Table 2 below).

As a result of the weaknesses noted, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.[11] Table 2 also includes weaknesses where the NRC has prior year recommendations that remain open related to the FY 2023 IG FISMA Reporting Metrics.

[11] See Appendix III for the status of prior year recommendations.

Table 2: Weaknesses Mapped to Cybersecurity Framework Security Functions and Domains in the FY 2023 IG FISMA Reporting Metrics

Identify
  Risk Management: Weaknesses in the NRC's Plan of Action and Milestones (POA&M) Management Process (Finding 1).
  Supply Chain Risk Management: Open prior year recommendations related to documenting supply chain risk management in all system security plans.[12]
Protect
  Configuration Management: Weaknesses in the NRC's Vulnerability Management Program (Finding 2).
  Identity and Access Management: Weakness in the NRC's Inactive Account Management (Finding 3). Open prior year recommendations related to completing access agreements before granting access.
  Data Protection and Privacy: No weaknesses noted.
  Security Training: Open prior year recommendations related to completion of security awareness and role-based training.
Detect
  Information Security Continuous Monitoring: No weaknesses noted.
Respond
  Incident Response: Weaknesses in the NRC's Event Logging Maturity (Finding 4).
Recover
  Contingency Planning: Open prior year recommendations related to organization level business impact analysis and contingency plan testing integration with information and communications technology (ICT) supply chain providers.

The following sections provide a detailed discussion of the audit findings. Appendix I provides background information on the FISMA. Appendix II describes the audit objective, scope, and methodology. Appendix III provides the status of the prior years' recommendations.

[12] See Appendix III for the status of the prior years' open recommendations.

AUDIT FINDINGS

1. Weaknesses in the NRC's Plan of Action and Milestones (POA&M) Management Process

Cybersecurity Framework Security Function: Identify
FY 2023 IG FISMA Reporting Metrics Domain: Risk Management

We noted 686 of 4,775 open Information Technology Infrastructure (ITI) system POA&Ms did not have current milestone dates to meet their updated scheduled completion dates.

Updates to POA&Ms rely on active communication with System Administrators and other parties, which falters in some cases.

The NRC's Computer Security Organization (CSO)-Computer Security Process (PROS)-2016, Plan of Action and Milestones Process, Section 3.4, states, "POA&Ms must be reviewed and maintained at least quarterly by system ISSOs or CSO program level assigned resource to ensure that identified milestones are completed by the scheduled completion dates. In addition, POA&Ms must be updated whenever activities take place that either identify new weaknesses, demonstrate that weaknesses have been remediated, extend the schedule for remediation, or demonstrate that required continuous monitoring activities have been completed. Before each quarterly review, system ISSOs or the CSO program level assigned resource must review their POA&Ms to ensure that the following information is up-to-date and reflects all corrective actions that took place during the previous quarter."

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, security control CA Plan of Action and Milestones, states:

a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
b. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

Without timely completion of ITI POA&Ms, the NRC ITI subsystems and other information systems that rely on ITI security controls through inheritance or hybrid implementations could remain susceptible to significant system security risks. In addition, without sufficient information about the ongoing status of open ITI POA&Ms, the NRC may not accurately know and have full visibility into the status of vulnerabilities and risks on their systems.

Recommendation 1: We recommend that NRC management review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
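The quarterly POA&M review that CSO-PROS-2016 describes above can be checked mechanically rather than by hand. The following Python script is an added example written for this page; it is not code from the NRC, CLA, or the report. It runs over a small constructed set of POA&M records and flags the conditions the finding describes: open milestones dated after the (possibly extended) scheduled completion date, overdue milestones that were never rescheduled, completion dates that have passed while the record is still open, and records not reviewed within a quarter. The record fields, the 91-day review cut-off, and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# "at least quarterly" per CSO-PROS-2016 Section 3.4; the 91-day cut-off is an assumption
REVIEW_INTERVAL = timedelta(days=91)


@dataclass
class Milestone:
    description: str
    due: date
    completed: bool = False


@dataclass
class Poam:
    poam_id: str
    status: str                      # "open" or "closed"
    scheduled_completion: date       # may have been extended after the milestones were written
    last_reviewed: date
    milestones: list = field(default_factory=list)


def review_poam(poam, as_of):
    """Return the reasons an open POA&M is not current; an empty list means it passes review."""
    problems = []
    if poam.status != "open":
        return problems
    if not poam.milestones:
        problems.append("no milestones recorded")
    for m in poam.milestones:
        if m.completed:
            continue
        # A milestone later than the completion date cannot deliver the fix on schedule;
        # this is the usual symptom when a completion date is extended but milestones are not.
        if m.due > poam.scheduled_completion:
            problems.append(f"milestone '{m.description}' due {m.due} falls after "
                            f"scheduled completion {poam.scheduled_completion}")
        elif m.due < as_of:
            problems.append(f"milestone '{m.description}' due {m.due} is overdue and was not rescheduled")
    if poam.scheduled_completion < as_of:
        problems.append(f"scheduled completion {poam.scheduled_completion} has passed "
                        "but the POA&M is still open")
    if as_of - poam.last_reviewed > REVIEW_INTERVAL:
        problems.append(f"last reviewed {poam.last_reviewed}, more than a quarter ago")
    return problems


def review_all(poams, as_of):
    """Map each POA&M id to its list of problems."""
    return {p.poam_id: review_poam(p, as_of) for p in poams}


def summarize(results):
    """(POA&Ms reviewed, POA&Ms not current): the shape of the figure quoted in the finding."""
    not_current = sum(1 for problems in results.values() if problems)
    return len(results), not_current


# ---- constructed sample records, not NRC data ----
AS_OF = date(2023, 6, 30)
SAMPLE_POAMS = [
    Poam("POAM-001", "open", date(2023, 9, 30), date(2023, 5, 15), [
        Milestone("patch development environment", date(2023, 7, 15)),
        Milestone("patch production", date(2023, 9, 15)),
    ]),
    # completion date was extended to December but the milestone was never moved
    Poam("POAM-002", "open", date(2023, 12, 31), date(2023, 6, 1), [
        Milestone("deploy vendor fix", date(2023, 3, 31)),
    ]),
    # milestone later than the completion date, and no quarterly review since February
    Poam("POAM-003", "open", date(2023, 8, 31), date(2023, 2, 1), [
        Milestone("await vendor patch", date(2023, 10, 15)),
    ]),
    Poam("POAM-004", "closed", date(2023, 1, 31), date(2023, 2, 10), [
        Milestone("apply configuration change", date(2023, 1, 20), completed=True),
    ]),
    # all milestones done but the record was never closed and its completion date has passed
    Poam("POAM-005", "open", date(2023, 5, 31), date(2023, 6, 20), [
        Milestone("apply fix", date(2023, 5, 20), completed=True),
    ]),
]

if __name__ == "__main__":
    results = review_all(SAMPLE_POAMS, AS_OF)
    for poam_id, problems in results.items():
        print(poam_id, "OK" if not problems else "; ".join(problems))
    print("reviewed %d, not current %d" % summarize(results))
```

Run against a real POA&M export, the per-record reason list is what an ISSO needs before the quarterly review, and the summary pair is the same "N of M not current" figure the audit reports.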


2. Weaknesses in the NRC's Vulnerability Management Program

Cybersecurity Framework Security Function: Protect
FY 2023 IG FISMA Reporting Metrics Domain: Configuration Management

The scope of the FY 2023 FISMA audit included an independent vulnerability assessment and external penetration test (technical assessment) performed under executed rules of engagement in accordance with NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. The technical assessment noted that a vulnerability management process and procedures have been established. However, the NRC's implementation of certain vulnerability management program requirements was not fully achieved with regard to the remediation timeframes established by the NRC's policy. For more information, please refer to the restricted FY 2023 Vulnerability Assessment and External Penetration Test Results Memo, which has limited distribution due to the sensitive nature of the results.

This finding is included as a reference within this report since the Configuration Management domain and vulnerability management related controls of the IG FISMA Reporting Metrics are within the scope of the FY 2023 FISMA audit.

NRC OIG intends to follow up on NRC management's corrective actions as part of the FY 2024 FISMA audit of the NRC's information security program and practices.

3. Weaknesses in the NRC's Inactive Account Management

Cybersecurity Framework Security Function: Protect
FY 2023 IG FISMA Reporting Metrics Domain: Identity and Access Management

The ITI Core Services[13] 90-day account disablement script was not consistently capturing all inactive accounts. Specifically, we noted that ITI Core Services had nine (9) non-privileged and twenty-four (24) privileged Active Directory users with active accounts that had been inactive for more than 90 days.

NRC management indicated the ITI Core Services 90-day account disablement script was not configured to capture and disable certain Active Directory accounts.

The NRC Common Control Catalog for NIST SP 800-53 Revision 5, security control implementation details for AC-2 (3): Account Management - Disable Accounts, states:

The organization disables accounts within [no more than 24 hours] when the accounts:

1. Have expired;
2. Are no longer associated with a user or individual;
3. Are in violation of organizational policy; or
4. Have been inactive for [no more than 90 days].

[13] ITI Core Services is a subsystem of ITI that includes Microsoft's Active Directory.

Without a consistent script to disable all inactive or otherwise unnecessary Active Directory accounts, there is a greater potential risk of individuals gaining unauthorized access to the NRC network environment.

Recommendation 2: We recommend NRC management implement a revised ITI Core Services 90-day account disablement script to ensure all non-privileged and privileged Active Directory accounts are captured and disabled in accordance with NRC policies.

After notification of the audit finding, NRC management implemented a revised ITI Core Services 90-day account disablement script. The effectiveness of the revised script will be assessed during the next audit period.
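A 90-day inactive-account check against the AC-2(3) parameter quoted above, written in Python as an added example for this page; it is not the NRC's ITI Core Services script, whose configuration the report does not describe. It works over a constructed export of Active Directory user attributes and shows the general form of the check: privileged and non-privileged accounts are evaluated alike, accounts that are already disabled are skipped, and an account that has never logged on is judged by its creation date. An illustrative naive variant that scans only one organizational unit and skips accounts without a logon timestamp is included to show the class of gap that lets inactive accounts go unnoticed; those specific gaps, the attribute set, and the sample accounts are assumptions, not findings from the report.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)   # AC-2(3) parameter quoted in the finding
ACCOUNTDISABLE = 0x2                    # userAccountControl bit for a disabled account
NORMAL_ACCOUNT = 0x200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """AD stores lastLogonTimestamp as 100-ns ticks since 1601-01-01 UTC; 0/None means never set."""
    if not filetime:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here only to build the constructed sample export."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_enabled(account):
    return not account["userAccountControl"] & ACCOUNTDISABLE


def is_privileged(account):
    # adminCount=1 is set by AdminSDHolder on members of protected groups; a production check
    # would also resolve group membership directly, which this constructed export omits.
    return account.get("adminCount", 0) == 1


def last_activity(account):
    """Most recent evidence of use. An account that has never logged on has no logon
    timestamp, so its creation date is the only evidence of how long it has sat idle."""
    logon = filetime_to_datetime(account.get("lastLogonTimestamp"))
    created = account["whenCreated"]
    return logon if logon and logon > created else created


def find_inactive(accounts, as_of):
    """Return (non_privileged, privileged) sorted name lists of enabled accounts idle > 90 days."""
    non_priv, priv = [], []
    for acct in accounts:
        if not is_enabled(acct):
            continue                     # already disabled: nothing to do
        if as_of - last_activity(acct) > INACTIVITY_LIMIT:
            (priv if is_privileged(acct) else non_priv).append(acct["sAMAccountName"])
    return sorted(non_priv), sorted(priv)


def naive_find_inactive(accounts, as_of):
    """Illustrative weak variant (an assumption, not the NRC's script): scans a single OU and
    skips any account with no lastLogonTimestamp, so never-used accounts and accounts living
    in other OUs are never reported."""
    found = []
    for acct in accounts:
        if "OU=Staff" not in acct["distinguishedName"] or not acct.get("lastLogonTimestamp"):
            continue
        logon = filetime_to_datetime(acct["lastLogonTimestamp"])
        if is_enabled(acct) and as_of - logon > INACTIVITY_LIMIT:
            found.append(acct["sAMAccountName"])
    return sorted(found)


# ---- constructed sample export (the shape a Get-ADUser attribute export would have) ----
def _acct(name, ou, last_logon, created, admin=0, disabled=False):
    return {
        "sAMAccountName": name,
        "distinguishedName": f"CN={name},OU={ou},DC=example,DC=test",
        "userAccountControl": NORMAL_ACCOUNT | (ACCOUNTDISABLE if disabled else 0),
        "lastLogonTimestamp": datetime_to_filetime(last_logon) if last_logon else None,
        "whenCreated": created,
        "adminCount": admin,
    }


UTC = timezone.utc
AS_OF = datetime(2023, 6, 30, tzinfo=UTC)
SAMPLE_ACCOUNTS = [
    _acct("jdoe", "Staff", datetime(2023, 6, 1, tzinfo=UTC), datetime(2021, 1, 4, tzinfo=UTC)),
    _acct("asmith", "Staff", datetime(2023, 1, 15, tzinfo=UTC), datetime(2021, 1, 4, tzinfo=UTC)),
    _acct("svc-backup", "ServiceAccounts", datetime(2023, 2, 1, tzinfo=UTC), datetime(2020, 5, 1, tzinfo=UTC)),
    _acct("bjones-adm", "Admins", datetime(2023, 3, 1, tzinfo=UTC), datetime(2022, 8, 1, tzinfo=UTC), admin=1),
    _acct("newhire", "Staff", None, datetime(2023, 2, 15, tzinfo=UTC)),   # never logged on
    _acct("oldtimer", "Staff", datetime(2022, 12, 1, tzinfo=UTC), datetime(2019, 3, 1, tzinfo=UTC), disabled=True),
    _acct("ckim-adm", "Staff", datetime(2023, 6, 20, tzinfo=UTC), datetime(2022, 8, 1, tzinfo=UTC), admin=1),
]

if __name__ == "__main__":
    non_priv, priv = find_inactive(SAMPLE_ACCOUNTS, AS_OF)
    print("inactive non-privileged:", non_priv)
    print("inactive privileged:    ", priv)
    print("naive scan would report:", naive_find_inactive(SAMPLE_ACCOUNTS, AS_OF))
```

Two design points matter for a disablement script of this kind. First, the check is driven by the attributes of every enabled account in the domain, not by which container an account lives in, so service and administrative accounts are covered by the same rule as staff accounts. Second, lastLogonTimestamp is the replicated attribute and is only refreshed when the stored value is roughly 9 to 14 days old, which is adequate for a 90-day rule but would make a much tighter window unreliable.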

4. Weaknesses in the NRC's Event Logging Maturity

Cybersecurity Framework Security Function: Respond
FY 2023 IG FISMA Reporting Metrics Domain: Incident Response

The NRC assessed its Event Logging (EL) maturity against the requirements in the Office of Management and Budget (OMB) Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021), and reported its current EL maturity level as EL0,[14] not effective.

While the NRC is developing a plan to assist with reaching compliance with OMB M-21-31 requirements, the NRC did not reach the EL1[15] and EL2[16] maturity levels by OMB's required due dates. Specifically, the NRC did not:

  • Within one year of the date of OMB M-21-31, or by August 27, 2022, reach EL1 maturity level.
  • Within 18 months of the date of OMB M-21-31, or by February 27, 2023, achieve EL2 maturity level.

Further, the NRC did not document any risk-based decisions, including compensating controls, for not meeting the requirements in OMB M-21-31.

NRC management indicated that they were constrained by their current Security Information and Event Management (SIEM) tool licensing level and unavailability of funding to adequately support the procurement, onboarding, and implementation of EL1 and EL2 maturity level requirements by the required deadlines.

OMB M-21-31 addresses the logging requirements in Executive Order 14028, Improving the Nation's Cybersecurity[17] (May 12, 2021). OMB M-21-31 establishes a maturity model to guide the implementation of requirements across the EL tiers shown below; the model is designed to help agencies prioritize their efforts and resources to achieve full compliance with requirements for implementation, log categories, and centralized access. OMB M-21-31 further requires that agencies forward all required event logs, in near real-time and on an automated basis, to centralized systems responsible for SIEM.[18] The maturity model to guide the implementation of requirements is summarized below:

[14] Per OMB M-21-31, the EL0 maturity level signifies that logging requirements of highest criticality are either not met or are only partially met. See OMB M-22-18 online here.

[15] Per OMB M-21-31, the EL1 maturity level signifies that only logging requirements of highest criticality are met.

[16] Per OMB M-21-31, the EL2 maturity level signifies that logging requirements of highest and intermediate criticality are met.

[17] See Executive Order 14028 online here.

Tier EL0, Rating - Not Effective The agency or one or more of its components have not implemented the following requirement:

  • Ensuring that the Required Logs categorized as Criticality Level 0 are retained in acceptable formats for specified timeframes, per technical details described in OMB M-21-31, Appendix C (Logging Requirements - Technical Details).

Tier EL1, Rating - Basic (to be met by August 27, 2022)

The agency and all of its components meet the following requirements, as detailed in Table 2 (EL1 Basic Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

  • Basic Logging Categories
  • Minimum Logging Data
  • Time Standard
  • Event Forwarding
  • Protecting and Validating Log Information
  • Passive DNS [Domain Name System]
  • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigations Access Requirements
  • Logging Orchestration, Automation, and Response - Planning
  • User Behavior Monitoring - Planning
  • Basic Centralized Access

Tier EL2, Rating - Intermediate (to be met by February 26, 2023)

The agency and all of its components meet the following requirements, as detailed in Table 3 (EL2 Intermediate Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

  • Meeting EL1 maturity level
  • Intermediate Logging Categories
  • Publication of Standardized Log Structure
  • Inspection of Encrypted Data
  • Intermediate Centralized Access

[18] SIEM tools are a type of centralized logging software that can facilitate aggregation and consolidation of audit log records from multiple information system components. SIEM tools automate the collection of audit log records from tools, report them to a management console in a standardized format, and facilitate audit record correlation and analysis.

Tier EL3, Rating - Advanced (to be met by August 27, 2023)

The agency and all its components meet the following requirements, as detailed in Table 4 (EL3 Advanced Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

  • Meeting EL2 maturity level
  • Advanced Logging Categories
  • Logging Orchestration, Automation, and Response - Finalizing Implementation
  • User Behavior Monitoring - Finalizing Implementation
  • Application Container Security, Operations, and Management
  • Advanced Centralized Access

Further, OMB M-21-31, Section II: Agency Implementation Requirements, requires agencies to perform the following:

  • Within 60 calendar days of the date of the OMB M-21-31 memorandum [or by October 26, 2021], assess their maturity against the maturity model in OMB M-21-31 and identify resourcing and implementation gaps associated with completing each of the requirements listed below. Agencies will provide their plans and estimates to their OMB Resource Management Office and Office of the Federal Chief Information Officer desk officer.
  • Within one year of the date of OMB Memorandum 21-31 [or by August 27, 2022], reach EL1 maturity.
  • Within 18 months of OMB M-21-31 [or by February 26, 2023], achieve EL2 maturity.
  • Within two years of OMB Memorandum 21-31 [or by August 27, 2023], achieve EL3 maturity.
  • Provide, upon request and to the extent consistent with applicable law, relevant logs to the CISA and Federal Bureau of Investigations. This sharing of information is critical to defend federal information systems.
  • Share log information, as needed and appropriate, with other federal agencies to address cybersecurity risks or incidents.

Cyber-attacks underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation, and remediation of cyber threats. By not achieving EL1 and EL2 maturity levels, the NRC is not meeting logging requirements of highest criticality. NRC maturity is currently at EL0 maturity; therefore, their event logging capabilities are not effective based on OMB M-21-31.

Further, the NRC may not correlate audit log records across different repositories in a complete or risk-based manner as defined by OMB M-21-31, which may increase the risk that the NRC may not collect all meaningful and relevant data on suspicious events. This may, in turn increase the risk that the NRC may inadvertently miss the potential scope or veracity of suspicious events or attacks.

Recommendation 3: We recommend that NRC management increase the current SIEM tool licensing level and acquire funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.


Appendix I

BACKGROUND

Overview

The Energy Reorganization Act of 1974 created the NRC, and the NRC began operations on January 19, 1975. The NRC is headed by a five-member Commission, with one member designated by the President to serve as Chair. The NRC's mission is to license and regulate the Nation's civilian use of radioactive materials to protect public health and safety, promote the common defense and security, and protect the environment. The NRC's broad areas of responsibility include reactor safety oversight and license renewal for existing plants, materials safety oversight and licensing for a variety of purposes, and oversight of the management and disposal of both high-level waste and low-level radioactive waste.

Federal Information Security Modernization Act of 2014 (FISMA)

The FISMA provides a comprehensive framework for ensuring effective security controls over information resources supporting federal operations and assets. The FISMA requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source.

The statute also provides a mechanism for improved oversight of Federal agency information security programs. The FISMA requires agency heads to take the following actions, among others:19

1. Be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; complying with applicable governmental requirements and standards; and ensuring information security management processes are integrated with the agency's strategic, operational, and budget planning processes.
2. Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control.
3. Delegate to the agency Chief Information Officer the authority to ensure compliance with FISMA.
4. Ensure that the agency has trained personnel sufficient to assist the agency in complying with FISMA requirements and related policies, procedures, standards, and guidelines.
5. Ensure that the Chief Information Officer reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.
6. Ensure that senior agency officials carry out information security responsibilities.
7. Ensure that all personnel are held accountable for complying with the agency-wide information security program.

19 44 U.S.C. § 3554, Federal agency responsibilities.


Agencies must also report annually to the OMB and to congressional committees on the effectiveness of their information security program. In addition, the FISMA requires agency IGs to assess the effectiveness of their agency's information security program and practices.

National Institute of Standards and Technology (NIST) Security Standards and Guidelines

The FISMA requires NIST to provide standards and guidelines pertaining to Federal information systems. The prescribed standards establish minimum information security requirements necessary to improve the security of Federal information and information systems. The FISMA also requires that Federal agencies comply with Federal Information Processing Standards issued by NIST. In addition, NIST develops and issues Special Publications as recommendations and guidance documents.

FISMA Reporting Requirements

The OMB and the DHS annually provide instructions to Federal agencies and IGs for preparing FISMA reports. On December 2, 2022, OMB issued Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements.20 This memorandum described key changes to the methodology for conducting FISMA audits, as well as the processes for Federal agencies to report to the OMB and, where applicable, the DHS. Key changes to the methodology included:

  • The OMB selected a core group of metrics that Inspectors General must evaluate annually and a selection of 20 Supplemental IG FISMA Reporting Metrics that must be evaluated during FY 2023.21 The remainder of the standards and controls will be evaluated on a two-year cycle.
  • In previous years, IGs were directed to use a mode-based scoring approach to assess maturity levels. In FY 2023, ratings were focused on calculated averages, wherein the average of the metrics in a particular domain is used by IGs to determine the effectiveness of individual function areas (Identify, Protect, Detect, Respond, and Recover). IGs were encouraged to focus on the calculated averages of the 20 Core IG FISMA Reporting Metrics, as these tie directly to the Administration's priorities and other high-risk areas. In addition, OMB M-23-03 indicated that IGs should use the calculated averages of the Supplemental IG FISMA Reporting Metrics and progress addressing outstanding prior year recommendations as data points to support their risk-based determination of overall program and function level effectiveness. The calculated averages can be found in the FY 2023 IG FISMA Reporting Metrics, which were provided to the agency separately from this report.

The FY 2023 IG FISMA Reporting Metrics provided the reporting requirements across key areas to be addressed in the independent assessment of agencies' information security programs.

20 See OMB M-23-03 online here.

21 See FY 2023 - FY 2024 IG FISMA Reporting Metrics online here.


For this year's review, IGs were to assess the 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics in the five security function areas to assess the maturity level and effectiveness of their agency's information security program. The IG FISMA Reporting Metrics are designed to assess the maturity of the information security program and align with the five functional areas in the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), version 1.1: Identify, Protect, Detect, Respond, and Recover, as highlighted in Table 3.

Table 3: Alignment of the Cybersecurity Framework Security Functions to the Domains in the FY 2023 IG FISMA Reporting Metrics

Cybersecurity Framework Security Function | Domains in the FY 2023 IG FISMA Reporting Metrics
Identify | Risk Management; Supply Chain Risk Management
Protect | Configuration Management; Identity and Access Management; Data Protection and Privacy; Security Training
Detect | Information Security Continuous Monitoring
Respond | Incident Response
Recover | Contingency Planning

The foundational levels of the maturity model in the IG FISMA Reporting Metrics focus on the development of sound, risk-based policies and procedures, while the advanced levels capture the institutionalization and effectiveness of those policies and procedures. Table 4 explains the five maturity model levels. A functional information security area is not considered effective unless it achieves a rating of Level 4, Managed and Measurable.

Table 4: IG Evaluation Maturity Levels

Level 1, Ad-hoc: Policies, procedures, and strategy are not formalized; activities are performed in an ad-hoc, reactive manner.

Level 2, Defined: Policies, procedures, and strategy are formalized and documented but not consistently implemented.

Level 3, Consistently Implemented: Policies, procedures, and strategy are consistently implemented, but quantitative and qualitative effectiveness measures are lacking.

Level 4, Managed and Measurable: Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategy are collected across the organization and used to assess them and make necessary changes.

Level 5, Optimized: Policies, procedures, and strategy are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on a changing threat and technology landscape and business/mission needs.


Appendix II

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to assess the effectiveness of the information security policies, procedures, and practices of the NRC.

Scope

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

For this year's review, IGs were to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security programs and the maturity level of each function area. The maturity levels range, from lowest to highest, over Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, and Optimized.

The FY 2023 IG FISMA Reporting Metrics introduced a calculated average scoring model for FY 2023 and FY 2024 FISMA audits. As part of this approach, Core IG FISMA Reporting Metrics and Supplemental IG FISMA Reporting Metrics were averaged independently to determine a domain's maturity calculation and provide data points for the assessed program and function effectiveness. To provide IGs with additional flexibility and encourage evaluations that are based on agencies' risk tolerance and threat models, calculated averages were not automatically rounded to a particular maturity level. In determining maturity levels and the overall effectiveness of the agency's information security program, the OMB strongly encouraged IGs to focus on the results of the Core IG FISMA Reporting Metrics, as these tie directly to Administration priorities and other high-risk areas. It was recommended that IGs use the calculated averages of the Supplemental IG FISMA Reporting Metrics as a data point to support their risk-based determination of overall program and function level effectiveness.

We utilized the FY 2023 IG FISMA Reporting Metrics guidance22 to form our conclusions for each Cybersecurity Framework domain, function, and the overall agency rating.

Specifically, we focused on the calculated average of the Core IG FISMA Reporting Metrics. Additionally, we considered other data points, such as the calculated average of the Supplemental IG FISMA Reporting Metrics and progress made addressing outstanding prior year recommendations, to form our risk-based conclusion.

22 The FY 2023 IG FISMA Reporting Metrics gave the agency IG the discretion to determine the rating for each of the Cybersecurity Framework domains and functions and the overall agency rating based on the consideration of agency-specific factors and weaknesses noted during the FISMA audit. Using this approach, IGs may determine that a particular domain, function area, or agency's information security program is effective at a calculated maturity level lower than Level 4.


The scope of this performance audit was to assess the NRC's information security program and practices consistent with the FISMA and reporting instructions issued by the OMB and the DHS for FY 2023. The scope also included assessing selected controls from NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, mapped to the FY 2023 IG FISMA Reporting Metrics, for a sample of three of the 15 information systems in the NRC's FISMA inventory of information systems as of January 4, 2023 (Table 5).

Table 5: Description of Systems Selected for Testing

Information Technology Infrastructure (ITI) System: The NRC ITI is a General Support System (GSS) that supports the agency's mission by providing the networking backbone, connectivity, office automation, remote access services, and information security functions to include intrusion detection, malicious code protection, vulnerability scanning and system monitoring, and miscellaneous technical support for the NRC. The ITI system includes information up to and including Sensitive Unclassified Non-Safeguards Information (SUNSI). Classified and Safeguards Information (SGI) are not permitted on the ITI.

Agencywide Documents Access and Management System (ADAMS): ADAMS is used to manage content created by the staff and external stakeholders and is the NRC's official record management system. There is a publicly accessible ADAMS and an inward-facing version that contains documents marked as Official Use Only (OUO).

Business Applications Support System (BASS): BASS provides a common platform for the operations and maintenance of several NRC applications, including the Reactor Program System (RPS), Operator License Tracking System (OLTS), General License Tracking System (GLTS), and Case Management System Web (CMSW).

In addition, an independent vulnerability assessment and external penetration test was performed under executed rules of engagement prepared in accordance with NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Detailed results of the technical assessment of the NRC's network infrastructure, servers, workstations, applications, and routers, accessible internally from the NRC's network and externally from the public Internet, are presented in a separate report under limited distribution due to the sensitive nature of the results.

The audit also included an evaluation of whether the NRC took corrective action to address open recommendations from the FY 2022 FISMA audit23 and FY 2021 FISMA evaluation.24

23 Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022 (Report No. OIG-22-A-14, issued September 29, 2022).

24 Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (Report No. OIG-22-A-04, issued December 20, 2021).


Audit fieldwork covered the NRC's headquarters located in Rockville, Maryland, from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.

Methodology

To determine if the NRC implemented an effective information security program, we conducted interviews with NRC officials and reviewed legal and regulatory requirements stipulated in the FISMA. Also, we reviewed documents supporting the information security program. These documents included, but were not limited to, the NRC's (1) information security policies and procedures; (2) incident response policies and procedures; (3) access control procedures; (4) patch management procedures; (5) change control documentation; and (6) system-generated account listings. Where appropriate, we compared documents, such as the NRC's IT policies and procedures, to requirements stipulated in NIST SPs. We also performed tests of system processes to determine the adequacy and effectiveness of those controls. Finally, we reviewed the status of FISMA prior year recommendations. See Appendix III for the status of prior year recommendations.

In addition, our work in support of the audit was guided by applicable NRC policies and Federal criteria, including, but not limited to, the following:

  • Government Auditing Standards (April 2021).
  • OMB Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements (December 2, 2022).
  • OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021).
  • OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (September 14, 2022).
  • CISAs BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.
  • FY 2023 IG FISMA Reporting Metrics (February 10, 2023).
  • NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for specification of security controls (December 10, 2020).
  • NIST SP 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, for the assessment of security control effectiveness.
  • NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems (November 11, 2011).
  • NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, for the risk management framework controls (December 2018).
  • NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) (February 2014).
  • NRC's policies and procedures, including but not limited to:
    o NRC Common Controls (NRCcc)-Information Security Program Plan (ISPP);
    o NRC ITI, ADAMS, and BASS System Security Plans (SSPs);
    o NRC ITI, ADAMS, and BASS Configuration Management Plans;
    o NRC ITI, ADAMS, and BASS Information System Contingency Plans (ISCPs);
    o NRC Enterprise Risk Management Plan;
    o NRC Risk Management Framework Process;
    o NRC Supply Chain Risk Management Strategy;
    o NRC Privacy Program Plan;
    o NRC Computer Security Process (CSO-PROS)-1323 Information Security Continuous Monitoring Process; and
    o NRC Computer Security Incident Response Team Standard Operating Procedures.

We selected three NRC information systems from the total population of 15 FISMA reportable systems for testing. The three systems were selected based on risk, date of last evaluation, and criticality. Specifically, ITI was selected based on risk since it is categorized as a moderate impact system25 and supports the NRC's applications that reside on the network. ADAMS was selected because it is categorized as a moderate impact system and was last evaluated in 2019. The third system selected for testing was BASS, a moderate impact system that was last evaluated in 2017. We tested the three selected systems' security controls to support our responses to the FY 2023 IG FISMA Reporting Metrics.

In testing for the adequacy and effectiveness of the security controls, we exercised professional judgment in determining the number of items selected for testing and the method used to select them. We considered relative risk and the significance or criticality of the specific items in achieving the related control objective. In addition, the severity of a deficiency related to the control activity and not the percentage of deficient items found compared to the total population available for review was considered. In some cases, this resulted in selecting the entire population.

25 The selected systems were categorized as moderate impact based on NIST Federal Information Processing Standards Publication 199 Standards for Security Categorization of Federal Information and Information Systems.


Appendix III

STATUS OF PRIOR RECOMMENDATIONS

The table below summarizes the status of the open prior recommendations from the FY 2022 FISMA audit and FY 2021 FISMA evaluation.26 At the time of testing and IG FISMA Reporting Metric submission, there remained 21 out of 24 open prior FISMA recommendations from the audit and evaluation referenced above. The NRC OIG gathered feedback from NRC stakeholders in support of Status of Recommendations Memorandums issued March 6, 2023 and February 15, 2023, which are reflected here as part of the NRC's status. The Auditor's Position on Status is based on inspection of evidence received during fieldwork. A follow-up on the open recommendations recorded in this report will occur during the next audit cycle or via the NRC OIG's status of recommendations process.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 1: Review and update the Information Technology Infrastructure System (ITI) Core Services System Security Plan (SSP) Interconnections tab and related security control implementation to ensure system interconnection details reflect the current system environment.
NRC's Status: This recommendation is resolved. The NRC has converted the ITI System SSP from NIST SP 800-53, Revision 4 to Revision 5. The NRC will ensure that related security control implementation details reflect the current system environment. Estimated target completion date: FY 2023 Quarter 2.
Auditor's Position on Status: Open. The ITI Core Services SSP security control implementation details for CA-3 System Interconnections note that ITI has multiple connections with other systems in which the connection agreements are either expired or have not yet been created. Also, the ITI POA&M detail report indicates related POA&M ITI-17-2397 is open.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 2: Implement a process to verify that remaining external interconnections noted in the ITI Core Services SSP have documented, up-to-date Interconnection Security Agreements (ISAs) / Memorandums of Understanding (MOUs) or Service Level Agreements (SLAs) in place as applicable.
NRC's Status: This recommendation is resolved. The NRC's annual Periodic Security Control Assessment (PSCA) process includes a review of the external interconnections, ISA/MOUs, and SLAs within the ITI Core Services SSP Interconnection tab. The NRC will analyze its PSCA process and implement improvements to ensure that external interconnections noted in the ITI Core Services SSP are verified to be current and accurate. Estimated target completion date: FY 2023 Quarter 3.
Auditor's Position on Status: Open. Same comments as above.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 3: Update the ITI inventory to correct any discrepancies and incorrect information listed for ITI devices tracked in the Common Computing Services, Peripherals, Unified Communications, and Voice over Internet Protocol subsystem inventories.
NRC's Status: This recommendation is resolved. The NRC will ensure that the ITI inventory detail is updated and will correct any discrepancies and incorrect information identified for ITI assets in the Common Computing Services, Peripherals, Unified Communications, and Voice over Internet Protocol subsystem inventories. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Open. The ITI Core Services SSP security control implementation details for CM-8 System Component Inventory note an implementation status of planned and state: "During various PSCA efforts, it was revealed that the ITI inventory has multiple discrepancies and incorrect information listed for ITI devices." Also, the ITI POA&M detail report indicates related POA&M ITI 2401 is open.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 4: Document and implement a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.
NRC's Status: This recommendation is resolved. The NRC will update the ITI PSCA process to include a verification that the associated IT asset inventory is current, complete, and accurate. All inventory inaccuracies will be documented, along with a recommended plan of action. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Open. Same comments as above.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 5: Implement a process to document the supply chain risk management requirements within the NRC information systems' system security plans.
NRC's Status: This recommendation remains open. Estimated target completion date: FY 2024 Quarter 1.
Auditor's Position on Status: Open. For one (1) of three (3) systems selected for testing, Supply Chain Risk Management (SR) controls were not documented. Specifically, the Business Applications Support System (BASS) was not incorporating NIST SP 800-53, Revision 5 controls for five (5) of its subsystems.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 6: Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.
NRC's Status: This recommendation is resolved. The NRC maintains an authoritative list of users with privileged level responsibilities as well as a database of associated role-based training. The Office of the Chief Information Officer (OCIO) and the Office of the Chief Human Capital Officer employ a collaborative process to ensure that all role-based training is completed by the annual target date of September 1. The process includes Training Management System reporting and continuous outreach to individual users and their respective supervisors and contracting officer's representatives. The NRC recently strengthened the accuracy of its authoritative list of users with privileged level responsibilities by implementing a weekly update process to capture new users as well as a redundant monthly update process to ensure completeness. As a result of this process, in FY 2022, 94 percent of users completed the training by the target date of September 1 and 98 percent completed the training by September 30. The NRC will analyze this process to identify and implement any further improvements that will increase its effectiveness. Estimated target completion date: FY 2023 Quarter 3.
Auditor's Position on Status: Open. For a sample of four (4) privileged network users from the population of 41 privileged network users with whenCreated dates since October 1, 2022, we noted that three (3) privileged network users did not complete required role-based training course assignments within one year of testing, and one (1) privileged network user did not complete their initial role-based training within one week of gaining access to their privileged account.

Report No.: OIG-22-A-14, FY 2022 FISMA Audit
Recommendation: FY 2022 Recommendation 7: Implement a process to validate that all new contractors complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment, and to subsequently ensure completion of annual security awareness training and renewal of rules of behavior is tracked.
NRC's Status: This recommendation is resolved. Providing security awareness training, which contains sensitive information, to new contractors outside the NRC's secure network would require the creation and ongoing maintenance of a separate secure system. The NRC does not believe that the benefit of new contractors completing the training before gaining access to the NRC network outweighs the costs of a separate secure system. Instead, the NRC plans to add streamlined security training that contains the Rules of Behavior but does not contain sensitive information to its onboarding process, which occurs before contractors gain access to the NRC network. In addition, the NRC will strengthen its process after onboarding to ensure that new contractors complete all required security awareness training, including acknowledging the Rules of Behavior, within the required 30-day timeframe. Estimated target completion date: FY 2023 Quarter 3.
Auditor's Position on Status: Open. For a sample of 11 new network users from the population of 121 enabled network user accounts created since October 1, 2022 (employees and contractors), we noted that two (2) new users did not complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment. The identified users were contractors.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 1: Reconcile mission priorities and cybersecurity requirements into profiles to inform the prioritization and tailoring of controls (e.g., High Value Asset (HVA) control overlays) to support the risk-based allocation of resources to protect the NRC's identified Agency-level and/or National-level HVAs.
NRC's Status: This recommendation is resolved. The NRC will reconcile mission priorities and cybersecurity requirements to derive profiles to inform the prioritization and tailoring of controls to support the risk-based allocation of resources to protect the agency's identified agency- and national-level HVAs. Estimated target completion date: FY 2023 Quarter 2.
Auditor's Position on Status: Open. Evidence to support closure was not provided during fieldwork.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 2: Continue the Agency's current efforts to update the Agency's cybersecurity risk register to (i) aggregate security risks, (ii) normalize cybersecurity information across organizational units, and (iii) prioritize operational risk response.
NRC's Status: This recommendation remains open. In order to continue to aggregate security risks, normalize cybersecurity risk information across organizational units, and prioritize operational risk responses, the NRC is implementing a centralized and automated application that will aggregate cybersecurity POA&M risks for all FISMA systems, including the agency's programmatic cybersecurity POA&Ms. The application will also prioritize cybersecurity POA&M risks across organizational units. Estimated target completion date: FY 2024 Quarter 1.
Auditor's Position on Status: Open.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 3: Update procedures to include assessing the impacts to the organization's Information Security Architecture prior to introducing new information systems or major system changes into the Agency's environment.
NRC's Status: This recommendation remains open. The NRC plans to propose the resources necessary to support this recommendation during formulation of the FY 2025 budget. The first full annual review is expected to occur in the fourth quarter (Q4) of FY 2025. Estimated target completion date: FY 2025.
Auditor's Position on Status: Open.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 4: Develop and implement procedures in the POA&M process to include mechanisms for prioritizing completion and incorporating this as part of documenting a justification and approval for delayed POA&Ms.
NRC's Status: This recommendation remains open. The NRC is assessing strategies to modify its POA&M and business processes to include mechanisms for prioritizing completion and incorporating this as part of documenting a justification and approval for delayed POA&Ms. Estimated target completion date: FY 2024 Quarter 1.
Auditor's Position on Status: Open.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 5: Assess the NRC supply chain risk and fully define performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.
NRC's Status: The NRC recommends closure of this item.
Auditor's Position on Status: Closed. The OIG reviewed one finalized and two draft procedures and determined that the Supplemental Supply Chain Risk Assessment (SCRA) process provides a basis for measuring and monitoring metrics to assess risks associated with contractor systems and services. Therefore, this recommendation is considered closed.

Report No.: OIG-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 6: Document and implement policies and procedures for prioritizing externally provided systems and services, or a risk-based process for evaluating cyber supply chain risks associated with third-party providers.
NRC's Status: This recommendation is resolved. The NRC has developed two draft computer security processes, CSO-PROS-0008 Process to Assess, Respond, and Monitor ICT Supply Chain Risks and CSO-PROS-0007 Process to Use SCR Investigation Service to Determine Information and Communications Technology (ICT) Supply Chain Risk Associated with an Offeror, issued August 8, 2022, that are currently being utilized to determine the supply chain risk associated with an ICT product or service, perform appropriate responsive actions, and monitor the risk over time. The NRC will finalize the processes once a sufficient number of assessments are performed to determine the effectiveness of the evaluations.
Auditor's Position on Status: Open. Evidence to support closure was not provided during fieldwork.

26 See footnotes 23 and 24.

Estimated target completion date:

FY 2023 Quarter 3.

OIG-22-A-04 FY 2021 Recommendation 7: Implement This recommendation remains Open FY 2021 FISMA processes for continuous monitoring and open.

Evaluation scanning of counterfeit components to include configuration control over system The NRC is assessing approaches components awaiting service or repair and to implement the processes for the serviced or repaired components awaiting continuous monitoring and return to service. scanning of counterfeit components, to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Estimated target completion date:

FY 2023 Quarter 4.

OIG-22-A-04 FY 2021 Recommendation 8: Develop and This recommendation remains Open FY 2021 FISMA implement role-based training with those who open.

Evaluation hold supply chain risk management roles and Evidence to support responsibilities to detect counterfeit system Pursuant to the Supply Chain closure was not components. Security Training Act of 2021, Pub. provided during L. 117-145, General Services fieldwork.

Administration (GSA) is required to develop training for federal officials with supply chain risk management 22

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status responsibilities. The NRC will leverage this training, which will be implemented by Office of Management and Budget (OMB),

when it becomes available.

Estimated target completion date:

FY 2023 Quarter 1.

OIG-22-A-04 FY 2021 Recommendation 10: Centralize The NRC recommends closure of Closed FY 2021 FISMA system privileged and non-privileged user this item.

Evaluation access review, audit log activity monitoring, The OIG met with and management of Personal Identity OCIO to view the Verification (PIV) or Identity Assurance Level centralized system (IAL) 3/Authenticator Assurance Level (AAL) privileged and non-3 credential access to all NRC systems privileged user access (findings noted in bullets a, and c, above) by review, audit log continuing efforts to implement these activity monitoring, and capabilities using the Splunk QAudit, management of PIV or SailPoint, and CyberArk automated tools. IAL 3 / AAL 3 credential access to all NRC systems.

Therefore, this recommendation is considered closed.

OIG-22-A-04 FY 2021 Recommendation 11: Update user The NRC recommends closure of Open FY 2021 FISMA system access control procedures to include this item.

Evaluation the requirement for individuals to complete a The NRC should non-disclosure and rules of behavior The NRC implemented an updated update user system agreements prior to the individual being procedure that requires users to access control granted access to NRC systems and complete nondisclosure and rules procedures to include information. of behavior agreements as part of the requirement for the onboarding process prior to individuals to complete being granted access to NRC a non-disclosure and 23

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status systems and information. The rules of behavior NRC Office of Administration agreements prior to the began using the new process, individual being which is part of Personal Identity granted access to NRC Verification (PIV) card enrollment, systems and on December 9, 2020. information.

Specifically, for a sample 11 new network users from the population of 121 enabled network user accounts created since October 1, 2022 (employees and contractors), we noted that two (2) new users did not complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment. The identified users were contractors.

OIG-22-A-04 FY 2021 Recommendation 12: Conduct an This recommendation remains Open FY 2021 FISMA independent review or assessment of the open.

Evaluation NRC privacy program and use the results of The NRC has not yet these reviews to periodically update the The NRC will conduct an in-depth, completed an privacy program. independent assessment of the independent review or agencys privacy program. Using assessment of the the results of the assessment, the NRC privacy program and used the results of 24

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status NRC will periodically update the these reviews to privacy program. periodically update the privacy program. The Estimated target completion date: NRC has engaged a FY 2024 Quarter 1. contractor to perform an independent assessment of the NRCs Privacy Program. However, the assessment was ongoing at the time of our review.

OIG-22-A-04 FY 2021 Recommendation 13: Implement the This recommendation is resolved. Open FY 2021 FISMA technical capability to restrict access or not Evaluation allow access to the NRCs systems until new The NRC will perform an analysis For a sample 11 new NRC employees and contractors have to determine the best and most network users from the completed security awareness training and economical path forward to population of 121 role-based training as applicable or administer computer security enabled network user implement the technical capability to capture training to new NRC employees accounts created since NRC employees and contractors initial login and contractors before they gain October 1, 2022 date so that the required cybersecurity access to the agencys systems. (employees and awareness and role-based training can be contractors), we noted accurately tracked and managed by the Estimated target completion date: that two (2) new users current process in place. FY 2023 Quarter 3. did not complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment. The identified users were contractors.

25

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status For a sample of four (4) privileged network users from the population of 41 privileged network users with whenCreated dates since October 1, 2022, we noted that three (3) privileged network users did not complete required role-based training course assignments within one year of testing; and one (1) privileged network user did not complete their initial role-based training within one week of gaining access to their privileged account.

OIG-22-A-04 FY 2021 Recommendation 14: Implement the This recommendation is resolved. Open FY 2021 FISMA technical capability to restrict NRC network Evaluation access for employees who do not complete The NRC has implemented the Same comments as annual security awareness training and, if technical capability to restrict NRC above.

applicable, their assigned role-based security network access for employees who training. do not complete annual security awareness training. To date, this capability has been deployed to restrict NRC network access for contract personnel who do not complete annual security 26

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status awareness training on time.

Deploying this capability for NRC employees, however, would require alignment with several agency stakeholders. The NRC closely tracks the timely completion of training by its employees resulting in the majority of employees completing the training on time. In light of these factors, the NRC is continuing to assess the need to deploy this capability for employees.

Estimated target completion date:

FY 2023 Quarter 3.

OIG-22-A-04 FY 2021 Recommendation 15: Implement The NRC recommends closure of Closed FY 2021 FISMA metrics to measure and reduce the time it this item.

Evaluation takes to investigate an event and declare it as The OIG reviewed the a reportable or non-reportable incident to updated standard United States Computer Emergency operating procedure Readiness Team (US-CERT). and an incident reporting form that is used to input information into the database for tracking and metric measurement.

Therefore, this recommendation is considered closed.

OIG-22-A-04 FY 2021 Recommendation 16: Conduct an This recommendation remains Open FY 2021 FISMA organizational level Business Impact Analysis open.

27

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status Evaluation (BIA) to determine contingency planning requirements and priorities, including for The NRC will conduct an mission essential functions/high value assets, organization-level BIA to determine and update contingency planning policies and contingency planning requirements procedures accordingly. and priorities, including for mission essential functions and HVAs, and update contingency planning policies and procedures accordingly. Due to limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024.

Estimated target completion date:

FY 2024 Quarter 3.

OIG-22-A-04 FY 2021 Recommendation 17: Integrate This recommendation remains Open FY 2021 FISMA metrics for measuring the effectiveness of open.

Evaluation information system contingency plans with information on the effectiveness of related The NRC will integrate metrics for plans, such as organization and business measuring the effectiveness of process continuity, disaster recovery, incident information system contingency management, insider threat implementation, plans with information on the and occupant emergency plans, as effectiveness of related plans, such appropriate, to deliver persistent situational as organization and business awareness across the organization. process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. Due to limited resources and other priority 28

Appendix III U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRCs Implementation of the FISMA Auditors Position Report No. Recommendation NRCs Status on Status operational and cybersecurity work, the NRC is now targeting completion for FY 2024.

Estimated target completion date:

FY 2024 Quarter 4.

OIG-22-A-04 FY 2021 Recommendation 18: Update and This recommendation remains Open FY 2021 FISMA implement procedures to coordinate open.

Evaluation contingency plan testing with ICT supply chain providers. The NRC is assessing approaches to implement procedures to coordinate contingency plan testing with ICT supply chain providers.

Due to limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024.

Estimated target completion date:

FY 2024 Quarter 4.

29

Appendix IV
U.S. Nuclear Regulatory Commission FY 2023 Audit of the NRC's Implementation of the FISMA

NRC'S MANAGEMENT COMMENTS

An exit briefing was held with the agency on August 30, 2023. Prior to this meeting, NRC management reviewed a discussion draft and provided editorial comments that have been incorporated into this report as appropriate. As a result, NRC management stated their general agreement with the findings and recommendations of this report and chose not to provide formal comments for inclusion in this report.
