ML23272A154

DNFSB-23-A-04, Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023

Issue date: 09/29/2023
From: Virkar H, NRC/OIG/AIGA
To: Herrera K, NRC/EDO
References: DNFSB-23-A-04

MEMORANDUM

DATE: September 29, 2023
TO: Katherine Herrera, Acting Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits
SUBJECT: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (DNFSB-23-A-04)

The Office of the Inspector General (OIG) contracted with CliftonLarsonAllen LLP (CLA) to conduct the Audit of the Defense Nuclear Facilities Safety Board's (DNFSB) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023. Attached is CLA's final report on the audit. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the DNFSB. The findings and conclusions presented in this report are the responsibility of CLA. The OIG's responsibility is to provide oversight of the contractor's work in accordance with generally accepted government auditing standards.

The report presents the results of the subject audit. Following the exit conference, agency staff indicated that they had formal comments for inclusion in this report.

For the period October 1, 2022, through June 30, 2023, CLA found that the DNFSB did not establish an effective agency-wide information security program, and there were weaknesses that impact the agency's ability to adequately protect the DNFSB's system and information.

NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 nrcoig.oversight.gov

Please provide information on actions taken or planned on each of the recommendations within 30 calendar days of the date of this report. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1. We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment:

As stated

cc: T. Tadlock, OEDO

Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014
Fiscal Year 2023
Final Report

CliftonLarsonAllen LLP
CLAconnect.com

Inspector General
Defense Nuclear Facilities Safety Board

CliftonLarsonAllen LLP (CLA) conducted a performance audit of the Defense Nuclear Facilities Safety Board's (DNFSB) information security program and practices for fiscal year (FY) 2023 in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires agencies to develop, implement, and document an agency-wide information security program. In addition, FISMA requires Inspectors General (IGs) to conduct an annual independent evaluation of their agency's information security program and practices. The objective of this performance audit was to assess the effectiveness of the information security policies, procedures, and practices of the DNFSB.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

For this year's review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security programs and the maturity level of each function area.1 The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, DNFSB's information security program must be rated Level 4 - Managed and Measurable.

The audit included an assessment of the DNFSB's information security program and practices consistent with FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for the DNFSB General Support System (GSS).

Audit fieldwork covered the DNFSBs headquarters located in Washington, DC from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.

We concluded that the DNFSB did not implement effective information security policies, procedures, and practices, since it achieved an overall Level 3 - Consistently Implemented maturity level. A Level 3 designation reflects that although an agency's policies, procedures, and strategy are consistently implemented, quantitative and qualitative effectiveness measures are lacking. Therefore, the DNFSB did not have an effective information security program.

We noted new and repeat weaknesses in seven of the eight domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made 1 new recommendation to assist the DNFSB in strengthening its information security program. Additionally, 35 prior year recommendations remain open dating back to FY 2019.

1 The function areas are further broken down into nine domains.

CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.


Our work did not include an assessment of the sufficiency of internal control over financial reporting or other matters not specifically outlined in this report. CLA cautions that projecting the results of our performance audit to future periods is subject to the risks that conditions may materially change from their current status. The information included in this report was obtained from the DNFSB on or before September 15, 2023. We have no obligation to update our report or to revise the information contained therein to reflect events occurring subsequent to September 15, 2023.

The purpose of this audit report is to report on our assessment of the DNFSB's compliance with FISMA, and it is not suitable for any other purpose. Additional information on our findings and recommendations is included in the accompanying report.

CliftonLarsonAllen LLP
Arlington, Virginia
September 15, 2023

Defense Nuclear Facilities Safety Board
FY 2023 Audit of the DNFSB's Implementation of the FISMA

Table of Contents

EXECUTIVE SUMMARY
  Audit Results
AUDIT FINDINGS
  1. Weaknesses in DNFSB's Event Logging Maturity
EVALUATION OF MANAGEMENT COMMENTS
APPENDIX I: BACKGROUND
APPENDIX II: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX III: STATUS OF PRIOR RECOMMENDATIONS
APPENDIX IV: DNFSB'S MANAGEMENT COMMENTS

EXECUTIVE SUMMARY

The Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agency Inspectors General (IGs) to assess the effectiveness of their agency's information security program and practices. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued guidance for Federal agencies to follow. In addition, NIST issues Federal Information Processing Standards (FIPS) that establish agency baseline security requirements.

The Nuclear Regulatory Commission and Defense Nuclear Facilities Safety Board (DNFSB) Office of the Inspector General (OIG) engaged CliftonLarsonAllen LLP (CLA) to conduct a performance audit in support of the FISMA requirement for an annual independent evaluation of the DNFSB's information security program and practices. The objective of this performance audit was to assess the effectiveness of the information security policies, procedures, and practices of the DNFSB.

The OMB and the Department of Homeland Security (DHS) annually provide instructions to Federal agencies and IGs for preparing FISMA reports. On December 2, 2022, the OMB issued Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements.2 According to that memorandum, each year the IGs are required to complete the IG FISMA Reporting Metrics3 to independently assess their agencies' information security programs. The OMB selected a core group of metrics4 that Inspectors General must evaluate annually and a selection of 20 Supplemental IG FISMA Reporting Metrics that must be evaluated during FY 2023.5 The remaining standards and controls will be evaluated on a two-year cycle.

For this year's review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security programs and the maturity level of each function area.6 The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, an agency's information security program must be rated Level 4 - Managed and Measurable. See Appendix I for additional information on the FISMA reporting requirements.

The audit included an assessment of the DNFSB's information security program and practices consistent with FISMA and reporting instructions issued by the OMB. In addition, we reviewed selected controls from NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, mapped to the FY 2023 IG FISMA Reporting Metrics for the DNFSB General Support System (GSS).

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

2 See OMB M-23-03 online here.

3 See FY 2023 - FY 2024 IG FISMA Reporting Metrics online here. We submitted our responses to the FY 2023 IG FISMA Reporting Metrics to DNFSB OIG as a separate deliverable under the contract for this audit.

4 Core Metrics represent a combination of Administration priorities, high-impact security processes, and essential functions necessary to determine security program effectiveness.

5 Supplemental Metrics represent important activities conducted by security programs and contribute to the overall evaluation and determination of security program effectiveness.

6 The function areas are further broken down into nine domains.

Audit Results

We concluded that the DNFSB did not implement effective information security policies, procedures, and practices, since it achieved an overall Level 3 - Consistently Implemented maturity level, and therefore the DNFSB did not have an effective information security program.7 To be considered effective, DNFSB's information security program must be rated Managed and Measurable (Level 4). Table 1 below shows a summary of the overall assessed maturity levels for each function area and domain in the FY 2023 IG FISMA Reporting Metrics.

Table 1: Maturity Levels for FY 2023 IG FISMA Reporting Metrics

(Each Cybersecurity Framework security function is listed with its assessed maturity level, followed by the FY 2023 IG FISMA Reporting Metrics domains under it and their assessed maturity levels.)

Identify - Level 2: Defined
  Risk Management - Level 3: Consistently Implemented
  Supply Chain Risk Management - Level 1: Ad-Hoc
Protect - Level 3: Consistently Implemented
  Configuration Management - Level 3: Consistently Implemented
  Identity and Access Management - Level 4: Managed and Measurable
  Data Protection and Privacy - Level 3: Consistently Implemented
  Security Training - Level 4: Managed and Measurable
Detect - Level 2: Defined
  Information Security Continuous Monitoring - Level 2: Defined
Respond - Level 3: Consistently Implemented
  Incident Response - Level 3: Consistently Implemented
Recover - Level 3: Consistently Implemented
  Contingency Planning - Level 3: Consistently Implemented
Overall - Level 3: Consistently Implemented - Not Effective

In evaluating the effectiveness of the DNFSB's information security program, we considered the following factors:

- The DNFSB's size, complexity, and control environment were taken into consideration in the aggregate to raise the overall assessed maturity level.
- The OMB considers the 20 Core Metrics to be the most critical to determine the effectiveness of an agency's information security program. The 20 FY 2023 Supplemental Metrics represent additional important activities conducted by security programs. Taken together, these metrics support assessment of the adoption of current administration priorities and contribute to the overall determination of DNFSB's security program effectiveness.
- The DNFSB has a significant number of open prior year recommendations. Since last year, the agency demonstrated actions to close 21 of the 56 prior FISMA recommendations open since FY 2019. In addition, there were prior year recommendations with significant impact to the FY 2023 IG FISMA Reporting Metrics which remain outstanding. The number of remaining prior year recommendations signifies that DNFSB has not gained momentum in addressing the underlying root causes of these security weaknesses.

7 In the FY 2022 FISMA audit, the results were based on the 20 metric questions. The FY 2023 FISMA audit results are based on 40 metric questions.

To fully progress towards Managed and Measurable, the DNFSB will need to address new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, data protection and privacy, information security continuous monitoring, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics (see Table 2 below). As a result of the weaknesses noted, we made 1 new recommendation to assist the DNFSB in strengthening its information security program. Additionally, we noted that 35 prior year recommendations remain open.8 Table 2 also includes weaknesses where DNFSB has prior year recommendations that remain open related to the FY 2023 IG FISMA Reporting Metrics.

Table 2: Weaknesses Mapped to Cybersecurity Framework Security Functions and Domains in the FY 2023 IG FISMA Reporting Metrics

(Each Cybersecurity Framework security function is listed with the FY 2023 IG FISMA Reporting Metrics domains under it and the weaknesses noted in each domain.)

Identify
  Risk Management: Open prior year recommendations related to the security assessment and authorization process.9
  Supply Chain Risk Management: Open prior year recommendation related to the supply chain risk management strategy.
Protect
  Configuration Management: Open prior year recommendations related to the vulnerability management program.
  Identity and Access Management: Open prior year recommendation related to completing access agreements prior to granting system access.
  Data Protection and Privacy: Open prior year recommendation related to role-based privacy training.
  Security Training: No weaknesses noted.
Detect
  Information Security Continuous Monitoring: Open prior year recommendations related to security assessment and risk management processes.
Respond
  Incident Response: Weaknesses in DNFSB's Event Logging Maturity (Finding 1).
Recover
  Contingency Planning: Open prior year recommendations related to business impact analysis and contingency planning role-based training.

8 See Appendix III for status of prior year recommendations.

9 See Appendix III for status of prior year open recommendations.

In order to demonstrate measurable improvements towards an effective information security program, the DNFSB needs to focus attention on remediating prior year recommendations in a timely manner and prioritizing those recommendations that relate to the Core Metrics.

Implementing more of these recommendations will help the DNFSB to mature its information security program and bring it closer to effectiveness. In addition, DNFSB could consider developing a strategy that includes resource commitments to address the corrective actions necessary to show steady, measurable improvement in the DNFSB's information security program.

Developing such a strategy may require the DNFSB to allocate sufficient resources, including staffing, to be responsible for remediating audit recommendations in a timely manner.

The following section provides a detailed discussion of the audit findings. Appendix I provides background information on FISMA. Appendix II describes the audit objective, scope, and methodology. Appendix III provides the status of prior year recommendations. Appendix IV includes DNFSB's management comments.


AUDIT FINDINGS

1. Weaknesses in DNFSB's Event Logging Maturity

Cybersecurity Framework Security Function: Respond
FY 2023 IG FISMA Reporting Metrics Domain: Incident Response

DNFSB assessed its Event Logging (EL) maturity against the requirements in OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021), and reported its current EL maturity level as EL0 (footnote 10), not effective.

While DNFSB is developing a plan to reach compliance with the OMB M-21-31 requirements, DNFSB did not reach the EL1 (footnote 11) and EL2 (footnote 12) maturity levels by OMB's required due dates.

Specifically, DNFSB did not:

- Within one year of the date of OMB M-21-31, or by August 27, 2022, reach the EL1 maturity level.
- Within 18 months of the date of OMB M-21-31, or by February 27, 2023, achieve the EL2 maturity level.

Further, DNFSB did not document any risk-based decisions, including compensating controls, for not meeting the requirements in OMB M-21-31.

DNFSB management indicated that due to resource issues they were unable to adequately support the procurement, onboarding and implementation of EL1 and EL2 maturity level requirements by the required deadlines.

OMB M-21-31 addresses the logging requirements in Executive Order 14028, Improving the Nation's Cybersecurity13 (May 12, 2021). OMB M-21-31 establishes a maturity model to guide the implementation of requirements across the EL tiers shown below; the tiers are designed to help agencies prioritize their efforts and resources to achieve full compliance with requirements for implementation, log categories, and centralized access. OMB M-21-31 further requires that agencies forward all required event logs, in near real-time and on an automated basis, to centralized systems responsible for Security Information and Event Management (SIEM).14 The maturity model is summarized below:

Tier EL0, Rating - Not Effective

The agency or one or more of its components have not implemented the following requirement:

- Ensuring that the Required Logs categorized as Criticality Level 0 are retained in acceptable formats for specified timeframes, per technical details described in OMB M-21-31, Appendix C (Logging Requirements - Technical Details).

10 Per OMB M-21-31, the EL0 maturity level signifies that logging requirements of highest criticality are either not met or are only partially met. See OMB M-22-18 online here.

11 Per OMB M-21-31, the EL1 maturity level signifies that only logging requirements of highest criticality are met.

12 Per OMB M-21-31, the EL2 maturity level signifies that logging requirements of highest and intermediate criticality are met.

13 See Executive Order 14028 online here.

14 SIEM tools are a type of centralized logging software that can facilitate aggregation and consolidation of audit log records from multiple information system components. SIEM tools automate the collection of audit log records from other tools, report them to a management console in a standardized format, and facilitate audit record correlation and analysis.

Tier EL1, Rating - Basic (to be met by August 27, 2022)

The agency and all of its components meet the following requirements, as detailed in Table 2 (EL1 Basic Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

- Basic Logging Categories
- Minimum Logging Data
- Time Standard
- Event Forwarding
- Protecting and Validating Log Information
- Passive DNS [Domain Name System]
- CISA and Federal Bureau of Investigation Access Requirements
- Logging Orchestration, Automation, and Response - Planning
- User Behavior Monitoring - Planning
- Basic Centralized Access

Tier EL2, Rating - Intermediate (to be met by February 26, 2023)

The agency and all of its components meet the following requirements, as detailed in Table 3 (EL2 Intermediate Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

- Meeting EL1 maturity level
- Intermediate Logging Categories
- Publication of Standardized Log Structure
- Inspection of Encrypted Data
- Intermediate Centralized Access

Tier EL3, Rating - Advanced (to be met by August 27, 2023)

The agency and all of its components meet the following requirements, as detailed in Table 4 (EL3 Advanced Requirements) within OMB M-21-31, Appendix A (Implementation and Centralized Access Requirements):

- Meeting EL2 maturity level
- Advanced Logging Categories
- Logging Orchestration, Automation, and Response - Finalizing Implementation
- User Behavior Monitoring - Finalizing Implementation
- Application Container Security, Operations, and Management
- Advanced Centralized Access

Further, OMB M-21-31, Section II: Agency Implementation Requirements, requires agencies to perform the following:

- Within 60 calendar days of the date of OMB M-21-31 [or by October 26, 2021], assess their maturity against the maturity model in OMB M-21-31 and identify resourcing and implementation gaps associated with completing each of the requirements listed below. Agencies will provide their plans and estimates to their OMB Resource Management Office and Office of the Federal Chief Information Officer desk officer.
- Within one year of the date of OMB M-21-31 [or by August 27, 2022], reach EL1 maturity.
- Within 18 months of OMB M-21-31 [or by February 26, 2023], achieve EL2 maturity.
- Within two years of OMB M-21-31 [or by August 27, 2023], achieve EL3 maturity.
- Provide, upon request and to the extent consistent with applicable law, relevant logs to CISA and the Federal Bureau of Investigation. This sharing of information is critical to defend federal information systems.
- Share log information, as needed and appropriate, with other federal agencies to address cybersecurity risks or incidents.

Cyber-attacks underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud service providers) is invaluable in the detection, investigation, and remediation of cyber threats. By not achieving the EL1 and EL2 maturity levels, DNFSB is not meeting the logging requirements of highest criticality. DNFSB is currently at EL0 maturity; therefore, its event logging capabilities are not effective based on OMB M-21-31. Further, DNFSB may not be able to correlate audit log records across different repositories in a complete or risk-based manner as defined by OMB M-21-31, which increases the risk that DNFSB does not collect all meaningful and relevant data on suspicious events. This may, in turn, increase the risk that DNFSB misses the potential scope or veracity of suspicious events or attacks.
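The EL1 basic requirements listed above (Time Standard, Event Forwarding, Protecting and Validating Log Information) and the cross-repository correlation gap described in this paragraph can be made concrete in code. The following is an added example written for this page; it is not DNFSB, CLA, or OMB code and not a transcription of OMB M-21-31 Appendix C. It assumes the time standard is UTC ISO 8601 with millisecond precision, assumes forwarder and collector share an HMAC key (SHARED_KEY, an illustrative value), and uses constructed sample events (SAMPLE_EVENTS) from two hypothetical sources that emit timestamps in different local formats. It normalizes the timestamps, forwards records as an HMAC-linked chain so the collector can detect edits, deletions, or reordering, and then correlates one user's activity across both sources once the times are comparable.

```python
"""Model of two OMB M-21-31 EL1 "basic" controls (a single time standard and
tamper-evident event forwarding to a central collector) plus the cross-source
correlation that depends on them. Added example; not DNFSB, OMB, or CLA code."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: forwarder and collector share this key; the authenticated hash
# chain below stands in for "Protecting and Validating Log Information".
# The key value is illustrative only.
SHARED_KEY = b"example-collector-key-replace-me"

# Constructed sample events from two hypothetical sources (a web proxy and a
# domain controller) that emit timestamps in different local formats.
SAMPLE_EVENTS = [
    {"source": "web-proxy", "ts": "2023-02-01 14:03:22.417 -0500",
     "user": "jdoe", "action": "GET https://example.test/"},
    {"source": "ad-dc", "ts": "2023-02-01T19:03:25Z",
     "user": "jdoe", "action": "logon"},
    {"source": "web-proxy", "ts": "2023-02-01 14:03:40.002 -0500",
     "user": "svc-backup", "action": "GET https://example.test/admin"},
]


# Assumption: the time standard is UTC, ISO 8601, millisecond precision.
def normalize_timestamp(raw):
    """Return the source timestamp as a UTC ISO 8601 string with milliseconds."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f %z", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            parsed = datetime.strptime(raw, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised timestamp format: {raw!r}")
    if parsed.tzinfo is None:          # the trailing "Z" form is already UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    parsed = parsed.astimezone(timezone.utc)
    return parsed.strftime("%Y-%m-%dT%H:%M:%S.") + f"{parsed.microsecond // 1000:03d}Z"


def _canonical(record):
    """Stable serialization so forwarder and collector hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def forward(events, key=SHARED_KEY):
    """Normalize timestamps and emit records, each authenticated over its own
    content plus the previous record's tag, so edits, deletions, and
    reordering are detectable at the collector."""
    prev_tag = "0" * 64
    stream = []
    for seq, event in enumerate(events):
        record = dict(event, ts=normalize_timestamp(event["ts"]), seq=seq, prev=prev_tag)
        tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        stream.append({"record": record, "tag": tag})
        prev_tag = tag
    return stream


def verify(stream, key=SHARED_KEY):
    """Re-walk the chain at the collector. Returns (True, None) if intact, else
    (False, index) for the first record whose sequence, link, or tag is wrong."""
    prev_tag = "0" * 64
    for i, item in enumerate(stream):
        record = item["record"]
        if record.get("seq") != i or record.get("prev") != prev_tag:
            return False, i
        expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, item["tag"]):
            return False, i
        prev_tag = item["tag"]
    return True, None


def timeline(stream, user):
    """Correlate one user's activity across sources; the sort is only valid
    because every record now carries the same UTC time standard."""
    rows = [(r["record"]["ts"], r["record"]["source"], r["record"]["action"])
            for r in stream if r["record"]["user"] == user]
    return sorted(rows)


if __name__ == "__main__":
    stream = forward(SAMPLE_EVENTS)
    print("chain intact:", verify(stream))
    for row in timeline(stream, "jdoe"):
        print(*row)
```

Running the module prints the chain verification result and jdoe's merged timeline; verify returns the index of the first bad record so an operator can see where the stream was altered. In a real deployment the key would be provisioned per source and the chain head anchored in the SIEM, which this example does not attempt.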

Recommendation 1: We recommend that DNFSB's Chief Information Security Officer acquire resources to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.


EVALUATION OF MANAGEMENT COMMENTS

In response to a draft of this report, DNFSB agreed with the OIG's assessment of the current state of its information security program. In addition, DNFSB recognized that 21 prior year recommendations were closed based on inspection of evidence received during fieldwork for the FY 2023 FISMA audit. DNFSB management stated that another 8 prior year recommendations were closed; however, evidence required to verify closure of these recommendations was not provided during fieldwork. A follow-up on the open recommendations recorded in this report will occur during the next audit cycle or via the OIG's status of recommendations process. DNFSB's comments are included in Appendix IV.


Appendix I

BACKGROUND

Overview

The DNFSB, an independent executive branch agency, is charged with providing technical safety oversight of the Department of Energy's (DOE) defense nuclear facilities and activities in order to provide adequate protection for the health and safety of the public and workers. DNFSB's primary mission is to promote the protection of public health and safety by ensuring implementation of safety standards at DOE defense nuclear facilities and operations. In addition to conducting safety oversight on hundreds of existing hazardous nuclear operations, the DNFSB is obligated by law to conduct in-depth reviews of new DOE defense nuclear facilities during both design and construction.

Federal Information Security Modernization Act of 2014 (FISMA)

FISMA provides a comprehensive framework for ensuring effective security controls over information resources supporting Federal operations and assets. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source.

The statute also provides a mechanism for improved oversight of Federal agency information security programs. FISMA requires agency heads to take the following actions, among others:15

1. Be responsible for providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems; complying with applicable governmental requirements and standards; and ensuring information security management processes are integrated with the agencys strategic, operational, and budget planning processes.
2. Ensure that senior agency officials provide information security for the information and information systems that support the operations and assets under their control.
3. Delegate to the agency Chief Information Officer the authority to ensure compliance with FISMA.
4. Ensure that the agency has trained personnel sufficient to assist the agency in complying with FISMA requirements and related policies, procedures, standards, and guidelines.
5. Ensure that the Chief Information Officer reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions.
6. Ensure that senior agency officials carry out information security responsibilities.
7. Ensure that all personnel are held accountable for complying with the agency-wide information security program.

Agencies must also report annually to the OMB and to congressional committees on the effectiveness of their information security program. In addition, FISMA requires agency IGs to assess the effectiveness of their agencys information security program and practices.

15 44 USC § 3554, Federal agency responsibilities.


National Institute of Standards and Technology (NIST) Security Standards and Guidelines

FISMA requires NIST to provide standards and guidelines pertaining to Federal information systems. The prescribed standards establish minimum information security requirements necessary to improve the security of Federal information and information systems. FISMA also requires that Federal agencies comply with Federal Information Processing Standards issued by NIST. In addition, NIST develops and issues Special Publications as recommendations and guidance documents.

FISMA Reporting Requirements The OMB and the DHS annually provide instructions to Federal agencies and IGs for preparing FISMA reports. On December 2, 2022, OMB issued Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements.16 This memorandum described key changes to the methodology for conducting FISMA audits, as well as the processes for Federal agencies to report to OMB, and where applicable, DHS. Key changes to the methodology included:

- The OMB selected a core group of metrics that Inspectors General must evaluate annually and a selection of 20 Supplemental IG FISMA Reporting Metrics that must be evaluated during FY 2023.17 The remaining standards and controls will be evaluated on a two-year cycle.
- In previous years, IGs were directed to use a mode-based scoring approach to assess maturity levels. In FY 2023, ratings were based on calculated averages, wherein the average of the metrics in a particular domain is used by IGs to determine the effectiveness of individual function areas (Identify, Protect, Detect, Respond, and Recover). IGs were encouraged to focus on the calculated averages of the 20 Core IG FISMA Reporting Metrics, as these tie directly to the Administration's priorities and other high-risk areas. In addition, OMB M-23-03 indicated that IGs should use the calculated averages of the Supplemental IG FISMA Reporting Metrics and progress in addressing outstanding prior year recommendations as data points to support their risk-based determination of overall program and function level effectiveness. The calculated averages can be found in the FY 2023 IG FISMA Reporting Metrics, which were provided to the agency separately from this report.

The FY 2023 IG FISMA Reporting Metrics provided the reporting requirements across key areas to be addressed in the independent assessment of agencies' information security programs.

For this year's review, IGs were to assess the 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics in the five security function areas to assess the maturity level and effectiveness of their agency's information security program. The IG FISMA Reporting Metrics are designed to assess the maturity of the information security program and align with the five functional areas in the NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), version 1.1: Identify, Protect, Detect, Respond, and Recover, as highlighted in Table 3.

16 See OMB M-23-03 online here.

17 See FY 2023 - FY 2024 IG FISMA Reporting Metrics online here.


Table 3: Alignment of the Cybersecurity Framework Security Functions to the Domains in the FY 2023 IG FISMA Reporting Metrics

Cybersecurity Framework Security Function: Domains in the FY 2023 IG FISMA Reporting Metrics
Identify: Risk Management; Supply Chain Risk Management
Protect: Configuration Management; Identity and Access Management; Data Protection and Privacy; Security Training
Detect: Information Security Continuous Monitoring
Respond: Incident Response
Recover: Contingency Planning

The foundational levels of the maturity model in the IG FISMA Reporting Metrics focus on the development of sound, risk-based policies and procedures, while the advanced levels capture the institutionalization and effectiveness of those policies and procedures. The table below explains the five maturity model levels. A functional information security area is not considered effective unless it achieves a rating of Level 4, Managed and Measurable.

Table 4: IG Evaluation Maturity Levels

Level 1 (Ad-hoc): Policies, procedures, and strategy are not formalized; activities are performed in an ad-hoc, reactive manner.
Level 2 (Defined): Policies, procedures, and strategy are formalized and documented but not consistently implemented.
Level 3 (Consistently Implemented): Policies, procedures, and strategy are consistently implemented, but quantitative and qualitative effectiveness measures are lacking.
Level 4 (Managed and Measurable): Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategy are collected across the organization and used to assess them and make necessary changes.
Level 5 (Optimized): Policies, procedures, and strategy are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on a changing threat and technology landscape and business/mission needs.


Appendix II
Defense Nuclear Facilities Safety Board FY 2023 Audit of the DNFSB's Implementation of the FISMA

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to assess the effectiveness of the information security policies, procedures, and practices of the DNFSB.

Scope

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

For this year's review, IGs were to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agencies' information security program and the maturity level of each function area. The maturity levels, from lowest to highest, are Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, and Optimized.

The FY 2023 IG FISMA Reporting Metrics introduced a calculated average scoring model for FY 2023 and FY 2024 FISMA audits. Under this approach, Core IG FISMA Reporting Metrics and Supplemental IG FISMA Reporting Metrics were averaged independently to determine a domain's maturity calculation and to provide data points for the assessed program and function effectiveness. To give IGs additional flexibility and encourage evaluations based on agencies' risk tolerance and threat models, calculated averages were not automatically rounded to a particular maturity level. In determining maturity levels and the overall effectiveness of the agency's information security program, OMB strongly encouraged IGs to focus on the results of the Core IG FISMA Reporting Metrics, as these tie directly to Administration priorities and other high-risk areas. It was recommended that IGs use the calculated averages of the Supplemental IG FISMA Reporting Metrics as a data point to support their risk-based determination of overall program and function level effectiveness.

We utilized the FY 2023 IG FISMA Reporting Metrics guidance18 to form our conclusions for each Cybersecurity Framework domain, function, and the overall agency rating. Specifically, we focused on the calculated average of the Core IG FISMA Reporting Metrics. Additionally, we considered other data points, such as the calculated average of the Supplemental IG FISMA Reporting Metrics and progress made addressing outstanding prior year recommendations, to form our risk-based conclusion.

The scope of this performance audit was to assess the DNFSB's information security program and practices consistent with FISMA and reporting instructions issued by the OMB and the DHS for FY 2023. The scope also included assessing selected controls from NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, mapped to the FY 2023 IG FISMA Reporting Metrics, for the DNFSB GSS.

18 The FY 2023 IG FISMA Reporting Metrics provided the agency IG the discretion to determine the rating for each of the Cybersecurity Framework domains and functions and the overall agency rating based on the consideration of agency-specific factors and weaknesses noted during the FISMA audit. Using this approach, IGs may determine that a particular domain, function area, or agency's information security program is effective at a calculated maturity level lower than Level 4.

Table 5: Description of System Selected for Testing

System Name: DNFSB GSS
Description: The purpose of the system is to provide a common set of services (user authentication, file & print, backup, etc.) that support the mission of the agency as well as all applications operated by DNFSB. All of DNFSB's organizations (Office of the General Counsel (OGC), Office of the General Manager (OGM), Office of the Technical Director (OTD)), on-site contractors, as well as DNFSB members themselves are users of the system.

The audit also included an evaluation of whether the DNFSB took corrective action to address open recommendations from the FY 2022 FISMA audit,19 FY 2021 FISMA evaluation,20 FY 2020 FISMA evaluation,21 and FY 2019 FISMA evaluation.22 Audit fieldwork covered the DNFSB's headquarters located in Washington, D.C. from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.

Methodology

To determine if the DNFSB implemented an effective information security program, we conducted interviews with DNFSB officials and reviewed legal and regulatory requirements stipulated in FISMA. We also reviewed documents supporting the information security program. These documents included, but were not limited to, the DNFSB's (1) information security policies and procedures; (2) incident response policies and procedures; (3) access control procedures; (4) patch management procedures; (5) change control documentation; and (6) system generated account listings. Where appropriate, we compared documents, such as the DNFSB's IT policies and procedures, to requirements stipulated in NIST SPs. We also performed tests of system processes to determine the adequacy and effectiveness of those controls. Finally, we reviewed the status of FISMA prior year recommendations. See Appendix III for the status of prior year recommendations.

In addition, our work in support of the audit was guided by applicable DNFSB policies and Federal criteria, including, but not limited to, the following:

Government Auditing Standards (April 2021).

19 Audit of the DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022 (Report No. DNFSB-22-A-07, issued September 29, 2022).

20 Independent Evaluation of the DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (Report No. DNFSB-22-A-04, issued December 21, 2021).

21 Independent Evaluation of the DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report No. DNFSB-21-A-04, issued March 25, 2021).

22 Independent Evaluation of the DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019 (Report No. DNFSB-20-A-05, issued March 31, 2020).


Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021).

OMB Memorandum M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements (December 2, 2022).

OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021).

OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (September 14, 2022).

CISAs BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities.

FY 2023 IG FISMA Reporting Metrics (February 10, 2023).

NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for specification of security controls (December 10, 2020).

NIST SP 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations, for the assessment of security control effectiveness.

NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems (November 11, 2011).

NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, for the risk management framework controls (December 2018).

NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) (February 2014).

DNFSB's policies and procedures, including but not limited to:

o DNFSB GSS System Security Plan (SSP)
o DNFSB GSS Information System Contingency Plan (ISCP)
o DNFSB Directive D-411.2 Information Systems Security Program
o DNFSB GSS Continuous Monitoring Policies and Procedures Guide
o DNFSB Risk Management Framework Handbook
o DNFSB Risk Assessment Policy
o DNFSB Supply Chain Risk Management Strategic Plan
o DNFSB Operating Procedures OP-412.2-1 Vulnerability Management
o DNFSB Configuration Management Policy
o DNFSB Access Control Policy
o DNFSB Security Awareness Training Policy
o DNFSB Incident Response Process Guide Cyber Playbook
o DNFSB Contingency Planning Policy
o DNFSB Directive D-260.2 Privacy Program
o DNFSB System and Communications Protection Policy

We selected the DNFSB GSS information system from the total population of one DNFSB internal system for testing. The DNFSB GSS is categorized as a moderate impact system, based on NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. We tested the DNFSB GSS's selected security controls to support our responses to the FY 2023 IG FISMA Reporting Metrics.

In testing for the adequacy and effectiveness of the security controls, we exercised professional judgment in determining the number of items selected for testing and the method used to select them. We considered relative risk and the significance or criticality of the specific items in achieving the related control objective. In addition, the severity of a deficiency related to the control activity, and not the percentage of deficient items found compared to the total population available for review, was considered. In some cases, this resulted in selecting the entire population.


Appendix III
Defense Nuclear Facilities Safety Board FY 2023 Audit of the DNFSB's Implementation of the FISMA

STATUS OF PRIOR RECOMMENDATIONS

The table below summarizes the status of the open prior recommendations from the FY 2022 FISMA audit, FY 2021 FISMA evaluation, FY 2020 FISMA evaluation, and FY 2019 FISMA evaluation.23 At the time of testing and IG FISMA Reporting Metric submission, 35 of the 56 prior FISMA recommendations from the audit and evaluations referenced above remained open. On March 1, 2023, DNFSB issued a memo on the Status of DNFSB Open Audit Recommendations to the DNFSB Office of the Inspector General (OIG) demonstrating its progress on audit recommendation remediation. The Auditor's Position on Status is based on inspection of evidence received during fieldwork. A follow-up on the open recommendations recorded in this report will occur during the next audit cycle or via the OIG's status of recommendation process.

Each entry below gives the report number, the recommendation, DNFSB's status, and the auditor's position on status.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 1: Implement a process to ensure a security control assessment for the DNFSB General Support System (GSS) is completed and documented on an annual basis.
DNFSB's Status: This recommendation is resolved. DNFSB began an engagement in February 2023 and anticipates completing the external security assessment of the DNFSB GSS in Quarter 3 FY 2023.
Auditor's Position on Status: Open. At the time of our review, the security control assessment for the DNFSB GSS was not yet completed. Specifically, an annual security control assessment was not completed for FY 2021-2022 and was not completed for over nine months of FY 2023 (October 1, 2022, through June 30, 2023).

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 2: Implement a process to validate the DNFSB GSS security authorization is maintained in accordance with DNFSB policy.
DNFSB's Status: This recommendation is resolved. The DNFSB Risk Management Framework Handbook has been completed and approved. Implementation proof will consist of external validation of the system; DNFSB anticipates completing the external security assessment of the DNFSB GSS in Quarter 3 FY 2023.
Auditor's Position on Status: Open. The security authorization expired as of November 8, 2018, and was not maintained in accordance with DNFSB policy. At the time of our review, an external security assessment to receive an updated authorization was not yet completed.

23 See footnotes 19, 20, 21, and 22.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 3: Enforce existing DNFSB policy requirements to document security impact analyses, test plans, test results, and backout plan requirements for each change.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. For a sample of ten changes from the population of 67 changes from October 1, 2022, to February 13, 2023, no exceptions were noted related to the enforcement of existing DNFSB policy requirements to document security impact analyses, test plans, test results, and backout plan requirements for each change as applicable.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 4: Complete the implementation and consistent performance of monthly reviews to ensure security impact analyses, test plans, and backout plans are documented as required for each change.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. Quarterly reviews were implemented in place of the recommended monthly reviews; however, we verified that reviews to ensure change requirements are met were performed.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 5: Complete the implementation of the configuration management training program and provide periodic refreshers to ensure evidence requirements are captured for change tickets.
DNFSB's Status: DNFSB requests closure of this recommendation. DNFSB required all members of the IT team that are authorized to submit change request tickets to take remedial CCB and Change Request Training in August 2022 and then take an updated remedial training in December 2022 that addressed changes to the Change Control Board and Security Impact Analysis form process.
Auditor's Position on Status: Open. Specific evidence of a dedicated configuration management training program was not provided; however, we noted that change tickets sampled for testing were more consistent overall in compliance with policy requirements, and a quarterly requirement review was implemented to reinforce, monitor for, and remediate as needed any potential gaps in change policy compliance.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 6: Update the current change process, the Track-It! tool, or both to enforce segregation of duties controls for a requestor and an approver of a change (e.g., requiring a second approver signature for all non-emergency changes when the requester is eligible to be an approver).
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. For a sample of ten changes from the population of 67 changes from October 1, 2022, to February 13, 2023, we noted that all Track-It! tickets sampled for testing required multiple configuration control board approvers (i.e., three) to vote to approve a change.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 7: Create procedures for vulnerability and compliance management based on risk and level of effort involved to mitigate confirmed vulnerabilities, such as:
a. Prioritizing mitigation in accordance with requirements specified by CISA BOD 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, and Emergency Directives, as applicable.
b. Opening plans of action and milestones to track critical and high vulnerabilities that cannot be addressed within 30 days.
c. Preparing risk-based decisions in unusual circumstances when there is a technical or cost limitation making mitigation of a critical or high vulnerability infeasible, with documented, effective compensating controls coupled with a clear timeframe for planned remediation.
DNFSB's Status: DNFSB published OP 412.2-1, Vulnerability Management Operating Procedures, on 2/21/23. DNFSB considers Recommendation 2022-7 to be fully remediated. DNFSB requests closure of this Recommendation.
Auditor's Position on Status: Open. DNFSB continues not to remediate identified critical and high vulnerabilities within the timeframes required by DNFSB policy.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 8: Implement a solution to gradually automate, orchestrate, and centralize patching for each device.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. The OIG reviewed the update rings, iOS update and compliance policies, a report of the current compliance status of DNFSB iPhones, and an example of the email sent to users of non-compliant phones.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 9: Develop and implement a data consistency and quality plan or similar procedure to help test and monitor data accuracy and quality of information coming from their implementation of Continuous Diagnostics and Mitigation (CDM).
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. The OIG reviewed screenshots from Qualys, a Weekly Vulnerability Report, and emails from the DNFSB to CDM to remediate discrepancies between the Qualys data and the CDM dashboard data.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 10: We recommend DNFSB management document and implement system and information integrity and systems and communications protection policies and procedures in accordance with DNFSB policy.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. Inspected system and information integrity (SI) and systems and communications protection (SC) policies and noted that DNFSB documented and implemented them in accordance with DNFSB policy.

DNFSB-22-A-07, FY 2022 FISMA Audit
FY 2022 Recommendation 11: We recommend that DNFSB management documents and implements a process to validate that the DNFSB GSS Information System Contingency Plan (ISCP) is tested annually, and any issues discovered during the contingency plan test are remediated timely.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. Inspected the Contingency Planning Policy and noted that DNFSB management has documented requirements to test the ISCP annually with timely correction of any identified issues. Also verified that DNFSB management has created a new process for performing and documenting restoration testing of the DNFSB GSS ISCP.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 1: Update the Information Security Architecture (ISA) and use the updated ISA to:
a. Assess enterprise, business process, and information system level risks; and
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Open. Remains a work in progress. See DNFSB's estimated target completion date.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 2: Using the results of recommendation one above:
a. Utilizing guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization; and
c. Implement formal procedures for prioritizing and tracking Plans of Action and Milestones (POA&Ms) to remediate vulnerabilities.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Open. DNFSB has not completed addressing the related, dependent recommendation above. Also, see DNFSB's estimated target completion date.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 3: Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:
a. Defining a frequency for conducting Risk Assessments to periodically assess agency risks and integrate results of the assessment to improve upon mission and business processes.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Open. The DNFSB Risk Management Framework Handbook does not define a frequency for conducting Risk Assessments to periodically assess agency risks and integrate results of the assessment to improve upon mission and business processes. Note: The DNFSB Risk Assessment Policy approved 1/18/2023 documents a frequency; however, policy guidance on risk assessment performance is inconsistent and is not followed (i.e., no updated risk assessment or control assessment for the GSS).

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 4: Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:
a. How supply chain risks are to be managed across the agency;
b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored; and
c. How counterfeit components are prevented from entering the DNFSB supply chain.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Open. DNFSB did not define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for items a-c.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 5: Conduct remedial training to re-enforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Open. Although we noted an improvement in change documentation for our sampled changes, DNFSB did not provide evidence supporting the development and delivery of remedial training for all members of the IT staff to re-enforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 6: Integrate the Configuration Management Plan with risk management and continuous monitoring programs and utilize lessons learned to make improvements to this plan.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Closed. Inspected the DNFSB Risk Management Framework Handbook, DNFSB Risk Assessment Policy, and the DNFSB GSS Continuous Monitoring Policies and Procedures Guide to determine that aspects of configuration management (e.g., baseline compliance, patching, change control, etc.) are integrated with risk management and continuous monitoring programs.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 7: Implement automated mechanisms (e.g., machine-based or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
DNFSB's Status: DNFSB has procedures in place to automate the process of identifying privileged accounts that are inactive but wants to have a formal approval process for disabling or deleting privileged accounts; given the small number of privileged users at the DNFSB, this is an acceptable risk. DNFSB will request a risk acceptance for this recommendation by Quarter 3 FY 2023.
Auditor's Position on Status: Open. DNFSB will request a risk acceptance for this recommendation.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 8: Continue efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 3.
Auditor's Position on Status: Open. In the Status of Open Recommendations provided by DNFSB, noted that the IT team will continue to work with the Records Management staff in the Division of Operational Services to better define the data loss prevention policies in DNFSB's Office 365 tenant.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 9: Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal Identity, Credential, and Access Management (ICAM) architecture and Office of Management and Budget (OMB) Memorandum (M)-19-17, and phase 2 of DHS's CDM program.
DNFSB's Status: This recommendation remains open. Estimated target completion date: No estimated completion date available until CDM finalizes their ICAM service offerings.
Auditor's Position on Status: Open. Please refer to DNFSB's Status.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 10: Conduct the agency's annual breach response plan exercise for FY 2021.
DNFSB's Status: DNFSB requests closure of this recommendation. This recommendation has been overcome by current events (i.e., conducting the exercise for FY 2021).
Auditor's Position on Status: Open. However, evidence of a more recent breach response plan exercise was not provided. Also, inspected the incident response and contingency planning exercises completed and noted they did not include an evaluation of the breach response plan.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 11: Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Open. In reply to Status of Recommendations: Independent Evaluation of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 For Fiscal Year 2021 (DNFSB-22-A-04), DNFSB management stated: "In addition, dedicated Annual Privacy Act Training was given to all DNFSB users in August & September 2021 and is being given again in August & September of 2022." However, upon inspection of the training records provided, evidence of all DNFSB users completing Privacy Act Training was not provided, and specific role-based training was not called out either.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 12: Formally document requirements and procedures for completion of role-based training and enforcement methods for individuals who do not complete role-based training.
DNFSB's Status: DNFSB requests closure of this recommendation. DNFSB published its Security Awareness Training Policy in August 2022 that contains requirements for role-based training and enforcement actions for individuals that do not complete required role-based training.
Auditor's Position on Status: Closed. The Security Awareness Training Policy formally documents the requirements and procedures for completion of role-based training and enforcement methods for individuals that do not complete it.

DNFSB-22-A-04, FY 2021 FISMA Evaluation
FY 2021 Recommendation 13: Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
DNFSB's Status: This recommendation is resolved. DNFSB began an engagement in February 2023 and anticipates completing the external security assessment of the DNFSB GSS in Quarter 3 FY 2023.
Auditor's Position on Status: Open. Progress has been made in refining procedures, such as the DNFSB GSS Continuous Monitoring Policies and Procedures Guide, to support adoption of an ongoing authorization model. However, ongoing authorization of the DNFSB GSS is not yet in place. Specifically, the last traditional ATO lasted for three years from the date of signature, expiring November 8, 2018. Also, at the time of our review, an external security assessment to receive an updated authorization was not yet completed.

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 14: Update the DNFSB Information Security Continuous Monitoring (ISCM) policies and procedures clearly defining what needs to be monitored at the system and organization level.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB GSS Continuous Monitoring Policies and Procedures Guide and the DNFSB Risk Management Framework Handbook and noted that DNFSB has updated its policies and procedures to clearly define what needs to be monitored at the system and organization level.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 15: Define standard operating procedures for the use of the agency's continuous monitoring tools or update the continuous monitoring plan to include the use of new monitoring tools.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Inspected the DNFSB GSS Continuous Monitoring Policies and Procedures Guide to determine the use of the agency's continuous monitoring tools is documented.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 16: Defined the qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB GSS Continuous Monitoring Policies and Procedures Guide and noted that DNFSB has defined qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program in Appendix C Continuous Monitoring Reports.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 17: Define handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB Incident Response Process Guide Cyber Playbook and noted that DNFSB has defined handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 18: Consistently test the incident response plan annually.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: DNFSB tested the incident response plan through a tabletop exercise on May 24-25 and produced evidence of lessons learned in the Hotwash section of the exercise report.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 19: Update the Agency's incident response plan to reflect United States Computer Emergency Readiness Team (US-CERT) incident reporting guidelines.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB Incident Response Plan to determine DNFSB's process for analyzing, documenting, and reporting security incidents is based on US-CERT guidelines.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 20: Allocate and train staff with significant incident response responsibilities.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB GSS System Security Plan (SSP) Incident Response (IR)-2 Incident Response Training security control implementation details to determine: "Currently the DNFSB is reviewing incident response training options to select a fitting option. Once complete, this control will be implemented." Also inspected the DNFSB GSS Incident Response Plan and DNFSB Incident Response Process Guide Cyber Playbook to determine incident response training was not covered in detail.
Status: Open

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 21: Configure all incident response tools in place to be interoperable, can collect and retain relevant and meaningful data that is consistent with the incident response policy, plans and procedures.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the SIEM tool configuration and determined it is interoperable with other incident response tools in place.
Status: Closed

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 22: Develop and track metrics related to the performance of contingency planning and recovery related activities.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 3.
Auditor's Position on Status: Evidence supporting implementation of metrics related to performance of contingency planning and recovery related activities was not provided. Examples include:
- Establish qualitative or quantitative metrics/dashboards to ensure the effectiveness of the contingency planning (e.g., up-to-date business impact analysis with functional recovery exercise measuring whether established recovery point and time objectives were met).
- Evidence of use of performance metrics/dashboards.
- Evidence of verification and validation of data feeding the metrics/dashboard.
Status: Open

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 23: Conduct a business impact assessment within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 2.
Auditor's Position on Status: DNFSB has not conducted an annual Business Impact Assessment of its GSS. The last BIA was conducted in FY 2018.
Status: Open

Report No.: DNFSB-22-A-04, FY 2021 FISMA Evaluation
Recommendation: FY 2021 Recommendation 24: Implement role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 2.
Auditor's Position on Status: Although the DNFSB Contingency Planning Policy requires the provision of training and although testing was conducted during the audit period for two exercises, evidence of the implementation and completion of role-based training for individuals with significant contingency planning and disaster recovery related responsibilities was not provided.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 1: Define an ISA in accordance with the Federal Enterprise Architecture Framework.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Remains a work in progress. See DNFSB's estimated target completion date.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 2: Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;
c. Conduct an organization wide security and privacy risk assessment; and
d. Conduct a supply chain risk assessment.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Remains a work in progress. See DNFSB's estimated target completion date.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 3: Using the results of recommendations one (1) and two (2) above:
a. Collaborate with the DNFSB's Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;
b. Utilize guidance from the NIST SP 800-55 (Rev. 1) - Performance Measurement Guide for Information Security to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;
c. Implement a centralized view of risk across the organization; and
d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.
DNFSB's Status: This recommendation remains open. Estimated target completion date: FY 2023 Quarter 4.
Auditor's Position on Status: Remains a work in progress. See DNFSB's estimated target completion date.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 4: Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
DNFSB's Status: DNFSB requests closure of this recommendation. Only iPhones purchased through the Apple Business Manager program can be enrolled in Intune, so no unauthorized mobile hardware can connect to DNFSB's IT resources. Users cannot install unauthorized software on iPhones (all software must be approved and installed through Intune; users cannot access the Apple App Store).
Auditor's Position on Status: Evidence of detection of unauthorized hardware and of the capability to deny access to agency enterprise services when security and operating system updates have not been applied for mobile devices within a given period based on agency policy or guidance was not provided.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 5: Conduct remedial training to re-enforce requirements for documenting Change Control Boards (CCBs) approvals and security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.
DNFSB's Status: DNFSB requests closure of this recommendation. DNFSB required all members of the IT team that are authorized to submit change request tickets to take remedial CCB and Change Request Training in August 2022 and then take an updated remedial training in December 2022 that addressed changes to the Change Control Board and Security Impact Analysis form process.
Auditor's Position on Status: Although we noted an improvement in change documentation for our sampled changes, DNFSB did not provide evidence supporting the development and delivery of remedial training for all members of the IT staff to re-enforce requirements for documenting CCBs approvals and security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 6: Implement procedures and define roles for reviewing configuration change activities to the DNFSB's information system production environment by those with privileged access to verify the activity was approved by the system CCB and executed appropriately.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB Configuration Management Policy and determined it documents roles/responsibilities for reviewing configuration change activities and stipulates approvals required for each requested change. Also, for a sample of ten changes from the population of 67 changes from October 1, 2022, to February 13, 2023, noted that all sampled changes were approved by the CCB and executed as appropriate in accordance with the DNFSB Configuration Management Policy.
Status: Closed

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 7: Implement a technical capability to restrict new employees and contractors from being granted access to the DNFSB's systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Evidence supporting implementation of the technical capability restricting granting of access until after a non-disclosure agreement is signed and uploaded was not provided. Also, for a sample of six non-privileged users from the population of 17 created since October 1, 2022, we noted:
- For one new user, the agreements were signed after access was provisioned.
- For two of the new users, we were unable to verify when the agreements were signed as they did not include the date next to the wet signatures / were not digital signatures with a date/timestamp.
Status: Open
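The finding above (access provisioned before the NDA was signed, and undated wet signatures whose timing cannot be verified) is the kind of control test an auditor or identity engineer can script against an onboarding register. The following is an added example, not code from the audit report or from DNFSB: the records, user names and dates are constructed for illustration, and the `findings`, `audit` and `may_provision` functions are this example's own names. It shows the detective test over a sample population next to the preventive gate the recommendation asks for, where an NDA without a verifiable date is treated the same as no NDA at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class OnboardingRecord:
    """One row of a constructed onboarding register (not audit data).

    nda_signed is None when the agreement carries no date next to the
    signature, i.e. the case the auditors could not verify above.
    """
    user: str
    access_provisioned: date
    nda_signed: Optional[date]
    nda_uploaded: bool  # present in the centralized tracking system?


# Constructed sample population; comments give the expected classification.
SAMPLE_RECORDS = [
    OnboardingRecord("user-a", date(2022, 11, 3), date(2022, 11, 1), True),    # compliant
    OnboardingRecord("user-b", date(2022, 12, 12), date(2022, 12, 14), True),  # access before NDA
    OnboardingRecord("user-c", date(2023, 1, 9), None, True),                  # undated signature
    OnboardingRecord("user-d", date(2023, 2, 2), None, False),                 # undated, never uploaded
    OnboardingRecord("user-e", date(2023, 2, 20), date(2023, 2, 20), True),    # same day: accepted
    OnboardingRecord("user-f", date(2023, 3, 1), date(2023, 2, 27), False),    # signed, never uploaded
]


def findings(rec: OnboardingRecord) -> list:
    """Detective check: list every exception for one record (empty = compliant)."""
    issues = []
    if rec.nda_signed is None:
        # No verifiable date means we cannot show the NDA preceded access.
        issues.append("nda-date-unverifiable")
    elif rec.nda_signed > rec.access_provisioned:
        issues.append("access-before-nda")
    if not rec.nda_uploaded:
        issues.append("nda-not-uploaded")
    return issues


def audit(records) -> dict:
    """Summarise a population: compliant count plus the users behind each exception."""
    summary = {
        "population": len(records),
        "compliant": 0,
        "access-before-nda": [],
        "nda-date-unverifiable": [],
        "nda-not-uploaded": [],
    }
    for rec in records:
        issues = findings(rec)
        if not issues:
            summary["compliant"] += 1
        for issue in issues:
            summary[issue].append(rec.user)
    return summary


def may_provision(nda_signed: Optional[date], nda_uploaded: bool, today: date) -> bool:
    """Preventive gate: the capability the recommendation asks for.

    Access is granted only when a dated NDA exists, it has been uploaded to the
    tracking system, and the signature date is not in the future. A provisioning
    workflow would call this before creating the account.
    """
    return nda_signed is not None and nda_uploaded and nda_signed <= today


if __name__ == "__main__":
    for key, value in audit(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Running the block over the constructed register reports two compliant users, one user provisioned before signing, two users whose signature date cannot be verified, and two whose agreement was never uploaded; the same-day case is accepted because the register only resolves to the day.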

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 8: Implement the technical capability to require Personal Identity Verification (PIV) or Identification and Authentication Level of Assurance (IAL) 3 to all DNFSB privileged accounts.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected multifactor authentication configuration settings and determined that DNFSB has implemented strong authentication mechanisms to authenticate to applicable organizational systems and facilities, such as PIV and Windows Hello.
Status: Closed

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 9: Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
DNFSB's Status: DNFSB will request a risk acceptance for this recommendation by Quarter 3 FY 2023.
Auditor's Position on Status: DNFSB will request a risk acceptance for this recommendation.
Status: Open
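Recommendation 9 asks for automated disabling of temporary, emergency and inactive accounts. As an added example (not DNFSB's mechanism and not code from the report), the following Python sweep shows how such enforcement is usually expressed: each account type carries its own lifetime or inactivity threshold, an account that has never logged on is measured from its creation date rather than skipped, privileged accounts get a shorter inactivity window, and already-disabled accounts are left alone. The thresholds, account names and dates are assumptions constructed for the example, and `disable_reason` and `sweep` are this example's own names; a real deployment would feed the result to the directory's disable call and to the audit log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy thresholds: assumptions chosen for this example, not DNFSB values.
TEMPORARY_MAX_AGE = timedelta(days=30)          # temporary accounts expire after 30 days
EMERGENCY_MAX_AGE = timedelta(hours=24)         # break-glass accounts expire after 24 hours
INACTIVITY_LIMIT = timedelta(days=90)           # regular accounts: 90 days without logon
PRIVILEGED_INACTIVITY_LIMIT = timedelta(days=30)  # privileged accounts: 30 days without logon


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                       # "regular", "temporary" or "emergency"
    privileged: bool
    created: datetime
    last_logon: Optional[datetime]  # None = never logged on
    enabled: bool = True


def disable_reason(acct: Account, now: datetime) -> Optional[str]:
    """Return why the account should be disabled now, or None to leave it enabled."""
    if not acct.enabled:
        return None  # already disabled; nothing to enforce
    age = now - acct.created
    if acct.kind == "temporary" and age > TEMPORARY_MAX_AGE:
        return "temporary-account-expired"
    if acct.kind == "emergency" and age > EMERGENCY_MAX_AGE:
        return "emergency-account-expired"
    # Inactivity applies to every kind; a never-used account counts from creation.
    limit = PRIVILEGED_INACTIVITY_LIMIT if acct.privileged else INACTIVITY_LIMIT
    last_activity = acct.last_logon if acct.last_logon is not None else acct.created
    if now - last_activity > limit:
        return "inactive"
    return None


def sweep(accounts, now: datetime) -> dict:
    """Map each account that must be disabled to the reason; others are omitted."""
    actions = {}
    for acct in accounts:
        reason = disable_reason(acct, now)
        if reason is not None:
            actions[acct.name] = reason
    return actions


# Constructed sample directory extract (not real accounts).
NOW = datetime(2023, 6, 30, 12, 0)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "regular", True, datetime(2022, 1, 1), datetime(2023, 4, 15)),     # 76 days idle, privileged
    Account("jdoe", "regular", False, datetime(2021, 5, 10), datetime(2023, 6, 1)),          # active
    Account("tmp-contractor", "temporary", False, datetime(2023, 5, 1), datetime(2023, 6, 29)),  # 60 days old
    Account("breakglass-1", "emergency", True, datetime(2023, 6, 29, 10, 0), datetime(2023, 6, 29, 10, 5)),  # 26 h old
    Account("newhire", "regular", False, datetime(2023, 2, 1), None),                       # never logged on, 149 days
    Account("old-disabled", "regular", False, datetime(2020, 1, 1), None, enabled=False),   # skipped
    Account("admin-ops", "regular", True, datetime(2022, 3, 3), datetime(2023, 6, 20)),     # 10 days idle
]

if __name__ == "__main__":
    for name, reason in sweep(SAMPLE_ACCOUNTS, NOW).items():
        print(f"disable {name}: {reason}")
```

The order of the checks matters: a temporary or emergency account that has outlived its lifetime is reported for that reason even if it was used recently, which is the behaviour these account types need, while the inactivity rule is the fallback that catches forgotten regular accounts.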

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 10: Continue efforts to develop and implement role-based privacy training.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Upon inspection of the training records provided, evidence of all DNFSB users completing Privacy Act Training was not provided and specific role-based privacy training was not called out either.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 11: Conduct the agency's annual breach response plan exercise for FY 2021.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the incident response and contingency planning exercises completed and noted they did not include an evaluation of the breach response plan.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 12: Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Progress has been made in refining procedures such as the DNFSB GSS Continuous Monitoring Policies and Procedures Guide to support adoption of an ongoing authorization model. However, ongoing authorization of the DNFSB GSS is not yet in place. Specifically, the last traditional ATO lasted for three years from the date of signature, expiring November 8, 2018. Also, at the time of our review, an external security assessment to receive an updated authorization was not yet completed.
Status: Open

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 13: Update the DNFSB's incident response plan to include profiling techniques for identifying incidents and strategies to contain all types of major incidents.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB Incident Response Process Guide Cyber Playbook and determined it includes profiling techniques for incident identification and strategies for containing them.
Status: Closed

Report No.: DNFSB-21-A-04, FY 2020 FISMA Evaluation
Recommendation: FY 2020 Recommendation 14: Based on the results of the DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update the DNFSB's contingency planning policies and procedures to address Information and Communications Technology (ICT) supply chain risk.
DNFSB's Status: This recommendation remains open. Estimated target completion date: Quarter 4 FY 2023.
Auditor's Position on Status: ICT supply chain risk was not addressed in DNFSB's contingency planning policies and procedures, Supply Chain Risk Management Strategic Plan or in the DNFSB GSS SSP.
Status: Open

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 3: Using the results of recommendations one (1) and two (2) above:
a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components; Cybersecurity Team exports metrics and vulnerability reports and sends them to the Chief Information Security Officer (CISO) and Chief Information Officer (CIO)'s Office monthly for review. Develop a centralized dashboard that Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: DNFSB has not completed the recommended items. See respective conclusions documented in FY 2021 Recommendation 2 and FY 2020 Recommendation 3 above. As noted in those related prior year recommendations, the DNFSB anticipates completing these tasks by Quarter 4 FY 2023.
Status: Open

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 5: Management should re-enforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.
DNFSB's Status: DNFSB requests closure of this recommendation. DNFSB required all members of the IT team that are authorized to submit change request tickets to take remedial CCB and Change Request Training in August 2022 and then take an updated remedial training in December 2022 that addressed changes to the Change Control Board and Security Impact Analysis form process. DNFSB's User Agreement/Rules of Behavior form that all users are required to sign includes the language "I understand that non-compliance with the DNFSB's directives and policies may be cause for disciplinary action up to and including system privilege revocation, dismissal from the DNFSB or removal from contract, and criminal and/or civil penalties."
Auditor's Position on Status: Neither the DNFSB Configuration Management Policy nor the DNFSB GSS SSP security control implementation details for Configuration Management (CM) family controls define consequences for not adhering to change control requirements or reflect details about conduct of remedial training as necessary for change control requirement reinforcement. Additionally, DNFSB did not provide evidence supporting the completion of configuration management training.
Status: Open

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 7: Complete and document a risk-based justification for not implementing an automated solution (e.g., Splunk) to help maintain an up-to-date, complete, accurate, and readily available view of the security configurations for all information system components connected to the organization's network.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected evidence supporting the implementation of a suite of automated solutions and determined that a view of security configurations for information system components connected to DNFSB's network is now in place.
Status: Closed

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 8: Continue efforts to meet milestones of the DNFSB ICAM Strategy necessary for fully transitioning to DNFSB's "to-be" ICAM architecture.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: DNFSB has continued efforts to meet milestones in its ICAM strategy and has begun the effort to adopt zero trust architecture as it transitions towards its to-be architecture.
Status: Open

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 9: Complete current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Progress has been made in refining procedures such as the DNFSB GSS Continuous Monitoring Policies and Procedures Guide to support adoption of an ongoing authorization model. However, ongoing authorization of the DNFSB GSS is not yet in place. Specifically, the last traditional ATO lasted for three years from the date of signature, expiring November 8, 2018. Also, at the time of our review, an external security assessment to receive an updated authorization was not yet completed.
Status: Open

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 10: Identify and fully define requirements for the incident response technologies DNFSB plans to utilize in the specified areas and how these technologies respond to detected threats (e.g., cross-site scripting, phishing attempts, etc.).
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: Inspected the DNFSB Incident Response Process Guide Cyber Playbook and determined requirements for incident response technologies are specified in conjunction with how they will be used to respond to detected threats.
Status: Closed

Report No.: DNFSB-20-A-05, FY 2019 FISMA Evaluation
Recommendation: FY 2019 Recommendation 11: Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address ICT supply chain risk.
DNFSB's Status: DNFSB requests closure of this recommendation.
Auditor's Position on Status: ICT supply chain risk was not addressed in DNFSB's contingency planning policies and procedures, Supply Chain Risk Management Strategic Plan or in the DNFSB GSS SSP.
Status: Open

Appendix IV: Defense Nuclear Facilities Safety Board, FY 2023 Audit of the DNFSB's Implementation of the FISMA. DNFSB's Management Comments