ML23275A136

OIG-20-A-06 Status of Recommendations: Independent Evaluation of the Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019, Dated October 2, 2023
Person / Time
Issue date: 10/02/2023
From: Virkar H, NRC/OIG/AIGA
To: Dan Dorman, NRC/EDO
References: OIG-20-A-06
Text

MEMORANDUM

DATE: October 2, 2023

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (OIG-20-A-06)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED JULY 25, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated July 25, 2023. Based on this response, recommendation 2.a is closed. Recommendations 2.c-f and 4-7 are in open and resolved status. Recommendations 1, 2.b, and 3 were closed previously.

Please provide an update on the status of the open and resolved recommendations by April 1, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: M. Bailey, AO; M. Meyer, DAO; J. Jolicoeur, OEDO; OIG Liaison Resource; EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Evaluation Report: INDEPENDENT EVALUATION OF THE NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019, Status of Recommendations (OIG-20-A-06)

Recommendation 2.a: Use the fully defined ISA to assess enterprise, business process, and information system level risks.

Agency Response Dated July 25, 2023: The U.S. Nuclear Regulatory Commission (NRC) completed its assessment of its risks at the enterprise, business process, and information system levels. This assessment used the fully defined information security architecture (ISA) and was executed in conjunction with the NRC's recent conversion from a three-tier to a five-tier risk model. This is consistent with the NRC's response to OIG-21-A-05, recommendation 2.a, in March 2023.

Target Completion Date: The NRC recommends closure.

OIG Analysis: In April 2023, the OIG reviewed the NRC's Information Security Architecture and determined the assessment satisfied the recommendation. This recommendation is closed.

Status: Closed.

Recommendation 2.c: Use the fully defined ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response Dated July 25, 2023: The NRC has transitioned 11 of its 15 information systems to National Institute of Standards and Technology SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020. The transition of the remaining 4 systems to Revision 5 is expected to be completed in fourth quarter (Q4) of fiscal year (FY) 2024. Therefore, the NRC requests a new target completion date of FY 2024 Q4.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC transitions the remaining 4 systems to the National Institute of Standards and Technology SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 2.d: Use the fully defined ISA to conduct an organization-wide security and privacy risk assessment.

Agency Response Dated July 25, 2023: The NRC used its fully defined ISA to conduct an organization-wide security risk assessment, as well as an assessment of privacy risks. Due to resource constraints, the organization-wide security risk assessment covers one-third of the ISA every year. The remaining two-thirds of the organization-wide security risk assessment will be completed in the fourth quarter (Q4) of FY 2024.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC completes the remaining two-thirds of the organization-wide security risk assessment. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 2.e: Use the fully defined ISA to conduct a supply chain risk assessment.

Agency Response Dated July 25, 2023: The NRC is in the process of using its fully defined ISA to conduct a supply chain risk assessment. The NRC requests a new target completion date of FY 2024, third quarter (Q3).

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the agency uses the fully defined ISA to conduct a supply chain risk assessment. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 2.f: Use the fully defined ISA to identify and update NRC risk management policies, procedures, and strategy.

Agency Response Dated July 25, 2023: Based on the fully defined ISA, the NRC evaluated its cybersecurity policy and risk management strategy and determined that no updates were required. Because of competing priorities, the NRC requests a new target completion date of FY 2024, first quarter (Q1), to complete its update of agency cybersecurity processes.

Target Completion Date: FY 2024, Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC completes its update of agency cybersecurity processes. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 4: Perform an assessment of role-based privacy training gaps.

Agency Response Dated July 25, 2023: The NRC will perform an assessment of role-based privacy training gaps. This assessment will identify NRC employees and contract personnel who have roles that require specific privacy training. Because of resource priorities, the NRC is requesting a new target completion date of FY 2024, second quarter (Q2).

Target Completion Date: FY 2024, Q2

OIG Analysis: The proposed action meets the intent of the recommendation. The OIG will close this recommendation when the agency provides an assessment of role-based privacy training gaps. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 5: Identify individuals having specialized role-based responsibilities for PII or activities involving PII and develop role-based privacy training for them.

Agency Response Dated July 25, 2023: Based on the results of the assessment referenced in recommendation 4, the NRC will update and develop annual role-based privacy training. The assessment is scheduled to be completed in Q2 of FY 2024. The agency plans to complete the associated training development and implementation by FY 2025, Q1.

Target Completion Date: FY 2025, Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC identifies individuals having specialized role-based responsibilities for PII and develops role-based privacy training for them. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 6: Based on the NRC's supply chain risk assessment results, complete updates to the NRC's contingency planning policies and procedures to address supply chain risk training for them.

Agency Response Dated July 25, 2023: The NRC estimates that the agency will need 6 months to complete this task. Because this task is dependent on the completion of recommendation 2.e, the NRC's new target date for completion is FY 2025, Q1.

Target Completion Date: FY 2025, Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC uses the results from the supply chain risk assessment to complete updates to the NRC's contingency planning policies and procedures to address supply chain risk. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.

Recommendation 7: Continue efforts to conduct agency and system level business impact assessments to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Agency Response Dated July 25, 2023: The NRC will evaluate the finalized ISA and the agency's contingency planning requirements to determine the impact and related necessary updates to policies and procedures.

Due to limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion for FY 2024, Q4.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation when the NRC evaluates the finalized ISA and the agency's contingency planning requirements to determine the system level impacts and updates the related policies and procedures. Therefore, this recommendation remains open and resolved.

Status: Open: Resolved.