ML23310A179

OIG-22-A-04 Status of Recommendations: Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated: November 6, 2023
Issue date: 11/06/2023
From: Virkar H, NRC/OIG/AIGI, OIG Watch
To: Dan Dorman, NRC/EDO
References: OIG-22-A-04



MEMORANDUM

DATE: November 6, 2023

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (OIG-22-A-04)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED JULY 26, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated July 26, 2023. Based on this response, recommendation 1 is closed and recommendations 2 through 4, 6 through 9, 11 through 14, and 16 through 18 remain in open and resolved status.

Recommendations 5, 10, and 15 were closed previously. Please provide an updated status of the open, resolved recommendations by January 26, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: M. Bailey, OEDO; M. Meyer, OEDO; J. Jolicoeur, OEDO; OIG Liaison Resource; EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Evaluation Report: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (OIG-22-A-04)

Recommendation 1: Reconcile mission priorities and cybersecurity requirements into profiles to inform the prioritization and tailoring of controls (e.g., HVA control overlays) to support the risk-based allocation of resources to protect the NRC's identified Agency level and/or National level HVAs.

Agency Response Dated July 26, 2023: The NRC has implemented a control tailoring process that incorporated mission priorities and cybersecurity requirements. The tailoring process is used by all assessors when selecting controls to assess agency HVA systems. In addition, the NRC has prioritized specific, "core" controls that are used when assessing HVA systems. Finally, the agency employs an automated system, Risk and Continuous Authorization Tracking System (RCATS), to support its control prioritization efforts by prioritizing POA&Ms associated with controls.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed Computer Security Process CSO-PROS-7002, Security Control Tailoring Process, revision 1.4, effective March 9, 2023, and Computer Security Process CSO-PROS-2109, Cybersecurity Assessment IT Component and Control Selection Process, revision 2.0, effective October 1, 2023. These documents demonstrate that the NRC has implemented a control tailoring process that incorporates mission priorities and cybersecurity requirements to support the risk-based allocation of resources to protect the NRC's identified Agency level and/or National level HVAs. This recommendation is closed.

Status: Closed.


Recommendation 2: Continue the Agency's current efforts to update the Agency's cybersecurity risk register to (i) aggregate security risks, (ii) normalize cybersecurity risk information across organizational units, and (iii) prioritize operational risk response.

Agency Response Dated July 26, 2023: In order to continue to aggregate security risks, normalize cybersecurity risk information across organizational units, and prioritize operational risk responses, the NRC is implementing a centralized and automated application that will aggregate cybersecurity plan of action and milestone (POA&M) risks for all Federal Information Security Modernization Act of 2014 systems, including the agency's programmatic cybersecurity POA&Ms. The application will also prioritize cybersecurity POA&M risks across organizational units.

Target Completion Date: FY 2024, Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements a centralized and automated application that aggregates cybersecurity POA&M risks for all FISMA systems and prioritizes them across organizational units.

Status: Open: Resolved.


Recommendation 3: Update procedures to include assessing the impacts to the organization's ISA prior to introducing new information systems or major system changes into the Agency's environment.

Agency Response Dated July 26, 2023: When new information systems and major system changes are introduced into the environment, an assessment is conducted to ensure that the new system or major change meets the requirements of the agency's cybersecurity and privacy programs. The introduction of new systems or major changes does not impact the information system architecture (ISA). Therefore, the NRC recommends closure of this item.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: This recommendation relates to the IG FISMA Reporting Metrics Question 6, "To what extent does the organization use an information security architecture to provide a disciplined and structured methodology for managing risk, including risk from the organization's supply chain?" To meet the "Consistently Implemented" maturity level, "System security engineering principles are followed and include assessing the impacts to the organization's information security architecture prior to introducing information system changes into the organization's environment."

Accordingly, OIG will close this recommendation when the agency provides a copy of the updated procedures that include how to assess the impacts to the agency's ISA prior to introducing new information systems or major system changes to the agency's environment.

Status: Open: Resolved.


Recommendation 4: Develop and implement procedures in the POA&M process to include mechanisms for prioritizing completion and incorporating this as part of documenting a justification and approval for delayed POA&Ms.

Agency Response Dated July 26, 2023: The NRC assesses the criticality of POA&Ms according to CSO-PROS-2030, NRC Risk Management Framework (RMF) Process, issued June 14, 2023, specifically step 5.

The NRC employs RCATS to manage the status and assignment of POA&Ms. RCATS uses the criticality of each POA&M, along with other factors such as age and association with high value assets, for prioritization. The agency continuously tracks and prioritizes all POA&Ms and does not explicitly delay the mitigation of any POA&Ms. POA&Ms that are not mitigated by their scheduled completion date continue to be tracked, prioritized, and mitigated when appropriate. To date, 13 out of 15 FISMA systems have been migrated to RCATS for POA&M management. The NRC expects to migrate the remaining two systems to RCATS by FY 2023, third quarter (Q3).

Target Completion Date: FY 2024, Q1

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC migrates the remaining two FISMA systems to RCATS for POA&M management.

Status: Open: Resolved.


Recommendation 6: Document and implement policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.

Agency Response Dated July 26, 2023: The NRC has developed two draft computer security processes in CSO-PROS-0008 Process to Assess, Respond, and Monitor ICT Supply Chain Risks and CSO-PROS-0007 Process to Use SCR Investigation Service to Determine Information and Communications Technology (ICT) Supply Chain Risk Associated with an Offeror, issued August 8, 2022, that are currently being utilized to determine the supply chain risk associated with an ICT product or service and perform appropriate responsive actions and monitor the risk over time. NRC will finalize the processes once a sufficient number of assessments are performed to determine the effectiveness of the evaluations. The NRC is requesting a new target completion date of FY 2024, Q3 to allow for a sufficient number of assessments to be performed.

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC performs a sufficient number of assessments to determine the effectiveness of the evaluations.

Status: Open: Resolved.


Recommendation 7: Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Agency Response Dated July 26, 2023: The tools and technologies required for automated scanning and detection of counterfeit information technology (IT) assets in the NRC's environment are not available. However, in April 2021, the NRC developed CSO-PROS-0006, Counterfeit and Compromised ICT Product Detection Process, to ensure that counterfeit products are detected before being added to the NRC's environment. In addition, Section 6, After Acceptance, of CSO-PROS-0006 outlines the requirement for automated scanning and detection and will be updated when the associated tools and technologies are available industrywide. In the rare instances when physical IT components are awaiting repair, those components are maintained and managed in NRC-controlled physical space. The appropriate NRC staff generally vet any third-party service personnel and replacement parts. The NRC plans to update CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts to detect counterfeit parts and other components from being added to its environment. The NRC recommends closure of this item.

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC updates CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts so that counterfeit parts and other components are detected before they are added to its environment.

Status: Open: Resolved.


Recommendation 8: Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Agency Response Dated July 26, 2023: Pursuant to the Supply Chain Security Training Act of 2021, Pub. L. 117-145, GSA is required to develop training for federal officials with supply chain risk management responsibilities. NRC will leverage this training, which will be implemented by OMB, when it becomes available. The NRC requests a new target completion date of FY 2024 Q4.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC begins leveraging the GSA training implemented by OMB.

Status: Open: Resolved.


Recommendation 11: Update user system access control procedures to include the requirement for individuals to complete non-disclosure and rules of behavior agreements prior to being granted access to NRC systems and information.

Agency Response Dated July 26, 2023: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency's systems and information. The clearance waiver process is wholly contained within the NRC's onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance.

Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC's Form 176A, Security Acknowledgment. Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of FY 2024, Q3.

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements an updated version of the NRC's Form 176A, Security Acknowledgment.

Status: Open: Resolved.


Recommendation 12: Conduct an independent review or assessment of the NRC privacy program and use the results of these reviews to periodically update the privacy program.

Agency Response Dated July 26, 2023: The NRC will conduct an in-depth, independent assessment of the agency's privacy program. Using the results of the assessment, the NRC will periodically update the privacy program. Because of resource priorities, the NRC is requesting a new target completion date of FY 2024, Q3.

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC conducts an in-depth, independent assessment of the agency's privacy program and uses the results to periodically update the privacy program.

Status: Open: Resolved.


Recommendation 13: Implement the technical capability to restrict access or not allow access to the NRC's systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implement the technical capability to capture NRC employees' and contractors' initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.

Agency Response Dated July 26, 2023: The creation of a separate, secure system to perform this security awareness and role-based training activity is not deemed cost effective since it would require the duplication of existing hardware, software, and support services and it would redirect staff from other network operations and maintenance tasks that could cause security and operational issues to the main network and reduce the NRC's ability to provide mission-focused services. The NRC estimates that this would increase costs across the Information Technology/Information Management Business Line, including hardware, software, operational maintenance, and NRC staff and contractual support resources, by nearly $1 million annually. In addition, this estimated cost does not include any changes that would be required by the Office of the Chief Human Capital Officer for its training system or resources. Instead, the NRC plans to add streamlined security training that contains the Rules of Behavior but does not contain sensitive information to its onboarding process, which occurs before employees and contractors gain access to the NRC network. The agency will also strengthen its post-onboarding process to ensure that new employees and contractors complete all required security awareness and role-based training, including acknowledging the Rules of Behavior, within the required timeframe. These changes, along with the personnel security processing that occurs prior to onboarding, make this a low risk to NRC systems.

Based on this analysis, the NRC requests that this recommendation be closed.

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC adds streamlined security training that contains the Rules of Behavior but does not contain sensitive information to its onboarding process, before employees and contractors gain access to the NRC network; and the agency provides documentation to show it has strengthened its post-onboarding process to ensure that new employees and contractors complete all required security awareness and role-based training, including acknowledging the Rules of Behavior, within the required timeframe.

Status: Open: Resolved.


Recommendation 14: Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Agency Response Dated July 26, 2023: The Office of the Chief Information Officer (OCIO) will analyze the agency's security awareness and role-based training records to better inform its response to this recommendation. OCIO staff will also consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

To perform this analysis and develop a solution, the NRC requests a new target completion date of FY 2024, third quarter (Q3).

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC performs an analysis and develops a solution to implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Status: Open: Resolved.


Recommendation 16: Conduct an organizational level Business Impact Assessment (BIA) to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Agency Response Dated July 26, 2023: The NRC will conduct an organization-level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission essential functions and HVAs, and update contingency planning policies and procedures accordingly. Due to limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024, Q3.

Target Completion Date: FY 2024, Q3

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC conducts an organizational level BIA to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and updates contingency planning policies and procedures accordingly.

Status: Open: Resolved.


Recommendation 17: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Agency Response Dated July 26, 2023: The NRC will integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC integrates metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans.

Status: Open: Resolved.


Recommendation 18: Update and implement procedures to coordinate contingency plan testing with ICT supply chain providers.

Agency Response Dated July 26, 2023: The NRC is assessing approaches to implement procedures to coordinate contingency plan testing with ICT supply chain providers. Due to limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024, Q4.

Target Completion Date: FY 2024, Q4

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC updates and implements procedures to coordinate contingency plan testing with ICT supply chain providers.

Status: Open: Resolved.
