ML23324A354

OIG-23-A-10 Status of Recommendations - Audit of the U.S. NRCs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023, Dated, November 20, 2023
Person / Time
Issue date: 11/20/2023
From: Virkar H
NRC/OIG/AIGA
To: Dan Dorman
NRC/EDO
References
OIG-23-A-10


Text

MEMORANDUM

DATE: November 20, 2023

TO: Daniel H. Dorman
Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (OIG-23-A-10)

REFERENCE: DEPUTY EXECUTIVE DIRECTOR FOR MATERIALS, WASTE, RESEARCH, STATE, TRIBAL, COMPLIANCE, ADMINISTRATION, AND HUMAN CAPITAL PROGRAMS, OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS, MEMORANDUM DATED OCTOBER 30, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated October 30, 2023. Based on this response, recommendation 2 is now closed, and recommendations 1 and 3 remain open and resolved. Please provide an updated status of the open, resolved recommendations by June 14, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment: As stated

cc: M. Bailey, AO
M. Meyer, DAO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Audit Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023
Status of Recommendations (OIG-23-A-10)

Recommendation 1: We recommend that NRC management reviews all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.

Agency Response Dated October 30, 2023: The U.S. Nuclear Regulatory Commission (NRC) employs its Risk and Continuous Authorization Tracking System (RCATS) to manage the status, assignment, and accuracy of plan of action and milestones (POA&Ms). POA&M information in RCATS is regularly examined by an automated data integrity application named the POA&M Management Status Report that performs multiple validation algorithms to identify incorrect or inconsistent POA&M information. NRC personnel take corrective actions based on the results of the report. To further address this recommendation, the NRC plans to enhance RCATS to ensure that if corrective actions have not been taken by the scheduled completion date, then the POA&M is examined, and based on that examination, a revised scheduled completion date is established. To date, 13 out of 15 systems covered by the Federal Information Security Modernization Act of 2014 have been migrated to RCATS for active POA&M management. To allow time for the NRC to transition the active management of the remaining two systems to RCATS and to develop and implement the required enhancements, the NRC's target completion date is the fourth quarter (Q4) of fiscal year (FY) 2024.

Target Completion Date: FY 2024, Q4

OIG Analysis: The actions described in the staff response meet the intent of this recommendation. The OIG will close this recommendation after confirmation that NRC management reviews all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates, and confirmation that all 15 systems have migrated to RCATS for active POA&M management. This recommendation remains open and resolved.

Status: Open: Resolved.
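The agency response above describes an automated report that validates POA&M records and a planned enhancement that forces re-examination and a revised date once a scheduled completion date slips. The memo does not reproduce RCATS or the rules of the POA&M Management Status Report, so the following is an added illustration, not NRC code: a PowerShell validator that applies the two conditions the memo does state (status detail must be present and specific; an overdue open item must have been reviewed and given a later revised date) to a POA&M export. The column names, the allowed status values, the 40-character detail threshold and the sample records are this example's assumptions.

```powershell
# Added example for Recommendation 1. Not RCATS and not the NRC's POA&M Management Status
# Report; column names, status vocabulary and thresholds are assumptions for this illustration.

function Test-PoamRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record,
        [datetime] $AsOf = (Get-Date),
        [int] $MinStatusDetailLength = 40   # assumed floor for a "detailed" status narrative
    )
    begin {
        $openStates   = @('Open', 'In Progress', 'Delayed')
        $closedStates = @('Completed', 'Risk Accepted')
    }
    process {
        $issues = [System.Collections.Generic.List[string]]::new()

        # Parse an optional date column; a value that is present but unparseable is itself a finding.
        $parse = {
            param($name)
            $raw = "$($Record.$name)".Trim()
            if (-not $raw) { return $null }
            $d = [datetime]::MinValue
            if ([datetime]::TryParse($raw, [ref]$d)) { return $d }
            $issues.Add("$name '$raw' is not a valid date")
            return $null
        }

        $status    = "$($Record.Status)".Trim()
        $detail    = "$($Record.StatusDetail)".Trim()
        $scheduled = & $parse 'ScheduledCompletion'
        $revised   = & $parse 'RevisedCompletion'
        $completed = & $parse 'CompletionDate'
        $reviewed  = & $parse 'LastReviewed'

        # Accuracy checks: controlled status vocabulary and a real status narrative.
        if ($status -notin ($openStates + $closedStates)) { $issues.Add("Status '$status' is not an allowed value") }
        if ($detail.Length -lt $MinStatusDetailLength -or $detail -match '^(TBD|N/?A|pending)$') {
            $issues.Add('StatusDetail is missing or too thin to describe the corrective action')
        }
        if (-not $scheduled) { $issues.Add('ScheduledCompletion is missing') }

        if ($status -in $closedStates) {
            if (-not $completed)           { $issues.Add("Status is '$status' but CompletionDate is empty") }
            elseif ($completed -gt $AsOf)  { $issues.Add('CompletionDate is in the future') }
        }
        elseif ($scheduled -and $scheduled -lt $AsOf) {
            # Overdue and still open: the item must have been re-examined after the schedule
            # passed and carry a revised completion date (the condition the memo describes).
            if (-not $revised) { $issues.Add('Overdue with no RevisedCompletion date') }
            if (-not $reviewed -or $reviewed -lt $scheduled) {
                $issues.Add('Overdue item has not been reviewed since its scheduled date passed')
            }
        }
        # A revised date that is not later than the original schedule is inconsistent whether or not the item is overdue.
        if ($revised -and $scheduled -and $revised -le $scheduled) {
            $issues.Add('RevisedCompletion is not later than ScheduledCompletion')
        }

        [pscustomobject]@{
            PoamId = $Record.PoamId
            Valid  = ($issues.Count -eq 0)
            Issues = $issues.ToArray()
        }
    }
}

# Constructed sample export (not NRC data) exercising a clean item, a stale overdue item and a
# closed item with an inconsistent record.
$asOf   = Get-Date '2023-11-20'
$sample = @(
    [pscustomobject]@{ PoamId='POAM-001'; Status='In Progress'; StatusDetail='Patch deployment 60% complete; remaining hosts scheduled for the next change window.'; ScheduledCompletion='2024-03-31'; RevisedCompletion=''; CompletionDate=''; LastReviewed='2023-11-01' }
    [pscustomobject]@{ PoamId='POAM-002'; Status='Open';        StatusDetail='TBD';                                                                                      ScheduledCompletion='2023-06-30'; RevisedCompletion=''; CompletionDate=''; LastReviewed='2023-05-15' }
    [pscustomobject]@{ PoamId='POAM-003'; Status='Completed';   StatusDetail='MFA enforced on all remaining administrative consoles; verified by configuration scan.';  ScheduledCompletion='2023-09-30'; RevisedCompletion=''; CompletionDate=''; LastReviewed='2023-10-02' }
)

$sample | Test-PoamRecord -AsOf $asOf | Where-Object { -not $_.Valid } | Format-List
```

Run against a real export with `Import-Csv .\poam-export.csv | Test-PoamRecord`. On the constructed sample, POAM-001 passes, POAM-002 is flagged for its placeholder narrative, the missing revised date and the lack of a post-schedule review, and POAM-003 is flagged for being marked Completed without a completion date. Each rule maps to a field a reviewer would otherwise have to eyeball, which is the point of automating the data-integrity pass the memo describes.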

Recommendation 2: We recommend NRC management implement a revised ITI Core Services 90-day account disablement script to ensure all non-privileged and privileged Active Directory accounts are captured and disabled in accordance with NRC policies.

Agency Response Dated October 30, 2023: The NRC is pleased to report that the NRC Information Technology Infrastructure (ITI) Core Services account disablement script has been updated and is now configured to ensure that all non-privileged and privileged Active Directory accounts are captured and disabled in accordance with NRC policies.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The actions described in the staff response meet the intent of this recommendation. Based on supporting information, this recommendation is now closed.

Status: Closed.

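Recommendation 2 turns on the disablement script covering the whole account population, privileged accounts included. The memo does not reproduce the NRC's ITI Core Services script, so the following is an added illustration of the property the recommendation asks for, written as a defender's inactivity job rather than the agency's code. Its assumptions: the ActiveDirectory module is available; the 90-day threshold is taken from the recommendation text; "privileged" is approximated by `adminCount=1` or recursive membership in the listed admin groups; exclusions are an explicit, logged allow-list rather than an OU or attribute filter, which is the usual way accounts go uncaptured.

```powershell
#Requires -Modules ActiveDirectory
# Added example for Recommendation 2 (not the NRC ITI Core Services script). Assumptions: 90-day
# threshold from the recommendation wording; privilege approximated by adminCount=1 or recursive
# membership in $PrivilegedGroups; exclusions kept to an explicit allow-list.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]      $InactiveDays            = 90,
    [string[]] $PrivilegedGroups        = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'),
    [string[]] $ExcludeSamAccountNames  = @('krbtgt'),
    [string]   $ReportPath              = ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"
)

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$domainDn = (Get-ADDomain).DistinguishedName

# Resolve privileged membership recursively so members of nested admin groups are identified,
# not just direct members.
$privilegedDns = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [void]$privilegedDns.Add($_.DistinguishedName) }
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

# Enumerate EVERY enabled user from the domain root with Subtree scope and no result cap, so
# privileged accounts living in separate admin OUs are in the same population as everyone else.
# The activity test is done client-side so that null LastLogonDate values cannot fall out of
# an LDAP date filter.
$enabledUsers = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -SearchBase $domainDn -SearchScope Subtree `
    -Properties LastLogonDate, whenCreated, adminCount

$findings = @(foreach ($u in $enabledUsers) {
    if ($ExcludeSamAccountNames -contains $u.SamAccountName) {
        Write-Verbose "Skipping allow-listed account $($u.SamAccountName)"
        continue
    }

    # LastLogonDate is derived from the replicated lastLogonTimestamp (stale by up to ~14 days,
    # acceptable for a 90-day rule). A never-logged-on account is measured from creation rather
    # than skipped.
    $lastActivity = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
    if ($lastActivity -ge $cutoff) { continue }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        Privileged        = (($u.adminCount -eq 1) -or $privilegedDns.Contains($u.DistinguishedName))
        LastActivity      = $lastActivity
        DaysInactive      = [int]((Get-Date) - $lastActivity).TotalDays
    }
})

# Write the full candidate list before acting so the audit trail covers the whole population,
# including the privileged subset.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Verbose ("{0} stale accounts ({1} privileged) written to {2}" -f $findings.Count, @($findings | Where-Object Privileged).Count, $ReportPath)

foreach ($f in $findings) {
    if ($PSCmdlet.ShouldProcess($f.SamAccountName, "Disable (inactive $($f.DaysInactive) days)")) {
        Disable-ADAccount -Identity $f.DistinguishedName
        # Record the reason on the object so a later reviewer can tell policy disablement from an incident response action.
        Set-ADUser -Identity $f.DistinguishedName -Replace @{ info = "Disabled $(Get-Date -Format s) by inactivity job: inactive $($f.DaysInactive) days" }
    }
}
```

Run it first with `-WhatIf -Verbose` and compare the CSV against the known privileged population; the count of `Privileged = True` rows is the quickest check that the script is actually reaching the accounts the recommendation is about. The design choice worth noting is that privilege is used only to label rows in the report, never to filter them out of the disablement pass.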

Recommendation 3: We recommend that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all Event Logging (EL) maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

Agency Response Dated October 30, 2023: The NRC has increased the Security Information and Event Management (SIEM) tool licensing level and acquired funding to adequately support procurement and onboarding.

The NRC plans to implement all requirements across EL maturity tiers EL1, EL2 and EL3 to ensure events are logged and tracked in accordance with Office of Management and Budget (OMB) M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents, dated August 27, 2021, by FY 2025, Q4.

Target Completion Date: FY 2025, Q4

OIG Analysis: The actions described in the staff response meet the intent of this recommendation. The OIG will close this recommendation when NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all Event Logging (EL) maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.

Status: Open: Resolved.
