ML24025C684

OIG-21-A-05 - Status of Recommendations - Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020, Dated January 25, 2024
Person / Time
Issue date: 01/25/2024
From: Virkar H, NRC/OIG/AIGA
To: Dan Dorman, NRC/EDO
References: OIG-21-A-05
Download: ML24025C684 (1)


Text

MEMORANDUM

DATE: January 25, 2024

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (OIG-21-A-05)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED NOVEMBER 28, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations as discussed in the agency's response dated November 28, 2023.

Recommendations 2(a), 4, and 7 were closed previously and have been removed from the list. Based on this response, recommendations 2(d) and 11 are closed. Based on this response, recommendations 2(c), 2(e), 5, 6, 8, 10, 12, and 13 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 31, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Avinash Jaigobind, Acting Team Leader, at 301.415.5402.

Attachment: As stated

cc: M. Bailey, ADO
T. Govan, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Evaluation Report: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020, Status of Recommendations (OIG-21-A-05)

Recommendation 2(c): If necessary, update enterprise, business process, and information system-level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response Dated November 28, 2023: The U.S. Nuclear Regulatory Commission (NRC) has transitioned all of its Federal Information Security Modernization Act of 2014 (FISMA) system security plans to National Institute of Standards and Technology Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020. The NRC will update the enterprise, business process, and information system level risk tolerance and appetite levels if necessary.

Target Completion Date: Fiscal year (FY) 2024, first quarter (Q1)

OIG Analysis: The OIG will close this recommendation after confirming the evidence that NRC updates enterprise, business process, and information system-level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions, if necessary.

Status: Open: Resolved.


Recommendation 2(d): Conduct an organization wide security and privacy risk assessment and implement a process to capture lessons learned and update risk management policies, procedures, and strategies.

Agency Response Dated November 28, 2023: The NRC uses the results of its system-level risk assessments, along with other inputs, to perform and maintain organization wide cybersecurity and privacy risk assessments. The deficiencies identified in these assessments are documented in the Risk and Continuous Authorization Tracking System (RCATS), which presents qualitative and quantitative metrics that provide indicators of cybersecurity risk. The risks are integrated into enterprise-level dashboards and reporting frameworks. In addition, the agency consistently monitors the effectiveness of risk responses to ensure that risk tolerances are maintained at an appropriate level. The NRC ensures that information is obtained accurately, consistently, and in a reproducible format and is used to (1) quantify and aggregate security risks, (2) normalize cybersecurity and privacy risk information across organizational units, and (3) prioritize operational risk response.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: OIG reviewed and confirmed that identified risks are assessed and documented in the Risk and Continuous Authorization Tracking System (RCATS), and risks are integrated in enterprise-level dashboards and reporting frameworks. In order to ensure that risk tolerances are maintained at an appropriate level, the NRC stated that they utilize the Risk Management Strategy process, which provides a comprehensive approach for framing, assessing, responding to, and monitoring risks associated with Agency information systems in accordance with Federal laws, regulations, and requirements. NRC also stated that Risk Management policies, procedures, and strategies are reviewed periodically and updated as appropriate/as necessary. OIG reviewed and confirmed that lessons learned are captured in the document Summary and Lessons Learned Privacy Program Assessment 2023. Based on the evidence provided, this recommendation is closed.

Status: Closed.


Recommendation 2(e): Consistently assess the criticality of plans of action and milestones (POA&Ms) to support why a POA&M is or is not of a high or moderate impact to the confidentiality, integrity, and availability (CIA) of the information system, data, and mission.

Agency Response Dated November 28, 2023: The NRC consistently assesses the criticality of POA&Ms by ensuring that information systems security officers and assessors adhere to CSO-PROS-2030, NRC Risk Management Framework (RMF) Process, specifically step 5. CSO-PROS-2030 further prescribes that assessors follow CSO-PROS-2102, System Cybersecurity Assessment Process, when performing security assessments. Additionally, CSO-STD-0020, System Security and Privacy Controls Standard, prescribes the organizationally defined frequency by which all such testing is performed. Finally, RCATS employs a POA&M management component that requires all POA&Ms to be assigned a criticality (severity) at the time of creation. To date, 13 out of 15 FISMA systems have been migrated to RCATS. The NRC expects to migrate the remaining two systems to RCATS by FY 2024, Q1.

Target Completion Date: FY 2024, Q1

OIG Analysis: OIG will close this recommendation after confirmation that plans of action and milestones (POA&Ms) are consistently assessed to support why a POA&M is or is not of a high or moderate impact to the confidentiality, integrity, and availability (CIA) of the information system, data, and mission.

Status: Open: Resolved.


Recommendation 5: Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's on-boarding procedures prior to these individuals being granted access to the NRC's systems and information.

Agency Response Dated November 28, 2023: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC's systems and information. The clearance waiver process is wholly contained within the NRC's onboarding process and will inherit the updated procedures.

The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC's Form 176A, Security Acknowledgment.

Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of FY 2024, third quarter (Q3).

Target Completion Date: FY 2024, Q3

OIG Analysis: The OIG will close this recommendation after confirming that NRC updates user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information, and also incorporates the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's on-boarding procedures prior to these individuals being granted access to the NRC's systems and information.

Status: Open: Resolved.


Recommendation 6: Continue efforts to identify individuals having additional responsibilities for PII (Personal Identifiable Information) or activities involving PII and develop role-based privacy training for them to be completed annually.

Agency Response Dated November 28, 2023: The NRC will identify individuals with privacy roles defined in Management Directive 3.2, Privacy Act, dated November 15, 2021. These individuals with privacy roles have PII responsibilities. The agency will then analyze the activities of these individuals to determine whether existing training, which includes privacy issues, adequately covers their activities. If gaps exist, then existing training will be updated or new training developed.

Target Completion Date: FY 2025, Q1

OIG Analysis: OIG will close this recommendation after confirming that NRC continues its efforts to identify individuals having additional responsibilities for PII (Personal Identifiable Information) or activities involving PII and develop role-based privacy training for them to be completed annually.

Status: Open: Resolved.


Recommendation 8: Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Agency Response Dated November 28, 2023: The Office of the Chief Information Officer (OCIO) will analyze the agency's security awareness and role-based training records to better inform its response to this recommendation. The OCIO staff will also consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training. To perform this analysis and develop a solution, the NRC requests a new target completion date of the second quarter (Q2) of FY 2024.

Target Completion Date: FY 2024, Q2

OIG Analysis: The OIG will close this recommendation after confirming that NRC implements the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Status: Open: Resolved.


Recommendation 10: Conduct an organizational level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission essential functions/high-value assets, and update contingency planning policies and procedures accordingly.

Agency Response Dated November 28, 2023: The NRC will conduct an organizational-level BIA to determine contingency planning requirements and priorities, including for mission-essential functions/high-value assets, and update contingency planning policies and procedures accordingly. The NRC's new target completion date is FY 2024, Q1.

Target Completion Date: FY 2024, Q1

OIG Analysis: OIG will close this recommendation after confirming that NRC conducts an organizational-level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission-essential functions/high-value assets, and updates contingency planning policies and procedures accordingly.

Status: Open: Resolved.


Recommendation 11: For low availability categorized systems complete an initial BIA and update the BIA whenever a major change occurs to the system or mission that it supports. Address any necessary updates to the system contingency plan based on the completion of or updates to the system level BIA.

Agency Response Dated November 28, 2023: The NRC Chief Information Security Officer waived the BIA requirement for low-availability systems, and the NRC updated CSO-PROS-1323 to state that low-availability systems do not have to create/document a BIA. The NRC recommends closure of this item.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: OIG reviewed CSO-PROS-1323, Information Security Continuous Monitoring Process, for minimum required frequencies for continuous monitoring activities for all NRC systems regardless of system categorization. OIG noted that the document states that systems with a low impact level for availability are not required to create a Business Impact Analysis (BIA).

Hence, this recommendation must be closed.

Status: Closed.


Recommendation 12: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Agency Response Dated November 28, 2023: The NRC coordinated with the Office of the Inspector General to clarify the scope of this recommendation. Based on that clarification, the NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The new target completion date is FY 2025, Q1.

Target Completion Date: FY 2025, Q1

OIG Analysis: OIG will close this recommendation after reviewing the evidence that demonstrates and confirms that the agency integrates metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Status: Open: Resolved.


Recommendation 13: Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans.

Agency Response Dated November 28, 2023: The NRC will analyze its contingency plans to identify candidates for automated testing. Based on that analysis, if automated testing is feasible and cost effective, then the NRC will develop plans to implement those measures and coordinate with all associated information communication technology (ICT) supply chain providers. The new target completion date is FY 2025, Q1.

Target Completion Date: FY 2025, Q1

OIG Analysis: OIG will close this recommendation after confirming that the agency implements automated mechanisms to test system contingency plans, updates and implements procedures to coordinate contingency plan testing with ICT supply chain providers, and implements an automated mechanism to test system contingency plans.

Status: Open: Resolved.
