ML24036A344

DNFSB-23-A-04 -Status of Recommendation: Audit of the Defense Nuclear Facilities Safety Board’S Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023, Dated, February 5, 2024
ML24036A344
Person / Time
Issue date: 02/05/2024
From: Virkar H
NRC/OIG/AIGA
To: Buhler M
NRC/EDO
References
DNFSB-23-A-04


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: February 5, 2024

TO: Mary Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATION: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (DNFSB-23-A-04)

REFERENCE: ASSOCIATE DIRECTOR FOR BOARD OPERATIONS, OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS MEMORANDUM DATED DECEMBER 04, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendation as discussed in the agency's response dated December 04, 2023.

Based on this response, recommendation 1 remains open and resolved. Please provide an updated status of the open, resolved recommendation by March 31, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: T. Tadlock, OEDO
    G. Garvin, OEDO

Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023, Status of Recommendation (DNFSB-23-A-04)

Recommendation 1:

We recommend that DNFSB's Chief Information Security Officer acquire resources to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

Agency Response Dated December 04, 2023:

Partially Agree.

DNFSB disagrees with the recommendation to the extent that it recommends that the CISO acquire resources. The CISO does not have the authority or ability to acquire resources. Resources for each agency program, including cyber security, must be authorized and appropriated by Congress, coordinated through the budgetary process with the Office of Management and Budget, and allocated by the agency based upon its budgetary formulation and execution processes. The agency must allocate its limited resources across all of its programs and administrative functions to accomplish its mission. The CISO has no independent authority to acquire resources. DNFSB agrees with the recommendation to the extent that, subject to available resources, the DNFSB will implement the logging requirements of OMB M-21-31.

Corrective Action Plan: DNFSB intends to take the following actions to achieve compliance with the corresponding EL Tiers from OMB M-21-31:

Tier EL1 - Basic:

Since the conclusion of the FY 2023 FISMA Audit, DNFSB is ensuring that Required Logs categorized as Criticality Level 0 are being retained in acceptable formats for specified timeframes, per the technical details described in Appendix C of OMB M-21-31. Based on these actions, DNFSB is now meeting the requirements of the EL1 Event Logging Tier.

Tier EL2 - Intermediate:

To meet the requirements of the EL2 Event Logging Tier, in addition to being at the EL1 maturity level, DNFSB must also meet the following requirements:

  • Intermediate Logging Categories
  • Publication of Standardized Log Structure
  • Inspection of Encrypted Data
  • Intermediate Centralized Access

Based on the resources and level of effort required, DNFSB anticipates being able to meet all of the requirements needed to reach the EL2 maturity level by Q4 FY 2024, with the exception of the requirement for 72-hour full packet capture (both decrypted plaintext and cleartext) of all network traffic data. Based on discussions with multiple industry sources and other government agencies, there does not appear to be any viable or available government or commercial solutions for meeting this requirement that are not prohibitively expensive. This challenge has been discussed in OMB CyberStat sessions, as many agencies are struggling to satisfy this requirement. Until a viable solution becomes available, DNFSB does not intend to meet the unfunded 72-hour full packet data capture requirement.

Tier EL3 - Advanced:

To meet the requirements of the EL3 Event Logging Tier, in addition to being at the EL1 and EL2 maturity levels, DNFSB must also meet the following requirements:

  • Advanced Logging Categories
  • Logging Orchestration, Automation, and Response - Finalizing Implementation
  • User Behavior Monitoring - Finalizing Implementation
  • Application Container Security, Operations, and Management
  • Advanced Centralized Access

Subject to available resources and the level of effort required, DNFSB also anticipates being able to meet all of the requirements needed to reach the EL3 maturity level by Q2 FY 2025.


Target Completion Date to Reach EL3 Maturity Level: March 31, 2025

OIG Analysis:

The OIG will close the recommendation after confirming and reviewing the evidence that demonstrates DNFSB's Chief Information Security Officer acquires resources to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

Status:

Open: Resolved.