ML24213A327

Fiscal Year 2025 Cybersecurity Risk Management Activities
ML24213A327
Person / Time
Issue date: 09/16/2024
From: Scott Flanders
NRC/OCIO
To: Barwell O, Brooke Clark, Feitel R, Hawkens E, Scott Moore
Advisory Committee on Reactor Safeguards, Office of Administration, Atomic Safety and Licensing Board Panel, NRC/EDO, Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response, Office of Congressional Affairs, NRC/OCAA, NRC/OCFO, Office of the Chief Human Capital Officer, NRC/OCIO, NRC/OE, NRC/OI, NRC/OIG, NRC/OIP, Office of Public Affairs, Office of Nuclear Regulatory Research, Region 1 Administrator, Region 2 Administrator, Region 3 Administrator, Region 4 Administrator, NRC/SBCR, NRC/SECY
Sage A
Shared Package
ML24213A330 List:
References


Text

MEMORANDUM TO: Those on the Attached List

FROM: Scott C. Flanders, CIO, Office of the Chief Information Officer

SUBJECT: FISCAL YEAR 2025 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

In this climate of new and expanded uses of technology in mission and corporate space, adapting and increasing cybersecurity measures is paramount in securing the agency's IT assets through continual evolution of cybersecurity controls. I want to express my appreciation for your continued efforts to improve the cybersecurity posture of the U.S. Nuclear Regulatory Commission (NRC) and our goal to minimize security risks. The improvements have been achieved through the hard work of you and your staff and are reflected in our quarterly Federal Information Security Modernization Act of 2014 (FISMA) reporting, annual Federal Information Technology Acquisition Reform Act ratings, responses to Office of Management and Budget (OMB) and Cybersecurity and Infrastructure Security Agency (CISA) directives, and audits conducted by the Government Accountability Office and our Inspector General. These improvements come with additional scrutiny and tightly scheduled responses to a variety of mandated actions outlined in OMB and CISA objectives. Further, we need to maintain focus and efforts to monitor systems and ensure that issues do not reemerge after mitigation, such that our risk posture and the security controls over the NRC's information systems and data are not negatively impacted in light of the constantly changing threat landscape.

The FISMA legislation and our implementing framework delineate the risk management activities that we are required to conduct periodically. We also must continue our focus on the agency's high-value asset systems, which garner further attention due to the sensitivity of the information they process, making them an attractive target for our Nation's adversaries. The National Institute of Standards and Technology has introduced expanded guidance through the release of Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020. These control enhancements include a focus on supply chain risk management as well as additional privacy considerations, among other outcome-based controls. The enhancements include the following:

  • system security categorization
  • privacy threshold analysis and privacy impact assessment updates
  • system cybersecurity assessments
  • periodic reviews and risk management reporting
  • contingency planning and testing
  • continuous monitoring of NRC FISMA systems
  • role-based cybersecurity and privacy awareness training
  • cybersecurity role-based training

Additionally, given Executive Order 14028, Improving the Nation's Cybersecurity, dated May 12, 2021, and the related OMB directives, agencies must modernize and implement cybersecurity standards, transition to secure cloud services, adopt a zero-trust architecture, and enable endpoint detection and response as well as enhanced logging throughout systems and networks. These activities will call for additional investments and cross-office coordination to meet the increased requirements.

CONTACT: Garo Nalabandian, OCIO/CISO, 301-415-8421

September 16, 2024
Signed by Flanders, Scott on 09/16/24

Succeeding in such important efforts requires support from all NRC office directors, Regional Administrators, and system owners. The agency's success also depends on completion of the risk management activities outlined in the enclosed Cybersecurity Risk Management Activities Instructions, Fiscal Year 2025. These instructions provide detailed guidance on the required activities, such as making the specified documentation available to required staff, including the Office of the Inspector General.

Contract vehicles are available to NRC Headquarters and regional offices to support these activities. If you need contract support, please ensure that sufficient resources and time are available by coordinating requirements with your designated contracting officers representative for cybersecurity program support services.

As the agency navigates the Accelerating Deployment of Versatile Advanced Nuclear for Clean Energy (ADVANCE) Act, we will need to seek further methods for streamlining cybersecurity processes and automating controls to support greater efficiencies and resource utilization.

Further, I will continue to focus on ensuring that the agency identifies needed resources in the budget formulation process for all aspects of required cybersecurity for the life of its systems, including plans for hardware and software upgrades, maintenance, and system changes.

Please feel free to contact Garo Nalabandian or me with questions. As always, I expect and appreciate your support as we work to jointly accomplish the agency's mission and minimize cybersecurity risk to the NRC.

Enclosure:

Cybersecurity Risk Management Activities Instructions, Fiscal Year 2025

SUBJECT: FISCAL YEAR 2025 CYBERSECURITY RISK MANAGEMENT ACTIVITIES
DATED: SEPTEMBER 16, 2024

DISTRIBUTION: See Next Page
ADAMS Accession Number: ML24213A330 (pkg)

OFFICE   OCIO/CISD/COT   QTE                 OCIO/Acting D/CISO   OCIO/D
NAME     TTruong         JDougherty (KDAK)   GNalabandian         SFlanders
DATE     8/5/2024        8/9/2024            9/4/2024             9/16/2024

  • via email

OFFICIAL RECORD COPY

MEMORANDUM TO THOSE ON THE ATTACHED LIST DATED: SEPTEMBER 16, 2024

SUBJECT: FISCAL YEAR 2025 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

E-Mail/Mail Stops

Scott W. Moore, Executive Director, Advisory Committee on Reactor Safeguards - RidsACRS_MailCTR Resource
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel - RidsAslbpManagement Resource
Brooke Clark, General Counsel - RidsOgcMailCenter Resource
Jared Heck, Acting, Office of Commission Appellate Adjudication - RidsOcaaMailCenter Resource
Owen F. Barwell, Chief Financial Officer - RidsOcfoMailCenter Resource
Robert J. Feitel, Inspector General - RidsOigMailCenter Resource
David L. Skeen, Director, Office of International Programs - RidsOipMailCenter Resource
Eugene Dacus, Director, Office of Congressional Affairs - RidsOcaMailCenter Resource
Hal Pittman, Director, Office of Public Affairs - RidsOpaMail Resource
Carrie Safford, Secretary of the Commission - RidsSecyMailCenter Resource; RidsSecyCorrespondenceMCTR Resource
Mirela Gavrilas, Executive Director for Operations - RidsEdoMailCenter Resource
TDB, Deputy Executive Director for Materials, Waste, Research, State, Tribal, Compliance, Administration, and Human Capital Programs, OEDO - RidsEdoMailCenter Resource
Scott A. Morris, Deputy Executive Director for Reactor and Preparedness Programs, OEDO - RidsEdoMailCenter Resource
Jody C. Martin, Associate Director for Operations, OEDO - RidsEdoMailCenter Resource
James C. Corbett, Director, Office of Administration - RidsAdmMailCenter Resource
Scott C. Flanders, Chief Information Officer - RidsOCIO Resource (I); RidsOcioMailCenter Resource (A)
David L. Pelton, Director, Office of Enforcement - RidsOeMailCenter Resource
Thomas G. Ashley, Director, Office of Investigations - RidsOiMailCenter Resource
Jennifer M. Golder, Chief Human Capital Officer - RidsOchcoMailCenter Resource
John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards - RidsNmssOd Resource
Andrea D. Veil, Director, Office of Nuclear Reactor Regulation - RidsNrrOd Resource (I); RidsNrrMailCenter Resource (A)
John Tappert, Acting Director, Office of Nuclear Regulatory Research - RidsResOd Resource (I); RidsResPmdaMail Resource (A)
Vonna L. Ordaz, Director, Office of Small Business and Civil Rights - RidsSbcrMailCenter Resource
Craig Erlanger, Acting Director, Office of Nuclear Security and Incident Response - RidsNsirOd Resource (I); RidsNsirMailCenter Resource (A)
Raymond K. Lorson, Regional Administrator, Region I - RidsRgn1MailCenter Resource
Laura A. Dudes, Regional Administrator, Region II - RidsRgn2MailCenter Resource
John B. Giessner, Regional Administrator, Region III - RidsRgn3MailCenter Resource
John D. Monninger, Regional Administrator, Region IV - RidsRgn4MailCenter Resource

(I) Information Items
(A) Action Items