ML24274A305

DNFSB-24-A-05 - Recommendation Closure, Dated September 30, 2024
ML24274A305
Issue date: 09/30/2024
From: Virkar H, NRC/OIG/AIGA
To: Buhler M, NRC/EDO/AO
References: DNFSB-24-A-05


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: September 30, 2024

TO: Mary J. Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations

SUBJECT: RECOMMENDATION CLOSURE

REFERENCE: PERFORMANCE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 (DNFSB-24-A-05)

Attached is the Office of the Inspector General's (OIG) closure of recommendations in response to the audit report titled: Performance Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Biggins, GM; T. Reddish, DGM; T. Tadlock, OEDO; G. Garvin, OEDO

Audit Report: PERFORMANCE AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024, RECOMMENDATION CLOSURE (DNFSB-24-A-05)

The following prior year recommendations are closed based on fieldwork performed during the Performance Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024.

FY 2020 FISMA Evaluation (DNFSB-21-A-04)

Recommendation 4: Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout and KACE solutions.

Recommendation 7: Implement a technical capability to restrict new employees and contractors from being granted access to the DNFSB's systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.

Recommendation 10: Continue efforts to develop and implement role-based privacy training.

Recommendation 14: Based on the results of the DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update the DNFSB's contingency planning policies and procedures to address Information and Communication Technology (ICT) supply chain risk.

FY 2021 FISMA Evaluation (DNFSB-22-A-04)

Recommendation 1: Update the Information Security Architecture (ISA) and use the updated ISA to:

a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Recommendation 2: Using the results of recommendation 1 above:

a. Utilizing guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;

b. Implement a centralized view of risk across the organization;


c. Implement formal procedures for prioritizing and tracking Plan of Action and Milestones (POA&Ms) to remediate vulnerabilities.

Recommendation 3: Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:

a. Defining a frequency for conducting risk assessments so that agency risks are periodically assessed and the results are integrated to improve mission and business processes.

Recommendation 7: Implement automated mechanisms (e.g., machine-based or user-based enforcement) to support the management of privileged accounts, including the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Recommendation 8: Continue efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Recommendation 10: Conduct the agency's annual breach response plan exercise for FY 2021.

Recommendation 20: Allocate and train staff with significant incident response responsibilities.

Recommendation 22: Develop and track metrics related to the performance of contingency planning and recovery related activities.

Recommendation 24: Implement role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.

FY 2022 FISMA Evaluation (DNFSB-22-A-07)

Recommendation 1: Implement a process to ensure a security control assessment for the DNFSB General Support System (GSS) is completed and documented on an annual basis.

Recommendation 7: Create procedures for vulnerability and compliance management based on risk and the level of effort involved to mitigate confirmed vulnerabilities case by case, such as:

a. Prioritizing mitigation in accordance with all requirements specified by the Cybersecurity and Infrastructure Security Agency's Binding Operational Directive (CISA BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, and Emergency Directives, as applicable.

b. Opening plans of action and milestones to track critical and high vulnerabilities that cannot be addressed within 30 days.
c. Preparing risk-based decisions in unusual circumstances when there is a technical or cost limitation making mitigation of a critical or high vulnerability infeasible with documented, effective compensating controls coupled with a clear timeframe for planned remediation.
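As an added illustration of the three-part procedure in Recommendation 7 (example code written for this page, not DNFSB's or the OIG's own tooling), the following Python sketch triages a set of confirmed scan findings: KEV entries are prioritized first against a CISA due date (7a), critical and high findings still open past 30 days are routed to a POA&M (7b), and findings with documented compensating controls and a dated remediation plan are recorded as risk-based decisions (7c). The KEV catalog entries, vulnerability identifiers, asset names, dates, and the 30-day window constant are all constructed or assumed for the example.

```python
"""Vulnerability triage in the shape of FY 2022 Recommendation 7 (7a-7c).

Added illustration; inputs below are constructed and the identifiers are invented.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed stand-in for the CISA KEV catalog: identifier -> CISA remediation
# due date. The real catalog uses CVE IDs; these IDs are invented.
KEV_CATALOG: Dict[str, date] = {"EXAMPLE-0001": date(2024, 9, 15)}

SLA_DAYS = 30  # 7b: critical/high findings open longer than this need a POA&M (assumed window)


@dataclass
class Finding:
    vuln_id: str
    severity: str                 # "critical", "high", "medium", "low"
    asset: str
    confirmed: date               # date the finding was confirmed
    remediated: Optional[date] = None
    # 7c fields, filled only when the agency has documented that mitigation is infeasible
    compensating_controls: Optional[str] = None
    planned_remediation: Optional[date] = None


@dataclass
class Decision:
    vuln_id: str
    asset: str
    action: str                   # "closed", "remediate", "poam", "risk_based_decision"
    due: Optional[date]
    needs_poam: bool
    overdue: bool
    reason: str


def triage(f: Finding, today: date, kev: Dict[str, date] = KEV_CATALOG) -> Decision:
    """Apply 7a-7c to one confirmed finding and return the tracking decision."""
    if f.remediated is not None:
        return Decision(f.vuln_id, f.asset, "closed", f.remediated, False, False,
                        "remediated on %s" % f.remediated)
    # 7a: KEV entries come first and are measured against CISA's due date.
    # Assumption: a KEV item past its CISA date is tracked in a POA&M like any overdue item.
    if f.vuln_id in kev:
        due = kev[f.vuln_id]
        late = today > due
        return Decision(f.vuln_id, f.asset, "remediate", due, late, late,
                        "CISA BOD 22-01 KEV entry; remediate by CISA due date")
    if f.severity in ("critical", "high"):
        deadline = f.confirmed + timedelta(days=SLA_DAYS)
        if today <= deadline:
            return Decision(f.vuln_id, f.asset, "remediate", deadline, False, False,
                            "%s severity; remediate within %d days" % (f.severity, SLA_DAYS))
        # 7c: past the window, with documented compensating controls and a dated plan.
        if f.compensating_controls and f.planned_remediation:
            return Decision(f.vuln_id, f.asset, "risk_based_decision", f.planned_remediation,
                            True, today > f.planned_remediation,
                            "compensating controls: %s" % f.compensating_controls)
        # 7b: past the window with no documented decision -> open a POA&M.
        return Decision(f.vuln_id, f.asset, "poam", deadline, True, True,
                        "%s severity open %d days; exceeds %d-day window"
                        % (f.severity, (today - f.confirmed).days, SLA_DAYS))
    return Decision(f.vuln_id, f.asset, "remediate", None, False, False,
                    "%s severity; routine patch cycle" % f.severity)


def triage_all(findings: List[Finding], today: date) -> List[Decision]:
    return [triage(f, today) for f in findings]


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


def poam_queue(decisions: List[Decision]) -> List[str]:
    """Identifiers that must have a POA&M opened or kept open."""
    return [d.vuln_id for d in decisions if d.needs_poam]


# Constructed sample findings; TODAY matches the memo date.
TODAY = date(2024, 9, 30)
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "critical", "gss-web-01", date(2024, 9, 1)),
    Finding("EXAMPLE-0002", "high", "gss-file-01", date(2024, 9, 20)),
    Finding("EXAMPLE-0003", "critical", "gss-app-02", date(2024, 8, 1)),
    Finding("EXAMPLE-0004", "high", "gss-legacy-01", date(2024, 7, 15),
            compensating_controls="network segmentation; host firewall",
            planned_remediation=date(2024, 12, 31)),
    Finding("EXAMPLE-0005", "medium", "gss-wks-07", date(2024, 9, 25)),
    Finding("EXAMPLE-0006", "high", "gss-db-01", date(2024, 8, 10), remediated=date(2024, 8, 20)),
]

if __name__ == "__main__":
    for d in triage_all(SAMPLE_FINDINGS, TODAY):
        print(d.vuln_id, d.asset, d.action, d.due, "POA&M" if d.needs_poam else "", d.reason)
    print(summarize(triage_all(SAMPLE_FINDINGS, TODAY)))
```

The ordering matters: a KEV entry is checked before the severity window so that a CISA due date earlier than the 30-day deadline is the one enforced, and a risk-based decision is only reached once the window has lapsed and both a documented control and a planned date exist; otherwise the finding falls through to a plain POA&M.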