ML25034A209

The U.S. Government Accountability Office Report Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements September 2024 (GAO-24-106137) - Enclosure 1
Issue date: 03/19/2025
From: NRC/Chairman
To: US General Accounting Office (GAO)
Shared Package: ML24267A005
References: LTR-24-0207-1-OCIO, CORR-25-0014, GAO-24-106137



Enclosure: The U.S. Government Accountability Office Report Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements, September 2024 (GAO-24-106137)

The U.S. Government Accountability Office (GAO), in its report GAO-24-106137, Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements, issued September 2024, provided recommendations to the U.S. Nuclear Regulatory Commission (NRC) with regard to the procurement of cloud computing services. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

GAO Recommendation 37:

The Chairman of NRC should ensure that the CIO [Chief Information Officer] of NRC develops guidance to put a cloud Service Level Agreement (SLA) in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance.

Status:

The NRC plans to review its existing guidance noted below and update SLAs as applicable to ensure that the OMB-required elements are met.

The NRC employs information security requirements for the acquisition of information technology, which incorporate language reflective of the Office of Management and Budget's (OMB's) four required elements for SLAs: continuous monitoring over assets, definition of roles and responsibilities, establishment of performance metrics, and remediation plans for non-compliance.

All new technology services, including cloud-based services, are initially evaluated through the agency's Information Technology Governance process to determine agency suitability, which includes a cybersecurity review. If the service is deemed cloud-based, the service undergoes a comprehensive assessment prior to receiving authorization, and the related High Value Asset (HVA) continuous monitoring activities are codified in the agency's process document, CSO-PROS-1323, Information Security Continuous Monitoring Process. NRC's Management Directive (MD) 12.5, "NRC Cybersecurity Program," and MD 12.6, "NRC Controlled Unclassified Program," require that these related processes be specifically aligned to the Federal Risk and Authorization Management Program (FedRAMP) authorization requirements, which are fully enforceable contractually in terms of holding cloud service providers accountable.

Additionally, the NRC utilizes a performance Statement of Work (SOW) template that prescribes recommended language and other resources for the procurement of information technology contracts, including cloud computing services. NRC acquisitions involving cloud services are typically procured through a reseller. Cloud Service Provider SLAs flow through the reseller via a roles and responsibilities clause, as described in the contract document template.

This effort is targeted for completion by the third quarter of fiscal year 2025 (FY 2025 Q3).

This GAO recommendation remains open.

GAO Recommendation 38:

The Chairman of NRC should ensure that the CIO of NRC develops guidance regarding standardizing cloud SLAs.

Status:

The NRC adheres to the OMB Federal Cloud Computing Strategy as the foundation for acquiring cloud-based solutions, ensuring alignment with FedRAMP requirements for continuous awareness of cloud-based assets. To maintain consistency across applicable contracts, the NRC employs standardized contract clauses and SOW templates that reinforce SLAs.

Currently, the NRC is reviewing existing documentation to ensure SLAs for all cloud-based assets are standardized. This effort includes incorporating language that strengthens quality assurance, continuous visibility, security, and operational efficiency. The planned updates are scheduled for implementation by FY 2025 Q3.

This GAO recommendation remains open.

GAO Recommendation 39:

The Chairman of NRC should ensure that the CIO of NRC develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset.

Status:

The NRC maintains an internal procedure, CSO-PROS-1323, Information Security Continuous Monitoring Process, that the staff must follow to perform continuous monitoring on systems owned and used by the NRC. This existing guidance, which applies to the agency's HVA systems, currently aligns with Cybersecurity and Infrastructure Security Agency (CISA) direction for protecting and operating HVA information systems, including cloud-based services. Existing NRC FedRAMP contract requirements stipulate that cloud services must undergo security and risk assessments, continuous monitoring and alerting, and access controls through identity, credential, and access management capabilities.

All new technology services, including cloud-based services, are initially evaluated through the agency's IT Governance process to determine agency suitability. This process includes a cybersecurity review. The services undergo a comprehensive risk assessment before receiving authorization, and the related HVA continuous monitoring activities are codified in the agency's process document, CSO-PROS-1323. Please see the highlighted sections on pages 3, 5-6, 8, 10, 12, 13, and 19 in the attached CSO-PROS-1323-Copy.pdf file for guidance on the continuous visibility requirements.

The NRC's MD 12.5, "NRC Cybersecurity Program," requires that the associated processes be explicitly aligned with the FedRAMP authorization requirements. These requirements are contractually enforceable, ensuring accountability for cloud service providers. Please see the highlighted sections on pages 7, 9, 28, 37, 38, 60, 74, 75, 78, and 87 in the attached Management Directive 12.5 - copy.pdf file for further information.

The NRC considers this GAO recommendation to be closed.

GAO Recommendation 40:

The Chairman of NRC should ensure that the CIO of NRC updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award.

Status:

NRC contracts governing HVA systems that are managed and operated in cloud environments currently provide for continuous visibility of assets. The requirements are enforced through agency policy and in accordance with FedRAMP guidance. The specific language in NRC contracts has been updated to reflect the most recent OMB FedRAMP guidance, is now integrated within CSO-PROS-1323, Information Security Continuous Monitoring Process, and NRC's MD 12.5, "NRC Cybersecurity Program," and is associated with applicable NRC HVA contracts.

The NRC considers this GAO recommendation to be closed.