OIG-20-A-06, Status of Recommendations: Independent Evaluation of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019, dated April 22, 2024

ML24113A053
Issue date: 04/22/2024
From: H. Virkar, NRC/OIG/AIGA
To: Raymond Furstenau, NRC/EDO
References: OIG-20-A-06
Download: ML24113A053


Text

MEMORANDUM

DATE: April 22, 2024

TO: Raymond V. Furstenau, Acting Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits

SUBJECT:

STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (OIG-20-A-06)

REFERENCE:

CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED MARCH 25, 2024.

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations as discussed in the agency's response dated March 20, 2024. Based on this response, recommendations 2d, 2e, 2f, and 4 are closed, and recommendations 2c, 5, 6, and 7 remain open and resolved. Please provide an updated status of the open, resolved recommendations by October 11, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment:

As stated

cc: J. Martin, Acting ADO
T. Govan, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

INDEPENDENT EVALUATION OF U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 Status of Recommendations (OIG-20-A-06)

Recommendation 2c: Use the fully defined ISA [Information Security Architecture] to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response Dated March 20, 2024: The U.S. Nuclear Regulatory Commission (NRC) has transitioned and assessed 11 of its 15 information systems to National Institute of Standards and Technology Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, issued September 2020. The agency expects to complete the transition and assessment of the remaining four systems to Revision 5 in the fourth quarter (Q4) of fiscal year (FY) 2024.

Target Completion Date: FY 2024, Q4

OIG Analysis: The OIG will close this recommendation after confirming that the NRC has used the fully defined ISA [Information Security Architecture] to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Status: Open: Resolved.


Recommendation 2d: Use the fully defined ISA to conduct an organization-wide security and privacy risk assessment.

Agency Response Dated March 20, 2024: The NRC used its fully defined ISA to conduct an organization-wide security and privacy risk assessment. This is consistent with the NRC's response in November 2023 to recommendation 2d in OIG-21-A-05, Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020, dated March 19, 2021.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that the NRC has used the fully defined ISA to conduct an organization-wide security and privacy risk assessment. As per the agency, assessments are performed in a 3-cycle review process covering all five NIST CSF functions. The first cycle of review covered the Identify function, the second cycle covered the Protect and Detect functions, and the third cycle would be performed in the current year and would cover the Respond and Recover functions. The evidence that was provided pertains to the second cycle. Hence, this recommendation is closed.

Status: Closed.


Recommendation 2e: Use the fully defined ISA to conduct a supply chain risk assessment.

Agency Response Dated March 20, 2024: The NRC used its fully defined ISA to conduct a supply chain risk assessment. The NRC's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The NRC has established and implemented the processes to identify, assess, and manage supply chain risks.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that the agency has used the fully defined ISA to conduct a supply chain risk assessment. Based on the evidence provided, the OIG closes this recommendation.

Status: Closed.


Recommendation 2f: Use the fully defined ISA to identify and update NRC risk management policies, procedures, and strategy.

Agency Response Dated March 20, 2024: The NRC used its fully defined ISA to identify and update the NRC Risk Management Framework process in June and August 2023. The recent updates to that process include details of the NRC's risk assignment and the Senior Agency Official for Privacy's role in the security and privacy control assessments.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence MSC# CSO-PROS-2030_Risk_Management_Framework_Process_v2.4_ and confirmed that the NRC has used its fully defined ISA to identify and update the NRC Risk Management Framework process in June and August 2023. Based on the evidence provided, the OIG closes this recommendation.

Status: Closed.


Recommendation 4: Perform an assessment of role-based privacy training gaps.

Agency Response Dated March 20, 2024: The NRC performed an assessment of role-based privacy training gaps in October 2023. As a result of the assessment, the NRC will identify individuals having specialized role-based responsibilities for PII [personally identifiable information] or activities involving PII and develop role-based privacy training for them.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that the NRC had performed an assessment of the role-based privacy training gaps. Hence, this recommendation is closed.

Status: Closed.


Recommendation 5: Identify individuals having specialized role-based responsibilities for PII [personally identifiable information] or activities involving PII and develop role-based privacy training for them.

Agency Response Dated March 20, 2024: As a result of the assessment referenced in recommendation 4, the NRC will identify individuals having specialized role-based responsibilities for PII or activities involving PII and develop role-based privacy training for them. The agency plans to complete the associated training development and implementation by the first quarter (Q1) of FY 2025.

Target Completion Date: FY 2025, Q1

OIG Analysis: The OIG will close this recommendation after getting assurance from evidence that the agency has identified individuals having specialized role-based responsibilities for PII [personally identifiable information] or activities involving PII and has developed role-based privacy training for them.

Status: Open: Resolved.


Recommendation 6: Based on the NRC's supply chain risk assessment results, complete updates to the NRC's contingency planning policies and procedures to address supply chain risk.

Agency Response Dated March 20, 2024: The NRC will incorporate the supply chain risk assessment results to complete updates to the NRC's contingency planning policies and procedures and address supply chain risk.

Target Completion Date: FY 2025, Q1

OIG Analysis: The OIG will close this recommendation after confirming that the NRC has completed updates to the agency's contingency planning policies and procedures to address supply chain risk based on its supply chain risk assessment results.

Status: Open: Resolved.


Recommendation 7: Continue efforts to conduct agency and system level business impact assessments to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Agency Response Dated March 20, 2024: The NRC will conduct agency- and system-level business impact assessments to determine contingency planning requirements and priorities, including for mission-essential functions/high-value assets, and update contingency planning policies and procedures accordingly.

Target Completion Date: FY 2024, Q4

OIG Analysis: The OIG will close this recommendation after confirming that the agency has continued its efforts to conduct agency- and system-level business impact assessments to determine contingency planning requirements and priorities, including for mission-essential functions/high-value assets, and has updated its contingency planning policies and procedures accordingly.

Status: Open: Resolved.
