OIG-20-A-09, Status of Recommendations - Independent Evaluation of NRC's Potential Compromise of Systems - Social Engineering, Dated February 5, 2024
| ML24036A323 | |
| Person / Time | |
|---|---|
| Issue date: | 02/05/2024 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Scott Flanders, Raymond Furstenau NRC/EDO |
| References | |
| OIG-20-A-09 | |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov
MEMORANDUM
DATE: February 5, 2024
TO: Raymond V. Furstenau, Acting Executive Director for Operations
Scott C. Flanders, Acting Chief Information Officer
FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits
SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF NRC'S POTENTIAL COMPROMISE OF SYSTEMS (SOCIAL ENGINEERING)
REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED JANUARY 2, 2024
Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated January 2, 2024. Based on this response, recommendations 9 and 11 are closed. In addition, recommendations 1-3, 4-8, 10 and 12-13 were closed in a previous response. All recommendations related to this audit report are now closed, and the audit is considered closed.
If you have questions or concerns, please call me at 301.415.5915 or Avinash Jaigobind, Acting Team Leader, at 301.415.5402.
Attachment: As stated
Cc: J. Martin, Acting ADO
T. Govan, Acting DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO_ACS Distribution
Evaluation Report
INDEPENDENT EVALUATION OF NRC'S POTENTIAL COMPROMISE OF SYSTEMS (SOCIAL ENGINEERING)
Status of Recommendations (OIG-20-A-09)
Recommendation 9:
Within the next year, perform follow-on checks to determine if passwords are being protected.
Agency Response Dated January 2, 2024:
As part of its Operation Security (OpsSec) program, which is owned by the Office of Administration, the U.S. Nuclear Regulatory Commission (NRC) performs monthly checks to ensure NRC personnel are not writing passwords onto note cards, sticky notes, or other open, visible surfaces.
Target Completion Date: Recommends closure of this item.
OIG Analysis:
The agency's corrective actions described above appear reasonable and meet the intent of the recommendation. The OIG reviewed and verified monthly checks to determine if passwords are being protected. This recommendation is, therefore, closed.
Status:
Closed.
Recommendation 11:
Perform periodic spot checks for employees away during the 15-minute window before the screen locks to ensure that PCs are being protected from unauthorized viewing.
Agency Response Dated January 2, 2024:
As part of its OpsSec program, which is owned by the Office of Administration, the NRC performs monthly spot checks to ensure that NRC personnel have locked their workstation screens while unattended to prevent unauthorized viewing and network access.
Target Completion Date: Recommends closure of this item.
OIG Analysis:
The agency's corrective actions described above appear reasonable and meet the intent of the recommendation. The OIG reviewed and verified monthly spot checks to ensure that PCs are being protected from unauthorized viewing.
This recommendation is, therefore, closed.
Status:
Closed.