OIG-22-A-04, Status of Recommendations: Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated February 21, 2024

ML24052A379
Person / Time
Issue date: 02/21/2024
From: Virkar H
NRC/OIG/AIGA
To: Raymond Furstenau
NRC/EDO
References
OIG-22-A-04


Text

MEMORANDUM

DATE: February 21, 2024

TO: Raymond V. Furstenau Acting Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/

Assistant Inspector General for Audits

SUBJECT:

STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (OIG-22-A-04)

REFERENCE:

CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED JANUARY 22, 2024

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendation as discussed in the agency's response dated January 19, 2024. Based on this response, recommendations 2, 3, 4, and 12 are closed. Based on this response, recommendations 6, 7, 8, 11, 13, 14, 16, 17, and 18 remain open and resolved. Please provide an updated status of the open, resolved recommendations by August 30, 2024.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment:

As stated

cc: J. Martin, Acting ADO
T. Govan, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution

Evaluation Report: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (OIG-22-A-04)

Recommendation 2: Continue current Agency's efforts to update the Agency's cybersecurity risk register to (i) aggregate security risks, (ii) normalize cybersecurity risk information across organizational units, and (iii) prioritize operational risk response.

Agency Response Dated January 19, 2024: In order to continue to aggregate security risks, normalize cybersecurity risk information across organizational units, and prioritize operational risk responses, the U.S. Nuclear Regulatory Commission (NRC) has implemented a centralized and automated application that aggregates cybersecurity plan of action and milestone (POA&M) risks for all Federal Information Security Modernization Act of 2014 (FISMA) systems, including the agency's programmatic cybersecurity POA&Ms. The application prioritizes cybersecurity POA&M risks across organizational units.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that the agency has implemented a centralized and automated application that aggregates cybersecurity plan of action and milestone (POA&M) risks for all Federal Information Security Modernization Act of 2014 (FISMA) systems, including the agency's programmatic cybersecurity POA&Ms, to aggregate security risks, normalize cybersecurity risk information across organizational units, and prioritize operational risk responses. The application prioritized cybersecurity POA&M risks across organizational units.

Based on the evidence provided, the OIG closed this recommendation.

Status: Closed.

Recommendation 3: Update procedures to include assessing the impacts to the organization's ISA prior to introducing new information systems or major system changes into the Agency's environment.

Agency Response Dated January 19, 2024: When a new information system or major system change is introduced into the environment, an assessment is conducted to ensure that the new system or major change meets the requirements of the agency's cybersecurity and privacy programs. The introduction of a new system or major change occurs at a system level and does not impact the information system architecture (ISA). Therefore, the NRC recommends closure of this item.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that when a new information system or major system change is introduced into the environment, an assessment is conducted to ensure that the new system or major change meets the requirements of the agency's cybersecurity and privacy programs. The introduction of a new system or major change occurs at a system level and does not impact the information system architecture (ISA). Based on the evidence provided, this recommendation is closed.

Status: Closed.

Recommendation 4: Develop and implement procedures in the POA&M process to include mechanisms for prioritizing completion and incorporating this as part of documenting a justification and approval for delayed POA&Ms.

Agency Response Dated January 19, 2024: The NRC assesses the criticality of POA&Ms according to CSO-PROS-2030, NRC Risk Management Framework (RMF) Process, dated June 14, 2023, specifically step 5.

The NRC employs RCATS to manage the status and assignment of POA&Ms. To prioritize, RCATS uses the criticality of each POA&M, along with other factors such as age and association with high-value assets. The agency continuously tracks and prioritizes all POA&Ms and does not explicitly delay the mitigation of any POA&Ms. POA&Ms that are not mitigated by their scheduled completion date continue to be tracked, prioritized, and mitigated when appropriate. To date, all FISMA systems have been migrated to RCATS for POA&M management.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed and confirmed that the NRC assesses the criticality of POA&Ms according to CSO-PROS-2030, NRC Risk Management Framework (RMF) Process. The OIG also confirmed that the agency has employed RCATS to manage the status and assignment of POA&Ms. The OIG noted that CSO-PROS-1701, Plan of Action and Milestones Prioritization Process, effective date June 16, 2023, provides the details regarding the process for prioritizing security weaknesses for program level and system level POA&Ms. Based on the evidence provided, the OIG closed this recommendation.

Status: Closed.

Recommendation 6: Document and implement policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.

Agency Response Dated January 19, 2024: The NRC has developed two draft computer security processes in CSO-PROS-0008, Process to Assess, Respond, and Monitor ICT Supply Chain Risks, and CSO-PROS-0007, Process to Use SCR Investigation Service to Determine Information and Communications Technology (ICT) Supply Chain Risk Associated with an Offeror, both dated August 8, 2022, that are currently being used to determine the supply chain risk associated with an ICT product or service and to perform appropriate responsive actions and monitor the risk over time. The NRC will finalize the processes once a sufficient number of assessments have been performed to determine the effectiveness of the evaluations.

Target Completion Date: Fiscal year (FY) 2024, third quarter (Q3)

OIG Analysis: The OIG will close this recommendation after confirming that NRC has documented and implemented policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.

Status: Open: Resolved.

Recommendation 7: Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Agency Response Dated January 19, 2024: The tools and technologies required for automated scanning and detection of counterfeit information technology (IT) assets in the NRC's environment are not yet available.

However, in April 2021, the NRC developed CSO-PROS-0006, Counterfeit and Compromised ICT Product Detection Process, to ensure that counterfeit products are detected before they are added to the NRC's environment. In addition, Section 6, After Acceptance, of CSO-PROS-0006 outlines the requirement for automated scanning and detection and will be updated when the associated tools and technologies are available industrywide. In the rare instances when physical IT components are awaiting repair, those components are maintained and managed in NRC-controlled physical space. The appropriate NRC staff members generally vet any third-party service personnel and replacement parts. The NRC will update CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts to detect counterfeit parts and other components and prevent them from being added to its environment.

Target Completion Date: FY 2025, first quarter (Q1)

OIG Analysis: The OIG will close this recommendation after confirming that NRC has implemented processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Status: Open: Resolved.

Recommendation 8: Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Agency Response Dated January 19, 2024: Pursuant to the Supply Chain Security Training Act of 2021 (Public Law 117-145), the General Services Administration is required to develop training for Federal officials with leverage this training, which will be implemented by the Office of Management and Budget, when it becomes available.

Target Completion Date: FY 2024, Q3

OIG Analysis: The OIG will close this recommendation after confirming that NRC has developed and implemented role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Status: Open: Resolved.

Recommendation 11: Update user system access control procedures to include the requirement for individuals to complete a non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information.

Agency Response Dated January 19, 2024: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency's systems and information. The clearance waiver process is wholly contained within the NRC's onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance.

Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC's Form 176A, Security Acknowledgment. Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the target date has been adjusted.

Target Completion Date: FY 2024, Q3

OIG Analysis: The OIG will close this recommendation after confirming that NRC has updated user system access control procedures to include the requirement for individuals to complete a non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information.

Status: Open: Resolved.

Recommendation 12: Conduct an independent review or assessment of the NRC privacy program and use the results of these reviews to periodically update the privacy program.

Agency Response Dated January 19, 2024: The NRC has conducted an in-depth, independent assessment of the agency's privacy program. Using the results of the assessment, the NRC will use these reviews to periodically update the privacy program.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG has reviewed and confirmed that the NRC has conducted an in-depth, independent assessment of the agency's privacy program. Using the results of the assessment, the NRC used these reviews to periodically update the privacy program. Hence, this recommendation is closed.

Status: Closed.

Recommendation 13: Implement the technical capability to restrict access or not allow access to the NRC's systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implement the technical capability to capture NRC employees' and contractors' initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.

Agency Response Dated January 19, 2024: The creation of a separate, secure system to perform this security awareness and role-based training activity is not deemed cost effective since it would require the duplication of existing hardware, software, and support services. It would also redirect staff from other network operations and maintenance tasks, which could cause security and operational issues to the main network and reduce the NRC's ability to provide mission-focused services. The NRC estimates that this would increase costs across the Information Technology/Information Management Business Line, including hardware, software, operational maintenance, and NRC staff and contractual support resources, by nearly $1 million annually. This estimated cost does not include any changes that would be required by the Office of the Chief Human Capital Officer for its training system or resources. Rather than implement this specific recommendation, the NRC plans to add to its onboarding process streamlined security training that contains the Rules of Behavior but does not contain sensitive information. The onboarding process occurs before employees and contractors gain access to the NRC network. The agency will also strengthen its post-onboarding process to ensure that new employees and contractors complete all required security awareness and role-based training, including acknowledging the Rules of Behavior, within the required timeframe. These changes, along with the personnel security processing that occurs before onboarding, make this a low risk to NRC systems. The NRC will provide more information upon request.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the sample of analysis that showed the creation of a separate, secure system to perform this security awareness and role-based training activity is not deemed cost effective since it would require the duplication of existing hardware, software, and support services. The agency also mentioned that it would redirect staff from other network operations and maintenance tasks, which could cause security and operational issues to the main network and reduce the NRC's ability to provide mission-focused services. The NRC estimated that this would increase costs across the Information Technology/Information Management Business Line, including hardware, software, operational maintenance, and NRC staff and contractual support resources, by nearly $1 million annually. The NRC stated that it is in the process of completing an enterprise-wide change (not a separate network) that will ensure all new users have electronic access to the required training upon onboarding. Based on the evidence and response provided, this recommendation remains open, as the OIG is seeking to receive evidence that demonstrates the NRC has a process in place and provides the OIG assurance to close this recommendation.

Status: Open: Resolved.

Recommendation 14: Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Agency Response Dated January 19, 2024: The NRC Office of the Chief Information Officer (OCIO) staff will consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training. The NRC requests a new target completion date of FY 2024, Q3.

Target Completion Date: FY 2024, Q3

OIG Analysis: The OIG will close this recommendation after confirming that the agency has implemented the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Status: Open: Resolved.

Recommendation 16: Conduct an organizational level BIA to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Agency Response Dated January 19, 2024: The NRC will conduct an organization-level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission essential functions and high-value assets, and update contingency planning policies and procedures accordingly. Because of limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024, Q3.

Target Completion Date: FY 2024, Q3

OIG Analysis: The OIG will close this recommendation after confirming that the agency has conducted an organizational level BIA to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Status: Open: Resolved.

Recommendation 17: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Agency Response Dated January 19, 2024: The NRC will integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Target Completion Date: FY 2024, fourth quarter (Q4)

OIG Analysis: The OIG will close this recommendation after confirming that agency has integrated metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Status: Open: Resolved.

Recommendation 18: Update and implement procedures to coordinate contingency plan testing with ICT supply chain providers.

Agency Response Dated January 19, 2024: The NRC is assessing approaches to implement procedures to coordinate contingency plan testing with ICT supply chain providers.

Target Completion Date: FY 2024, Q4

OIG Analysis: The OIG will close this recommendation after confirming that the agency has updated and implemented procedures to coordinate contingency plan testing with ICT supply chain providers.

Status: Open: Resolved.
