OIG-21-A-05, OEDO-21-00515 - Enclosure - Status of Recommendations: Independent Evaluation of the NRCs Implementation of the Fisma of 2014 for the Fiscal Year 2020 (OIG-21-A-05): Difference between revisions

{{Adams
| number = ML22082A105
| issue date = 04/07/2022
| title = OEDO-21-00515 - Enclosure - Status of Recommendations: Independent Evaluation of the NRCs Implementation of the Fisma of 2014 for the Fiscal Year 2020 (OIG-21-A-05)
| author name =
| author affiliation = NRC/OCIO
| addressee name =
| addressee affiliation =
| docket =
| license number =
| contact person = Mangefrida M
| case reference number = OEDO-21-00515, OIG-21-A-05
| package number = ML22082A092
| document type = System Documentation
| page count = 11
}}
 
=Text=
{{#Wiki_filter:OFFICIAL USE ONLY - SENSITIVE INTERNAL INFORMATION
 
STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020
 
OIG-21-A-05
 
Status of Recommendations
 
Recommendation 1: Fully define the NRC's ISA across the enterprise, business process, and system levels.
 
Agency Response dated November 12, 2021: The U.S. Nuclear Regulatory Commission's (NRC's) information security architecture (ISA) document was completed and signed by the Deputy Chief Information Officer on July 2, 2021.
 
Target Completion Date: Completed
 
Point of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524
 
Status: Closed.
 
Recommendation 2a: Assess enterprise, business process, and information system level risks.

Agency Response dated April 6, 2022: Conversion of the NRC from a three-tier risk model to a five-tier risk model is underway and being piloted on the Information Technology Infrastructure. This will further align the NRC's practices with those of the National Institute of Standards and Technology (NIST) and with other Federal mandates such as the Federal Information Technology Acquisition Reform Act. The NRC has a planned completion date of the fourth quarter (Q4) of fiscal year (FY) 2022 for this action.
 
Target Completion Date: Q4 FY 2022
 
Point of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524
 
Status: Open: Resolved.
 
 
Recommendation 2b: Update the list of high value assets, if necessary, based on reviewing the ISA to identify risks from the supporting business functions and mission impacts.
 
Agency Response dated November 12, 2021: The fully defined ISA (which is a living document) references the NRC mission essential functions and primary mission essential functions as identified in the NRC's Continuity of Operations (COOP) Plan. Leveraging guidance from the Federal Chief Information Security Officer (CISO) Council and reviewing the agency's COOP Plan, the CISO and staff in the Office of the Chief Information Officer (OCIO), Government and Enterprise Management Services Division (GEMS), Cybersecurity Branch (CSB), analyzed the agency's systems and determined that it has five high-value assets (HVAs). This analysis is included in the attached Binding Operational Directive (BOD) 18-02 2020 HVA assessment for reference.
 
Target Completion Date: Completed
 
Point of Contact: Kathryn Harris, OCIO/GEMSD/CSB 301-287-0515
 
Status: Closed.
 
Recommendation 2c: If necessary, update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
 
Agency Response dated April 6, 2022: This action was dependent on completion of the ISA. With the ISA complete, the NRC has revised the completion date to the third quarter (Q3) of FY 2022.
 
Target Completion Date: Q3 FY 2022
 
Point of Contact: Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
 
Status: Open: Resolved.
 
 
Recommendation 2d: Conduct an organization-wide security and privacy risk assessment and implement a process to capture lessons learned and update risk management policies, procedures, and strategies.
 
Agency Response dated April 6, 2022: The NRC plans to conduct an assessment of the agency's ISA over a 3-year period. The Phase 1 assessment, focused on the Identify Function, is expected to be completed in Q3 FY22; this assessment is currently on schedule. The Phase 2 assessment, focused on the Protect and Detect Functions, is planned and expected to be completed in Q3 FY22. The Phase 3 assessment, focused on the Respond and Recover Functions, is planned and expected to be completed in Q4 FY22.
 
Target Completion Date: Q3 FY 2022
 
Points of Contact: Bill Dabbs, OCIO/GEMSD/CSB 301-415-0524

Sally Hardy, OCIO/GEMSD/CSB 301-415-5607
 
Status: Open: Resolved.
 
Recommendation 2e: Consistently assess the criticality of POA&Ms to support why a POA&M is or is not of a high or moderate impact to the Confidentiality, Integrity and Availability (CIA) of the information system, data, and mission.
 
Agency Response dated April 6, 2022: OCIO will assess the criticality of system plans of action and milestones (POA&Ms) and the risk to the associated systems, data, and mission functions.
 
Target Completion Date: Q4 FY 2022
 
Point of Contact: Bill Bauer, OCIO/GEMSD/CSB 301-415-5842
 
Status: Open: Resolved.
 
 
Recommendation 2f: Assess the NRC supply chain risk and fully define performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.
 
Agency Response dated April 6, 2022: The NRC has defined an acquisition process, CSO-PROS-0005, Information and Communications Technology Acquisition Process, dated March 18, 2021, available on the internal Cybersecurity Organization (CSO) SharePoint site, to identify contract requirements for the supply chain. Additionally, the NRC is developing a supplemental Supply Chain Risk Assessment process that will provide a basis for measuring and monitoring metrics to assess risks associated with contractor systems and services. The agency plans to complete this action by the third quarter (Q3) of FY 2022.
 
Target Completion Date: Q3 FY 2022
 
Points of Contact: Kathy Lyons-Burke, OCIO/FO 301-415-6595

Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
 
Status: Open: Resolved.
 
 
Recommendation 3: Continue to monitor the remediation of critical and high vulnerabilities and identify a means to assign and track progress of timely remediation of vulnerabilities.
 
Agency Response dated November 12, 2021: The NRC is using the agency's approved POA&M process as the means to assign and track the progress of vulnerability remediation activities. The NRC POA&M process is described in CSO-PROS-2016, ADAMS Accession No. ML13326A241.
 
In addition, the NRC produces a daily situational awareness report that is used to identify, remediate, and monitor vulnerabilities in the NRC networking environment. A sample security report document, Situational Awareness Daily Report 10-26-21.pdf, is available at ADAMS Accession No. ML20182A779.
 
Target Completion Date: Complete
 
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660

David Offutt, OCIO/SDOD/NSOB 301-287-0636
 
Status: Closed.
 
 
Recommendation 4: Centralize system privileged and non-privileged user access review, audit log activity monitoring, and management of Personal Identity Verification (PIV) or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential access to all the NRC systems (findings noted in bullets 1, 3, and 4 above) by continuing efforts to implement these capabilities using the Splunk QAudit, Sailpoint, and Cyberark automated tools.
 
Agency Response dated April 6, 2022: The NRC will identify a means to centralize the review of privileged and nonprivileged user access, audit log activity monitoring, and manage PIV or IAL 3/AAL 3 credential access to all NRC systems by continuing efforts to implement these capabilities using the Splunk Q-Audit, SailPoint, and CyberArk automated tools. The agency plans to complete this action by Q3 FY 2022.
 
Target Completion Date: Q3 FY 2022
 
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660

David Offutt, OCIO/SDOD/NSOB 301-287-0636
 
Status: Open: Resolved.
 
 
Recommendation 5: Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's on-boarding procedures prior to these individuals being granted access to the NRC's systems and information.
 
Agency Response dated April 6, 2022: The NRC is evaluating ownership of this function and the need for an associated process update. Once ownership is established, the agency will review the corresponding process to incorporate any additional requirements for granting system access.
 
Target Completion Date: Q4 FY 2022
 
Point of Contact: Garo Nalabandian, OCIO/GEMSD/CSB 301-415-8421
 
Status: Open: Resolved.
 
Recommendation 6: Continue efforts to identify individuals having additional responsibilities for PII or activities involving PII and develop role-based privacy training for them to be completed annually.
 
Agency Response dated April 6, 2022: The NRC will continue to identify individuals with responsibilities or activities involving personally identifiable information (PII) and develop or identify the appropriate training based on Federal Government standards.
 
Target Completion Date: Q3 FY 2022
 
Point of Contact: Sally Hardy, OCIO/GEMSD/CSB 301-415-5607
 
Status: Open: Resolved.
 
 
Recommendation 7: Implement the technical capability to restrict access or not allow access to the NRC's systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable.
 
Agency Response dated April 6, 2022: The NRC will perform a cost-benefit analysis of the cost of implementing a technical capability versus the risk of maintaining the current process.
 
Target Completion Date: Q3 FY 2022
 
Point of Contact: Michael Mangefrida, OCIO/GEMSD/CSB 301-298-8913
 
Status: Open: Resolved.
 
Recommendation 8: Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.
 
Agency Response dated April 6, 2022: OCIO will work with the Office of the Chief Human Capital Officer, the National Treasury Employees Union, and other stakeholders to determine whether this would be feasible for the workforce.
 
Target Completion Date: Q3 FY 2022
 
Point of Contact: Michael Mangefrida, OCIO/GEMSD/CSB 301-298-8913
 
Status: Open: Resolved.
 
 
Recommendation 9: Implement metrics to measure and reduce the time it takes to investigate an event and declare it as a reportable or non-reportable incident to US-CERT.
 
Agency Response dated April 6, 2022: The NRC will implement metrics to measure the effectiveness of the process for investigating an event and determining whether it is an incident reportable to the U.S. Computer Emergency Readiness Team (US-CERT).
 
Target Completion Date: Q3 FY 2022
 
Points of Contact: Michael Williams, OCIO/SDOD/NSOB 301-287-0660

David Offutt, OCIO/SDOD/NSOB 301-287-0636
 
Status: Open: Resolved.
 
Recommendation 10: Conduct an organizational level BIA [business impact assessment] to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.
 
Agency Response dated April 6, 2022: OCIO will evaluate contingency planning requirements and associated priorities to determine the impact and related updates to policies and procedures.
 
Target Completion Date: Q3 FY 2023
 
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
 
Status: Open: Resolved.
 
 
Recommendation 11: For low availability categorized systems complete an initial BIA and update the BIA whenever a major change occurs to the system or mission that it supports. Address any necessary updates to the system contingency plan based on the completion of or updates to the system level BIA.
 
Agency Response dated April 6, 2022: OCIO will evaluate contingency planning requirements and associated priorities to determine the impact and related updates to policies and procedures.
 
Target Completion Date: Q3 FY 2023
 
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
 
Status: Open: Resolved.
 
Recommendation 12: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.
 
Agency Response dated April 6, 2022: OCIO will evaluate existing metrics for assessing the effectiveness of system contingency plans against related plans. Once assessed, the staff will review and update the corresponding plans accordingly.
 
Target Completion Date: Q4 FY 2023
 
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
 
Status: Open: Resolved.
 
 
Recommendation 13: Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans.
 
Agency Response dated April 6, 2022: The NRC will perform a cost-benefit analysis of the cost of implementing a technical capability versus the risk of maintaining or supplementing the current process.
 
Target Completion Date: Q4 FY 2023
 
Point of Contact: Debra Reyes, OCIO/SDOD/DCTSB 301-287-0681
 
Status: Open: Resolved.
 
}}

Latest revision as of 13:33, 24 November 2024