OIG-19-A-13, Status of Recommendations: Audit of NRCs Cyber Security Inspections at Nuclear Power Plants Dated August 20, 2019

{{Adams
| number = ML19232A122
| issue date = 08/20/2019
| title = OIG-19-A-13-Status of Recommendations: Audit of NRCs Cyber Security Inspections at Nuclear Power Plants Dated August 20, 2019
| author name = Baker B
| author affiliation = NRC/OIG/AIGA
| addressee name = Doane M
| addressee affiliation = NRC/EDO
| docket =
| license number =
| contact person =
| case reference number = OIG-19-A-13
| document type = Memoranda, OIG Audit Resolution
| page count = 6
}}
 
=Text=
{{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

August 20, 2019

MEMORANDUM TO:
Margaret M. Doane
Executive Director for Operations

FROM:
Dr. Brett M. Baker /RA/
Assistant Inspector General for Audits
 
==SUBJECT:==
STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS (OIG-19-A-13)
 
==REFERENCE:==
DEPUTY EXECUTIVE DIRECTOR FOR REACTOR AND PREPAREDNESS PROGRAMS, OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS, MEMORANDUM DATED JULY 3, 2019

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated July 3, 2019. Based on this response, recommendation 1 is closed and recommendation 2 remains open and resolved. Please provide an updated status of recommendation 2 by October 28, 2019.
If you have questions or concerns, please call me at (301) 415-5915, or Paul Rades, Team Leader, at (301) 415-6228.
 
==Attachment:==
As stated

cc:
C. Haney, OEDO
D. Jackson, OEDO
J. Jolicoeur, OEDO
S. Miotla, OEDO
RidsEdoMailCenter Resource
OIG Liaison Resource
EDO_ACS Distribution Resource
 
Audit Report
AUDIT OF NRC'S CYBER SECURITY INSPECTIONS AT NUCLEAR POWER PLANTS
OIG-19-A-13
Status of Recommendations

Recommendation 1:
Concurrent with developing any changes to the cyber security inspection program, use the Strategic Workforce Planning initiative to identify critical skill gap and closure strategies for future cyber security inspection staffing, such as:
a) Hiring flexibilities, b) Internal rotations, c) Competency modeling, d) Availability of outside training and continuous training, and e) Appropriate numbers and roles of staff.
Agency Response Dated July 3, 2019:
The staff agrees with the recommendation. The enhanced Strategic Workforce Planning (SWP) program is an agency-wide initiative that enables the NRC to recruit, retain and develop a skilled and diverse workforce having the competencies and agility to address emerging demands and workload fluctuations to accomplish the agency mission. As a part of this program, senior agency leaders and first-line supervisors continuously assess the changing industry and regulatory landscape, the forecasted workload over a rolling 5-year period, and resource capacity (demand/supply) to identify where reshaping of the workforce may be necessary, and to address resource and skill gaps or coverages in the workforce.
During fiscal year (FY) 2018, an SWP pilot was implemented and jointly led by the Office of the Executive Director for Operations (OEDO) and the Office of the Chief Human Capital Officer (OCHCO). The pilot was an outcome of a tasking memorandum from the Executive Director for Operations, "Enhancing Strategic Workforce Planning," dated January 19, 2017. The pilot offices included the Office of Regulatory Research (RES), the Office of the Chief Financial Officer (OCFO), and Region II. Following the success of the pilot, Phase II of the SWP program was implemented in August 2018, and expanded to include the following offices:
 
* Phase I Pilot Offices (RES, OCFO, and Region II)
* Program Offices (Office of Nuclear Materials Safety and Safeguards, Office of New Reactors, Office of Nuclear Reactor Regulation, and Office of Nuclear Security and Incident Response (NSIR))
* Regions I, III, IV
* Office of the Chief Information Officer

As an outcome of this effort, program offices at NRC headquarters and Regions I-IV are developing strategies to sustain a robust cyber security inspection workforce informed by the insights drawn from the SWP process and any other fact of life changes. Implementation of the strategies will be monitored by the respective program offices and Regions, and by OCHCO and OEDO. The SWP process will be implemented on an annual cycle and, in FY 2020, progress towards addressing these strategies in cyber security will be assessed, and adjustments will be considered based on information collected through the SWP process each year.
Additionally, NSIR is utilizing internal and external training activities to further develop the skills of inspectors. The staff will continue the routine tele-training of specific key areas to enhance inspector understanding and expertise. Furthermore, NSIR is working with outside cyber security training specialists to provide in-house training for NRC cyber security specialists and inspectors. This will support the SWP initiatives to further develop our cyber security skills.
Therefore, the staff considers Recommendation 1 to be complete.
Target date for completion: Completed June 28, 2019

Point of Contact: Anthony Bowers, NSIR/DPCP/CSB 301-415-1955
 
OIG Analysis:
Upon review of the agency's response, OIG determined that more information was needed to verify the completion of this recommendation. At a meeting on July 25, 2019, OIG and agency representatives discussed the actions described in the staff response. OIG has reviewed additional documentation provided by staff as a result of the meeting and verified that staff have implemented this recommendation. This recommendation is closed.
Status:
Closed.
 
Recommendation 2:
Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g. testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.
Agency Response Dated July 3, 2019:
The staff agrees with the recommendation. The staff has completed an assessment of the Power Reactor Cyber Security Program, which collected feedback and lessons learned from stakeholders regarding the cyber security rule, associated guidance, licensee implementation, and NRC inspections. The staff is finalizing the assessment report to be complete in July 2019 and developing an action plan (due September 2019) to evaluate and implement appropriate program enhancements (e.g., new or revised program implementation guidance for licensees and adjustments to the oversight program). The assessment action plan will consider feedback from the assessment itself, ongoing cyber security plan full-implementation inspections, and proposed enhancements to the cyber security program presented to NRC by industry in a closed public meeting on May 29, 2019.
The industry-proposed enhancements included an initiative to improve the cyber security inspection program using various methods, including input from licensee ongoing performance monitoring processes and the establishment of performance indicators.
Target date for completion:
* Issuance of the NRC Assessment Report: Fourth Quarter of FY 2019
* Issuance of the NRC Action Plan: Fourth Quarter of FY 2019

Point of Contact: Anthony Bowers, NSIR/DPCP/CSB 301-415-1955
 
OIG Analysis:
The actions proposed by the agency meet the intent of the recommendation. OIG will close this recommendation after verifying that NRC, through the assessment report and action plan, has developed and implemented suitable cyber security performance measure(s).
Status:
Open: Resolved.}}

Latest revision as of 02:38, 16 March 2025