ML19105A017

FY19 AW-IT-01 Methodology April 2019
Issue date: 04/30/2019
From: Alan Sage, Governance & Enterprise Management Services Division
To: Alan Sage, (301) 415-7060


Text

and progress of mitigating it (avoids minor increases in risk causing large % changes within Offices with scores close to zero)


  • Note that ConMon and CNC are only applicable to offices with authorized NRC IT systems (e.g. ADM, ASLBP, CFO, NMSS, NRO, NSIR, OCHCO, OCIO, RES, RIII, and RIV).*

* ConMon measures the % completion of 10 required OMB/FISMA activities, including: Contingency Plan (CP) Test, Periodic Security Control Assessment (PSCA), Vulnerability Assessment Report (VAR), System Security Plan (SSP), Information System Security Officer (ISSO), Authority to Operate (ATO), and Designated Approving Official (DAA) conditions. Note: In FY18Q4, Contingency Plan (CP) and Business Impact Assessment (BIA) were added in response to IG findings. Security Impact Assessments (SIA) were added in FY19Q1.

Where:

Target %'s are: Q1 & Q2 = 0%; Q3 = 30%; Q4 = 96%. The actual % is taken from the OCHCO website.

Actual % = # roles trained / # roles requiring training (source: OCIO tracking spreadsheet).

Activities include: CP Test, PSCA, VAR, SSP, ISSO, ATO, BIA, CP, and DAA Conditions (and SIA in FY19).

For CNC scoring methodology, please contact OCIO/GEMS/CSO for the latest guidance.

Due to large numbers, CSA and FITARA CNC are weighted 0.5 and 0.05, respectively. Note: as of 19Q2, CNC is no longer weighted due to greatly reduced numbers resulting from the new FITARA methodology.

Acronyms are defined on previous pages.

Status: Green -- Q3 target of -6% (or better) reached. Please see note on previous page regarding updated weighting of FITARA configuration risk.