ML20151P332

Forwards response to recommendations by GAO in "Information Systems: Agencies Overlook Security Controls During Development" to chairpersons of various committees & subcommittees
ML20151P332
Person / Time
Issue date: 07/27/1988
From: Zech L
NRC COMMISSION (OCM)
To: Bowsher C, Breaux J, Brooks J, Glenn J, John Miller, Sharp P, Udall M
GENERAL ACCOUNTING OFFICE, HOUSE OF REP., ENERGY & COMMERCE, HOUSE OF REP., GOVERNMENT OPERATIONS, HOUSE OF REP., INTERIOR & INSULAR AFFAIRS, OFFICE OF MANAGEMENT & BUDGET, SENATE, ENVIRONMENT & PUBLIC WORKS, SENATE, GOVERNMENTAL AFFAIRS
References
CCS, NUDOCS 8808090320


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

July 27, 1988

CHAIRMAN

The Honorable John Glenn, Chairman
Committee on Governmental Affairs
United States Senate
Washington, D.C. 20510

Dear Mr. Chairman:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

cc: Sen. William V. Roth, Jr.

8808090320 880727 PDR COMMS NRCC CORRESPONDENCE PDC

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

July 27, 1988

CHAIRMAN

The Honorable Jack Brooks, Chairman
Committee on Governmental Operations
United States House of Representatives
Washington, D.C. 20515

Dear Mr. Chairman:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

cc: Rep. Frank Horton

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

CHAIRMAN

The Honorable John B. Breaux, Chairman
Subcommittee on Nuclear Regulation
Committee on Environment and Public Works
United States Senate
Washington, D.C. 20510

Dear Mr. Chairman:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

cc: Sen. Alan K. Simpson

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

CHAIRMAN

The Honorable Morris K. Udall, Chairman
Subcommittee on Energy and the Environment
Committee on Interior and Insular Affairs
United States House of Representatives
Washington, D.C. 20515

Dear Mr. Chairman:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

cc: Rep. Manuel Lujan, Jr.

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

July 27, 1988

CHAIRMAN

The Honorable Philip R. Sharp, Chairman
Subcommittee on Energy and Power
Committee on Energy and Commerce
United States House of Representatives
Washington, D.C. 20515

Dear Mr. Chairman:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

cc: Rep. Carlos J. Moorhead

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

CHAIRMAN

The Honorable Charles A. Bowsher
Comptroller General of the United States
General Accounting Office
Washington, D.C. 20548

Dear Mr. Bowsher:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555

July 27, 1988

CHAIRMAN

The Honorable James C. Miller III
Director
Office of Management and Budget
Washington, D.C. 20503

Dear Mr. Miller:

In accordance with the statutory obligation to respond to recommendations by the General Accounting Office (GAO) within 60 days of publication, we hereby submit our responses to the recommendations made by the GAO in their report entitled, "Information Systems: Agencies Overlook Security Controls During Development."

Specific comments on the GAO recommendations are presented in the enclosure.

Sincerely,

Lando W. Zech Jr.

Enclosure:

Responses to GAO Recommendations

Enclosure 1

Response to Recommendations

Chapter 4

The GAO stated that many automated information systems currently in operation at civilian agencies are subject to a range of potential security problems because they do not incorporate appropriate security controls.

1. GAO Recommendation: "That the heads of agencies evaluate their current agency policies and procedures governing the development of sensitive information systems to determine if revisions or extensions are necessary to assure that systems are developed with appropriate security controls."

NRC Response: On March 23, 1987, the NRC approved and adopted NRC Manual Chapter 2301, "Systems Security." This Chapter and its Appendix Parts set forth the responsibilities, authorities, requirements, standards, policies, and procedures of the NRC Systems Security Program. The management directive has as one of its prime objectives:

The safeguarding of sensitive unclassified information (e.g., personal, proprietary, unclassified Safeguards Information, and other sensitive information) processed, stored, or produced on stand-alone, personal computer, or shared logic word processing systems; processed, stored or produced on automated information systems; or communicated over telecommunications systems.

The Commission believes that this NRC management directive contains adequate policies and procedures governing the development of sensitive information systems with appropriate security controls.

2. GAO Recommendation: "That heads of agencies review sensitive information systems that are currently under development to evaluate to what extent a sound security foundation has been laid for their implementation. Consideration of these evaluations should be included in the formulation of agency information security plans required by the Computer Security Act of 1987."

NRC Response: The NRC is presently identifying information systems that are either in the design stage or under development to determine if they will involve sensitive information. Consistent with the provisions of the Computer Security Act of 1987, these reviews will be completed by July 31, 1988. The Commission agrees that a greater emphasis needs to be placed upon the inclusion of cost-effective security controls into systems under design and development, and will address and evaluate security issues in the early stages of any system design and development.

Consideration will be given to these evaluations in the NRC formulation of information security plans required by the Computer Security Act of 1987.