Text

ppREGo f O fp , afg UNITEDSTATES sA a s NUCLEAR REGULATORY COMMISSION

• o(j@l / WASHINGTON;D.C. 20555-0001 4** W CHAIRMAN October 26,2020 TheHonorableChad F.Wolf Secretary ofHomeland Security Washington, DC 20528

Dear Mr. Wolf:

Onbehalf oftheU.S. Nuclear Regulatory Commission (NRC), Iam pleased toreport thattheFederal Information Security Modernization Act(FISMA) andPrivacy Management Program documents forfiscalyear (FY) 2020 have been submittedthrough CyberScope in accordance with theNovember 19,2019, Office ofManagement andBudget (OMB)

Memorandum M-20-04, "Fiscal Year 2019-2020 Guidance onFederal Information Security and Privacy Management Requirements." The NRC's submittal includedthe following eight documents:

(1) Chief InformationOfficer/2020 Quarter 4 Annual FISMA Report (2) Senior Agency Officialfor P rivacy/2020 Annual FISMA Report (3) Agency Privacy Program Changes (4) Agency Privacy Program Plan (5) Agency Breach Response Plan (6) Agency PrivacyContinuous Monitoring Strategy (7) Agency PrivacyProgramUniform Resource Locator (8) Social SecurityNumber C ollection Policy and/or Procedures TheNRC's OfficeoftheInspector General will separatelysubmit theInspector General Section Report/2020 Annual FISMA Report through CyberScope.

TheNRCcontinues itsefforts towards fullcompliance withFISMAtargets and with the agency's Privacy Management Program. Todate, theNRChasreduced itsnumber of reportable systems to17.During FY2020, theagency completed security assessments and approved change authorizationsfor eachsystem.

TheNRChadnomajor security incidents during FY2020. TheNRChada total of 10confirmed incidents.TheNRC's Computer Security IncidentResponse Teamreported six incidents totheU.S. Department ofHomeland Security (DHS) United States Computer Emergency Readiness Team(US-CERT): five improper usage eventsandoneattempted access event. US-CERT reported four incidents totheNRC.TheNRCinvestigated, mitigated, andremediated all10incidents.

Asinprior years,theNRCparticipated inthehigh-value assetrisk andvulnerability assessments led byDHSandhascompleted mitigation andremediation activities. In accordance with currentDHSguidance, theNRCreassessed itshigh-value assets andreduced thenumber from ninetofive. TheNRCwill continue tocollaboratewith DHSinfuture efforts to assess theNRC's protectionofhigh-value assets.

2 -

TheNRCcontinues tomakeprogress toward meeting cross-agency thecybersecurity priority (CAP) goals, as demonstrated by the a gency's 100-percent oftheFY2020 achievement metric targets. The"CAPGoal Evaluations" table inAppendix A tothe NRC's Information Chief Officer/2020 Quarter 4 Annual FISMAReport details theagency's progress.

current Inthe upcoming fiscal year, theNRCwill continue tomakeprogress inupdating the ongoing authorization program, deploying encryption atrest, additional implementing personal identity verification, reducing therisk ofunauthorized software, andaddressing findings.

audit inaccordance with theinstructions issued byOMBandDHS,theagency will continue to update your staff onitsprogress onthese initiatives.

Ifyouhaveanyquestions about theFY2020NRCFISMAandPrivacy Management Program documents, please contact me orhave your staff contact J.Nelson, Mr.David Chief Information Officer, at(301) 415-8700.

Sincerely, KristineL. Svinicki

identical letter sentto:

The Honorable RussellT.Vought Director, Office ofManagement andBudget 725 17th Street, NW Washington, DC 20503 TheHonorableChad F.Wolf Secretary ofHomeland Security Washington, DC 20528