ML22053A056

From kanterella
Revision as of 21:59, 15 March 2022 by StriderTol (talk | contribs) (StriderTol Bot insert)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Enclosure 5 - Agency Privacy Continuous Monitoring Strategy
ML22053A056
Person / Time
Issue date: 02/28/2022
From:
Governance & Enterprise Management Services Division
To:
Crouch N
Shared Package
ML22049A083 List:
References
SRM-LTR-17-0401-1, M-21-02
Download: ML22053A056 (25)
v  d  e


Text

Nuclear Regulatory Commission Office of the Chief Information Officer Computer Security Process Office Instruction: CSO-PROS-1323 Office Instruction

Title:

Information Security Continuous Monitoring Process Revision Number: 2.7 Effective Date: June 15, 2018 Primary Contacts: Jonathan Feibus Responsible Organization: OCIO

==

Description:==

CSO-PROS-1323, Information Security Continuous Monitoring Process, defines the process that must be followed to perform continuous monitoring on systems owned and used by the NRC.

Office Owner Primary Agency Official OCIO/CSO Jonathan Feibus Chief Information Security Officer (CISO)

CSO-PROS-1323 Page i Table of Contents 1 PURPOSE ............................................................................................................................................. 1 2 GENERAL REQUIREMENTS............................................................................................................... 2 NRC Governance Level: Tier 1 .................................................................................................... 2 Mission/Business Process Level: Tier 2 ...................................................................................... 3 Information System Level: Tier 3 ................................................................................................. 3 3 SPECIFIC REQUIREMENTS................................................................................................................ 4 Initial Authorization/Re-authorization/Periodicc ............................................................................ 4 Ongoing Authorizations ................................................................................................................. 4 System Change Authorization....................................................................................................... 4 Authorization of Standalone IT Resources ................................................................................... 5 Authorization of External IT Services ............................................................................................ 5 4 CONTINUOUS MONITORING REQUIREMENTS FOR NRC INFORMATION SYSTEMS ................. 5 Periodic System Cybersecurity Assessments ............................................................................... 6 Vulnerability and Configuration Compliance Scans ...................................................................... 6 Maintain System Security Documentation .................................................................................... 7 Maintain System POA&Ms ............................................................................................................ 7 Remediate Authorization Conditions ............................................................................................. 7 Test the Systems Contingency Plan ............................................................................................ 7 Security Reviews and Risk Management Status .......................................................................... 8 Cybersecurity training requirements ............................................................................................. 8 Cybersecurity Incidents ................................................................................................................. 9 5 CONTINUOUS MONITORING REQUIREMENTS FOR EXTERNAL IT SERVICES ........................... 9 6 METRICS ............................................................................................................................................ 11 APPENDIX A. ACRONYMS ................................................................................................................... 16 APPENDIX B. GLOSSARY .................................................................................................................... 17 APPENDIX C. MINIMUM REQUIRED FREQUENCIES FOR CONTINUOUS MONITORING ACTIVITIES 19

CSO-PROS-1323 Page 1 Computer Security Process CSO-PROS-1323 Information Security Continuous Monitoring Process 1 PURPOSE CSO-PROS-1323, Information Security Continuous Monitoring Process, defines the information security continuous monitoring (ISCM) strategy and requirements that must be followed to maintain authorizations of Nuclear Regulatory Commission (NRC) information systems (including the Regions and the Technical Training Center [TTC]) storing or processing NRC information up to, and including, the Safeguards Information (SGI) level. The direction in this document applies to all NRC systems operated and maintained by contractors, cloud-based systems, FedRAMP systems, and any other non-NRC federal agency systems partially managed by the NRC. This process also pertains to third party external IT services (EITS) provided by a cloud service provider or another government agency where the NRC has no technical responsibility to maintain the service. Certain external IT services may qualify to be part of the NRCs Third-Party System (TPS). TPS provides the management framework for external IT services that are hosted by other government agencies, or FedRAMP-authorized cloud services where there are no IT components for the NRC to manage. The development and testing of any 800-53 controls with NRC responsibility is required for external IT services.

Continuous monitoring activities must be performed in accordance with the process and frequencies identified in Appendix C: Minimum Required Frequencies for Continuous Monitoring Activities.

The ultimate objective of the continuous monitoring program is to determine if the security controls in the information system continue to be effective over time considering the inevitable changes that occur in the system as well as the environment in which the system operates.

ISCM facilitates ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. Security controls, evolving threats, and response to new vulnerabilities are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect NRC information. An effective risk management program and related continuous monitoring (CM) activities, support the shift from a static snapshot of an NRC systems security posture to a near real-time, dynamic security status.

The information contained in this document is intended to be used by system owners and Information System Security Officers (ISSOs) to ensure effective system level continuous monitoring activities are performed to support the NRC continuous monitoring strategy. This also assists the Computer Security Organization (CSO) in implementing the NRC Cybersecurity Program as defined in Management Directive MD 12.5, NRC Cyber Security Program.

CSO-PROS-1323 Page 2 2 GENERAL REQUIREMENTS An effective ISCM program is essential to support NRC risk management and is a critical component of the NRCs risk management program. In accordance with OMB Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, and NIST 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, the NRC ISCM program addresses how the agency conducts ongoing authorizations of NRC systems and the environments in which those systems operate, including external IT services. Information obtained through ISCM activities provides the NRC with risk information that is critical for risk management decisions regarding system changes, system authorizations, budget priorities, and activity priorities.

Furthermore, the Risk Management Framework (RMF) developed by NIST Special Publication (SP) 800-37, as amended, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach describes continuous monitoring as a disciplined and structured process that integrates information security and risk management activities into the system development life cycle once authorization has been granted. Through the employment of comprehensive continuous monitoring processes, critical information is updated on an ongoing basis, which provides the Authorizing Official (AO), system owners, and ISSOs with an up-to-date status of the security state of NRC systems and environments of operation.

NIST 800-37 describes an agencywide approach to continuous monitoring that supports risk-related decision making at the following tier levels:

  • NRC Governance Level (Tier 1)
  • Mission/Business Processes Level (Tier 2)
  • Information Systems Level (Tier 3)

NRC Governance Level: Tier 1 Tier 1 ISCM risk activities relate to the agencywide governance structure that addresses agencywide risk, including core mission and business functions. ISCM, at the Tier 1 level, defines how NRC assesses, monitors, and mitigates risk on an ongoing basis, including agency oversight, to ensure the strategy is effective.

Types of risk of concern to the agency at Tier 1 would include:

  • Program/acquisition risk (cost, schedule, performance)
  • Compliance and regulatory risk
  • Financial risk
  • Legal risk
  • Operational (mission/business) risk
  • Political risk

CSO-PROS-1323 Page 3

  • Project risk
  • Reputational risk
  • Safety risk As part of the overall governance structure established by the agency, the risk management strategy is disseminated to personnel with programmatic, planning, developmental, acquisition, operational, and oversight responsibilities.

Mission/Business Process Level: Tier 2 Tier 2 addresses risk from a mission and business process perspective as guided by decisions made at the Tier 1 level. Officials with responsibility for those mission or business processes must oversee the associated risk management activities for those processes. Tier 2 includes the NRC Cybersecurity Program as defined in MD 12.5, NRC Cybersecurity Program. The Chief Information Security Officer (CISO) has overall responsibility for the NRC Cybersecurity Program and ensures that risk acceptance decisions are consistent across the agency. The CISO and Business Line Leads work together to determine the level of risk tolerance with respect to their business areas and the Cybersecurity Program respectively.

Information System Level: Tier 3 Tier 3 addresses risk from an information system perspective and is guided by the risk decisions at Tier 1 and Tier 2. Risk decisions at Tiers 1 and 2 impact the selection and deployment of security controls and safeguards at the system level. System owners must ensure that security controls are in place, operating as intended, and having the desired effect. Tier 3 officials include system owners, information owners, and common/hybrid control providers.

The system owner is responsible for the security of an NRC IT system and is accountable for the security risk associated with operating the system. A system owner is an office director, regional administrator, or an Office of the Chief Information Officer (OCIO) division director that has overall responsibility for the security of NRC systems owned by the organization or operated on behalf of the organization by another agency or a contractor. The system owner must develop and maintain a continuous monitoring of system controls, in compliance with agency requirements, to maintain an understanding of the effectiveness and status of the cybersecurity control. To maximize communication and facilitate security planning, system owners must appoint a primary and alternate system ISSO as their security representatives for the system via memorandum using CSO-TEMP-0001, System ISSO Appointment Email Template, version 2.0.

Continuous monitoring tasks cannot be achieved through manual processes or automated processes alone. While many CM tasks require human interaction, automated solutions are preferable in order to reduce the cost and effort, resulting in more frequent data (real-time) and the ability to adjust security controls based upon new threats and vulnerabilities. Tools used to support cybersecurity risk assessment must be constantly evaluated to ensure the tools are assessing the risk based upon NRC requirements.

CSO-PROS-1323 Page 4 3 SPECIFIC REQUIREMENTS Appendix C defines the timeframes for continuous monitoring requirements for NRC systems, EITSs, and third party EITSs.

Initial Authorization/Re-authorization/Periodicc System owners must obtain an authorization before placing a system into the operational environment or using that system in any way for NRC purposes. All NRC IT resources must belong to an NRC IT system, and must therefore be part of a system authorization before being placed into operation. This includes all new systems and modifications to existing systems. To maintain a system authorization, the system owner must conduct continuous monitoring activities and ensure that the system adheres to any specified authorization conditions.

At any point in time, the AO can require that a system/subsystem undergo a re-authorization or an ad hoc (periodic) assessment effort. This requirement is typically based upon the risk associated with a system either due to a changing threat environment, a system compromise, or a lack of sufficient continuous monitoring.

Ongoing Authorizations An ongoing authorization is an authority to operate granted for an indefinite period of time. An ongoing authorization is granted at the completion of a full authorization effort.

Continuous monitoring is even more critical for systems in an ongoing authorization state since there isnt a fixed period of time when all controls will be fully assessed again. This state depends upon an ongoing assessment of the security controls to determine if they are in place, operating as intended, and having the desired effect. Continuous monitoring supports the current reality of constantly changing environments, threats, and technologies, and ensures that new threat or vulnerability information is evaluated as it becomes available. This evaluation then drives adjustments to security requirements or individual controls as needed to maintain authorization decisions.

System Change Authorization Except for minor changes, system changes must have a change authorization prior to deploying to the production (NRC-managed network) environment following the Configuration Control Board (CCB) approval process and using the agencys automated change control tool. OCIO-CCB-0001, System Change Significance Determination and Notification Process, defines the process by which the CCB determines the change significance, both business and cybersecurity, to authorized NRC systems and its operating environment. The CCB has been delegated the authority to determine the risk significance of proposed changes (both pre-production and production) and has been authorized by the AO to approve change requests determined to be of minor or moderate significance as long as the change meets the requirements outlined in OCIO-CCB-001.

Change significance depends on the severity of the change and the associated level of potential adverse security and/or business impact to a system. The greater the change significance, the more likely that a system or subsystem reauthorization effort may be required. Any changes outside the authority of the CCB will be processed by the CSO Point of Contact (POC) for the

CSO-PROS-1323 Page 5 affected Federal Information Security Management Act (FISMA) system through the AO.

Additional information can be found in OCIO-CCB-0002, Change Approval Process.

For NRC systems that are not on the NRC-managed network (contractor sites, Regional office-network components), the ISSO must notify the CSO POC and CISO by email of the proposed system change prior to implementation.

In the case of specialized environments/circumstances that are not on the NRC-managed network, systems changes considered moderate or higher must be supported by a risk assessment performed by an independent assessor. The ISSO may provide supporting input, however, the final determination of risk must be documented by the independent assessor and approved by the CSO POC and CISO prior to implementing the change.

Under certain circumstances, a short-term authorization is granted for a specified amount of time while testing is completed, and documentation is created to prepare for a full authorization.

CSO-PROS-1341, Short-Term Authorization Process, defines this process in totality.

Authorization of Standalone IT Resources All NRC standalone IT resources must belong to an authorized system. Standalone IT resources can be integrated into an authorized system as part of a system change effort or during a periodic system cybersecurity assessment (PSCA). Once approved, the standalone IT resource will be incorporated into the systems continuous monitoring process.

Authorization of External IT Services NRC system owners and office POCs must obtain authorization from the AO in order to use an IT service where the delivery of services is provided by an external organization or service provider. System owners must ensure that the external IT service provider has already obtained a valid, current authorization issued either by another government agency or through the Federal Risk and Authorization Management Program (FedRAMP) for cloud solutions. The NRC will not issue an authorization for an external IT service without a valid authorization.

External IT services include, but are not limited to, cloud computing through a cloud service provider (CSP) and interconnection with an IT system that is owned and operated by another government agency or third-party provider including public facing web applications.

4 CONTINUOUS MONITORING REQUIREMENTS FOR NRC INFORMATION SYSTEMS Once an authorization has been granted, the information system moves to the monitoring phase of the Risk Management Framework.

Continuous monitoring tasks are performed concurrently. For example, system personnel respond to risks that were identified during periodic vulnerability scans, maintain information within the system Plan of Action and Milestones (POA&M), and maintain system documentation on an ongoing basis. Internal and independent assessments of the implementation of security controls are also conducted throughout the cycle. The output of one task typically drives the activities required during other tasks.

CSO-PROS-1323 Page 6 Periodic System Cybersecurity Assessments To satisfy annual FISMA security control assessment requirements, PSCAs are conducted by an independent assessment team at least annually to determine an information systems compliance with defined security requirements in an environment of sophisticated and changing threats. The frequency of a PSCA is based on the systems authorization state and the NRCs determination of:

  • the volatility of each control (the likelihood of the control changing over time after its implementation), and
  • the criticality of the function supported by each security control.

CSO-PROS-2102, System Cybersecurity Assessment Process, defines the process that must be followed to conduct a system cybersecurity assessment of an NRC system. The systems security categorization must be reviewed at least annually to ensure proper identification of all information types and ensure any changes to the authorization boundary have been documented. In addition, the Privacy Threshold Analysis/Privacy Impact Assessment must be reviewed at least annually to ensure proper protection of the agencys personally identifiable information.

Vulnerability and Configuration Compliance Scans Regular vulnerability scanning allows an ISSO to determine whether the security controls implemented to protect their system from known exploits and threats continue to be effective.

Automated scanning tools are available that seek out any weaknesses (based on known security flaws, missing patches/updates), test system components and hosted applications to determine whether the flaws exist, and then generate a report of any detected weakness that will need to be remediated. If a CSO specific standard does not exist, the system must be configured in accordance with Defense Information Systems Agency (DISA) standards, checklists, and guidance. In the absence of both CSO standards and DISA requirements, the Center for Internet Security (CIS) benchmarks must be used. In the absence of CSO standards, DISA requirements, and the Center for Internet Security (CIS) benchmarks, industry and vendor best practices must be used. Formal vulnerability scan reports are required to be submitted to CSO at the NRC required frequency, however, the ISSO is responsible for maintaining the required configuration and should monitor as frequently as necessary to ensure vulnerabilities are identified and mitigated appropriately.

System vulnerability remediation must be prioritized according to the significance of the vulnerability (e.g., how easily the vulnerability could be exploited), the criticality of the assets that could be exploited, and the potential impact of compromise of the information that could be compromised. System owners must patch, scan, check the security of their systems, and remediate findings with the rigor and frequency appropriate for the system sensitivity level.

System patching, vulnerability scans, and remediation must be performed in accordance with CSO-PROS-1401, Periodic System Scanning Process, and in accordance with the continuous monitoring requirements. System ISSOs must conduct remediation within the timeframes established for the RA-5 control in CSO-STD-0020, Organization Defined Values for System Security Controls.

CSO-PROS-1323 Page 7 A history of regular vulnerability scans (and the timely remediation of identified weaknesses) demonstrates that an NRC office is proactive in maintaining the security state of its systems on an ongoing basis.

If weaknesses are identified that the system owner believes should not be remediated due to an adverse impact to system operations, an adverse impact to organization business processes, or because the cost of remediation exceeds the risk posed by a potential security incident, the system owner must obtain AO approval via the deviation process CSO-PROS-1324, NRC Deviation Request Process.

Maintain System Security Documentation System ISSOs must routinely maintain the system security documentation that provides organization officials with the system security information needed to make informed recommendations and risk-based decisions concerning their systems. A history of consistent, ongoing maintenance of system security documentation, including policies and procedures, demonstrates that an organization is proactive. All system security documentation must be maintained in accordance with NRC frequency requirements as defined in Appendix C. All system security documentation must be developed and maintained in accordance with NRC-issued templates (available in the FISMA Repository).

CSO-PROC-2104, System Artifact Examination Procedure provides the examination criteria to be applied to each documentation artifact to ensure completeness.

Maintain System POA&Ms CSO-PROS-2016, Plan of Action and Milestones Process, defines the process that must be followed to identify, track, prioritize and report the status of security weaknesses identified within NRC systems including those operated by or on behalf of the NRC. The purpose of a POA&M is to assist the agency in identifying, assessing, prioritizing, and monitoring the progress of corrective actions for security weaknesses found during testing/monitoring activities.

POA&Ms must be reviewed and maintained quarterly by the system ISSO to ensure that identified milestones are completed by the scheduled completion dates. In addition, POA&Ms must be updated whenever activities take place that either identify new weaknesses or demonstrate that weaknesses have been remediated.

Remediate Authorization Conditions Any concerns that were listed in the authorization email must be noted in the systems POA&M and remediated within the timeframe that was documented in the email.

Test the Systems Contingency Plan Contingency Plan (CP) testing validates recovery capabilities, identifies potential weaknesses in the CP, and improves the overall organizational preparedness to execute the plan. An annual contingency test provides assurance that the plan remains current with system and organizational changes. A CP Test Report must be submitted before the date of the systems last CP Test Report.

CSO-PROS-1323 Page 8 CSO-STD-0020, Organization-Defined Values for System Security and Privacy Controls, provides the required frequency, type of test (table-top, functional exercise, or actual test), and specific test requirements for systems with low, moderate, or high availability system sensitivity levels.

The following list identifies major milestones that must be incorporated into the system CP testing schedule:

  • Review and update the Business Impact Analysis (BIA) as needed
  • Develop a Contingency Test Plan for testing the CP
  • Conduct annual CP training for staff with contingency planning roles and responsibilities
  • Coordinate testing with affected organizations
  • Execute CP testing according to the Contingency Test Plan
  • Develop a Contingency Test Report to document the results of testing
  • Ensure that weaknesses identified through CP testing are incorporated into the systems POA&M, as applicable System ISSOs must document contingency plan test results using CSO-TEMP-2024, Contingency Test Report Template, and update the contingency plan as required based upon the contingency test results.

Security Reviews and Risk Management Status Periodic reviews of NRC IT systems are conducted to provide senior officials with an NRC-wide view of the agencys cybersecurity posture. System Owners and the NRC AO are periodically briefed on various cybersecurity metrics, continuous monitoring progress, and identified risks.

Status reports and metrics are also analyzed to determine if there are any security trends that suggest changes to the monitoring strategy may be necessary.

This information is reflected in the NRC Cybersecurity Risk Dashboard (CRDB), which in turn provides executives and their staff with the status on the security posture of their respective offices, regions, and systems. Cybersecurity risk management activities are not only required by FISMA and OMB, but support the ability of the NRC to identify, manage, and minimize risk to the agency mission. The system owner must ensure that all required continuous monitoring reporting is submitted to CSO by emailing the RidsOCIO.Resource@nrc.gov, CISO, and CSO Office POC.

The status of any upcoming continuous monitoring activities and/or incomplete activities is provided monthly by CSO and reviewed with system ISSOs and office staff at continuous monitoring status meetings.

Cybersecurity training requirements OMB Circular A-130, Management of Federal Information Resources, and FISMA require agencies to ensure all individuals receive security awareness training and specialized training focused on their cybersecurity role and responsibilities. All office directors and regional

CSO-PROS-1323 Page 9 administrators must ensure that all staff and contractors complete the annual computer security awareness course before July 31st. In addition, they must ensure that personnel assigned to cybersecurity roles complete required training as defined within the Training and Awareness SharePoint site.

Cybersecurity Incidents When a system breach occurs, the breach must be reported to the NRC Computer Security Incident Response Team (CSIRT) at 301-415-6666 or via email at CSIRT@nrc.gov. Office directors and regional administrators must ensure appropriate counseling is provided after any staff unauthorized releases of information or other staff generated cybersecurity incidents.

Repeat offenders may be subject to agency stipulated consequences. As part of the FISMA 2014 requirements, NRC must provide the procedures for detecting, reporting, and responding to security incidents, including notification to Congress of any major incident, along with a summary report.

When significant issues are identified, CSO staff reach out to system representatives to ensure they are aware of the issues. If issues become more significant or are not addressed in a reasonable and timely manner, they are raised to higher management levels of system responsibility.

CSO presents a cybersecurity awareness briefing to the AO and senior officials daily to discuss any new critical security vulnerabilities that may have occurred. The goal is to maintain an up-to-date awareness of any threats to NRCs IT infrastructure. Statuses for any systems that are deficient in continuous monitoring activities are also presented for comment.

5 CONTINUOUS MONITORING REQUIREMENTS FOR EXTERNAL IT SERVICES All NRC IT resources and IT external services used by the NRC must be accounted for in an NRC-authorized FISMA system. System owners must ensure the security controls the NRC is responsible for are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements. Continuous monitoring activities for external IT services are proportionate to the number of NRC-specific security controls that are selected as part of the NRC baseline (i.e., the more security controls for which the NRC is responsible, the more continuous monitoring activities the ISSO will have to perform).

Continuous monitoring responsibilities will also increase if the NRC is directly responsible for managing any of the components, either within the external IT service itself (e.g., in an Infrastructure-as-a-Service [IaaS] or Platform-as-a-Service [PaaS] cloud service model) or directly within the NRC environment. NRC is not responsible for continuous monitoring for security controls that are solely provided by the external IT service provider. However, system owners/ISSOs are responsible for ensuring that external IT service providers comply with all continuous monitoring requirements mandated by the sponsoring government agency (i.e., the agency that issued the authorization) or with FedRAMP continuous monitoring and ongoing authorization requirements provided in the FedRAMP Continuous Monitoring Strategy and Guide.

CSO-PROS-1323 Page 10 CSPs have daily, weekly, monthly and annual requirements they must meet to maintain their authorization. The CSP must demonstrate the efficacy of its continuous monitoring program through the evidence it provides. CM deliverables are posted to OMB MAX on a monthly basis to ensure mandatory requirements are met and to ensure that the security risk posture of the system is acceptable. This includes but is not limited to the following:

  • Ensuring POA&Ms are being addressed in accordance with FedRAMP requirements.
  • Reviewing the Risk Exposure Table produced for the annual assessment (paying particular attention to weaknesses related to Trusted Internet Connection [TIC]),

deficiencies related to PIV, and deficiencies related to FIPS.

  • Reviewing deviation requests and significant changes as appropriate The NRC ISSO must review these documents monthly and notify the CSO POC if there are concerns, and if necessary, raise those concerns to the System Owner and CISO to determine the appropriate course of action. This could include contacting the vendor, FedRAMP PMO, and (if applicable) the sponsoring agency in order to gather additional details. Ultimately, the AO decides if the security risk posture remains acceptable and if the authorization issued by the NRC for the system/service is still valid. In addition, continuous monitoring activities must be performed in accordance with this process and the frequencies identified in Appendix C for all components and the processes and procedures for which the NRC system owner is at least partially responsible for managing.

The ISSO or designee must incorporate external IT services security control information into the NRC information systems security documentation including any process and procedural documents that are necessary to facilitate the NRCs implementation and usage of the external IT service.

This may include but is not limited to:

  • Security Categorization Report
  • Privacy Threshold Analysis/Privacy Impact Assessment
  • Digital Authentication Risk Assessment
  • Configuration Management Plan
  • Incident Response Plan
  • Documented Configurations
  • System Inventory
  • System Architecture Document
  • Operational Support Procedures
  • Business Impact Analysis (details can be incorporated into the parent systems BIA)
  • Contingency Plan (details can be incorporated into the parent systems CP)

CSO-PROS-1323 Page 11 System owners/ISSOs must also ensure that the external IT service provider is complying with all contractual obligations related to IT security and meeting all service levels as documented in the service level agreement (SLA). The NRC AO and CISO must be notified of material changes to any Memorandums of Understanding (MOU) within 30 days.

6 METRICS Part of the NRC ISCM strategy is to collect the security-related data required for metrics, assessments, and reporting. Metrics provide meaningful indicators of the security status across all agency tiers. Each tier monitors security metrics and assesses security control effectiveness to support tier-specific decision making.

Tier 1 metrics are developed for supporting governance decisions regarding the organization, its core missions, and its business functions.

Tier 2 metrics are developed to prioritize agencywide core mission/business processes with respect to overall goals and objectives while successfully executing the NRC security program strategy.

Tier 3 metrics address risk management from an information system perspective. Continuous monitoring activities ensure that all system-level security controls are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.

The NRC ISCM strategy established the following performance metrics to be monitored to meet NRC and federal requirements:

  • System Security Plan review and update
  • Quarterly Scan Reports
  • Configuration risk
  • Contingency Plan review and update
  • Conduct Contingency Plan test
  • POA&M review and update o CSO examines consolidated POA&M information to determine if there are common weaknesses/deficiencies among the NRCs information systems to analyze risk and make adjustments to the ISCM strategy.
  • Business Impact Analysis review and update
  • Security Categorization review and update
  • PIA/PTA review and update
  • System Architecture Document
  • Conduct Periodic System Cybersecurity Assessment

CSO-PROS-1323 Page 12

  • Computer Security Awareness training
  • Role-Based training
  • Incident trends (Data compiled from the Security Operations Center (SOC)
  • Phishing Exercise results
  • Completion of AO conditions
  • Number of assets
  • Number of users
  • Number of privileged users
  • Number of Authorized systems
  • Number of NRC systems leveraging a Cloud Provider
  • Number of external IT services used by NRC The AO and senior executives make risk management decisions based on these performance metrics. The monitoring strategy is regularly reviewed for relevance and accuracy in reflecting NRC risk tolerances, correctness of measurements, applicability of metrics, and effectiveness in supporting risk management decisions.

These performance metrics are also used in providing monthly CyberScope reports to DHS, quarterly reports to DHS for FISMA metrics (M-18-02), and to fulfill Federal Information Technology Acquisition Reform Act (FITARA) scoring requirements.

CSO-PROS-1323 Page 13 Tier 3 System Level Metrics Metric 1 Authorized NRC Systems Description This metric provides the number of authorized NRC systems and then presented to Department of Homeland Security on a monthly basis.

Assessment Method Review of authorization status Frequency Monthly Data Source NRC system inventory Reporting Format CyberScope Metric 2 Authorized Contractor Systems Description This metric provides the number of authorized Contractor systems that operate on behalf of NRC. This data is then presented to Department of Homeland Security on a monthly basis.

Assessment Method Review of authorization status Frequency Monthly Data Source NRC system inventory Reporting Format CyberScope Metric 3 Authorized Government Shared Services Provider Description This metric provides the number of authorized Government Shared Services Providers that NRC uses to conduct business. This data is then presented to Department of Homeland Security on a monthly basis.

Assessment Method Review of authorization status Frequency Monthly Data Source NRC system inventory Reporting Format CyberScope Metric 4 PIV Card used for Privileged Users Description This metric provides the number of privileged users that use their PIV card to authenticate.

Assessment Method Review statistics of privileged users using PIV authentication Frequency Monthly Data Source Active Directory Reports Reporting Format CyberScope

CSO-PROS-1323 Page 14 Metric 5 PIV Card used for Non-privileged Users Description This metric provides the number of non-privileged users that use their PIV card to authenticate.

Assessment Method Review statistics of non-privileged users using PIV authentication Frequency Monthly Data Source Active Directory Reports Reporting Format CyberScope Metric 6 Computer Security Training Completion Description This metric provides the number of NRC users that participated in annual computer security training exercises to increase awareness.

Assessment Method Data is obtained from Talent Management course completions Frequency Metric is gathered monthly Data Source TMS reports Reporting Format CRDB & Annual FISMA Report Metric 7 Role-Based Training Completion Description This metric provides the number of NRC users with different roles that require additional role-based training to fulfill NRC requirements.

Assessment Method Data is obtained from Talent Management and internal/external course completion certificates provided to OCIO.

Frequency Continuous Data Source TMS reports Reporting Format CRDB Metric 8 Phishing Exercises Description This metric provides the number of NRC users that fall prey and click embedded links or attachments.

Assessment Method Phishing emails are sent to 25% of the workforce each quarter Frequency Quarterly Data Source Phishing software database Reporting Format PhishMe Reports and CRDB Metric 9 Cybersecurity vulnerabilities Description This metric measures the number of missing patches/updates.

Assessment Method Pull vulnerability results from Tenable Security Center Frequency Monthly Data Source Tenable Security Center Reporting Format CRDB and FITARA

CSO-PROS-1323 Page 15 Metric 10 Configuration non-compliance Description This metric measures the number of configuration settings that are not in compliance with Security Content Automation Protocol (SCAP) validated products.

Assessment Method Pull SCAP results from Tenable Security Center Frequency Monthly Data Source Tenable Security Center Reporting Format CRDB and FITARA Metric 11 POA&M weaknesses Description This metric provides the number of open POA&M items per system and compares progress from the previous quarter.

Assessment Method Data is pulled from Systems POA&M spreadsheet Frequency Quarterly Data Source Data comes from various assessment efforts and scan reports.

Reporting Format CRDB and FITARA Metric 12 Continuous Monitoring Metrics for fully authorized systems Description This metric provides compliance results for various continuous monitoring requirements such as contingency testing, system security plan updates, conducting PSCAs, continuous monitoring scans, ATO, etc.

Assessment Method Metric calculates the degree to which continuous monitoring requirements are met.

Frequency Continuous Data Source Various artifacts that are submitted to OCIO/CSO Reporting Format CRDB Metric 13 Continuous Monitoring Metrics for fully authorized external systems Description This metric provides compliance results for various continuous monitoring requirements such as system security plan updates, conducting PSCAs, ATO, etc.

Assessment Method Metric calculates the degree to which continuous monitoring requirements are met.

Frequency Continuous Data Source Various artifacts that are submitted to OCIO/CSO Reporting Format CRDB

CSO-PROS-1323 Page 16 APPENDIX A. ACRONYMS AO Authorizing Official ASCA Authorization System Cybersecurity Assessment BIA Business Impact Analysis CISO Chief Information Security Officer CP Contingency Plan CRDB Cybersecurity Risk Dashboard CSO Computer Security Organization DISA Defense Information Systems Agency FIPS Federal Information Processing Standard FISMA Federal Information Security Modernization Act ISA Interconnection Security Agreement ISCM Information Security Continuous Monitoring ISSO Information System Security Officer IT Information Technology NIST National Institute for Standards and Technology NRC Nuclear Regulatory Commission PIA Privacy Impact Assessment PII Personally Identifiable Information POA&M Plan of Action and Milestones POC Point of Contact PSCA Periodic System Cybersecurity Assessment SCAP Security Content Automation Protocol SLA Service Level Agreement

CSO-PROS-1323 Page 17 APPENDIX B. GLOSSARY Authorization System Cybersecurity A full cybersecurity control assessment of the Assessment (ASCA) system or subsystem that supports an authorization decision.

Business Area Leaders A business area leader is an office director, a regional administrator, or a deputy executive director responsible for an NRC business area, such as nuclear reactor regulation. A business area leader has inherent Government authority, must be a Government employee, and is responsible for the following as it relates to cybersecurity:

  • Identifying mission, business, operational requirements, and IT resources necessary for the business area to support the mission and for compliance with cybersecurity requirements;
  • Identifying resources required for critical business processes and determining the impact of unavailability of those resources;
  • Performing a business area risk assessment; and
  • Developing a business continuity plan (BCP) for the business area.

Information Owner Provides requirements to IT system owners regarding the security controls for the IT systems where the information resides. The information owner is an agency official who has inherent U.S.

Government authority and must be a Government employee.

Periodic System Cybersecurity A cybersecurity control assessment of the system Assessment (PSCA) that occurs on a periodic basis and supports continuous monitoring requirements.

Standalone Laptop, Tablet, and A standalone device is one that is not connected Personal Computer to any other computer or to a network.

System Owner An office director, regional administrator, or OCIO division director that has overall responsibility for the security of NRC systems owned by his or her organization or operated on behalf of his or her organization by another agency or by a contractor.

The system owner is an agency official who has inherent U.S. Government authority and must be a Government employee.

CSO-PROS-1323 Page 18 This page intentionally left blank.

CSO-PROS-1323 Page 19 APPENDIX C. MINIMUM REQUIRED FREQUENCIES FOR CONTINUOUS MONITORING ACTIVITIES All continuous monitoring submissions must be sent to the RidsOCIO.Resource@nrc.gov, CISO, and CSO Office POC.

Minimum Frequencies for all NRC Systems regardless of System Categorization

  1. Activity Name Frequency Notes
1. Business Impact Analysis (BIA) At least annually - review and update as needed (e.g., External IT services (EITS) recovery information if the system has undergone a change that impacts can be included in the parent systems BIA.

disaster recovery planning). Ideally, prior to the systems contingency test to ensure accuracy of Availability/recovery requirements for Third Party information. System (TPS) subsystems are defined within the TPS BIA.

Please note: systems with a Low impact level for availability DO NOT have to create/document a BIA. System with Low availability are not required to create a Business Impact Analysis.

2. Contingency Plan (CP) Update At least annually - review the systems Contingency EITS CP information can be included in the Plan and update as needed. Ideally, prior to the parent systems CP.

systems contingency test to ensure accuracy of information. Recovery information for TPS subsystems is defined within the TPS CP.

3. Contingency Plan Training At least annually - provide training prior to conducting the systems contingency test.
4. Contingency Test Plan Must be updated prior to conducting the systems Testing for EITS and TPS will be limited based contingency test. on NRC responsibilities.
5. Contingency Test Must be performed annually for all baselines. Testing for EITS and TPS will be limited based on NRC responsibilities.
6. Contingency Plan Test Report Annually - must be completed no later than the same quarter as the previous year, or with an Authorizing Official (AO) or CISO-approved delay.

CSO-PROS-1323 Page 20 Minimum Frequencies for all NRC Systems regardless of System Categorization

  1. Activity Name Frequency Notes
7. Interconnection Security Agreement This is required between NRC and external entities; (ISA) not between internal NRC systems.

Provide most recent ISA (if any) and confirm terms are reviewed annually and carried out accordingly by June 15.

8. Memoranda of Understanding (MOU) This is required between NRC and external entities; not between internal NRC systems.

Provide most recent MOU (if any) and confirm terms are reviewed annually and carried out accordingly by June 15.

9. ISSO Appointment (System) Must be identified within 15 business days of being assigned the role.
10. External IT Services Notify the AO within 15 business days of an MOU/ISA/Authorization Notifications authorization expiration or termination, significant changes, unacceptable risks or any changes to the MOU/ISA.
11. Periodic System Cybersecurity Annually - must be completed by an independent Assessment (PSCA) assessment team no later than the same quarter as the previous year, or with an AO or CISO-approved delay.
12. Plan of Action and Milestones For NRC systems, quarterly updates are required by For EITS and TPS:

(POA&M) Updates December 15, March 15, June 15, and September 15 of each fiscal year. It is the NRC ISSOs responsibility to review and analyze the CSPs POA&M evidence on monthly basis to ensure mandatory requirements are conducted and meet an acceptable level of risk.

13. System Security Plan (SSP) At least annually - review and update as needed to For EITS and TPS:

ensure accuracy and account for any changes that have been authorized for the system. Must be dated At least annually - review and update as needed within one year after the date of the last annual (e.g., as needed if the document is impacted by update. Ideally, prior to the PSCA to ensure accuracy a change to the external IT service and/or NRC of information. responsibilities).

CSO-PROS-1323 Page 21 Minimum Frequencies for all NRC Systems regardless of System Categorization

  1. Activity Name Frequency Notes
14. Supporting documentation may At least annually - review and update as needed to Not all supporting documentation will be include but not limited to: ensure accuracy and account for any changes that applicable to EITS and TPS.

have been authorized for the system. Ideally, prior to

  • Security Categorization the PSCA to ensure accuracy of information. See Section 5 and 6 in the CSO-PROS-1323 for Report more information.
  • Privacy Threshold Analysis/Privacy Impact Assessment
  • Digital Authentication Risk Assessment (DARA)
  • Configuration Management Plan
  • Incident Response Plan
  • Documented Configurations
  • System Inventory
  • System Architecture Document
  • Operational Support Procedures

CSO-PROS-1323 Page 22 Minimum Frequencies for all NRC Systems regardless of System Categorization

  1. Activity Name Frequency Notes
15. Vulnerability Scanning All systems/subsystems must conduct vulnerability Applicable to EITS if NRC has responsibility for scans once per quarter. vulnerability scanning.

In addition to the quarterly vulnerability scanning Not applicable to TPS.

requirement, system compliance scans and manual checks must be conducted based on the systems If available, system ISSO is responsible for security categorization, as follows: reviewing EITS continuous monitoring scans monthly to ensure it is being conducted and High: Semi-annually findings are being remediated.

Moderate: Annually Low: Annually 16 Wireless Scanning Annually - if the wireless network only supports guests Not applicable to EITS and TPS and only provides connectivity to the Internet (external IP addresses only)

Quarterly - if the wireless network allows users to access the NRC internal network or NRC public sites in any way (includes MaaS, Outlook Web Access, Virtual Private Networking, NRC-encrypted guest network and Citrix)

CSO-PROS-1323 Page 23 CSO-PROS-1323 Change History Date Version Description of Changes Method Used to Training Announce &

Distribute 21-June-21 2.7 Added clarifying text to Section 3.3, System CSO web page and As needed Change Authorization. email distribution to ISSO forum 03-March-21 2.6 Added DARA to Appendix D CSO web page and As needed email distribution to ISSO forum 12-Jun-20 2.5 Added Appendix C: Minimum Required CSO web page and As needed Frequencies for Continuous Monitoring Activities email distribution to ISSO forum 30-Jan-20 2.4 Revised Section 5 to add detail to CM CSO web page and As needed requirements for external IT systems/services email distribution to ISSO forum 29-Jul-19 2.3 Added SAD to document requirements CSO web page and As needed email distribution to ISSO forum 09-May-18 2.2 Revised to include external IT services and to CSO web page and As needed reflect changes to other processes and email distribution to organizational structures ISSO forum 28-Sep-16 2.1 Revised to add metrics in accordance with the CSO web page and As needed GAO high-risk systems audit and to reflect email distribution to changes to other processes and organizational ISSO forum structures.

24-Nov-14 2.0 Revised to reflect current continuous monitoring CSO web page and As needed requirements email distribution to ISSO forum 19-Aug-11 1.5 Revised CM plan criteria to remove reference to plan update and minor edits for clarification.

09-Jul-10 1.4 Revised criteria and scoring methodology based on lessons learned from previous review, replaced letter grade with color grade, added criteria ID numbers, and provided more directions for document updates.

25-Jun-10 1.3 Revised to incorporate CSO comments from concurrence meeting 06-Apr-10 1.2 Revisions to reflect CISO and SITSO comments /

CSO staff 11-Jan-10 1.1 Revisions to reflect feedback from ASLBP review and Gartner comments and November 2009 revision to NIST SP 800-37 / CSO staff and risk-based scoring method 28-Sep-08 1.0 Initial Issuance

Retrieved from "https://kanterella.com/w/index.php?title=ML22053A056&oldid=3432664"