ML20246G648

Memo - Fiscal Year 2021 Cybersecurity Risk Management Activities
Person / Time
Issue date: 09/17/2020
From: David Nelson
NRC/OCIO/GEMSD/CSB
To: Jeff Baran, Annie Caputo, Castelveter D, Miriam Cohen, Eugene Dacus, Margaret Doane, Dan Dorman, Laura Dudes, Feitel R, Raymond Furstenau, Jack Giessner, Jennifer Golder, Catherine Haney, Christopher Hanson, Hawkens E, Brian Holian, Clay Johnson, David Lew, John Lubinski, Nader Mamish, Martin J, Scott Moore, Scott(Ois) Morris, David Nelson, Ho Nieh, Vonna Ordaz, Darrell Roberts, Shuttleworth E, Kristine Svinicki, Annette Vietti-Cook, George Wilson, David Wright, Marian Zobler
Advisory Committee on Reactor Safeguards, Office of Administration, Atomic Safety and Licensing Board Panel, NRC/Chairman, NRC/EDO, Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response, Office of Congressional Affairs, NRC/OCAA, NRC/OCFO, Office of the Chief Human Capital Officer, NRC/OCIO, NRC/OCM, NRC/OE, NRC/OGC, NRC/OI, NRC/OIG, NRC/OIP, Office of Public Affairs, Office of Nuclear Regulatory Research, NRC Region 1, NRC/RGN-II, NRC/RGN-III, NRC Region 4, NRC/SBCR, NRC/SECY
Jonathan Feibus, 301-415-0717
Shared Package: ML20246G646


Text

September 17, 2020

MEMORANDUM TO: Those on the Attached List

FROM: David J. Nelson, Chief Information Officer, Office of the Chief Information Officer

Signed by Nelson, David on 09/17/20

SUBJECT: FISCAL YEAR 2021 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

I want to express my appreciation for your continued efforts to improve the U.S. Nuclear Regulatory Commission's (NRC's) cybersecurity posture and to fulfill the agency's goal to minimize security risks. We have been successful in implementing many improvements through the hard work of you and your staff, and these are reflected in our quarterly Federal Information Security Management Act of 2014 (FISMA) ratings and audits by the Government Accountability Office and our Inspector General.

FISMA and our implementation framework delineate the risk management activities that we are required to conduct periodically for all NRC systems, including our high-value assets. These activities include the following:

- cybersecurity awareness training
- cybersecurity role-based training
- continuous monitoring
- system cybersecurity assessment
- system security categorization
- privacy threshold analysis and privacy impact assessments
- periodic reviews and risk management reporting

Achieving success on such important efforts requires support from all NRC Office Directors, Regional Administrators, and system owners. The agency's success also depends on completion of the risk management activities outlined in the enclosed Cybersecurity Risk Management Activities Instructions, Fiscal Year 2021. The instructions provide detailed guidance on the required activities, such as making the specified documentation available to the required staff, including the Office of the Inspector General.

CONTACT: Jonathan Feibus, OCIO 301-415-0717

Contract vehicles are available to NRC Headquarters and regional offices to support these activities. If you require contract support, please ensure sufficient resources and time are available by coordinating requirements with your designated contracting officer's representative for cybersecurity program support services.

Additionally, I will continue to focus on ensuring that the agency identifies needed resources in the budget formulation process for all aspects of required cybersecurity for the life of our systems, including plans for hardware and software upgrades, maintenance, and system changes.

Please feel free to contact Jonathan Feibus, Chief Information Security Officer, or me with questions. As always, I expect and appreciate your support as we work to jointly accomplish the agency's mission and minimize cybersecurity risk to the NRC.

Enclosure:

Cybersecurity Risk Management Activities Instructions, Fiscal Year 2021

MEMORANDUM TO THOSE ON THE ATTACHED LIST, DATED: September 17, 2020.

SUBJECT: FISCAL YEAR 2021 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

E-Mail Mail Stops

Chairman Svinicki: Send a Hard Copy to O-16B33
Commissioner Baran: Send a Hard Copy to O-16B33
Commissioner Caputo: Send a Hard Copy to O-16B33
Commissioner Wright: Send a Hard Copy to O-16B33
Commissioner Hanson: Send a Hard Copy to O-16B33
Scott W. Moore, Executive Director, Advisory Committee on Reactor Safeguards: RidsACRS_MailCTR Resource
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel: RidsAslbpManagement Resource
Marian L. Zobler, General Counsel: RidsOgcMailCenter Resource
Jody C. Martin, Director, Office of Commission Appellate Adjudication: RidsOcaaMailCenter Resource
Cherish K. Johnson, Chief Financial Officer: RidsOcfoMailCenter Resource
Robert J. Feitel, Inspector General: RidsOigMailCenter Resource
Nader L. Mamish, Director, Office of International Programs: RidsOipMailCenter Resource
Eugene Dacus, Director, Office of Congressional Affairs: RidsOcaMailCenter Resource
David A. Castelveter, Director, Office of Public Affairs: RidsOpaMail Resource
Annette L. Vietti-Cook, Secretary of the Commission: RidsSecyMailCenter Resource; RidsSecyCorrespondenceMCTR Resource
Margaret M. Doane, Executive Director for Operations: RidsEdoMailCenter Resource
Darrell J. Roberts, Deputy Executive Director for Materials, Waste, Research, State, Tribal, Compliance, Administration, and Human Capital Programs, OEDO: RidsEdoMailCenter Resource
Daniel H. Dorman, Deputy Executive Director for Reactor and Preparedness Programs, OEDO: RidsEdoMailCenter Resource
Catherine Haney, Assistant for Operations, OEDO: RidsEdoMailCenter Resource
Jennifer M. Golder, Director, Office of Administration: RidsAdmMailCenter Resource
David J. Nelson, Chief Information Officer: RidsOCIO Resource
George A. Wilson, Director, Office of Enforcement: RidsOeMailCenter Resource
Edward Shuttleworth, Director, Office of Investigations: RidsOiMailCenter Resource
Miriam L. Cohen, Chief Human Capital Officer: RidsOchcoMailCenter Resource
John W. Lubinski, Director, Office of Nuclear Material Safety and Safeguards: RidsNmssOd Resource
Ho K. Nieh, Director, Office of Nuclear Reactor Regulation: RidsNrrOd Resource (I); RidsNrrMailCenter Resource (A)
Raymond V. Furstenau, Director, Office of Nuclear Regulatory Research: RidsResOd Resource (I); RidsResPmdaMail Resource (A)
Vonna L. Ordaz, Director, Office of Small Business and Civil Rights: RidsSbcrMailCenter Resource
Brian E. Holian, Director, Office of Nuclear Security and Incident Response: RidsNsirMailCenter Resource (A); RidsNsirOd (I)
David C. Lew, Regional Administrator, Region I: RidsRgn1MailCenter Resource
Laura A. Dudes, Regional Administrator Region II: RidsRgn2MailCenter Resource
John B. Giessner, Regional Administrator, Region III: RidsRgn3MailCenter Resource
Scott A. Morris, Regional Administrator, Region IV: RidsRgn4MailCenter Resource

Fiscal Year 2021 Cybersecurity Risk Management Activities DATE September 17, 2020

DISTRIBUTION:

RidsACRS_MailCTRResource, ACRS
RidsAslbpManagementResource, ASLBP
RidsOgcMailCenterResource, OGC
RidsOcaaMailCenterResource, OCAA
RidsOcfoMailCenterResource, OCFO
RidsOigMailCenterResource, OIG
RidsOipMailCenterResource, OIP
RidsOcaMailCenterResource, OCA
RidsOpaMailResource, OPA
RidsSecyMailCenterResource, SECY
RidsEdoMailCenterResource, EDO
RidsAdmMailCenterResource, ADM
RidsOCIOResource, OCIO
RidsOeMailCenterResource, OE
RidsOiMailCenterResource, OI
RidsOchcoMailCenterResource, OCHCO
RidsNmssOdResource, NMSS
RidsNrrOdResource, NRR
RidsResOdResource, RES
RidsSbcrMailCenterResource, SBCR
RidsNsirOdResource, NSIR
RidsRgn1MailCenterResource, RGN I
RidsRgn2MailCenterResource, RGN II
RidsRgn3MailCenterResource, RGN III
RidsRgn4MailCenterResource, RGN IV

ADAMS Accession No.: ML20246G646; ML20246G645

OCIO/GEMSD/CSB OCIO/GEMSD/DPRB OFFICE ADM/PMAE/DAET OCIO/GEMSD/CSB /CSOT /IMIT
NAME ASage AS KAzariah-Kribbs KA CBrown CB AMullins AM
DATE Sep 9, 2020 Sep 9, 2020 Sep 10, 2020 Sep 11, 2020

OFFICE OCIO/CISO OCIO/GEMSD/D OCIO/GEMSD/DD OCIO/DD
NAME JFeibus JF JMoses JM BSanford BS SFlanders SF
DATE Sep 14, 2020 Sep 15, 2020 Sep 15, 2020 Sep 16, 2020

OFFICE OCIO/D
NAME DNelson DN
DATE Sep 17, 2020

OFFICIAL RECORD COPY