
Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued:
Report Number: DNFSB-22-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Recommendation 1. Update the ISA and use the updated ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Status: Open: Resolved.
1.a. A centralized view of risk across the organization will be possible once the agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant.
1.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB's ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.

Recommendation 2. Using the results of Recommendation 1 above:
a. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking POA&Ms to remediate vulnerabilities.

Status: Open: Resolved.
2.a. DNFSB will review existing policies & procedures against the recommendations in NIST SP 800-55 Rev. 2 and make any updates by Q2 FY 2024.
2.b. A centralized view of risk across the organization will be possible once the agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant.
2.c. DNFSB will update its Risk Management Framework Handbook and its Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024.

Recommendation 3. Update the Risk Management Framework to reflect the current roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:
a. Defining a frequency for conducting risk assessments so that agency risks are periodically assessed and the results of each assessment are integrated into improvements of mission and business processes.

Status: Open: Resolved. DNFSB published the Risk Assessment Policy in January 2023, which included defined frequencies for risk assessments and integrating those results into mission and business processes. As part of the external security assessment of the GSS, a risk assessment and control assessment were performed by an external auditor. DNFSB completed an external security assessment in June 2023 and issued an updated ATO for the DNFSB GSS in July 2023. Based on actions already taken, DNFSB's position is that this recommendation needs to be closed.

Recommendation 4. Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:
a. How supply chain risks are to be managed across the agency;
b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored;
c. How counterfeit components are prevented from entering the DNFSB supply chain.

Status: Open: Resolved.
On September 20, 2023, the agency provided the following response: Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023.
March 31, 2025: OIG Analysis: The DNFSB did not provide an updated response for this recommendation. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.

Recommendation 5. Conduct remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.