U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued
Report Number
DNFSB-21-A-04
Report Type
Inspection / Evaluation
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

Define an ISA in accordance with the Federal Enterprise Architecture Framework.

Agency Response Dated February 27, 2025: The requested ISA is incorporated in DNFSB’s Enterprise Architecture that was published in December 2024. <br />
OIG Analysis: The OIG confirmed that the agency has defined an ISA in accordance with the Federal Enterprise Architecture Framework. Hence, this recommendation is now closed.<br />
<br />
Status: Open: Resolved. DNFSB has completed development of our Zero Trust Implementation Plan and is actively working towards its implementation. This plan is the equivalent of an Information Security Architecture. Based on actions already taken, DNFSB’s position is that this Recommendation needs to be closed

Use the fully defined ISA to: a. Assess enterprise, business process, and information system level risks;b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;c. Conduct an organization wide security and privacy risk assessment; and,d. Conduct a supply chain risk assessment.

OIG Analysis: The agency did not provide an updated response pertaining to Recommendation 2a and 2b.<br />
On September 20, 2023, the agency provided the following response:<br />
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.<br />
The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for Recommendation 2c <br />
and 2d. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address<br />
Recommendation 2 during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.<br />
<br />
Status: Open: Resolved. 2.a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
2.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management make more informed risk management decisions. No target date for all four parts.<br />
2.c. DNFSB will conduct an organization wide security and privacy risk assessment once the ERM program has been established.<br />
2.d. DNFSB will conduct a supply chain risk assessment in Q2 FY2024.<br />

Using the results of recommendations one (1) and two (2)above:a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;b. Utilize guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;c. Implement a centralized view of risk across the organization; and,d. Implement formal procedures for prioritizing and tracking POA&amp;M to remediate vulnerabilities.

OIG Analysis: The agency did not provide an updated response pertaining to Recommendation 3b and 3d. On September 20, 2023, the agency provided the following response:<br />
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and a process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.<br />
b. DNFSB will review existing policies &amp; procedures against the recommendation in NIST SP-800 55 Rev.2 and make any updates by Q2 FY 2024.<br />
d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies &amp;<br />
Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024. The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for Recommendation 3a and 3c. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address Recommendation 3a through 3d during its FY25 FISMA audit.<br />
<br />
Status: Open: Resolved. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.<br />
3.a. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.<br />
3.b. DNFSB will review existing policies &amp; procedures against the recommendations in NIST SP-800 55 Rev.2 and make any updates by Q2 FY2024.<br />
3.c. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.<br />
3.d. DNFSB will update its Risk Management Framework Handbook and its and Continuous Monitoring Policies &amp; Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY2024.<br />

Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency’s network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.

Status: Open: Resolved. DNFSB has implemented Qualys, Intune, and Microsoft Defender as hardware/software monitoring platforms. These systems have dashboards which provide a near real time view of hardware and software on the network. Track-It! and KACE have been implemented and their configurations are refined as needed. Device compliance policies, enforced by Microsoft Intune, identify devices (Agency laptops and iPhones) that are not running the current versions of Operating Systems. Only iPhones purchased through Apple Business Manager (formerly DEP) program can be enrolled in Intune, so no unauthorized mobile hardware can connect to DNFSB’s IT resources (no BYOD devices allowed). Users cannot install unauthorized software (all software on iPhones must be approved and installed through Intune; users cannot access the Apple App Store).<br />
Based on actions already taken, DNFSB’s position is that this Recommendation needs to be closed.<br />

Conduct remedial training to re-enforce requirements for documenting CCB’s approvals and security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.