Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued:
Report Number: DNFSB-21-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Implement procedures and define roles for reviewing configuration change activities to the DNFSB’s information system production environment by those with privileged access to verify the activity was approved by the system CCB and executed appropriately.

Implement a technical capability to restrict new employees and contractors from being granted access to the DNFSB’s systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.

Status: Open: Resolved. DNFSB and the OIG have changed their processes and no longer require any users to sign a non-disclosure agreement in addition to the DNFSB IT User Agreement/Rules of Behavior form, which every user must sign prior to being granted access to DNFSB resources. DNFSB relies on documented procedures to ensure that users are not granted access to DNFSB information systems prior to completion of required training and signing of the IT User Agreement/Rules of Behavior form. DNFSB has created a new System Authorization Access Request (SAAR) process and automated workflow in SharePoint to streamline the new account creation process and is also in the process of acquiring an agency-wide automated ticketing solution, which will be used to more fully automate standard processes such as account provisioning/de-provisioning. When this new system is implemented, DNFSB will be able to close this Recommendation. DNFSB plans to acquire this new ticketing system in Q4 2023 and put it into production by Q2 2024.

Implement the technical capability to require PIV or Identification and Authentication Level of Assurance (IAL) 3 to all DNFSB privileged accounts.

Implement automated mechanisms (e.g. machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

OIG Analysis: The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.

Status: Open: Resolved. DNFSB has determined that automated management of privileged accounts presents a higher risk than the current manual process of account review. DNFSB has implemented a manual review of account activity based on automated reports sent from the Varonis tool weekly. Administrators review this data and act in accordance with DNFSB policies and procedures. DNFSB will request a risk acceptance for this recommendation by Q4 FY23.
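As an added illustration, not part of the report or of DNFSB's own tooling, the following Python reviews a constructed weekly privileged-account report of the kind the status describes and flags temporary accounts past expiry, stale emergency accounts, and inactive accounts for administrator action rather than disabling them automatically; the field names, thresholds, and sample rows are assumptions.

```python
from datetime import datetime

# Constructed sample of a weekly privileged-account export (assumed columns;
# not real DNFSB data). Empty "expires" means the account has no expiry date.
SAMPLE_REPORT = """account,type,created,expires,last_logon
admin.jdoe,standard,2022-01-10,,2023-06-20
tmp.contractor1,temporary,2023-05-01,2023-05-31,2023-05-28
emerg.breakglass,emergency,2023-04-15,,2023-04-16
svc.backup,standard,2021-03-03,,2023-01-05
admin.ksmith,standard,2023-06-01,,2023-06-25
"""

INACTIVE_DAYS = 45       # assumed: privileged account unused this long is stale
EMERGENCY_MAX_DAYS = 7   # assumed: emergency accounts should not outlive a week


def parse_report(text):
    """Turn the CSV-style export into a list of dicts keyed by column name."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def _date(value):
    """Parse YYYY-MM-DD; an empty field means 'no date recorded'."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def review_accounts(report_text, as_of):
    """Return (account, reason) pairs an administrator should act on.

    Each account can produce several findings, one per failed check.
    """
    as_of = _date(as_of) if isinstance(as_of, str) else as_of
    findings = []
    for row in parse_report(report_text):
        created, expires, last = (_date(row[k]) for k in ("created", "expires", "last_logon"))
        if row["type"] == "temporary" and expires and expires < as_of:
            findings.append((row["account"], "temporary account past expiry"))
        if row["type"] == "emergency" and (as_of - created).days > EMERGENCY_MAX_DAYS:
            findings.append((row["account"], f"emergency account older than {EMERGENCY_MAX_DAYS} days"))
        if last is None or (as_of - last).days > INACTIVE_DAYS:
            findings.append((row["account"], f"no logon in {INACTIVE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for account, reason in review_accounts(SAMPLE_REPORT, "2023-06-30"):
        print(f"{account}: {reason}")
```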

Continue efforts to develop and implement role-based privacy training.

Status: Open: Resolved. DNFSB provides role-based privacy training within its required annual Cyber Awareness training. Topics such as Social Networking, handling of Controlled Unclassified Information (CUI) and Classified data, website use, and Social Engineering are all covered by this training. Each user is required to complete this training prior to accessing DNFSB systems. DNFSB further requires all users to take annual Controlled Unclassified Information (CUI) training, and all Federal employees with DOE clearances must take an annual clearance holder training, both of which address requirements for accessing, storing, and transmitting sensitive information. DNFSB has developed updated Privacy training and will deliver it to agency users by the end of Q1 FY2024. DNFSB needs the OIG to define which roles it feels require additional role-based privacy training in order to resolve this Recommendation; any additional privacy training will need to be coordinated with the Senior Agency Official for Privacy (SAOP).