Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021
Recommendations
Document and implement policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.
Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.
Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.
Continue to monitor the remediation of critical and high vulnerabilities and identify a means to assign and track progress of timely remediation of vulnerabilities.
Centralize system privileged and non-privileged user access review, audit log activity monitoring, and management of Personal Identity Verification (PIV) or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential access to all NRC systems (findings noted in bullets a and c above) by continuing efforts to implement these capabilities using the Splunk QAudit, SailPoint, and CyberArk automated tools.