Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021
Report Information
Recommendations
Update user system access control procedures to include the requirement for individuals to complete a non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information.
Conduct an independent review or assessment of the NRC privacy program and use the results of these reviews to periodically update the privacy program.
Implement the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable or implement the technical capability to capture NRC employees and contractor’s initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.
Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.
Implement metrics to measure and reduce the time it takes to investigate an event and declare it as a reportable or non-reportable incident to US-CERT.