
Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued
Report Number
OIG-21-A-05
Report Type
Inspection / Evaluation
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Fully define the NRC’s ISA across the enterprise, business processes, and system levels.

a. Assess enterprise, business process, and information system level risks.
b. Update the list of high value assets, if necessary, based on reviewing the ISA to identify risks from the supporting business functions and mission impacts.
c. If necessary, update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
d. Conduct an organization-wide security and privacy risk assessment and implement a process to capture lessons learned and update risk management policies, procedures, and strategies.
e. Consistently assess the criticality of POA&Ms to support why a POA&M is or is not of a high or moderate impact to the Confidentiality, Integrity and Availability (CIA) of the information system, data, and mission.
f. Assess the NRC supply chain risk and fully define performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.

2c Status: Open: Resolved.
2.c. The NRC has transitioned all of its information systems to National Institute of Standards and Technology SP 800-53, Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” issued September 2020, except for Office of Nuclear Security and Incident Response Federal Information Security Modernization Act of 2014 (FISMA) systems. The transition of these systems to Revision 5 is expected to be funded in the third quarter (Q3) of fiscal year (FY) 2023. Therefore, the NRC is requesting a new Target Completion date of FY2024, Q1.

2e. The NRC consistently assesses the criticality of Plans of Action and Milestones (POA&Ms) by ensuring that information systems security officers and assessors adhere to CSO-PROS-2030, “NRC Risk Management Framework (RMF) Process,” specifically step 5. CSO-PROS-2030 further prescribes that assessors follow CSO-PROS-2102, “System Cybersecurity Assessment Process,” when performing security assessments. Additionally, CSO-STD-0020, “System Security and Privacy Controls Standard,” prescribes the organizationally defined frequency by which all such testing is performed. Finally, the Risk and Continuous Authorization Tracking System (RCATS) employs a POA&M management component that requires all POA&Ms to be assigned a criticality (severity) at the time of creation. To date, 13 out of 15 FISMA systems have been migrated to RCATS. The NRC expects to migrate the remaining two systems to RCATS by FY 2023, Q3.

Conduct an organization-wide security and privacy risk assessment and implement a process to capture lessons learned and update risk management policies, procedures, and strategies.

Continue to monitor the remediation of critical and high vulnerabilities and identify a means to assign and track progress of timely remediation of vulnerabilities.

Centralize system privileged and non-privileged user access review, audit log activity monitoring, and management of Personal Identity Verification (PIV) or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential access to all the NRC systems (findings noted in bullets 1, 3, and 4 above) by continuing efforts to implement these capabilities using automated tools.