Independent Evaluation of NRC’s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012
Report Information
Recommendations
Update the rack diagrams for each NRC remote location.
Provide refresher training to all staff responsible for implementing NRC’s POA&M process.
Configure the agency’s automated POA&M tool to do the following: (i) prevent scheduled completion dates from being changed, (ii) prevent weaknesses from being created without a scheduled completion date or weakness source, (iii) prevent weaknesses from being closed without specifying an actual date closed, (iv) prevent users from entering actual completion dates in the future, (v) prevent users from entering an actual completion date when the status is not closed, and (vi) automatically change the weakness status from on track to delayed once the scheduled completion date has passed.
Update the IT environment contingency plan to include procedures for responding to short-term disruptions (those that last less than 24 hours), such as restoring components using alternate equipment or performing some or all of the affected business processes using alternate processing (manual) means.
Update the IT environment contingency plan to update contingency planning procedures specific to NRC remote locations that are not up-to-date. Specifically, update the list of IT environment servers supporting NRC remote locations that are referenced in Appendix H of the IT environment contingency plan and update the contingency plans for NRC remote locations that are attached to the IT environment contingency plan.