ML23121A093

DNFSB-22-A-04 Status of Recommendations: Independent Evaluation of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated April 26, 2023
Person / Time
Issue date: 05/26/2023
From: Virkar H
NRC/OIG/AIGA
To: Tadlock T
Defense Nuclear Facilities Safety Board, NRC/EDO
References
DNFSB-22-A-04


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

MEMORANDUM

DATE: April 26, 2023

TO: Tara Tadlock
Associate Director for Board Operations
Office of the Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (DNFSB-22-A-04)

REFERENCE: ASSOCIATE DIRECTOR FOR BOARD OPERATIONS, DEFENSE NUCLEAR FACILITIES SAFETY BOARD, CORRESPONDENCE DATED MARCH 1, 2023

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency response dated March 1, 2023. Based on these responses, all recommendations are open and resolved. Please provide an updated status of all recommendations by August 30, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Terri Cooper, Team Leader, at 301.415.5965.

Attachment:
As stated

cc:
J. Biggins, GM
N. Thomas-Hawkins, OEDO

Evaluation Report
INDEPENDENT EVALUATION OF THE DNFSB'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021
Status of Recommendations (DNFSB-22-A-04)

Recommendation 1:

Update the Information Security Architecture (ISA) and use the updated ISA to:

a. Assess enterprise, business process, and information system level risks;
b. Update enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.

Agency Response Dated March 1, 2023:

In response to EO 14028, OMB M-22-09, and other recent OMB Memorandums related to Zero Trust, DNFSB has developed a Zero Trust Architecture (ZTA) Implementation Plan. This plan will serve as the equivalent of both an Enterprise Architecture and Information Security Architecture.

DNFSB anticipates completing these actions by end of Q4 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the ISA to assess risk and update risk tolerance and appetite levels necessary for prioritizing and guiding risk management on the enterprise, business process, and information system levels.

Status:

Open: Resolved.

Recommendation 2:

Using the results of recommendation 1 above:

a. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to manage and optimize all domains of the DNFSB information security program more effectively;
b. Implement a centralized view of risk across the organization;
c. Implement formal procedures for prioritizing and tracking plans of action and milestones (POA&Ms) to remediate vulnerabilities.

Agency Response Dated March 1, 2023:

DNFSB anticipates completing these tasks by Q4FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the ISA to utilize guidance from NIST to establish metrics to manage and optimize all domains of the DNFSB information security program more effectively; implements a centralized view of risk across the organization; and implements formal procedures for prioritizing and tracking plans of action and milestones (POA&Ms) to remediate vulnerabilities.

Status:

Open: Resolved.

Recommendation 3:

Update the Risk Management Framework to reflect the roles, responsibilities, policies, and procedures of the current DNFSB environment, to include:

a. Defining a frequency for conducting risk assessments to periodically assess agency risks and integrate the results of the assessment to improve mission and business processes.

Agency Response Dated March 1, 2023:

DNFSB published the updated version of its Risk Management Framework on 9/29/22, which defines a frequency for conducting risk assessments.

DNFSB will request this Recommendation be closed.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the Risk Management Framework to reflect the roles, responsibilities, policies, and procedures of the current DNFSB environment, including defining a frequency for conducting risk assessments to periodically assess agency risks and integrate the results of the assessment to improve mission and business processes.

Status:

Open: Resolved.

Recommendation 4:

Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:

a. How supply chain risks are to be managed across the agency;
b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored;
c. How counterfeit components are prevented from entering the DNFSB supply chain.

Agency Response Dated March 1, 2023:

DNFSB requested this recommendation be closed in CLOSURE OF FY21 AND FY22 FISMA AUDIT RECOMMENDATIONS memo dated 8/19/22.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines a supply chain risk management strategy to drive the development and implementation of policies and procedures for the items in bullets a. through c. above.

Status:

Open: Resolved.

Recommendation 5:

Conduct remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.

Agency Response Dated March 1, 2023:

DNFSB requested this recommendation be closed in CLOSURE OF FY21 AND FY22 FISMA AUDIT RECOMMENDATIONS memo dated 8/19/22.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis:

The OIG will close this recommendation when the DNFSB conducts remedial training to reinforce requirements for documenting security impact assessments for changes to the DNFSB's system in accordance with the agency's Configuration Management Plan.

Status:

Open: Resolved.

Recommendation 6:

Integrate the Configuration Management Plan with the risk management and continuous monitoring programs and utilize lessons learned to make improvements to the plan.

Agency Response Dated March 1, 2023:

DNFSB recently updated its Configuration Management Plan, Continuous Monitoring Policies and Procedures Guide, and Risk Management Framework. These three documents are now integrated.

DNFSB will request this Recommendation be closed.

OIG Analysis:

The OIG will close this recommendation when the DNFSB integrates the configuration management plan with risk management and continuous monitoring programs and utilizes lessons learned to make improvements to this plan.

Status:

Open: Resolved.

Recommendation 7:

Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Agency Response Dated March 1, 2023:

DNFSB has procedures in place to automate the process of identifying privileged accounts that are inactive but wants to have a formal approval process for disabling or deleting privileged accounts; given the small number of privileged users at the DNFSB, this is an acceptable risk.

DNFSB will request a risk acceptance for this recommendation by Q3 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB implements automated mechanisms to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Status:

Open: Resolved.
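The control behind Recommendation 7 splits naturally into two automated behaviours: temporary and emergency accounts carry an expiry and can be disabled by the machine alone, while inactive privileged accounts are identified automatically but, as the agency's response describes, only disabled after a formal, recorded approval. The following is an added example of that two-track sweep; it is illustrative code, not DNFSB's or the OIG's, and the account records, the 45-day inactivity threshold, the account names, and the approver/ticket fields are all constructed assumptions for the demonstration.

```python
"""Privileged-account hygiene sweep (added example, not DNFSB/OIG code).

Two tracks, matching the recommendation text and the agency's response:
  * temporary/emergency accounts: auto-disabled once their expiry passes;
  * privileged accounts idle past a threshold: identified automatically,
    then queued for a documented approval before anything is disabled;
  * a temporary/emergency account with no expiry is a policy gap and is
    reported rather than silently skipped.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

INACTIVE_DAYS = 45                    # assumed threshold; use the agency's own value
TEMP_KINDS = {"temporary", "emergency"}


@dataclass
class Account:
    name: str
    kind: str                         # "standard", "temporary" or "emergency"
    privileged: bool
    enabled: bool
    last_logon: Optional[datetime]    # None means the account has never logged on
    expires: Optional[datetime] = None  # required for temporary/emergency accounts


@dataclass
class SweepResult:
    auto_disabled: list = field(default_factory=list)   # names disabled by the sweep itself
    approval_queue: list = field(default_factory=list)  # (name, idle_days or None) awaiting sign-off
    policy_errors: list = field(default_factory=list)   # (name, reason) the sweep cannot act on


def sweep(accounts, now, inactive_days=INACTIVE_DAYS):
    """Apply the two-track policy to every enabled account and report what happened."""
    cutoff = now - timedelta(days=inactive_days)
    result = SweepResult()
    for acct in accounts:
        if not acct.enabled:
            continue                                    # already disabled; nothing to do
        if acct.kind in TEMP_KINDS:
            if acct.expires is None:
                result.policy_errors.append((acct.name, "no expiry set"))
            elif acct.expires <= now:
                acct.enabled = False                    # machine-enforced: expiry has passed
                result.auto_disabled.append(acct.name)
            continue
        if acct.privileged and (acct.last_logon is None or acct.last_logon < cutoff):
            idle = (now - acct.last_logon).days if acct.last_logon else None
            result.approval_queue.append((acct.name, idle))   # human-gated: queue only
    return result


def apply_approvals(accounts, result, approvals):
    """Disable only accounts the sweep queued AND that carry a named approver and ticket."""
    queued = {name for name, _ in result.approval_queue}
    by_name = {a.name: a for a in accounts}
    disabled, rejected = [], []
    for name, approver, ticket in approvals:
        if name in queued and approver and ticket:
            by_name[name].enabled = False
            disabled.append((name, approver, ticket))
        else:
            rejected.append(name)                       # approval for something never queued
    return disabled, rejected


def sample_accounts(now):
    """Constructed directory extract; names and dates are invented."""
    d = lambda n: now - timedelta(days=n)
    return [
        Account("admin.alice", "standard", True, True, d(3)),
        Account("admin.bob", "standard", True, True, d(90)),
        Account("svc.backup", "standard", True, True, None),
        Account("admin.dave", "standard", True, False, d(400)),
        Account("user.carol", "standard", False, True, d(200)),
        Account("break-glass-01", "emergency", True, True, d(2), expires=d(1)),
        Account("contractor.tmp", "temporary", False, True, d(5), expires=now + timedelta(days=10)),
        Account("contractor.old", "temporary", False, True, d(60)),
    ]


def run_example(now=None):
    """Run the sweep, then apply one valid and one invalid approval."""
    now = now or datetime(2023, 3, 1, tzinfo=timezone.utc)
    accounts = sample_accounts(now)
    result = sweep(accounts, now)
    approvals = [("admin.bob", "ciso", "CHG-0042"),      # queued: will be disabled
                 ("admin.alice", "ciso", "CHG-0043")]    # never queued: rejected
    disabled, rejected = apply_approvals(accounts, result, approvals)
    return accounts, result, disabled, rejected


if __name__ == "__main__":
    _, res, dis, rej = run_example()
    print("auto-disabled:", res.auto_disabled)
    print("awaiting approval:", res.approval_queue)
    print("policy errors:", res.policy_errors)
    print("disabled after approval:", dis, "rejected:", rej)
```

The design point is that `apply_approvals` refuses to disable anything the sweep did not itself queue, so the approval record and the automated finding have to agree before a privileged account is touched; that is the auditable trail an OIG validator would look for. Non-privileged inactive users (`user.carol`) are deliberately outside this sweep's scope, since the recommendation concerns privileged accounts.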

Recommendation 8:

Continue efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Agency Response Dated March 1, 2023:

The IT team will continue to work with the Records Management staff in the Division of Operational Services (DOS) to better define the data loss prevention policies in DNFSB's Office 365 tenant.

DNFSB anticipates completing this task by end of Q3 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues its efforts to implement data loss prevention functionality for the Microsoft Office 365 environment.

Status:

Open: Resolved.

Recommendation 9:

Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.

Agency Response Dated March 1, 2023:

Requirements for strong authentication and federated identities (ICAM) will be included in the Zero Trust Architecture (ZTA) Implementation Plan discussed above, which DNFSB completed.

DNFSB is participating in the CDM program's planning efforts for ICAM capabilities, and will participate once the CDM ICAM capabilities are finalized; no estimated completion date is available until CDM finalizes its ICAM service offerings.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal ICAM architecture and OMB M-19-17, and phase 2 of DHS's Continuous Diagnostics and Mitigation (CDM) program.

Status:

Open: Resolved.

Recommendation 10:

Conduct the agency's annual breach response plan exercise for FY 2021.

Agency Response Dated March 1, 2023:

DNFSB updated the current Breach Response Plan on 9/29/22 to ensure it meets the requirements laid out in OMB M-17-12 and then performed a formal exercise that specifically includes activating the Breach Response Plan (also on 9/29/22).

DNFSB will request closure of this Recommendation.

OIG Analysis:

The OIG will close this recommendation when the DNFSB provides documentation that it conducted the agency's annual breach response plan exercise for FY 2022.

Status:

Open: Resolved.

Recommendation 11:

Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.

Agency Response Dated March 1, 2023:

DNFSB requested this recommendation be closed in CLOSURE OF FY21 AND FY22 FISMA AUDIT RECOMMENDATIONS memo dated 8/19/22.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.

Status:

Open: Resolved.

Recommendation 12:

Formally document requirements and procedures for the completion of role-based training and enforcement methods in place for individuals who do not complete role-based training.

Agency Response Dated March 1, 2023:

DNFSB requested this recommendation be closed in CLOSURE OF FY21 AND FY22 FISMA AUDIT RECOMMENDATIONS memo dated 8/19/22.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis:

Based on subsequent discussions with the Executive Director of Operations (EDO) and documentation provided by the DNFSB, this recommendation is open and resolved. The OIG will close this recommendation when the DNFSB formally documents in DNFSB guidance and/or directives the requirements and procedures for the completion of role-based training and enforcement methods in place for individuals who do not complete the role-based training.

Status:

Open: Resolved.

Recommendation 13:

Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Agency Response Dated March 1, 2023:

DNFSB will consider this recommendation closed once an external assessment of the DNFSB is performed and an updated Authority to Operate (ATO) is granted for the DNFSB GSS per the updated assessment procedures contained in the updated version of the RMF Handbook.

DNFSB began an engagement with DOI in February 2023 and anticipates completing the external security assessment of the DNFSB GSS in Q3 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB continues current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Status:

Open: Resolved.

Recommendation 14:

Update the DNFSB ISCM policies and procedures to clearly define what needs to be monitored at the system and organization levels.

Agency Response Dated March 1, 2023:

Procedures for conducting security control assessments at the system or organization level are included in the Risk Management Framework Handbook, not the Continuous Monitoring Policies and Procedures Guide, and DNFSB has updated its Risk Management Framework (RMF) Handbook to refine existing monitoring and assessment procedures to support ongoing authorization of DNFSB information systems more effectively. A draft version of this document was provided to the FISMA auditors during their fieldwork in response to a PBC item request; subsequent updates have been made, and it is pending formal approval by the DNFSB CIO.

DNFSB updated its Continuous Monitoring Policies and Procedures Guide and Risk Management Framework Handbook on 9/29/22. DNFSB will request closure of this Recommendation.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates its ISCM policies and procedures to clearly define what needs to be monitored at the system and organization levels.

Status:

Open: Resolved.

Recommendation 15:

Define standard operating procedures for the use of the agency's continuous monitoring tools or update the continuous monitoring plan to include the use of new monitoring tools.

Agency Response Dated March 1, 2023:

DNFSB updated its Continuous Monitoring Policies and Procedures Guide to document the specific monitoring tools in use.

DNFSB anticipates SOPs for the use of all CM tools by Q4 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines standard operating procedures for the use of the agency's continuous monitoring tools or updates the continuous monitoring plan to include the use of new monitoring tools.

Status:

Open: Resolved.

Recommendation 16:

Define the qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program.

Agency Response Dated March 1, 2023:

DNFSB has updated documents supporting the ISCM program and will request closure of this Recommendation.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines the qualitative and quantitative performance measures that will be used to assess the effectiveness of its ISCM program.

Status:

Open: Resolved.

Recommendation 17:

Define handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.

Agency Response Dated March 1, 2023:

DNFSB updated its Cyber Playbook v 1.5 document on 9/29/22 which lays out step-by-step response actions to take for different types of incidents, including identifying precursors for different event types. DNFSB will request closure of this Recommendation.

OIG Analysis:

The OIG will close this recommendation when the DNFSB defines handling procedures for specific types of incidents, processes and supporting technologies for detecting and analyzing incidents, including the types of precursors and indicators and how they are generated and reviewed for prioritizing incidents.

Status:

Open: Resolved.

Recommendation 18:

Consistently test the incident response plan annually.

Agency Response Dated March 1, 2023:

DNFSB tested its incident response plan on 9/29/22.

DNFSB provided evidence of this testing during the course of the audit. DNFSB will request closure of this Recommendation.

Note: This recommendation was rejected by OGM.

OIG Analysis:

This response meets the intent of the recommendation. The OIG will close this recommendation when the DNFSB consistently tests the incident response plan.

Status:

Open: Resolved.

Recommendation 19:

Update the agency's incident response plan to reflect the US-CERT incident reporting guidelines.

Agency Response Dated March 1, 2023:

DNFSB requested this recommendation be closed in CLOSURE OF FY21 AND FY22 FISMA AUDIT RECOMMENDATIONS memo dated 8/19/22.

Awaiting OIG validation as part of the FY23 FISMA Audit fieldwork.

OIG Analysis:

The OIG will close this recommendation when the DNFSB updates the agency's incident response plan to reflect the US-CERT incident reporting guidelines.

Status:

Open: Resolved.

Recommendation 20:

Allocate and train staff with significant incident response responsibilities.

Agency Response Dated March 1, 2023:

DNFSB will identify appropriate training for staff with significant incident response responsibilities (including staff outside of the IT division) and ensure they complete the agency-defined training.

DNFSB anticipates completing this task by end of Q2 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB allocates and trains staff with significant incident response responsibilities.

Status:

Open: Resolved.

Recommendation 21:

Configure all incident response tools in place to be interoperable and to collect and retain relevant and meaningful data consistent with the incident response policy, plans, and procedures.

Agency Response Dated March 1, 2023:

DNFSB has deployed Microsoft Sentinel as its centralized Security Incident and Event Management (SIEM) tool.

DNFSB will request closure of this Recommendation.

OIG Analysis:

The OIG will close this recommendation when the DNFSB configures all incident response tools in place to be interoperable and to collect and retain relevant and meaningful data consistent with the incident response policy, plans, and procedures.

Status:

Open: Resolved.

Recommendation 22:

Develop and track metrics related to the performance of contingency planning and recovery related activities.

Agency Response Dated March 1, 2023:

DNFSB will develop metrics related to contingency planning and recovery related activities by Q3 FY23.

Note: This recommendation was rejected by OGM.

OIG Analysis:

Based on subsequent discussions with the EDO, and DNFSB acknowledgment that it will consider the best process to develop and track metrics for the performance of contingency planning and recovery related activities, this recommendation is open and resolved. The OIG will close this recommendation when the DNFSB documents in its guidance and/or directives metrics and a tracking mechanism related to the performance of contingency planning and recovery related activities.

Status:

Open: Resolved.

Recommendation 23:

Conduct a business impact assessment at least once every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.

Agency Response Dated March 1, 2023:

DNFSB will conduct a BIA by Q2 FY23.

OIG Analysis:

The OIG will close this recommendation when the DNFSB conducts a business impact assessment at least once every two years to assess mission essential functions and incorporates the results into strategy and mitigation planning activities.

Status:

Open: Resolved.

Recommendation 24:

Implement role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.

Agency Response Dated March 1, 2023:

At the DNFSB, the same staff that have significant incident response capabilities also have contingency planning and disaster recovery responsibilities, so DNFSB will identify appropriate training for staff with significant contingency planning and disaster recovery responsibilities (including staff outside of the IT division) and ensure they complete the agency-defined training.

DNFSB anticipates completing this task by end of Q2 FY 2023.

OIG Analysis:

The OIG will close this recommendation when the DNFSB implements role-based training for individuals with significant contingency planning and disaster recovery related responsibilities.

Status:

Open: Resolved.