On this Page:
- Computer Security Office
- Policy, Compliance and Training Team
- Cyber Situational Awareness, Analysis, and Response Team
Director/Chief Information Security Officer: Thomas Rich
Responsible for planning, directing, and overseeing the implementation of a comprehensive, coordinated, integrated and cost-effective NRC Information Technology (IT) Security Program, consistent with applicable laws, regulations, Commission, Executive Director for Operations and Deputy Executive Director for Corporate Management direction, management initiatives and policies. Agency-level liaison with external entities on mutual cybersecurity interests; formulates and oversees a cybersecurity program budget; and proposes and successfully advocates appropriate agency-level cybersecurity guidelines.
Director of CSO functions as the NRC's Chief Information Security Officer (CISO). Ensures appropriate, effective, and efficient NRC-wide integration, direction and coordination of IT security planning and performance within the framework of the NRC IT Security Program and with related Office of Information Services activities. Provides vision, leadership, and oversight in developing and promulgating an end-to-end, comprehensive cybersecurity architecture, which is integrated with NRC's enterprise architecture. Provides credible, cogent, and timely advice and counsel to the Chairman, Commission, and NRC senior management on programmatic, infrastructure, and administrative aspects of cybersecurity. Guides security process maturity within the NRC; advocates these concepts to NRC organizations; and makes necessary adjustments to components of the cybersecurity program to counter the evolving threat to information technology.
Policy, Compliance and Training Team
Senior IT Security Officer/Team Leader: Kathy Lyons-Burke
Develops, coordinates, and maintains the NRC cybersecurity policies (Management Directives & Handbook); develops policies in support of new requirements such as those required by the National Institutes of Standards and Technology (NIST) publications, Homeland Security Presidential Directives, etc.; communicates cybersecurity policies, directives, and requirements to NRC staff; develops, coordinates, and maintains comprehensive computer security awareness training and the tracking of mandatory training programs; leads the program for the agency's Information System Security Officers; and chairs the Standards Working Group. Conducts IT security risk analyses and reviews and ensures that actions are taken by system owners to address any vulnerabilities identified. Serves as the Designated Representative to the Designated Approval Authority (DAA) for Systems Certification and Accreditation (C&A) activities. Reviews systems certification packages submitted for accreditation and makes recommendations to the DAA (three Deputy Executive Directors). Tracks and provides oversight and support for the C&A efforts across NRC. Reviews and approves security categorization documents. Oversees and assists organizations in completing and maintaining their individual C&A programs. Tracks and validates Plan of Action and Milestones (POA&M) items; and analyzes POA&M's for quality of content and practicality of remediation. Conducts risk assessments, security testing, provides in-depth oversight and analysis, and ensures that all programs are making consistent progress in mitigating identified weaknesses, in conjunction with system owners. Provides system security technical information, advice, support and consultation services to system owners in the area of computer security and compliance during system development or accreditation activities. Provides authoritative assistance, consultation, and guidance in the area of computer security and compliance and ensures that agency programs comply with Federal guidance including, but not limited to the Federal Information Security Management Act, Office of Management and Budget (OMB), and General Accounting Office guidance.
Cyber Situational Awareness, Analysis, and Response Team
Senior IT Security Officer/Team Leader: Thorne Graham
Serves as the focal point for the NRC for receiving, tracking, monitoring, and reporting of computer security incidents. Monitors NRC's IT security vulnerabilities, maintains an awareness of the threat to NRC's IT infrastructure, and provides appropriate information to senior NRC officials so they maintain an up-to-date awareness of the threat and NRC's vulnerability to that threat. Provides a centralized capability for reporting of cyber-related security incidents against NRC's internal information technology infrastructure. Monitors the NRC intrusion detection and intrusion prevention systems. Maintains an information security incident response report database, conducts trending analysis of events, and recommends actions to minimize or prevent releases. Reviews actions and conducts root cause analysis of NRC information security incidents. Directly interfaces with the Infrastructure and Computer Operations Division and other IT staff within the NRC on patch review and applicability of patches to ensure prioritization. Coordinates activities and responses to internal NRC cyber-related security incidents with appropriate offices. Communicates relevant computer security information such as security alerts, advisories and bulletins, software vulnerability data and reports, vendor patch notifications, virus alerts and other relevant security information. Provides an electronic clearinghouse for information assurance tools, anti-virus software, recommended or best practice security guidelines. Serves as the primary reporting authority to the United States Computer Emergency Readiness Team, OMB, law enforcement and criminal investigative groups in the reporting of cyber-related attacks against NRC's infrastructure. Serves as NRC Observer to the Committee on National Security Systems. Participates in relevant Federal computer security groups such as the National Cyber Response Coordination Group and Government Forum of Incident Response and Security Teams. Conducts penetration testing and vulnerability scanning of NRC's network.