OIG/97A-06 - Survey of NRC Actions to Secure its Sensitive Information Systems
- Report Synopsis
- Results of Survey
- Objectives, Scope, and Methodology
- Major Contributors to this Report
- Glossary: Office of the Inspector General Products
Office of the Inspector General
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555-0001
March 21, 1997
Memorandum To: Anthony J. Galante, Chief Information Officer
From: Thomas J. Barchi, Assistant Inspector General for Audits
Subject: Survey of NRC Actions to Secure its Sensitive Information Systems
Attached is the Office of the Inspector General's (OIG) audit report entitled "Survey of NRC Actions to Secure its Sensitive Information Systems". In December 1992, OIG issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program" which contained recommendations for strengthening the program. This work focused on (1) following up on the implementation of those recommendations and (2) gathering current information on NRC's protection of its sensitive information systems.
Our work found that NRC has implemented our prior recommendations and taken initiatives to strengthen the computer security program. Given the NRC initiatives and other Government activities underway in the computer security area, we have decided not to perform further work at this time. Because we are making no recommendations to the agency regarding our findings, we are issuing this report without obtaining formal agency comments.
Report Synopsis
In 1991, Los Alamos National Laboratory performed an independent review of the Nuclear Regulatory Commission's (NRC) computer security program which identified significant weaknesses in the protection of NRC sensitive information systems. In December 1992, the Office of the Inspector General (OIG) noted that many of these weaknesses had not been corrected. OIG issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program"(1) which recommended that NRC (1) develop a detailed action plan to address the Los Alamos findings, and (2) identify the weaknesses as material in the annual report required by the Federal Managers' Financial Integrity Act. NRC developed and implemented a plan to address the weaknesses, and reported all weaknesses as corrected in November 1994.
The objectives of this survey were to follow up on the 1992 recommendations and to gather current information on NRC's protection of its sensitive information systems. Our survey found that actions taken by NRC are complete and appear to have strengthened the security of NRC's sensitive information systems. We also found that there are a number of Government-wide and NRC initiatives underway in the computer security area. Given the status of these initiatives, we have decided not to conduct further work at this time. However, we will follow up at a later date when these efforts are complete.
In December 1992, the Office of the Inspector General (OIG) issued an audit report entitled "Significant Weaknesses Hamper NRC's Computer Security Program"(2). This report was based on information from an independent review of the Nuclear Regulatory Commission's (NRC) computer security program by the Los Alamos National Laboratory. Los Alamos reported significant findings regarding the protection of NRC sensitive information systems(3). To strengthen the NRC computer security program, OIG recommended that the Director, Office of Information Resources Management (IRM), (1) develop a detailed action plan to address the Los Alamos findings, and (2) identify the weaknesses in the computer security program as a material weakness as required by Office of Management and Budget (OMB) Circular No. A-123 and Section 2 of the Federal Managers' Financial Integrity Act (FMFIA), P.L. 97-255.
NRC undertook a series of corrective actions to improve its computer security program, and reported that all actions were complete as of November 1994. The objectives of this survey were to (1) follow up on the implementation of the 1992 recommendations and (2) gather current information on NRC's protection of its sensitive information systems. Additional information regarding the objectives, scope, and methodology can be found in Appendix I of this report.
In fulfilling the agency's mission, NRC management and its technical and administrative staffs depend heavily on data obtained from automated information systems maintained within the agency. Consequently, protecting these information systems and their data from theft, abuse, and tampering is vitally important to the NRC. This is particularly true for sensitive information systems. The Financial Management, Computer Security, and Administrative Support Staff, IRM, is responsible for managing NRC's computer security program.
In November 1991, Los Alamos National Laboratory completed an independent compliance review of NRC's computer security program. Los Alamos reported numerous findings which raised significant concerns regarding the adequacy of the program. Although NRC had implemented half of the Los Alamos recommendations, the agency had no implementation plan for the remaining weaknesses, which raised serious concerns about the protection of NRC's sensitive information systems:
Systems tests, certification(4), and accreditation(5) were not performed;
Configuration management(6) guidelines were not established;
NRC had not identified potential threats;
The NRC computer security policy was outdated; and
The staffing and organizational placement of the computer security function were questionable.
NRC reported these conditions as a material weakness in its 1992 FMFIA report and, in January 1993, developed a plan to address the weaknesses. The plan was fully implemented and the material weakness was closed in November 1994. The following table details how the weaknesses were addressed:
| Weakness | Corrective action | Status and date |
|---|---|---|
| Systems tests, certification, and accreditation were not performed. | Under contract, Los Alamos developed a methodology for systems tests of differing computing environments. These minimum controls were included in the revised computer security policy, Management Directive 12.5 Handbook. | Included in draft Management Directive in July 1993. Sensitive systems were certified and accredited as of November 1994. Management Directive finalized in May 1995. |
| Configuration management guidelines did not exist. | Under contract, Los Alamos established criteria for configuration management changes for systems processing sensitive data. These criteria were included in the revised computer security policy, Management Directive 12.5 Handbook. | Included in draft Management Directive in July 1993. Management Directive finalized in May 1995. |
| Threats were not identified. | Under contract, the National Institute of Standards and Technology developed a threat profile and training materials. | Threat analysis study delivered in July 1993. Training materials delivered in August 1993. |
| Computer security policy was outdated. | Under contract, Los Alamos developed NRC Management Directive 12.5 Handbook. | Management Directive draft delivered in July 1993. Management Directive finalized in May 1995. |
| Staffing and organizational placement of the computer security function were questionable. | IRM reorganized; the computer security function now reports directly to the Director, IRM. | February 1994. |
Results of Survey
Our survey found that NRC has satisfactorily completed its actions to remediate the weaknesses identified by Los Alamos. The systems we sampled had documentation regarding systems testing, threats, configuration management, certification, and accreditation. NRC has developed a threat analysis and has included threat information in Management Directive 12.5 as well as in the annual computer security awareness training. This training is mandatory for all agency employees. The revised Management Directive and reorganization of IRM have addressed the security concerns raised by the Los Alamos study. We reviewed a sample of NRC's sensitive information systems and found that the Management Directive guidance was followed.
Currently, there are a number of Government-wide and NRC initiatives underway in the computer security area. In recognition of the potential threats to national defense and the country's economic security, the President has established a Commission to address both physical and cyber threats to the country's critical infrastructure(7). In addition, OMB is developing guidelines to give updated direction regarding the protection of Government information. Further, NRC has on-going and planned initiatives addressing various computer security concerns. NRC has recently tested the security of its local and wide area network and is addressing the findings of those tests through its network upgrade. Also, NRC is studying the possibility of developing networks that can safely process classified information.
We believe the actions taken by NRC have adequately addressed our prior recommendations and go a long way to strengthen the security of NRC's sensitive information systems. On-going initiatives in this area may significantly affect NRC's computer security program in the future. As guidance and recommendations may be forthcoming from the Presidential Commission, as well as from OMB or as a result of a NRC initiative, we have decided not to conduct further work at this time. We will, however, follow up on this area at a later date, when NRC initiatives and Executive-level guidance are complete.
Objectives, Scope, and Methodology
The objectives of this survey were (1) to follow up on prior audit recommendations(8) regarding the NRC computer security program and (2) to gather current information on NRC's protection of its sensitive information systems. We interviewed officials in the Offices of Information Resources Management, Nuclear Reactor Regulation, Nuclear Materials Safety and Safeguards, Comptroller, Personnel, and Administration. We reviewed the current Office of Management and Budget guidance, the Computer Security Act of 1987, Executive Order 13010, and the Information Technology Management Reform Act of 1996.
We examined the management controls for NRC's information systems security program. To evaluate these controls, we reviewed NRC Management Directive and Handbook 12.5, "NRC Automated Information Systems Security Program", and tested its implementation on a sample of sensitive information systems.
This survey was performed in accordance with generally accepted Government auditing standards during the period December 1996 through January 1997 at NRC Headquarters.
Major Contributors to this Report
Corenthis B. Kelley, Team Leader
Judith L. Leonhardt, Senior Auditor
Glossary: Office of the Inspector General Products
1. Investigative Report - White Cover
An Investigative Report documents the pertinent facts of a case and describes the available evidence relevant to allegations against individuals, including aspects of an allegation that were not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to the report's findings.
2. Event Inquiry - Green Cover
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.
3. Management Implications Report (MIR) - Memorandum
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.
4. Audit Report - Blue Cover
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.
5. Special Evaluation Report - Burgundy Cover
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.
6. Regulatory Commentary - Brown Cover
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review; state the specific law, regulation, or policy examined and the pertinent background information considered; and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.
1. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.
2. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.
3. Sensitive information includes information that, if improperly used or disclosed, could adversely affect the ability of an agency to accomplish its mission. It requires protection due to the risk and magnitude of loss or harm that could result from its inadvertent or deliberate disclosure, alteration, or destruction.
4. Certification is the technical evaluation (made as part of and in support of the accreditation process) that establishes the extent to which a particular computer system or network design and implementation meets a pre-specified set of security requirements.
5. Accreditation is the authorization and approval granted to an automatic data processing system or network to process sensitive data in an operational environment. The decision is made on the basis of a certification by designated technical personnel of the extent to which design and implementation of the system meet pre-specified technical requirements for achieving adequate data security.
6. Configuration management is the use of appropriate procedures for controlling changes to a system's hardware and software structure for the purpose of ensuring that such changes will not lead to a decrease in data security.
7. The Commission on Critical Infrastructure Protection established by Executive Order 13010. Infrastructure includes telecommunications, electrical power systems, transportation systems, emergency services, and continuity of Government.
8. Significant Weaknesses Hamper NRC's Computer Security Program, OIG/92A-18, December 15, 1992.