The Nuclear Regulatory Commission is failing to perform required continuous monitoring activities and to remediate other security weaknesses it has known about for years, a new report from NRC’s Office of the Inspector General found.
With the help of a third-party independent auditor, the OIG found that NRC continues to improve its IT system security and apply recommendations from prior Federal Information Security Management Act-based evaluations. Despite that, the commission still lacks many vital security practices and therefore “NRC cannot ensure the effectiveness of information security controls for NRC systems and cannot identify and control risk,” the report states.
Of most concern is NRC’s struggle with continuous monitoring. The IG report found the commission failed to comply with updated continuous monitoring standards, in particular neglecting to complete annual security control assessments. Likewise, NRC did not update its systems to reflect the new standards in the National Institute of Standards and Technology’s Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” released in April 2013.
“For systems operating under [a continuous authorization to operate], continuous monitoring is essential for determining risk associated with systems and for ensuring risk-based decisions are made concerning continued system operation,” the OIG report states. “If continuous monitoring activities are not performed as required, NRC cannot ensure the effectiveness of the information security controls for NRC systems and cannot identify and control risk.”
To remedy the situation, the OIG recommends NRC update all noncompliant continuous monitoring operations to reflect the NIST standard.
The OIG was also troubled that several recommendations from prior FISMA evaluations had still not been implemented. The audit found inconsistent configuration management across several NRC systems, an issue raised in earlier reports. These vulnerabilities were first identified in a fiscal year 2011 report, and many still linger. The report shows the agency was aware of the configuration issues.
“Vulnerability scanning performed as part of security control assessment activities identified numerous vulnerabilities that demonstrate non-compliance with required baseline configurations in half of NRC’s operational systems,” the report says. “These are vulnerabilities that have been identified by the agency as actual weaknesses requiring remediation and most are being tracked on the agency’s [plan of action].”
Additionally, NRC failed to address all known security vulnerabilities in its FISMA- and NIST-required plan of action and milestones (POA&M) documentation. And where weaknesses were documented, the report says, they were not dealt with in a timely manner. The report recommends NRC address this issue based on the findings of its 2012 and 2013 audits; without a complete plan of action, it says, the effectiveness of corrective efforts cannot be measured.
A commission spokesman said NRC is reviewing the report and plans to respond to the Office of Inspector General.
“The NRC takes its information security responsibilities seriously,” the spokesman said. “While we are pleased that the report’s conclusions are mostly positive, we value any recommendations for improving our performance in this important arena.”