Nation's nuclear power watchdog comes up short on FISMA compliance

By George V. Hulme, CSO
December 20, 2011 10:20 AM ET

CSO - Like most big organizations with complex infrastructures, the Nuclear Regulatory Commission (NRC) is having trouble consistently maintaining its vulnerability and risk management programs.

That was the key takeaway of a recently published report that detailed the findings of an independent audit conducted by Richard S. Carson & Associates, Inc., that examined the NRC's implementation of the Federal Information Security Management Act (FISMA), which requires federal agencies to develop and maintain an information security program.

According to the report, the U.S. nuclear reactor safety and security watchdog has made some improvements in its IT security efforts, but also has much more work to do. "While the agency has continued to make improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified three information system security program weaknesses," the report said.

Areas in need of improvement include bolstering its Plan of Action and Milestones, development of an organization-wide risk management strategy, and consistently implementing its configuration management procedures.

The NRC did manage to make considerable headway in FY 2011. The report said the agency completed security assessment and authorization of a number of additional agency and contractor systems, and made progress in security planning, annual security control testing and annual contingency plan testing, along with numerous updates to its security processes and standards.

Based on the findings of this year's audit, however, the Office of the Inspector General recommended a number of improvements in the report:

  1. Develop and implement an organization-wide risk management strategy that is consistent with NIST SP 800-37 and NIST SP 800-39.
  2. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure standard baseline configurations are implemented for all systems.
  3. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure baseline configurations are documented for all systems.
  4. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure software compliance assessments, including vulnerability assessments, are performed as required: (i) before a system is connected to the NRC production environment, (ii) during security test and evaluation of systems, and (iii) as part of the agency's continuous monitoring environment.
  5. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure all system components are included in requisite software compliance assessments.
  6. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure all identified vulnerabilities, including configuration-related vulnerabilities, scan findings, and security patch-related vulnerabilities, are remediated in a timely manner in accordance with the timeframes established by NRC.

Although the NRC has not yet reached the level of FISMA compliance required of it, experts don't think that necessarily means its systems are insecure.
