CSO - Like most big organizations with complex infrastructures, the Nuclear Regulatory Commission (NRC) is having trouble consistently maintaining its vulnerability and risk management programs.
That was the key takeaway of a recently published report detailing the findings of an independent audit, conducted by Richard S. Carson & Associates, Inc., of the NRC's implementation of the Federal Information Security Management Act (FISMA), which requires federal agencies to develop and maintain an information security program.
According to the report, the U.S. nuclear reactor safety and security watchdog has made some improvements in its IT security efforts, but also has much more work to do. "While the agency has continued to make improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified three information system security program weaknesses," the report said.
Areas in need of improvement include bolstering its Plan of Action and Milestones, developing an organization-wide risk management strategy, and consistently implementing its configuration management procedures.
The NRC did manage to make considerable headway in FY 2011. The report said the agency completed security assessment and authorization of a number of additional agency and contractor systems, and made progress in security planning, annual security control testing, and annual contingency plan testing, along with numerous updates to its security processes and standards.
Based on the findings of this year's audit, however, the Office of the Inspector General recommended a number of improvements in the report:
Although the NRC has not yet reached the level of FISMA compliance required of it, experts don't think that necessarily means its systems are insecure.