Independent Evaluation of the DNFSB’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Submitting OIG:

Nuclear Regulatory Commission OIG

Date Issued:

Thursday, March 25, 2021

Agency Reviewed / Investigated:

Defense Nuclear Facilities Safety Board

Submitting OIG-Specific Report Number:

DNFSB-21-A-04

Type of Report:

Inspection / Evaluation

Questioned Costs:

Funds for Better Use:

View Document:

Attachment	Size
DNFSB-21-04-DNFSB-FISMA-FY-2020-FINALBXK.pdf	391.73 KB

Recommendation Number	Recommendation Status	Significant Recommendation
1	Open	Yes
STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE DNFSB’S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020
1	Open	Yes
Define an ISA in accordance with the Federal Enterprise Architecture Framework.
2	Open	Yes
Use the fully defined ISA to: a. Assess enterprise, business process, and information system level risks; b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions; c. Conduct an organization wide security and privacy risk assessment; and, d. Conduct a supply chain risk assessment.
3	Open	Yes
Using the results of recommendations one (1) and two (2) above: a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations; b. Utilize guidance from the National Institute of Standards in Technology (NIST) Special Publication (SP) 800-55 (Rev. 1) – Performance Measurement Guide for Information Security to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program; c. Implement a centralized view of risk across the organization; and, d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.
4	Open	Yes
Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency’s network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout, and KACE solutions.
5	Open	Yes
Conduct remedial training to re-enforce requirements for documenting CCB’s approvals and security impact assessments for changes to the DNFSB’s system in accordance with the agency’s Configuration Management Plan.
6	Open	Yes
Implement procedures and define roles for reviewing configuration change activities to the DNFSB’s information system production environment by those with privileged access to verify the activity was approved by the system CCB and executed appropriately.
7	Open	Yes
Implement a technical capability to restrict new employees and contractors from being granted access to the DNFSB’s systems and information until a non-disclosure agreement is signed and uploaded to a centralized tracking system.
8	Open	Yes
Implement the technical capability to require PIV or Identification and Authentication Level of Assurance (IAL) 3 to all DNFSB privileged accounts.
9	Open	Yes
Implement automated mechanisms (e.g. machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

Open

Yes

STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE DNFSB’S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020

Open

Yes

Define an ISA in accordance with the Federal Enterprise Architecture Framework.

Open

Yes