Open Recommendations
Recommendation Number | Recommendation | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---|---
7 | Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service. | Yes | $0 | $0 | Agency Response Dated August 22, 2024 (ADAMS Accession No. ML24285A157): The tools and technologies required for automated scanning and detection of counterfeit information technology (IT) assets in the NRC’s environment are not yet available. However, in April 2021, the NRC developed CSO-PROS-0006, “Counterfeit and Compromised ICT Product Detection Process,” to ensure that counterfeit products are detected before they are added to the NRC’s environment. In addition, Section 6, “After Acceptance,” of CSO-PROS-0006 outlines the requirement for automated scanning and detection and will be updated when the associated tools and technologies are available industrywide. In the rare instances when physical IT components are awaiting repair, those components are maintained and managed in NRC-controlled physical space. The appropriate NRC staff members generally vet any third-party service personnel and replacement parts. The NRC will update CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts to detect counterfeit parts and other components and prevent them from being added to its environment. Target Completion Date: FY 2025, first quarter (Q1). OIG Analysis: The OIG will close this recommendation after confirming that the NRC has implemented processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service. Status: Open: Resolved.
8 | Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components. | Yes | $0 | $0 | Agency Response Dated August 22, 2024: Pursuant to the Supply Chain Security Training Act of 2021 (Public Law 117-145), the General Services Administration is required to develop training for Federal officials with supply chain management responsibilities. The NRC will leverage this training for role holders, which will be implemented by the Office of Management and Budget, when it becomes available. Additionally, in April 2021, the NRC developed CSO-PROS-0006, aimed at those who hold supply chain risk management roles and responsibilities to ensure that counterfeit products are detected before being added to the NRC’s environment. Target Completion Date: FY 2025, Q3. OIG Analysis: The OIG will close this recommendation after confirming that the NRC has developed and implemented role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components. Status: Open: Resolved. Pursuant to the Supply Chain Security Training Act of 2021 (Public Law 117-145), the General Services Administration is required to develop training for Federal officials with supply chain management responsibilities. The NRC will leverage this training, which will be implemented by the Office of Management and Budget, when it becomes available. Target Completion Date: FY 2024, Q3.
11 | Update user system access control procedures to include the requirement for individuals to complete non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information. | Yes | $0 | $0 | Agency Response Dated August 22, 2024: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the target date has been adjusted. Target Completion Date: FY 2025, Q3. OIG Analysis: The OIG will close this recommendation after confirming that the NRC has updated user system access control procedures to include the requirement for individuals to complete non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information. Status: Open: Resolved. The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the target date has been adjusted. Target Completion Date: FY 2024, Q3.
13 | Implement the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implement the technical capability to capture NRC employees’ and contractors’ initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place. | Yes | $0 | $0 | Agency Response Dated August 22, 2024: The NRC will implement a technical capability to capture NRC employees’ and contractor personnel’s initial login dates or equivalent so that the process currently in place can accurately track and manage the required cybersecurity awareness and role-based training. Target Completion Date: FY 2025, Q3. OIG Analysis: The OIG will close this recommendation after confirming that the NRC has implemented the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implemented the technical capability to capture NRC employees’ and contractors’ initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place. Status: Open: Resolved. The creation of a separate, secure system to perform this security awareness and role-based training activity is not deemed cost effective since it would require the duplication of existing hardware, software, and support services. It would also redirect staff from other network operations and maintenance tasks, which could cause security and operational issues to the main network and reduce the NRC’s ability to provide mission-focused services. The NRC estimates that this would increase costs across the Information Technology/Information Management Business Line, including hardware, software, operational maintenance, and NRC staff and contractual support resources, by nearly $1 million annually. This estimated cost does not include any changes that would be required by the Office of the Chief Human Capital Officer for its training system or resources. Rather than implement this specific recommendation, the NRC plans to add to its onboarding process streamlined security training that contains the Rules of Behavior but does not contain sensitive information. The onboarding process occurs before employees and contractors gain access to the NRC network. The agency will also strengthen its post-onboarding process to ensure that new employees and contractors complete all required security awareness and role-based training, including acknowledging the Rules of Behavior, within the required timeframe. These changes, along with the personnel security processing that occurs before onboarding, make this a low risk to NRC systems. The NRC will provide more information upon request. Target Completion Date: The NRC recommends closure of this item.