Like most big organizations with complex infrastructures, the Nuclear Regulatory Commission (NRC ) is having trouble consistently maintaining its vulnerability and risk management programs.
That was the key takeaway of a recently published report that detailed the findings of an independent audit conducted by Richard S. Carson & Associates, Inc., that examined the NRC's implementation of the Federal Information Security Management Act (FISMA), which requires federal agencies to develop and maintain an information security program.
According to the report, the U.S. nuclear reactor safety and security watchdog has made some improvements in its IT security efforts, but also has much more work to do. "While the agency has continued to make improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified three information system security program weaknesses," the report said.
Areas in need of improvement include bolstering its Plan of Action and Milestones, development of an organization-wide risk management strategy, and consistently implementing its configuration management procedures.
The NRC did manage to make considerable headway in FY 2011. The report said the agency completed security assessment and authorization of a number of additional agency and contractor systems, as well as progress in the areas of security planning, annual security control testing, annual contingency plan testing, as well as numerous security process and standards updates.
Based on the findings of this year's audit, however, the Office of the Inspector General recommended a number of improvements in the report:
- 1. Develop and implement an organization-wide risk management strategy that is consistent with NIST SP 800-37 and NIST SP 800-39.
- 2. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure standard baseline configurations are implemented for all systems.
- 3. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure baseline configurations are documented for all systems.
- 4. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure software compliance assessments, including vulnerability assessments, are performed as required: (i) before a system is connected to the NRC production environment, (ii) during security test and evaluation of systems, and (iii) as part of the agency's continuous monitoring environment.
- 5. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure all systems components are included in requisite software compliance assessments.
- 6. Revise existing configuration management procedures to include performance measures and/or monitoring procedures to ensure all identified vulnerabilities, including configuration-related vulnerabilities, scan findings, and security patch-related vulnerabilities, are remediated in a timely manner in accordance with the timeframes established by NRC.
Although the NRC has not yet reached the level of FISMA compliance it must, experts don't think that necessarily means its systems are not secure.
"I doubt that minor deviations from FISMA standards would result in more incidents and compromises," says Pete Lindstrom, research director at Spire Security. Many times, especially when it comes to measuring end point configuration compliance, non-standard applications can throw the program sideways. "If you try to be compliant and it breaks applications or workflow, then you end up stepping back from compliance. The problem is, too often, the folks working in the trench don't understand the workarounds you put in place to mitigate risk. It often has nothing to do with measuring actual security," he says. George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
Read more about pci and compliance in CSOonline's PCI and Compliance section.