NRC Lacks Secure Procedures: OIG

Thursday, August 25, 2016 @ 06:08 PM gHale


The Nuclear Regulatory Commission (NRC) currently lacks “clear and effective” agency-wide policy and procedures for national security systems, the Office of Inspector General (OIG) said in a report.

“Classified information may be vulnerable or subject to unauthorized disclosure,” the OIG said in the report.


The report carries two major recommendations.

One recommendation is the NRC should clarify policies and procedures over national security information systems “and assign responsibility for implementing these policies and procedures.”

The other recommendation is the NRC should complete a comprehensive inventory of all national security information systems and review it at appropriate intervals.

“NRC has national security systems that were operating without the required authorizations to operate, contrary to federal and internal requirements,” OIG said in the report. “This happened because agency wide policies and procedures governing national security systems were not clear or well understood. Without agency wide policies and procedures, classified information may be vulnerable or subject to unauthorized disclosure.”

An NRC representative said the regulator is already addressing the issues raised in the report.

“We have started taking action to ensure that all applicable systems identified in the audit are properly authorized,” said NRC spokesman David McIntyre. “We have verified that all National Security Systems have strong physical access controls in place, and there is no indication that the lack of proper authorizations led to any loss of classified information,” McIntyre said.

When handling sensitive information, NRC officials use three categories of national security systems to process and store classified information:

• A standalone laptop or desktop computer not connected to a network.
• A subscriber system where the sponsoring agency manages the logical access controls. An example of this type of system is the Homeland Secure Data Network (HSDN).
• A shared service system where the sponsoring agency has part of the controls, but NRC owns the directory services and maintains the terminals used to access the system.

NRC does not have a classified network of its own – it relies upon the networks of other federal agencies. “However, it has standalone computers that process and store classified information,” OIG said in the report. “All NRC personnel with access to any system or network (to include a stand-alone system or network) on which classified information resides must be an NRC authorized classifier.”