On July 25, 2019, the United States Government Accountability Office (GAO) released GAO-19-384, a report to congressional requesters analyzing the cybersecurity risk management of 23 civilian agencies—including the Nuclear Regulatory Commission (NRC). Using key elements such as risk tolerance and risk mitigation strategies, GAO examined the extent to which all agencies established a cybersecurity risk management program; what challenges, if any, agencies identified in developing and implementing such programs; and what steps the Office of Management and Budget (OMB) and the US Department of Homeland Security (DHS) have taken to meet their risk management responsibilities to address any challenges agencies face in this area. In its analysis, GAO compared policies and procedures from the 23 civilian agencies to key federal cybersecurity risk management practices, obtained the agencies’ own views on challenges they faced, identified and analyzed actions taken by the OMB and DHS to determine whether such actions address agency challenges, and interviewed responsible agency officials.
Seven agencies, including the NRC, acknowledged that they had not developed a cybersecurity risk management strategy that included the key elements identified in the GAO report. GAO reported that according to agency officials, this was due to the federated nature of the agency or difficulty in establishing an agency-wide understanding of risk tolerance, among other factors. Further, these agencies stated that they intended to develop such a strategy or were considering doing so.
GAO recommended to the OMB that it, in coordination with DHS, establish guidance to facilitate the sharing of successful approaches among agencies in order to address challenges in managing, implementing, and establishing cybersecurity risk management. Seventeen agencies, including the NRC, concurred with GAO’s recommendations and described steps that are planned or under way to address them.
Shortly before the release of GAO’s report, NRC staff released a publicly available executive summary of the Power Reactor Cyber Security Program Assessment conducted between January and May 2019. As previously described on Up & Atom, the main area identified for improvement through the Assessment is the scoping of Critical Digital Assets. In the summary, the NRC staff notes that it will work to develop an action plan to prioritize recommended cybersecurity program changes. An enclosure to the summary containing detailed licensee-specific assessment feedback is not publicly available. Additionally, in its Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13), the Office of the Inspector General recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing and develop and implement cybersecurity performance measures, through which licensees can demonstrate sustained program effectiveness.
We will continue to monitor developments for cybersecurity at the NRC.