The Nuclear Regulatory Commission’s (NRC) Office of Inspector General (OIG) found in an April 2 Federal Information Security Modernization Act (FISMA) report that NRC should improve its software and network management and security.
Although OIG said that NRC’s information security program and practices were generally adequate for FY2017, it identified three specific areas needing improvement: the agency’s management of non-standard software, its removal of unsupported software (which is no longer patched by its vendor and so accumulates unfixed vulnerabilities), and its mitigation of high-risk vulnerabilities on NRC networks.
The report found that NRC policies allow the use of non-standard software on NRC devices, and it identified 57 instances of non-standard software on NRC’s network. OIG also found 64 instances of unsupported software that could expose NRC to vulnerabilities, and 13 high-risk vulnerabilities on NRC networks.
OIG made six recommendations to NRC in light of the shortfalls the office found:
- Develop and implement a process to remove all unauthorized non-standard software;
- Create a process to manage non-standard software to ensure it’s properly approved and inspected for security weaknesses before it’s installed on NRC’s network;
- Monitor the approved software on NRC’s network for vulnerabilities, and mitigate any found;
- Develop and establish processes and procedures to govern non-standard software installation, especially in determining the impact to operations or cybersecurity;
- Implement a process to remove unsupported software from NRC networks; and
- Create a process to mitigate known high-risk vulnerabilities.
NRC has 30 days from the issuance of the report to respond to how it plans to act upon OIG’s recommendations.