The Nuclear Regulatory Commission has agreed to implement five Government Accountability Office (GAO) recommendations for improving high-impact system controls, according to documents released Tuesday.
High-impact systems are characterized as federal security systems that hold sensitive information, which, if lost, could cause “catastrophic harm” to individuals, the government, or the country, according to the documents. A GAO report from May, which surveyed 24 federal agencies, offered five recommendations to NRC. They were:
- “Update security plans for selected systems to ensure that all controls specific to high-impact systems are addressed.”
- “Provide and track specialized training for all individuals who have significant security responsibilities.”
- “Re-evaluate security control assessments to ensure that they comprehensively test technical controls.”
- “Update remedial action plans for selected systems, to include responsible organization, estimated funding, funding source, and scheduled completion dates.”
- “Update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.”
NRC Executive Director for Operations Victor McCree sent a letter to the GAO in April, before the report was released, saying the agency agrees with all five recommendations and has taken steps to ensure implementation. According to McCree, NRC actions include the validation of staff lists and required training, and the implementation of a new vulnerability/configuration scanning tool that enhances NRC’s ability to perform comprehensive system technical control assessments, among other improvements.