WIXLIB

Audit of NRC’sNetwork SecurityOperations CenterOIG-16-A-07January 11, 2016All publicly available OIG reports (including this report)are accessible through NRC’s Web site sp-gen

UNITED STATESNUCLEAR REGULATORY COMMISSIONWASHINGTON, D.C. 20555-0001OFFICE OF THEINSPECTOR GENERALJanuary 11, 2016MEMORANDUM TO:Victor M. McCreeExecutive Director for OperationsFROM:Stephen D. Dingbaum /RA/Assistant Inspector General for AuditsSUBJECT:AUDIT OF NRC’S NETWORK SECURITY OPERATIONSCENTER (OIG-16-A-07)Attached is the Office of the Inspector General’s (OIG) audit report titled Audit of NRC’sNetwork Security Operations Center.The report presents the results of the subject audit. Following the January 5, 2016, exitconference, agency staff indicated that they had no formal comments for inclusion in thisreport.Please provide information on actions taken or planned on each of the recommendationswithin 30 days of the date of this memorandum. Actions taken or planned are subject to OIGfollowup as stated in Management Directive 6.1.We appreciate the cooperation extended to us by members of your staff during the audit. Ifyou have any questions or comments about our report, please contact me at (301) 415-5915or Beth Serepca, Team Leader, at (301) 415-5911.Attachment: As stated

Office of the Inspector GeneralU.S. Nuclear Regulatory CommissionDefense Nuclear Facilities Safety BoardResults in BriefWhy We Did This ReviewThe U.S. Nuclear RegulatoryCommission’s (NRC) NetworkSecurity Operations Center(SOC) is responsible for securingthe agency’s networkinfrastructure and monitoringthe network for suspiciousactivity. The SOC accomplishesthis through the use ofautomated security tools,analysis of network activity data,and participation in incidentresponse efforts. The SOC isprimarily staffed by contractorsworking under the InformationTechnology InfrastructureSupport Services (ITISS)contract.Robust SOC capabilities areparticularly crucial given thesensitivity of the unclassifiedinformation processed on NRC’snetwork, and the increasingvolume of attacks carried outagainst Federal Governmentcomputer systems.The audit objective was todetermine whether NRC’snetwork SOC meets operationalrequirements, and to assess theeffectiveness of SOCcoordination with otherorganizations that have a role insecuring NRC’s network.OIG-16-A-07January 11, 2016Audit of NRC’s Network Security Operations CenterWhat We FoundNRC’s network SOC currently meets operational securityrequirements stipulated in the ITISS contract. However, thecurrent contract is not optimized to meet NRC’s needs, andopportunities exist to improve the SOC’s range of capabilities andcoordination with other NRC stakeholders.Performance-based contracting is the preferred approach toFederal contracting. In this approach, the Government customerdefines its needs in terms of the results it is seeking, in addition tometrics for measuring contractor performance, rather thandescribing the process that the contractor will use.NRC staff described several areas in which the SOC does not meetagency needs, including proactive analysis and timely, detailedreports. This occurs because although the contract performancecriteria are aligned with National Institute of Standards andTechnology and NRC internal guidance, the contract does notclearly define SOC performance goals and metrics that can be usedto determine whether agency needs are being met.Additionally, SOC staff and NRC stakeholders expressed differingexpectations of SOC roles and responsibilities. This occurs due to alack of adequate definitions in agency policies and undifferentiatedfunctional descriptions between different entities responsible forsecuring NRC’s network.What We RecommendThis report makes recommendations to improve SOC performanceand capabilities through better definitions of contractrequirements and improving clarity in organizational roles andresponsibilities. Agency management stated their generalagreement with the findings and recommendations in this report.

Audit of NRC’s Network Security Operations CenterTABLE OF CONTENTSABBREVIATIONS AND ACRONYMS . iI. BACKGROUND . 1II. OBJECTIVE . 2III. FINDINGS. 2A. Current Contract Limits Needed Capabilities . 2Recommendations . 7B. SOC and Stakeholder Relationships Need Clearer Definition . 7Recommendations . 9IV. CONSOLIDATED LIST OF RECOMMENDATIONS . 10V. AGENCY COMMENTS . 10APPENDIXOBJECTIVE, SCOPE, AND METHODOLOGY . 11TO REPORT FRAUD, WASTE, OR ABUSE . 13COMMENTS AND SUGGESTIONS . 13

Audit of NRC’s Network Security Operations CenterABBREVIATIONS AND ACRONYMSITISSInformation Technology Infrastructure Support ServicesNRCNuclear Regulatory CommissionOIGOffice of the Inspector GeneralSOCSecurity Operations Centeri

Audit of NRC’s Network Security Operations CenterI. BACKGROUNDThe U.S. Nuclear Regulatory Commission’s (NRC) network SecurityOperations Center (SOC) secures the agency’s network infrastructure andmonitors the network for suspicious activity. To support this mission, theSOC uses automated security tools, analyzes network activity data, andparticipates in incident response efforts. Robust SOC capabilities areparticularly crucial given the sensitivity of unclassified informationprocessed by NRC’s network, 1 and the increasing volume of attackscarried out against Federal Government computer systems. 2NRC’s SOC is staffed primarily by contractors working under theInformation Technology Infrastructure Support Services (ITISS) contract.This contract provides NRC a broad range of network operations andsupport services that include security as well as desktop computing,printing, and mobile devices. The ITISS contract took effect in February2011 and will expire in May 2017. Its ceiling is approximately 252.1million. However, as of November 2015, NRC projects contractrequirements may exceed the ceiling by approximately 10.6 million.NRC staff anticipate that the ITISS contract will reach the ceiling byDecember 2016, and are developing a solicitation for a new contract thatwould take effect when the contract expires.NRC staff from the Office of the Chief Information Officer OperationsDivision oversee and work with SOC contractor staff. The SOC supportsNRC’s Information Security Directorate by providing information onnetwork security incidents 3 and data required for Federal InformationSecurity Modernization Act compliance reporting to the Office ofManagement and Budget. In addition, the SOC provides information toinvestigators from NRC’s Office of the Inspector General.1Classified and Safeguards Information processing is not permitted on NRC’s main information technologyinfrastructure system.2From Fiscal Year 2013 to Fiscal Year 2014, NRC experienced an 18-percent increase in computer security incidentsreported to the Department of Homeland Security. This exceeds Federal Governmentwide trend data, which showan increase of approximately 9.7 percent during the same period. These incidents include unauthorized access;malicious code; social engineering; policy violations; and scans, probes, and other access attempts.3The Information Security Directorate collects data on NRC network security incidents and reports it to theDepartment of Homeland Security’s U.S. Computer Emergency Readiness Team.1

Audit of NRC’s Network Security Operations CenterII. OBJECTIVEThe audit objective was to determine whether NRC’s network SOC meetsits operational requirements, and to assess the effectiveness of SOCcoordination with organizations that have a role in securing NRC’snetwork. The report appendix describes the audit’s scope andmethodology.III. FINDINGSNRC’s network SOC provides a range of capabilities to protect the agencyagainst cybersecurity threats, and contractors who help run the SOC aremeeting security operational requirements stipulated in NRC’s primaryinformation technology support contract. However, auditors found thatSOC capabilities could be improved through better definition of contractualrequirements. Additionally, auditors found that SOC coordination withother NRC stakeholders could benefit from a clearer definition oforganizational roles and responsibilities.A. Current Contract Limits Needed CapabilitiesFederal internal control and procurement guidance emphasizes theimportance of contracts delivering goods and services that meet agencyneeds. However, NRC’s current ITISS contract does not provide someneeded SOC capabilities. This occurs because the ITISS contract doesnot clearly define SOC performance objectives or functional requirements.As a result, NRC’s SOC is not optimized to protect the agency’s networkin the current cyber threat environment.2

Audit of NRC’s Network Security Operations CenterWhat Is RequiredContracts Should Help Meet Agency NeedsFederal and NRC guidance asserts that contracts for goods and servicesshould deliver what the agency needs. For example, the U.S.Government Accountability Office Standards for Internal Control in theFederal Government 4 states that clear communication of agencyrequirements is an important internal control responsibility of managementrelative to acquisitions contracts. Management may contract with aservice organization to perform an organizational role. Nevertheless,management must communicate the expectations, responsibilities, andauthorities for that role to the contractor, and enforce accountability.Additionally, performance-based contracting is the preferred approach toFederal contracting. In performance-based contracting, the Governmentcustomer defines the results it is seeking, rather than the process thecontractor will use. The Government customer also determines standardsfor measuring contractor performance. To define the desired results, anagency should analyze its needs. Requirements can then be brokendown into clear functions and tasks. Staffing needs and performancemetrics are, in turn, based on these requirements.Lastly, NRC Management Directive 11.1, NRC Acquisition of Supplies andServices, states that acquisition of supplies and services to meet NRC’smission should be effective. This internal guidance reinforces the FederalAcquisition Regulation, which is intended to ensure that products orservices will satisfy Government customers (principally end-users and linemanagers) in terms of cost, quality, and timeliness of the delivered productor service.What We FoundITISS Contract Does Not Deliver Some Needed SOC CapabilitiesNRC staff described ways that the SOC does not meet agency needs.4GAO-14-704G, Standards for Internal Control in the Federal Government, September 2014.3