Cyber

Nuke commission operated several systems without authorization — audit

The Nuclear Regulatory Commission operated several national security systems without authorization, potentially making classified information vulnerable or subject to unauthorized disclosure, according to an agency watchdog.

By Samantha Ehlinger

September 22, 2016

The recently released Cybersecurity Act of 2015 audit of the NRC found seven national security systems did not have authorization to operate. The problem stemmed from a “lack of clarity in the agencywide policies and procedures over the systems and no integrated process across relevant offices,” according to the NRC inspector general’s report on its audit findings.

The IG found additionally that four national security systems did not have an “authority to use,” which NRC grants to systems owned by another agency (the agency would issue authority to operate as well); and two laptops were used without an authorization to operate.

Those laptops are no longer being used and will be taken out of service, the report noted

On top of all of this, the inspector general noted there was no agencywide inventory of national security systems.

“A national security system is any information system (including any telecommunications system)… which involves intelligence and cryptologic activities, control of military forces, and weapons,” according to the report.

The report noted the IG didn’t find any instances of unauthorized access to classified information, but it cautioned that “without the appropriate level of protection, there is also a potential risk of unauthorized access to classified information.”

The report also explained the authorization process’ importance for analyzing the level of risk to information in a system.

“If a system is not characterized correctly, it may not have the appropriate level of protection,” the report explains. “For example, if a hard drive with classified information is put into a computer only authorized for unclassified information, there could be an information spill and the information may be vulnerable because the computer does not have the proper protections in place.”

The report recommends NRC clarify “agencywide policies and procedures over national security information systems” and assign responsibilities for implementing them. The IG also recommended the agency complete an inventory of its national security systems and periodically review it.

NRC management generally agreed with the report.

Nuke commission operated several systems without authorization — audit

More Like This

Federal data, security leaders release zero-trust guide ahead of White House deadline

Agencies face ‘inflection point’ ahead of looming zero-trust deadline, CISA official says

Trump’s Schedule F would have hurt govtech recruitment, OPM official says

Top Stories

Federal data management career path needs improvement, CDO Council vice chair says

OpenAI further expands its generative AI work with the federal government

DOJ employees wary of doxxing threats call on leadership for stronger response

EPA CIO Vaughn Noga details slew of new modernization efforts underway

Former GSA, FDIC IT official headed to Railroad Retirement Board

USAID updated policy to allow use of Signal, Telegram in some circumstances

More Scoops

Commerce looking to publish AI-ready data guidance in coming months

Nuclear Regulatory Commission has eliminated all legacy systems, CIO says

MITRE’s Federal AI Sandbox will focus on critical infrastructure, weather modeling, social services

Data, talent, funding among top barriers for federal agency AI implementation

CISA aims for inventory clarity with post-quantum cryptography guidance

Tax watchdog says IRS hasn’t completed key IPv6 modernization requirements

Watchdog flags major incidents for VA’s electronic health record system

Latest Podcasts

A look at next week’s hearing on unidentified anomalous phenomena; Space Force expands top secret intel-sharing program to support new mission areas

DOJ employees call on leadership for stronger response to doxxing; Scale AI unveils ‘Defense Llama’ large language model

Exclusive interviews from CyberTalks 2024 w/ Federal CIO Clare Martorana, Federal CISO Michael Duffy

The Biden administration releases a new zero-trust data guide; How the GSA is working to teach federal employees about AI prompt engineering

Tech

Defense

Cyber

FedScoop TV