NRC cybersecurity hole remediation needs work, says audit firm
Remediation of cybersecurity vulnerabilities remains a problem at the Nuclear Regulatory Commission, says a recently released annual audit of agency systems conducted under the Federal Information Security Management Act.
The annual audit, done under contract to the NRC inspector general by Bethesda, Md.-based Richard S. Carson & Associates, finds that NRC plans of action and milestones (POA&Ms) for the remediation of cyber vulnerabilities often remain open past their due dates and that agency staff sometimes declare vulnerabilities resolved without sufficient evidence.
Commission policy calls for the remediation of vulnerabilities within 7 to 120 calendar days, depending on the degree of risk associated with the vulnerability (higher-risk problems receive less time for resolution).
However, a security test and evaluation of one system--NRC has 22 operational information systems, the audit says--found that many components had never been security hardened and that many patches had not been installed. Another system had similar problems with patches, suggesting either that the agency's enterprisewide patching solution hasn't been properly configured, or that personnel responsible for those system components haven't manually requested the patches from the enterprisewide system, the report says.
Not all known vulnerabilities are entered into the POA&M management system, which until the fourth quarter of fiscal 2011 was a manual process, the report adds.
The report does note progress in NRC's cybersecurity efforts, however: all 22 systems have, for the first time, a current authorization to operate.
For more:
- download the report, OIG-12-A-04 (.pdf)