Summary: GAO reviewed the Nuclear Regulatory Commission's (NRC) policies and practices regarding intrusion detection and response capabilities in the federal government.
GAO noted that: (1) overall, GAO found that NRC has instituted an integrated network and security management program to detect and respond to anomalies that may indicate computer network intrusions and misuse for the systems that support its daily operations; (2) positive aspects of NRC's program include well-designed controls over user access, well-protected network boundaries to prevent intruders, and frequent testing of the network for security deficiencies; (3) GAO found that NRC has: (a) the capability to respond quickly to specific computer attacks once they have been detected; and (b) a variety of tools that can be used to isolate, delay, confuse, and stop intruders; (4) in addition, NRC's security managers regularly report on computer security incidents by providing monthly summary reports to management on the number and type of incidents; (5) further, GAO found that NRC's security managers communicate frequently with outside organizations in order to stay abreast of the latest hacker techniques--knowledge that helps them anticipate and defend against attacks; (6) GAO noted, however, three areas that pose a significant risk to systems supporting NRC operations: (a) NRC's security management activities do not extend to the automated systems that NRC would rely on to facilitate an initial response to a nuclear emergency; as a result, NRC would have to depend on other means of communication, which could diminish the agency's effectiveness; (b) while NRC protects its network boundaries from intruders with a strong firewall, it places less emphasis on monitoring internal network activity; as a result, if an intruder successfully breached the firewall without detection, there is a risk that NRC would not promptly detect his or her activity on the system; and (c) NRC's oversight of its security specialists is somewhat limited; and (7) security risk management requires a continuing reassessment of risk, and reviews such as GAO's can serve as a useful means of highlighting risk factors that are significant enough to merit NRC management's ongoing attention.