April 12, 2013
Management of Naval Reactors' Cyber Security Program
The Naval Reactors Program (Naval Reactors), an organization within the National Nuclear Security Administration, provides the military with safe and reliable nuclear propulsion plants to power warships and submarines. Naval Reactors maintains responsibility for activities supporting the United States Naval fleet nuclear propulsion systems, including research and design, operations and maintenance and the ultimate disposition of the nuclear propulsion plants. Both the Department of Energy and the Department of Navy fund Naval Reactors. To fulfill its mission, Naval Reactors utilizes numerous information systems that reside on both classified and unclassified networks. Previous Office of Inspector General reviews of Naval Reactors related to our Federal Information Security Management Act of 2002 evaluations identified certain security weaknesses related to access controls and contingency planning. We found that Naval Reactors' vulnerability management controls and processes were not fully effective in applying security patches for all desktop and network applications. For example, although the program had taken action to correct the vast majority of vulnerabilities identified during scans performed in July 2011, our current review disclosed 335 high and medium risk vulnerabilities. Naval Reactors officials were unable to provide us with information regarding the age of the identified weaknesses due to the lack of an adequate corrective action tracking mechanism. Naval Reactors had made a number of enhancements to its cyber security program over the past several years, however, we identified weaknesses related to vulnerability management, access controls, incident response and security awareness training that could negatively affect its security posture. For instance, controls over access to information and systems at Naval Reactors were not always operating effectively. The weaknesses identified occurred, in part, because Naval Reactors had not ensured that necessary cyber security controls were fully implemented. Specifically, officials had not fully developed and/or implemented policies and procedures related to vulnerability management, access controls, incident response and cyber security training. In addition, Naval Reactors had not always effectively utilized Plans of Action and Milestones to track, prioritize and remediate cyber security weaknesses. In response, management generally concurred with the report's recommendations and indicated that corrective actions had been taken or were planned to address the weaknesses identified.
Topic: National Security & Safety