The Office of Inspector General issued a report Aug. 8 saying that the Nuclear Regulatory Commission currently lacks “clear and effective” agency-wide policy and procedures for national security systems.
As a result, “classified information may be vulnerable or subject to unauthorized disclosure,” the OIG said in the report.
The report carries two major recommendations.
For starters, it says NRC should clarify policies and procedures over national security information systems “and assign responsibility for implementing these policies and procedures.”
Secondly, OIG called upon NRC to complete a comprehensive inventory of all national security information systems and review it at appropriate intervals.
“NRC has national security systems that were operating without the required authorizations to operate, contrary to federal and internal requirements,” OIG said in the report. “This happened because agency wide policies and procedures governing national security systems were not clear or well understood. Without agency wide policies and procedures, classified information may be vulnerable or subject to unauthorized disclosure.”
An NRC representative said the regulator is already addressing issues raised in the OIG report.
“We have started taking action to ensure that all applicable systems identified in the audit are properly authorized,” said NRC spokesman David McIntyre. “We have verified that all National Security Systems have strong physical access controls in place, and there is no indication that the lack of proper authorizations led to any loss of classified information,” McIntyre added.
For national security systems owned by other agencies, the owning agency issues an authorization to operate and NRC must issue an authority to use, OIG said in the report.
Classification is a means of identifying information concerning the national defense and foreign relations of the United States that requires protection against disclosure to unauthorized people. Classification restricts access to only properly cleared and authorized people who require access to the information to perform official duties, OIG notes.
NRC staff work primarily with two types of classified information.
One is national security information, classified by an executive order, which if compromised “would cause some degree of damage to the national security,” according to the OIG report.
The other is “restricted data.” This includes data concerning design, manufacture or use of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy — but not in cases where the data has been “or removed from the Restricted Data category pursuant to section 142 of the Atomic Energy Act, as amended.”
When it comes to handling sensitive information, NRC officials use three categories of national security systems to process and store classified information:
“- A standalone laptop or desk computer not connected to a network.
“- A subscriber system where the sponsoring agency manages the logical access controls. An example of this type of system is the Homeland Secure Data Network (HSDN).
“- A shared service system where the sponsoring agency has part of the controls, but NRC owns the directory services and maintains the terminals used to access the system.”
NRC does not have a classified network of its own — it relies upon the networks of other federal agencies. “However, it has standalone computers that process and store classified information,” OIG said in the report. “All NRC personnel with access to any system or network (to include a stand-alone system or network) on which classified information resides must be an NRC authorized classifier.”
“A discussion draft of this report was provided to NRC prior to an exit conference held on August 4, 2016. NRC management provided comments that have been incorporated into this report, as appropriate. As a result, NRC management stated their general agreement with the report and will not provide formal comments.”
OIG conducted this performance audit at NRC headquarters in Rockville, Maryland from March to June of this year. “OIG also reviewed and analyzed internal controls related to the audit objective. Throughout the audit, auditors were aware of the possibility of fraud, waste, and abuse in the program,” OIG said in the report.