An independent audit focused on the Nuclear Regulatory Commission found that one of its main offices may have network vulnerabilities and recommends more-frequent updates of the commission’s cybersecurity policies and procedures.
The NRC is split into four regional offices across the country; Region IV’s office is located in Arlington, Texas. Overall the audit, conducted in July 2017 by Richard S. Carson & Associates on behalf of NRC’s Office of the Inspector General, found that Region IV’s IT security program was “generally effective,” but did find lapses in a handful of areas that have left the network vulnerable to cyber intruders.
One of the problems discovered was that the office has been lax in updating its IT security policy guidelines. The NRC is required to periodically update its 110 policy guides, annually for some and every three years for others. The audit found four policy guides around IT and security that had gone more than three years without review or update, and another three that had gone more than a year, including the region’s main IT security guideline. Auditors also found that the region’s procedures for backing up critical systems and data were out of step with NIST guidelines.