Information Security:
NRC's Computer Intrusion Detection Capabilities
AIMD-99-273R: Published: Aug 27, 1999. Publicly Released: Aug 27, 1999.
Additional Materials:
- Full Report:
Contact:
(202) 512-4841
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
GAO reviewed the Nuclear Regulatory Commission's (NRC) policies and practices regarding intrusion detection and response capabilities in the federal government.
GAO noted that: (1) overall, GAO found that NRC has instituted an integrated network and security management program to detect and respond to anomalies that may indicate computer network intrusions and misuse for the systems that support its daily operations; (2) positive aspects of NRC's program include well-designed controls over user access, well-protected network boundaries to prevent intruders, and frequent testing of the network for security deficiencies; (3) GAO found that NRC has: (a) the capability to respond quickly to specific computer attacks once they have been detected; and (b) a variety of tools that can be used to isolate, delay, confuse, and stop intruders; (4) in addition, NRC's security managers regularly report on computer security incidents by providing monthly summary reports to management on the number and type of incidents; (5) further, GAO found that NRC's security managers communicate frequently with outside organizations in order to stay abreast of the latest hacker techniques--knowledge that helps them anticipate and defend against attacks; (6) GAO noted, however, three areas that pose a significant risk to systems supporting NRC operations: (a) NRC's security management activities do not extend to the automated systems that NRC would rely on to facilitate an initial response to a nuclear emergency; as a result, NRC would have to depend on other means of communication, which could diminish the agency's effectiveness; (b) while NRC protects its network boundaries from intruders with a strong firewall, it places less emphasis on monitoring internal network activity; as a result, if an intruder successfully breached the firewall without detection, there is a risk that NRC would not promptly detect his or her activity on the system; and (c) NRC's oversight of its security specialists is somewhat limited; and (7) security risk management requires a continuing reassessment of risk, and reviews such as GAO's can serve as a useful means of highlighting risk factors that are significant enough to merit NRC management's ongoing attention.
Jul 31, 2018
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Jun 14, 2018
-
Cybersecurity Workforce:
Agencies Need to Improve Baseline Assessments and Procedures for Coding PositionsGAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.
May 14, 2018
-
Protecting Classified Information:
Defense Security Service Should Address Challenges as New Approach Is PilotedGAO-18-407: Published: May 14, 2018. Publicly Released: May 14, 2018.
Apr 24, 2018
-
Cybersecurity:
DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector NetworksGAO-18-520T: Published: Apr 24, 2018. Publicly Released: Apr 24, 2018.
Mar 7, 2018
-
Cybersecurity Workforce:
DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill RequirementsGAO-18-430T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Feb 6, 2018
-
Cybersecurity Workforce:
Urgent Need for DHS to Take Actions to Identify Its Position and Critical Skill RequirementsGAO-18-175: Published: Feb 6, 2018. Publicly Released: Feb 6, 2018.
Sep 28, 2017
-
Federal Information Security:
Weaknesses Continue to Indicate Need for Effective Implementation of Policies and PracticesGAO-17-549: Published: Sep 28, 2017. Publicly Released: Sep 28, 2017.
Aug 3, 2017
-
Information Security:
OPM Has Improved Controls, but Further Efforts Are NeededGAO-17-614: Published: Aug 3, 2017. Publicly Released: Aug 3, 2017.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
