Information Security:
NRC's Computer Intrusion Detection Capabilities
AIMD-99-273R: Published: Aug 27, 1999. Publicly Released: Aug 27, 1999.
Additional Materials:
- Full Report:
Contact:
(202) 512-4841
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
GAO reviewed the Nuclear Regulatory Commission's (NRC) policies and practices regarding intrusion detection and response capabilities in the federal government.
GAO noted that: (1) overall, GAO found that NRC has instituted an integrated network and security management program to detect and respond to anomalies that may indicate computer network intrusions and misuse for the systems that support its daily operations; (2) positive aspects of NRC's program include well-designed controls over user access, well-protected network boundaries to prevent intruders, and frequent testing of the network for security deficiencies; (3) GAO found that NRC has: (a) the capability to respond quickly to specific computer attacks once they have been detected; and (b) a variety of tools that can be used to isolate, delay, confuse, and stop intruders; (4) in addition, NRC's security managers regularly report on computer security incidents by providing monthly summary reports to management on the number and type of incidents; (5) further, GAO found that NRC's security managers communicate frequently with outside organizations in order to stay abreast of the latest hacker techniques--knowledge that helps them anticipate and defend against attacks; (6) GAO noted, however, three areas that pose a significant risk to systems supporting NRC operations: (a) NRC's security management activities do not extend to the automated systems that NRC would rely on to facilitate an initial response to a nuclear emergency; as a result, NRC would have to depend on other means of communication, which could diminish the agency's effectiveness; (b) while NRC protects its network boundaries from intruders with a strong firewall, it places less emphasis on monitoring internal network activity; as a result, if an intruder successfully breached the firewall without detection, there is a risk that NRC would not promptly detect his or her activity on the system; and (c) NRC's oversight of its security specialists is somewhat limited; and (7) security risk management requires a continuing reassessment of risk, and reviews such as GAO's can serve as a useful means of highlighting risk factors that are significant enough to merit NRC management's ongoing attention.
Oct 9, 2020
-
Aviation Cybersecurity:
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics RisksGAO-21-86: Published: Oct 9, 2020. Publicly Released: Oct 9, 2020.
Sep 22, 2020
-
Cybersecurity:
Clarity of Leadership Urgently Needed to Fully Implement the National StrategyGAO-20-629: Published: Sep 22, 2020. Publicly Released: Sep 22, 2020.
Sep 21, 2020
-
Information Security and Privacy:
HUD Needs a Major Effort to Protect Data Shared with External EntitiesGAO-20-431: Published: Sep 21, 2020. Publicly Released: Sep 21, 2020.
Sep 17, 2020
-
Critical Infrastructure Protection:
Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation EffortsGAO-20-631: Published: Sep 17, 2020. Publicly Released: Sep 17, 2020.
Sep 16, 2020
-
Veterans Affairs:
VA Needs to Address Persistent IT Modernization and Cybersecurity ChallengesGAO-20-719T: Published: Sep 16, 2020. Publicly Released: Sep 16, 2020.
Aug 18, 2020
-
Cybersecurity:
DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring ProgramGAO-20-598: Published: Aug 18, 2020. Publicly Released: Aug 18, 2020.
May 27, 2020
-
Cybersecurity:
Selected Federal Agencies Need to Coordinate on Requirements and Assessments of StatesGAO-20-123: Published: May 27, 2020. Publicly Released: May 27, 2020.
May 13, 2020
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.
Apr 24, 2020
-
Information Security:
FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its ProgramGAO-20-265: Published: Mar 25, 2020. Publicly Released: Apr 24, 2020.
Apr 13, 2020
-
Cybersecurity:
DOD Needs to Take Decisive Actions to Improve Cyber HygieneGAO-20-241: Published: Apr 13, 2020. Publicly Released: Apr 13, 2020.
Looking for more? Browse all our products here