The Nuclear Regulatory Commission operated several national security systems without authorization, potentially making classified information vulnerable or subject to unauthorized disclosure, according to an agency watchdog.
The recently released Cybersecurity Act of 2015 audit of the NRC found seven national security systems did not have authorization to operate. The problem stemmed from a “lack of clarity in the agencywide policies and procedures over the systems and no integrated process across relevant offices,” according to the NRC inspector general’s report on its audit findings.
The IG additionally found that four national security systems did not have an “authority to use,” which NRC grants to systems owned by another agency (the agency would issue authority to operate as well), and that two laptops were used without an authorization to operate.
Those laptops are no longer being used and will be taken out of service, the report noted.
On top of all of this, the inspector general noted there was no agencywide inventory of national security systems.
“A national security system is any information system (including any telecommunications system)… which involves intelligence and cryptologic activities, control of military forces, and weapons,” according to the report.
The report noted the IG didn’t find any instances of unauthorized access to classified information, but it cautioned that “without the appropriate level of protection, there is also a potential risk of unauthorized access to classified information.”
The report also explained the authorization process’ importance for analyzing the level of risk to information in a system.
“If a system is not characterized correctly, it may not have the appropriate level of protection,” the report explains. “For example, if a hard drive with classified information is put into a computer only authorized for unclassified information, there could be an information spill and the information may be vulnerable because the computer does not have the proper protections in place.”
The report recommends NRC clarify “agencywide policies and procedures over national security information systems” and assign responsibilities for implementing them. The IG also recommended the agency complete an inventory of its national security systems and periodically review it.
NRC management generally agreed with the report.