Nuclear regulator slow in correcting information security vulnerabilities, says audit

The US government agency tasked with overseeing the safety of nuclear power plants cannot secure its own networks, according to an audit of the agency

The audit, performed by Richard S. Carson & Associates on behalf of the NRC Inspector General, found that the commission’s plans of action and milestones for the remediation of information security vulnerabilities often did not contain all known security vulnerabilities and remained open past their due date. In addition, agency staff sometimes declared the vulnerabilities to be resolved without sufficient evidence.

A security test found that many network components had never been security hardened and that many patches had not been installed. The problems with patching indicated either that the agency's patching solution had not been properly configured or that personnel responsible for those system components had not requested downloads of the patches from the enterprise-wide patching system, the audit said.

The fact that problems with the timely remediation of security vulnerabilities were identified in more than one operational system “indicates the agency needs to improve its configuration management procedures to ensure all identified vulnerabilities, including configuration-related vulnerabilities, scan findings, and security patch-related vulnerabilities, are remediated in a timely manner”, the audit stressed.
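The three gaps the audit describes (scan findings never entered in a plan of action and milestones, entries left open past their due date, and entries closed without evidence) can be caught mechanically by reconciling scanner output against the POA&M register. The following is an added illustration, not code from the NRC or the auditors; the system names, finding identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class ScanFinding:
    """One vulnerability a scanner reported on a system (constructed sample data)."""
    finding_id: str   # scanner plugin id; placeholder values, not real identifiers
    system: str


@dataclass
class PoamItem:
    """One plan-of-action-and-milestones entry tracking a finding to closure."""
    finding_id: str
    system: str
    due: date
    status: str                                   # "open" or "closed"
    evidence: list = field(default_factory=list)  # e.g. rescan report ids


def reconcile(findings, poam, today):
    """Return the three audit gaps, each as a sorted list of (finding_id, system)."""
    tracked = {(p.finding_id, p.system) for p in poam}
    missing = sorted({(f.finding_id, f.system) for f in findings} - tracked)
    overdue = sorted((p.finding_id, p.system) for p in poam
                     if p.status == "open" and p.due < today)
    no_evidence = sorted((p.finding_id, p.system) for p in poam
                         if p.status == "closed" and not p.evidence)
    return {"missing": missing, "overdue": overdue,
            "closed_without_evidence": no_evidence}


# Constructed sample data: two systems, four scan findings, three POA&M entries.
SAMPLE_FINDINGS = [
    ScanFinding("PLUGIN-1001", "hr-portal"),
    ScanFinding("PLUGIN-1002", "hr-portal"),
    ScanFinding("PLUGIN-2001", "licensing-db"),
    ScanFinding("PLUGIN-2002", "licensing-db"),
]
SAMPLE_POAM = [
    PoamItem("PLUGIN-1001", "hr-portal", date(2024, 1, 31), "open"),               # past due
    PoamItem("PLUGIN-1002", "hr-portal", date(2024, 6, 30), "closed", ["rescan-77"]),
    PoamItem("PLUGIN-2001", "licensing-db", date(2024, 3, 15), "closed"),          # no evidence
    # PLUGIN-2002 on licensing-db was never entered in the POA&M at all
]


def sample_report(today=date(2024, 4, 1)):
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(SAMPLE_FINDINGS, SAMPLE_POAM, today)


if __name__ == "__main__":
    for gap, items in sample_report().items():
        print(f"{gap}: {items}")
```

In practice the findings list comes from the scanner export and the POA&M from the tracking system, and a non-empty result in any of the three lists is what the auditors flagged.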

In addition, the audit found that the agency had not developed an organization-wide risk management strategy.
