Nuclear Regulatory Commission Computer Security Office CSO Office Instruction




Office Instruction: CSO-PLAN-0100
Office Instruction Title: Enterprise Risk Management Program Plan
Revision Number: 1.0
Effective Date: October 25, 2013
Primary Contacts: Kathy Lyons-Burke, SITSO
Responsible Organization: CSO/PST
Summary of Changes: CSO-PLAN-0100, Enterprise Risk Management Program Plan, provides the high-level plan to implement and maintain an NRC Cyber Security Enterprise Risk Management Program.
Training: As needed
ADAMS Accession No.: ML13266A290

Concurrences
Primary Office Owner: Policy, Standards, and Training
Responsible SITSO: Kathy Lyons-Burke

Directors and Date of Concurrence:
- CSO: Tom Rich /RA/ 07-Oct-13
- PST: Kathy Lyons-Burke /RA/ 07-Oct-13
- FCOT: Kathy Lyons-Burke /RA/ 07-Oct-13
- CSA: Thorne Graham /RA/ 07-Oct-13

Concurrence Meeting Conducted on 07-Oct-13. Attendees: Thomas Rich, Jon Feibus, Kathy Lyons-Burke

U.S. Nuclear Regulatory Commission NRC Enterprise Risk Management (ERM) Program Plan Version 1.0 October 7, 2013

CSO Plan CSO-PLAN-0100 Enterprise Risk Management Program Plan Page ii

Contents
1 Introduction ... 1
1.1 Purpose ... 1
1.2 Scope ... 1
1.3 Relationship to Other Cyber Security Risk Activities ... 1
1.4 Approach ... 1
1.4.1 Develop an ERMP Communication Plan ... 1
1.4.2 Develop an ERM Blueprint ... 2
1.4.3 Execute ERM Implementation Phases ... 2
1.5 References ... 3
2 Program Overview ... 3
2.1 Overall Goal and Objectives ... 4
2.2 Phase 1: Agency-wide Cyber Security Oversight Activities ... 4
2.3 Phase 2: IT Infrastructure Implementations ... 5
2.4 Phase 3: Regional Implementations ... 5
2.5 Phase 4: Remaining NRC Cyber Risk Related Activities ... 5
2.6 Work Breakdown Structure ... 5
2.7 Program Deliverables ... 8
3 Program Organization ... 9
3.1 Program Roles and Responsibilities ... 9
3.2 Stakeholders ... 9
Appendix A Acronyms ... 12

1 INTRODUCTION

This plan explains how the Computer Security Office (CSO) plans to implement the Enterprise Risk Management (ERM) Program at the Nuclear Regulatory Commission (NRC) such that the program complies with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.

1.1 Purpose

The purpose of the ERM Program (ERMP) is to enable the agency to manage enterprise cyber security risk more effectively. The ERMP addresses the use of NRC cyber systems and cyber-relevant assets from a risk management perspective, ensuring the safe, reliable, and cost-effective use of cyber throughout the agency to achieve mission objectives.

1.2 Scope

The ERMP addresses all risk management capabilities and responsibilities related to cyber systems and cyber-relevant capabilities within NRC. Capabilities may include, but are not limited to, policies, processes, procedures, technologies, standards, and training. Initially, the ERMP efforts focus on agency-wide cyber security oversight activities, with the intent of achieving cost-effective and efficient reduction of risk to the NRC. The ERMP effort then gradually expands to address the next greatest area of risk, until all aspects of cyber security risk at NRC have been addressed.

1.3 Relationship to Other Cyber Security Risk Activities

The ERMP examines all existing cyber security risk activities for improvements and ensures that NRC effectively employs cyber risk capabilities such as system authorization, continuous monitoring, the cyber risk dashboard, the business area risk assessments, and continuous diagnostics and mitigation activities.

1.4 Approach

A blueprint detailing the individual elements of a NIST-compliant ERM Program will be developed. The blueprint will be used and refined as each phase of the ERM Program implementation is executed.

1.4.1 Develop an ERMP Communication Plan

A communication plan outlining the methods that will be used to communicate implementation of ERM capabilities and changes to existing processes, procedures, etc. will be developed. Methods that will be used for communication include, but are not limited to, the following:
- Designated Approving Authority (DAA) briefings
- IPEC briefings
- Information Technology (IT) Architecture Council briefings
- One-page summaries for office directors
- ISSO Forum briefings
- CSO web page and SharePoint postings

1.4.2 Develop an ERM Blueprint

An ERM Blueprint will be developed, as described in Section 2.7 Program Deliverables. Initially, the blueprint will identify high-level elements of the ERM Program; as each phase is executed, additional details will be provided based on lessons learned and information obtained during execution of previous phases. The objective of the blueprint is to show how individual elements of the program support other elements, and ultimately, to define the target state of the ERM Program. The blueprint will provide context to ERM stakeholders and program practitioners for key program activities.

1.4.3 Execute ERM Implementation Phases

CSO will implement the ERM Program in four iterative phases. Each phase will build on the previous phase, adding appropriate representatives and applying lessons learned as the program is implemented throughout the agency. The first four phases of the ERM Program will be implemented as follows:
- Phase 1: Agency-wide Cyber Security Oversight Activities
- Phase 2: IT Infrastructure Implementations
- Phase 3: Regional Implementations
- Phase 4: Remaining NRC Cyber Risk Related Activities

The following activities will be conducted during each of the four implementation phases:
- Expand the ERM Blueprint: Expand the ERM Blueprint to provide details concerning program implementation for each phase. As details are provided for each phase, the ERM Blueprint will increasingly describe the target state of the ERM Program. This activity results in a report that identifies the ERM elements that must exist within the NRC to achieve an effective and compliant risk management program. An iterative version of the report is produced after each phase.
- Document the ERM Baseline and Assess Gaps: Evaluate current risk management capabilities for each activity during each phase. Determine the degree to which existing capabilities already satisfy those required in the ERM Blueprint, and identify any gaps that remain. This results in a report that identifies the baseline and the gaps between the baseline and the blueprint. Within each phase, a report is produced identifying the baseline first, and then the report is augmented to identify the gaps.
- Develop ERM Program Portfolio: Develop a portfolio of programs and alternatives to be used to address the identified gaps; prioritize the programs and alternatives, sequence them for dependencies, and present them to senior leadership for approval. The ERM Program Portfolio is comprised of discrete programs during which tasks are completed for the purpose of implementing CSO-approved recommendations identified in the ERM Gap Analysis Report. The programs are defined and sequenced so that as any one is completed it provides benefit to the agency and that cumulative benefit is achieved as related programs are completed.
- Address Gaps: As programs and alternatives are approved by senior leadership, coordinate and oversee the execution of each program or alternative to ensure that each objective is accomplished (i.e., gap is closed) within the planned timeframes.

- Plan Next Phase: Planning for the next phase (e.g., developing program plans and scheduling required activities) will take place concurrent with gap closure.

After Phase 4 is complete, the ERM Program will enter a fifth phase during which the mechanisms for long-term maintenance and continuous improvement of the program will be established. Once established, this program is complete and the ERMP transitions to ongoing maintenance.

1.5 References

At a minimum, the following resources will be used when developing the ERMP:
- NIST SP 800-18 (Revision 1), Guide for Developing Security Plans for Federal Information Systems, February 2006
- NIST SP 800-30 (Revision 1), Guide for Conducting Risk Assessments, September 2012
- NIST SP 800-37 (Revision 1), Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011
- NIST SP 800-53 (Revision 4), Recommended Security Controls for Federal Information Systems and Organizations, May 2013
- NIST SP 800-53A (Revision 1), Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010
- NIST SP 800-60 (Revision 1), Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008
- NIST SP 800-70 (Revision 2), National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, February 2011
- FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
- FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006

The following resources may also be used when relevant and appropriate:
- ISO 31000:2009, Risk Management: Principles and Guidelines
- DHS Risk Lexicon, 2010 Edition, September 2010
- Risk Management Fundamentals, Homeland Security Risk Management Doctrine, April 2011

2 PROGRAM OVERVIEW

This section provides an overview of CSO's ERMP.

2.1 Overall Goal and Objectives

The primary goal of the NRC ERMP is to enable more consistent, complete, agile, and cost-effective risk management practices throughout the agency by unifying and standardizing risk management activities related to cyber systems and cyber-relevant capabilities. Objectives include:
- Ensuring that the organization's risk management capabilities are repeatable and effectively used throughout the agency's information systems;
- Fostering an organizational climate where information security risks are considered within the context of the agency's mission and business processes;
- Guiding individuals responsible for deployment and maintenance of cyber systems to better understand how information security risk can impact them, their systems, other systems, and the agency as a whole; and
- Identifying and implementing processes that allow for consistent feedback and continuous improvement of the ERMP.

2.2 Phase 1: Agency-wide Cyber Security Oversight Activities

The goal of the first phase is to identify the ERM cyber security oversight capabilities that can maximize the value of the ERMP as a whole. The ERM Team will identify and implement the risk management capabilities that may require the least effort with maximum risk management benefits to the agency. Implementation of these capabilities will demonstrate the value of the ERMP throughout the agency. The ERM Team will also focus on high-priority activities, including:
- Development of formal, agency-specific mission impact definitions;
- Development of refined security categorization definitions and guidance;
- Development of enhanced CSO processes, procedures, and templates, to include:
  - Identifying those that do not exist.
  - Identifying those that need to be revised.
  - Developing processes, procedures and templates that support efficient execution of cyber security tasks.
- Identification of standards, processes, procedures, and templates that should be removed;
- Identification of high-impact risks that can be resolved with the least amount of effort (using data available within CSO);
- Identification of more streamlined, user-friendly capabilities that better enable staff to complete cyber security tasks;
- Identification, through an analysis of aggregated Plans of Action and Milestones (POA&M), of patterns and trends, including those that result in the greatest agency risk;
- Identification, through an analysis of aggregated risk assessments, of patterns and trends, including those that result in the greatest agency risk;
- Identification of improvements in cyber security control implementation;

- Identification of additional functionality that could be incorporated into existing tools to more efficiently execute cyber security tasks;
- Establishing processes to ensure increased consistency during cyber security testing, tool usage, and tool-configuration settings;
- Supporting increased automation for security control assessment on an ongoing basis to reduce the manual burden and to enable increased assessment frequency;
- Developing a more comprehensive set of standardized system security requirements; and
- Increasing efficiency by linking the standardized system security requirements to the standardized controls.

2.3 Phase 2: IT Infrastructure Implementations

The goal of the second phase is to identify the ERM capabilities that can be implemented within IT infrastructure activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate IT infrastructure representatives and will order the infrastructure implementation risk management capabilities from those that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. IT infrastructure staff will implement the most advantageous capabilities in collaboration with CSO.

2.4 Phase 3: Regional Implementations

The goal of the third phase is to identify the ERM capabilities that can be implemented within regional activities and operations with the intent to reduce cyber security risk. The ERM Team will incorporate regional representatives and will order the regional implementation risk management capabilities from those that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Regional staff will implement the most advantageous capabilities in collaboration with CSO.

2.5 Phase 4: Remaining NRC Cyber Risk Related Activities

The goal of the last phase is to identify the ERM capabilities that can be implemented within cyber security relevant activities across all parts of NRC with the intent to reduce cyber security risk. The ERM Team will incorporate cross-agency representatives and will order the implementation risk management capabilities from those that require the least effort with maximum risk management benefits to the agency to those with the lowest cost-benefit ratio. Appropriate staff will implement the most advantageous capabilities in collaboration with CSO.

2.6 Work Breakdown Structure

This section provides an overview of the key tasks involved in implementing the ERM program.

Planning and Preparation
1. Develop ERM Plan
   a. Develop the initial ERM Plan.
   b. Conduct an internal CSO review of the plan.
   c. Obtain approval of the initial ERM Plan from the Policy, Standards, and Training (PST) Senior IT Security Officer (SITSO) and the Chief Information Security Officer (CISO).

2. Finalize ERM Blueprint
   a. Complete the initial ERM Blueprint using NIST SP 800-39, Managing Information Security Risk: Organization, Mission and Information System View, March 2011, as the primary resource.
   b. Conduct an internal CSO review of the blueprint.
   c. Obtain approval of the initial ERM Blueprint from the PST SITSO and the CISO.

Phase 1: Agency-wide Cyber Security Oversight Activities
1. Update the ERM Blueprint with CSO-specific elements
   a. Identify the CSO-specific elements of the ERM Blueprint that must be evaluated to address ERM within the CSO.
   b. Describe each element and define requirements specific to the CSO that must be met to fully satisfy the element.
   c. Facilitate a CSO review of the defined elements.
   d. Finalize the CSO-elaborated version of the ERM Blueprint.
2. Document the Baseline and Assess Gaps for CSO
   a. Gather information already available to the contractor, and conduct interviews with the contractor's team to identify the current ERM baseline for CSO.
   b. Assess the CSO baseline against the requirements defined for each CSO-specific element identified in the ERM Blueprint.
      i. Identify the degree to which the ERM Blueprint requirements are already satisfied by the CSO baseline, and identify any gaps that remain.
      ii. Provide options and recommendations for addressing and remediating the gaps.
   c. Facilitate a CSO review of the gap analysis.
3. Develop an ERM Program Portfolio for CSO
   a. Sequence and prioritize the CSO gap remediation recommendations, and identify them as short-, mid-, or long-term efforts.
   b. Establish a portfolio of discrete programs defined to implement the CSO-approved recommendations. For each program:
      i. Estimate timeframes.
      ii. Identify tasks and dependencies.
      iii. Identify CSO staff that may be required to perform the task.
   c. Facilitate a CSO review.
   d. Formalize each program.
   e. Obtain approval to execute the program.
4. Execute the CSO ERM programs to address gaps
   a. Monitor and coordinate efforts throughout the program portfolio. For each program:
      i. Engage the appropriate CSO leads.
      ii. Identify a program lead and practitioners.
      iii. Facilitate a kick-off meeting.
      iv. Conduct periodic program status reviews.
      v. Monitor schedule, budget, and outcomes.
      vi. Ensure consistency throughout the program portfolio.
5. Plan Phase 2: IT Infrastructure Implementations
   a. Revise the ERM Plan for implementation throughout IT Infrastructure Implementations.
      i. Consider lessons learned during Phase 1.
      ii. Update the program schedule.
   b. Facilitate a CSO review.
   c. Engage OIS and coordinate the activities required for Phase 2.

Phase 2: IT Infrastructure Implementations
1. Update the ERM Blueprint with OIS-specific elements.
2. Document the OIS baseline and conduct a gap analysis of the OIS portion of the target state defined by the ERM Blueprint.
3. Develop an ERM Program Portfolio for OIS.
4. Execute the OIS ERM programs to address gaps.
5. Plan Phase 3: Regional Implementations.

Phase 3: Regional Implementations
1. Update the ERM Blueprint with Region-specific elements.
2. Document the baseline for the NRC Regions and conduct a gap analysis of the Region-based portion of the target state defined by the ERM Blueprint.
3. Develop an ERM Program Portfolio for the NRC Regions.
4. Execute the Regional ERM programs to address gaps.
5. Plan Phase 4: ERM Implementation for the Remaining NRC Cyber Risk Related Activities.

Phase 4: Remaining NRC Cyber Risk Related Activities
1. Update the ERM Blueprint with organization-specific elements.
2. Document the baseline for the NRC regions and conduct a gap analysis of each organization's portion of the target state defined by the ERM Blueprint.
3. Develop an ERM Program Portfolio for the organizations.

4. Execute the organizational ERM programs to address gaps.

Phase 5: ERM Planning and Maintenance Phase
1. Finalize all ERM Program documentation.
2. Plan for ongoing maintenance and continuous improvement of the ERMP.

ERM Ongoing Maintenance and Continuous Improvement
1. Identify long-term custodian(s) for the ERMP.
2. Develop and/or refine business processes to ensure continuous improvement of ERM.
3. Implement the processes and/or process changes.

2.7 Program Deliverables

Table 1 lists the ERM Program deliverables.

Table 1: ERM Program Deliverables (Deliverable; Target Delivery Date)
- ERM Program Plan
  - Initial ERM Program Plan: November 29, 2013
  - Phase 2-4 ERM Program Plan Updates: TBD
- ERM Communication Plan
  - Initial ERM Communication Plan: December 16, 2013
  - Phase 2-4 ERM Program Plan Updates: TBD
- ERM Blueprint
  - Initial ERM Blueprint: January 30, 2014
  - Phase 1 ERM Blueprint: March 28, 2014
  - Phase 2-4 ERM Program Plan Updates: TBD
- ERM Baseline Portion of Gap Analysis Report
  - Phase 1 ERM Baseline Report: February 28, 2014
  - Phase 2-4 ERM Baseline: TBD
- ERM Gap Analysis Report
  - CSO-specific Results and Recommendations: March 17, 2014
  - Phase 2-4 ERM Program Plan Updates: TBD
- ERM Program Portfolio
  - CSO-specific Program Portfolio: April 30, 2014
  - Phase 2-4 ERM Program Plan Updates: TBD

3 PROGRAM ORGANIZATION

This section defines the ERM roles, responsibilities, and stakeholders for Phase 1 of the ERM Program. Roles, responsibilities, and stakeholders will be reviewed and revised as needed during each phase of program implementation.

3.1 Program Roles and Responsibilities

Table 2 lists the roles and responsibilities for Phase 1 of the ERM Program.

Table 2: ERM Program Roles and Responsibilities (Role; Program Responsibilities)
- CISO: Provides executive leadership of the ERMP and acts as the ERMP champion.
- PST SITSO: Oversees the ERMP; approves ERM-related plans, processes, and procedures; and supports senior management stakeholder activities.
- ERM Project Team Leader: Leads the ERMP implementation; tracks and provides oversight and support for ERM-related activities; reviews ERM-related plans, processes, and procedures; and supports senior management stakeholder activities.
- Technical Program Manager: Establishes and implements the program plan, with the goal of keeping the program on schedule and within budget, and notifies the ERM Team Leader of any schedule or budget concerns. The Technical Program Manager also communicates business and technical requirements, tasks, and deliverables to the CSO Support Contractor; provides budget updates and requests to the ERM Team Leader; reviews contractor deliverables; provides comment prior to submitting to CSO senior management for review and approval; and supports technical staff stakeholder activities.
- CSO Members: Support the Technical Program Manager with requirements identification, ERM-related process and procedure updates, gap analysis, and review of contractor deliverables. Also support technical staff stakeholder activities.
- CSO Support Contractor: Supports the Technical Program Manager with requirements identification, ERM-related process and procedure updates, and gap analysis.

3.2 Stakeholders

Stakeholders for Phase 1 of the ERM Program are the DAA, Chief Information Officer (CIO), CISO, CSO, and system owners.

Stakeholders for subsequent phases will be identified in this plan as each phase takes place, and will include OIS, System Owners (SOs), the DAA, and agency Lines of Business (LOB).

CSO Enterprise Risk Management Program Plan Change History

Date: 06-Nov-13
Version: 1.0
Description of Changes: Initial issuance
Method Used to Announce & Distribute: Posting on CSO web page
Training: Upon request

Appendix A Acronyms

Term: Definition
- CIO: Chief Information Officer
- CISO: Chief Information Security Officer
- CSO: Computer Security Office
- DAA: Designated Approving Authority
- ERM: Enterprise Risk Management
- ERMP: Enterprise Risk Management Program
- IPEC: IT/IM Portfolio Executive Council
- IT: Information Technology
- LOB: Line of Business
- NRC: Nuclear Regulatory Commission
- OIS: Office of Information Services
- POA&M: Plan of Action and Milestones
- PST: Policy, Standards & Training
- SITSO: Senior Information Technology Security Officer
- SO: System Owners