By Eleanor Bennett

In 1974, the United States Congress created the Nuclear Regulatory Commission (NRC) to protect the health of citizens and the environment while ensuring that radioactive materials are used safely for civilian purposes. The NRC regulates the commercial operation of nuclear power plants, as well as the use of nuclear materials for other purposes, including medical and radiation therapies, through licensing, inspections, and enforcement of its regulations.

In order to satisfy many of the requirements related to access control, auditing and accountability, incident response, and system integrity, the NRC developed Regulatory Guide (RG) 5.71.

Nuclear safety inspections are part of the NRC's mission, which includes inspecting nuclear power plants, hospitals, fuel cycle facilities and radioactive materials facilities. The NRC Inspection Manual gives inspectors a set of objectives and procedures to follow for each type of inspection. If an inspection finds problems that need to be addressed, the licensee is notified as soon as possible.

What Is The NRC RG 5.71?

Because 10 CFR 73.54 sets requirements without detailed implementation guidance, the NRC developed and published Regulatory Guide (RG) 5.71 to cover access control, auditing, accountability, incident response, and system and information integrity.

Where Can I Find The Relevant NRC Forms?

The NRC's official website provides editable PDF versions of all the forms and documents you will need to fill out and submit. With Adobe Reader you can view or print the blank forms, and print the completed forms after entering your text.

What Is Observability?

Observability is generally treated as a property of a system: how readily its behaviour can be observed from the outside. A system tends to become less observable as its complexity increases. Correctly implemented observability lets your teams focus on what is actually significant in a constantly changing environment and improves the signal-to-noise ratio of your monitoring.

More precisely, observability is a measure of how well and how accurately a system's internal state can be inferred from its external outputs. By this definition, a system's internal state is highly observable when monitoring its external outputs (logs, metrics, or traces) is enough to draw an accurate conclusion about what is happening inside it.

When an application is sufficiently observable, every failure within it carries enough context to be troubleshot. This is extremely helpful when fixing system problems, as well as any other bugs that arise.

Monitoring and observability have become more and more significant attributes when it comes to ensuring cybersecurity and operational security within an organisation.

How Does Log Management & Observability Help Ensure NRC Compliance?

NRC RG 5.71 recommends that log data be captured, monitored, reviewed, and retained in a manner that is effective and efficient enough to meet NRC compliance demands.

To comply with many of the NRC RG 5.71 guidelines, log data needs to be collected, managed, and analysed. A robust log management system gives you a better chance of meeting many of the NRC's recommendations, and a comprehensive solution also reduces the cost of meeting other guidelines.

Because hundreds of thousands of individual log entries can be generated daily, it is extremely difficult for a systems administrator to keep track of all of this information on a regular basis. Many organisations find that, without formal log analytics and observability systems, their manual processes are inadequate to ensure compliance.

Which Are Examples Of NRC Control Guidelines That Can Be Met Through Observability?

B.1.2 - Account Management - Managing critical digital asset accounts is an essential responsibility of the organisation, including authorising, creating, activating, modifying, reviewing, disabling, and removing accounts, and initiating any necessary actions on those accounts.

B.1.3 - Access Enforcement - It is the responsibility of the organisation to ensure that the assigned authorisations are enforced correctly to ensure the control of access to critical digital assets in accordance with established policies and procedures.

B.1.5 - Separation of Functions - It is the organisation's responsibility to ensure the separation of critical digital asset functions with the implementation of assigned access authorisations to ensure that the separation is enforced.

B.1.6 - Least Privilege - It is the responsibility of the organisation to configure and enforce the most restrictive set of rights and privileges of access needed to enforce the protection of its digital assets.

B.1.7 - Unsuccessful Login Attempts - As part of its security controls, the organisation limits the number of invalid access attempts a user may make against a critical digital asset over a specific period of time. In most organisations the resulting lock-out is enforced automatically by the system the organisation uses.

B.1.11 - Supervision and Review - Access Control - It is the organisation's responsibility to document, supervise, and review the activities of users as they relate to the enforcement and use of access controls within the organisation.

B.1.15 - Network Access Control - In order to secure critical digital assets, the organisation employs and documents mitigation techniques, including media access control address locking, physical or electrical isolation, static tables, encryption, or monitoring of these assets.

B.1.17 - Wireless Access Restrictions - The organisation establishes usage restrictions and guidelines for wireless technologies; documents, justifies, authorises, monitors, and controls wireless access to critical digital assets; and ensures that the restrictions on wireless access are in accordance with its defence strategies and models.

B.1.22 - Use of External Systems - The organisation is responsible for prohibiting users from accessing critical digital assets or from processing, storing, or transmitting organisation-controlled information through an external system unless the organisation verifies that equivalent security measures have been taken on the external system and that those measures have been implemented.

B.2.4 - Audit Storage Capacity - The organisation allocates space to store audit records that meet NRC record retention requirements, and configures auditing in such a way that it reduces the likelihood of exceeding this capacity.

B.2.6 - Audit Review, Analysis, and Reporting - The organisation is responsible for reviewing and analysing the critical digital asset audit records [no less frequently than once every 30 days] for indications of inappropriate or unusual activity and reporting these findings to the designated organisation officials.

B.2.9 - Protection of Audit Information - It is the organisation's responsibility to ensure that audit information and audit tools are protected against unauthorised access, modifications, and deletion, in a manner that is consistent with the security requirements for critical digital assets.
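The B.1.7 limit on invalid access attempts, and the B.2.6 review of audit records for unusual activity, can both be checked against collected authentication logs. The following is an added example, not code from the original article or from the Logit.io platform: it parses constructed sshd-style log lines (sample data, not a real capture) and flags every host/account pair that reaches the failure limit within a time window, with a successful login resetting the count. The policy values of five failures in 15 minutes are assumptions, not figures taken from RG 5.71.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in syslog/sshd style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
2023-05-01T10:00:01 hmi01 sshd[411]: Failed password for operator from 10.0.5.7 port 51022 ssh2
2023-05-01T10:00:05 hmi01 sshd[411]: Failed password for operator from 10.0.5.7 port 51023 ssh2
2023-05-01T10:00:09 hmi01 sshd[411]: Failed password for operator from 10.0.5.7 port 51024 ssh2
2023-05-01T10:00:12 hmi01 sshd[411]: Failed password for operator from 10.0.5.7 port 51025 ssh2
2023-05-01T10:00:14 hmi01 sshd[411]: Failed password for operator from 10.0.5.7 port 51026 ssh2
2023-05-01T10:00:20 hmi01 sshd[412]: Accepted password for operator from 10.0.5.7 port 51027 ssh2
2023-05-01T11:30:00 hmi02 sshd[520]: Failed password for engineer from 10.0.5.9 port 40001 ssh2
2023-05-01T12:45:00 hmi02 sshd[521]: Failed password for engineer from 10.0.5.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(text):
    """Turn matching sshd lines into dicts with a datetime timestamp; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def lockout_breaches(events, max_failures=5, window=timedelta(minutes=15)):
    """Return {(host, user): peak_failures} for pairs whose failures within `window`
    reach max_failures (a B.1.7-style check). An accepted login resets the streak."""
    breaches = {}
    streak = defaultdict(list)  # (host, user) -> failure timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        if ev["result"] == "Accepted":
            streak[key] = []
            continue
        streak[key] = [t for t in streak[key] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(streak[key]) >= max_failures:
            breaches[key] = max(breaches.get(key, 0), len(streak[key]))
    return breaches

if __name__ == "__main__":
    for (host, user), n in lockout_breaches(parse(SAMPLE_LOG)).items():
        print(f"{host}: account '{user}' reached {n} failed logins within the window")
```

The same per-account counts, run over a full retention period rather than a 15-minute window, give the periodic review evidence that B.2.6 asks for.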

With the help of a platform such as Logit.io, you will be able to collect, archive, and recover logs, metrics and audit information across your entire IT infrastructure. This will enable you to more readily automate the process of complying with NRC guidelines.

Note that the Logit.io platform directly helps to meet many of the requirements of the NRC RG 5.71 guidelines regarding the collection, management, and analysis of log data. With Logit.io it is possible to demonstrate compliance with the specifications listed in NRC RG 5.71 for the following IDs: B.1.2, B.1.3, B.1.5, B.1.6, B.1.7, B.1.11, B.1.15, B.1.17, B.1.22, B.2.4, B.2.6 and B.2.9.

To review all of the NRC’s guidelines in their entirety please refer to this guide.

If you found this article informative then why not read our guide to observability vs monitoring or see the leading New Relic competitors next?

© 2023 Logit.io Ltd, All rights reserved.