ML21272A208

| Field | Value |
|---|---|
| Accession number | ML21272A208 |
| Issue date | 10/18/2021 |
| From | Christopher Hanson, NRC/Chairman |
| To | Mayorkas A, US Executive Office of the President, Homeland Security Council |
| | Mangefrida M |
| Shared package | ML21272A211 |
| References | CORR-21-0073, SRM-EDO011121-1-OCIO |
CHAIRMAN
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 18, 2021

The Honorable Alejandro Mayorkas
Secretary of Homeland Security
Washington, DC 20528
Dear Mr. Mayorkas:
On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am pleased to report that the agency has submitted its Federal Information Security Modernization Act (FISMA) and Privacy Management Program documents for fiscal year (FY) 2021 through CyberScope in accordance with Office of Management and Budget (OMB) Memorandum M-21-02, "Fiscal Year 2020-2021 Guidance on Federal Information Security and Privacy Management Requirements," dated November 9, 2020. The NRC submitted the following eight documents:

(1) Chief Information Officer/2021 Quarter 4 Annual FISMA Report
(2) Senior Agency Official for Privacy/2021 Annual FISMA Report
(3) Agency Privacy Program Plan
(4) Agency Privacy Program Changes
(5) Agency Breach Response Plan
(6) Agency Privacy Continuous Monitoring Strategy
(7) Agency Privacy Program Uniform Resource Locator
(8) Social Security Numbers Eliminated and Progress Report

The NRC's Office of the Inspector General will submit the Inspector General Section Report/2021 Annual FISMA Report separately through CyberScope.
The NRC continues its efforts towards full compliance with FISMA targets and with the agency's Privacy Management Program. To date, the NRC has 17 reportable systems. During FY 2021, the agency completed security assessments and approved change authorizations for each system.
The NRC had no major security incidents during FY 2021. The NRC had a total of 11 confirmed incidents. The NRC's Computer Security Incident Response Team reported those 11 incidents to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with the following threat vectors: 7 Improper Usage, 1 Loss or Theft of Equipment, 2 Web, and 1 Unknown. CISA did not report any incidents to the NRC. The NRC investigated, mitigated, and remediated all 11 incidents.
As in prior years, the NRC participated in the high-value asset risk and vulnerability assessments led by DHS and has completed mitigation and remediation activities. In accordance with the current DHS guidance, the NRC reassessed its high-value assets and will remain at five systems. The NRC will continue to collaborate with DHS in future efforts to assess the NRC's protection of high-value assets.
The NRC continues to make progress toward meeting the cybersecurity cross-agency priority (CAP) goals, as demonstrated by the agency's 100-percent achievement of the FY 2021 metric targets. The "CAP Goal Evaluations" table in Appendix A to the NRC's Chief Information Officer/2021 Quarter 4 Annual FISMA Report details the agency's current progress.
In the upcoming FY, the NRC will continue to make progress in updating the ongoing authorization program, deploying encryption at rest, implementing additional personal identity verification, reducing the risk of unauthorized software, and addressing audit findings.
In accordance with the instructions issued by OMB and DHS, the agency will continue to update your staff on its progress on these initiatives.
If you have any questions about the FY 2021 NRC FISMA and Privacy Management Program documents, please contact me or have your staff contact Mr. David J. Nelson, Chief Information Officer, at (301) 415-8700.
Sincerely,

Christopher T. Hanson