ML22271A192

10-26-22 - Letter to the Honorable Alejandro Mayorkas from Chairman Hanson, Reports That NRC Has Submitted the Fisma and Privacy Management Program Documents for Fiscal Year 2022
ML22271A192
Person / Time
Issue date: 10/26/2022
From: Christopher Hanson
NRC/Chairman
To: Mayorkas A
US Dept of Homeland Security
Hardy S
Shared Package: ML22269A498
References: SRM-EDO011121-1, CORR-22-0099


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 26, 2022

The Honorable Alejandro Mayorkas
Secretary of Homeland Security
Washington, DC 20528

Dear Secretary Mayorkas:

On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am pleased to report that the agency has submitted its Federal Information Security Modernization Act (FISMA) and Privacy Management Program documents for fiscal year (FY) 2022 through CyberScope in accordance with Office of Management and Budget (OMB) Memorandum M-22-05, "Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements," dated December 6, 2021. The NRC submitted the following eight documents:

(1) Chief Information Officer/2022 Quarter 4 Annual FISMA Report
(2) Senior Agency Official for Privacy/2022 Annual FISMA Report
(3) Agency Privacy Program Plan
(4) Agency Privacy Program Changes
(5) Agency Breach Response Plan
(6) Agency Privacy Continuous Monitoring Strategy
(7) Agency Privacy Program-Uniform Resource Locator
(8) Social Security Numbers Eliminated and Progress Report

The NRC's Office of the Inspector General will submit the Inspector General Section Report/2022 Annual FISMA Report separately through CyberScope.

The NRC continues its efforts towards full compliance with FISMA targets and with the agency's Privacy Management Program. To date, the NRC has 15 reportable systems. During FY 2022, the agency completed security assessments and approved change authorizations for each system.

The NRC had no major security incidents during FY 2022. The NRC had a total of four confirmed incidents. The NRC's Computer Security Incident Response Team reported those four incidents to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) with the following threat vectors: three Improper Usage and one Malicious Code. CISA reported two incidents to the NRC. The NRC investigated, mitigated, and remediated all incidents.

As in prior years, the NRC participated in the high-value asset risk and vulnerability assessments led by DHS and has completed mitigation and remediation activities. In accordance with the current DHS guidance, the NRC reassessed its high-value assets and reduced the number from five to four. The NRC will continue to collaborate with DHS in future efforts to assess the NRC's protection of high-value assets.

In the upcoming fiscal year, the NRC will continue to make progress in updating the ongoing authorization program, deploying encryption at rest, implementing additional personal identity verification, reducing the risk of unauthorized software, and addressing audit findings.

Additionally, NRC will continue efforts to implement a zero-trust architecture, expand endpoint detection and response deployment, and enhance log management maturity.

In accordance with the instructions issued by OMB and DHS, the NRC will continue to update your staff on its progress on these initiatives.

If you have any questions about the FY 2022 NRC FISMA and Privacy Management Program documents, please contact me or have your staff contact David J. Nelson, Chief Information Officer, at (301) 415-8700.

Sincerely,

Christopher T. Hanson