ML23271A231

| Field | Value |
|---|---|
| Issue date | 10/30/2023 |
| From | Christopher Hanson, NRC/Chairman |
| To | Mayorkas A, US Dept of Homeland Security |
| Shared Package | ML23271A232 |
| References | SRM-EDO011121-1, CORR-23-0080 |
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
CHAIR

October 30, 2023

The Honorable Alejandro Mayorkas
Secretary of Homeland Security
Washington, DC 20528

Dear Secretary Mayorkas:

On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am pleased to report that the agency has submitted its Federal Information Security Modernization Act (FISMA) and Privacy Management Program documents for fiscal year (FY) 2023 through CyberScope, in accordance with Office of Management and Budget (OMB) Memorandum M-23-03, "Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements," dated December 2, 2022. The NRC submitted the following eight documents:
(1) Chief Information Officer/2023 Quarter 4 Annual FISMA Report
(2) Senior Agency Official for Privacy/2023 Annual FISMA Report
(3) Agency Privacy Program Plan
(4) Agency Privacy Program Changes
(5) Agency Breach Response Plan
(6) Agency Privacy Continuous Monitoring Strategy
(7) Agency Privacy Program-Uniform Resource Locator
(8) Social Security Numbers Eliminated and Progress Report

The NRC's Office of the Inspector General will submit the Inspector General Section Report/2023 Annual FISMA Report separately through CyberScope.
The NRC continues its efforts toward full compliance with FISMA targets and with the agency's Privacy Management Program. To date, the NRC has 15 reportable systems. During FY 2023, the agency completed security assessments and approved change authorizations for each system.
The NRC had no major security incidents during FY 2023. The agency had a total of six confirmed incidents. The NRC's Computer Security Incident Response Team reported four incidents to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and CISA reported two incidents to the NRC. The incidents had the following threat vectors: one Improper Usage, one Malicious Code, one Denial of Service Attack, and three Investigation. The NRC investigated, mitigated, and remediated all incidents.
As in prior years, the NRC participated in the high-value asset risk and vulnerability assessments led by the DHS and has completed mitigation and remediation activities. In accordance with the current DHS guidance, the NRC reassessed its high-value assets and remained at four systems in FY 2023. The NRC will continue to collaborate with the DHS in future efforts to assess the NRC's protection of high-value assets.
In the upcoming FY, the NRC will continue to make progress in updating the ongoing authorization program, deploying encryption at rest, implementing additional personal identity verification, reducing the risk of unauthorized software, and addressing audit findings.
Additionally, the NRC will continue efforts to implement a zero-trust architecture, expand endpoint detection and response deployment, and enhance log management maturity.
In accordance with the instructions issued by the OMB and the DHS, the NRC will continue to update your staff on its progress on these initiatives.
If you have any questions about the FY 2023 NRC FISMA and Privacy Management Program documents, please contact me or have your staff contact David J. Nelson, Chief Information Officer, at (301) 415-8700.
Sincerely,

Christopher T. Hanson