ML24128A045
| ML24128A045 | |
|---|---|
| Person / Time | |
| Issue date: | 05/06/2024 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Raymond Furstenau NRC/EDO |
| References | OIG-24-A-04 |
MEMORANDUM
DATE: May 6, 2024
TO: Raymond V. Furstenau, Acting Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023, REGION II: ATLANTA, GEORGIA (OIG-24-A-04)
REFERENCE: ACTING CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED MARCH 5, 2024
Attached is the Office of the Inspector General's (OIG) analysis and status of recommendation as discussed in the agency's response dated March 5, 2024. Based on this response, recommendation 2 is now closed. Recommendation 1 remains open and resolved. Please provide an updated status of the open, resolved recommendation by August 2, 2024.
If you have any questions or concerns, please call me at 301.415.1982 or Michael Blair, Team Leader, at 301.415.8399.
Attachment: As stated
cc: J. Martin, Acting ADO; T. Govan, Acting DADO; J. Jolicoeur, OEDO; OIG Liaison Resource; EDO ACS Distribution
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930
nrcoig.oversight.gov
Audit Report
AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 REGION II: ATLANTA, GEORGIA
Status of Recommendations (OIG-24-A-04)
Recommendation 1: We recommend NRC management define and implement a process to conduct reviews and removal of unnecessary badged access for its Regions.
Agency Response Dated February 29, 2024: The U.S. Nuclear Regulatory Commission (NRC) already has an effective process in place to conduct reviews and removal of unnecessary badged access at Headquarters, Regional Offices, and the Technical Training Center. Specifically, as described in MD 12.1, NRC Facility Security Program: The NRC access control system is managed and maintained by DFS. It is used to ensure that only authorized individuals are granted physical access. Access lists (a list of individuals with authorized access) are required for administratively controlled, limited access, and security-controlled areas and must be reviewed and approved by the room's designated owner (i.e., the Access Reviewing Official) at least annually.
An assessment of access needs is conducted with every badge renewal. The NRC recommends closure of this item.
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC's management of the defined and implemented process for removing unnecessary badged access for its Headquarters, Regional Offices, and Technical Training Center. This recommendation remains open and resolved.
Status: Open: Resolved.
Recommendation 2: We recommend NRC management remediate the Region II identified vulnerabilities in accordance with NRC's defined timeframes and document risk acceptances with mitigating controls for vulnerabilities that cannot be remediated within the defined timeframes.
Agency Response Dated February 29, 2024: The NRC reviewed and remediated the Region II identified vulnerabilities in accordance with the NRC's defined timeframes and documented risk acceptances with mitigating controls for vulnerabilities that cannot be remediated within the defined timeframes. The NRC recommends closure of this item.
OIG Analysis: The OIG confirmed the review and remediation for Region II, which identified vulnerabilities in accordance with the NRC's defined timeframes and documented risk acceptances with mitigating controls for vulnerabilities that cannot be remediated within the defined timeframes. This recommendation is now closed.
Status: Closed.