ML24270A039

| Field | Value |
|---|---|
| Issue date | 10/23/2024 |
| From | Christopher Hanson, NRC/Chairman |
| To | Mayorkas A, US Dept of Homeland Security, Office of the Secretary; Crouch N |
| Shared Package | ML24270A040 |
| References | SRM-EDO011121-1-OCIO, CORR-24-0087 |
CHAIR
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

October 23, 2024

The Honorable Alejandro Mayorkas
Secretary of Homeland Security
Washington, DC 20528
Dear Secretary Mayorkas:
On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am pleased to report that the agency has submitted its Federal Information Security Modernization Act (FISMA) and Privacy Management Program documents for fiscal year (FY) 2024 through CyberScope, in accordance with Office of Management and Budget (OMB) Memorandum M-24-04, "Fiscal Year 2024 Guidance on Federal Information Security and Privacy Management Requirements," dated December 4, 2023. The NRC submitted the following eight documents:
(1) Chief Information Officer / FY 2024 Quarter 4 Annual FISMA Report
(2) Senior Agency Official for Privacy / FY 2024 Annual FISMA Report
(3) Agency Privacy Program Plan
(4) Agency Privacy Program Changes
(5) Agency Breach Response Plan
(6) Agency Privacy Continuous Monitoring Strategy
(7) Agency Privacy Program Uniform Resource Locator
(8) Social Security Numbers Eliminated and Progress Report

The NRC's Office of the Inspector General will submit the Inspector General Section of the FY 2024 Annual FISMA Report separately through CyberScope.
The NRC continues its efforts towards full compliance with FISMA targets and with the agency's Privacy Management Program. To date, the NRC has 15 reportable systems. During FY 2024, the agency completed security assessments and approved change authorizations for each system.
The NRC had no major security incidents during FY 2024. However, the NRC had a total of eight confirmed reportable incidents. The NRC's Computer Security Incident Response Team reported six incidents to the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and CISA reported two incidents to the NRC, with the following threat vectors: four Improper Usage, two Web-based, and two Other. The agency fully investigated, mitigated, and remediated all incidents.
The NRC also performs vulnerability assessments over its high-value assets (HVA) in alignment with DHS guidance to ensure control maturity and remediation of vulnerabilities. The NRC continues to promote its partnership with CISA and the HVA community, participating in multiple subcommittee groups to help enhance the Federal HVA program. Additionally, in FY 2024, CISA assessed NRC's Tier 1 HVA system,[1] the Agencywide Document and Management System. This assessment was a collaborative effort between CISA and NRC, resulting in an accurate depiction of the system environment and associated controls.
In the upcoming fiscal year, the NRC will continue to enhance the ongoing authorization program to incorporate additional control parameters for cloud services based on recently revised Federal Risk and Authorization Management Program guidance, including implementing additional personal identity verification, reducing the risk of unauthorized software, mitigating supply chain risks, and addressing audit findings. Additionally, the NRC will further efforts to implement a zero-trust architecture, transition to post quantum cryptography, expand endpoint detection and response deployment, and enhance log management maturity.
In accordance with the instructions issued by the OMB and the DHS, the NRC will continue to update your staff on its progress on these initiatives.
If you have any questions about NRC's FY 2024 FISMA and Privacy Management Program documents, please contact me or have your staff contact Scott Flanders, Chief Information Officer, at (301) 415-6717.
Sincerely,

Christopher T. Hanson

[1] Tier 1 HVA systems represent systems of critical impact to both the agency and the nation.