ML24326A180

| Person / Time | |
|---|---|
| Issue date: | 11/21/2024 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mirela Gavrilas NRC/EDO |
| References | OIG-24-A-11 |
NRC Headquarters, 11555 Rockville Pike, Rockville, Maryland 20852, 301.415.5930, nrcoig.oversight.gov

MEMORANDUM

DATE: November 21, 2024

TO: Mirela Gavrilas, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 (OIG-24-A-11)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED OCTOBER 24, 2024

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations, as discussed in the agency's response dated October 16, 2024. Based on this response, recommendations 2 and 3 are now closed. Recommendations 1 and 4 remain open and resolved. Please provide an updated status of the open, resolved recommendations by June 13, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO
S. Miotla, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution
Audit Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024, Status of Recommendations (OIG-24-A-11)

Recommendation 1:
Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either Trusted Workforce (TW) or U.S. Department of Defense Continuous Vetting (DoD CV) until such time as their enrollment is complete.
Agency Response Dated October 16, 2024:
The U.S. Nuclear Regulatory Commission (NRC) will engage the Defense Counterintelligence and Security Agency (DCSA) on a more frequent basis to ensure NRC records of enrollment match those of the DCSA. If a reinvestigation is needed for enrollment of an individual, that process will be initiated promptly. The DCSA is implementing an automated system that will enroll individuals into continuous vetting when the clearance is granted by the NRC, eliminating the manual review process and negating the possibility of individuals failing to be enrolled.
Target Completion Date: Fiscal Year (FY) 2025, Quarter 2
OIG Analysis:
The OIG will close this recommendation after confirming that the agency has implemented a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.
Status:
Open: Resolved
Recommendation 2:
Complete enrollment of the identified employees and contractors in continuous vetting through TW.
Agency Response Dated October 16, 2024:
The NRC has identified and completed enrollment of the 214 employees and contractor personnel in continuous vetting through TW as of June 21, 2024. Individuals who are not enrolled, due to the age of their previous investigation or security documents, will be reinvestigated.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG has reviewed the evidence and confirms that the agency has completed enrollment of the identified employees and contractors in continuous vetting through TW. Hence this recommendation is closed.
Status:
Closed
Recommendation 3:
Review and update the organizationally defined timeframe for completion of security training in NRC Management Directive (MD) 12.5.
Agency Response Dated October 16, 2024:
The NRC has reviewed and updated the organizationally defined timeframe for completion of security training in NRC MD 12.5, NRC Cybersecurity Program. The revised guidance (ML24198A139) specifies that NRC employees shall receive an initial cybersecurity awareness briefing. All NRC authenticated users (employees and contractor personnel) are required to take the Computer Security Awareness course within 20 business days of obtaining access to NRC systems, and annually thereafter.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG has verified that the agency has reviewed and updated the organizationally defined timeframe for completion of the security training in NRC MD 12.5. Hence, this recommendation is closed.
Status:
Closed
Recommendation 4:
Implement a technical capability to capture NRC employees' and contractors' initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process.
Also, as part of this recommendation, consider reviewing the current configuration of the Enterprise Identity Hub (EIH) and Talent Management System (TMS) integration, as well as the logic in TMS itself, as necessary, to ensure training assignments are retained rather than cancelled due to inactivity.
Agency Response Dated October 16, 2024:
The NRC has reviewed the relevant configuration settings within the EIH and TMS. The technical teams are working to determine an appropriate set of configuration and system interconnection updates to support resolution of the finding.
Initial solutioning work is underway. Some potential solutions include the use of attributes other than an initial login date to ensure that training assignments are both assigned appropriately and retained even through periods of inactivity.
Target Completion Date: FY 2025, Quarter 3
OIG Analysis:
The OIG will close this recommendation after verifying that the agency has implemented a solution, or an appropriate set of configuration and system interconnection updates, that provides the technical capability to capture NRC employees' and contractors' initial login dates, so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process, and that the agency has reviewed the current configuration of the EIH and TMS integration, as well as the logic in TMS itself, as necessary, to ensure training assignments are retained rather than cancelled due to inactivity.
Status:
Open: Resolved