ML25008A102

| Field | Value |
|---|---|
| Issue date | 01/08/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Mirela Gavrilas NRC/EDO |
| References | OIG-23-A-10 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: January 8, 2025

TO: Mirela Gavrilas, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (OIG-23-A-10)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED DECEMBER 13, 2024

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations, as discussed in the agency's response dated December 10, 2024.

Recommendation 2 was previously closed. Based on this response, recommendations 1 and 3 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 18, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO
S. Miotla, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution
Evaluation Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023, Status of Recommendations (OIG-23-A-10)

Recommendation 1:
We recommend that U.S. Nuclear Regulatory Commission (NRC) management reviews all Information Technology Infrastructure (ITI) plans of action and milestones (POA&Ms) to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
Agency Response Dated December 10, 2024:
NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. In August 2024, the NRC Chief Information Security Officer (CISO) directed the formation of the POA&M Reduction Working Group to review all ITI POA&Ms to ensure that they are accurate. Analysis by the POA&M Reduction Working Group found that over half of the 6,000 ITI POA&Ms listed in the Risk and Continuous Authorization Tracking System were associated with endpoints that had been decommissioned or were related to operating systems that are no longer in use. The CISO approved the closure of these POA&Ms for findings that were no longer relevant, and the count of open ITI POA&Ms has been reduced by more than 50 percent to the current number of 2,505. The POA&M Reduction Working Group continues to review the remaining ITI POA&Ms and is developing methods to improve the efficiency of POA&M management through automation. Corrective actions for the remaining 2,505 ITI POA&Ms are ongoing, with expected completion in the second quarter (Q2) of fiscal year (FY) 2025.
Target Completion Date: FY 2025, Q2

OIG Analysis:
The OIG will close this recommendation after confirming that NRC management has reviewed all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
Status:
Open: Resolved
Recommendation 3:
We recommend that NRC management increases the current Security Information and Event Management (SIEM) tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all Event Logging (EL) maturity tiers to ensure events are logged and tracked in accordance with the U.S. Office of Management and Budget (OMB) Memorandum (M)-21-31.
Agency Response Dated December 10, 2024:
The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG has reviewed the evidence and confirms that the agency has increased the current SIEM tool licensing level and acquired funding. A month after the OIG's audit fieldwork ended for the FY 2024 FISMA audit, NRC management informed the OIG that the agency has achieved EL1 maturity. The OIG will close this recommendation after verifying that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31.
Status:
Open: Resolved