ML25015A132

Enclosure - Summary of NRC Actions - Response to GAO Reports
ML25015A132
Person / Time
Issue date: 04/02/2025
From: David Wright
NRC/Chairman
To: Arrington J, Capito S, Cole T, Collins S, Comer J, Dodaro G, Fleischmann C, Graham L, Matthew Green, Griffith M, Guthrie B, Mary Johnson, Kennedy J, Latta B, Michael Lee, Lummis C, Mast B, Paul R, Risch J, Vance J, Vought R
US Executive Office of the President, Office of Mgmt & Budget (OMB), US Government Accountability Office (GAO), US HR (House of Representatives), US HR, Comm on Appropriations, US HR, Comm on Energy & Commerce, US HR, Comm on Foreign Affairs, US HR, Comm on the Budget, US HR, Speaker of the House, US HR, Subcomm on Energy, US HR, Subcomm on Energy & Water Development, US HR, Subcomm on Environment, US Recovery Accountability & Transparency Board, US SEN (Senate), US SEN, Comm on Appropriations, US SEN, Comm on Energy & Natural Resources, US SEN, Comm on Environment & Public Works, US SEN, Comm on Foreign Relations, US SEN, Comm on Homeland Security & Governmental Affairs, US SEN, Comm on the Budget, US SEN, President, US SEN, Subcomm on Clean Air, Climate Change & Nuclear Safety, US SEN, Subcomm on Energy & Water Development
Shared Package
ML25015A121 List:
References
WITS200500075, CORR-25-0022

Nuclear Regulatory Commission
Enclosure: Summary of NRC Actions - Response to GAO Reports

SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS

Contents:
Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)
Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)
Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)
Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials (GAO-22-103441)
Nuclear Regulatory Commission: NRC Needs to Take Additional Actions to Prepare to License Advanced Reactors (GAO-23-105997)
Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO-24-105658)
High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use (GAO-24-105998)
Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements (GAO-24-106137)
Nuclear Power Plants: NRC Should Take Actions to Fully Consider the Potential Effects of Climate Change (GAO-24-106326)
IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements (GAO-25-107041)

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices, December 2014 (GAO-15-98)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost-estimating best practices identified in GAO-09-3SP, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as the NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

In January 2020, partially in response to this recommendation, NRC staff submitted a revised NUREG/BR-0058, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission, to the Commission for consideration (ML19261A280). The NRC staff revised NUREG/BR-0058 to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. The revision also addressed relevant best practices provided by GAO, as of the submission date to the Commission, and feedback from licensees and other stakeholders provided in a request for public comments on the draft. Lastly, the revision consolidated guidance documents, incorporated recommendations from the GAO report on the NRC's cost estimating practices and cost estimating best practices from the GAO Cost Guide, and captured best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, "Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses" (ML15063A568).

In addition, the NRC staff developed Appendices K-L, which provide guidance on the monetary valuation of nonfatal cancer risk used in cost-benefit analysis and replacement energy costs. The NRC issued the draft appendices for public comment in July 2022 and held a public meeting in August 2022 to answer stakeholder questions and facilitate public comment on the appendices. The final draft appendices were provided to the Commission for review and approval in February 2023.

In November 2023, the Office of Management and Budget (OMB) issued a revised Circular No. A-4, which contains guidance for Federal agencies on the development of regulatory analysis. In addition, while the revised NUREG/BR-0058 was under consideration by the Commission, GAO revised its cost estimating guide in 2020. In order to address the revised guidance from OMB and GAO, the NRC staff requested to withdraw NUREG/BR-0058 and its appendices from Commission consideration. In May 2024, the Commission issued SRM-SECY-20-0008, directing staff to update NUREG/BR-0058 to be consistent with the revised OMB and GAO guidance (ML24124A088). The Commission also directed staff to consolidate the guidance into a single manuscript for issuance, with the exception of an appendix related to the staff's consideration of qualitative factors in regulatory decision-making. Finally, the Commission directed that this appendix be submitted separately to the Commission for notational vote. Further, the Commission directed staff to solicit and respond to public feedback before transmitting the revised NUREG/BR-0058 to the Commission.

Following Commission review, staff will issue the final NUREG/BR-0058 and reference it on the NRC public website. Staff will do the same for the accompanying appendix, dependent on Commission review and approval.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, July 2016 (GAO-16-330)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them.

Specifically, the NRC should take the steps needed to include category 3 sources in the National Source Tracking System and add Agreement State category 3 licenses to the Web-based Licensing (WBL) System as quickly as reasonably possible.

Status:

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY-17-0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and,
3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the Licensee Verification System (LVS) or the regulatory authority. For this activity Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

The Commission did not direct the staff to include category 3 sources in the National Source Tracking System.

On December 19, 2022, the staff submitted the draft proposed rule, SECY-22-0112, "Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103)," to the Commission for its consideration, addressing the Commission's direction in SRM-SECY-17-0083. As documented in SRM-SECY-22-0112 (March 8, 2024), the Commission was unable to reach a decision on the staff's recommended proposed rule; therefore, the proposed rule was not approved.

The regulations in 10 CFR Parts 30, 40, and 70 currently require, before the transfer of byproduct materials, that the licensee transferring the material verify that the transferee's license authorizes the receipt of the type, form, and quantity of byproduct material to be transferred. To ensure the validity of an unknown applicant for a license, NRC and Agreement State regulators implement a pre-licensing checklist during site visits for all unknown entities to provide a basis for confidence that a new applicant (i.e., an entity that has never had a license or is unknown) requesting a specific license, or a licensee requesting transfer of control to a new applicant, will store and use radioactive materials at locations as specified on the license. Agreement States may elect to use the WBL system, as the NRC has made it available for Agreement State use; however, adoption of WBL is not mandatory, and Agreement States may use their own systems. There are currently 13 Agreement States that have elected to use WBL as their primary licensing system.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, at least until such time that category 3 licenses can be verified using LVS, require that transferors of category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any category 3 quantities of licensed materials.

Status:

The NRC staff in SECY-22-0112 recommended amending the regulations in 10 CFR to require licensees transferring category 3 quantities of radioactive material to verify licenses through the NRC License Verification System or by contacting the regulatory authority. As documented in SRM-SECY-22-0112, the Commission was unable to reach a decision on the staffs recommended proposed rule; therefore, the proposed rule was not approved.

The NRC staff continues to engage licensees and the Agreement States on the issues identified by this GAO report. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses. The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or the Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on their responses to NRC communications and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of the NRC working groups meeting to develop enhancements to the pre-licensing requirements for category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

Status:

The NRC issued a revision to its pre-licensing guidance, which is used by NRC and Agreement State staff to conduct pre-licensing site visits and other pre-licensing activities. The revised guidance emphasizes that licenses should not be hand-delivered during any pre-licensing site visit.

Moreover, the guidance outlines the processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate. The NRC has also updated its licensing and inspection courses and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, April 2019 (GAO-19-468)

The U.S. Government Accountability Office (GAO), in its report, "Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," made three recommendations to the U.S. Nuclear Regulatory Commission (NRC) related to the security of radioactive material. Two of these recommendations have been previously reported as recommendations that would not be implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 2:

The Chairman of the NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

Status:

In SECY-17-0083, "Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the NRC staff provided the Commission the results of an analysis of threat, vulnerability, and consequence data related to aggregation of category 3 sources to a category 2 quantity of radioactive material. In that analysis, the NRC staff concluded that the costs to both the regulatory authorities and the licensee population were not justified in the absence of current information and operating experience demonstrating a need to amend the security requirements related to aggregation. The Commission, in SRM-SECY-17-0083, approved the staff's recommendation not to amend the regulations to: a) require inclusion of category 3 sources in the National Source Tracking System; or b) impose security requirements to prevent aggregation of category 3 sources to a category 2 quantity of radioactive material.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials, July 2022 (GAO-22-103441)

The U.S. Government Accountability Office (GAO), in its report, "Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials," made two recommendations to the NRC related to the security of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Chairman of the NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory authority.

Status:

On December 19, 2022, the staff submitted a draft proposed rule with recommendations for license verification to the Commission for its consideration. As documented in SRM-SECY-22-0112, the Commission was unable to reach a decision on the staff's recommended proposed rule. Therefore, the proposed rule was not approved. The draft proposed rule and supporting content can be found in SECY-22-0112, "Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103)."

The NRC staff continue to engage licensees and Agreement States on the issues identified by this GAO report. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses. The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on their responses to NRC communications and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 2:

The Chairman of the NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing.

Status:

In SECY-17-0083, the NRC staff assessed the use of anti-counterfeiting measures for paper licenses and did not provide a recommendation to the Commission at that time. Currently, the NRC staff is exploring implementation of security features for radioactive materials documents that may also be considered for implementation for all categories of NRC licenses. The NRC staff has completed an evaluation of the advantages and disadvantages of security features such as two-factor authentication, non-fungible tokens, data tokens, and QR codes.

Tokenization and QR codes demonstrated the most promise of security improvement within reasonable implementation cost. A path towards adoption of tokenization and QR codes security features is being developed and will be tested for integration into radioactive materials documents by the end of FY 2025.
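The passage above names tokenization and QR codes as candidate security features for license documents but does not say how they would be applied. The following is an added illustration, not NRC code and not a description of any NRC design, of the one property that makes such a feature useful against the forgery and alteration GAO described: the QR code is only a carrier, and what matters is that the payload it carries is bound to the issuing regulator by a keyed tag and is then checked against the regulator's system of record rather than trusted on its own. Everything here is assumed for the example: a regulator-held HMAC key (appropriate only because the verifier is the regulator's own service, a stand-in for LVS; if vendors were to verify offline, a public-key signature would replace the MAC), a constructed license record, and a constructed Ir-192 quantity. The check at the end mirrors the existing 10 CFR requirement noted elsewhere on this page that the transferee's license authorize the type and quantity being transferred.

```python
"""Tamper-evident license token for a QR code, verified by the regulator.

Added example, not NRC code. Assumed for illustration: the regulator keeps
the MAC key and runs verification (vendors submit the scanned token to it);
the system of record is a dict of license records keyed by license number.
"""
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed sample data: demo key and one license in the system of record.
REGULATOR_KEY = b"constructed-demo-key-do-not-reuse"
SYSTEM_OF_RECORD = {
    "12-34567-01": {
        "license_no": "12-34567-01",
        "licensee": "Example Radiography Co. (constructed)",
        "authorized": {"Ir-192 sealed source": 5.55e12},  # Bq, constructed
        "expires": "2030-06-30",
        "status": "active",
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_token(record: dict, key: bytes) -> str:
    """Regulator side: payload plus HMAC-SHA256 tag, short enough for a QR code."""
    payload = _canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, key: bytes, records: dict, today: date) -> Optional[dict]:
    """Regulator side: return the authoritative record, or None on any failure."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None  # payload altered or tag forged
        claimed = json.loads(payload)
    except (ValueError, TypeError):
        return None  # malformed token
    record = records.get(claimed.get("license_no"))
    if record is None or record["status"] != "active":
        return None  # genuine token, but license unknown or revoked
    if claimed != record:
        return None  # stale token: license amended since issuance
    if date.fromisoformat(record["expires"]) < today:
        return None  # expired
    return record  # the system of record, never the scanned payload, is returned


def authorizes_transfer(record: dict, material: str, quantity: float) -> bool:
    """The transferor's check: license authorizes this material and quantity."""
    limit = record["authorized"].get(material)
    return limit is not None and quantity <= limit


def forge_quantity(token: str, new_quantity: float) -> str:
    """Attacker edits the quantity in the QR payload but cannot recompute the tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    claimed = json.loads(_unb64(payload_b64))
    claimed["authorized"] = {k: new_quantity for k in claimed["authorized"]}
    return f"{_b64(_canonical(claimed))}.{tag_b64}"


if __name__ == "__main__":
    today = date(2025, 4, 2)
    tok = issue_token(SYSTEM_OF_RECORD["12-34567-01"], REGULATOR_KEY)
    rec = verify_token(tok, REGULATOR_KEY, SYSTEM_OF_RECORD, today)
    print("genuine token verifies:", rec is not None)
    print("3.7e12 Bq Ir-192 authorized:", authorizes_transfer(rec, "Ir-192 sealed source", 3.7e12))
    forged = forge_quantity(tok, 1e15)
    print("forged quantity rejected:", verify_token(forged, REGULATOR_KEY, SYSTEM_OF_RECORD, today) is None)
```

The revocation and "claimed != record" branches are the point of doing verification at the regulator: a token that was genuine when printed still fails once the license is revoked or amended, which a purely visual anti-counterfeiting feature on paper cannot achieve.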

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Take Additional Actions to Prepare to License Advanced Reactors, July 2023 (GAO-23-105997)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Regulatory Commission: NRC Needs to Take Additional Actions to Prepare to License Advanced Reactors," made four recommendations to further enhance the NRC's ability to review advanced reactors. In 2024, the NRC notified GAO that it would not implement Recommendation 1 and that it had taken action to address Recommendation 4. The NRC considers these recommendations closed. The status of the actions taken by the NRC in response to the remaining GAO recommendations is provided below.

Recommendation 2:

The Chairman of NRC should direct staff to finalize draft preapplication guidance to clarify the extent to which advanced reactor developers should participate in preapplication activities.

Status:

Although engagement in preapplication activities at the NRC is voluntary and not required for licensing, communicating expectations on preapplication engagement with prospective applicants continues to be a priority for the agency. Preapplication engagement can support the establishment of licensing review schedules that are shorter than the generic milestones. This has been demonstrated through engagement with several developers, including TerraPower and Kairos Power, LLC. The NRC considered the experience gained from these activities in developing the final version of its preapplication guidance document, which was issued in March 2024, as Appendix A to Interim Staff Guidance DANU-ISG-2022-01, Review of Risk-Informed, Technology-Inclusive Advanced Reactor Applications-Roadmap (ML23277A139). This guidance addresses how to optimize preapplication engagements, including the topical report process and potential technical matters for prospective applicants to target; safety review meeting, audit, and white paper interactions; environmental activities; preapplication readiness assessments; and safeguards information plans. The draft version of this document was discussed in several public meetings and formally issued for public comment to seek stakeholder feedback before it was issued as final. The NRC continues to encourage advanced reactor developers to engage in preapplication interactions with the NRC, especially on new or novel issues.

The NRC considers this GAO recommendation closed.

Recommendation 3:

The Chairman of NRC should direct staff to establish benchmarks and measures to assess its recruitment, relocation, and retention incentives and strategies to determine their effectiveness to help NRC retain and hire the staff necessary to license advanced reactors.

Status:

The NRC is currently developing the new Strategic Workforce Planning process and application based on recommendations from the evaluation completed on the previous Strategic Workforce Planning process. The new Strategic Workforce Planning process is expected to better inform decisions for our recruitment, relocation, and retention programs. The Office of the Chief Human Capital Officer (OCHCO) is also piloting the development of Program Profiles. These profiles will be used to define each of the programs within OCHCO, including performance indicators and measures to measure the health of each program. OCHCO is beginning the pilot with the development of program profiles for the recruitment, retention, staffing, and on-boarding programs. The new Strategic Workforce Planning process and application, as well as the initial program profiles, will be completed by the fourth quarter of fiscal year 2025.

To date, staffing challenges have not impacted the NRC's ability to complete advanced reactor licensing reviews on or ahead of schedule. However, the agency has experienced some challenges with hiring and attrition. This has required agency leadership to employ creative near-term solutions to manage the current workload, including employing rehired annuitants, engaging available contractor support, and leveraging staff in other offices for select short-term assignments. Based on industry projections, the volume of advanced reactor licensing work is expected to increase; therefore, the agency's ability to achieve a commensurate increase in dedicated staffing resources with the requisite knowledge, critical skill sets, and experience to perform the essential work will be critical to sustaining its ability to conduct timely reviews.

The NRC staff routinely monitors and refines benchmarks and measures to assess the effectiveness of its recruitment, relocation, and retention strategies to ensure alignment with agency hiring goals. Furthermore, agency leadership continues to work with the OCHCO to maximize opportunities to fill mission-critical, priority vacancies in a strategic, efficient, and informed manner to best ensure there are no adverse impacts to the agency's ability to fulfill its regulatory mission.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements, December 2023 (GAO-24-105658)

The U.S. Government Accountability Office (GAO), in its report, "Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements," recommended that the NRC ensure that the agency fully implements all event logging requirements as directed by OMB guidance. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement agency-wide programs to provide security for the information and information systems that support their operations and assets. FISMA requires that agency information security programs include procedures for detecting, reporting, and responding to security incidents and that agencies report annually on the total number of information security incidents to OMB and Congress. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements all event logging requirements as directed by OMB guidance.

Status:

The NRC has increased the software licensing levels for the enterprise log management system and Security Information and Event Management (SIEM) solution and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across event logging (EL) maturity tiers EL1, EL2, and EL3 to ensure events are logged and tracked in accordance with Office of Management and Budget (OMB) M-21-31, "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," dated August 27, 2021, by the fourth quarter of fiscal year 2025.

The NRC completed the implementation of the EL1 (Basic) tier event logging requirements on July 31, 2024. Additionally, the NRC implemented the Security Orchestration, Automation, and Response (SOAR) and User Behavior Analytics (UBA) requirements defined in tier EL3 on October 31, 2024. The NRC plans to complete all remaining requirements for EL2 (Intermediate) by March 31, 2025, and for EL3 (Advanced) by August 1, 2025.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use, November 2023 (GAO-24-105998)

The U.S. Government Accountability Office (GAO), in its report, "High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use," made two recommendations to the NRC related to the storage of foreign-origin americium-241 and minimizing the time that disused sources are in licensees' possession. GAO also made a separate recommendation to the U.S. Department of Energy regarding foreign-origin americium-241. The status of the NRC actions is provided below.

Recommendation 2:

The Chairman of the NRC, in coordination with DOE and in consultation with other relevant stakeholders, should conduct an analysis to evaluate options and take action to facilitate long-term storage, within agency authorities, to better secure foreign-origin americium-241 until a permanent disposal or viable recycling option is available.

Status:

NRC regulations do not distinguish between foreign- and domestic-origin americium-241. Long-term, safe storage by licensees of sources awaiting a disposal pathway is facilitated by current NRC regulations and oversight programs. The NRC will continue to participate in interagency activities to further a disposition solution for foreign-origin americium-241. However, the NRC would not be the appropriate lead agency to conduct the analysis described in the recommendation. DOE is primarily responsible for managing high-level waste, while the NRC regulates the storage and disposal of this waste when it is subject to long-term storage, and issues licenses for facilities that store this waste. The NRC staff will continue to communicate with DOE/National Nuclear Security Administration (NNSA) staff during NNSA's evaluation of storage, disposal, or viable recycling recovery options for foreign-origin americium-241 under NNSA's Off-Site Source Recovery Program. The NRC and DOE/NNSA staff previously collaborated on a common position statement regarding disposal of foreign-origin americium-241. If a license application for a facility to store, dispose of, or recycle foreign-origin americium-241 is submitted, the NRC would conduct a review of that license application.

The DOE, as a member of the Task Force on Radiation Source Protection and Security, has been investigating options for disposition of foreign-origin americium-241 under activities pursuant to Recommendation 5 from the 2010 Task Force report. The recommendation is still considered open by the Task Force, which provides a vehicle to regularly update the Administration and Congress on this item.

This GAO recommendation remains open.

Recommendation 3:

The Chairman of the NRC should comprehensively assess leading practices that, if implemented, would minimize the time that disused sources are in a licensee's possession.

These practices include financial assurances for all category 1, 2, and 3 sources; tracking of category 3 sources; possession time limits or fees for disused sources; and orphan source funds.

Status:

The NRC staff acknowledges GAO's recommendation to comprehensively assess leading practices that, if implemented, would minimize the time that disused sources are in a licensee's possession. The NRC staff is assessing the merits and practicalities of possession time limits and/or fees for sources not actively being used and stored on site for extended periods. The NRC staff is also evaluating the utility of an orphan source fund, and whether administering such a fund is within the NRC's statutory authority. NRC and Agreement State safety and security requirements provide adequate protection for radioactive byproduct material sources, and licensees are required to comply with these requirements while in possession of the materials regardless of the time they are stored on site. While in possession of the materials, licensees are also subject to regulatory oversight to ensure compliance with requirements.

In December 2021, the Commission directed the NRC staff to conduct a rulemaking to expand the NRC's financial assurance requirements in Title 10 of the Code of Federal Regulations 30.35, "Financial Assurance and Recordkeeping for Decommissioning," to require financial assurance for disposition of category 1 and 2 byproduct material radioactive sealed sources. As part of the rulemaking, the Commission also directed the staff to consider and seek public comments on whether financial assurance requirements should be extended to category 3 sources. The staff is currently developing a regulatory basis for a financial assurance rule.

Regarding the recommendation to track category 3 sources, the Commission, in SRM-SECY-17-0083, approved the staff's recommendation not to direct the staff to amend the regulations to require inclusion of category 3 sources in the National Source Tracking System.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report - Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements June 2019 (GAO-24-106137)

The U.S. Government Accountability Office (GAO), in its report Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements, made recommendations to government entities, including the NRC, to ensure cloud computing addresses key OMB procurement requirements. The status of the actions taken by the NRC in response to the GAO recommendations that remain open as of the NRC's last report is provided below.

Recommendation 37:

The Chairman of NRC should ensure that the CIO [Chief Information Officer] of NRC develops guidance to put a cloud Service Level Agreement (SLA) in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance.

Status:

The NRC plans to review its existing guidance noted below and update SLAs as applicable to ensure OMB required elements are met.

The NRC employs information security requirements for acquisition of information technology, which incorporate language reflective of the Office of Management and Budget's (OMB's) four required elements for SLAs, including continuous monitoring of assets, definition of roles and responsibilities, establishment of performance metrics, and remediation plans for non-compliance.

All new technology services, including cloud-based services, are initially evaluated through the agency's Information Technology Governance process to determine agency suitability, which includes cybersecurity review. If the service is deemed cloud-based, the service undergoes a comprehensive assessment prior to receiving authorization, and the related High Value Asset (HVA) continuous monitoring activities are codified in the agency's process document, CSO-PROS-1323, Information Security Continuous Monitoring Process. NRC's Management Directive (MD) 12.5, "NRC Cybersecurity Program," and MD 12.6, "NRC Controlled Unclassified Program," require that these related processes are specifically aligned to the Federal Risk and Authorization Management Program (FedRAMP) authorization requirements, which are fully enforceable contractually in terms of holding cloud service providers accountable. Additionally, the NRC utilizes a performance Statement of Work (SOW) template that prescribes recommended language and other resources for the procurement of information technology contracts, including cloud computing services. NRC acquisitions involving cloud services are typically procured through a reseller. Cloud Service Provider SLAs flow through the reseller via a roles and responsibilities clause as described in the contract document template.

This effort is targeted for completion by the third quarter of fiscal year 2025 (FY 2025 Q3).

This GAO recommendation remains open.

Recommendation 38:

The Chairman of NRC should ensure that the CIO of NRC develops guidance regarding standardizing cloud SLAs.

Status:

The NRC adheres to the OMB Federal Cloud Computing Strategy as the foundation for acquiring cloud-based solutions, ensuring alignment with FedRAMP requirements for continuous awareness of cloud-based assets. To maintain consistency across applicable contracts, the NRC employs standardized contract clauses and SOW templates that reinforce SLAs.

Currently, the NRC is reviewing existing documentation to ensure SLAs for all cloud-based assets are standardized. This effort includes incorporating language that strengthens quality assurance, continuous visibility, security, and operational efficiency. The planned updates are scheduled for implementation by FY 2025 Q3.

This GAO recommendation remains open.

Recommendation 39:

The Chairman of NRC should ensure that the CIO of NRC develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset.

Status:

The NRC maintains an internal procedure, CSO-PROS-1323, Information Security Continuous Monitoring Process, that the staff must follow to perform continuous monitoring on systems owned and used by the NRC. This existing guidance, which applies to the agency's HVA systems, currently aligns with Cybersecurity and Infrastructure Security Agency (CISA) direction for protecting and operating HVA information systems, including cloud-based services. Existing NRC FedRAMP contract requirements stipulate that cloud services must undergo security and risk assessments, continuous monitoring and alerting, and access controls through identity, credential, and access management capabilities. All new technology services, including cloud-based services, are initially evaluated through the agency's IT Governance process to determine agency suitability. This process includes cybersecurity review. The services undergo a comprehensive risk assessment before receiving authorization, and the related HVA continuous monitoring activities are codified in the agency's process document, CSO-PROS-1323. Please see the highlighted sections on pages 3, 5-6, 8, 10, 12, 13, and 19 in the attached CSO-PROS-1323-Copy.pdf file for guidance on the continuous visibility requirements.

The NRC's MD 12.5, "NRC Cybersecurity Program," requires that the associated processes be explicitly aligned with the FedRAMP authorization requirements. These requirements are contractually enforceable, ensuring accountability for cloud service providers. Please see the highlighted sections on pages 7, 9, 28, 37, 38, 60, 74, 75, 78, and 87 in the attached Management Directive 12.5 - copy.pdf file for further information.

The NRC considers this GAO recommendation to be closed.

Recommendation 40:

The Chairman of NRC should ensure that the CIO of NRC updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award.

Status:

NRC contracts governing HVA systems that are managed and operated in cloud environments currently provide for continuous visibility of assets. The requirements are enforced through agency policy and in accordance with FedRAMP guidance. The specific language has been updated to reflect the most recent OMB FedRAMP guidance, is now integrated within CSO-PROS-1323, Information Security Continuous Monitoring Process, and NRC's MD 12.5, "NRC Cybersecurity Program," and is associated with applicable NRC HVA contracts.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report - Nuclear Power Plants: NRC Should Take Actions to Fully Consider the Potential Effects of Climate Change April 2024 (GAO-24-106326)

The U.S. Government Accountability Office (GAO), in its report, Nuclear Power Plants: NRC Should Take Actions to Fully Consider the Potential Effects of Climate Change, made three recommendations, including that NRC assess whether its existing processes adequately address climate risks and develop and implement a plan to address any gaps identified. The status of the NRC actions is provided below.

Recommendation 1:

The Chair of the NRC should direct NRC staff to assess whether its licensing and oversight processes adequately address the potential for increased risks to nuclear power plants from climate change.

Status:

NRC staff has contracted support from Pacific Northwest National Laboratory for the review of the Fifth National Climate Assessment (NCA5) and supporting technical literature under NRC's Process for the Ongoing Assessment of Natural Hazards Information (POANHI). Staff has additionally commenced a survey of existing relevant NRC regulatory guidance to determine which should be reviewed for potential updates related to climate change. NRC's review of NCA5 will inform whether gaps exist in the licensing and oversight of existing licensed power plants. The NCA5 review will include updating published climate reports associated with the NRC's Probabilistic Flood Hazard Assessment Research Program, as was done after the publication of NCA4 in 2018. It may also include regional or site-specific reviews of some or all climate-related hazard changes for existing licensed nuclear power plants. In addition, the NCA5 review will inform the NRC staff's development of guidance updates for the licensing of new facilities, as described in the response to GAO's Recommendation 3. This work is expected to be a multi-year effort.

This GAO recommendation remains open.

Recommendation 2:

The Chair of the NRC should direct NRC staff to develop, finalize, and implement a plan to address any gaps identified in its assessment of existing processes.

Status:

The NRC staff will assess the safety significance of any gaps, if identified, through the staff's NCA5 review or through any subsequent or related activities conducted in response to GAO's Recommendation 1. Pursuant to the staff's existing processes, the staff will address any risk-significant gaps that are identified. This is a continuation of the work discussed in the status for Recommendation 1 and is expected to be a multi-year effort.

This GAO recommendation remains open.

Recommendation 3:

The Chair of the NRC should direct NRC staff to develop and finalize guidance on incorporating climate projections data into relevant processes, including what sources of climate projections data to use and when and how to use climate projections data.

Status:

The NRC staff is conducting a comprehensive survey of existing relevant NRC regulatory guidance to determine what needs to be reviewed for updates to include considerations related to climate change. The NRC staff's NCA5 review will also support a determination of whether new dedicated guidance related to the use of climate projections is warranted. The NRC plans to implement these actions as part of its existing process of periodically reviewing regulatory guides. This work is expected to be a multi-year effort.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report - IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements November 2024 (GAO-25-107041)

The U.S. Government Accountability Office (GAO), in its report, IT Portfolio Management: OMB and Agencies Are Not Fully Addressing Selected Statutory Requirements, made recommendations to numerous agencies, including NRC, to improve their IT portfolio processes. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 39:

The Chairman of the Nuclear Regulatory Commission should direct its agency CIO to work with OMB to ensure that the annual reviews of their IT portfolio are conducted in conjunction with the Federal CIO and the Chief Operating Officer or Deputy Secretary (or equivalent), as prescribed by FITARA.

Status:

The GAO report was issued on November 14, 2024. The NRC is evaluating the report and assessing necessary actions and will respond to GAO and Congress within 180 days of the report date.

This GAO recommendation remains open.