ML25049A287
| Person / Time | |
|---|---|
| Issue date: | 02/18/2025 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Buhler M NRC/EDO |
| References | DNFSB-24-A-05 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: February 18, 2025
TO: Mary J. Buhler, Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 (DNFSB-24-A-05)
REFERENCE: OFFICE OF THE GENERAL MANAGER, EMAIL DATED NOVEMBER 7, 2024

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated November 7, 2024.
Based on this response, the OIG requested additional evidence from the DNFSB. The DNFSB provided a second response to the OIG's request on February 18, 2025. Based on the DNFSB's updated response, recommendations 1, 2, and 3 are now closed.
Recommendation 4 remains open and resolved. Please provide an updated status of the open, resolved recommendation by June 20, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated
cc: T. Tadlock, OEDO; J. Biggins, GM; G. Garvin, OEDO
Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024, Status of Recommendations (DNFSB-24-A-05)
Recommendation 1:
We recommend that the Defense Nuclear Facilities Safety Board (DNFSB) implement the DNFSB's Vulnerability Management Standard Operating Procedure for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis, such as:
Remediating vulnerabilities in accordance with the DNFSB Vulnerability Management Standard Operating Procedure.
Opening plans of action and milestones to track critical and high-risk vulnerabilities that the DNFSB cannot address within 30 days.
Preparing risk-based decisions in unusual circumstances in which a technical or cost limitation makes it infeasible to mitigate a critical or high-risk vulnerability, including identifying documented, effective compensating controls coupled with a clear timeframe for planned remediation.
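The three actions above amount to a triage rule for each confirmed finding. The following is an added illustration, not part of the OIG memo or of any DNFSB procedure; it assumes severity labels of critical/high/medium/low, measures the 30-day window from the date a vulnerability was confirmed, and uses constructed sample findings.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POAM_WINDOW = timedelta(days=30)   # critical/high not fixed within 30 days need a POA&M
TRACKED = {"critical", "high"}     # severities the POA&M rule applies to (assumed labels)

@dataclass
class Finding:
    finding_id: str
    severity: str                          # "critical", "high", "medium" or "low"
    confirmed: date                        # date the vulnerability was confirmed
    remediated: Optional[date] = None      # set once the fix is verified
    infeasible: bool = False               # technical/cost limitation blocks mitigation
    compensating_control: str = ""         # documented control, if any
    planned_remediation: Optional[date] = None  # clear timeframe for the fix

def triage(f: Finding, today: date) -> str:
    """Map one finding to the action the recommendation calls for."""
    if f.remediated is not None:
        return "remediated"
    if f.infeasible:
        # A risk-based decision is only complete when it names a compensating
        # control AND a planned remediation date; otherwise flag it for follow-up.
        if f.compensating_control and f.planned_remediation:
            return "risk-based decision"
        return "risk-based decision (incomplete)"
    if f.severity not in TRACKED:
        return "remediate per SOP (no POA&M)"
    if today - f.confirmed > POAM_WINDOW:
        return "POA&M required"
    return "within remediation window"

def build_poam_report(findings, today: date) -> dict:
    """Return {finding_id: action} for a batch of findings."""
    return {f.finding_id: triage(f, today) for f in findings}

# Constructed sample findings; these are not DNFSB data.
TODAY = date(2025, 1, 31)
SAMPLE = [
    Finding("V-001", "critical", date(2024, 11, 5), remediated=date(2024, 11, 20)),
    Finding("V-002", "high", date(2024, 12, 1)),                       # 61 days open
    Finding("V-003", "medium", date(2024, 10, 1)),                     # old, but not tracked
    Finding("V-004", "critical", date(2024, 12, 10), infeasible=True,
            compensating_control="network segmentation",
            planned_remediation=date(2025, 6, 30)),
    Finding("V-005", "high", date(2025, 1, 15)),                       # 16 days open
    Finding("V-006", "critical", date(2024, 11, 1), infeasible=True),  # no control documented
]

if __name__ == "__main__":
    for fid, action in build_poam_report(SAMPLE, TODAY).items():
        print(f"{fid}: {action}")
```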
Agency Response Dated November 7, 2024: DNFSB approved OP-411.1-16, System and Information Integrity Operating Procedure on September 17, 2024, which replaces OP-412.2-1, Vulnerability Management.
DNFSB is currently organizing the vulnerability data from the month of October 2024 to create a vulnerability Plan of Actions & Milestones (POA&M) in accordance with OP-411.1-16.
Agency Response Dated February 18, 2025: Please see FY24 Recommendation 1 - Vulnerability POAMs Using Updated Procedures.zip that contains updated vulnerability POAMs implemented using updated procedures for November 2024, December 2024 and January 2025.
OIG Analysis:
The OIG reviewed and confirmed the evidence provided by DNFSB management of implementation of OP-411.1-16, System and Information Integrity Operating Procedure, for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis and the vulnerability POA&Ms created in accordance with OP-411.1-16. This recommendation is now closed.
Status:
Closed
Recommendation 2:
We recommend that the DNFSB (1) ensure that personnel complete privacy awareness and literacy training upon initial hire and annually thereafter, and (2) maintain training records in accordance with the DNFSB Security and Privacy Awareness and Training Program Standard Operating Procedure.
Agency Response Dated November 7, 2024: DNFSB used the AgLearn LMS to deliver the following course to agency staff:
Privacy Awareness As a federal employee, you have access to citizens' personal information "federally employed or not" and you're responsible for its protection and safe keeping. In this course, you'll learn about Personally Identifiable Information, or "PII" what it is, and how to identify it. This includes personal information about both federal employees and private citizens. This course will help federal employees follow federal privacy laws and ensure Fair Information Principles, or FIPs, are followed.
Agency Response Dated February 18, 2025: There have been significant changes in how we deliver and track completion for most of the Information Technology (IT) security-related courses as we have expanded the use of AgLearn and are trying to deliver as many trainings as possible using this learning management system. For example, we can now provide trainings to all federal employees and all contractors (which we could not do last year). The first example of this new training process is the annual security and phishing awareness trainings, the training window for which is closing this Friday, February 14. Please see 2025.02.13 Info Sec Awareness Certification Status.xlsx as a sample of this new process.
OIG Analysis:
The OIG reviewed and confirmed the evidence that the DNFSB used AgLearn LMS to deliver the training course to agency staff electronically and maintains training records in accordance with the DNFSB Security and Privacy Awareness and Training Program Standard Operating Procedure. This recommendation is now closed.
Status:
Closed
Recommendation 3:
We recommend that the DNFSB update and finalize the Incident Response Plan and Incident Response Process Guide Cyber Playbook to incorporate lessons learned from incident response exercises.
Agency Response Dated November 7, 2024: OP-411.1-21, Incident Response Plan Operating Procedure, and OP 411.1-22, Cyber Playbook, have both been updated with lessons learned from FY24's incident response exercises and are currently undergoing internal management review.
Agency Response Dated February 18, 2025: Please see copies of OP-411.1-21, Incident Response Plan Operating Procedure, and OP 411.1-22, Cyber Playbook, which were approved by the DNFSB's internal management (by Toni Reddish, Authorizing Official).
OIG Analysis:
The OIG reviewed and confirmed the evidence that OP-411.1-21, Incident Response Plan Operating Procedure, and OP 411.1-22, Cyber Playbook, have both been updated with lessons learned from FY24's incident response exercises and approved by the DNFSB's internal management. This recommendation is now closed.
Status:
Closed
Recommendation 4:
We recommend that the DNFSB ensure all personnel with incident response responsibilities participate in incident response exercises.
Agency Response Dated November 7, 2024: DNFSB ensured that all members of the Incident Response Team (as defined in OP-411.1-21, Incident Response Plan Operating Procedure) participated in the agency's annual incident response exercise that was held in September 2024.
Agency Response Dated February 18, 2025: Please see Additional Evidence for FY2024-04.docx for the list of all positions with incident response responsibilities, along with the specific names of people assigned to those positions.
Please see Memo - September 2024 Incident Response + Breach Response TTE Participants 2-23-25.pdf for the list of everyone that participated in the agency's annual incident response tabletop exercise that was held on September 19, 2024. Also see EXERCISE EXERCISE EXERCISE - Security Incident Meeting - Attendance report 9-19-24.csv for the Teams Attendance Log for evidence of who participated in the tabletop exercise. Note that some of the participants listed in the memo, such as Barry Breland and Chris Still, participated in person and did not join the Teams meeting, since we were all in the same room at the Germantown COOP site for the tabletop exercise.
OIG Analysis:
The OIG will close this recommendation after reviewing and confirming the evidence that the DNFSB ensured that all members of the Incident Response Team (as defined in OP-411.1-21, Incident Response Plan Operating Procedure) participated in the agency's annual incident response exercise. This recommendation remains open and resolved.
Status:
Open: Resolved