ML25059A060
| Person / Time | |
|---|---|
| Issue date: | 02/28/2025 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mirela Gavrilas NRC/EDO |
| References | |
| OIG-NRC-25-A-04 | |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov
MEMORANDUM
DATE: February 28, 2025
TO: Mirela Gavrilas, Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024, TECHNICAL TRAINING CENTER: CHATTANOOGA, TENNESSEE (OIG-NRC-25-A-04)
REFERENCE: DEPUTY EXECUTIVE DIRECTOR FOR NUCLEAR MATERIALS, ADMINISTRATIVE, AND CORPORATE PROGRAMS OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS, MEMORANDUM DATED FEBRUARY 18, 2025
Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations, as discussed in the agency's response dated February 10, 2025.
Recommendations 1 through 6 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 18, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated
cc: J. Martin, ADO
D. Lewis, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO_ACS Distribution
Audit Report
PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024, TECHNICAL TRAINING CENTER: CHATTANOOGA, TENNESSEE
Status of Recommendations (OIG-NRC-25-A-04)
Recommendation 1:
We recommend that the U.S. Nuclear Regulatory Commission (NRC) Office of the Chief Information Officer (OCIO) management, in coordination with Office of the Chief Human Capital Officer (OCHCO) and Office of Administration (ADM), evaluate the NRC's separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees' accounts to ensure that the NRC terminates these accounts in a timely manner.
Agency Response Dated February 10, 2025: The management of the NRC OCIO, in coordination with the OCHCO and the ADM, will evaluate the NRC's separation policies and procedures, and re-engineer the related business processes and the automation used to disable separated employees' accounts to ensure that the NRC terminates these accounts in a timely manner.
Target Completion Date: Fiscal year (FY) 2026, second quarter (Q2)
OIG Analysis:
The OIG will close this recommendation after confirming that the management of NRC OCIO, in coordination with OCHCO and ADM, evaluate the NRC's separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees' accounts to ensure that the NRC terminates these accounts in a timely manner. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 2:
We recommend that Technical Training Center (TTC) and NRC management evaluate the TTC system authority to operate (ATO) memorandum for revision and update it to reflect the current operating environment.
Agency Response Dated February 10, 2025: The NRC and TTC management will evaluate the TTC system authority to operate (ATO) memorandum for revision and update it to reflect the current operating environment.
Target Completion Date: FY 2026, Q1
OIG Analysis:
The OIG will close this recommendation after confirming the NRC and TTC management evaluated the TTC system ATO memorandum for revision and updated it to reflect the current operating environment. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 3:
We recommend that the NRC's TTC management install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel.
Agency Response Dated February 10, 2025: The NRC's TTC management will install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel. In addition, OCHCO will coordinate with the OCIO network team to have OCIO purchase a server cage that is delivered and installed at the TTC facility.
Target Completion Date: FY 2026, Q2
OIG Analysis:
The OIG will close this recommendation after confirming the NRC's TTC management installed a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel while the OCHCO coordinates with the OCIO network team to have OCIO purchase a server cage that is delivered and installed at the TTC facility. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 4:
We recommend that the NRC's TTC management install protective covers over the emergency power shut-off switches throughout the facility.
Agency Response Dated February 10, 2025: The NRC's TTC management will purchase and install either protective covers or extended collars over the emergency power shut-off switches throughout the facility, which will stop accidental pushing of the power shut-off switch.
Target Completion Date: FY 2025, Q4
OIG Analysis:
The OIG will close this recommendation after confirming that the NRC's TTC management purchased and installed either protective covers or extended collars over the emergency power shut-off switches throughout the facility, which will prevent accidental pushing of the power shut-off switch. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 5:
We recommend that NRC management define and implement a risk-based process for regularly reviewing users who have badged access to the NRC general access group and restricting badged access to the Regions based on business needs.
Agency Response Dated February 10, 2025: The NRC's ADM management will define the risk-based determination and mitigations for including the regions in the NRC general access group.
Target Completion Date: FY 2025, Q2
OIG Analysis:
The OIG will close this recommendation after confirming that the NRC's ADM management defined and implemented a risk-based process for regularly reviewing users who have badged access to the NRC general access group and defined the risk-based determination and mitigations for including regions in the NRC general access group. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 6:
We recommend that NRC management perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.
Agency Response Dated February 10, 2025: The NRC's ADM management will perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities; and as a part of this risk-based analysis, will define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.
Target Completion Date: FY 2025, Q2
OIG Analysis:
The OIG will close this recommendation after confirming that NRC management performs a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. This recommendation remains open and resolved.
Status:
Open: Resolved