ML25077A140
| ML25077A140 | |
|---|---|
| Issue date: | 03/18/2025 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mirela Gavrilas NRC/EDO |
| References: | OIG-NRC-25-A-05 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930
nrcoig.oversight.gov
MEMORANDUM
DATE: March 18, 2025
TO: Mirela Gavrilas, Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 REGION IV: ARLINGTON, TEXAS (OIG-NRC-25-A-05)
REFERENCE: OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED MARCH 13, 2025
Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated March 13, 2025. Based on this response, recommendation 2 is now closed. Recommendation 1 remains open and resolved. Please provide an updated status of the open, resolved recommendation by November 21, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated
cc: J. Martin, ADO; D. Lewis, DADO; J. Jolicoeur, OEDO; OIG Liaison Resource; EDO ACS Distribution
Audit Report
AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 REGION IV: ARLINGTON, TEXAS
Status of Recommendations (OIG-NRC-25-A-05)
Recommendation 1:
We recommend that the U.S. Nuclear Regulatory Commission (NRC) management investigate methods of identifying inactive user accounts and improving its internal controls over inactivity to ensure that it disables network user accounts after 90 days of inactivity.
Agency Response Dated March 13, 2025:
The NRC has automated tools in place to identify and disable inactive user accounts. These tools have been verified to function as intended, except when accounts for recently departed individuals are manually re-enabled for temporary content preservation purposes. The NRC will investigate, then implement, changes to the tools to account for this specific, unaddressed use case.
Target Completion Date: Fiscal Year 2026, Quarter 1
OIG Analysis:
The OIG will close this recommendation after reviewing and confirming the evidence that NRC management investigated methods of identifying inactive user accounts and improved its internal controls over inactivity to ensure that network user accounts are disabled after 90 days of inactivity.
Status:
Open: Resolved
Recommendation 2:
We recommend that Region IV management ensure that the Region IV Sensitive Area Access Review includes the data center and that Region IV management maintains evidence of this review.
Agency Response Dated March 13, 2025:
Region IV management ensured that the Region IV Sensitive Area Access Review included the data center, and that Region IV management maintained evidence of the review. The NRC suggests closure of this recommendation.
OIG Analysis:
The OIG reviewed and confirmed the evidence that the Region IV Sensitive Area Access Review includes the data center, and that Region IV management maintains evidence of this review. This recommendation is now closed.
Status:
Closed