ML25090A195

DNFSB-22-A-04 Status of Recommendations: Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated March 31, 2025
Issue date: 03/31/2025
From: Virkar H, NRC/OIG/AIGA
To: Buhler M, NRC/EDO
References: DNFSB-22-A-04


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: March 31, 2025

TO: Mary J. Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (DNFSB-22-A-04)

REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, MEETING DATED FEBRUARY 26, 2025, AND EMAIL CORRESPONDENCE DATED FEBRUARY 27, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations, as discussed in a meeting between the OIG and the Defense Nuclear Facilities Safety Board (DNFSB) on February 26, 2025, as well as the DNFSB's email correspondence dated February 27, 2025. Recommendations 1, 2, 3, 7, 8, 10, 20, 22, and 24 were closed in the audit titled "Performance Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024" (DNFSB-24-A-05). Recommendations 5, 6, 12 to 19, and 21 were previously closed. Based on this response, Recommendations 4, 9, 11, and 23 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 11, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: K. Herrera, DEDO
    J. Biggins, DEDRS
    G. Garvin, DEDRS

Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (DNFSB-22-A-04)

Recommendation 4:

Define a Supply Chain Risk Management strategy to drive the development and implementation of policies and procedures for:

a. How supply chain risks are to be managed across the agency;
b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored;
c. How counterfeit components are prevented from entering the DNFSB supply chain.

OIG Analysis:

The DNFSB did not provide an updated response for this recommendation.

On September 20, 2023, the agency provided the following response:

Supply Chain Risk will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023.

The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.

Status:

Open: Resolved

Recommendation 9:

Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal Identity, Credential, and Access Management (ICAM) architecture and Office of Management and Budget (OMB) Memorandum (M) 17, and phase 2 of the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program.

Agency Response Dated February 27, 2025:

DNFSB published its Enterprise Architecture that includes the agency's to-be ICAM architecture in December 2024 and published OP 411.1-7, Identification and Authentication Operating Procedures, in September 2024.

OIG Analysis:

The OIG reviewed the evidence and concluded that it is not sufficient to show corrective actions have been taken to address this recommendation. The OIG will close this recommendation when the DNFSB provides evidence demonstrating the clear milestones for implementing strong authentication, Federal ICAM, OMB M-19-17, and CDM Phase 2, and actions taken by the agency to support the achievement of these requirements and CDM Phase 2.

Status:

Open: Resolved

Recommendation 11:

Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.

Agency Status:

In a February 26, 2025, meeting between the DNFSB and the OIG, the DNFSB noted that it is currently in the process of developing role-based privacy training, based on its testing.

OIG Analysis:

The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation.

The OIG notified the DNFSB that, ultimately, the agency should define this itself (i.e., which individuals and roles require additional privacy role-based training). Therefore, to close this recommendation, the DNFSB would need to demonstrate identification of the roles that are required to take additional privacy role-based training, show evidence of the development and/or acquisition and rollout of privacy role-based training program materials, and show the implementation of the privacy role-based training (i.e., that the required personnel have taken the training).

The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.

Status:

Open: Resolved

Recommendation 23:

Conduct a Business Impact Analysis (BIA) within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.

Agency Status:

In a February 26, 2025, meeting between the DNFSB and the OIG, the DNFSB noted that corrective action is ongoing and that the DNFSB is currently establishing an enterprise risk management program. Once established, this program will conduct a BIA.

OIG Analysis:

The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation.

To close this recommendation, the DNFSB will need to demonstrate that it has conducted a DHS Federal Emergency Management Agency (FEMA) Federal Continuity Directive (FCD) 2 process-based BIA in 2025 and show that it has incorporated the results into its contingency planning strategy and mitigation planning activities. Preferably, updates to a system-based BIA supporting the DNFSB General Support System (GSS) Information System Contingency Plan (ISCP) would be completed in parallel to ensure the most current information is reflected in the DNFSB's contingency planning at the Mission Essential Function (MEF), Primary Mission Essential Function (PMEF), and system levels. It would also be preferable if regular process- and system-level BIA updates were incorporated as part of the ISCP program / National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Monitor step, in accordance with the requirements of DHS FEMA FCD 2 Annex D and NIST Special Publication (SP) 800-34, Section 3.6.

The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.

Status:

Open: Resolved