ML25090A241
| Field | Value |
|---|---|
| Issue date | 03/31/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Buhler M NRC/EDO |
| References | DNFSB-21-A-04 |
| Download | ML25090A241 (1) |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: March 31, 2025

TO: Mary J. Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (DNFSB-21-A-04)

REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, MEETING DATED FEBRUARY 26, 2025, AND EMAIL CORRESPONDENCE DATED FEBRUARY 27, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in a meeting between the OIG and the Defense Nuclear Facilities Safety Board (DNFSB) on February 26, 2025, as well as the DNFSB's email correspondence dated February 27, 2025. Based on this response, recommendations 1 and 11 are now closed. Recommendations 4, 7, 10, and 14 were closed in the audit titled, Performance Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 (DNFSB-24-A-05). Recommendations 5, 6, 8, 12, and 13 were previously closed.
Recommendations 2, 3, and 9 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 11, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: K. Herrera, DEDO; J. Biggins, DEDRS; G. Garvin, DEDRS
Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020, Status of Recommendations (DNFSB-21-A-04)

Recommendation 1:
Define an Information Security Architecture (ISA) in accordance with the Federal Enterprise Architecture Framework.
Agency Response Dated February 27, 2025:
The requested ISA is incorporated in DNFSB's Enterprise Architecture, which was published in December 2024.
OIG Analysis:
The OIG confirmed that the agency has defined an ISA in accordance with the Federal Enterprise Architecture Framework. Hence, this recommendation is now closed.
Status:
Closed
Recommendation 2:
Use the fully defined ISA to:
- a. Assess enterprise, business process, and information system level risks;
- b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;
- c. Conduct an organization wide security and privacy risk assessment; and,
- d. Conduct a supply chain risk assessment.
OIG Analysis:
The agency did not provide an updated response pertaining to Recommendations 2a and 2b.
On September 20, 2023, the agency provided the following response:
- a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB's existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB's existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
- b. Risk tolerance, risk profiles, and a risk register will be established as part of DNFSB's ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.

The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendations 2c and 2d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address Recommendation 2 during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.
Status:
Open: Resolved
Recommendation 3:
Using the results of recommendations one (1) and two (2) above:
- a. Collaborate with the DNFSB's Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Information Technology (IT) operations;
- b. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;
- c. Implement a centralized view of risk across the organization; and
- d. Implement formal procedures for prioritizing and tracking Plan of Actions and Milestones (POA&M) to remediate vulnerabilities.
OIG Analysis:
The agency did not provide an updated response pertaining to Recommendations 3b and 3d.
On September 20, 2023, the agency provided the following response:
DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and a process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.
- b. DNFSB will review existing policies and procedures against the recommendation in NIST SP 800-55 Rev. 2 and make any updates by Q2 FY 2024.
- d. DNFSB will update its Risk Management Framework Handbook and its Continuous Monitoring Policies and Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024.
Recommendation 3 (continued):

The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendations 3a and 3c. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address Recommendations 3a through 3d during its FY25 FISMA audit.
Status:
Open: Resolved
Recommendation 9:
Implement automated mechanisms (e.g., machine-based, or user-based enforcement) to support the management of privileged accounts, including for the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
OIG Analysis:
The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.
Status:
Open: Resolved
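The kind of automated check Recommendation 9 asks for, shown as an added example that is not DNFSB's code or part of the original memo: it evaluates a privileged-account inventory and returns the accounts that policy says should be disabled, distinguishing expired temporary and emergency accounts from inactive ones. The inventory format, the 45-day inactivity threshold, and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVE_DAYS = 45  # assumed threshold; the real value comes from agency policy

@dataclass
class Account:
    name: str
    privileged: bool
    kind: str                           # "standard", "temporary" or "emergency"
    enabled: bool
    last_logon: Optional[datetime]
    expires: Optional[datetime] = None  # temporary/emergency accounts carry an expiry

def disable_reasons(acct: Account, now: datetime) -> list:
    """Policy reasons an enabled privileged account should be disabled (empty if none)."""
    reasons = []
    if not (acct.privileged and acct.enabled):
        return reasons                  # non-privileged or already disabled: out of scope
    if acct.kind in ("temporary", "emergency"):
        if acct.expires is None:
            reasons.append(f"{acct.kind} account has no expiry date")
        elif acct.expires <= now:
            reasons.append(f"{acct.kind} account expired {acct.expires:%Y-%m-%d}")
    # Break-glass (emergency) accounts are expected to sit idle, so the
    # inactivity rule applies only to standard and temporary accounts.
    if acct.kind != "emergency" and (
        acct.last_logon is None or now - acct.last_logon > timedelta(days=INACTIVE_DAYS)
    ):
        reasons.append(f"no logon in the last {INACTIVE_DAYS} days")
    return reasons

def accounts_to_disable(accounts, now):
    """Map account name -> reasons for every account the policy would disable."""
    return {a.name: r for a in accounts if (r := disable_reasons(a, now))}

# Constructed sample inventory; these are not real DNFSB accounts.
NOW = datetime(2025, 2, 26)
SAMPLE = [
    Account("admin.alice", True, "standard", True, NOW - timedelta(days=3)),
    Account("admin.bob", True, "standard", True, NOW - timedelta(days=90)),
    Account("tmp.contractor", True, "temporary", True, NOW - timedelta(days=1),
            expires=NOW - timedelta(days=2)),
    Account("breakglass.dc1", True, "emergency", True, None, expires=NOW + timedelta(days=30)),
    Account("jsmith", False, "standard", True, NOW - timedelta(days=200)),
]
FLAGGED = accounts_to_disable(SAMPLE, NOW)  # {"admin.bob": [...], "tmp.contractor": [...]}
```

In a real deployment the returned mapping would feed the directory's disable action and an audit log entry, so that the evidence of automatic removal the recommendation calls for exists for each account.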
Recommendation 11:
Conduct the agency's annual breach response plan exercise plan for FY 2021.
Agency Response Dated February 27, 2025:
DNFSB conducted an annual breach response plan exercise in September 2024. Evidence related to this exercise includes the tabletop exercise plan, after action report, attendance list and other information related to the exercise.
OIG Analysis:
The OIG confirmed that the agency conducted its annual breach response exercise plan. Hence, this recommendation is now closed.
Status:
Closed