ML25090A267

| Field | Value |
|---|---|
| Issue date | 03/31/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Buhler M NRC/EDO |
| References | DNFSB-20-A-05 |
| Download | ML25090A267 (1) |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: March 31, 2025

TO: Mary J. Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (DNFSB-20-A-05)

REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, MEETING DATED FEBRUARY 26, 2025, AND EMAIL CORRESPONDENCE DATED FEBRUARY 27, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in a meeting between the OIG and the DNFSB on February 26, 2025, and the DNFSB's email correspondence dated February 27, 2025.
Based on this response, recommendation 8 is now closed. Recommendations 1, 2, 3a, 4, 6, 7, 9, and 10 were previously closed. Recommendations 3b-d, 5, and 11 remain open and resolved. Please provide an updated status of the open, resolved recommendations by July 11, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: K. Herrera, DEDO
    J. Biggins, DEDRS
    G. Garvin, DEDRS
Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019
Status of Recommendations (DNFSB-20-A-05)

Recommendation 3:
Using the results of recommendations one (1) and two (2) above:
- b. Collaborate with Defense Nuclear Facilities Safety Board (DNFSB) Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
- c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
- d. Implement a centralized view of risk across the organization.
OIG Analysis:
DNFSB did not provide an updated response pertaining to recommendation 3b and 3c.
On September 20, 2023, the agency provided the following response:
- b. DNFSB needs clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
- c. DNFSB needs more clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
The OIG clarified on November 01, 2023, that subsection b of this recommendation will require the DNFSB to provide evidence of established performance metrics in service level agreements for the contractor systems and services monitored by Information Technology (IT) Operations.
Subsection c of this recommendation will require the DNFSB to utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55, Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
The DNFSB met with OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 3d. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.
Status:
Open: Resolved
Recommendation 5:
Management should reinforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.
OIG Analysis:
The DNFSB met with OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.
Status:
Open: Resolved
Recommendation 8:
Continue efforts to meet milestones of the DNFSB Identity, Credential, and Access Management (ICAM) Strategy necessary for fully transitioning to DNFSB's "to-be" ICAM architecture.
Agency Response Dated February 27, 2025:
The DNFSB published its Enterprise Architecture, which includes the agency's "to-be" ICAM architecture, in December 2024 and published OP 411.1-7, Identification and Authentication Operating Procedures, in September 2024.
OIG Analysis:
The OIG confirmed that the agency has met the milestones of the DNFSB ICAM Strategy necessary for fully transitioning to DNFSB's "to-be" ICAM architecture. Hence, this recommendation is now closed.
Status:
Closed
Recommendation 11:
Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address Information and Communication Technology (ICT) supply chain risk.
OIG Analysis:
The DNFSB did not provide an updated response.
On September 20, 2023, the agency provided the following response:
Supply Chain Risk, including ICT, will be addressed in an upcoming Supply Chain Risk Management Program Operating Procedure. The estimated completion is Q4 FY 2023.
The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.
Status:
Open: Resolved