ML25113A223

| Field | Value |
|---|---|
| Accession number | ML25113A223 |
| Issue date | 04/23/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Mirela Gavrilas NRC/EDO |
| References | OIG-21-A-05 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: April 23, 2025
TO: Mirela Gavrilas, Acting Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations
SUBJECT:
STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (OIG-21-A-05)
REFERENCE: OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED FEBRUARY 14, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated February 14, 2025.
Recommendations 5, 6, 8, 12, and 13 remain open and resolved. Recommendations 1 through 4, 7, and 9 through 11 were previously closed. Please provide an updated status of the open, resolved recommendations by July 25, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
J. Jolicoeur, OEDO
OIG Liaison Resource
EDO ACS Distribution
Evaluation Report
INDEPENDENT EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020
Status of Recommendations (OIG-21-A-05)

Recommendation 5:
Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the U.S. Nuclear Regulatory Commission (NRC) systems and information.
Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's onboarding procedures prior to these individuals being granted access to the NRC's systems and information.
Agency Response Dated February 14, 2025: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC's systems and information. The clearance waiver process is wholly contained within the NRC's onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance.
Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC's Form 176A, Security Acknowledgment. Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of fiscal year (FY) 2025, third quarter (Q3).
Target Completion Date: FY 2025, Q3
OIG Analysis:
The OIG will close this recommendation after confirming the NRC updated the user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process and that contractors and employees completed the non-disclosure agreements as part of the agency's onboarding procedures prior to being granted access to the NRC's systems and information.
This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 6:
Continue efforts to identify individuals having additional responsibilities for Personal Identifiable Information (PII) or activities involving PII and develop role-based privacy training for them to be completed annually.
Agency Response Dated February 14, 2025: The NRC completed an independent assessment of the Privacy Program in October 2023 and identified training gaps with regard to personnel who have privacy roles requiring role-based training. Since that time, the NRC has created the role-based privacy training content for system managers, privacy custodians, and the Core Management Group (senior executive officers). The NRC is working with the contractors on developing the format of presentation.
Due to project constraints, the new target completion date is the second quarter (Q2) of FY 2025.
Target Completion Date: FY 2025, Q2
OIG Analysis:
The OIG will close this recommendation after confirming the continued efforts of the NRC in identifying individuals who have additional responsibilities for PII or activities involving PII and in developing role-based privacy training for them to complete annually.
Status:
Open: Resolved
Recommendation 8:
Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.
Agency Response Dated February 14, 2025: Due to constraints outlined by the National Treasury Employees Union (NTEU), the NRC is unable to implement a technical capability specifically to restrict NRC network access for the Federal employees. However, the agency has implemented a technical capability to restrict NRC network access for contractors who do not complete the annual security awareness training and their assigned role-based security training. In addition, the NRC has reviewed and updated the organizationally defined timeframe for the completion of security training in NRC Management Directive 12.5, NRC Cybersecurity Program. The revised guidance (Agencywide Documents Access and Management System Accession No. ML24198A139) specifies NRC employees shall receive an initial cybersecurity awareness briefing. All NRC authenticated users (employees and contractors) are required to take the Computer Security Awareness course within 20 business days of obtaining access to NRC systems, and annually thereafter.
Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis:
The OIG reviewed and confirmed the updated defined timeframe for the completion of security training in the NRC Management Directive 12.5, NRC Cybersecurity Program.
However, the OIG will close this recommendation after reviewing and confirming evidence that the NRC implemented the technical capability to restrict NRC network access for contractors who have not completed the annual security awareness training, their assigned role-based security training, and a documented risk acceptance form or risk-based decision regarding non-restriction of NRC employee network access related to training requirements due to NTEU constraints. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 12:
Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.
Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The new target completion date is the fourth quarter (Q4) of FY 2025.
Target Completion Date: FY 2025, Q4
OIG Analysis:
The OIG will close this recommendation after reviewing the evidence that demonstrates and confirms the NRC integrated metrics for measuring the effectiveness of information system contingency plans and its relation to other plans such as the organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. This recommendation remains open and resolved.
Status:
Open: Resolved
Recommendation 13:
Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with information and communication technology (ICT) supply chain providers and implement an automated mechanism to test system contingency plans.
Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify candidates for automated testing. Based on that analysis, if automated testing is feasible and cost effective, then the NRC will develop plans to implement those measures and coordinate with all associated ICT supply chain providers.
The new target completion date is FY 2025, Q2.
Target Completion Date: FY 2025, Q2
OIG Analysis:
The OIG will close this recommendation after confirming that the NRC implemented automated mechanisms to test system contingency plans, then updated and implemented procedures to coordinate contingency plan testing with ICT supply chain providers. This recommendation remains open and resolved.
Status:
Open: Resolved