ML25167A041

DNFSB-20-A-05 Status of Recommendations: Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019, Dated June 10, 2025
Person / Time
Issue date: 06/10/2025
From: Virkar H
NRC/OIG/AIGA
To: Buhler M
NRC/EDO
References
DNFSB-20-A-05


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: June 10, 2025

TO: Mary J. Buhler, Executive Director of Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (DNFSB-20-A-05)

REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, EMAIL CORRESPONDENCE DATED JUNE 2, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations based on the email correspondence dated June 2, 2025. Based on this response, recommendation 5 is now closed. Recommendations 1, 2, 3a, 4, and 6-10 were previously closed. Recommendations 3b-d and 11 remain open and resolved.

Please provide an updated status of the open, resolved recommendations by December 5, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: K. Herrera, DEDO
J. Biggins, DEDRS
G. Garvin, DEDRS

Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019, Status of Recommendations (DNFSB-20-A-05)

Recommendation 3:

Using the results of recommendations one (1) and two (2) above:

b. Collaborate with Defense Nuclear Facilities Safety Board (DNFSB) Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.

Agency Response Dated June 2, 2025:

As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendations 3b, 3c, and 3d.

However, the agency provided an update to the target completion date.

Estimated Target Completion Date: Fiscal Year (FY) 2025

OIG Analysis:

The OIG will close this recommendation after confirming that the agency has established performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team. Additionally, the OIG will verify evidence that demonstrates the agency has established performance metrics to manage and optimize all domains of the agency's information security program more effectively and has implemented a centralized view of risk across the organization.

Status:

Open: Resolved

Recommendation 5:

Management should reinforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management (CM) Plan by defining consequences for not following these procedures and conducting remedial training as necessary.

Agency Response Dated June 2, 2025:

The DNFSB has revised its CM Plan to include a requirement for remedial training and consequences for failure to follow the appropriate processes. This document is currently under review. Key supporting documentation was provided to the Auditor. DNFSB requests closure of this recommendation, based on the status update and documentation provided.

OIG Analysis:

During the fieldwork phase of the Audit of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years' outstanding FISMA recommendations. The OIG verified that the DNFSB has revised its CM Plan to include a requirement for remedial training and consequences for failure to follow the appropriate processes.

The CM Operating Procedure and CM Plan identify that the DNFSB has incorporated requirements for remedial training.

The agency's corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.

Status:

Closed

Recommendation 11:

Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address Information and Communication Technology (ICT) supply chain risk.

Agency Response Dated June 2, 2025:

As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendation 11. However, the agency provided an update to the target completion date.

Estimated Target Completion Date: FY 2025, Quarter 4

OIG Analysis:

The OIG will close this recommendation after confirming that the agency has updated its contingency planning policies and procedures to address ICT supply chain risk based on the results of the agency's supply chain risk assessment.

Status:

Open: Resolved