ML25213A064
| Person / Time | |
|---|---|
| Issue date: | 07/31/2025 |
| From: | Virkar H NRC/OIG |
| To: | Buhler M NRC/EDO |
| References: | DNFSB-20-A-05 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: July 31, 2025
TO: Mary J. Buhler, Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019 (DNFSB-20-A-05)
REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, MEMORANDUM DATED JULY 15, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations, as discussed in the agency's response dated July 15, 2025. Based on this response, recommendation 11 is now closed. Recommendations 1, 2, 3.a, and 4 through 10 were previously closed. Recommendation 3.b through 3.d remains open and resolved. Please provide an updated status of the open, resolved recommendations by January 30, 2026.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: K. Herrera, DEDO
    J. Biggins, DEDRS
    G. Garvin, DEDRS
Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2019
Status of Recommendations (DNFSB-20-A-05)

Recommendation 3:
Using the results of recommendations one (1) and two (2) above:
- b. Collaborate with Defense Nuclear Facilities Safety Board (DNFSB) Cybersecurity Team Support to establish performance metrics in service level agreements (SLA) to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team.
- c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
- d. Implement a centralized view of risk across the organization.
Agency Response:
[During the fieldwork phase of the Audit of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year (FY) 2025, the DNFSB provided the following updated status:]
The DNFSB continues to work toward closure. It has established SLA metrics but is currently in the process of refining these metrics. The DNFSB is also in the process of establishing an enterprise risk management program, which will provide a centralized view of risk across the organization. The Directive and operating procedure are currently under review by management.
Estimated Target Completion Date: FY 2025

OIG Analysis:
The OIG will close this recommendation after confirming that the agency has established performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team. Additionally, the OIG will verify evidence that demonstrates the agency has established performance metrics to manage and optimize all domains of its information security program more effectively and has implemented a centralized view of risk across the organization.
Status:
Open: Resolved
Recommendation 11:
Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address Information and Communication Technology supply chain risk.
Agency Response Dated July 15, 2025:
Key Supporting Documentation was provided to the Auditor.
DNFSB requests closure of this recommendation, based on the status update and documentation provided above.
OIG Analysis:
During the fieldwork phase of the Audit of the DNFSB's Implementation of FISMA for FY 2025, the OIG and its contractors inspected DNFSB's General Support System Contingency Plan, Supply Chain Strategic Plan, and Supply Chain Risk Management Operating Procedure, and noted that the contingency plan references the supply chain risk management plans and procedures. We noted that the DNFSB discusses supply chain risk management in the Supply Chain Strategic Plan and Supply Chain Risk Management Operating Procedure. This recommendation is now closed.
Status:
Closed