Text

.

MEMORANDUM TO:

Russell Vought, Director Office of Management and Budget FROM:

Jonathan R. Feibus Senior Agency Official for Privacy IT Services Development and Operations Division Office of the Chief Information Officer

SUBJECT:

THE U.S. NUCLEAR REGULATORY COMMISSIONS FISCAL YEAR 2025 PRIVACY PROGRAM Consistent with Office of Management and Budget (OMB) Memorandum M-25-04, Fiscal Year 2025 Guidance on Federal Information Security and Privacy Management Requirements, dated December 4, 2023, this memorandum describes the changes made to the U.S. Nuclear Regulatory Commissions (NRCs) Privacy Program during fiscal year (FY) 2025, including changes in leadership, staffing structure, and organization.

The NRC continues to maintain an effective Privacy Program and strives to actively enhance the program by developing and implementing measures to ensure the proper use and protection of personally identifiable information in accordance with statutory mandates and to properly safeguard the privacy of individuals.

In FY 2025, the NRC launched a role-based privacy training curriculum for System Managers, System Owners, and Privacy Custodians, and achieved a 99 percent completion rate. The agency updated key program documents, including the Privacy Program Plan, Breach Notification Plan, and Privacy Impact Assessment templates, and performed an independent assessment of the Privacy Program and found no weaknesses in the Privacy Program. The NRC also coordinated with credit monitoring contract support to enhance incident response procedures, developed new routine uses and guidance under Executive Orders 14243 and 14249, and enhanced security over external sharing requests through transition from the BOX content management platform to Microsoft SharePoint External Sharing.

Pursuant to the NRCs Management Directive 3.2, Privacy Act, dated November 15, 2021, the Chief Information Officer has delegated the authorities and responsibilities of the Senior Agency Official for Privacy (SAOP) to the acting division director of the IT Services Development and Operations Division (SDOD) in the Office of the Chief Information Officer (OCIO). As SAOP, CONTACT: Sally Hardy, Privacy Officer (301) 415-5607 November 20, 2025 Signed by Feibus, Jonathan on 09/30/25

R. Vought 2

the SDOD division director has the overall responsibility and accountability for ensuring the NRCs implementation of information privacy protections, including the agencys full compliance with Federal laws, regulations, and policies relating to information privacy. The SAOP designates the Privacy Officer, the official responsible for implementing and administering the Privacy Program, in accordance with NRC regulations.

Below is the list of current staff supporting the Privacy Program of the FY 2025 reporting period, and reflecting recent organizational changes:

OCIO, Senior Agency Official for Privacy, Jonathan Feibus OCIO, Cyber and Information Security Division, Acting Division Director, Garo Nalabandian OCIO, Cyber and Information Security Division, Acting Chief Information Security Officer, Garo Nalabandian OCIO, Cyber and Information Security Division, Acting Deputy Director, Kathryn (Katie) Harris OCIO, Cyber and Information Security Division, Information Assurance and Oversight Branch, Acting Branch Chief, Sean Ray OCIO, Cyber and Information Security Division, Privacy Officer, Sally A. Hardy OCIO, Cyber and Information Security Division, Security Operations Branch, Acting Branch Chief, James Peyton OCIO, Cyber and Information Security Division, Security Engineering and Operations Team, Senior Information Technology Specialist, Yael Camacho