ML25273A282

| Person / Time | |
|---|---|
| Issue date: | 09/30/2025 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mark King NRC/EDO |
| References: | OIG-NRC-25-A-14 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: September 30, 2025
TO: Michael F. King, Acting Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2025 (OIG-NRC-25-A-14)
The Office of the Inspector General (OIG) contracted with Sikich CPA LLC (Sikich) to conduct the Performance Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025. Attached is Sikich's final report on the audit. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission (NRC). The findings and conclusions presented in this report are Sikich's responsibility. The OIG's responsibility was to oversee the contractor's work in accordance with generally accepted government auditing standards.
Based on its assessment for the period of October 1, 2024, through June 30, 2025, Sikich found that although the NRC established an effective agency-wide information security program and practices, there were weaknesses that may impact the agency's ability to protect the NRC's systems and information optimally.
Please provide information on actions taken or planned on each of the recommendations within 30 calendar days of the date of this report. Actions taken or planned are subject to OIG follow-up as stated in Management Directive 6.1.
We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO_ACS Distribution
PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2025

SUBMITTED TO THE OFFICE OF THE INSPECTOR GENERAL FOR THE U.S. NUCLEAR REGULATORY COMMISSION

PERFORMANCE AUDIT REPORT
SEPTEMBER 30, 2025

September 30, 2025

The Honorable Robert J. Feitel
Inspector General
U.S. Nuclear Regulatory Commission and Defense Nuclear Facilities Safety Board
Dear Mr. Feitel:
Sikich CPA LLC (Sikich) is pleased to submit the attached report detailing the results of our performance audit of the U.S. Nuclear Regulatory Commission's (NRC's) information security program and practices for Fiscal Year (FY) 2025 in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). FISMA requires federal agencies, including the NRC, to perform an annual independent evaluation of their information security program and practices. FISMA states that the evaluation is to be performed by the agency's Inspector General (IG) or by an independent external auditor as determined by the IG. The Office of the Inspector General for the NRC engaged Sikich to conduct this performance audit.
The audit covered the period from October 1, 2024, through June 30, 2025. We performed the work from January through June 2025.
We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We describe our objective, scope, and methodology in Appendix B: Objective, Scope, and Methodology.
We appreciate the assistance provided by NRC management and staff.
U.S. Nuclear Regulatory Commission | Audit of the NRC's Implementation of FISMA | Performance Audit Report | i
TABLE OF CONTENTS

I. EXECUTIVE SUMMARY (p. 1)
II. AUDIT RESULTS (p. 3)
  SECURITY FUNCTION: GOVERN (p. 3)
  FINDING 1: THE NRC HAS NOT DEVELOPED CSF 2.0 PROFILES (p. 4)
  FINDING 2: THE NRC DID NOT COLLECT SOFTWARE SELF-ATTESTATION FORMS FOR ALL SOFTWARE (p. 5)
  SECURITY FUNCTION: IDENTIFY (p. 7)
  SECURITY FUNCTION: PROTECT (p. 8)
  SECURITY FUNCTION: DETECT (p. 9)
  SECURITY FUNCTION: RESPOND (p. 10)
  SECURITY FUNCTION: RECOVER (p. 10)
APPENDIX A: BACKGROUND (p. 12)
APPENDIX B: OBJECTIVE, SCOPE, AND METHODOLOGY (p. 14)
APPENDIX C: STATUS OF PRIOR-YEAR RECOMMENDATIONS (p. 17)
APPENDIX D: MANAGEMENT RESPONSE (p. 28)
I. EXECUTIVE SUMMARY
The Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. FISMA also requires agency Inspectors General (IGs) to assess the effectiveness of their agency's information security program and practices. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have issued guidance for federal agencies to follow. In addition, NIST issued the Federal Information Processing Standards to establish agency baseline security requirements.
The Office of the Inspector General (OIG) for the U.S. Nuclear Regulatory Commission (NRC) engaged Sikich CPA LLC (Sikich) to conduct a performance audit in support of the FISMA requirement for an annual independent evaluation of the NRC's information security program and practices. The objective of this performance audit was to assess the effectiveness of the NRC's information security policies, procedures, and practices.
The OMB and the Department of Homeland Security (DHS) annually provide federal agencies and IGs with instructions for preparing FISMA reports. On January 15, 2025, the OMB issued Memorandum M-25-04, Fiscal Year 2025 Guidance on Federal Information Security and Privacy Management Requirements.[1] This memorandum provides reporting guidance for Fiscal Year (FY) 2025 in accordance with FISMA. Each year, IGs are required to complete the IG FISMA Reporting Metrics to assess the effectiveness of their agency's information security program and practices. The OMB, the Council of the Inspectors General on Integrity and Efficiency (CIGIE), and other stakeholders collaborated to develop the FY 2025 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics v2.0 (FY 2025 IG FISMA Reporting Metrics).[2] The FY 2025 IG FISMA Reporting Metrics require us to assess the maturity of six function areas in the agency's information security program and practices. For this year's review, the FY 2025 IG FISMA Reporting Metrics required IGs to assess 20 core[3] and 5 supplemental[4] IG FISMA Reporting Metrics across 6 function areas (Govern,[5] Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agency's information security program and the maturity level of each function area. The maturity levels are Level 1: Ad Hoc, Level 2: Defined, Level 3: Consistently Implemented, Level 4: Managed and Measurable, and Level 5: Optimized.
To be considered effective, an agency's information security program must be rated Level 4: Managed and Measurable or higher. See Appendix A for background information on the FISMA reporting requirements.
[1] See OMB M-25-04 online here.
[2] See the FY 2025 IG FISMA Reporting Metrics online here.
[3] Core metrics are assessed annually and represent a combination of administration priorities, high-impact security processes, and essential functions necessary to determine the effectiveness of a security program. The core metrics can be found in the FY 2025 IG FISMA Reporting Metrics online here.
[4] Supplemental metrics are assessed at least once every 2 years; they represent important activities conducted by security programs and contribute to the overall evaluation and determination of the effectiveness of the security program. The supplemental metrics can be found in the FY 2025 IG FISMA Reporting Metrics online here.
[5] In February 2024, NIST published the NIST Cybersecurity Framework (CSF) 2.0, highlighting the critical role that governance plays in managing cybersecurity risks and incorporating cybersecurity into an entity's enterprise risk management strategy. As such, the FY 2025 IG FISMA Reporting Metrics added a new IG FISMA function (Govern) that includes a new domain (Cybersecurity Governance) to align with CSF 2.0.
For this audit, Sikich reviewed selected controls from NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, supporting the FY 2025 IG FISMA Reporting Metrics, for a sample of 3 out of 15 information systems[6] in the NRC's FISMA reportable system inventory as of January 29, 2025. The audit covered the period from October 1, 2024, through June 30, 2025. We performed the audit fieldwork from January to June 2025.
We concluded that the NRC has implemented effective information security policies, procedures, and practices. Specifically, the NRC achieved an overall maturity of Level 4: Managed and Measurable. Table 1 below summarizes the overall maturity levels for each Cybersecurity Framework (CSF) function and domain in the FY 2025 IG FISMA Reporting Metrics. We determined that two CSF functions achieved a Level 5: Optimized maturity level, three CSF functions achieved a Level 4: Managed and Measurable maturity level, and one CSF function achieved a Level 3: Consistently Implemented maturity level. To be considered effective, the NRC's information security program must be rated Level 4: Managed and Measurable.
Table 1: Maturity Levels for FY 2025 IG FISMA Reporting Metrics

| Cybersecurity Framework Function[7] | Maturity Level by Function | Domain | Maturity Level by Domain |
|---|---|---|---|
| Govern | Level 3: Consistently Implemented | Cybersecurity Governance | Level 4: Managed and Measurable |
| | | Cybersecurity Supply Chain Risk Management | Level 2: Defined |
| Identify | Level 4: Managed and Measurable | Risk and Asset Management | Level 4: Managed and Measurable |
| Protect | Level 4: Managed and Measurable | Configuration Management | Level 2: Defined |
| | | Identity and Access Management | Level 4: Managed and Measurable |
| | | Data Protection and Privacy | Level 5: Optimized |
| | | Security Training | Level 5: Optimized |
| Detect | Level 4: Managed and Measurable | Information Security Continuous Monitoring | Level 4: Managed and Measurable |
| Respond | Level 5: Optimized | Incident Response | Level 5: Optimized |
| Recover | Level 5: Optimized | Contingency Planning | Level 5: Optimized |
| Overall | Level 4: Managed and Measurable (Effective) | | |

Source: Sikich's assessment of the NRC's information security program controls and practices based on the FY 2025 IG FISMA Reporting Metrics.
We found that the NRC established a number of information security program controls and practices that were consistent with FISMA requirements, OMB policy and guidelines, and applicable NIST standards and guidelines. For example, the NRC:

- Demonstrated progress in implementing Event Logging (EL) requirements.
- Maintained an effective continuous monitoring program, including periodic security control assessments, dashboards for tracking risk posture, and metrics for situational awareness.
[6] According to the NIST Glossary, an information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
[7] See Appendix A, Tables 2 and 3, for the definitions and explanations of the CSF functions and domains and the IG FISMA Reporting Metrics maturity levels, respectively.
- Maintained an effective incident response program that utilizes both qualitative and quantitative performance measures for data-driven decision making on incident handling.
- Demonstrated progress in employing automated mechanisms to enhance the testing of system contingency plans and in coordinating testing efforts with external stakeholders.

Notwithstanding these actions, this report describes security control weaknesses that reduced the effectiveness of the NRC's information security program and practices, as follows:

- The NRC Has Not Developed CSF 2.0 Profiles (Finding 1: Govern Function - Cybersecurity Governance Domain).
- The NRC Did Not Collect Software Self-Attestation Forms For All Software (Finding 2: Govern Function - Cybersecurity Supply Chain Risk Management Domain).
In addition, the NRC has outstanding prior-year recommendations that impact the IG FISMA Reporting Metrics. Specifically, at the beginning of FY 2025, the NRC had 25 open recommendations from prior FISMA evaluations and audits dating from 2019 through 2024.
During our FY 2025 audit, we determined that the NRC took corrective actions to address 20 of these recommendations, and we consider those recommendations closed. Corrective actions are in progress for the five recommendations that remain open.[8] As a result of the weaknesses noted in this audit, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, five prior-year recommendations remain open.[9]

The following section provides a detailed discussion of the audit results. Appendix A provides background information on FISMA. Appendix B describes the audit objective, scope, and methodology. Appendix C provides the status of prior-year recommendations. Appendix D includes management's response.

II. AUDIT RESULTS

The following section of the report describes the key controls underlying each function and domain and our assessment of the NRC's implementation of those controls. We have organized our conclusions and ratings by function area and domain to help orient the reader to deficiencies as categorized by NIST CSF 2.0.

Security Function: Govern

The objective of the Govern Function is to establish, communicate, and monitor an organization's cybersecurity risk management strategy, expectations, and policy. We determined that the maturity level of the NRC's Govern function is Level 3: Consistently Implemented.
Cybersecurity Governance

An agency with an effective cybersecurity governance program (1) monitors and reports on its progress in reaching target profiles and refines its organizational profiles periodically based on known risk exposure; (2) uses qualitative and quantitative data to assess the effectiveness of its cybersecurity risk management and integrates the cybersecurity risk management program into the organization's enterprise risk management strategy; and (3) ensures that it has allocated adequate resources commensurate with cybersecurity responsibilities and uses qualitative and quantitative performance measures on the effectiveness of cybersecurity risk management roles.

[8] See Appendix C for the status of prior-year recommendations.
[9] See Appendix C for the status of prior-year recommendations.

We determined that the maturity level of the NRC's Cybersecurity Governance domain is Level 4: Managed and Measurable. We identified a weakness in the NRC's Cybersecurity Governance domain related to developing CSF profiles (refer to Finding 1 below).

Finding 1: The NRC Has Not Developed CSF 2.0 Profiles

The NRC has not adopted NIST CSF 2.0 (February 26, 2024),[10] including guidance for activities such as developing and maintaining both current and target cybersecurity profile(s).[11] NRC management stated that due to resource availability constraints and information technology (IT) focus area prioritization, the NRC has delayed the full implementation of CSF 2.0 and the corresponding updates to the Information Security Architecture (ISA). In addition, NRC management noted that the NRC has made significant cybersecurity improvements over the past several years, aligning strongly with the focus areas of CSF 2.0 (e.g., enterprise scope of solutions, continuous security control implementation). As efforts to update the ISA continue, the NRC is reassessing timelines for implementation and the need to incorporate additional updates due to recently released federal guidance or directives. As a result, the NRC is in the process of implementing key CSF 2.0 requirements such as the development and maintenance of current and target CSF profiles.
Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), states:
Each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework)[12] developed by NIST, or any successor document, to manage the agency's cybersecurity risk.
The absence of current and target CSF profiles increases the risk that the NRC may not appropriately plan for or address cybersecurity risks. It may also increase the risk that a bad actor exploits vulnerabilities, leading to breaches and system interruptions.
Recommendation 1: We recommend that the NRC complete the implementation of CSF 2.0 requirements, and develop and maintain current and target CSF profiles that anticipate changes in the NRC's cybersecurity posture.
[10] See NIST CSF 2.0 online here.
[11] NIST CSF 2.0 (February 26, 2024) provides guidance to assist with managing cybersecurity risks. Section 3.1 offers guidance on the use of cybersecurity profiles to understand, tailor, assess, prioritize, and communicate cybersecurity objectives. A CSF Organizational Profile describes an organization's current and/or target cybersecurity posture in terms of the CSF core's outcomes. The CSF core is a taxonomy of high-level cybersecurity outcomes that can help organizations manage their cybersecurity risks. The CSF core components are a hierarchy of functions, categories, and subcategories that detail each outcome.
[12] Before version 2.0, the Cybersecurity Framework was called the Framework for Improving Critical Infrastructure Cybersecurity. This title is not used for NIST CSF 2.0.
Cybersecurity Supply Chain Risk Management

An agency with an effective cybersecurity supply chain risk management program (1) reports qualitative and quantitative performance measures on the effectiveness of its supply chain risk management program, and (2) has incorporated supplier risk evaluations into its continuous monitoring practices.
We determined that the maturity level of the NRC's Cybersecurity Supply Chain Risk Management domain is Level 2: Defined. Specifically, we noted improvements in the NRC's Cybersecurity Supply Chain Risk Management domain such as ensuring policies, procedures, and processes are implemented for assessing and reviewing the supply chain-related risks associated with suppliers or contractors.
However, we identified a new weakness in this domain related to collecting software self-attestation forms from software providers (refer to Finding 2 below). Further, we noted that the NRC has one open prior-year recommendation[13] related to developing and implementing role-based training for those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Finding 2: The NRC Did Not Collect Software Self-Attestation Forms For All Software

The NRC did not collect the DHS Cybersecurity and Infrastructure Agency (CISA) Secure Software Development Attestation Forms[14] for all of the software end products that it used, as required by OMB Memorandum M-23-16, Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (June 9, 2023). Specifically, we reviewed the NRC's EO-Critical Software[15] inventory and found that the NRC did not obtain completed software self-attestation forms from 27 out of 66 software producers. In addition, the NRC did not request an extension or a waiver from the OMB in accordance with OMB Memorandum M-23-16.
NRC management noted that the NRC has been unable to obtain evidence of compliance with the NIST Secure Software Development Framework (SSDF) in the form of self-attestation letters or applicable Plan of Actions and Milestones (POA&Ms) for the software producers. As a result, NRC management opened a POA&M on September 20, 2024, to track the weakness that the NRC has not collected all attestation letters from vendors for Critical Software as requested in OMB M-22-18.
NRC management informed us that on June 6, 2025, EO Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending EO 13694 and EO 14144, struck subsections (a) and (b) of EO 14144, Strengthening and Promoting Innovation in the Nation's Cybersecurity (January 16, 2025), which mandated that the OMB require agencies to use only software from producers that attest to secure software development practices. However, the EO does not remove the requirement to collect self-attestations as described in EO 14028, Improving the Nation's Cybersecurity (May 12, 2021), subsection (4)(e) on enhancing supply chain security. Further, the EO does not rescind related requirements from OMB Memoranda M-23-16 and M-22-18, the CISA Secure Software Development Attestation Form Instructions, or NIST guidance regarding EO-critical software and software supply chain security under EO 14028.

[13] Recommendation 8, Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (Report No. OIG-22-A-04, December 20, 2021). See Appendix C for additional information regarding this prior-year recommendation.
[14] The DHS CISA Secure Software Development Attestation Form Instructions indicate that the self-attestation form identifies the minimum secure software development requirements a software producer must meet, and attest to meeting, before federal agencies may use software subject to the requirements of OMB Memoranda M-22-18 and M-23-16. Software producers use this form to attest that they developed their software in conformity with specified secure software development practices.
[15] Per the NIST Definition of Critical Software Under EO 14028 (October 13, 2021) found here: EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes: is designed to run with elevated privilege or manage privileges; has direct or privileged access to networking or computing resources; is designed to control access to data or operational technology; performs a function critical to trust; or operates outside of normal trust boundaries with privileged access.
OMB Memorandum M-23-16, Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (June 9, 2023), states:
EO 14028, Improving the Nation's Cybersecurity (May 12, 2021), focuses on the security and integrity of the software supply chain and emphasizes the importance of secure software development environments. The EO directs agencies to take a variety of actions that enhance the security of the software supply chain. In accordance with the EO, NIST has released the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance (hereinafter, referred to collectively as NIST Guidance). OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-22-18) (September 14, 2022), requires agencies to comply with that NIST Guidance.
Pursuant to M-22-18, agencies must only use software that is provided by software producers who can attest to complying with Government-specified minimum secure software development practices.
This memorandum reinforces the requirements established in M-22-18, reaffirms the importance of secure software development practices, and extends the timelines for agencies to collect attestations from software producers. Additionally, this memorandum provides supplemental guidance on the scope of M-22-18's requirements and on agencies' use of plan of actions and milestones (POA&Ms) when a software producer cannot provide the required attestation, but plans to do so. To the extent any provision of this memorandum may be read to conflict with any provision of M-22-18, this memorandum is controlling.
Further, OMB Memorandum M-23-16 contains the following requirements:
- Consistent with EO 14028,[16] agencies must collect attestations from the producers of software end products the agency uses because the producer of that end product is best positioned to ensure the security of the product.
- If a software producer cannot attest to one or more practices identified in the attestation form, an agency may still use the software if the producer identifies the practices to which it cannot attest, documents practices it has in place to mitigate associated risks, and submits a satisfactory POA&M.
- The producer of a given software application must identify the practices to which it cannot attest, document practices it has in place to mitigate the associated risks, and submit a POA&M to the agency. If the agency finds the documentation satisfactory, it may continue using the software but must concurrently seek an extension of the deadline for attestation from the OMB. Extension requests submitted to the OMB must include a copy of the software producer's POA&M.

[16] NIST Software Supply Chain Security Guidance Under Executive Order (EO) 14028, Section 4e (February 4, 2022) can be found here.
Without Secure Software Development Attestation Forms, or POA&Ms for secure software practices to which the software producers cannot attest, the NRC cannot ensure that the software it uses complies with NIST's specified secure software development practices. As such, the NRC may be at an increased risk of using less-secure software that may expose its systems and networks to vulnerabilities and exploits by bad actors.
In addition, without requesting an extension or a waiver from the OMB and documenting a plan for mitigating any potential risk of noncompliance with the OMB's current software self-attestation requirements, the NRC is not in full compliance with the current OMB Memorandum M-23-16 requirements and the related EO 14028 requirements regarding software self-attestation.
Recommendation 2: We recommend that the NRC coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the NRC is unable to obtain the self-attestation forms, it should request POA&Ms from the software producers and submit them to the OMB, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.
Recommendation 3: We recommend that the NRC request an extension or a waiver from the OMB for continued use of the producer's software when a self-attestation is not provided, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.
Security Function: Identify

The objective of the Identify Function is to ensure that the organization understands its cybersecurity risks. We determined that the maturity level of the NRC's Identify function is Level 4: Managed and Measurable.

Risk and Asset Management

An agency with an effective risk and asset management program maintains an accurate inventory of information systems, hardware assets, and software assets; consistently implements its risk management policies, procedures, plans, and strategy at all levels of the organization; and monitors, analyzes, and reports qualitative and quantitative performance measures on the effectiveness of its risk and asset management program.
We determined that the maturity level of the NRC's Risk and Asset Management domain is Level 4: Managed and Measurable. The NRC demonstrated strengths in this area by employing automation to help track hardware and software assets and by maximizing the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of steps associated with the risk management framework. The NRC has also developed policies and procedures, created initial inventories of data, and is working on tools and related processes to develop its metadata inventory to meet the FY 2026 deadlines mandated by OMB Memorandum M-25-05, Phase 2 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Open Government Data Access and Management Guidance (January 15, 2025).[17]

Security Function: Protect

The objective of the Protect Function is to ensure that organizations use safeguards to manage their cybersecurity risks. We determined that the maturity level of the NRC's Protect function is Level 4: Managed and Measurable.

Configuration Management

An agency with an effective configuration management program employs automation to maintain an accurate view of the security configurations for all information system components connected to the agency's network; centrally manages its flaw remediation process; and monitors, analyzes, and reports qualitative and quantitative performance measures on the effectiveness of its configuration management program.
We determined that the maturity level of the NRC's Configuration Management domain is Level 2: Defined. We noted that while the NRC has shown some improvements in its vulnerability management program by implementing a process to manage the remediation of aged vulnerabilities through the POA&M process on a case-by-case basis, the NRC continues to have numerous ongoing POA&Ms related to remediating aged vulnerabilities for in-scope systems.

Identity and Access Management

An agency with an effective identity and access management program ensures that all privileged and non-privileged users employ strong authentication for accessing organizational systems and uses automated mechanisms to assist in managing privileged accounts.
We determined that the maturity level of the NRC's Identity and Access Management domain is Level 4: Managed and Measurable. The NRC demonstrated strengths in this area by achieving intermediate event logging requirements in accordance with OMB Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021), and by continuing to onboard systems to its single sign-on solution.
However, we found that the NRC has an opportunity to improve its Identity and Access Management program by completing the implementation of two open prior-year recommendations in this area. Specifically, one recommendation18 is related to the implementation of advanced event logging requirements in accordance with OMB Memorandum M-21-31, necessary to meet Level 5: Optimized criteria. The other recommendation19 is related to the implementation of a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting. Although this prior-year recommendation remains open, the FY 2025 IG FISMA Reporting Metrics did not rely on this control to evaluate the identity and access management domain.
17 OMB Memorandum M-25-05, Phase 2 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Open Government Data Access and Management Guidance, defines metadata as structural or descriptive information about data such as content, format, source, rights, accuracy, provenance, frequency, periodicity, granularity, publisher or responsible party, contact information, method of collection, and other descriptions.
18 Recommendation 3, Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023 (Report No. OIG-23-A-10, September 29, 2023). See Appendix C for additional information regarding this prior-year recommendation.
19 Recommendation 1, Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 (Report No. OIG-24-A-11, September 30, 2024). See Appendix C for additional information regarding this prior-year recommendation.
Data Protection and Privacy
An agency with an effective data protection and privacy program maintains the confidentiality, integrity, and availability of its data; is able to assess its security and privacy controls, as well as its breach response capacities; and reports on qualitative and quantitative data protection and privacy performance measures.
We determined that the maturity level of the NRC's Data Protection and Privacy domain is Level 5: Optimized. The NRC demonstrated strengths in this area by developing and implementing a role-based privacy training program and protecting data throughout its life cycle (i.e., at rest, in transit, and through destruction).
Security Training
An agency with an effective security training program identifies and addresses gaps in security knowledge, skills, and abilities through training or talent acquisition.
We determined that the maturity level of the NRC's Security Training domain is Level 5: Optimized. We noted improvements in the NRC's Security Training domain related to enforcing completion of annual security awareness and role-based training and addressing identified knowledge, skills, and abilities gaps in its workforce through training, rotation, or talent acquisition. We also found that the NRC has an opportunity to enhance its Security Training program by completing the implementation of one open prior-year recommendation in this area.20 Although this prior-year recommendation remains open, the FY 2025 IG FISMA Reporting Metrics did not rely on this control to evaluate the security training domain.
Security Function: Detect
The objective of the Detect Function is to ensure that organizations identify and analyze possible cybersecurity attacks and compromises. We determined that the maturity level of the NRC's Detect function is Level 4: Managed and Measurable.
Information Security Continuous Monitoring
An agency with an effective information security continuous monitoring program maintains ongoing authorizations of information systems; uses up-to-date cyber threat intelligence when analyzing logs; automates its inventory collection and anomaly detection to detect unauthorized devices; and consistently collects, monitors, and analyzes qualitative and quantitative performance measures on the effectiveness of its information security continuous monitoring policies, procedures, plans, and strategies.
We determined that the maturity level of the NRC's Information Security Continuous Monitoring domain is Level 4: Managed and Measurable. The NRC demonstrated strengths in the area by implementing advanced information security continuous monitoring technologies for analysis of trends and identification of potentially adverse events and adjusting its information security continuous monitoring processes and security measures accordingly.
20 Recommendation 4, Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 (Report No. OIG-24-A-11, September 30, 2024). See Appendix C for additional information regarding this prior-year recommendation.
Security Function: Respond
The objective of the Respond Function is to ensure that organizations take action regarding a detected cybersecurity incident. We determined that the maturity level of the NRC's Respond function is Level 5: Optimized.
Incident Response
An agency with an effective incident response program:
Uses profiling techniques to measure the characteristics of expected network and system activities so it can more effectively detect security incidents.
Manages and measures the impact of successful incidents.
Uses incident response metrics to measure and manage the timely reporting of incident information to organizational officials and external stakeholders.
Consistently collects, monitors, and analyzes qualitative and quantitative performance measures on the effectiveness of its incident response policies, procedures, plans, and strategies.
Meets event logging maturity requirements.
We determined that the maturity level of the NRC's Incident Response domain is Level 5: Optimized. The NRC has demonstrated improvements in this area by making progress in implementing advanced requirements for event logging.
Security Function: Recover
The objective of the Recover Function is to ensure that organizations restore assets and operations affected by a cybersecurity incident. We determined that the maturity level of the NRC's Recover function is Level 5: Optimized.
Contingency Planning
An agency with an effective contingency planning program ensures that it integrates the results of business impact analyses (BIAs) with its enterprise risk management processes and uses these results to make senior-level decisions; employs automated mechanisms to thoroughly and effectively test system contingency plans; and communicates metrics on the effectiveness of recovery activities to relevant stakeholders.
We determined that the maturity level of the NRC's Contingency Planning domain is Level 5: Optimized. The NRC has demonstrated strengths in this area by integrating its BIA and asset management processes, employing automated mechanisms to test system contingency plans, and coordinating plan testing with external stakeholders (e.g., Information and Communications Technology (ICT) supply chain partners/providers), as appropriate. We also found that the NRC has an opportunity to enhance its Contingency Planning program by completing the implementation of one open prior-year recommendation in this area.21 The recommendation is related to the integration of metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans. Although this prior-year recommendation remains open, the FY 2025 IG FISMA Reporting Metrics did not rely on this control to evaluate the contingency planning domain.
21 Recommendation 12, Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report No. OIG-21-A-05, March 19, 2021). See Appendix C for additional information regarding this prior-year recommendation.
APPENDIX A: BACKGROUND
Federal Information Security Modernization Act of 2014
FISMA requires federal agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. Agencies must also report annually to the OMB and Congressional committees on the effectiveness of their information security program and practices. In addition, FISMA requires agency IGs to assess the effectiveness of their agency's information security program and practices.
NIST Security Standards and Guidelines
FISMA requires NIST to provide standards and guidelines pertaining to federal information systems. The standards prescribed include information security standards that provide the minimum information security requirements necessary to improve the security of federal information and information systems. FISMA also requires that federal agencies comply with the Federal Information Processing Standards issued by NIST. In addition, NIST develops and issues SPs as recommendations and guidance documents.
FISMA Reporting Requirements
The OMB and the DHS annually provide federal agencies and IGs with instructions for preparing FISMA reports. On January 15, 2025, the OMB issued Memorandum M-25-04, Fiscal Year 2025 Guidance on Federal Information Security and Privacy Management Requirements.
This memorandum provides reporting guidance for FY 2025 in accordance with FISMA. Each year, IGs are required to complete the IG FISMA Reporting Metrics to assess the effectiveness of their agency's information security program and practices. To support that assessment, the OMB, CIGIE, and other stakeholders collaborated to develop these metrics.
One of the goals of the annual FISMA evaluation is to assess agencies' progress toward achieving objectives that strengthen Federal cybersecurity. The FY 2025 IG FISMA Reporting Metrics were updated to reflect recent developments:
NIST published CSF 2.0 in February 2024, highlighting the critical role that governance plays in managing cybersecurity risks and incorporating cybersecurity into an organization's enterprise risk management strategy. As such, a new IG FISMA function (Govern) was added that includes a new domain (Cybersecurity Governance) to align with NIST CSF 2.0.
To align with NIST CSF 2.0, the Supply Chain Risk Management domain moved from the Identify function to the Govern function, to better reflect agency oversight of supply chain risk.
A new domain, Risk and Asset Management, was introduced in the Identify function to group metrics on system inventory and hardware, software, and data management.
Five supplemental metrics are in scope for the FY 2025 IG FISMA evaluation, including two new supplemental metrics that are focused on system-level risk management practices critical to achieving Zero Trust Architecture objectives.
The core metric on information system-level risk management was revised to focus on the maturity of agencies' implementation of the NIST Risk Management Framework.
As highlighted in Table 2, the FY 2025 IG FISMA Reporting Metrics are designed to assess the maturity of an agency's information security program and practices and align with the six function areas in NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover.
Table 2: Alignment of the CSF Functions to the Domains in the FY 2025 IG FISMA Reporting Metrics
| Cybersecurity Framework Function Area | Function Area Objective | Domain(s) |
|---|---|---|
| Govern | The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. | Cybersecurity Governance and Cybersecurity Supply Chain Risk Management |
| Identify | The organization's current cybersecurity risks are understood. | Risk and Asset Management |
| Protect | Safeguards to manage the organization's cybersecurity risks are used. | Configuration Management, Identity and Access Management, Data Protection and Privacy, and Security Training |
| Detect | Possible cybersecurity attacks and compromises are found and analyzed. | Information Security Continuous Monitoring |
| Respond | Actions regarding a detected cybersecurity incident are taken. | Incident Response |
| Recover | Assets and operations affected by a cybersecurity incident are restored. | Contingency Planning |
Source: Sikich's analysis of NIST CSF 2.0 and the FY 2025 IG FISMA Reporting Metrics
The foundational levels of the maturity model in the IG FISMA Reporting Metrics focus on the development of sound, risk-based policies and procedures, while the advanced levels capture the institutionalization and effectiveness of those policies and procedures. Table 3 below explains the five maturity model levels. A functional information security area is not considered effective unless it achieves a rating of at least Level 4: Managed and Measurable.
Table 3: IG Evaluation Maturity Levels
| Maturity Level | Maturity Level Description |
|---|---|
| Level 1: Ad-hoc | Policies, procedures, and strategies are not formalized; activities are performed in an ad-hoc, reactive manner. |
| Level 2: Defined | Policies, procedures, and strategies are formalized and documented but not consistently implemented. |
| Level 3: Consistently Implemented | Policies, procedures, and strategies are consistently implemented, but quantitative and qualitative effectiveness measures are lacking. |
| Level 4: Managed and Measurable | Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies are collected across the organization and used to assess the policies and procedures and make necessary changes. |
| Level 5: Optimized | Policies, procedures, and strategies are fully institutionalized, repeatable, self-generating, consistently implemented, and regularly updated based on a changing threat and technology landscape and business/mission needs. |
Source: FY 2025 IG FISMA Reporting Metrics
APPENDIX B: OBJECTIVE, SCOPE, AND METHODOLOGY
Objective
The objective of this performance audit was to assess the effectiveness of the NRC's information security policies, procedures, and practices.
Scope
The scope of this performance audit covered the NRC's information security program and practices consistent with FISMA and reporting instructions that the OMB and the DHS issued for FY 2025. The scope also included assessing selected controls from NIST SP 800-53, Revision 5, supporting the FY 2025 IG FISMA Reporting Metrics, for a sample of 3 out of 15 information systems in the NRC's FISMA reportable system inventory as of January 29, 2025 (Table 4).
Table 4: Description of the Systems Selected for Testing
| System Name | Description |
|---|---|
| Information Technology Infrastructure (ITI) System | ITI is a General Support System (GSS) that supports the NRC's mission by providing the networking backbone, connectivity, office automation, remote access services, and information security functions to include intrusion detection, malicious code protection, vulnerability scanning and system monitoring, and miscellaneous technical support for the NRC. The ITI system includes information up to and including Sensitive Unclassified Non-Safeguards Information. Classified and Safeguards Information are not permitted on the ITI. |
| Nuclear Material FISMA Systems (NMFS) | NMFS supports the NRC's goals of ensuring adequate safety and security for radioactive materials, including transactions involving radioactive materials, and the materials licensing process. NMFS encompasses the Integrated Source Management Portfolio (ISMP) and High-Performance Computing (HPC) workstations, which comprise a set of automated tools to house and maintain information on licensees, nationally tracked sources possessed by licensees, licensee transactions, and scientific research. |
| Office of Nuclear Security and Incident Response (NSIR) FISMA System (NFS) | NFS supports the NRC's role in protecting the health and safety of the public. NFS encompasses: the Emergency Response Data System (ERDS), used to provide emergency responders with real-time environmental and operational conditions of U.S. nuclear power plants; the Operations Center Information Management System (OCIMS), used to support exchanges of information and communication between the NRC and licensees, such as nuclear power plant statuses and events; and the Criminal History System (CH), used to support criminal history background checks from the Federal Bureau of Investigation (FBI). |
Source: NRC ITI, NMFS and NFS System Security Plans
For this year's review, IGs were required to assess 20 core and 5 supplemental IG FISMA Reporting Metrics across 6 function areas (Govern, Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of their agency's information security program and the maturity level of each function area.
The audit also included an evaluation of whether the NRC took corrective actions to address open recommendations from the FY 2024 FISMA audit,22 FY 2023 FISMA audit,23 FY 2022 FISMA audit,24 FY 2021 FISMA evaluation,25 FY 2020 FISMA evaluation,26 and FY 2019 FISMA evaluation.27 The audit covered the period from October 1, 2024, through June 30, 2025. We performed audit fieldwork from January to June 2025.
22 Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 (Report No. OIG-24-A-11, September 30, 2024).
23 Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023 (Report No. OIG-23-A-10, September 29, 2023) and NRC's Vulnerability Assessment and External Penetration Test (Report No. OIG-23-A-11, September 29, 2023).
Methodology
We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards, issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.
To accomplish our audit objectives, we completed the following procedures:
Evaluated key components of the NRC's information security program and practices, consistent with FISMA and reporting instructions that the OMB and the DHS issued for FY 2025.
Focused our testing activities on assessing the maturity of the 20 core and 5 supplemental IG FISMA Reporting Metrics.
Inspected security policies, procedures, and documentation.
Performed inquiries and walkthroughs with NRC management and staff.
Considered guidance contained in OMB's Memorandum M-25-04, Fiscal Year 2025 Guidance on Federal Information Security and Privacy Management Requirements, when planning and conducting our work.
Evaluated select security processes and controls at the program level, as well as for a non-statistical sample of 3 out of 15 information systems in the NRC's FISMA reportable system inventory. The ITI, NMFS and NFS systems are each agency-owned, moderate-impact systems, based on NIST Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems.
Analyzed the ITI, NMFS and NFS, including reviewing selected system documentation and other relevant information, as well as testing selected security controls to support the IG FISMA Reporting Metrics.
Reviewed the status of prior-year FISMA recommendations. See Appendix C for the status of the prior-year recommendations.
The FY 2023-2024 IG FISMA Reporting Metrics introduced a calculated average scoring model that was continued for the FY 2025 FISMA audit. As part of this approach, IGs must average the ratings for core and supplemental IG FISMA Reporting Metrics independently to determine a domain's maturity level and provide data points for the assessed effectiveness of the program and function. To provide IGs with additional flexibility and encourage evaluations that are based on agencies' risk tolerance and threat models, calculated averages were not automatically rounded to a particular maturity level. In determining maturity levels and the overall effectiveness of the agency's information security program, the OMB strongly encouraged IGs to focus on the results of the core IG FISMA Reporting Metrics, as these tie directly to administration priorities and other high-risk areas. The OMB recommended that IGs use the calculated averages of the supplemental IG FISMA Reporting Metrics as a data point to support their risk-based determination of the overall effectiveness of the program and function.
24 Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022 (Report No. OIG-22-A-14, September 29, 2022).
25 Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021 (Report No. OIG-22-A-04, December 20, 2021).
26 Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020 (Report No. OIG-21-A-05, March 19, 2021).
27 Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2019 (Report No. OIG-20-A-06, April 29, 2020).
We used the FY 2025 IG FISMA Reporting Metrics guidance28 to form our conclusions for each CSF domain and function, as well as for the overall agency rating. Specifically, we focused on the calculated average scores of the core IG FISMA Reporting Metrics. Additionally, we considered other data points, such as the calculated average scores of the supplemental IG FISMA Reporting Metrics and progress that the NRC has made in addressing outstanding prior-year recommendations, to form our risk-based conclusion.
Our work did not include assessing the sufficiency of internal controls over the NRC's information security program or other matters not specifically outlined in this report.
28 The FY 2025 IG FISMA Reporting Metrics provide the agency IG with the discretion to determine the rating for each of the CSF domains and functions and the overall agency rating based on the consideration of agency-specific factors and weaknesses noted during the FISMA audit. Using this approach, IGs may determine that a particular domain, function area, or agency's information security program is effective at a calculated maturity level lower than Level 4.
APPENDIX C: STATUS OF PRIOR-YEAR RECOMMENDATIONS
The table below summarizes the status of the open prior-year recommendations from the FY 2024 FISMA audit, FY 2023 FISMA audit, FY 2022 FISMA audit, FY 2021 FISMA evaluation, FY 2020 FISMA evaluation, and FY 2019 FISMA evaluation.29 At the time of testing and IG FISMA Reporting Metric submission, 5 of the 25 prior-year recommendations from the audits and evaluations referenced above remained open.
The NRC issued memoranda on the Status of NRC Open Audit Recommendations (based on audit year) to the NRC OIG demonstrating its progress in remediating the audit recommendations. The NRC's Status column of the following table summarizes these memoranda. The Auditor's Position on Status column is based on our inspection of evidence received during fieldwork. The auditors will follow up on the open prior-year recommendations recorded in this report during the next audit cycle or through the OIG's status of recommendations process. Additionally, this table maps the prior-year recommendation to the affected IG FISMA Reporting Metric domains.
Each entry below gives, in order, the report and recommendation number, the recommendation, the NRC's status, the auditor's position on status, and the affected IG FISMA Reporting Metric domains.30

OIG-24-A-11, FY 2024 FISMA Audit, Recommendation 1
Recommendation: Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either Trusted Workforce or U.S. Department of Defense Continuous Vetting until such time as their enrollment is complete.
NRC's Status: This recommendation remains open. Estimated target completion date: FY 2025 Quarter (Q) 4. The NRC will continue to work with the Defense Counterintelligence and Security Agency (DCSA) to remediate the recommendation and has extended the target completion date, as noted above.
Auditor's Position on Status: Open. We inspected the NRC Status of OIG Recommendations workbook and determined that corrective action is ongoing. During the exit conference on September 8, 2025, the NRC stated that additional progress was made to resolve this recommendation. However, since this occurred outside the audit period, verification of corrective action(s) to support the request for closure will take place as part of either the next FISMA audit cycle or through the OIG's status of recommendations process.
Affected IG FISMA Reporting Metric Domains: Identity and Access Management
29 See footnotes 22, 23, 24, 25, 26, and 27.
30 All prior-year recommendations were mapped to specific affected IG FISMA Reporting Metric domains based upon the nature of each recommendation. In some cases, the nature of the recommendation may affect multiple domains.
OIG-24-A-11, FY 2024 FISMA Audit, Recommendation 2
Recommendation: Complete enrollment of the identified employees and contractors in continuous vetting through Trusted Workforce.
NRC's Status: The NRC requested closure of this recommendation. The NRC completed enrollment of the identified employees and contractors in continuous vetting through Trusted Workforce.
Auditor's Position on Status: Closed. The NRC OIG31 verified that the agency completed enrollment of the identified employees and contractors in continuous vetting through Trusted Workforce.
Affected IG FISMA Reporting Metric Domains: Identity and Access Management

OIG-24-A-11, FY 2024 FISMA Audit, Recommendation 3
Recommendation: Review and update the organizationally defined timeframe for completion of security training in NRC Management Directive (MD) 12.5.
NRC's Status: The NRC requested closure of this recommendation. The NRC reviewed and updated the organizationally defined timeframe for completion of security training in NRC MD 12.5.
Auditor's Position on Status: Closed. The NRC OIG verified that the agency has reviewed and updated the organizationally defined timeframe for completion of the security training in NRC MD 12.5.
Affected IG FISMA Reporting Metric Domains: Security Training

OIG-24-A-11, FY 2024 FISMA Audit, Recommendation 4
Recommendation: Implement a technical capability to capture NRC employees' and contractors' initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process. Also, as part of this recommendation, consider reviewing the current configuration of the Enterprise Identity Hub and Talent Management System (TMS) integration, as well as the logic in TMS itself, as necessary, to ensure training assignments are retained (not cancelled) due to inactivity.
NRC's Status: This recommendation remains open. Estimated target completion date: FY 2025 Q3. The NRC's corrective action plan is underway and includes collaboration between the Office of the Chief Information Officer and the Office of the Chief Human Capital Officer. The target completion date remains the same.
Auditor's Position on Status: Open. We inspected the NRC Status of OIG Recommendations workbook and determined that corrective action is ongoing.
Affected IG FISMA Reporting Metric Domains: Security Training

OIG-23-A-10, FY 2023 FISMA Audit, Recommendation 1
Recommendation: We recommend that NRC management reviews all Information Technology Infrastructure (ITI) plans of action and milestones (POA&Ms) to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
NRC's Status: The NRC requested closure of this recommendation. The NRC has reviewed all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. All POA&Ms have been reviewed, changes to milestones have been updated, and all scheduled completion dates are up to date.
Auditor's Position on Status: Closed. We inspected the ITI open POA&M workbook to determine they are reasonably accurate and contain current, detailed information on the status of corrective actions, including disclosure of any changes to scheduled completion dates as appropriate. We also inspected the ITI closed POA&M workbook to determine they are reasonably accurate and contain current, detailed information on the resolution of corrective actions, including disclosure of any changes to scheduled completion dates as part of remediation as appropriate.
Affected IG FISMA Reporting Metric Domains: Risk and Asset Management
31 Through the NRC OIG's Status of Recommendations (SOR) process, the OIG has closed various recommendations. This is indicated in the Auditor's Position on Status field.
OIG-23-A-10, FY 2023 FISMA Audit, Recommendation 3
Recommendation: We recommend that NRC management increases the current Security Information and Event Management tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all Event Logging (EL) maturity tiers to ensure events are logged and tracked in accordance with Office of Management and Budget (OMB) Memorandum M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021).
NRC's Status: This recommendation remains open. Estimated target completion date: FY 2025 Q4. The NRC has increased the current Security Information and Event Management tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across all EL maturity tiers (i.e., EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced)) to ensure events are logged and tracked in accordance with OMB Memorandum M-21-31 by FY 2025 Q4 by taking a phased approach. The target completion date remains the same.
Auditor's Position on Status: Open. We inspected the NRC Status of OIG Recommendations workbook and determined that corrective action is ongoing. During the exit conference on September 8, 2025, the NRC stated that additional progress was made to resolve this recommendation. However, since this occurred outside the audit period, verification of corrective action(s) to support the request for closure will take place as part of either the next FISMA audit cycle or through the OIG's status of recommendations process.
Affected IG FISMA Reporting Metric Domains: Identity and Access Management; Incident Response

OIG-23-A-11, FY 2023 FISMA Audit Vulnerability Assessment and Penetration Test, Recommendation 1
Recommendation: Implement corrective actions to address vulnerabilities identified in this report.
NRC's Status: The NRC requested closure of this recommendation. The NRC has implemented corrective actions for the vulnerabilities identified in the report.
Auditor's Position on Status: Closed. The NRC OIG reviewed the evidence of vulnerability remediation and concurred that the agency's corrective actions met the recommendation's intent.
Affected IG FISMA Reporting Metric Domains: Configuration Management
OIG-23-A-11 FY 2023 FISMA Audit Vulnerability Assessment and Penetration Test Recommendation 2 Improve the patch and vulnerability management program to patch security deficiencies within the NRCs defined patching time frame (30 calendar days from identification for Critical and High vulnerabilities).
The NRC requested closure of this recommendation.
The NRC has aligned its operational procedures and patching timeframe policy with U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 22-01 Reducing the Significant Risk of Known Exploited Vulnerabilities and CISAs Agency-wide Adaptive Risk Enumeration (AWARE) risk-scoring methodology.
Closed The NRC OIG reviewed the operational procedures and patching timeframe policy and concurred that the agencys corrective actions met the recommendations intent.
Configuration Management OIG-22-A-14 FY 2022 FISMA Audit Recommendation 2 Implement a process to verify that remaining external interconnections noted in the ITI Core Services System Security Plan (SSP) have documented, up-to-date Interconnection Security Agreement (ISA) / Memorandums of Understanding (MOUs) or Service Level Agreements (SLAs) in place as applicable.
The NRC requested closure of this recommendation.
The NRC reviewed internal processes and identified that step 3 in the NRC policy Computer Security Organization (CSO) Process (PROS) CSO-PROS-2030, Risk Management Framework Process, provides a process for the annual review and update of the SSP, which includes the System Interconnections tab. In addition, CSO-PROS-1323, Continuous Monitoring Process, requires performance of an annual review. The NRC also conducted a training session Closed The NRC OIG reviewed and verified the NRCs implemented processes to ensure that the remaining external interconnections noted in the ITI Core Services SSP are verified to be current and accurate.
Risk and Asset Management
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 21 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 during the Information Systems Security Manager Forum on August 20, 2024 addressing the requirements of CSO-PROS-2030 and CSO-PROS-1323.
OIG-22-A-14 FY 2022 FISMA Audit Recommendation 4 Document and implement a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.
The NRC requested closure of this recommendation.
The NRC has implemented a periodic review of the nine subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate. As part of the review process, the NRC implemented a dashboard and a kickoff meeting with the inventory lead to ensure a comprehensive review was performed.
Closed The NRC OIG reviewed and verified that the NRC documented and implemented a periodic review of the nine subsystem inventories to verify that the information maintained for each ITI subsystem is current, complete, and accurate.
The NRC OIG also verified that the NRC implemented a dashboard and held a kickoff meeting with the inventory lead to ensure the performance of a comprehensive review.
Risk and Asset Management OIG-22-A-14 FY 2022 FISMA Audit Recommendation 6 Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.
The NRC requested closure of this recommendation.
The NRC has implemented a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role based training.
Closed The NRC OIG reviewed and verified that the NRC has implemented a process to validate that all new personnel with privileged-level responsibilities complete the annual security awareness within 20 business days of obtaining access to NRC systems and annually thereafter.
In addition, the NRC OIG verified that the NRC has updated MD 12.5 with the revised timeline to reflect this process.
Security Training OIG-22-A-14 FY 2022 FISMA Audit Recommendation 7 Implement a process to validate that all new contractors complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment and to subsequently The NRC requested closure of this recommendation.
The NRC has implemented a process to validate that all new contractors complete their initial Closed The NRC OIG reviewed and verified the NRCs implemented security training that contains the Rules of Behavior that occurs Security Training
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 22 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 ensure completion of annual security awareness training and renewal of rules of behavior is tracked.
security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment and implemented a process to track completion of annual security awareness training and renewal of rules of behavior via TMS.
before contractors gain access to the NRC network.
OIG-22-A-04 FY 2021 FISMA Evaluation Recommendation 6 Document and implement policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.
The NRC requested closure of this recommendation.
The NRC has implemented policies and procedures for prioritizing externally provided systems and services documented in CSO-PROS-0008, Process to Assess, Respond, and Monitor ICT Supply Chain Risks, Appendix B.
Closed The NRC OIG reviewed the evidence and confirmed that the agency has documented and implemented policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third-party providers.
Cybersecurity Supply Chain Risk Management OIG-22-A-04 FY 2021 FISMA Evaluation Recommendation 7 Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.
The NRC requested closure of this recommendation.
The NRC CSO-PROS-0006, Counterfeit and Compromised ICT Products Detection Process, defines the process that must be used to identify information and communication counterfeit products prior to acquisition and prior to acceptance for hardware and software products. The NRC relies on the manufacturer methods to ensure a product has not been modified (e.g.,
visual scanning techniques for hardware and checking for digital signatures in software).
Closed The NRC OIG reviewed CSO-PROS-0006 and confirmed that the NRC has implemented processes for continuous monitoring and scanning of counterfeit components including configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.
Cybersecurity Supply Chain Risk Management
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 23 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 OIG-22-A-04 FY 2021 FISMA Evaluation Recommendation 8 Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.
This recommendation remains open.
Estimated target completion date: FY 2025 Q3 Pursuant to the Supply Chain Security Training Act of 2021, Pub. L. 117-145, the General Services Administration is required to develop training for federal officials with supply chain risk management responsibilities. The NRC will leverage this training, which will be implemented by the OMB, when it becomes available.
Open Inspected the NRC Status of OIG Recommendations workbook and determined that corrective action is on-going.
Cybersecurity Supply Chain Risk Management Security Training OIG-22-A-04 FY 2021 FISMA Evaluation Recommendation 11 Update user system access control procedures to include the requirement for individuals to complete a non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information.
The NRC requested closure of this recommendation.
The NRC has implemented a process for individuals to acknowledge the system rules of behavior as part of the Cybersecurity and Awareness (CSA) training, within 20 business days of obtaining access to NRC systems, and annually thereafter. The revised timeline was updated in MD 12.5. The completion of training and acknowledgment of the rules of behavior is monitored in TMS.
Closed The NRC OIG verified that the MD 12.5 was updated, with the revised timeline for individuals to acknowledge the system rules of behavior as part of the CSA training, required within 20 business days of obtaining access to NRC systems and annually thereafter; and that the NRC monitors completion of training and acknowledgment of the rules of behavior through the TMS.
Identity and Access Management OIG-22-A-04 FY 2021 FISMA Evaluation Recommendation 13 Implement the technical capability to restrict access or not allow access to the NRCs systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable or implement the technical The NRC requested closure of this recommendation.
The NRC has implemented a process to validate that new NRC employees and contractors complete security Closed The NRC OIG verified the evidence that the NRC implemented a process to validate that new NRC employees and contractors complete the security awareness Security Training
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 24 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 capability to capture NRC employees and contractors initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.
awareness training within 20 business days of obtaining access to the NRC systems, and annually thereafter. The change in timeline was updated in MD 12.5. This activity is monitored in TMS. In addition, role-based training is assigned once the employee or contractor assumes the role.
training within 20 business days of obtaining access to the NRC systems and annually thereafter.
The activity is monitored through TMS to compensate for the technical capability to capture NRC employees and contractors initial login date.
OIG-21-A-05 FY 2020 FISMA Evaluation Recommendation 5 Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agencys on-boarding procedures prior to these individuals being granted access to the NRCs systems and information.
The NRC requests closure of this recommendation.
NRC updated MD 12.3, NRC Personnel Security Program (July 18, 2022) to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted a security clearance. Those individuals granted access authorizations are required to complete Standard Form 312, Classified Information Non-Disclosure Agreement, which is maintained by the Personnel Security Branch. Also, the NRC has incorporated the requirement for contractors and employees to complete non-disclosure agreements as part of the agencys on-boarding procedures. This activity is monitored in TMS.
Closed We inspected MD 12.3, NRC Personnel Security Program (July 18, 2022) to verify that each request for access authorization done as part of onboarding procedures must be accompanied by a completed security forms packet containing NRC Form 176A, Security Acknowledgment. Also, applicants for NRC security clearances at the "L", "L(H)", or "Q" level will be required to sign an Standard Form 312, Classified Information Non-Disclosure Agreement before the clearance is granted. Additionally, inspected the Common Controls Information Security Program Plan and observed TMS to confirm non-disclosure is included as part of agency-wide rules of behavior which is presented upon onboarding and annually thereafter as part of the mandatory cybersecurity awareness training.
Identity and Access Management OIG-21-A-05 FY 2020 FISMA Evaluation Continue efforts to identify individuals having additional responsibilities for personally identifiable information (PII) or activities involving PII and The NRC requested closure of this recommendation.
Closed We inspected the NRC Privacy Program Plan, Version 2.4, and Data Protection and Privacy
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 25 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 Recommendation 6 develop role-based privacy training for them to be completed annually.
The NRC completed an independent assessment of the Privacy Program in October 2023 and identified training gaps with regard to personnel who have privacy roles requiring role-based training.
Since that time, the NRC has created and implemented role-based privacy training content for system managers, privacy custodians, and the Core Management Group (senior executive officers).
determined that it was amended to define requirements for role-based privacy training. We also verified that TMS featured an NRC role-based privacy training course as well as other role-based privacy training options such as the Lunch Byte series and the Information Systems Security Manager /
Auditor Cybersecurity Role-Based Training and Refresher courses.
OIG-21-A-05 FY 2020 FISMA Evaluation Recommendation 8 Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.
The NRC requests closure of this recommendation.
The NRC has implemented a process to validate that new NRC employees and contractors complete security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The NRC updated MD 12.5 with the revised timeline. The agency monitors this activity through TMS. In addition, role-based training is assigned once the employee or contractor assumes the role.
Closed We inspected the revised response from NRC management and determined that corrective action implemented is consistent with the NRC OIGs analysis of Recommendation 13 in OIG-22-A-04, FY 2021 FISMA Evaluation and is satisfactory to resolve this similar recommendation.
Security Training OIG-21-A-05 FY 2020 FISMA Evaluation Recommendation 12 Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to This recommendation remains open.
Estimated target completion date: FY 2025 Q4 The NRC will analyze its contingency plans to identify opportunities to integrate Open Inspected the NRC Status of OIG Recommendations workbook and determined that corrective action is on-going.
Contingency Planning
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 26 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 deliver persistent situational awareness across the organization.
metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time.
OIG-21-A-05 FY 2020 FISMA Evaluation Recommendation 13 Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with information and communications technology (ICT) supply chain providers and implement an automated mechanism to test system contingency plans.
The NRC requests closure of this recommendation.
The NRC has implemented automated mechanisms for its critical IT systems and incorporated associated procedures into contingency plan testing. The NRC has also coordinated with associated ICT supply chain providers.
Closed We inspected NRC Contingency Planning - Automated Mechanisms and determined that various automated mechanisms and capabilities have been implemented to test system contingency plans. Also, inspected CSO-TEMP-2023, Contingency Plan Template, Section 4.4, and determined that procedures have been updated to coordinate contingency planning with ICT supply chain providers.
Cybersecurity Supply Chain Risk Management Contingency Planning OIG-20-A-06 FY 2019 FISMA Evaluation Recommendation 2(c)
Use the fully defined information security architecture (ISA) to formally define formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
The NRC requests closure of this recommendation.
The NRC has used the ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
Closed The NRC OIG verified that the NRC had used the fully defined ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
Risk and Asset Management OIG-20-A-06 FY 2019 FISMA Evaluation Recommendation 5 Identify individuals having specialized role-based responsibilities for PII or activities involving PII and develop role-based privacy training for them.
The NRC requests closure of this recommendation.
The NRC has identified individuals having specialized role-based responsibilities for PII or activities involving PII and developed role-based privacy Closed We inspected the NRC Privacy Program Plan, Version 2.4, and determined that it was amended to define requirements for role-based privacy training. We also verified that TMS featured an NRC role-Data Protection and Privacy
U.S. Nuclear Regulatory Commission Audit of NRCs Implementation of FISMA Performance Audit Report 27 Report No.
Recommendation No.
Recommendation NRCs Status Auditors Position on Status Affected IG FISMA Reporting Metric Domains30 training for them. The agency has completed the associated training development and implementation.
based privacy training course as well as other role-based privacy training options such as the Lunch Byte series and the Information Systems Security Manager Auditor Cybersecurity Role-Based Training and Refresher courses.
OIG-20-A-06 FY 2019 FISMA Evaluation Recommendation 6 Based on NRCs supply chain risk assessment results, complete updates to the NRCs contingency planning policies and procedures to address supply chain risk training for them.
The NRC requested closure of this recommendation.
The NRC has updated its contingency planning policies and procedures to incorporate the NRCs current supply chain risk assessment procedures.
Closed The NRC OIG verified the evidence that the NRC updated its contingency planning policies and procedures to address supply chain risk.
Cybersecurity Supply Chain Risk Management Contingency Planning
APPENDIX D: MANAGEMENT RESPONSE

The OIG and Sikich held an exit conference with the agency on September 8, 2025. Before the exit conference, agency management reviewed and provided editorial comments on the discussion draft version of this report, and the OIG and Sikich discussed these comments with the agency during the conference. Sikich has incorporated the agency's comments into this report as appropriate. NRC management chose not to provide formal comments for inclusion in this report. Responsible officials will provide agency planned corrective actions within 30 days following report publication as part of the audit resolution process.