ML26014A239
| ML26014A239 | |
| Person / Time | |
|---|---|
| Issue date: | 01/14/2026 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mark King NRC/EDO |
| References | |
| OIG-NRC-25-A-05 | |
| Download: ML26014A239 (0) | |
Text
NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 nrcoig.oversight.gov MEMORANDUM DATE:
January 14, 2026 TO:
Michael F. King Executive Director for Operations FROM:
Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations
SUBJECT:
STATUS OF RECOMMENDATIONS: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSIONS IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 REGION IV: ARLINGTON, TEXAS (OIG-NRC-25-A-05)
REFERENCE:
CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED DECEMBER 22, 2025 Attached is the Office of the Inspector Generals (OIG) analysis and status of the recommendations, as discussed in the agencys response dated December 22, 2025.
Recommendation 2 was previously closed. Based on this response, recommendation 1 remains open and resolved. Please provide an updated status of the open, resolved recommendation by July 24, 2026.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment:
As stated cc: J. Martin, ADO D. Lewis, DADO E. Deeds, OEDO OIG Liaison Resource EDO ACS Distribution
Audit Report PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSIONS IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 REGION IV: ARLINGTON, TEXAS Status of Recommendations (OIG-NRC-25-A-05) 2 Recommendation 1:
We recommend that the U.S. Nuclear Regulatory Commission (NRC) management investigate methods of identifying inactive user accounts and improving its internal controls over inactivity to ensure that it disables network user accounts after 90 days of inactivity.
Agency Response Dated December 22, 2025:
The NRC has automated tools in place to identify and disable inactive user accounts. These tools have been verified to function as intended, except when accounts for individuals who have recently departed the agency are manually re-enabled for temporary content preservation purposes.
The NRC will investigate, then implement, changes to the tools to account for this specific, unaddressed use case.
Target Completion Date: Fiscal Year 2026, Quarter 2 OIG Analysis:
The OIG will close this recommendation after confirming that NRC management has incorporated investigative methods to identify inactive user accounts and has improved its internal controls over user account inactivity to ensure that it disables network accounts after 90 days of inactivity.
Status:
Open: Resolved