ML26034C194

| Field | Value |
|---|---|
| Issue date | 02/03/2026 |
| From | Virkar H NRC/OIG/AIGA |
| To | Mark King NRC/EDO |
| References | OIG-NRC-25-A-14 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: February 3, 2026

TO: Michael F. King, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2025 (OIG-NRC-25-A-14)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED DECEMBER 31, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated December 31, 2025.
Based on this response, recommendations 2 and 3 are now closed. Recommendation 1 remains open and resolved. Please provide an updated status of the open, resolved recommendation by July 6, 2026.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: J. Martin, ADO
S. Anderson, Acting DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution
Audit Report: PERFORMANCE AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2025, Status of Recommendations (OIG-NRC-25-A-14)

Recommendation 1:
We recommend that the U.S. Nuclear Regulatory Commission (NRC) complete the implementation of Cybersecurity Framework (CSF) 2.0 requirements and develop and maintain current and target CSF profiles that anticipate changes in the NRC's cybersecurity posture.
Agency Response Dated December 29, 2025: The NRC will complete the implementation of the National Institute of Standards and Technology (NIST) CSF 2.0 requirements and develop and maintain current and target CSF profiles that anticipate changes to the agency's cybersecurity posture.
Target Completion Date: FY 2026, Quarter 3

OIG Analysis:
The OIG will close this recommendation after reviewing and confirming the evidence that the NRC completed the implementation of CSF 2.0 requirements and developed and maintained current and target CSF profiles that anticipate changes in the NRC's cybersecurity posture.
Status:
Open: Resolved
Recommendation 2:
We recommend that the NRC coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the NRC is unable to obtain the self-attestation forms, it should request Plans of Action and Milestones (POA&Ms) from the software producers and submit them to the Office of Management and Budget (OMB), in accordance with OMB Memorandum M-23-16 and EO [Executive Order] 14028 self-attestation requirements.
Agency Response Dated December 30, 2025: The NRC performed an internal evaluation with consideration of current operational needs and has made a risk-based decision to discontinue pursuing additional attestation letters from software producers. The NRC has determined that the residual risk associated with the absence of the letters is acceptable and has documented this decision through the appropriate risk assessment per CSO-PROS-2030, which leverages NIST Special Publication (SP) 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. As a result of this acceptance of risk, the POA&M item has been closed as of December 8, 2025.
In addition, the NRC reviewed the supply chain risk management processes and consolidated them into a single overarching process. As a result, CSO-PROS-0009, Supply Chain Software Evaluation Process, has been decommissioned. The NRC will continue to evaluate software supply risks using established internal cybersecurity processes and will adapt as needed should the OMB issue new Federal requirements or guidance.
Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis:
On January 23, 2026, the OMB issued Memorandum M-26-05, Adopting a Risk-based Approach to Software and Hardware Security. The OIG reviewed the memorandum and determined that the new guidance rescinds the previously mandated requirements under OMB M-23-16. This recommendation is now closed.
Status:
Closed
Recommendation 3:
We recommend that the NRC request an extension or a waiver from the OMB for continued use of the producer's software when a self-attestation is not provided, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.
Agency Response Dated December 30, 2025: The NRC performed an internal evaluation with consideration of current operational needs and has made a risk-based decision to discontinue pursuing additional attestation letters from software producers. The NRC has determined that the residual risk associated with the absence of the letters is acceptable and has documented this decision through the appropriate risk assessment per CSO-PROS-2030, which leverages NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. As a result of this acceptance of risk, the associated POA&M item has been closed as of December 8, 2025.
In addition, the NRC reviewed the supply chain risk management processes and consolidated them into a single overarching process. As a result, CSO-PROS-0009 has been decommissioned. The NRC will continue to evaluate software supply risks using established internal cybersecurity processes and will adapt as needed should the OMB issue new federal requirements or guidance.
Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis:
On January 23, 2026, the OMB issued Memorandum M-26-05, Adopting a Risk-based Approach to Software and Hardware Security. The OIG reviewed the memorandum and determined that the new guidance rescinds the previously mandated requirements under OMB M-23-16.
This recommendation is now closed.
Status:
Closed