OIG-21-A-05, Status of Recommendations: Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020, Dated July 31, 2025
| Field | Value |
|---|---|
| Accession number | ML25213A017 |
| Issue date | 07/31/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Mark King NRC/EDO |
| References | OIG-21-A-05 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: July 31, 2025
TO: Michael F. King, Acting Executive Director for Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020 (OIG-21-A-05)
REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED JULY 3, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations, as discussed in the agency's response dated July 3, 2025.
Recommendations 1 through 4, 7, and 9 through 11 were previously closed. Based on this response, recommendations 5, 6, 8, and 13 are now closed. Recommendation 12 remains open and resolved. Please provide an updated status of the open, resolved recommendation by January 16, 2026.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution
Evaluation Report: INDEPENDENT EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2020, Status of Recommendations (OIG-21-A-05)

Recommendation 5:
Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency's on-boarding procedures prior to these individuals being granted access to the NRC's systems and information.
Agency Response Dated July 3, 2025:
The U.S. Nuclear Regulatory Commission (NRC) has implemented Management Directive (MD) 12.3, NRC Personnel Security Program, dated July 18, 2022, to include the requirement for individuals to complete a nondisclosure agreement as part of the clearance waiver process before the individual is granted a security clearance. Those individuals granted access authorizations are required to complete Standard Form 312, Classified Information Non-Disclosure Agreement, which is maintained by the Personnel Security Branch (PSB) in the Office of Administration (ADM). Also, the NRC has incorporated the requirement for contractors and employees to complete nondisclosure agreements (NDA) as part of the agency's onboarding procedures. This activity is monitored in the Talent Management System (TMS).
Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis:
During fieldwork performed for the Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025 (FY 2025 FISMA) audit, the OIG and its contractors confirmed that the NRC reviewed MD 12.3. The TMS was reviewed to confirm that an NDA is included as part of agency-wide rules of behavior, which is presented upon onboarding and annually thereafter as part of the mandatory cybersecurity awareness training. This recommendation is now closed.
Status:
Closed
Recommendation 6:
Continue efforts to identify individuals having additional responsibilities for PII (Personal Identifiable Information) or activities involving PII and develop role-based privacy training for them to be completed annually.
Agency Response Dated July 3, 2025:
The NRC completed an independent assessment of the Privacy Program in October 2023 and identified training gaps with regard to personnel who have privacy roles requiring role-based training. Since then, the NRC has created the role-based privacy training content for system managers, privacy custodians, and the Core Management Group (senior executive officers).
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
During fieldwork performed for the FY 2025 FISMA audit, the OIG and its contractors confirmed that the NRC's Privacy Program Plan has been amended to define requirements for role-based privacy training. The OIG verified that the TMS features an NRC role-based privacy training as well as other role-based privacy training options. This recommendation is now closed.
Status:
Closed
Recommendation 8:
Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.
Agency Response Dated July 3, 2025:
The NRC has implemented a process to validate that new NRC employees and contractors complete security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The NRC updated MD 12.5, NRC Cybersecurity Program Yellow Announcement (YA) dated July 28, 2024, with the revised timeline. The agency monitors this activity through TMS. In addition, role-based training is assigned once the employee or contractor assumes the role.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
During fieldwork performed for the FY 2025 FISMA audit, the OIG and its contractors confirmed that the NRC implemented a process to validate that new NRC employees and contractors complete annual security awareness training, and that this activity is monitored through TMS.
This recommendation is now closed.
Status:
Closed
Recommendation 12:
Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.
Agency Response Dated July 3, 2025:
The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The revised target completion date is the fourth quarter (Q4) of fiscal year (FY) 2025.
Target Completion Date: FY 2025, Q4
OIG Analysis:
The OIG will close this recommendation after confirming that the agency has integrated metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.
Status:
Open: Resolved
Recommendation 13:
Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT (information and communication technology) supply chain providers and implement an automated mechanism to test system contingency plans.
Agency Response Dated July 3, 2025:
The NRC has implemented automated mechanisms for a number of its critical information technology systems and incorporated the measures in the associated contingency testing procedures.
Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis:
During fieldwork performed for the FY 2025 FISMA audit, the OIG and its contractors confirmed that various automated mechanisms and capabilities have been implemented to test system contingency plans, and that procedures have been updated to coordinate contingency planning with ICT supply chain providers. This recommendation is now closed.
Status:
Closed