OIG-22-A-04, Status of Recommendations: Independent Evaluation of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2021, Dated May 19, 2025
| ML25139A054 | |
|---|---|
| Issue date: | 05/19/2025 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Mirela Gavrilas NRC/EDO |
| References: | OIG-22-A-04 |
| Download: | ML25139A054 (1) |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: May 19, 2025

TO: Mirela Gavrilas, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (OIG-22-A-04)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED APRIL 30, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations discussed in the agency's response dated April 30, 2025.

Recommendations 1-6, 9, 10, 12, and 14-18 were previously closed. Based on this response, recommendations 7, 11, and 13 are now closed. Recommendation 8 remains open and resolved. Please provide an updated status of the open, resolved recommendation by November 30, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO; D. Lewis, DADO; J. Jolicoeur, OEDO; OIG Liaison Resource; EDO ACS Distribution
Evaluation Report: INDEPENDENT EVALUATION OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (OIG-22-A-04)

Recommendation 7:
Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.
Agency Response Dated April 30, 2025:
The U.S. Nuclear Regulatory Commission (NRC) has an effective process in place to monitor for counterfeit components. The agency reviewed its existing processes and determined that NRC policy, documented in CSO-PROS-0006, Revision 1.0, Counterfeit and Compromised ICT Product Detection Process, dated April 14, 2021 (Agencywide Documents Access and Management System Accession No. ML21048A050), defines the process that must be used to identify counterfeit information and communication products before acquisition and counterfeit hardware and software products before acceptance. The NRC relies on the manufacturer's methods to ensure a product has not been modified (e.g., visual scanning techniques for hardware and checking for digital signatures in software). The NRC suggests closure of this recommendation.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG reviewed CSO-PROS-0006, Revision 1.0, Counterfeit and Compromised ICT Product Detection Process, dated April 14, 2021, and confirmed that the NRC has implemented processes for continuous monitoring and scanning of counterfeit components, including configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service. Therefore, this recommendation is now closed.
Status:
Closed
Recommendation 8:
Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.
Agency Response Dated April 30, 2025:
Pursuant to the Supply Chain Security Training Act of 2021 (Pub. L. 117-145), the General Services Administration is required to develop training for Federal officials with supply chain risk management responsibilities. The NRC will leverage this training, which will be implemented by the Office of Management and Budget, when it becomes available.
Target Completion Date: Fiscal year 2025, third quarter
OIG Analysis:
The OIG will close this recommendation after confirming that the NRC has leveraged the General Services Administration's training for Federal officials with supply chain risk management responsibilities to develop and implement role-based training for personnel with supply chain risk management roles and responsibilities to detect counterfeit system components.
Status:
Open: Resolved
Recommendation 11:
Update user system access control procedures to include the requirement for individuals to complete non-disclosure and rules of behavior agreements before being granted access to NRC systems and information.
Agency Response Dated April 30, 2025:
Based on review, this recommendation is not applicable to the NRC's current environment. The agency has implemented a process for individuals to acknowledge the system rules of behavior as part of the Cybersecurity and Awareness training, required within 20 business days of obtaining access to NRC systems and annually thereafter.
The staff updated NRC Management Directive (MD) 12.5, NRC Cybersecurity Program (ML24198A139), with the revised timeline. The agency monitors completion of training and acknowledgment of the rules of behavior through the Talent Management System (TMS). The NRC suggests closure of this recommendation.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG confirmed that NRC Management Directive (MD) 12.5, NRC Cybersecurity Program (ML24198A139), was updated with the revised timeline for individuals to acknowledge the system rules of behavior as part of the Cybersecurity and Awareness training, required within 20 business days of obtaining access to NRC systems and annually thereafter. The OIG also confirmed that the NRC monitors completion of training and acknowledgment of the rules of behavior through the Talent Management System (TMS). This monitoring compensates for the absence of user system access control procedures requiring individuals to complete non-disclosure and rules of behavior agreements before being granted access to NRC systems and information. Therefore, this recommendation is now closed.
Status:
Closed
Recommendation 13:
Implement the technical capability to restrict or deny access to the NRC's systems until new NRC employees and contractors have completed security awareness training and role-based training, as applicable; or implement the technical capability to capture NRC employees' and contractors' initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.
Agency Response Dated April 30, 2025:
Based on review, this recommendation is not applicable to the NRC's current environment. The agency has implemented a process to validate that new NRC employees and contractors complete security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The staff updated MD 12.5 with the revised timeline. The agency monitors this activity through TMS. In addition, role-based training is assigned once the employee or contractor assumes the role. The NRC suggests closure of this recommendation.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis:
The OIG reviewed and confirmed that the agency has implemented a process to validate that new NRC employees and contractors complete the security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The activity is monitored through TMS, which compensates for the absence of a technical capability to capture NRC employees' and contractors' initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place. Therefore, this recommendation is now closed.
Status:
Closed