OIG-22-A-14, Status of Recommendations: Audit of the NRC's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2022, Dated, June 4, 2025

ML25155B389
Person / Time
Issue date: 06/04/2025
From: Virkar H, NRC/OIG/AIGA
To: Mirela Gavrilas, NRC/EDO
References: OIG-22-A-14


Text

MEMORANDUM

DATE: June 4, 2025

TO: Mirela Gavrilas, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022 (OIG-22-A-14)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED MAY 29, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated May 29, 2025. Based on this response, recommendations 4 and 6 are now closed. Recommendations 1, 2, 3, 5 and 7 were previously closed. All recommendations are now closed.

If you have any questions or concerns, please call me at 301.415.1982 or Michael Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO; D. Lewis, DADO; E. Deeds, OEDO; OIG Liaison Resource; EDO ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

Audit Report

AUDIT OF THE NRC'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2022

Status of Recommendations (OIG-22-A-14)

Recommendation 4:

Document and implement a periodic review of subsystem inventories to verify information maintained for each Information Technology Infrastructure System (ITI) subsystem is current, complete, and accurate.

Agency Response Dated May 29, 2025:

The U.S. Nuclear Regulatory Commission (NRC) implemented a periodic review of the nine subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate. As part of the review process, the NRC implemented a dashboard and held a kickoff meeting with the inventory lead to ensure performance of a comprehensive review.

Target Completion Date: The NRC suggests closure of this item.

OIG Analysis:

The OIG reviewed and verified that the NRC documented and implemented a periodic review of the nine subsystem inventories to verify that the information maintained for each ITI subsystem is current, complete, and accurate. The OIG also verified that the NRC implemented a dashboard and held a kickoff meeting with the inventory lead to ensure the performance of a comprehensive review. This recommendation is now closed.

Status:

Closed

Recommendation 6:

Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.

Agency Response Dated May 29, 2025:

The NRC has implemented a process to validate that all new personnel with privileged level responsibilities complete annual security awareness within 20 business days of obtaining access to the NRC systems and annually thereafter.

The staff updated Management Directive (MD) 12.5 with the revised timeline. The agency monitors this activity through Talent Management System (TMS). In addition, role-based training is assigned once the employee assumes the role.

The NRC suggests closure of this recommendation.

Target Completion Date: The NRC suggests closure of this item.

OIG Analysis:

The OIG reviewed and verified that the NRC has implemented a process to validate that all new personnel with privileged-level responsibilities complete the annual security awareness within 20 business days of obtaining access to NRC systems and annually thereafter. In addition, the OIG verified that the NRC has updated MD 12.5 with the revised timeline to reflect this process. This recommendation is now closed.

Status:

Closed