OIG-23-A-10, Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023, Dated July 31, 2025

ML25213A060
Issue date: 07/31/2025
From: Virkar H (NRC/OIG/AIGA)
To: Mark King (NRC/EDO)
References: OIG-23-A-10


NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: July 31, 2025

TO: Michael F. King, Acting Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023 (OIG-23-A-10)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER, MEMORANDUM DATED JULY 7, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated July 7, 2025. Based on this response, recommendation 1 is now closed. Recommendation 3 remains open and resolved. Recommendation 2 was previously closed. Please provide an updated status of the open, resolved recommendation by January 16, 2026.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution

Audit Report: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2023, Status of Recommendations (OIG-23-A-10)

Recommendation 1:

We recommend that U.S. Nuclear Regulatory Commission (NRC) management reviews all Information Technology Infrastructure (ITI) plans of action and milestones (POA&Ms) to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.

Agency Response Dated July 7, 2025:

The NRC management has reviewed all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. All POA&Ms have been reviewed, changes to milestones have been updated, and all scheduled completion dates are up to date.

Target Completion Date: The NRC suggests closure of this item.

OIG Analysis:

The OIG and its contractor reviewed and confirmed the evidence that all ITI POA&Ms are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates as appropriate. This recommendation is now closed.

Status:

Closed

Recommendation 3:

We recommend that NRC management increases the current Security Information and Event Management (SIEM) tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all Event Logging (EL) maturity tiers to ensure events are logged and tracked in accordance with Office of Management and Budget (OMB) M-21-31.

Agency Response Dated July 7, 2025:

The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC has implemented some requirements across EL maturity tiers EL1 (Basic), EL2 (Intermediate), and plans to implement EL3 (Advanced) to ensure events are logged and tracked in accordance with OMB M-21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents, dated August 27, 2021, by the fourth quarter (Q4) of fiscal year (FY) 2025. The NRC is taking a phased approach to meeting the requirements of OMB M-21-31. The EL1 logging maturity level was completed on 7/19/2024, requirements for the EL2 logging maturity level were completed on 3/31/2025, and the EL3 logging maturity level is scheduled for completion by 8/1/2025.

Target Completion Date: FY 2025, Q4

OIG Analysis:

The OIG reviewed and confirmed the evidence that the NRC increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The OIG will close this recommendation when it verifies that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.

Status:

Open: Resolved