OIG-24-A-11, Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024, Dated, January 26, 2026

ML26026A215
Issue date: 01/26/2026
From: Virkar H, NRC/OIG/AIGA
To: Mark King, NRC/EDO
References: OIG-24-A-11


Text

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930
nrcoig.oversight.gov

MEMORANDUM

DATE: January 26, 2026

TO: Michael F. King, Executive Director for Operations

FROM: Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION’S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 (OIG-24-A-11)

REFERENCE: CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED DECEMBER 30, 2025

Attached is the Office of the Inspector General’s (OIG) analysis and status of recommendations, as discussed in the agency’s response dated December 30, 2025.

Based on this response, recommendation 1 is now closed. Recommendation 4 remains open and resolved. Recommendations 2 and 3 were previously closed. Please provide an updated status of the open, resolved recommendation by July 31, 2026.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution

Audit Report

AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION’S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024

Status of Recommendations (OIG-24-A-11)

Recommendation 1:

Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either Trusted Workforce (TW) or U.S. Department of Defense Continuous Vetting (DoD CV) until such time as their enrollment is complete.

Agency Response Dated December 30, 2025:

The U.S. Nuclear Regulatory Commission (NRC) has engaged the Defense Counterintelligence and Security Agency (DCSA) on a more frequent basis to ensure NRC records of enrollment match those of the DCSA. In addition, the NRC runs a reinvestigation report at the beginning of the fiscal year and compares it to enrollment records the DCSA provides upon request. Through the continuous vetting process, the NRC ensures that employees and contractors are actively enrolled in TW or DoD CV.

Target Completion Date: The NRC suggests closure of this recommendation.

OIG Analysis:

The OIG reviewed the evidence and confirmed that the NRC has established a process to monitor and ensure that reinvestigations occur for employees and contractors identified as not yet enrolled in continuous vetting through TW or DoD CV, until their enrollment is complete. Hence, this recommendation is closed.

Status:

Closed

Recommendation 4:

Implement a technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process.

Also, as part of this recommendation, consider reviewing the current configuration of the Enterprise Identity Hub (EIH) and Talent Management System (TMS) integration - as well as the logic in TMS itself, as necessary - to ensure training assignments are retained (not cancelled) due to inactivity.

Agency Response Dated December 30, 2025:

The NRC has reviewed the relevant configuration settings within the EIH and TMS. The technical teams are working to determine an appropriate set of configuration and system interconnection updates to support resolution of the finding.

Initial solutioning work is underway. Some potential solutions include the use of attributes other than an initial login date to ensure that training assignments are both assigned appropriately and retained even through periods of inactivity.

Target Completion Date: Fiscal Year 2026, second quarter

OIG Analysis:

The OIG will close this recommendation after verifying that the agency has implemented a solution or an appropriate set of configuration and system interconnection updates to support resolution of the finding that meets the technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process and has reviewed the current configuration of the EIH and TMS integration - as well as the logic in TMS itself, as necessary - to ensure training assignments are retained (not cancelled) due to the inactivity.

Status:

Open: Resolved