OIG-24-A-11, Status of Recommendations: Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024, Dated June 25, 2025

| Field | Value |
|---|---|
| Accession number | ML25176A232 |
| Issue date | 06/25/2025 |
| From | Virkar H, NRC/OIG/AIGA |
| To | Mirela Gavrilas, NRC/EDO |
| References | OIG-24-A-11 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: June 25, 2025

TO: Mirela Gavrilas, Executive Director for Operations

FROM:
Hruta Virkar, CPA /RA/
Assistant Inspector General for Audits & Evaluations
SUBJECT:
STATUS OF RECOMMENDATIONS: AUDIT OF THE U.S. NUCLEAR REGULATORY COMMISSION'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2024 (OIG-24-A-11)
REFERENCE:
CHIEF INFORMATION OFFICER, OFFICE OF THE CHIEF INFORMATION OFFICER MEMORANDUM DATED JUNE 5, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of the recommendations, as discussed in the agency's response dated June 5, 2025. Based on this response, recommendations 1 and 4 remain open and resolved. Recommendations 2 and 3 were previously closed. Please provide an updated status of the open, resolved recommendations by December 12, 2025.
If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.
Attachment: As stated

cc: J. Martin, ADO
D. Lewis, DADO
E. Deeds, OEDO
OIG Liaison Resource
EDO ACS Distribution

Audit Report: Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024, Status of Recommendations (OIG-24-A-11)

Recommendation 1:
Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either Trusted Workforce (TW) or U.S. Department of Defense Continuous Vetting (DoD CV) until such time as their enrollment is complete.
Agency Response Dated June 5, 2025:
The U.S. Nuclear Regulatory Commission (NRC) will engage the Defense Counterintelligence and Security Agency (DCSA) on a more frequent basis to ensure NRC records of enrollment match those of the DCSA. If a reinvestigation is needed for enrollment of an individual, that process will be initiated promptly. The DCSA is implementing an automated system that will enroll individuals into continuous vetting when the NRC grants the clearance, eliminating the manual review process and removing the possibility of individuals failing to be enrolled.
Target Completion Date: Fiscal Year (FY) 2025, Quarter 4
OIG Analysis:
The OIG will close this recommendation after confirming that the agency has implemented a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.
Status:
Open: Resolved
Recommendation 4:
Implement a technical capability to capture NRC employees' and contractors' initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process.
Also, as part of this recommendation, consider reviewing the current configuration of the Enterprise Identity Hub (EIH) and Talent Management System (TMS) integration, as well as the logic in TMS itself as necessary, to ensure that training assignments are retained rather than cancelled because of inactivity.
Agency Response Dated June 5, 2025:
The NRC has reviewed the relevant configuration settings within the EIH and TMS. The technical teams are working to determine an appropriate set of configuration and system interconnection updates to support resolution of the recommendation. Initial work on a solution is underway.
Some potential solutions include the use of attributes other than an initial login date to ensure that training assignments are both assigned appropriately and retained even through periods of inactivity.
Target Completion Date: FY 2025, Quarter 3
OIG Analysis:
The OIG will close this recommendation after verifying that the agency has implemented a solution, or an appropriate set of configuration and system interconnection updates, that provides the technical capability to capture NRC employees' and contractors' initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process, and that the agency has reviewed the current configuration of the EIH and TMS integration, as well as the logic in TMS itself as necessary, to ensure that training assignments are retained rather than cancelled because of inactivity.
Status:
Open: Resolved