ML25227A116

Revision as of 15:22, 5 October 2025 by StriderTol (talk | contribs) (StriderTol Bot insert)
Memo - Fiscal Year 2026 Cybersecurity Risk Management Activities
ML25227A116
Person / Time
Issue date: 09/23/2025
From: Scott Flanders
NRC/OCIO/CISD
To: Thomas Ashley, Sabrina Atack, Marissa Bailey, Gregory Bowman, Carroll C, Dan Collins, Eugene Dacus, Feitel R, Scott Flanders, Jack Giessner, Jennifer Golder, Hawkens E, Eleni Jernell, Catherine Kanatas, Mark King, Andrea Kock, Julio Lara, Martin J, John Monninger, Bo Pham, Pittman H, Fanta Sacko, Carrie Safford, David Skeen, Taggart D, John Tappert, Kevin Williams
Office of Public Affairs, Advisory Committee on Reactor Safeguards, Office of Administration, Atomic Safety and Licensing Board Panel, NRC/EDO, NRC/EDO/AO, Office of Nuclear Material Safety and Safeguards, Office of Nuclear Reactor Regulation, Office of Nuclear Security and Incident Response, Office of Congressional Affairs, NRC/OCAA, NRC/OCFO, Office of the Chief Human Capital Officer, NRC/OCIO, NRC/OE, NRC/OGC, NRC/OI, NRC/OIG, NRC/OIP, Office of Nuclear Regulatory Research, NRC Region 1, NRC/RGN-II, NRC/RGN-III, NRC Region 4, NRC/SBCR, NRC/SECY
Sage A
Shared Package: ML25227A163


Text

MEMORANDUM TO: Those on the Attached List

FROM: Scott C. Flanders, Chief Information Officer, Office of the Chief Information Officer

SUBJECT: FISCAL YEAR 2026 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

Given the growing and evolving use of technology across both mission and corporate functions, and our focus on advancing artificial intelligence adoption to enhance agency mission efficiency, it is essential to adapt cybersecurity measures to secure the agency's information technology assets effectively. I would like to convey my appreciation for your continuous efforts to improve the cybersecurity posture of the U.S. Nuclear Regulatory Commission (NRC) and our collective objective to minimize security risks. These advancements have been made possible through the dedication and hard work of you and your team, as evidenced by our quarterly Federal Information Security Modernization Act of 2014 (FISMA) reports, responses to the Office of Management and Budget and Cybersecurity and Infrastructure Security Agency directives, and annual audit outcomes.

Executive Order 14306, "Sustaining Select Efforts to Strengthen the Nation's Cybersecurity and Amending EOs 13694 and 14144," dated June 6, 2025, highlights key areas such as software assurance, streamlined authorizations, secure communication infrastructure, post-quantum cryptography readiness, and the responsible use of artificial intelligence. In light of these requirements and the current heightened geopolitical tensions, we must remain vigilant in monitoring systems and ensuring that the NRC's information system risk posture, security controls, and data integrity are not compromised within an ever-changing threat landscape.

While FISMA risk-management activities and the National Institute of Standards and Technology (NIST) Special Publication 800-53, "Security and Privacy Controls for Information Systems and Organizations," remain foundational, we are now reviewing and revising our processes to align with the NIST Cybersecurity Framework 2.0 to sharpen risk-based prioritization and outcome-driven decision-making. We also continue our focus on the agency's high-value asset systems, as the sensitivity of the information they process makes them attractive targets for our Nation's adversaries.

Succeeding in such important efforts requires support from all NRC office directors, regional administrators, and system owners. The agency's success also depends on completion of the risk-management activities outlined in the enclosed "Cybersecurity Risk Management Activities Instructions, Fiscal Year 2026." These instructions provide detailed guidance on the required activities, such as making the specified documentation available to authorized individuals, including Office of the Inspector General and Government Accountability Office staff.

CONTACT: Garo Nalabandian, OCIO, CISO
301-415-8421

September 18, 2025

Signed by Flanders, on 09/18/25

As the agency continues to navigate the Accelerating Deployment of Versatile Advanced Nuclear for Clean Energy Act of 2024 and embraces our new mission statement emphasizing efficient and reliable regulation, we must seek further methods to streamline cybersecurity processes, automate controls, and support greater efficiencies and resource utilization. I will continue to focus on ensuring that the agency identifies needed resources in the budget formulation process for all aspects of required cybersecurity for the life of its systems, including plans for hardware and software upgrades, maintenance, and system changes.

In this climate oriented towards Information Technology (IT) efficiency and reduced contract expenditure, it is essential to be conscious of redundant IT resources and services and to seek opportunities to eliminate unnecessary functions. Contract vehicles remain available to NRC Headquarters and regional offices to support these activities. If contract support is required, please coordinate your requirements with your designated contracting officer's representative for the NRC Cyber Security Program Support Services Blanket Purchase Agreement contract to ensure sufficient resources and time are allocated. Given the rigorous scrutiny of contract expenditures, it is important to utilize existing vehicles, eliminate redundancy, and clearly document the value of all cybersecurity expenditures.

Please feel free to contact Garo Nalabandian or me with questions. As always, I expect and appreciate your support as we work to jointly accomplish the agency's mission and minimize cybersecurity risk to the NRC.

Enclosure:

Cybersecurity Risk Management Activities Instructions, Fiscal Year 2026

SUBJECT: FISCAL YEAR 2026 CYBERSECURITY RISK MANAGEMENT ACTIVITIES DATED: September 18, 2025

DISTRIBUTION: See Next Page

ADAMS Accession Number: ML25227A163 (pkg)

* via e-mail

OFFICE   OCIO/CISD/COT   QTE*              OCIO/CISD/Acting D   OCIO/D
NAME     TTruong         KAzariah-Kribbs   GNalabandian         SFlanders
DATE     08/19/2025      08/12/2025        08/29/2025           09/18/2025

OFFICIAL RECORD COPY

MEMORANDUM TO THOSE ON THE ATTACHED LIST DATED: SEPTEMBER 18, 2025

SUBJECT: FISCAL YEAR 2026 CYBERSECURITY RISK MANAGEMENT ACTIVITIES

(I) Information Items
(A) Action Items

E-Mail/Mail Stops

Marissa Bailey, Executive Director, Advisory Committee on Reactor Safeguards
    RidsACRS_MailCTR Resource
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
    RidsAslbpManagement Resource
David R. Taggart, General Counsel
    RidsOgcMailCenter Resource
Catherine Kanatas, Office of Commission Appellate Adjudication
    RidsOcaaMailCenter Resource
Christopher D. Carroll, Acting Chief Financial Officer
    RidsOcfoMailCenter Resource
Robert J. Feitel, Inspector General
    RidsOigMailCenter Resource
David L. Skeen, Director, Office of International Programs
    RidsOipMailCenter Resource
Eugene Dacus, Director, Office of Congressional Affairs
    RidsOcaMailCenter Resource
Hal Pittman, Director, Office of Public Affairs
    RidsOpaMail Resource
Carrie Safford, Secretary of the Commission
    RidsSecyMailCenter Resource
    RidsSecyCorrespondenceMCTR Resource
Michael F. King, Acting Executive Director for Operations
    RidsEdoMailCenter Resource
Sabrina D. Atack, Acting Deputy Director for Operations
    RidsEdoMailCenter Resource
Jody C. Martin, Associate Director for Operations, OEDO
    RidsEdoMailCenter Resource
Eleni Jernell, Acting Director, Office of Administration
    RidsAdmMailCenter Resource
Scott C. Flanders, Chief Information Officer
    RidsOCIO Resource (I)
    RidsOcioMailCenter Resource (A)
Bo Pham, Acting Director, Office of Enforcement
    RidsOeMailCenter Resource
Thomas G. Ashley, Director, Office of Investigations
    RidsOiMailCenter Resource
Jennifer M. Golder, Chief Human Capital Officer
    RidsOchcoMailCenter Resource
Andrea Kock, Acting Director, Office of Nuclear Material Safety and Safeguards
    RidsNmssOd Resource
Greg T. Bowman, Acting Director, Office of Nuclear Reactor Regulation
    RidsNrrOd Resource (I)
    RidsNrrMailCenter Resource (A)
John Tappert, Director, Office of Nuclear Regulatory Research
    RidsResOd Resource (I)
    RidsResPmdaMail Resource (A)
Fanto Sacko, Acting Director, Office of Small Business and Civil Rights
    RidsSbcrMailCenter Resource
Kevin Williams, Acting Director, Office of Nuclear Security and Incident Response
    RidsNsirOd Resource (I)
    RidsNsirMailCenter Resource (A)
Daniel S. Collins, Acting Regional Administrator, Region I
    RidsRgn1MailCenter Resource
Julio Lara, Acting Regional Administrator Region II
    RidsRgn2MailCenter Resource
John B. Giessner, Regional Administrator, Region III
    RidsRgn3MailCenter Resource
John D. Monninger, Regional Administrator, Region IV
    RidsRgn4MailCenter Resource