Audit of the Defense Nuclear Facilities Safety Board’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024

Report Information

Date Issued
Report Number
DNFSB-24-A-05
Report Type
Audit
Description
The Office of the Inspector General (OIG) contracted with Sikich to conduct the Audit of the Defense Nuclear Facilities Safety Board’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the Defense Nuclear Facilities Safety Board (DNFSB). The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards. Based on its assessment of the period October 1, 2023, through June 30, 2024, Sikich found that the DNFSB has not established an effective agency-wide information security program or effective information security practices. There are weaknesses that impact the agency’s ability to adequately protect the DNFSB’s systems and information.
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend that the DNFSB implement the DNFSB’s Vulnerability Management Standard Operating Procedure for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis, such as:

a) Remediating vulnerabilities in accordance with the DNFSB Vulnerability Management Standard Operating Procedure.
b) Opening plans of action and milestones to track critical and high-risk vulnerabilities that the DNFSB cannot address within 30 days.
c) Preparing risk-based decisions in unusual circumstances in which a technical or cost limitation makes it infeasible to mitigate a critical or high-risk vulnerability, including identifying documented, effective compensating controls coupled with a clear timeframe for planned remediation.

Agency Response Dated November 7, 2024: DNFSB approved OP-411.1-16, System and Information Integrity Operating Procedure on September 17, 2024, which replaces OP-412.2-1, Vulnerability Management. DNFSB is currently organizing the vulnerability data from the month of October 2024 to create a vulnerability Plan of Actions & Milestones (POA&M) in accordance with OP-411.1-16.

Agency Response Dated February 18, 2025: Please see “FY24 Recommendation 1 – Vulnerability POAMs Using Updated Procedures.zip” that contains updated vulnerability POAMs implemented using updated procedures for November 2024, December 2024 and January 2025.

OIG Analysis: The OIG reviewed and confirmed the evidence provided by DNFSB management of implementation of OP-411.1-16, System and Information Integrity Operating Procedure, for vulnerability and compliance management based on the risk and level of effort involved in mitigating confirmed vulnerabilities on a case-by-case basis and the vulnerability POA&Ms created in accordance with OP-411.1-16. This recommendation is now closed.
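The triage rule in recommendation 1 (remediate per the SOP, open a POA&M for critical/high findings not addressed within 30 days, and accept a risk-based decision only when it names a compensating control and a remediation date) can be applied mechanically to a scanner export. The following is an added illustration, not DNFSB's procedure or tooling; the Finding fields, action labels and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds from the recommendation: critical/high findings that cannot be
# addressed within 30 days must be tracked in a plan of action and milestones.
POAM_THRESHOLD_DAYS = 30
CRITICAL_HIGH = {"critical", "high"}

@dataclass
class Finding:  # one confirmed vulnerability from a scanner export (constructed shape)
    host: str
    title: str
    severity: str                         # "critical", "high", "medium", "low"
    first_seen: date
    remediated: bool = False
    infeasible: bool = False              # technical or cost limitation documented
    compensating_control: str = ""        # required for a risk-based decision
    planned_remediation: Optional[date] = None

def triage(f: Finding, today: date) -> str:
    """Map one finding to the action the procedure calls for."""
    if f.remediated:
        return "closed"
    if f.severity.lower() not in CRITICAL_HIGH:
        return "remediate-per-sop"        # normal patch cycle, no POA&M needed
    if f.infeasible:
        # A risk-based decision only counts if it names a compensating control
        # and a clear remediation timeframe; otherwise flag it as incomplete.
        if f.compensating_control and f.planned_remediation:
            return "risk-based-decision"
        return "rbd-incomplete"
    age = (today - f.first_seen).days
    return "open-poam" if age > POAM_THRESHOLD_DAYS else "remediate-in-window"

def triage_report(findings, today: date) -> dict:
    # Group host:title strings by the action each finding requires.
    report = {}
    for f in findings:
        report.setdefault(triage(f, today), []).append(f"{f.host}:{f.title}")
    return report

if __name__ == "__main__":
    today = date(2024, 11, 1)             # constructed reference date
    sample = [
        Finding("ws01", "outdated browser", "high", today - timedelta(days=45)),
        Finding("db01", "weak cipher", "critical", today - timedelta(days=10)),
        Finding("fs01", "info disclosure", "low", today - timedelta(days=200)),
    ]
    print(triage_report(sample, today))
```

Findings tagged rbd-incomplete are the ones an auditor would flag: an infeasibility claim without a documented compensating control and timeframe does not satisfy item c).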

We recommend that the DNFSB (1) ensure that personnel complete privacy awareness and literacy training upon initial hire and annually thereafter, and (2) maintain training records in accordance with the DNFSB Security and Privacy Awareness and Training Program Standard Operating Procedure.

Agency Response Dated November 7, 2024: DNFSB used the AgLearn LMS to deliver the following course to agency staff:

Privacy Awareness: As a federal employee, you have access to citizens' personal information "federally employed or not" and you're responsible for its protection and safe keeping. In this course, you'll learn about Personally Identifiable Information, or "PII", what it is, and how to identify it. This includes personal information about both federal employees and private citizens. This course will help federal employees follow federal privacy laws and ensure Fair Information Principles, or FIPs, are followed.

Agency Response Dated February 18, 2025: There have been significant changes in how we deliver and track completion for most of the Information Technology (IT) security-related courses as we have expanded the use of AgLearn and are trying to deliver as many trainings as possible using this learning management system. For example, we can now provide trainings to all federal employees and all contractors (which we could not do last year). The first example of this new training process is the annual security and phishing awareness trainings, the training window for which is closing this Friday, February 14. Please see “2025.02.13 Info Sec Awareness Certification Status.xlsx” as a sample of this new process.

OIG Analysis: The OIG reviewed and confirmed the evidence that the DNFSB used AgLearn LMS to deliver the training course to agency staff electronically and maintains training records in accordance with the DNFSB Security and Privacy Awareness and Training Program Standard Operating Procedure. This recommendation is now closed.

We recommend that the DNFSB update and finalize the Incident Response Plan and Incident Response Process Guide Cyber Playbook to incorporate lessons learned from incident response exercises.

Agency Response Dated November 7, 2024: OP-411.1-21, Incident Response Plan Operating Procedure and OP 411.1-22, Cyber Playbook, have both been updated with lessons learned from FY24’s incident response exercises and are currently undergoing internal management review.

Agency Response Dated February 18, 2025: Please see copies of OP-411.1-21, Incident Response Plan Operating Procedure, and OP 411.1-22, Cyber Playbook which were approved by the DNFSB’s internal management (by Toni Reddish, Authorizing Official).

OIG Analysis: The OIG reviewed and confirmed the evidence that OP-411.1-21, Incident Response Plan Operating Procedure, and OP 411.1-22, Cyber Playbook, have both been updated with lessons learned from FY24’s incident response exercises and approved by the DNFSB’s internal management. This recommendation is now closed.

We recommend that the DNFSB ensure all personnel with incident response responsibilities participate in incident response exercises.

Agency Response Dated February 18, 2025: Please see “Additional Evidence for FY2024-04.docx” for the list of all positions with incident response responsibilities, along with the specific names of people assigned to those positions. Please see “Memo – September 2024 Incident Response + Breach Response TTE Participants 2-23-25.pdf” for the list of everyone that participated in the agency’s annual incident response tabletop exercise that was held on September 19, 2024. Also see “EXERCISE EXERCISE EXERCISE – Security Incident Meeting – Attendance report 9-19-24.csv” for the Teams Attendance Log for evidence of who participated in the tabletop exercise. Note that some of the participants listed in the memo such as Barry Breland and Chris Still participated in person and did not join the Teams meeting, since we were all in the same room at the Germantown COOP site for the tabletop exercise.

Agency Response Dated February 19, 2025: See the additional requested documentation for audit recommendation #4.

OIG Analysis: The OIG reviewed and confirmed the evidence that the DNFSB ensured that all members of the Incident Response Team (as defined in OP-411.1-21, Incident Response Plan Operating Procedure) participated in the agency’s annual incident response exercise. This recommendation is now closed.

Agency Response Dated November 7, 2024: DNFSB ensured that all members of the Incident Response Team (as defined in OP-411.1-21, Incident Response Plan Operating Procedure) participated in the agency’s annual incident response exercise that was held in September 2024.

Agency Response Dated February 18, 2025: Please see “Additional Evidence for FY2024-04.docx” for the list of all positions with incident response responsibilities, along with the specific names of people assigned to those positions. Please see “Memo – September 2024 Incident Response + Breach Response TTE Participants 2-23-25.pdf” for the list of everyone that participated in the agency’s annual incident response tabletop exercise that was held on September 19, 2024. Also see “EXERCISE EXERCISE EXERCISE – Security Incident Meeting – Attendance report 9-19-24.csv” for the Teams Attendance Log for evidence of who participated in the tabletop exercise. Note that some of the participants listed in the memo such as Barry Breland and Chris Still participated in person and did not join the Teams meeting, since we were all in the same room at the Germantown COOP site for the tabletop exercise.

OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that the DNFSB ensured that all members of the Incident Response Team (as defined in OP-411.1-21, Incident Response Plan Operating Procedure) participated in the agency’s annual incident response exercise. This recommendation remains open and resolved.