
Audit of the NRC’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2022

Report Information

Date Issued:
Report Number: OIG-22-A-14
Report Type: Audit
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Review and update the ITI Core Services SSP System Interconnections tab and related security control implementation to ensure system interconnection details reflect the current system environment.

Implement a process to verify that remaining external interconnections noted in the ITI Core Services SSP have documented, up-to-date ISA/MOUs or SLAs in place as applicable.

Status: Open: Resolved. The NRC reviewed internal processes and identified that step 3 in the NRC policy CSO-PROS-2030, “Risk Management Framework Process,” provides a process for the annual review and update of the SSP, which includes the System Interconnections tab. In addition, CSO-PROS-1323, “Continuous Monitoring Process,” requires performance of an annual review. The NRC will conduct a training session during its next agencywide Information Systems Security Manager Forum, addressing the requirements of CSO-PROS-2030 and CSO-PROS-1323. The new target completion date is the third quarter (Q3) of fiscal year (FY) 2024. Target Completion Date: FY 2024, Q3

Update the ITI inventory to correct any discrepancies and incorrect information listed for ITI devices tracked in the Common Computing Services, Peripherals, Unified Communications and Voice over Internet Protocol subsystem inventories.

Document and implement a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.

Agency Response Dated May 29, 2025: The U.S. Nuclear Regulatory Commission (NRC) implemented a periodic review of the nine subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate. As part of the review process, the NRC implemented a dashboard and held a kickoff meeting with the inventory lead to ensure performance of a comprehensive review. Target Completion Date: The NRC suggests closure of this item.

OIG Analysis: The OIG reviewed and verified that the NRC documented and implemented a periodic review of the nine subsystem inventories to verify that the information maintained for each ITI subsystem is current, complete, and accurate. The OIG also verified that the NRC implemented a dashboard and held a kickoff meeting with the inventory lead to ensure the performance of a comprehensive review. This recommendation is now closed.

Agency Response Dated August 22, 2024: Due to the size and complexity of the ITI system covered by the Federal Information Security Modernization Act of 2014, the NRC will capitalize on its existing Office of the Chief Information Officer (OCIO) Service Model to assign primary ITI asset inventory responsibilities to the associated service area role. Service area role information technology asset inventory responsibilities will be defined, and associated reports developed to ensure accuracy. Due to competing priorities and dependencies on a legacy system migration, the NRC's new target completion date is the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2

OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC documents and implements a periodic review of subsystem inventories to verify that the information maintained for each ITI subsystem is current, complete, and accurate.

Status: Open: Resolved. Due to the size and complexity of the ITI system covered by the Federal Information Security Modernization Act of 2014 (FISMA), the NRC will capitalize on its existing Office of the Chief Information Officer (OCIO) Service Model to assign primary ITI asset inventory responsibilities to the associated service area role. Service area role information technology asset inventory responsibilities will be defined, and metrics developed to ensure accuracy. Due to competing priorities and dependencies on a legacy system migration, the NRC’s new target completion date is the fourth quarter (Q4) of FY 2024. Target Completion Date: FY 2024, Q4.

Implement a process to document the supply chain risk management requirements within the NRC information systems’ system security plans.