Audit of the NRC’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2022

Report Information

Date Issued
Report Number
OIG-22-A-14
Report Type
Audit
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.

Agency Response Dated May 29, 2025: The NRC has implemented a process to validate that all new personnel with privileged level responsibilities complete annual security awareness within 20 business days of obtaining access to the NRC systems and annually thereafter. The staff updated Management Directive (MD) 12.5 with the revised timeline. The agency monitors this activity through Talent Management System (TMS). In addition, role-based training is assigned once the employee assumes the role. The NRC suggests closure of this recommendation. Target Completion Date: The NRC suggests closure of this item.
OIG Analysis: The OIG reviewed and verified that the NRC has implemented a process to validate that all new personnel with privileged-level responsibilities complete the annual security awareness within 20 business days of obtaining access to NRC systems and annually thereafter. In addition, the OIG verified that the NRC has updated MD 12.5 with the revised timeline to reflect this process. This recommendation is now closed.

Agency Response Dated August 22, 2024: The NRC will implement a process to ensure that all personnel with privileged-level responsibilities complete annual security awareness and role-based training if applicable. Due to competing priorities and resource limitation, the NRC's new target completion date is FY 2025, Q1. Target Completion Date: FY 2025, Q1
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.

Status: Open: Resolved. The NRC will implement a process to ensure that all personnel with privileged level responsibilities complete annual security awareness and role-based training if applicable. Due to competing priorities and resource limitation, the NRC’s new target completion date is FY 2024, Q3. Target Completion Date: FY 2024, Q3.

Implement a process to validate that all new contractors complete their initial security training requirements and acknowledgement of rules of behavior prior to accessing the NRC environment and to subsequently ensure completion of annual security awareness training and renewal of rules of behavior is tracked.

Status: Open: Resolved. The NRC will implement a process to validate that all new contractors complete their initial security training requirements and acknowledgement of rules of behavior before accessing the NRC environment and to subsequently ensure that the completion of annual security awareness training and renewal of rules of behavior is tracked. Due to competing priorities and resource limitations, the NRC’s new target completion date is FY 2024, Q3. Target Completion Date: FY 2024, Q3.