
Audit of the U.S. NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024

Report Information

Date Issued
Report Number
OIG-24-A-11
Report Type
Audit
Description
The Office of the Inspector General (OIG) contracted with Sikich to conduct an audit of the United States Nuclear Regulatory Commission’s (NRC) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the NRC. The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards. Based on its assessment of the period October 1, 2023, through June 30, 2024, Sikich found that although the NRC has established an effective agency-wide information security program and effective information security practices, there are weaknesses that may have some impact on the agency’s ability to optimally protect the NRC’s systems and information.
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.

ADAMS Accession No: ML24326A180
Agency Response Dated October 16, 2024: The U.S. Nuclear Regulatory Commission (NRC) will engage the Defense Counterintelligence and Security Agency (DCSA) on a more frequent basis to ensure NRC records of enrollment match those of the DCSA. If a reinvestigation is needed for enrollment of an individual, that process will be initiated promptly. The DCSA is implementing an automated system that will enroll individuals into continuous vetting when the clearance is granted by the NRC, eliminating the manual review process and negating the possibility of individuals failing to be enrolled. Target Completion Date: Fiscal Year (FY) 2025, Quarter 2
OIG Analysis: The OIG will close this recommendation after confirming that the agency has implemented a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.

Complete enrollment of the identified employees and contractors in continuous vetting through TW.

ADAMS Accession No: ML24326A180
Agency Response Dated October 16, 2024: The NRC has identified and completed enrollment of the 214 employees and contractor personnel in continuous vetting through TW as of June 21, 2024. Individuals who are not enrolled, due to the age of their previous investigation or security documents, will be reinvestigated. Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG has reviewed the evidence and confirms that the agency has completed enrollment of the identified employees and contractors in continuous vetting through TW. Hence, this recommendation is closed.

Review and update the organizationally defined timeframe for completion of security training in NRC MD 12.5.

ADAMS Accession No: ML24326A180
Agency Response Dated October 16, 2024: The NRC has reviewed and updated the organizationally defined timeframe for completion of security training in NRC MD 12.5, “NRC Cybersecurity Program.” The revised guidance (ML24198A139) specifies that “NRC employees shall receive an initial cybersecurity awareness briefing. All NRC authenticated users (employees and contractor personnel) are required to take the Computer Security Awareness course within 20 business days of obtaining access to NRC systems, and annually thereafter.”
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG has verified that the agency has reviewed and updated the organizationally defined timeframe for completion of the security training in NRC MD 12.5. Hence, this recommendation is closed.

Implement a technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process. Also, as part of this recommendation, consider reviewing the current configuration of the EIH and TMS integration—as well as the logic in TMS itself, as necessary—to ensure training assignments are retained (not cancelled) due to inactivity.

ADAMS Accession No: ML24326A180
Agency Response Dated October 16, 2024: The NRC has reviewed the relevant configuration settings within the EIH and TMS. The technical teams are working to determine an appropriate set of configuration and system interconnection updates to support resolution of the finding. Initial solutioning work is underway. Some potential solutions include the use of attributes other than an initial login date to ensure that training assignments are both assigned appropriately and retained even through periods of inactivity.
Target Completion Date: FY 2025, Quarter 3
OIG Analysis: The OIG will close this recommendation after verifying that the agency has implemented a solution, or an appropriate set of configuration and system interconnection updates, that provides the technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process, and has reviewed the current configuration of the EIH and TMS integration (as well as the logic in TMS itself, as necessary) to ensure training assignments are retained (not cancelled) due to inactivity.