U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Breadcrumb

Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023 Region I: King of Prussia, Pennsylvania

Report Information

Date Issued
Report Number
OIG-24-A-03
Report Type
Audit
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend NRC management implement a process to validate that all new users complete their initial security training requirements and acknowledgement of rules of behavior within the defined timeframes NRC has established.

ADAMS Accession No: ML24295A041<br />
Agency Response Dated September 16, 2024: The NRC has implemented a process to validate that all new contractor personnel complete their initial security training requirements and acknowledgement of the rules of behavior within 20 business days of obtaining access to the NRC <br />
systems, and annually thereafter. The staff updated the change in timeline in NRC Management Directive 12.5, “NRC Cybersecurity Program.” In addition, the NRC will ensure the tracking of the completion of annual security awareness training and renewal of acknowledgement of the rules of behavior. This activity is monitored in the Talent Management System. Target Completion Date: The NRC recommends closure of <br />
this item. <br />
OIG Analysis: The OIG reviewed and verified that NRC management has implemented a process to validate that all new users completed their initial security training requirements and acknowledgement of rules of behavior within the defined timeframes that the NRC has established. This recommendation is now closed.

We recommend NRC management define and implement a process to notify appropriate members of personnel security of separations at the Region I facility.

We recommend NRC management define and implement a process to conduct reviews and removal of unnecessary badged access for its Regions.

ADAMS Accession No: ML24295A041<br />
Agency Response Dated September 16, 2024: Region I has implemented a quarterly Division Action review process in the Division of Resource Management to conduct access reviews and remove unnecessary badged access to the secure areas. In addition, the NRC already has an effective process in place to conduct reviews and removal of unnecessary badged access at Headquarters, regional offices, and the Technical Training Center. Specifically, Management Directive 12.1, “NRC Facility Security Program,” dated April 22, 2024, describes the following: The NRC access control system is managed and maintained by DFS [the Division of Facilities and Security]. It is used to ensure that only authorized <br />
individuals are granted physical access. Access lists (a list of individuals with authorized access) are required for administratively controlled, limited access, and security-controlled areas and must be reviewed and approved by the room’s designated owner (i.e., the Access Reviewing Official) at least annually. The agency conducts an assessment of access with every badge renewal. Target Completion Date: The NRC recommends closure of this item. <br />
OIG Analysis: The OIG reviewed and verified that NRC management has defined and implemented a process for conducting reviews and removing unnecessary badged access for its Regions. This recommendation is now closed.

We recommend NRC management remediate identified vulnerabilities in accordance with NRC’s defined timeframes and document risk acceptances with mitigating controls for vulnerabilities that cannot be remediated within the defined timeframes.