Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023 Region II: Atlanta, Georgia

Report Information

Date Issued
Report Number: OIG-24-A-04
Report Type: Audit
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

We recommend NRC management define and implement a process to conduct reviews and removal of unnecessary badged access for its Regions.

Agency Response dated June 28, 2024: The U.S. Nuclear Regulatory Commission (NRC) already has an effective process in place to review badged access and remove it when not necessary at Headquarters, regional offices, and the Technical Training Center. Specifically, as described in Management Directive 12.1, “NRC Facility Security Program,” dated April 22, 2024, “The NRC access control system is managed and maintained by DFS [Division of Facilities and Security]. It is used to ensure that only authorized individuals are granted physical access. Access lists (a list of individuals with authorized access) are required for administratively controlled, limited access, and security controlled areas and must be reviewed and approved by the room’s designated owner (i.e., the Access Reviewing Official) at least annually.” The NRC conducts an assessment of access needs with every badge renewal.

Target Completion Date: The NRC recommends closure of this item.

OIG Analysis: The OIG reviewed the evidence and confirmed that the NRC management has defined and implemented a process to conduct reviews and remove unnecessary badged access for its Regions. Hence, the recommendation is closed.

We recommend NRC management remediate the Region II identified vulnerabilities in accordance with NRC’s defined timeframes and document risk acceptances with mitigating controls for vulnerabilities that cannot be remediated within the defined timeframes.