Audit of the U.S. Nuclear Regulatory Commission’s (NRC) Cybersecurity Inspection Program for Operating Nuclear Power Plants

Report Information

Date Issued:
Report Number: OIG-NRC-26-A-03
Report Type: Audit
Description: The OIG determined that the current cybersecurity program guidance lacks clarity; expectations for maintaining training qualifications are not well-defined; the cybersecurity inspection process contains redundant and time-consuming tasks; and NRC staff members did not always accurately report their time spent on cybersecurity inspection-related activities. The OIG makes 9 recommendations to enhance the effectiveness, consistency, and efficiency of the NRC’s cybersecurity inspection program.
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

The OIG recommends that the Executive Director for Operations develop and issue supplemental guidance clarifying the expected implementation of cybersecurity controls, the interpretation of requirements, and methods for evaluating control effectiveness.

The OIG recommends that the Executive Director for Operations update Inspection Procedure 71130.10 to clarify the Cyber Security Issues Forum process and its potential impacts on findings and violations.

The OIG recommends that the Executive Director for Operations update Inspection Manual Chapter 1245, Appendix D-1, to include periodic refresher training requirements for cybersecurity-qualified inspectors.

The OIG recommends that the Executive Director for Operations define a schedule for contractor-led training (in-person or virtual), and ensure sessions are recorded and accessible.

The OIG recommends that the Executive Director for Operations revise the request for information guidance to require inspectors to identify the most current cybersecurity program documents already in the NRC’s possession before issuing the initial request, and to clearly communicate target dates for both issuing requests and receiving licensee responses.