Audit of the U.S. Nuclear Regulatory Commission’s (NRC) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023
Report Information
Recommendations
We recommend that NRC management reviews all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
operating systems that are no longer in use. The CISO approved the closure of these POA&Ms for findings that were no longer relevant, and the count of open ITI POA&Ms has been reduced by more than 50 percent to the current number of 2,505. The POA&M Reduction Working Group continues to review the remaining ITI POA&Ms and is developing methods to improve the efficiency of POA&M management through automation. Corrective actions for the remaining 2,505 ITI POA&Ms are ongoing, with expected completion in the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2.

OIG Analysis: The OIG will close this recommendation after confirming that NRC management has reviewed all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.

Agency Response Dated June 6, 2024: NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. The NRC recommends a target completion date of the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2.

OIG Analysis: The OIG will close the recommendation when it verifies that NRC management reviews all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. This recommendation remains open and resolved.
We recommend NRC management implement a revised ITI Core Services 90-day account disablement script to ensure all non-privileged and privileged Active Directory accounts are captured and disabled in accordance with NRC policies.

After notification of the audit finding, NRC management implemented a revised ITI Core Services 90-day account disablement script. The effectiveness of the revised script will be assessed during the next audit period.
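As an added illustration, not the NRC ITI Core Services script (whose contents this report does not reproduce), the following PowerShell sketch shows a 90-day inactivity check that covers privileged and non-privileged accounts alike and does not overlook accounts that have never logged on, the two ways such scripts commonly fail to capture every account. The parameter names and the exclusion list are assumptions.

```powershell
# Added example, not the NRC ITI Core Services script: disable Active Directory user
# accounts inactive for 90 days, privileged and non-privileged alike. Run with -ReportOnly first.
param(
    [int]$InactiveDays = 90,
    [string[]]$Exclusions = @('breakglass-admin'),   # constructed placeholder list of exempt accounts
    [switch]$ReportOnly
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Only enabled accounts; no OU or group filter, so admin accounts (adminCount=1) are not skipped.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated, adminCount

$stale = foreach ($u in $users) {
    if ($Exclusions -contains $u.SamAccountName) { continue }
    # Accounts that have never logged on carry no lastLogonTimestamp and are missed by a
    # plain "last logon older than 90 days" filter; judge them by creation date instead.
    $lastSeen = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $u.whenCreated }
    if ($lastSeen -lt $cutoff) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Privileged = ($u.adminCount -eq 1); LastSeen = $lastSeen }
    }
}

# Caveat: lastLogonTimestamp replicates with up to 14 days of lag, so a value just past the
# cutoff does not prove 90 days of inactivity; for exact enforcement, query the non-replicated
# lastLogon attribute on every domain controller before disabling.
foreach ($s in $stale) {
    if ($ReportOnly) {
        Write-Output ("{0} privileged={1} lastSeen={2:yyyy-MM-dd}" -f $s.SamAccountName, $s.Privileged, $s.LastSeen)
    } else {
        Disable-ADAccount -Identity $s.SamAccountName
        Set-ADUser -Identity $s.SamAccountName -Description ("Disabled {0:yyyy-MM-dd}: inactive > {1} days" -f (Get-Date), $InactiveDays)
    }
}
```

Comparing the -ReportOnly output against the full set of enabled accounts (including those with adminCount=1) is the check an auditor would use to confirm the script captures every account class.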
We recommend that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.
OIG Analysis: The OIG has reviewed the evidence and confirms that the agency has increased the current SIEM tool licensing level and acquired funding. A month after the OIG’s audit fieldwork ended for the FY 2024 FISMA audit, NRC management informed the OIG that the agency has achieved EL1 maturity. The OIG will close this recommendation after verifying that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31.

Agency Response Dated June 6, 2024: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across EL maturity tiers EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced) to ensure events are logged and tracked in accordance with OMB M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” dated August 27, 2021, by the fourth quarter (Q4) of FY 2025. The NRC is taking a phased approach to meeting the requirements of OMB M-21-31. The EL1 logging level is scheduled to be completed by 7/31/24. The EL2 logging level is scheduled to be completed by 3/31/25. The EL3 logging level is scheduled to be completed by 8/01/25. Target Completion Date: FY 2025, Q4.

OIG Analysis: The OIG will close the recommendation when it verifies that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.