U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Performance Audit of the Defense Nuclear Facilities Safety Board's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Report Information

Date Issued
Report Number
OIG-DNFSB-25-A-05
Report Type
Audit
Description
The Office of the Inspector General (OIG) contracted with Sikich CPA LLC (Sikich) to audit the Defense Nuclear Facilities Safety Board’s (DNFSB) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the DNFSB.  The findings and conclusions presented in this report are Sikich’s responsibility.  The OIG’s responsibility was to oversee the contractor’s work in accordance with generally accepted government auditing standards.  Based on their review for the period of October 1, 2024, through June 30, 2025, Sikich found that the DNFSB has not established an effective agency-wide information security program and practices.  There are weaknesses that impact the agency’s ability to protect the DNFSB’s systems and information adequately. As a result of the weaknesses noted in this audit, Sikich made seven new recommendations to assist the DNFSB in strengthening its information security program and practices in addition to the six prior-year recommendations that remain open.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

We recommend that the DNFSB finalize its project plan and procedures for developing and maintaining current and target CSF profiles.

We recommend that the DNFSB develop current and target CSF profiles.

We recommend that the DNFSB coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the DNFSB is unable to obtain the attestation forms, it should request POA&Ms from the software producers, in accordance with OMB Memorandum M-23-16.

We recommend that the DNFSB submit POA&Ms and risk-based waiver requests to OMB for approval in accordance with OMB Memorandum M-23-16.

We recommend that the DNFSB document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for the DNFSB’s data types.