U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Performance Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 Technical Training Center: Chattanooga, Tennessee

Report Information

Date Issued
Report Number
OIG-NRC-25-A-04
Report Type
Audit
Description
The Office of the Inspector General (OIG) contracted with Sikich to conduct this performance audit.  The objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission’s (NRC) Technical Training Center (TTC).  The findings and conclusions presented in this report are the responsibility of Sikich.  The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.  Based on its assessment period from March 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for the TTC, the agency’s implementation of a subset of selected controls was not fully effective.  There were weaknesses in the TTC’s information security program and practices.  As a result, six recommendations were made to assist the TTC in strengthening its information security program.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

We recommend that the NRC OCIO management, in coordination with OCHCO and ADM, evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner.

Agency Response<br />
Dated February 10, 2025: The management of the NRC OCIO, in coordination with the OCHCO and the ADM, will evaluate the NRC’s separation policies and procedures, and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal year (FY) 2026, second quarter (Q2)<br />
OIG Analysis: The OIG will close this recommendation after confirming that the management of NRC OCIO, in coordination with OCHCO and ADM evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. This recommendation remains open and resolved.

We recommend that the TTC and NRC management evaluate the TTC system ATO memorandum for revision and update it to reflect the current operating environment.

Agency Response Dated February 10, 2025: The NRC and TTC management will evaluate the TTC system authority to operate (ATO) memorandum for revision and update it to reflect the current operating environment. Target Completion Date: FY 2026, Q1 <br />
OIG Analysis: The OIG will close this recommendation after confirming the NRC and TTC management evaluated the TTC system ATO memorandum for revision and updated it to reflect the current operating environment. This recommendation remains open and resolved.

We recommend that the NRC’s TTC management install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel.

Agency Response Dated February 10, 2025: The NRC’s TTC management will install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel. In addition, OCHCO will coordinate with the OCIO network team to have OCIO purchase a sever cage that is delivered and installed at the TTC facility.<br />
Target Completion Date: FY 2026, Q2 <br />
OIG Analysis: The OIG will close this recommendation after confirming the NRC’s TTC management installed a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel while the OCHCO coordinates with the OCIO network team to have OCIO purchase a sever cage that is delivered and installed at the TTC facility. This recommendation remains open and resolved.

We recommend that the NRC’s TTC management install protective covers over the emergency power shut-off switches throughout the facility.

Agency Response Dated February 10, 2025: The NRC’s TTC management will purchase and install either protective covers or extended collars over the emergency power shut-off switches throughout the facility, which will stop accidental pushing of the power shut-off switch. Target Completion Date: FY 2025, Q4 <br />
OIG Analysis: The OIG will close this recommendation after confirming that the NRC’s TTC management purchased and installed either protective covers or extended collars over the emergency power shut-off switches throughout the facility, which will prevent accidental pushing of the power shut-off switch. This recommendation remains open and resolved.

We recommend that NRC management define and implement a risk-based process for regularly reviewing users who have badged access to the NRC general access group and restricting badged access to the Regions based on business needs.

Agency Response Dated February 10, 2025: The NRC’s ADM management will define the risk-based determination and mitigations for including the regions in the NRC general access group. Target Completion Date: FY 2025, Q2<br />
OIG Analysis: The OIG will close this recommendation after confirming that the NRC’s ADM management defined and implemented a risk-based process for regularly reviewing users who have badged access to the NRC general access group and define the risk-based determination and mitigations for including regions in the NRC general access group. This recommendation remains open and resolved.