Performance Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 Region IV: Arlington, Texas

Report Information

Date Issued
Report Number
OIG-NRC-25-A-05
Report Type
Audit
Description
The Office of the Inspector General contracted with Sikich CPA LLC to conduct this audit. Its objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission Region IV facility. The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards. Based on its assessment period from April 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for Region IV, the agency’s implementation of a subset of selected controls was not fully effective. There were weaknesses in Region IV’s information security program and practices. As a result, two recommendations were made to assist Region IV in strengthening its information security program.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend that NRC management investigate methods of identifying inactive user accounts and improving its internal controls over inactivity to ensure that it disables network user accounts after 90 days of inactivity.

Agency Response Dated March 13, 2025: The NRC has automated tools in place to identify and disable inactive user accounts. These tools have been verified to function as intended, except when accounts for recently departed individuals are manually re-enabled for temporary content preservation purposes. The NRC will investigate, then implement, changes to the tools to account for this specific, unaddressed use case.

Target Completion Date: Fiscal Year 2026, Quarter 1.

OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that NRC management investigated methods of identifying inactive user accounts and improved its internal controls over inactivity to ensure that network user accounts are disabled after 90 days of inactivity.
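The inactivity control behind the first recommendation, as an added illustration that is not part of the OIG report or of the NRC's own tooling. It applies the 90-day threshold and also covers the gap the agency response describes: a departed user's account that was manually re-enabled for content preservation passes a plain last-logon check, so it needs a separate rule keyed to a documented preservation window. The account fields, the separation date and the preservation-window expiry are assumptions standing in for whatever the directory and HR feeds actually provide; the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)  # threshold named in the recommendation


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]                 # None = never logged on
    separated_on: Optional[date] = None        # assumed HR-feed departure date
    preservation_until: Optional[date] = None  # assumed expiry of a manual re-enable


def accounts_to_disable(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, reason) for every enabled account that should be disabled.

    Rule 1 handles departed users first: once the person has left, the account is
    tolerated only while a documented preservation window is still open, regardless
    of how recent the last logon is. Rule 2 is the ordinary inactivity check.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.separated_on is not None:
            if acct.preservation_until is None or today > acct.preservation_until:
                findings.append((acct.name, "departed user without an open preservation window"))
            continue  # inside the window: tolerated until it expires
        if acct.last_logon is None or today - acct.last_logon > INACTIVITY_LIMIT:
            findings.append((acct.name, "no logon within 90 days"))
    return findings


# Constructed sample data: the review date and a handful of directory entries.
TODAY = date(2024, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("active.user", True, date(2024, 9, 20)),
    Account("stale.user", True, date(2024, 5, 1)),
    Account("never.logged", True, None),
    Account("departed.kept", True, date(2024, 8, 15), date(2024, 8, 20), date(2024, 12, 31)),
    Account("departed.expired", True, date(2024, 3, 1), date(2024, 3, 15), date(2024, 6, 30)),
    # The case the automated tool missed: recent logon, re-enabled with no documented window.
    Account("departed.nowindow", True, date(2024, 9, 25), date(2024, 9, 26), None),
    Account("disabled.old", False, date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, reason in accounts_to_disable(SAMPLE_ACCOUNTS, TODAY):
        print(f"{name}: {reason}")
```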

We recommend that Region IV management ensure that the Region IV – Sensitive Area Access Review includes the data center and that Region IV management maintains evidence of this review.

Agency Response Dated March 13, 2025: Region IV management ensured that the Region IV – Sensitive Area Access Review included the data center, and that Region IV management maintained evidence of the review. The NRC suggests closure of this recommendation.

OIG Analysis: The OIG reviewed and confirmed the evidence that the Region IV – Sensitive Area Access Review includes the data center, and that Region IV management maintains evidence of this review. This recommendation is now closed.