
Performance Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Report Information

Date Issued:
Report Number: OIG-NRC-25-A-14
Report Type: Audit
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

We recommend that the NRC complete the implementation of CSF 2.0 requirements, and develop and maintain current and target CSF profiles that anticipate changes in the NRC’s cybersecurity posture.

Agency Response Dated December 29, 2025: The NRC will complete the implementation of the National Institute of Standards and Technology (NIST) CSF 2.0 requirements and develop and maintain current and target CSF profiles that anticipate changes to the agency’s cybersecurity posture. Target Completion Date: FY 2026, Quarter 3
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that the NRC completed the implementation of CSF 2.0 requirements and developed and maintained current and target CSF profiles that anticipate changes in the NRC’s cybersecurity posture.

We recommend that the NRC coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the NRC is unable to obtain the self-attestation forms, it should request POA&Ms from the software producers and submit them to the OMB, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.

Agency Response Dated December 30, 2025: The NRC performed an internal evaluation with consideration of current operational needs and has made a risk-based decision to discontinue pursuing additional attestation letters from software producers. The NRC has determined that the residual risk associated with the absence of the letters is acceptable and has documented this decision through the appropriate risk assessment per CSO-PROS-2030, which leverages NIST Special Publication (SP) 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” As a result of this acceptance of risk, the POA&M item has been closed as of December 8, 2025. In addition, the NRC reviewed the supply chain risk management processes and consolidated them into a single overarching process. As a result, CSO-PROS-0009, “Supply Chain Software Evaluation Process,” has been decommissioned. The NRC will continue to evaluate software supply risks using established internal cybersecurity processes and will adapt as needed should the OMB issue new Federal requirements or guidance. Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis: On January 23, 2026, the OMB issued Memorandum M-26-05, “Adopting a Risk-based Approach to Software and Hardware Security.” The OIG reviewed the memorandum and determined that the new guidance rescinds the previously mandated requirements under OMB M-23-16. This recommendation is now closed.

We recommend that the NRC request an extension or a waiver from the OMB for continued use of the producer’s software when a self-attestation is not provided, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.

Agency Response Dated December 30, 2025: The NRC performed an internal evaluation with consideration of current operational needs and has made a risk-based decision to discontinue pursuing additional attestation letters from software producers. The NRC has determined that the residual risk associated with the absence of the letters is acceptable and has documented this decision through the appropriate risk assessment per CSO-PROS-2030, which leverages NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” As a result of this acceptance of risk, the associated POA&M item has been closed as of December 8, 2025. In addition, the NRC reviewed the supply chain risk management processes and consolidated them into a single overarching process. As a result, CSO-PROS-0009 has been decommissioned. The NRC will continue to evaluate software supply risks using established internal cybersecurity processes and will adapt as needed should the OMB issue new federal requirements or guidance. Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis: On January 23, 2026, the OMB issued Memorandum M-26-05, “Adopting a Risk-based Approach to Software and Hardware Security.” The OIG reviewed the memorandum and determined that the new guidance rescinds the previously mandated requirements under OMB M-23-16. This recommendation is now closed.