Performance Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025
Recommendations
We recommend that the NRC complete the implementation of CSF 2.0 requirements and develop and maintain current and target CSF profiles that anticipate changes in the NRC's cybersecurity posture.
We recommend that the NRC coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the NRC is unable to obtain the self-attestation forms, it should request POA&Ms from the software producers and submit them to the OMB, in accordance with the self-attestation requirements of OMB Memorandum M-23-16 and EO 14028.
We recommend that the NRC request an extension or a waiver from the OMB for continued use of a producer's software when a self-attestation is not provided, in accordance with the self-attestation requirements of OMB Memorandum M-23-16 and EO 14028.