Independent Evaluation of DNFSB’s Implementation of the Federal Information Security Modernization Act of 2014 For Fiscal Year 2019
Report Information
Recommendations
Define an ISA in accordance with the Federal Enterprise Architecture Framework.
Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risk.
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
c. Conduct an organization-wide security and privacy risk assessment.
d. Conduct a supply chain risk assessment.
Using the results of recommendations one (1) and two (2):
a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components; the Cybersecurity Team exports metrics and vulnerability reports and sends them to the CISO and CIO's Office monthly for review. Develop a centralized dashboard that the Cybersecurity Team and the CISO can populate for real-time assessments of compliance and security policies.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.
Estimated Target Completion Date: Fiscal Year (FY) 2025
OIG Analysis: The OIG will close this recommendation after confirming that the agency has established performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by the Cybersecurity Team. Additionally, the OIG will verify evidence that demonstrates the agency has established performance metrics to manage and optimize all domains of the agency's information security program more effectively and has implemented a centralized view of risk across the organization.
March 31, 2025: DNFSB did not provide an updated response pertaining to recommendations 3b and 3c. On September 20, 2023, the agency provided the following response:
b. DNFSB needs clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
c. DNFSB needs more clarification from the OIG of the specific actions that are required to resolve this portion of the recommendation.
The OIG clarified on November 01, 2023, that subsection "b" of this recommendation will require the DNFSB to provide evidence of established performance metrics in service level agreements for the contractor systems and services monitored by Information Technology (IT) Operations. Subsection "c" of this recommendation will require the DNFSB to utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55, Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program. The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 3d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.
Status: Open: Resolved.
3.a. DNFSB has implemented Qualys, Intune, and Defender as vulnerability and compliance management platforms. These systems have dashboards which provide an up-to-date, complete, accurate, and readily available Agency-wide view of security configurations. Vulnerability reports are provided to the CIO/CISO weekly and include the number of open vulnerabilities, the number of patches applied in the last 7 days, and detailed information on remediation efforts.
3.b. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.c. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.d. A centralized view of risk across the organization will be possible once the Agency implements an Enterprise Risk Management Program, which is currently under development with an outside consultant.
DNFSB anticipates completing these tasks by Quarter 4 FY 2023.
Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time. Continue ongoing efforts to apply the Track-It!, ForeScout and KACE solutions.
Management should reinforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.
OIG Analysis: During the fieldwork phase of the Audit of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years' outstanding FISMA recommendations. The OIG verified that the DNFSB has revised its CM Plan to include a requirement for remedial training and consequences for failure to follow the appropriate processes. The CM Operating Procedure and CM Plan identify that the DNFSB has incorporated requirements for remedial training. The agency's corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.
March 31, 2025. OIG Analysis: The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.
Status: Open: Resolved. The DNFSB Configuration Management Plan details change control procedures. Consequences for noncompliance are detailed in the DNFSB Configuration Management Policy, section 6: Compliance (revised March 2023), and the DNFSB Information Systems User Agreement + IT Equipment Agreement Form, section: Policy, Standards, and Procedures Must Be Followed. DNFSB required all members of the IT Team that are authorized to submit change request tickets to take remedial “CCB and Change Request Training” in August 2022 and then take an updated remedial training in December 2022 that addressed changes to the CCB & SIA form process. Based on actions already taken, DNFSB’s position is that this recommendation needs to be closed.