Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021
Report Information
Recommendations
Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.
OIG Analysis: The OIG will close this recommendation after confirming that the agency has continued its efforts to develop and implement role-based privacy training for users with significant privacy or data protection-related duties.

March 31, 2025: Agency Status: In a February 26th, 2025, meeting between the DNFSB and OIG, the DNFSB noted that, “the DNFSB is currently in the process of developing role-based privacy training,” based on their testing.

OIG Analysis: The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for this recommendation. The OIG notified the DNFSB that, ultimately, the agency should define this themselves (i.e., who/what roles require additional privacy role-based training). Therefore, to close this recommendation, the DNFSB would need to demonstrate identification of the roles that are required to take additional privacy role-based training, show evidence of the development and/or acquisition/rollout of privacy role-based training program materials, and show the implementation of the privacy role-based training (i.e., that the required personnel have taken the training). The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.

Status: Open: Resolved. DNFSB provides role-based privacy training within its required annual Cyber Awareness training. Topics such as Social Networking, handling of Controlled Unclassified Information (CUI) and Classified data, website use, and Social Engineering are all covered by this training. Each user is required to complete this training prior to accessing DNFSB systems. DNFSB further requires all users to take annual Controlled Unclassified Information (CUI) training, and all Federal employees with DOE clearances must take an annual clearance holder training, both of which address requirements for accessing, storing, and transmitting sensitive information. DNFSB has developed updated privacy training and will deliver it to agency users by the end of Q1 FY 2024. DNFSB needs the OIG to define which roles it feels require additional role-based privacy training in order to resolve this recommendation.
Formally document requirements and procedures for the completion of role-based training and enforcement methods in place for individuals who do not complete role-based training.
Continue current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.
Update the DNFSB ISCM policies and procedures clearly defining what needs to be monitored at the system and organization level.
Define standard operating procedures for the use of the agency’s continuous monitoring tools or update the continuous monitoring plan to include the use of new monitoring tools.