U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.


Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued
Report Number
Report Type
Inspection / Evaluation
Joint Report
Agency Wide
Yes (agency-wide)
Questioned Costs
Funds for Better Use


Reconcile mission priorities and cybersecurity requirements into profiles to inform the prioritization and tailoring of controls (e.g. HVA control overlays) to support the risk-based allocation of resources to protect the NRC's identified Agency level and/or National level HVAs.

Continue current Agency’s efforts to update the Agency’s cybersecurity risk register to (i) aggregate security risks, (ii) normalize cybersecurity risk information across organizational units, and (iii) prioritize operational risk response.

Update procedures to include assessing the impacts to the organization’s ISA prior to introducing new information systems or major system changes into the Agency’s environment.

Develop and implement procedures in the POA&M process to include mechanisms for prioritizing completion and incorporating this as part of documenting a justification and approval for delayed POA&Ms.

Assess the NRC supply chain risk and fully define performance metrics in service level agreements and procedures to measure, report on, and monitor the risks related to contractor systems and services.