
Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued
Report Number: OIG-22-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Document and implement policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third party providers.

Agency Response Dated August 22, 2024: The U.S. Nuclear Regulatory Commission (NRC) has implemented policies and procedures for prioritizing externally provided systems and services documented in CSO-PROS-0008, “Process to Assess, Respond, and Monitor ICT Supply Chain Risks,” dated August 1, 2023. Specifically, appendix B documents the criteria for prioritizing supply chain risk assessments for information communication technology (ICT) products and services. Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG reviewed the evidence and confirmed that the agency has documented and implemented policies and procedures for prioritizing externally provided systems and services or a risk-based process for evaluating cyber supply chain risks associated with third-party providers.

Status: Open: Resolved. The NRC has developed two draft computer security processes in CSO-PROS-0008, “Process to Assess, Respond, and Monitor ICT Supply Chain Risks,” and CSO-PROS-0007, “Process to Use SCR Investigation Service to Determine Information and Communications Technology (ICT) Supply Chain Risk Associated with an Offeror,” both dated August 8, 2022, that are currently being used to determine the supply chain risk associated with an ICT product or service and to perform appropriate responsive actions and monitor the risk over time. The NRC will finalize the processes once a sufficient number of assessments have been performed to determine the effectiveness of the evaluations. Target Completion Date: Fiscal year (FY) 2024, third quarter (Q3).

Implement processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Agency Response Dated April 30, 2025: The U.S. Nuclear Regulatory Commission (NRC) has an effective process in place to monitor for counterfeit components. The agency reviewed its existing processes and determined that NRC policy, documented in CSO-PROS-0006, Revision 1.0, “Counterfeit and Compromised ICT Product Detection Process,” dated April 14, 2021 (Agencywide Documents Access and Management System Accession No. ML21048A050), defines the process that must be used to identify counterfeit information and communication products before acquisition and counterfeit hardware and software products before acceptance. The NRC relies on the manufacturer’s methods to ensure a product has not been modified (e.g., visual scanning techniques for hardware and checking for digital signatures in software). The NRC suggests closure of this recommendation.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG reviewed CSO-PROS-0006, Revision 1.0, “Counterfeit and Compromised ICT Product Detection Process,” dated April 14, 2021, and confirmed that the NRC has implemented processes for continuous monitoring and scanning of counterfeit components including configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service. Therefore, this recommendation is now closed.

Agency Response Dated August 22, 2024 (ADAMS Accession No: ML24285A157): The tools and technologies required for automated scanning and detection of counterfeit information technology (IT) assets in the NRC’s environment are not yet available. However, in April 2021, the NRC developed CSO-PROS-0006, “Counterfeit and Compromised ICT Product Detection Process,” to ensure that counterfeit products are detected before they are added to the NRC’s environment. In addition, Section 6, “After Acceptance,” of CSO-PROS-0006 outlines the requirement for automated scanning and detection and will be updated when the associated tools and technologies are available industrywide. In the rare instances when physical IT components are awaiting repair, those components are maintained and managed in NRC-controlled physical space. The appropriate NRC staff members generally vet any third-party service personnel and replacement parts. The NRC will update CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts to detect counterfeit parts and other components and prevent them from being added to its environment. Target Completion Date: FY 2025, first quarter (Q1).
OIG Analysis: The OIG will close this recommendation after confirming that the NRC has implemented processes for continuous monitoring and scanning of counterfeit components to include configuration control over system components awaiting service or repair and serviced or repaired components awaiting return to service.

Status: Open: Resolved. The tools and technologies required for automated scanning and detection of counterfeit information technology (IT) assets in the NRC’s environment are not yet available. However, in April 2021, the NRC developed CSO-PROS-0006, “Counterfeit and Compromised ICT Product Detection Process,” to ensure that counterfeit products are detected before they are added to the NRC’s environment. In addition, Section 6, “After Acceptance,” of CSO-PROS-0006 outlines the requirement for automated scanning and detection and will be updated when the associated tools and technologies are available industrywide. In the rare instances when physical IT components are awaiting repair, those components are maintained and managed in NRC-controlled physical space. The appropriate NRC staff members generally vet any third-party service personnel and replacement parts. The NRC will update CSO-PROS-0006 to include the vetting of third-party service personnel and replacement parts to detect counterfeit parts and other components and prevent them from being added to its environment. Target Completion Date: FY 2025, first quarter (Q1).

Develop and implement role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Agency Response Dated April 30, 2025: Pursuant to the Supply Chain Security Training Act of 2021 (Pub. L. 117-145), the General Services Administration is required to develop training for Federal officials with supply chain risk management responsibilities. The NRC will leverage this training, which will be implemented by the Office of Management and Budget, when it becomes available. Target Completion Date: Fiscal year 2025, third quarter.
OIG Analysis: The OIG will close this recommendation after confirming that the NRC has leveraged the General Services Administration’s training for Federal officials with supply chain risk management responsibilities to develop and implement role-based training for personnel with supply chain risk management roles and responsibilities to detect counterfeit system components.

Agency Response Dated August 22, 2024: Pursuant to the Supply Chain Security Training Act of 2021 (Public Law 117-145), the General Services Administration is required to develop training for Federal officials with supply chain management responsibilities. The NRC will leverage this training for role holders, which will be implemented by the Office of Management and Budget, when it becomes available. Additionally, in April 2021, the NRC developed CSO-PROS-0006, aimed at those who hold supply chain risk management roles and responsibilities to ensure that counterfeit products are detected before being added to the NRC’s environment. Target Completion Date: FY 2025, Q3.
OIG Analysis: The OIG will close this recommendation after confirming that the NRC has developed and implemented role-based training with those who hold supply chain risk management roles and responsibilities to detect counterfeit system components.

Status: Open: Resolved. Pursuant to the Supply Chain Security Training Act of 2021 (Public Law 117-145), the General Services Administration is required to develop training for Federal officials with supply chain risk management responsibilities. The NRC will leverage this training, which will be implemented by the Office of Management and Budget, when it becomes available. Target Completion Date: FY 2024, Q3.

Continue to monitor the remediation of critical and high vulnerabilities and identify a means to assign and track progress of timely remediation of vulnerabilities.

Centralize system privileged and non-privileged user access review, audit log activity monitoring, and management of Personal Identity Verification (PIV) or Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential access to all NRC systems (findings noted in bullets a, and c, above) by continuing efforts to implement these capabilities using the Splunk QAudit, SailPoint, and CyberArk automated tools.