
Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued:
Report Number: OIG-22-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Update user system access control procedures to include the requirement for individuals to complete non-disclosure and rules of behavior agreements before being granted access to NRC systems and information.

Agency Response Dated April 30, 2025: Based on review, this recommendation is not applicable to the NRC’s current environment. The agency has implemented a process for individuals to acknowledge the system rules of behavior as part of the Cybersecurity and Awareness training, required within 20 business days of obtaining access to NRC systems and annually thereafter. The staff updated NRC Management Directive (MD) 12.5, “NRC Cybersecurity Program” (ML24198A139), with the revised timeline. The agency monitors completion of training and acknowledgment of the rules of behavior through the Talent Management System (TMS). The NRC suggests closure of this recommendation.
Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG confirmed that the NRC Management Directive (MD) 12.5, “NRC Cybersecurity Program” (ML24198A139) was updated, with the revised timeline for individuals to acknowledge the system rules of behavior as part of the Cybersecurity and Awareness training, required within 20 business days of obtaining access to NRC systems and annually thereafter; and that the NRC monitors completion of training and acknowledgment of the rules of behavior through the Talent Management System (TMS) to compensate for the user system access control procedures to include the requirement for individuals to complete a nondisclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information. Therefore, this recommendation is now closed.

Agency Response Dated August 22, 2024: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the target date has been adjusted. Target Completion Date: FY 2025, Q3
OIG Analysis: The OIG will close this recommendation after confirming that the NRC has updated user system access control procedures to include the requirement for individuals to complete a non-disclosure and rules of behavior agreements prior to the individual being granted access to NRC systems and information.

Status: Open: Resolved. The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the agency’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the target date has been adjusted. Target Completion Date: FY 2024, Q3.

Conduct an independent review or assessment of the NRC privacy program and use the results of these reviews to periodically update the privacy program.

Implement the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implement the technical capability to capture NRC employees’ and contractors’ initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.

Agency Response Dated April 30, 2025: Based on review, this recommendation is not applicable to the NRC’s current environment. The agency has implemented a process to validate that new NRC employees and contractors complete security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The staff updated MD 12.5 with the revised timeline. The agency monitors this activity through TMS. In addition, role-based training is assigned once the employee or contractor assumes the role. The NRC suggests closure of this recommendation. Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG reviewed and confirmed that the agency has implemented a process to validate that new NRC employees and contractors complete the security awareness training within 20 business days of obtaining access to the NRC systems and annually thereafter. The activity is monitored through TMS to compensate for the technical capability to capture NRC employees’ and contractors’ initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place. Therefore, this recommendation is now closed.

Agency Response Dated August 22, 2024: The NRC will implement a technical capability to capture NRC employees’ and contractor personnel initial login dates or equivalent so that the process currently in place can accurately track and manage the required cybersecurity awareness and role-based training. Target Completion Date: FY 2025, Q3
OIG Analysis: The OIG will close this recommendation after confirming that the NRC has implemented the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable, or implemented the technical capability to capture NRC employees’ and contractors’ initial login date so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process in place.

Status: Open: Resolved. The creation of a separate, secure system to perform this security awareness and role-based training activity is not deemed cost effective since it would require the duplication of existing hardware, software, and support services. It would also redirect staff from other network operations and maintenance tasks, which could cause security and operational issues to the main network and reduce the NRC’s ability to provide mission-focused services. The NRC estimates that this would increase costs across the Information Technology/Information Management Business Line, including hardware, software, operational maintenance, and NRC staff and contractual support resources, by nearly $1 million annually. This estimated cost does not include any changes that would be required by the Office of the Chief Human Capital Officer for its training system or resources. Rather than implement this specific recommendation, the NRC plans to add to its onboarding process streamlined security training that contains the Rules of Behavior but does not contain sensitive information. The onboarding process occurs before employees and contractors gain access to the NRC network. The agency will also strengthen its post-onboarding process to ensure that new employees and contractors complete all required security awareness and role-based training, including acknowledging the Rules of Behavior, within the required timeframe. These changes, along with the personnel security processing that occurs before onboarding, make this a low risk to NRC systems. The NRC will provide more information upon request. Target Completion Date: The NRC recommends closure of this item.

Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Status: Open: Resolved. The NRC Office of the Chief Information Officer (OCIO) staff will consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training. The NRC requests a new target completion date of FY 2024, Q3. Target Completion Date: FY 2024, Q3.

Implement metrics to measure and reduce the time it takes to investigate an event and declare it as a reportable or non-reportable incident to US-CERT.