Independent Evaluation of the NRC’s Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

Report Information

Date Issued
Report Number: OIG-22-A-04
Report Type: Inspection / Evaluation
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Conduct an organizational level BIA to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Status: Open: Resolved. The NRC will conduct an organization-level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission essential functions and high-value assets, and update contingency planning policies and procedures accordingly. Because of limited resources and other priority operational and cybersecurity work, the NRC is now targeting completion in FY 2024, Q3. Target Completion Date: FY 2024, Q3.

Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Status: Open: Resolved. The NRC will integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. Target Completion Date: FY 2024, fourth quarter (Q4).

Update and implement procedures to coordinate contingency plan testing with ICT supply chain providers.

Status: Open: Resolved. The NRC is assessing approaches to implement procedures to coordinate contingency plan testing with ICT supply chain providers. Target Completion Date: FY 2024, Q4.