U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Independent Evaluation of NRC’s Implementation of the Federal Information Security Modernization Act of 2014 For Fiscal Year 2019

Report Information

Date Issued
Report Number
OIG-20-A-06
Report Type
Inspection / Evaluation
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

Fully define NRC’s ISA across the enterprise and businessprocesses and system levels.

a Use the fully defined ISA to assess enterprise, business process, and information system level risks.
b. Use the fully defined ISA to update the list of high value assets by considering risks from the supporting business functions and mission impacts.
c. Use the fully defined ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
d. Use the fully defined ISA to conduct an organization-wide security and privacy risk assessment.
e. Use the fully defined ISA to conduct a supply chain risk assessment.
f. Use the fully defined ISA to identify and update NRC risk management policies, procedures, and strategy.

2c Agency Response Dated March 20, 2024: The U.S. Nuclear Regulatory Commission (NRC) has transitioned and assessed 11 of its 15 information systems to National Institute of Standards and Technology Special Publication 800-53, Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” issued September 2020. The agency expects to complete the transition and assessment of the remaining four systems to Revision 5 in the fourth quarter (Q4) of fiscal year (FY) 2024. Target Completion Date: FY 2024, Q4<br />
OIG Analysis: The OIG will close this recommendation after confirming that NRC has used the fully defined ISA [Information Security Architecture] to formally define enterprise, business process, information system level risk tolerance, and appetite levels necessary for prioritizing and guiding risk management decisions. Status: Open: Resolved.<br />

Identify and implement a software whitelisting tool to detectauthorized software and block the risk of unauthorized software on its network.

Perform an assessment of role-based privacy training gaps.

Identify individuals having specialized role-based responsibilities for PII or activities involving PII and develop role-based privacy training for them.

Agency Response Dated March 20, 2024: As a result of the assessment referenced in recommendation 4, the NRC will identify individuals having specialized role-based responsibilities for PII or activities involving PII and develop role-based privacy training for them. The agency plans to complete the associated training development and implementation by the first quarter (Q1) of FY 2025. Target Completion Date: FY 2025, Q1<br />
OIG Analysis: The OIG will close this recommendation after getting assurance from evidence that the agency has identified individuals having specialized role-based responsibilities for PII [personally identifiable information] or activities involving PII and has developed role-based privacy training for them. Status: Open: Resolved.