Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued
Report Number
OIG-21-A-05
Report Type
Inspection / Evaluation
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency’s on-boarding procedures prior to these individuals being granted access to the NRC’s systems and information.

Agency Response Dated February 14, 2025: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of fiscal year (FY) 2025, third quarter (Q3). Target Completion Date: FY 2025, Q3

OIG Analysis: The OIG will close this recommendation after confirming the NRC updated the user system access control procedures to include the requirement for individuals to complete a nondisclosure agreement as part of the clearance waiver process and that contractors and employees completed the nondisclosure agreements as part of the agency’s onboarding procedures prior to being granted access to the NRC’s systems and information. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of FY 2024, Q3.

Continue efforts to identify individuals having additional responsibilities for PII or activities involving PII and develop role-based privacy training for them to be completed annually.

Agency Response Dated February 14, 2025: The NRC completed an independent assessment of the Privacy Program in October 2023 and identified training gaps with regard to personnel who have privacy roles requiring role-based training. Since that time, the NRC has created the role-based privacy training content for system managers, privacy custodians, and the Core Management Group (senior executive officers). The NRC is working with the contractors on developing the format of presentation. Due to project constraints, the new target completion date is the second quarter (Q2) of FY 2025. Target Completion Date: FY 2025, Q2

OIG Analysis: The OIG will close this recommendation after confirming the NRC’s continued efforts to identify individuals who have additional responsibilities for PII or activities involving PII and that it has developed role-based privacy training for them to complete annually.

Status: Open: Resolved. The NRC will conduct an in-depth, independent assessment of the Privacy Program, which will cover roles and training gaps. Using the results of the assessment, the NRC will update and develop annual role-based privacy training to address the identified gaps. The NRC will begin the assessment in Q3 of FY 2023, with completion planned by the first quarter (Q1) of FY 2024. The agency plans to complete the associated training development and implementation by FY 2025, Q1.

Implement the technical capability to restrict access or not allow access to the NRC’s systems until new NRC employees and contractors have completed security awareness training and role-based training as applicable.

Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Agency Response Dated February 14, 2025: Due to constraints outlined by the National Treasury Employees Union (NTEU), the NRC is unable to implement a technical capability specifically to restrict NRC network access for the Federal employees. However, the agency has implemented a technical capability to restrict NRC network access for contractors who do not complete the annual security awareness training and their assigned role-based security training. In addition, the NRC has reviewed and updated the organizationally defined timeframe for the completion of security training in NRC Management Directive 12.5, “NRC Cybersecurity Program.” The revised guidance (Agencywide Documents Access and Management System Accession No. ML24198A139) specifies “NRC employees shall receive an initial cybersecurity awareness briefing. All NRC authenticated users (employees and contractors) are required to take the Computer Security Awareness course within 20 business days of obtaining access to NRC systems, and annually thereafter.” Target Completion Date: The NRC suggests closure of this recommendation.

OIG Analysis: The OIG reviewed and confirmed the updated defined timeframe for the completion of security training in the NRC Management Directive 12.5, “NRC Cybersecurity Program.” However, the OIG will close this recommendation after reviewing and confirming evidence that the NRC implemented the technical capability to restrict NRC network access for contractors who have not completed the annual security awareness training and their assigned role-based security training, and a documented risk acceptance form or risk-based decision regarding non-restriction of NRC employee network access related to training requirements due to NTEU constraints. This recommendation remains open and resolved.

Status: Open: Resolved. The Office of the Chief Information Officer (OCIO) will analyze the agency’s security awareness and role-based training records to better inform its response to this recommendation. OCIO staff will also consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training. To perform this analysis and develop a solution, the NRC requests a new Target Completion Date of Q2 FY2024.

Implement metrics to measure and reduce the time it takes to investigate an event and declare it as a reportable or non-reportable incident to US-CERT.