Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

Report Information

Date Issued
Report Number
OIG-21-A-05
Report Type
Inspection / Evaluation
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

Conduct an organizational level BIA [business impact assessment] to determine contingency planning requirements and priorities, including for mission essential functions/high value assets, and update contingency planning policies and procedures accordingly.

Status: Open: Resolved. The NRC will conduct an organizational level business impact assessment (BIA) to determine contingency planning requirements and priorities, including for mission-essential functions/high-value assets, and update contingency planning policies and procedures accordingly. Target Completion Date: FY 2023, Q4.

For low availability categorized systems complete an initial BIA and update the BIA whenever a major change occurs to the system or mission that it supports. Address any necessary updates to the system contingency plan based on the completion of or updates to the system level BIA.

Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Recommendation 12: Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The new target completion date is the fourth quarter (Q4) of FY 2025. Target Completion Date: FY 2025, Q4

OIG Analysis: The OIG will close this recommendation after reviewing the evidence that demonstrates and confirms the NRC integrated metrics for measuring the effectiveness of information system contingency plans and its relation to other plans such as the organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC and the OIG are working to come to an agreement on a sufficient way to complete this recommendation. The OIG will close the recommendation after the NRC integrates metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans to deliver persistent situational awareness across the organization. Target Completion Date: To be determined.

Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans.

Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify candidates for automated testing. Based on that analysis, if automated testing is feasible and cost effective, then the NRC will develop plans to implement those measures and coordinate with all associated ICT supply chain providers. The new target completion date is FY 2025, Q2. Target Completion Date: FY 2025, Q2

OIG Analysis: The OIG will close this recommendation after confirming that the NRC implemented automated mechanisms to test system contingency plans, then updated and implemented procedures to coordinate contingency plan testing with ICT supply chain providers. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC and the OIG are working to come to an agreement on a sufficient way to complete this recommendation. The OIG will close the recommendation when the agency provides documentation of the cost-benefit analysis and detailed information on the decision as to why or why not the agency will implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans. Target Completion Date: To be determined.