Recommendation Details
Text of Recommendation
Use the fully defined ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
Recommendation Number
2c.
Recommendation Status
Open
Significant Recommendation
Yes
Additional Information
Agency Response Dated March 20, 2024: The U.S. Nuclear Regulatory Commission (NRC) has transitioned and assessed 11 of its 15 information systems to National Institute of Standards and Technology Special Publication 800-53, Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” issued September 2020. The agency expects to complete the transition and assessment of the remaining four systems to Revision 5 in the fourth quarter (Q4) of fiscal year (FY) 2024.

Target Completion Date: FY 2024, Q4

OIG Analysis: The OIG will close this recommendation after confirming that NRC has used the fully defined ISA [Information Security Architecture] to formally define enterprise, business process, information system level risk tolerance, and appetite levels necessary for prioritizing and guiding risk management decisions.

Status: Open: Resolved.