Report File
Date Issued
Submitting OIG: Nuclear Regulatory Commission OIG
Other Participating OIGs: Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated: Defense Nuclear Facilities Safety Board
Report Number: DNFSB-21-A-04
Report Type: Inspection / Evaluation
Agency Wide: Yes
Number of Recommendations: 14
Questioned Costs: $0
Funds for Better Use: $0
Report updated under NDAA 5274: No

Open Recommendations

This report has 3 open recommendations.
Recommendation Number: 2
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:
OIG Analysis: The agency did not provide an updated response pertaining to Recommendation 2a and 2b.
On September 20, 2023, the agency provided the following response:
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions.
The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 2c and 2d. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address Recommendation 2 during its FY25 Federal Information Security Modernization Act of 2014 (FISMA) audit.

Status: Open: Resolved. 2.a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
2.b. Risk tolerance, risk profiles and a risk register will be established as part of DNFSB’s ERM program. Risks from the information system level will flow up to the business process level, and risks at the business process level will flow up to the enterprise level to allow management to make more informed risk management decisions. No target date for all four parts.
2.c. DNFSB will conduct an organization wide security and privacy risk assessment once the ERM program has been established.
2.d. DNFSB will conduct a supply chain risk assessment in Q2 FY2024.

Recommendation text: Use the fully defined ISA to:
a. Assess enterprise, business process, and information system level risks;
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions;
c. Conduct an organization wide security and privacy risk assessment; and,
d. Conduct a supply chain risk assessment.

Recommendation Number: 3
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:
OIG Analysis: The agency did not provide an updated response pertaining to Recommendation 3b and 3d. On September 20, 2023, the agency provided the following response:
a. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and a process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.
b. DNFSB will review existing policies & procedures against the recommendation in NIST SP-800 55 Rev.2 and make any updates by Q2 FY 2024.
d. DNFSB will update its Risk Management Framework Handbook and its Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY 2024.
The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for Recommendation 3a and 3c. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address Recommendation 3a through 3d during its FY25 FISMA audit.

Status: Open: Resolved. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management Program and process in accordance with recommendation 2020-2. Once complete, DNFSB can begin working on this recommendation.
3.a. DNFSB seeks clarification from the OIG of the specific actions that are required to resolve this portion of the Recommendation.
3.b. DNFSB will review existing policies & procedures against the recommendations in NIST SP-800 55 Rev.2 and make any updates by Q2 FY2024.
3.c. DNFSB is currently contracting with an outside consultant to develop an Enterprise Risk Management (ERM) Program and process, which will assess risk at the enterprise level. DNFSB’s existing Executive Committee on Internal Controls (ECIC) assesses risk at the business process level, and DNFSB’s existing Risk Management Framework handbook, configuration management, and continuous monitoring processes assess risk at the information system level.
3.d. DNFSB will update its Risk Management Framework Handbook and its Continuous Monitoring Policies & Procedures Guide to include prioritization of vulnerabilities based on severity level by Q2 FY2024.

Recommendation text: Using the results of recommendations one (1) and two (2) above:
a. Collaborate with the DNFSB’s Cybersecurity Team to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by IT Operations;
b. Utilize guidance from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 (Rev. 1), Performance Measurement Guide for Information Security, to establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program;
c. Implement a centralized view of risk across the organization; and,
d. Implement formal procedures for prioritizing and tracking POA&M to remediate vulnerabilities.

Recommendation Number: 9
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details:
OIG Analysis: The DNFSB met with the OIG on February 26, 2025, to discuss potential corrective actions for this recommendation. It was determined that the OIG will verify whether corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit.

Status: Open: Resolved. DNFSB has determined that automated management of privileged accounts presents a higher risk than the current manual process of account review. DNFSB has implemented a manual review of account activity based on automated reports sent from the Varonis tool weekly. Administrators review this data and act in accordance with DNFSB policies and procedures.
DNFSB will request a risk acceptance for this recommendation by Q4 FY23.

Recommendation text: Implement automated mechanisms (e.g., machine-based or user-based enforcement) to support the management of privileged accounts, including the automatic removal/disabling of temporary, emergency, and inactive accounts, as appropriate.
