Audit of the Defense Nuclear Facilities Safety Board’s Implementation of the Federal Information Security Modernization Act of 2014

Date Issued

Friday, September 29, 2023

Submitting OIG

Nuclear Regulatory Commission OIG

Other Participating OIGs

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Defense Nuclear Facilities Safety Board

Report Number

DNFSB-23-A-04

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	Yes	$0	$0	Agency Response Dated February 27, 2025: DNFSB is now capturing all required logs for Criticality Levels 1, 2, & 3 as required by OMB M-21-31. The Logging Requirements M-21-31.xlsx file lists all of the required log types and a mapping to the specific logs that are being captured along with the log location. NOTE: a hands-on walkthrough of the various playbooks in the Sentinel Security Information and Event Management (SIEM) would be helpful to demonstrate how the logs are being captured & accessed. OIG Analysis: After reviewing the evidence, the OIG has concluded that additional artifacts are needed, such as screenshots of the various playbooks in Sentinel SIEM, to demonstrate how logs are being captured and accessed. Therefore, this recommendation remains open and resolved. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 audit.
We recommend that DNFSB’s Chief Information Security Officer acquire resources to adequately support the procurement, onboarding and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.