Audit of the NRC’s Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2022

View Report

Date Issued

Thursday, September 29, 2022

Submitting OIG

Nuclear Regulatory Commission OIG

Other Participating OIGs

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-22-A-14

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
4	No	$0	$0	Agency Response Dated August 22, 2024: Due to the size and complexity of the ITI system covered by the Federal Information Security Modernization Act of 2014, the NRC will capitalize on its existing Office of the Chief Information Officer (OCIO) Service Model to assign primary ITI asset inventory responsibilities to the associated service area role. Service area role information technology asset inventory responsibilities will be defined, and associated reports developed to ensure accuracy. Due to competing priorities and dependencies on a legacy system migration, the NRC's new target completion date is the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2 OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC documents and implements a periodic review of subsystem inventories to verify that the information maintained for each ITI subsystem is current, complete, and accurate. Status: Open: Resolved. Due to the size and complexity of the ITI system covered by the Federal Information Security Modernization Act of 2014 (FISMA), the NRC will capitalize on its existing Office of the Chief Information Officer (OCIO) Service Model to assign primary ITI asset inventory responsibilities to the associated service area role. Service area role information technology asset inventory responsibilities will be defined, and metrics developed to ensure accuracy. Due to competing priorities and dependencies on a legacy system migration, the NRC’s new target completion date is the fourth quarter (Q4) of FY 2024. Target Completion Date: FY 2024, Q4.
Document and implement a periodic review of subsystem inventories to verify information maintained for each ITI subsystem is current, complete, and accurate.
6	No	$0	$0	Agency Response Dated August 22, 2024: The NRC will implement a process to ensure that all personnel with privileged-level responsibilities complete annual security awareness and role-based training if applicable. Due to competing priorities and resource limitation, the NRC's new target completion date is FY 2025, Q1. Target Completion Date: FY 2025, Q1 OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close this recommendation when the NRC implements a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training. Status: Open: Resolved. The NRC will implement a process to ensure that all personnel with privileged level responsibilities complete annual security awareness and role-based training if applicable. Due to competing priorities and resource limitation, the NRC’s new target completion date is FY 2024, Q3. Target Completion Date: FY 2024, Q3.
Implement a process to validate that all personnel with privileged level responsibilities complete annual security awareness and role-based training.