Date Issued
Submitting OIG: Nuclear Regulatory Commission OIG
Other Participating OIGs: Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated: Nuclear Regulatory Commission
Report Number: OIG-24-A-11
Report Description:

The Office of the Inspector General (OIG) contracted with Sikich to conduct an audit of the United States Nuclear Regulatory Commission’s (NRC) Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the NRC. The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards. Based on its assessment of the period October 1, 2023, through June 30, 2024, Sikich found that although the NRC has established an effective agency-wide information security program and effective information security practices, there are weaknesses that may have some impact on the agency’s ability to optimally protect the NRC’s systems and information.

Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 4
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 2 open recommendations.

Recommendation Number: 1
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: ADAMS Accession No: ML24326A180
Recommendation: Implement a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.
Agency Response Dated October 16, 2024: The U.S. Nuclear Regulatory Commission (NRC) will engage the Defense Counterintelligence and Security Agency (DCSA) on a more frequent basis to ensure NRC records of enrollment match those of the DCSA. If a reinvestigation is needed for enrollment of an individual, that process will be initiated promptly. The DCSA is implementing an automated system that will enroll individuals into continuous vetting when the clearance is granted by the NRC, eliminating the manual review process and negating the possibility of individuals failing to be enrolled.
Target Completion Date: Fiscal Year (FY) 2025, Quarter 2
OIG Analysis: The OIG will close this recommendation after confirming that the agency has implemented a process to monitor and ensure that reinvestigations occur for the identified employees and contractors not currently enrolled in continuous vetting through either TW or DoD CV until such time as their enrollment is complete.

Recommendation Number: 4
Significant Recommendation: Yes
Recommended Questioned Costs: $0
Recommended Funds for Better Use: $0
Additional Details: ADAMS Accession No: ML24326A180
Recommendation: Implement a technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process. Also, as part of this recommendation, consider reviewing the current configuration of the EIH and TMS integration—as well as the logic in TMS itself, as necessary—to ensure training assignments are retained (not cancelled) due to inactivity.
Agency Response Dated October 16, 2024: The NRC has reviewed the relevant configuration settings within the EIH and TMS. The technical teams are working to determine an appropriate set of configuration and system interconnection updates to support resolution of the finding. Initial solutioning work is underway. Some potential solutions include the use of attributes other than an initial login date to ensure that training assignments are both assigned appropriately and retained even through periods of inactivity.
Target Completion Date: FY 2025, Quarter 3
OIG Analysis: The OIG will close this recommendation after verifying that the agency has implemented a solution or an appropriate set of configuration and system interconnection updates to support resolution of the finding that meets the technical capability to capture NRC employees’ and contractors’ initial login dates so that the required cybersecurity awareness and role-based training can be accurately tracked and managed by the current process and has reviewed the current configuration of the EIH and TMS integration – as well as the logic in TMS itself, as necessary – to ensure training assignments are retained (not cancelled) due to the inactivity.
