Audit of the U.S. Nuclear Regulatory Commission’s (NRC) Cybersecurity Inspection Program for Operating Nuclear Power Plants

View Report

Date Issued

Thursday, June 4, 2026

Submitting OIG

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-NRC-26-A-03

Report Description

The OIG determined that the current cybersecurity program guidance lacks clarity; expectations for maintaining training qualifications are not well-defined; the cybersecurity inspection process contains redundant and time-consuming tasks; and NRC staff members did not always accurately report their time spent on cybersecurity inspection-related activities. The OIG makes 9 recommendations to enhance the effectiveness, consistency, and efficiency of the NRC’s cybersecurity inspection program.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 9 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1.1	Yes	$0	$0
The OIG recommends that the Executive Director for Operations develop and issue supplemental guidance clarifying the expected implementation of cybersecurity controls, the interpretation of requirements, and methods for evaluating control effectiveness.
1.2	Yes	$0	$0
The OIG recommends that the Executive Director for Operations update Inspection Procedure 71130.10 to clarify the Cyber Security Issues Forum process and its potential impacts on findings and violations.
2.1	Yes	$0	$0
The OIG recommends that the Executive Director for Operations update Inspection Manual Chapter 1245, Appendix D-1, to include periodic refresher training requirements for cybersecurity-qualified inspectors.
2.2	Yes	$0	$0
The OIG recommends that the Executive Director for Operations define a schedule for contractor-led training (in-person or virtual), and ensure sessions are recorded and accessible.
3.1	Yes	$0	$0
The OIG recommends that the Executive Director for Operations revise the request for information guidance to require inspectors to identify the most current cybersecurity program documents already in the NRC’s possession before issuing the initial request, and to clearly communicate target dates for both issuing requests and receiving licensee responses.
4.1	Yes	$0	$0
The OIG recommends that the Executive Director for Operations train staff on the correct Cost Activity Codes for reporting fee-billable and non-billable cybersecurity inspection activities within the Human Capital Management Cloud System.
4.2	Yes	$0	$0
The OIG recommends that the Executive Director for Operations finalize the Cyber Security Issues Forum Draft Charter to include the Cost Activity Codes used by staff members when participating in or observing meetings.
4.3	Yes	$0	$0
The OIG recommends that the Executive Director for Operations develop clear guidance on the appropriate use of security oversight Cost Activity Codes.
4.4	Yes	$0	$0
The OIG recommends that the Executive Director for Operations develop and implement Enterprise Project Identifier codes for inspection oversight activities to improve tracking of safety and security related oversight activities.