Date Issued
Submitting OIG
Nuclear Regulatory Commission OIG
Other Participating OIGs
Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated
Nuclear Regulatory Commission
Report Number
OIG-23-A-10
Report Description

For this year’s review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas — Identify, Protect, Detect, Respond, and Recover — to determine the effectiveness of their agencies’ information security program and the maturity level of each function area. The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, the NRC’s information security program must be rated Level 4 – Managed and Measurable.

The audit included an assessment of the NRC’s information security programs and practices consistent with the FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for a sample of systems in the NRC’s FISMA inventory of information systems. Audit fieldwork covered the NRC’s headquarters located in Rockville, MD from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.

We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 – Managed and Measurable maturity level; therefore, the NRC has an effective information security program. Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective.
We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
3
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 1 open recommendation.
Recommendation Number
3
Significant Recommendation
Yes
Recommended Questioned Costs
$0
Recommended Funds for Better Use
$0
Additional Details
Agency Response Dated July 7, 2025: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC has implemented some requirements across EL maturity tiers EL1 (Basic), EL2 (Intermediate), and plans to implement EL3 (Advanced) to ensure events are logged and tracked in accordance with OMB M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” dated August 27, 2021, by the fourth quarter (Q4) of fiscal year (FY) 2025. The NRC is taking a phased approach to meeting the requirements of OMB M-21-31. The EL1 logging maturity level was completed on 7/19/2024, requirements for the EL2 logging maturity level were completed on 3/31/2025, and the EL3 logging maturity level is scheduled for completion by 8/1/2025. Target Completion Date: FY 2025, Q4

OIG Analysis: The OIG reviewed and confirmed the evidence that the NRC increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The OIG will close this recommendation when it verifies that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.

Agency Response Dated December 10, 2024: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. Target Completion Date: The NRC recommends closure of this item.
OIG Analysis: The OIG has reviewed the evidence and confirms that the agency has increased the current SIEM tool licensing level and acquired funding. A month after the OIG’s audit fieldwork ended for the FY 2024 FISMA audit, NRC management informed the OIG that the agency has achieved EL1 maturity. The OIG will close this recommendation after verifying that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31.

Agency Response Dated June 6, 2024: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across EL maturity tiers EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced) to ensure events are logged and tracked in accordance with OMB M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” dated August 27, 2021, by the fourth quarter (Q4) of FY 2025. The NRC is taking a phased approach to meeting the requirements of OMB M-21-31. The EL1 logging level is scheduled to be completed by 7/31/24. The EL2 logging level is scheduled to be completed by 3/31/25. The EL3 logging level is scheduled to be completed by 8/01/25. Target Completion Date: FY 2025, Q4.
OIG Analysis: The OIG will close the recommendation when it verifies that the NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.

We recommend that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.
