For this year’s review, IGs were required to assess 20 Core IG FISMA Reporting Metrics and 20 Supplemental IG FISMA Reporting Metrics across five security function areas — Identify, Protect, Detect, Respond, and Recover — to determine the effectiveness of their agencies’ information security program and the maturity level of each function area.[1] The maturity levels are: Level 1 - Ad Hoc, Level 2 - Defined, Level 3 - Consistently Implemented, Level 4 - Managed and Measurable, and Level 5 - Optimized. To be considered effective, the NRC’s information security program must be rated Level 4 – Managed and Measurable.

The audit included an assessment of the NRC’s information security programs and practices consistent with the FISMA and reporting instructions issued by the Office of Management and Budget (OMB). The scope also included assessing selected security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, for a sample of systems in the NRC’s FISMA inventory of information systems. Audit fieldwork covered the NRC’s headquarters located in Rockville, MD from January 2023 to June 2023. The audit covered the period from October 1, 2022, through June 30, 2023.

We concluded that the NRC implemented effective information security policies, procedures, and practices, since it achieved an overall Level 4 – Managed and Measurable maturity level; therefore, the NRC has an effective information security program. Although we concluded that the NRC implemented an effective information security program overall, its implementation of a subset of selected controls was not fully effective.
We noted new and repeat weaknesses in its security program related to the risk management, supply chain risk management, configuration management, identity and access management, security training, incident response, and contingency planning domains of the FY 2023 IG FISMA Reporting Metrics. As a result, we made three new recommendations to assist the NRC in strengthening its information security program. Additionally, we noted 21 prior year recommendations remain open from the FY 2022 FISMA audit and FY 2021 FISMA evaluation based on inspection of evidence received during fieldwork.
Open Recommendations
Recommendation Number | Recommendation | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---|---
1 | We recommend that NRC management reviews all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. | Yes | $0 | $0 | Agency Response Dated December 10, 2024: NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. In August 2024, the NRC Chief Information Security Officer (CISO) directed the formation of the POA&M Reduction Working Group to review all ITI POA&Ms to ensure that they are accurate. Analysis by the POA&M Reduction Working Group found that over half of the 6,000 ITI POA&Ms listed in the Risk and Continuous Authorization Tracking System were associated with endpoints that had been decommissioned or were related to operating systems that are no longer in use. The CISO approved the closure of these POA&Ms for findings that were no longer relevant, and the count of open ITI POA&Ms has been reduced by more than 50 percent to the current number of 2,505. The POA&M Reduction Working Group continues to review the remaining ITI POA&Ms and is developing methods to improve the efficiency of POA&M management through automation. Corrective actions for the remaining 2,505 ITI POA&Ms are ongoing, with expected completion in the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2. OIG Analysis: The OIG will close this recommendation after confirming that NRC management has reviewed all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. Agency Response Dated June 6, 2024: NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. The NRC recommends a target completion date of the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2. OIG Analysis: The OIG will close the recommendation when it verifies that NRC management reviews all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. This recommendation remains open and resolved.
3 | We recommend that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. | Yes | $0 | $0 | Agency Response Dated December 10, 2024: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. Target Completion Date: The NRC recommends closure of this item. OIG Analysis: The OIG has reviewed the evidence and confirms that the agency has increased the current SIEM tool licensing level and acquired funding. A month after the OIG’s audit fieldwork ended for the FY 2024 FISMA audit, NRC management informed the OIG that the agency has achieved EL1 maturity. The OIG will close this recommendation after verifying that the agency has implemented all requirements across EL maturity tiers (EL1, EL2, and EL3) to ensure events are logged and tracked in accordance with OMB M-21-31. Agency Response Dated June 6, 2024: The NRC has increased the SIEM tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across EL maturity tiers EL1 (Basic), EL2 (Intermediate), and EL3 (Advanced) to ensure events are logged and tracked in accordance with OMB M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” dated August 27, 2021, by the fourth quarter (Q4) of FY 2025. The NRC is taking a phased approach to meeting the requirements of OMB M-21-31. The EL1 logging level is scheduled to be completed by 7/31/24. The EL2 logging level is scheduled to be completed by 3/31/25. The EL3 logging level is scheduled to be completed by 8/01/25. Target Completion Date: FY 2025, Q4. OIG Analysis: The OIG will close the recommendation when it verifies that NRC management increases the current SIEM tool licensing level and acquires funding to adequately support the procurement, onboarding, and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31. This recommendation remains open and resolved.