We recommend that NRC management reviews all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Closed
Source UUID
229b59dd-a72e-4fb4-b86b-b05c46328066-1
Recommendation Number
1
Additional Details Link
Additional Information
Agency Response Dated July 7, 2025: The NRC management has reviewed all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. All POA&Ms have been reviewed, changes to milestones have been updated, and all scheduled completion dates are up to date. Target Completion Date: The NRC suggests closure of this item.
OIG Analysis: The OIG and its contractor reviewed and confirmed the evidence that all ITI POA&Ms are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates as appropriate. This recommendation is now closed.
Agency Response Dated December 10, 2024: NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. In August 2024, the NRC Chief Information Security Officer (CISO) directed the formation of the POA&M Reduction Working Group to review all ITI POA&Ms to ensure that they are accurate. Analysis by the POA&M Reduction Working Group found that over half of the 6,000 ITI POA&Ms listed in the Risk and Continuous Authorization Tracking System were associated with endpoints that had been decommissioned or were related to operating systems that are no longer in use. The CISO approved the closure of these POA&Ms for findings that were no longer relevant, and the count of open ITI POA&Ms has been reduced by more than 50 percent to the current number of 2,505. The POA&M Reduction Working Group continues to review the remaining ITI POA&Ms and is developing methods to improve the efficiency of POA&M management through automation. Corrective actions for the remaining 2,505 ITI POA&Ms are ongoing, with expected completion in the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2
OIG Analysis: The OIG will close this recommendation after confirming that NRC management has reviewed all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates.
Agency Response Dated June 6, 2024: NRC management will review all ITI POA&Ms to ensure that they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. The NRC recommends a target completion date of the second quarter (Q2) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q2.
OIG Analysis: The OIG will close the recommendation when it verifies that NRC management reviews all ITI POA&Ms to ensure they are accurate and contain detailed information on the status of corrective actions, including changes to scheduled completion dates. This recommendation remains open and resolved.
Significant Recommendation
Yes