Date Issued
Submitting OIG
Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated
Defense Nuclear Facilities Safety Board
Report Number
OIG-DNFSB-25-A-05
Report Description

The Office of the Inspector General (OIG) contracted with Sikich CPA LLC (Sikich) to audit the Defense Nuclear Facilities Safety Board's (DNFSB) implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025. The objective was to assess the effectiveness of the DNFSB's information security policies, procedures, and practices. The findings and conclusions presented in this report are Sikich's responsibility. The OIG's responsibility was to oversee the contractor's work in accordance with generally accepted government auditing standards.

Based on its review for the period of October 1, 2024, through June 30, 2025, Sikich found that the DNFSB has not established an effective agency-wide information security program and practices. Weaknesses remain that impair the agency's ability to adequately protect the DNFSB's systems and information.

As a result of the weaknesses noted in this audit, Sikich made seven new recommendations to assist the DNFSB in strengthening its information security program and practices, in addition to the six prior-year recommendations that remain open.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 7 open recommendations.
Each recommendation is listed with its number, whether it is significant, the recommended questioned costs, and the recommended funds for better use.

Recommendation 1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB finalize its project plan and procedures for developing and maintaining current and target CSF profiles.

Recommendation 2 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB develop current and target CSF profiles.

Recommendation 3 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB coordinate with its software producers to obtain Secure Software Development Attestation Forms. If the DNFSB is unable to obtain the attestation forms, it should request POA&Ms from the software producers, in accordance with OMB Memorandum M-23-16.

Recommendation 4 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB submit POA&Ms and risk-based waiver requests to OMB for approval in accordance with OMB Memorandum M-23-16.

Recommendation 5 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB document policies and procedures for developing and maintaining a comprehensive and accurate inventory of data and the corresponding metadata for the DNFSB's data types.

Recommendation 6 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB create and maintain a comprehensive inventory of data and corresponding metadata.

Recommendation 7 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
We recommend that the DNFSB prioritize and conduct an annual security control assessment and update the GSS' System Security Plan, Security Assessment Report, Privacy Impact Assessment, and Information System Contingency Plan in accordance with the DNFSB Risk Management Framework Handbook.
