Date Issued
Submitting OIG
Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated
Nuclear Regulatory Commission
Report Number
OIG-NRC-25-A-04
Report Description

The Office of the Inspector General (OIG) contracted with Sikich to conduct this performance audit.  The objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission’s (NRC) Technical Training Center (TTC).  The findings and conclusions presented in this report are the responsibility of Sikich.  The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards. 

Based on its assessment period from March 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for the TTC, the agency’s implementation of a subset of selected controls was not fully effective.  There were weaknesses in the TTC’s information security program and practices.  As a result, six recommendations were made to assist the TTC in strengthening its information security program.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 4 open recommendations.
Columns: Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details

Recommendation 1 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Agency Response Dated July 18, 2025: The management of the NRC OCIO, in coordination with the OCHCO and ADM, will evaluate the NRC’s separation policies and procedures and reengineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal Year (FY) 2027, Quarter (Q) 2
OIG Analysis: The OIG will close this recommendation after confirming that the OCIO, in coordination with OCHCO and the ADM, has evaluated the NRC’s separation policies and procedures and re-engineered the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner.

Agency Response Dated February 10, 2025: The management of the NRC OCIO, in coordination with the OCHCO and the ADM, will evaluate the NRC’s separation policies and procedures, and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal year (FY) 2026, second quarter (Q2)
OIG Analysis: The OIG will close this recommendation after confirming that the management of NRC OCIO, in coordination with OCHCO and ADM, has evaluated the NRC’s separation policies and procedures and re-engineered the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. This recommendation remains open and resolved.

We recommend that the NRC OCIO management, in coordination with OCHCO and ADM, evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner.

Recommendation 3 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Agency Response Dated July 18, 2025: The NRC’s TTC management will install a server cage on the second floor of the facility for the NRC IT Infrastructure Patch Panel. In addition, OCHCO will coordinate with the OCIO network team to have OCIO purchase a server cage that is delivered and installed at the TTC facility. Target Completion Date: FY 2026, Q2
OIG Analysis: The OIG will close this recommendation after confirming that TTC management has installed a server cage for the NRC IT Infrastructure Patch Panel on the facility’s second floor.

Agency Response Dated February 10, 2025: The NRC’s TTC management will install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel. In addition, OCHCO will coordinate with the OCIO network team to have OCIO purchase a server cage that is delivered and installed at the TTC facility. Target Completion Date: FY 2026, Q2
OIG Analysis: The OIG will close this recommendation after confirming that the NRC’s TTC management installed a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel while the OCHCO coordinates with the OCIO network team to have OCIO purchase a server cage that is delivered and installed at the TTC facility. This recommendation remains open and resolved.

We recommend that the NRC’s TTC management install a server cage on the second floor of the facility for the NRC Information Technology Infrastructure Patch Panel.

Recommendation 5 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Agency Response Dated July 18, 2025: The ADM management has defined the risk-based determination and mitigations for including the regions in the NRC general access group in Section III, “Security Assessment and Surveys,” of Management Directive (MD) 12.1, “NRC Facility Security Program,” dated April 22, 2024. MD 12.1 specifically highlights that the Division of Facilities and Security conducts security reviews, physical security annual assessments (PSAAs), and technical security countermeasure (TSCM) assessments of all NRC facilities in accordance with the latest U.S. Department of Homeland Security (DHS) Interagency Security Committee (ISC) standards. In response to the annual security assessments, ADM has mitigated any potential risks associated with badged access to the NRC general access group. In addition, NRC personnel are issued an identification badge called a personal identity verification (PIV) card. PIV cards are compliant with the requirements in Homeland Security Presidential Directive 12, “Policy for a Common Identification Standard for Federal Employees and Contractors,” dated August 27, 2004. The use of PIV cards aids access control for NRC facilities to ensure that only authorized persons gain entry. PIV cards also indicate any access limitations to classified information and limited access, security control, or other areas. Target Completion Date: The NRC suggests closure of this recommendation.

OIG Analysis: The OIG reviewed the evidence and confirmed that NRC management defined a risk-based process for regularly reviewing users who have badged access to the NRC general access group and restricting badged access to the Regions based on the business needs. However, implementation evidence of the risk-based process was not provided to address the recommendation. The OIG will close this recommendation after confirming that NRC management has implemented a risk-based process for regularly reviewing users with badged access to the NRC general access group and restricting badged access to the Regions based on business needs.

Agency Response Dated February 10, 2025: The NRC’s ADM management will define the risk-based determination and mitigations for including the regions in the NRC general access group. Target Completion Date: FY 2025, Q2
OIG Analysis: The OIG will close this recommendation after confirming that the NRC’s ADM management has defined and implemented a risk-based process for regularly reviewing users who have badged access to the NRC general access group and has defined the risk-based determination and mitigations for including regions in the NRC general access group. This recommendation remains open and resolved.

We recommend that NRC management define and implement a risk-based process for regularly reviewing users who have badged access to the NRC general access group and restricting badged access to the Regions based on business needs.

Recommendation 6 (Significant: Yes; Recommended Questioned Costs: $0; Recommended Funds for Better Use: $0)
Agency Response Dated July 18, 2025: The NRC management has performed a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, the NRC management has leveraged MD 12.1 to conduct security reviews, PSAAs, and TSCM assessments of all NRC facilities in accordance with the latest U.S. DHS ISC standards. In response to the annual assessments, the NRC has implemented mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. Target Completion Date: The NRC suggests closure of this item.
OIG Analysis: Evidence of implementation, specifically the risk-based analysis and/or implemented mitigating controls that would reduce the potential impact of having users with badged access to multiple facilities, was not provided. In a separate email, NRC staff stated the risk-based analysis is still under review and should be completed by the end of September 2025. The OIG will close this recommendation after confirming that NRC management has performed a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. Additionally, as a part of this risk-based analysis, NRC management must define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.

Agency Response Dated February 10, 2025: The NRC’s ADM management will perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities; and as a part of this risk-based analysis, will define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. Target Completion Date: FY 2025, Q2
OIG Analysis: The OIG will close this recommendation after confirming that NRC management performs a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. This recommendation remains open and resolved.

We recommend that NRC management perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.
