Performance Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 Technical Training Center: Chattanooga, Tennessee

View Report

Date Issued

Friday, January 24, 2025

Submitting OIG

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-NRC-25-A-04

Report Description

The Office of the Inspector General (OIG) contracted with Sikich to conduct this performance audit. The objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission’s (NRC) Technical Training Center (TTC). The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.

Based on its assessment period from March 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for the TTC, the agency’s implementation of a subset of selected controls was not fully effective. There were weaknesses in the TTC’s information security program and practices. As a result, six recommendations were made to assist the TTC in strengthening its information security program.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	Yes	$0	$0	Agency Response Dated March 30, 2026: The management of the NRC OCIO, in coordination with the OCHCO and ADM, will evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts as needed to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal Year 2027, Second Quarter OIG Analysis: The OIG will close this recommendation after confirming that the OCIO, in coordination with OCHCO and the ADM, has evaluated the NRC’s separation policies and procedures and re-engineered the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Agency Response Dated July 18, 2025: The management of the NRC OCIO, in coordination with the OCHCO and ADM, will evaluate the NRC’s separation policies and procedures and reengineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal Year (FY) 2027, Quarter (Q) 2 OIG Analysis: The OIG will close this recommendation after confirming that the OCIO, in coordination with OCHCO and the ADM, has evaluated the NRC’s separation policies and procedures and re-engineered the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Agency Response Dated February 10, 2025: The management of the NRC OCIO, in coordination with the OCHCO and the ADM, will evaluate the NRC’s separation policies and procedures, and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. Target Completion Date: Fiscal year (FY) 2026, second quarter (Q2) OIG Analysis: The OIG will close this recommendation after confirming that the management of NRC OCIO, in coordination with OCHCO and ADM evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner. This recommendation remains open and resolved.
We recommend that the NRC OCIO management, in coordination with OCHCO and ADM, evaluate the NRC’s separation policies and procedures and re-engineer the related business processes and the automation used to disable separated employees’ accounts to ensure that the NRC terminates these accounts in a timely manner.