Date Issued
Submitting OIG
Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated
Nuclear Regulatory Commission
Report Number
OIG-NRC-25-A-05
Report Description

The Office of the Inspector General contracted with Sikich CPA LLC to conduct this audit.  Its objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission Region IV facility.  The findings and conclusions presented in this report are the responsibility of Sikich.  The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.

Based on its assessment period from April 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for Region IV, the agency’s implementation of a subset of selected controls was not fully effective.  There were weaknesses in Region IV’s information security program and practices.  As a result, two recommendations were made to assist Region IV in strengthening its information security program.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
2
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 1 open recommendation.
Recommendation Number
1
Significant Recommendation
Yes
Recommended Questioned Costs
$0
Recommended Funds for Better Use
$0
Additional Details
Agency Response Dated March 13, 2025: The NRC has automated tools in place to identify and disable inactive user accounts. These tools have been verified to function as intended, except when accounts for recently departed individuals are manually re-enabled for temporary content preservation purposes. The NRC will investigate, then implement, changes to the tools to account for this specific, unaddressed use case.
Target Completion Date: Fiscal Year 2026, Quarter 1.
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that NRC management investigated methods of identifying inactive user accounts and improved its internal controls over inactivity to ensure that network user accounts are disabled after 90 days of inactivity.

We recommend that NRC management investigate methods of identifying inactive user accounts and improve its internal controls over inactivity to ensure that it disables network user accounts after 90 days of inactivity.
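The gap the agency response describes (an automated inactivity check that misses accounts re-enabled by hand) usually comes down to what the check treats as "activity". The following is an added illustration, not NRC's tooling or any code from the report: it runs a 90-day inactivity rule over a constructed set of account records and contrasts a naive check, which counts the re-enable timestamp as activity, with one that measures inactivity from the last logon only. The account names, fields and dates are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Policy from the recommendation: disable network user accounts after 90 days of inactivity.
INACTIVITY_LIMIT = timedelta(days=90)

# Fixed "now" so the example is deterministic (assumed date, inside the audit window).
NOW = datetime(2024, 10, 31, tzinfo=timezone.utc)


@dataclass
class Account:
    """Minimal directory record; fields are assumptions for the example."""
    name: str
    enabled: bool
    last_logon: Optional[datetime]   # last successful logon, None if never logged on
    last_enabled: datetime           # when the account was most recently (re-)enabled
    departed: bool                   # HR record says the person has left


def naive_inactive(accounts: List[Account], now: datetime = NOW) -> List[str]:
    """Flawed check: treats the most recent of logon / enable timestamps as 'activity'.

    Re-enabling an account refreshes last_enabled, so a departed user's account that
    was re-enabled for content preservation looks active and escapes the 90-day rule.
    """
    flagged = []
    for a in accounts:
        if not a.enabled:
            continue
        candidates = [t for t in (a.last_logon, a.last_enabled) if t is not None]
        if now - max(candidates) > INACTIVITY_LIMIT:
            flagged.append(a.name)
    return flagged


def inactive_accounts(accounts: List[Account], now: datetime = NOW) -> List[str]:
    """Corrected check: inactivity is measured from the last logon only.

    The enable timestamp is used only as a grace-period start for accounts that have
    never logged on, so a manual re-enable does not reset the inactivity clock.
    """
    flagged = []
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled; nothing to do
        reference = a.last_logon if a.last_logon is not None else a.last_enabled
        if now - reference > INACTIVITY_LIMIT:
            flagged.append(a.name)
    return flagged


# Constructed sample records (not real NRC accounts).
SAMPLE = [
    # Active employee, logged on recently.
    Account("alice", True, NOW - timedelta(days=5), NOW - timedelta(days=400), False),
    # Departed user; last logon 120 days ago, account re-enabled 20 days ago to preserve content.
    Account("bob_departed", True, NOW - timedelta(days=120), NOW - timedelta(days=20), True),
    # Current employee who simply stopped using the account 200 days ago.
    Account("carol", True, NOW - timedelta(days=200), NOW - timedelta(days=400), False),
    # New account, enabled 10 days ago, never logged on: still inside the grace period.
    Account("dave_new", True, None, NOW - timedelta(days=10), False),
    # Already disabled account: skipped by both checks.
    Account("erin_old", False, NOW - timedelta(days=300), NOW - timedelta(days=500), True),
]


if __name__ == "__main__":
    print("naive check flags:    ", naive_inactive(SAMPLE))
    print("corrected check flags:", inactive_accounts(SAMPLE))
```

Run stand-alone, the naive check flags only `carol`, because `bob_departed`'s recent re-enable timestamp masks 120 days without a logon; the corrected check flags both `bob_departed` and `carol`, while `dave_new` is left alone until its grace period from enablement runs out.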
