The Office of the Inspector General contracted with Sikich CPA LLC to conduct this audit. Its objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission Region IV facility. The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.
Based on its assessment period from April 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for Region IV, the agency’s implementation of a subset of selected controls was not fully effective. There were weaknesses in Region IV’s information security program and practices. As a result, two recommendations were made to assist Region IV in strengthening its information security program.