Performance Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 Region IV: Arlington, Texas

View Report

Date Issued

Tuesday, February 4, 2025

Submitting OIG

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-NRC-25-A-05

Report Description

The Office of the Inspector General contracted with Sikich CPA LLC to conduct this audit. Its objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission Region IV facility. The findings and conclusions presented in this report are the responsibility of Sikich. The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.

Based on its assessment period from April 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for Region IV, the agency’s implementation of a subset of selected controls was not fully effective. There were weaknesses in Region IV’s information security program and practices. As a result, two recommendations were made to assist Region IV in strengthening its information security program.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	Yes	$0	$0	Agency Response Dated March 13, 2025: The NRC has automated tools in place to identify and disable inactive user accounts. These tools have been verified to function as intended, except when accounts for recently departed individuals are manually re-enabled for temporary content preservation purposes. The NRC will investigate, then implement, changes to the tools to account for this specific, unaddressed use case. Target Completion Date: Fiscal Year 2026, Quarter 1. OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that NRC management investigated methods of identifying inactive user accounts and improved its internal controls over inactivity to ensure that network user accounts are disabled after 90 days of inactivity.
We recommend that NRC management investigate methods of identifying inactive user accounts and improving its internal controls over inactivity to ensure that it disables network user accounts after 90 days of inactivity.