Performance Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Date Issued

Tuesday, September 30, 2025

Submitting OIG

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-NRC-25-A-14

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	Yes	$0	$0
We recommend that the NRC complete the implementation of CSF 2.0 requirements, and develop and maintain current and target CSF profiles that anticipate changes in the NRC’s cybersecurity posture.
2	Yes	$0	$0
We recommend that the NRC coordinates with its software producers to obtain Secure Software Development Attestation Forms. If the NRC is unable to obtain the self-attestation forms, it should request POA&Ms from the software producers and submit them to the OMB, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.
3	Yes	$0	$0
We recommend that the NRC request an extension or a waiver from the OMB for continued use of the producer’s software when a self-attestation is not provided, in accordance with OMB Memorandum M-23-16 and EO 14028 self-attestation requirements.