Performance Audit of the U.S. Nuclear Regulatory Commission's Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Date Issued

Tuesday, September 30, 2025

Submitting OIG

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-NRC-25-A-14

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
1	Yes	$0	$0	Agency Response Dated December 29, 2025: The NRC will complete the implementation of the National Institute of Standards and Technology (NIST) CSF 2.0 requirements and develop and maintain current and target CSF profiles that anticipate changes to the agency’s cybersecurity posture. Target Completion Date: FY 2026, Quarter 3 OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence that the NRC completed the implementation of CSF 2.0 requirements and developed and maintained current and target CSF profiles that anticipate changes in the NRC’s cybersecurity posture.
We recommend that the NRC complete the implementation of CSF 2.0 requirements, and develop and maintain current and target CSF profiles that anticipate changes in the NRC’s cybersecurity posture.