Independent Evaluation of the DNFSB’S Implementation of the Federal Information Security Modernization Act of 2014 for FY 2021

View Report

Date Issued

Tuesday, December 21, 2021

Submitting OIG

Nuclear Regulatory Commission OIG

Other Participating OIGs

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Defense Nuclear Facilities Safety Board

Report Number

DNFSB-22-A-04

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
11	Yes	$0	$0	Agency Response Dated June 2, 2025: As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendation 11. However, the agency provided an update to the target completion date. Estimated Target Completion Date: fiscal year (FY) 2025, Quarter 4 OIG Analysis: The OIG will close this recommendation after confirming that the agency has continued its efforts to develop and implement role-based privacy training for users with significant privacy or data protection-related duties. March 31, 2025: Agency Status: In a February 26th, 2025, meeting between the DNFSB and OIG, the DNFSB noted that, “the DNFSB is currently in the process of developing role-based privacy training,” based on their testing. OIG Analysis: The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for this recommendation. The OIG notified the DNFSB that, ultimately, the agency should define this themselves (i.e., who/what roles require additional privacy role-based training). Therefore, to close this recommendation, the DNFSB would need to demonstrate identification of the roles that are required to take additional privacy role-based training, show evidence of the development and/or acquisition/rollout of privacy rolebased training program materials, and show the implementation of the privacy role-based training (i.e., that the required personnel have taken the training). The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. DNFSB provides role-based privacy training within its required annual Cyber Awareness training. Topics such as Social Networking, handling of Controlled Unclassified Information (CUI) and Classified data, website use, and Social Engineering are all covered by this training. Each user is required to complete this training prior to accessing DNFSB systems. DNFSB further requires all users to take annual Controlled Unclassified Information (CUI) training, and all Federal employees with DOE clearances must take an annual clearance holder training, both of which address requirements for accessing, storing, and transmitting sensitive information. DNFSB has developed updated privacy training and will deliver it to agency users by the end of Q1 FY 2024. DNFSB needs the OIG to define which roles it feels require additional role-based privacy training in order to resolve this recommendation.
Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.
23	Yes	$0	$0	Agency Response Dated June 2, 2025: As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendation 11. However, the agency provided an update to the target completion date. Estimated Target Completion Date: FY 2025, Quarter 4 OIG Analysis: The OIG will close this recommendation after confirming that the agency has conducted a BIA every 2 years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities. Agency Status: In a February 26th, 2025, meeting between the DNFSB and OIG, the DNFSB noted that, “corrective action is ongoing,” and “the DNFSB is currently establishing an enterprise risk management program”. Once established, this program will conduct a BIA.” OIG Analysis: The DNFSB met with the OIG on February 26th, 2025, to discuss potential corrective actions for this recommendation. To close this recommendation, the DNFSB will need to demonstrate they have conducted a DHS Federal Emergency Management Agency (FEMA) Federal Continuity Directive (FCD) 2 process-based BIA in 2025 and show that they have incorporated the results into their contingency planning strategy and mitigation planning activities. Preferably, updates to a system-based BIA supporting the DNFSB General Support Systems (GSS) Information System Contingency Program (ISCP) would be completed in parallel to ensure the most current information was reflected in the DNFSB’s contingency planning at the Mission Essential Functions (MEF), Primary Mission Essential Functions (PMEF), and system levels. It would also be preferable if regular, process- and system-level BIA updates were incorporated as part of the ISCP program / National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Monitor step in accordance with DHS FEMA FCD 2 Annex D and NIST Special Publication (SP) 800-34, Section 3.6, requirements. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 FISMA audit. Status: Open: Resolved. This recommendation will be resolved when an agency-wide BIA is performed. DNFSB will complete a BIA Q3 FY 2024.
Conduct a business impact assessment within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.