Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2020

View Report

Date Issued

Friday, March 19, 2021

Submitting OIG

Nuclear Regulatory Commission OIG

Other Participating OIGs

Nuclear Regulatory Commission OIG

Agencies Reviewed/Investigated

Nuclear Regulatory Commission

Report Number

OIG-21-A-05

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 1 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
12	Yes	$0	$0	Agency Response Dated July 3, 2025: The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The revised target completion date is the fourth quarter (Q4) of fiscal year (FY) 2025. Target Completion Date: FY 2025, Q4 OIG Analysis: The OIG will close this recommendation after confirming that the agency has integrated metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The new target completion date is the fourth quarter (Q4) of FY 2025. Target Completion Date: FY 2025, Q4 OIG Analysis: The OIG will close this recommendation after reviewing the evidence that demonstrates and confirms the NRC integrated metrics for measuring the effectiveness of information system contingency plans and its relation to other plans such as the organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. This recommendation remains open and resolved. Status: Open: Resolved. The NRC and the OIG are working to come to an agreement on a sufficient way to complete this recommendation. The OIG will close the recommendation after the NRC integrates metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans to deliver persistent situational awareness across the organization. Target Completion Date: To be determined.
Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.