Date Issued:
Submitting OIG: Nuclear Regulatory Commission OIG
Other Participating OIGs: Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated: Nuclear Regulatory Commission
Report Number: OIG-21-A-05
Report Type: Inspection / Evaluation
Agency Wide: Yes
Number of Recommendations: 13
Questioned Costs: $0
Funds for Better Use: $0

Open Recommendations

This report has 5 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
Recommendation Number: 5 | Significant Recommendation: Yes | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0
Additional Details:
Agency Response Dated February 14, 2025: The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of fiscal year (FY) 2025, third quarter (Q3). Target Completion Date: FY 2025, Q3
OIG Analysis: The OIG will close this recommendation after confirming the NRC updated the user system access control procedures to include the requirement for individuals to complete a nondisclosure agreement as part of the clearance waiver process and that contractors and employees completed the nondisclosure agreements as part of the agency’s onboarding procedures prior to being granted access to the NRC’s systems and information. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC will update its onboarding procedures to require individuals to complete a nondisclosure agreement before they are granted access to the NRC’s systems and information. The clearance waiver process is wholly contained within the NRC’s onboarding process and will inherit the updated procedures. The updated procedures will apply to all individuals who will be granted NRC network access after receiving an IT-1, IT-2, L, or Q clearance. Individuals granted building access clearances will not be included because they are not granted access to the NRC network. The nondisclosure agreement will be an updated version of the NRC’s Form 176A, “Security Acknowledgment.” Because of the estimated time needed to obtain an Office of Management and Budget clearance for these changes to Form 176A, the NRC is recommending a new target completion date of FY 2024, Q3.

Update user system access control procedures to include the requirement for individuals to complete a non-disclosure agreement as part of the clearance waiver process prior to the individual being granted access to the NRC systems and information. Also, incorporate the requirement for contractors and employees to complete non-disclosure agreements as part of the agency’s on-boarding procedures prior to these individuals being granted access to the NRC’s systems and information.

Recommendation Number: 6 | Significant Recommendation: Yes | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0
Additional Details:
Agency Response Dated February 14, 2025: The NRC completed an independent assessment of the Privacy Program in October 2023 and identified training gaps with regard to personnel who have privacy roles requiring role-based training. Since that time, the NRC has created the role-based privacy training content for system managers, privacy custodians, and the Core Management Group (senior executive officers). The NRC is working with the contractors on developing the format of presentation. Due to project constraints, the new target completion date is the second quarter (Q2) of FY 2025. Target Completion Date: FY 2025, Q2
OIG Analysis: The OIG will close this recommendation after confirming the continued efforts of the NRC in identifying individuals who have additional responsibilities for PII or activities involving PII and developed a role-based privacy training for them to complete annually.

Status: Open: Resolved. The NRC will conduct an in-depth, independent assessment of the Privacy Program, which will cover roles and training gaps. Using the results of the assessment, the NRC will update and develop annual role-based privacy training to address the identified gaps. The NRC will begin the assessment in Q3 of FY 2023, with completion planned by the first quarter (Q1) of FY 2024. The agency plans to complete the associated training development and implementation by FY 2025, Q1.

Continue efforts to identify individuals having additional responsibilities for PII or activities involving PII and develop role-based privacy training for them to be completed annually.

Recommendation Number: 8 | Significant Recommendation: Yes | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0
Additional Details:
Agency Response Dated February 14, 2025: Due to constraints outlined by the National Treasury Employees Union (NTEU), the NRC is unable to implement a technical capability specifically to restrict NRC network access for the Federal employees. However, the agency has implemented a technical capability to restrict NRC network access for contractors who do not complete the annual security awareness training and their assigned role-based security training. In addition, the NRC has reviewed and updated the organizationally defined timeframe for the completion of security training in NRC Management Directive 12.5, “NRC Cybersecurity Program.” The revised guidance (Agencywide Documents Access and Management System Accession No. ML24198A139) specifies “NRC employees shall receive an initial cybersecurity awareness briefing. All NRC authenticated users (employees and contractors) are required to take the Computer Security Awareness course within 20 business days of obtaining access to NRC systems, and annually thereafter.” Target Completion Date: The NRC suggests closure of this recommendation.
OIG Analysis: The OIG reviewed and confirmed the updated defined timeframe for the completion of security training in the NRC Management Directive 12.5, “NRC Cybersecurity Program.” However, the OIG will close this recommendation after reviewing and confirming evidence that the NRC implemented the technical capability to restrict NRC network access for contractors who have not completed the annual security awareness training, their assigned role-based security training, and a documented risk acceptance form or risk-based decision regarding non-restriction of NRC employee network access related to training requirements due to NTEU constraints. This recommendation remains open and resolved.

Status: Open: Resolved. The Office of the Chief Information Officer (OCIO) will analyze the agency’s security awareness and role-based training records to better inform its response to this recommendation. OCIO staff will also consult with stakeholders such as the Office of the Chief Human Capital Officer and the National Treasury Employees Union to develop a specific, risk-based solution to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training. To perform this analysis and develop a solution the NRC requests a new Target Completion Date of Q2 FY2024.

Implement the technical capability to restrict NRC network access for employees who do not complete annual security awareness training and, if applicable, their assigned role-based security training.

Recommendation Number: 12 | Significant Recommendation: Yes | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0
Additional Details:
Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify opportunities to integrate metrics for measuring the effectiveness of the associated information system. The analysis will include, but not be limited to, metrics for mean time to recovery, incident response time, and site recovery time. The new target completion date is the fourth quarter (Q4) of FY 2025. Target Completion Date: FY 2025, Q4
OIG Analysis: The OIG will close this recommendation after reviewing the evidence that demonstrates and confirms the NRC integrated metrics for measuring the effectiveness of information system contingency plans and its relation to other plans such as the organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC and the OIG are working to come to an agreement on a sufficient way to complete this recommendation. The OIG will close the recommendation after the NRC integrates metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans to deliver persistent situational awareness across the organization. Target Completion Date: To be determined.

Integrate metrics for measuring the effectiveness of information system contingency plans with information on the effectiveness of related plans, such as organization and business process continuity, disaster recovery, incident management, insider threat implementation, and occupant emergency plans, as appropriate, to deliver persistent situational awareness across the organization.

Recommendation Number: 13 | Significant Recommendation: Yes | Recommended Questioned Costs: $0 | Recommended Funds for Better Use: $0
Additional Details:
Agency Response Dated February 14, 2025: The NRC will analyze its contingency plans to identify candidates for automated testing. Based on that analysis, if automated testing is feasible and cost effective, then the NRC will develop plans to implement those measures and coordinate with all associated ICT supply chain providers. The new target completion date is FY 2025, Q2. Target Completion Date: FY 2025, Q2
OIG Analysis: The OIG will close this recommendation after confirming that the NRC implemented automated mechanisms to test system contingency plans, then updated and implemented procedures to coordinate contingency plan testing with ICT supply chain providers. This recommendation remains open and resolved.

Status: Open: Resolved. The NRC and the OIG are working to come to an agreement on a sufficient way to complete this recommendation. The OIG will close the recommendation when the agency provides documentation of the cost-benefit analysis and detailed information on the decision as to why or why not the agency will implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans. Target Completion Date: To be determined.

Implement automated mechanisms to test system contingency plans, then update and implement procedures to coordinate contingency plan testing with ICT supply chain providers and implement an automated mechanism to test system contingency plans.
