ML25167A074

| Field | Value |
|---|---|
| Issue date | 06/10/2025 |
| From | Virkar H NRC/OIG/AIGA |
| To | Buhler M NRC/EDO |
| References | DNFSB-22-A-04 |
NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | nrcoig.oversight.gov

MEMORANDUM

DATE: June 10, 2025
TO: Mary J. Buhler, Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021 (DNFSB-22-A-04)
REFERENCE: OFFICE OF THE EXECUTIVE DIRECTOR OF OPERATIONS, EMAIL CORRESPONDENCE DATED JUNE 2, 2025

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations based on the email correspondence dated June 2, 2025. Based on this response, recommendations 4 and 9 are now closed. Recommendations 1-3, 5-8, 10, 12 to 22, and 24 were previously closed. Recommendations 11 and 23 remain open and resolved. Please provide an updated status of the open, resolved recommendations by December 5, 2025.

If you have any questions or concerns, please call me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment: As stated

cc: K. Herrera, DEDO; J. Biggins, DEDRS; G. Garvin, DEDRS
Audit Report: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S IMPLEMENTATION OF THE FEDERAL INFORMATION SECURITY MODERNIZATION ACT OF 2014 FOR FISCAL YEAR 2021, Status of Recommendations (DNFSB-22-A-04)

Recommendation 4:
Define a Supply Chain Risk Management (SCRM) strategy to drive the development and implementation of policies and procedures for:
- a. How supply chain risks are to be managed across the agency;
- b. How external providers' compliance with defined cybersecurity and supply chain requirements is monitored;
- c. How counterfeit components are prevented from entering the Defense Nuclear Facilities Safety Board (DNFSB) supply chain.
Agency Response Dated June 2, 2025:
DNFSB has developed policies and procedures that demonstrate supply chain risks are managed across the agency, the compliance of external providers with defined cybersecurity and supply chain requirements is monitored, and counterfeit components are prevented from entering the agency's supply chain. DNFSB identified completion and approval of its SCRM Plan and SCRM Operating Procedure on March 21, 2025, and May 1, 2025, respectively. Key supporting documentation was provided to the Auditor.
DNFSB requests closure of this recommendation, based on the status update and documentation provided.
OIG Analysis:
During the fieldwork phase of the Audit of the DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years' outstanding FISMA recommendations. The OIG inspected the SCRM Plan and SCRM Operating Procedure and found that the DNFSB has developed policies and procedures that demonstrate supply chain risks are managed across the agency, the compliance of external providers with defined cybersecurity and supply chain requirements is monitored, and counterfeit components are prevented from entering the agency's supply chain.
The agency's corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.
Status:
Closed
Recommendation 9:
Update agency strategic planning documents to include clear milestones for implementing strong authentication, the Federal Identity, Credential, and Access Management (ICAM) architecture and Office of Management and Budget (OMB) Memorandum (M) 17, and phase 2 of the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program.
Agency Response Dated June 2, 2025:
The DNFSB has updated its Enterprise Architect and Identity and Authentication Operating Procedure to reflect implementation requirements for the recommendation.
DNFSB identified completion and approval of its Enterprise Architect and Identity and Authentication Operating Procedure on December 17, 2024, and September 17, 2024, respectively. Key supporting documentation was provided to the Auditor. DNFSB requests closure of this recommendation, based on the status update and documentation provided.
OIG Analysis:
During the fieldwork phase of the Audit of the DNFSB's Implementation of FISMA for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years' outstanding FISMA recommendations. The DNFSB has updated its Enterprise Architect and Identity and Authentication Operating Procedure to reflect implementation requirements for the recommendation. The agency has tracked the implementation and completion of the requirement with the help of the Plan of Action and Milestones. The agency's corrective actions appear reasonable and meet the intent of the recommendation. This recommendation is now closed.
Status:
Closed
Recommendation 11:
Continue efforts to develop and implement role-based privacy training for users with significant privacy or data protection related duties.
Agency Response Dated June 2, 2025:
As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendation 11. However, the agency provided an update to the target completion date.
Estimated Target Completion Date: fiscal year (FY) 2025, Quarter 4
OIG Analysis:
The OIG will close this recommendation after confirming that the agency has continued its efforts to develop and implement role-based privacy training for users with significant privacy or data protection-related duties.
Status:
Open: Resolved
Recommendation 23:
Conduct a Business Impact Analysis (BIA) within every two years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.
Agency Response Dated June 2, 2025:
As of June 2, 2025, DNFSB did not provide an updated response pertaining to recommendation 11. However, the agency provided an update to the target completion date.
Estimated Target Completion Date: FY 2025, Quarter 4
OIG Analysis:
The OIG will close this recommendation after confirming that the agency has conducted a BIA every 2 years to assess mission essential functions and incorporate the results into strategy and mitigation planning activities.
Status:
Open: Resolved