Audit of the Defense Nuclear Facilities Safety Board’s Implementation of the Federal Information Security Modernization Act of 2014

Report Information

Date Issued:
Report Number: DNFSB-23-A-04
Report Type: Audit
Joint Report: Yes
Participating OIG: Nuclear Regulatory Commission OIG
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

We recommend that DNFSB’s Chief Information Security Officer acquire resources to adequately support the procurement, onboarding and implementation of requirements across all EL maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

Agency Response Dated June 2, 2025: A walkthrough of the DNFSB Event Logging was held on April 30, 2025. Per the walkthrough and inspection of event logging captured to meet the required logging for Critical Levels 1, 2, and 3 as required by OMB M-21-31, it was identified that the DNFSB has met the OMB’s logging requirement for Critical Levels 1, 2, and 3. Key supporting documentation was provided to the Auditor. DNFSB requests the closure of this recommendation, based on the status update and documentation provided.
OIG Analysis: During the fieldwork phase of the Audit of the DNFSB’s Implementation of Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2025, the OIG and its contractors had a discussion with the DNFSB on its prior years’ outstanding FISMA recommendations. A walkthrough of the DNFSB Event Logging was held on April 30, 2025. Per the walkthrough and inspection of event logging captured to meet the required logging for Critical Levels 1, 2, and 3 as required by OMB M-21-31, it was identified that the DNFSB had met the OMB’s logging requirement for Critical Levels 1, 2, and 3. This recommendation is now closed.

Agency Response Dated February 27, 2025: DNFSB is now capturing all required logs for Criticality Levels 1, 2, & 3 as required by OMB M-21-31. The Logging Requirements M-21-31.xlsx file lists all of the required log types and a mapping to the specific logs that are being captured along with the log location.
NOTE: a hands-on walkthrough of the various playbooks in the Sentinel Security Information and Event Management (SIEM) would be helpful to demonstrate how the logs are being captured & accessed.
OIG Analysis: After reviewing the evidence, the OIG has concluded that additional artifacts are needed, such as screenshots of the various playbooks in Sentinel SIEM, to demonstrate how logs are being captured and accessed. Therefore, this recommendation remains open and resolved. The OIG will verify if corrective actions have been taken by the DNFSB to address this recommendation during its FY25 Federal Information Security Modernization Act of 2014 audit.