U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Performance Audit of the U.S. Nuclear Regulatory Commission’s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 Technical Training Center: Chattanooga, Tennessee

Report Information

Date Issued
Report Number
OIG-NRC-25-A-04
Report Type
Audit
Description
The Office of the Inspector General (OIG) contracted with Sikich to conduct this performance audit.  The objective was to assess the effectiveness of the information security policies, procedures, and practices of the U.S. Nuclear Regulatory Commission’s (NRC) Technical Training Center (TTC).  The findings and conclusions presented in this report are the responsibility of Sikich.  The OIG’s responsibility is to provide oversight of the contractor’s work in accordance with generally accepted government auditing standards.  Based on its assessment period from March 2024 through October 2024, Sikich found that although the NRC generally implemented effective information security policies, procedures, and practices for the TTC, the agency’s implementation of a subset of selected controls was not fully effective.  There were weaknesses in the TTC’s information security program and practices.  As a result, six recommendations were made to assist the TTC in strengthening its information security program.
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

We recommend that NRC management perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.

Agency Response Dated July 18, 2025: The NRC management has performed a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, the NRC management has leveraged MD 12.1 to conduct security reviews, PSAAs, and TSCM assessments of all NRC facilities in accordance with the latest U.S. DHS ISC standards. In response to the annual assessments, the NRC has implemented mitigating controls that reduce the potential impact of having users with badged access to multiple facilities.<br />
Target Completion Date: The NRC suggests closure of this item.<br />
OIG Analysis: Evidence of implementation, specifically the risk-based analysis and/or implemented mitigated controls that would reduce the potential impact of having users with badged access to multiple facilities, was not provided. In a separate email, NRC staff stated the risk-based analysis is still under review and should be completed by the end of September 2025. The OIG will close this recommendation after confirming that NRC management has performed a<br />
risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. Additionally,<br />
as a part of this risk-based analysis, NRC management must define, document, and implement mitigating controls that<br />
reduce the potential impact of having users with badged access to multiple facilities.<br />
<br />
Agency Response Dated February 10, 2025: The NRC’s ADM management will perform a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities; and as a part of this risk-based analysis, will define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. Target Completion Date: FY 2025, Q2<br />
OIG Analysis: The OIG will close this recommendation after confirming that NRC management performs a risk-based analysis of the practice of allowing users to have general badge access to multiple NRC facilities. As a part of this risk-based analysis, NRC management should define, document, and implement mitigating controls that reduce the potential impact of having users with badged access to multiple facilities. This recommendation remains open and resolved.