A FISMA compliance evaluation of the Nuclear Regulatory Commission, performed by an independent auditor on behalf of the Office of Inspector General, found that NRC has made IT security progress on some fronts but that weaknesses remain, particularly in the management of its security program.
The report concluded that over the past nine years, “NRC has continued to make improvements to its information system security program and continues to make progress in implementing the recommendations resulting from previous evaluations.”
The auditor also concluded that weaknesses remain in NRC’s compliance with FISMA. Of note, the “agency has not developed an organization-wide risk management strategy” and, as multiple previous audits have found, “the agency’s POA&M [Plan Of Action and Milestones] program still needs improvement.”
The complete report is attached below.