The Nuclear Regulatory Commission (NRC) hasn’t implemented any of the priority recommendations made by the Government Accountability Office (GAO) in 2019, and GAO has now identified three additional recommendations, including one involving cybersecurity.
In a new report, GAO recommended that NRC “make consistent, informed, risk-based decisions” to protect its systems and information against cyber threats.
“Without developing an agency-wide cybersecurity risk management strategy, agencies may lack a consistent approach to managing cybersecurity risks,” the report said.
In July 2019, GAO recommended that NRC develop a cybersecurity risk management strategy containing the elements that are key to effectively managing cybersecurity risks. NRC “generally agreed” with the recommendation and will assess GAO’s findings and update agency policy by the end of fiscal year 2020.
Elsewhere, GAO urged NRC leadership to give attention to government-wide high-risk issues such as the personnel security clearance process, ensuring cybersecurity of the nation, and improving IT acquisitions and operations management.
“We urge your attention to the government-wide high-risk issues as they relate to NRC,” GAO said. “Progress on high-risk issues has been possible through the concerted actions and effort of Congress, the Office of Management and Budget, and the leadership and staff in agencies, including NRC.”