The Nuclear Regulatory Commission’s (NRC’s) Assistant Inspector General for Audits issued a memorandum on August 20 on the status of recommendations based on the Office of Inspector General’s (OIG’s) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13). As previously reported on Up & Atom, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures for licensees to use to demonstrate sustained program effectiveness. Based on the NRC’s July 3, 2019, response, OIG has issued this status of recommendations.
OIG’s Recommendation 1 is that “concurrent with developing any changes to the cyber security inspection program, use the Strategic Workforce Planning initiative to identify critical skill gap and closure strategies for future cyber security inspection staffing, such as hiring flexibilities, internal rotations, competency modeling, availability of outside training and continuous training, and appropriate numbers and roles of staff.” The NRC stated that it agreed with the recommendation, and that in FY 2020, an enhanced Strategic Workforce Planning (SWP) program would be initiated for cybersecurity needs. An SWP is an agency-wide initiative that enables the NRC to recruit, retain, and develop a skilled and diverse workforce with the abilities to address emerging demands and workload fluctuations to accomplish the agency mission. The NRC stated that its staff will continue the routine tele-training of specific key areas to enhance inspector understanding and expertise. Upon review of the agency’s response, OIG determined that more information was needed to verify the completion of this recommendation. At a meeting on July 25, 2019, OIG and agency representatives discussed the actions described in the staff response. OIG has reviewed additional documentation provided by staff as a result of the meeting and verified that staff have implemented this recommendation. Recommendation 1 is now closed.
OIG’s Recommendation 2 is that the NRC “use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g. testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.” The NRC stated that it agreed with the recommendation, and that the staff had completed an assessment of the Power Reactor Cyber Security Program, which, as previously reported on Up & Atom, collected feedback and lessons learned from stakeholders regarding the cybersecurity rule, associated guidance, licensee implementation, and NRC inspections. The NRC stated the target date for completion for the Issuance of the NRC Assessment Report and NRC Action Plan are both for the Fourth Quarter of FY 2019. OIG stated that it will close this recommendation after verifying that the NRC, through the assessment report and action plan, has developed and implemented suitable cybersecurity performance measure(s). Until then, Recommendation 2 will remain open.
We will continue to monitor developments for cybersecurity at the NRC.