| Text of Recommendation | Use the fully defined ISA to formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions. |
|---|---|
| Recommendation Number | 2c. |
| Recommendation Status | Open |
| Significant Recommendation | Yes |
| Additional Information | Agency Response Dated March 20, 2024: The U.S. Nuclear Regulatory Commission (NRC) has transitioned and assessed 11 of its 15 information systems to National Institute of Standards and Technology Special Publication 800-53, Revision 5, "Security and Privacy Controls for Information Systems and Organizations," issued September 2020. The agency expects to complete the transition and assessment of the remaining four systems to Revision 5 in the fourth quarter (Q4) of fiscal year (FY) 2024. Target Completion Date: FY 2024, Q4. OIG Analysis: The OIG will close this recommendation after confirming that NRC has used the fully defined ISA [Information Security Architecture] to formally define enterprise, business process, information system level risk tolerance, and appetite levels necessary for prioritizing and guiding risk management decisions. Status: Open: Resolved. |
| Submitting OIG | |
| Linked Report | |