Evaluation of the U.S. Nuclear Regulatory Commission’s Information Technology Asset Management

The Office of the Inspector General (OIG) determined that U.S. Nuclear Regulatory Commission (NRC) information technology (IT) assets were not managed effectively throughout aspects of the IT lifecycle management process. The OIG substantiated four allegations, and found that some NRC assets were not returned upon employee separation from the NRC. Specifically, three employees separated from the NRC without returning four laptops. Additionally, NRC IT assets are not located in the locations that are shown in the configuration management database. The OIG found that 666 of 980 items were not in the locations assigned within the ITSM toolset. Further, new IT assets were not logged into the appropriate database for a period of 3 months. The OIG also found that NRC decommissioning procedures were not followed for IT assets.This report makes six recommendations to improve the NRC’s information technology asset management program.