The Office of the Inspector General (OIG) determined that U.S. Nuclear Regulatory Commission (NRC) information technology (IT) assets were not managed effectively throughout aspects of the IT lifecycle management process. The OIG substantiated four allegations and found that some NRC assets were not returned upon employee separation from the NRC. Specifically, three employees separated from the NRC without returning four laptops. Additionally, NRC IT assets are not in the locations shown in the configuration management database: the OIG found that 666 of 980 items were not in the locations assigned within the ITSM toolset. Further, new IT assets were not logged into the appropriate database for a period of 3 months. The OIG also found that NRC decommissioning procedures were not followed for IT assets. This report makes six recommendations to improve the NRC’s information technology asset management program.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
1.1 | Yes | $0 | $0 | ADAMS Accession No: ML24241A060 Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. The NRC has modified the separation clearance process (NRC Form 270) as follows: • Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees, and hybrid or onsite employees must return all IT equipment prior to their separation interview with OCHCO. (Completed: Q3 FY 2024) • Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024) To facilitate the earlier return of agency laptops (up to 10 days before departure), OCIO will develop direction and instructions, and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365) that do not require having an agency laptop, to enable employees to work during the 10 days before the departure date. (Target Completion Date: Q2 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the development of instructions and communication with staff on how to use web-based access to NRC IT Services. This recommendation remains open and resolved. |
|
Update NRC Form 270, Separation Clearance, to include a step to ensure IT assets under the $2,500 threshold are returned prior to employee clearance for separation. | |||||
1.2 | Yes | $0 | $0 | Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. ADM will revise MD 13.1, issued December 21, 2023, to do the following: • Update the roles and responsibilities outlined in MD 13.1. • Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff. • Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under the $2500 threshold. (Target Completion Date: Q4 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved. |
|
Update MD 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold. | |||||
2.1 | Yes | $0 | $0 | Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. Within the past 3 months, NRC has performed regular inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will continue use of current agency discovery tools, and look at additional processes and tools, to fully inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q3, FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved. |
|
Complete an inventory of laptops, desktops, and tablets, and update the information in the CMDB in the current ITSM toolset. | |||||
3.1 | Yes | $0 | $0 | Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. OCIO had already done the following: • The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets and is working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Target Completion Date: Q4 FY 2024) • For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024) OCIO will update the HAM Playbook to reflect the ADM process for requesting tags. (Target Completion Date: Q1 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved. |
|
Update MD 13.1, Property Management, and the Hardware Asset Management Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner. | |||||
4.1 | Yes | $0 | $0 | Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. When the option period is executed in April 2025, OCIO will add a specific service level agreement to the end user computing contract referencing the requirement for timely completion of device sanitization. (Target Completion Date: Q3 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved. |
|
Update the affected contract(s) to include a service level requirement for the sanitation of assets. | |||||
4.2 | Yes | $0 | $0 | Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. OCIO has updated the standard operating procedure to reflect all the required steps in the decommissioning and disposal process. (Completed: Q3 FY 2024) OCIO will update the HAM Playbook to reflect the established standard operating procedure. (Target Completion Date: Q1 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management updating the HAM Playbook. This recommendation remains open and resolved. |
|
Update the PC Decommissioning Standard Operating Procedure and the Hardware Asset Management Playbook to reflect all the required steps in the decommissioning and disposal process. |