The Office of the Inspector General (OIG) determined that U.S. Nuclear Regulatory Commission (NRC) information technology (IT) assets were not managed effectively throughout aspects of the IT lifecycle management process. The OIG substantiated four allegations, and found that some NRC assets were not returned upon employee separation from the NRC. Specifically, three employees separated from the NRC without returning four laptops. Additionally, NRC IT assets are not located in the locations that are shown in the configuration management database. The OIG found that 666 of 980 items were not in the locations assigned within the ITSM toolset. Further, new IT assets were not logged into the appropriate database for a period of 3 months. The OIG also found that NRC decommissioning procedures were not followed for IT assets.This report makes six recommendations to improve the NRC’s information technology asset management program.
Report File
Date Issued
Submitting OIG
Nuclear Regulatory Commission OIG
Other Participating OIGs
Nuclear Regulatory Commission OIG
Agencies Reviewed/Investigated
Nuclear Regulatory Commission
Report Number
OIG-24-E-01
Report Description
Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$37,000
Open Recommendations
This report has 3 open recommendations.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1.2 | Yes | $0 | $0 | Agency Response Dated January 30, 2026: NRC staff agrees with this recommendation. The following items have been updated and can be referenced in MD 13.1, Section F. NRC Space and Property Management System (SPMS) Roles and Responsibilities, and Section G. ServiceNow Roles and Responsibilities, once published. • Updated the roles and responsibilities outlined in MD 13.1. • Referenced the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff. • Referenced the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under the $2500 threshold. All updates have been incorporated into MD 13.1. ADM will provide the revised MD to the manuscript team for final review and publication. Target Completion Date: Q2 FY 2026 OIG Analysis: The OIG will close this recommendation after reviewing the updated published MD 13.1. This recommendation remains open and resolved. Agency Response NRC staff agrees with this recommendation. Dated May 29, 2025: ADM will revise MD 13.1, issued December 21, 2023, to do the following: • Update the roles and responsibilities outlined in MD 13.1. • Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff. • Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved. Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. ADM will revise MD 13.1, issued December 21, 2023, to do the following: • Update the roles and responsibilities outlined in MD 13.1. • Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff. • Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved. |
|
| Update MD 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold. | |||||
| 3.1 | Yes | $0 | $0 | Agency Response Dated January 30, 2026: NRC staff agree with this recommendation. OCIO has done the following: • The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Completed: Q4 FY 2024) • For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024) • OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags. (Reference ITAM Playbook, 4.3.1 Control of Equipment (NRC Tags) (Completed: Q1 FY2026) The updated HAM Playbook has been incorporated into MD 13.1. ADM will provide the revised MD to the manuscript team for final review and publication. Target Completion Date: Q2 FY2026 OIG Analysis: The OIG will close this recommendation after reviewing the updated published MD 13.1. This recommendation remains open and resolved. Agency Response NRC staff agrees with this recommendation. Dated May 29, 2025: OCIO has already done the following: • The staff drafted standard operating procedures (SOP’s) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Completed: Q4 FY 2024) • For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024) • OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags. (Completed: Q1 FY 2025) ADM will update MD 13.1 to incorporate the updated HAM Playbook (Target Completion Date: Q4, FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved. Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. OCIO had already done the following: • The staff drafted standard operating procedures (SOP’s) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Target Completion Date: Q4 FY 2024) • For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024) OCIO will update the HAM Playbook to reflect the ADM process for requesting tags. (Target Completion Date: Q1 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved. |
|
| Update MD 13.1, Property Management, and the Hardware Asset Management Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner. | |||||
| 4.1 | Yes | $0 | $0 | Agency Response Dated January 30, 2026: NRC staff agrees with this recommendation. All affected contracts have been updated to include a service level agreement for sanitation of assets. Requisitions are pending management review and approval. Target Completion Date: Q2 FY2026 OIG Analysis: The OIG will close this recommendation after the affected contracts are reviewed and the updated service-level requirement for asset sanitation is confirmed. This recommendation remains open and resolved. Agency Response NRC staff agrees with this recommendation. Dated May 29, 2025: The End User Computing Contracting Officer's Representative is planning several modifications to the affected contract to include a service level requirement for sanitization of all NRC-issued laptops. (Target Completion Date: Q4 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved. Agency Response dated July 31, 2024: NRC staff agrees with this recommendation. When the option period is executed in April 2025, OCIO will add a specific service level agreement to the end user computing contract referencing the requirement for timely completion of device sanitization. (Target Completion Date: Q3 FY 2025) OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved. |
|
| Update the affected contract(s) to include a service level requirement for the sanitation of assets. | |||||
