ML20052D885

Summary of NRC Actions - Response to GAO Reports (Enclosure)
Person / Time
Issue date: 03/24/2020
From: Kristine Svinicki
NRC/Chairman
To: Dodaro G
US Government Accountability Office (GAO)
Quichocho J, 415-0209
Shared Package
ML20052D881 List:
References
CORR-20-0023

SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS

Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)
Data Center Consolidation: Agencies Making Progress, but Planned Savings Goals Need to Be Established (GAO-16-323)
Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)
Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings (GAO-16-511)
Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring (GAO-16-713)
Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices (GAO-17-233)
Data Center Optimization: Agencies Need to Address Challenges and Improve Progress to Achieve Cost Savings Goal (GAO-17-448)
Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (GAO-18-93)
Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees (GAO-18-318)
Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects (GAO-19-22)
Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs (GAO-19-144)
Data Center Optimization: Additional Agency Actions Needed to Meet OMB Goals (GAO-19-241)
Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges (GAO-19-384)
Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)
Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)

GAO, in its report, "Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," recommended that the NRC align its procedures with relevant cost-estimating best practices identified in GAO-089-3SP, "GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs" (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, "Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses."

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the updated Management Directive 8.4, "Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests," which the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft final NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, "Draft Final NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission").

Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and reference it on the NRC public website.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Data Center Consolidation: Agencies Making Progress, but Planned Savings Goals Need to Be Established March 2016 (GAO-16-323)

In 2010, as the focal point for IT management across the government, OMB's Federal Chief Information Officer launched the Federal Data Center Consolidation Initiative to reduce the growing number of data centers. Subsequently, IT reform legislation was enacted in December 2014 that included a series of provisions related to the federal data center consolidation effort, including requiring agencies to report on cost savings and requiring GAO to review agency inventories and strategies on an annual basis. The status of the actions taken by the NRC in response to the GAO recommendation in the 2016 report is provided below.

Recommendation:

The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and the U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.

Status:

The NRC met all metrics outlined in the current Data Center Optimization Initiative (DCOI) as of the third quarter of fiscal year (FY) 2019. The NRC installed energy metering, power usage effectiveness, and tiered server utilization software in the NRC environment. These updates have been reported to OMB, and the metrics are now showing as completed in the OMB MAX portal dashboard.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)

GAO, in its report, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for Category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include Category 3 sources in the National Source Tracking System and add agreement state Category 3 licenses to the Web-based Licensing System as quickly as reasonably possible.

Status:

In early 2016, the NRC formed a working group, the License Verification and Transfer of Category 3 Sources Working Group (LVWG), to evaluate license verification and transfer requirements for Category 3 sources. The LVWG evaluated the inclusion of Category 3 licenses in the NRC's Web-Based Licensing System and the methods available for verifying the legitimacy of licenses held by those licensees prior to the transfer of material. The working group also evaluated the inclusion of Category 3 sources in the National Source Tracking System (NSTS) for the specific purpose of preventing licensees from accumulating Category 3 sources into Category 2 or higher quantities of radioactive material. The LVWG made recommendations to enhance the existing processes for license verification and source tracking beyond Category 1 and Category 2 thresholds. These recommendations were provided to the Commission as part of the staff's reevaluation of Category 3 sources as outlined below.

On October 18, 2016, in the SRM for COMJMB-16-0001, "Proposed Staff Re-Evaluation of Category 3 Source Accountability," the Commission directed the NRC staff to re-evaluate Category 3 source accountability given the agency's operating experience with higher-risk sources and in response to findings made by GAO. In the direction provided in the SRM, the Commission stated that the staff should assess the risks posed by the aggregation of Category 3 sources into Category 2 quantities as part of its efforts to re-evaluate Category 3 source accountability.

A working group - the Category 3 Source Security and Accountability Working Group - was formed to address the following tasks: evaluating the pros and cons of different methods for verifying the validity of a license before a Category 3 source is transferred; evaluating the pros and cons of including Category 3 sources in the NSTS; assessing any additional options to address the source accountability recommendations made by GAO; identifying changes in the threat environment since 2009 and evaluating whether those changes support expanding the NSTS to include Category 3 sources; assessing the risks posed when a licensee possesses enough Category 3 sources to require the higher level protections for Category 2 quantities; and collaborating with NRC's Agreement State partners, non-Agreement States, licensees, public interest groups, industry groups, and the reactor community to fully assess the regulatory impact of any recommendation made by the working group. The Category 3 Source Security and Accountability Working Group considered recommendations made by the LVWG and also informed its evaluation with the results of the NRC staff's review of the effectiveness of Title 10 of the Code of Federal Regulations (10 CFR) Part 37, the results of which were reported to Congress in December 2016.

As directed by the Commission, the Category 3 Source Security and Accountability Working Group developed a notation vote paper that was submitted to the Commission in August 2017 (SECY-17-0083, "Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001"). The Commission is currently considering the staff's analysis and recommendations.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should at least until such time that Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed materials.

Status:

The LVWG evaluated this recommendation, and its analysis was considered by the Category 3 Source Security and Accountability Working Group. The Commission is currently considering the staff's analysis and recommendations.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of NRC working groups meeting to develop enhancements to the pre-licensing requirements for Category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of Category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

Status:

In early 2016, the NRC formed a working group, the Enhancements to Pre-Licensing Guidance Working Group (PLWG), to evaluate pre-licensing activities and develop recommendations for enhancements to the pre-licensing process. The PLWG developed recommendations that involve changes to existing regulations and revisions to existing training, guidance, and procedures. The NRC staff developed an action plan for the non-rulemaking recommendations (e.g., revisions to license applicant guidance documents, and revisions to NRC pre-licensing guidance and checklists), which it is currently implementing. The NRC has completed several items outlined in the action plan. For example, the NRC has: 1) issued a revision to the pre-licensing guidance (e.g., to emphasize that licenses should not be hand-delivered during a pre-licensing site visit and to outline processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate); and 2) updated the licensing and inspection courses offered at the NRC Technical Training Center and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

The NRC staff provided additional recommendations to the Commission for consideration. The Commission is currently considering the staff's analysis and recommendations. Upon receipt of Commission direction on this and other recommendations pertaining to materials licensees, the NRC staff will develop a rulemaking plan for Commission consideration.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings September 2016 (GAO-16-511)

The Federal Government is expected to spend more than $90 billion on IT in FY 2017. This includes a variety of software applications supporting agencies' enterprise needs. Since 2013, OMB has advocated the use of application rationalization. This is a process by which an agency streamlines its portfolio of software applications with the goal of improving efficiency, reducing complexity and redundancy, and lowering the cost of ownership.

The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Status:

The NRC addressed the one remaining action item for the GAO recommendation. This action item was to document the application inventory within the NRC. The agency considered this action item closed as of March 2019.

GAO followed up with the NRC in November 2019 and requested 1) documentation that the quarterly and annual validation reviews in the inventory maintenance process have occurred and 2) a more recent inventory list that includes attributes for all systems.

The NRC provided the requested information to GAO in November 2019, except for the documentation of an annual review. The annual review was completed in January 2020. This documentation will be transmitted to GAO by the end of the second quarter of FY 2020.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring September 2016 (GAO-16-713)

GAO, in its report, "Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring," made two recommendations to improve inventory monitoring, one of which applies to the NRC. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 1:

Clarify in guidance the conditions under which facilities may carry negative obligation balances.

Status:

The NRC guidance in this area is found in NUREG/BR-0006, "Instructions for Completing Nuclear Material Transaction Reports (DOE/NRC Forms 741 and 740M)," and NUREG/BR-0007, "Instructions for the Preparation and Distribution of Material Status Reports (DOE/NRC Forms 742 and 742C)." The NRC staff drafted revisions to these documents to include clarifying instructions for obligations accounting and published the revised draft documents for public comment in August 2019. In addition to addressing the GAO recommendation, the draft revisions included clarifications and changes in response to comments that users of the documents have provided over the past several years. The 90-day public comment period closed on November 13, 2019.

The staff will review and address the public comments and finalize the documents for publication by the end of the second quarter of FY 2020.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices April 2017 (GAO-17-233)

GAO, in its report, "Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices," made recommendations to the NRC to further enhance strategic human capital management practices.

GAO indicated that using forward-looking strategies, setting goals, using data-driven planning and accountability systems, and ensuring that employees have the relevant knowledge to carry out their responsibilities are essential for strategic human capital management. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Set agencywide goals, which could be ranges, for overall workforce size and skills composition that extend beyond the 2-year budget cycle.

Status:

On July 5, 2017, the NRC's Executive Director for Operations initiated a three-office pilot project of an enhanced Strategic Workforce Planning (SWP) process for the NRC that better integrates workload projection, skills identification, human capital management, individual development, and workforce management activities. Two headquarters offices and one regional office participated in the pilot project, which concluded in June 2018. A lessons-learned report found that the enhanced SWP process provided a sound, repeatable process that was used to prepare a projection for staff of the anticipated type and amount of work in the pilot organizations.

Following the lessons-learned report, the NRC SWP implementation team made recommendations for adjusting the process and expanding implementation to additional offices and regions.

In 2019, the agency implemented Phase II of the SWP that expanded the scope to cover 11 offices, including all four regions, Office of Nuclear Reactor Regulation, Office of New Reactors, Office of Nuclear Material Safety and Safeguards, Office of Nuclear Regulatory Research, Office of Nuclear Security and Incident Response, Office of the Chief Financial Officer (OCFO), and Office of the Chief Information Officer. These offices represented approximately 79 percent of the agency's workforce. Phase II demonstrated that the enhanced SWP process will support agency efforts to better forecast the amount and type of work now and in the future, and the workforce needed to perform this work.

With Phase II now complete, the NRC has ended the phased implementation of the enhanced SWP process, and the process has become part of the agency's standard operating procedures.

Implementation for the FY will begin each September and will include all offices that report to the Office of the Executive Director for Operations and three offices that report to the Commission, including OCFO, Office of the General Counsel, and Office of the Secretary.

The NRC considers this GAO recommendation to be closed.

Recommendation 2:

Establish a systematic, comprehensive approach for tracking employee skills information, either through the system developed through the competency modeling pilot program or some other system.

Status:

During the SWP pilot, the NRC developed a standard skills inventory system to track positions and the associated skills for agencywide use. At the conclusion of the pilot, the lessons-learned assessment included an evaluation of the skills inventory to identify strengths, challenges, estimated resources, and recommended improvements. At the beginning of Phase II, the NRC SWP implementation team capitalized on an existing initiative to modernize the agency's human capital management program with a competency modeling approach. The integration of competency models with SWP enables employees to assess their own skills against positions with forecasted needs, thus enabling the agency to catalog skill sets and empower employees to direct their career path towards areas of mission need. In 2019, the agency completed models for the 83 core positions identified in the SWP process. Moving forward, the agency will continue to incorporate and adjust models, as necessary.

The NRC considers this GAO recommendation to be closed.

Recommendation 3:

Consistently train managers and supervisors in strategic human capital management and assessing employee skillsets.

Status:

The NRC developed and delivered training on SWP and assessing employee skill sets to all supervisors participating in SWP. The NRC will continue to provide training for supervisors to support the annual implementation of the enhanced SWP process as part of the agency's standard operating procedures.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Data Center Optimization: Agencies Need to Address Challenges and Improve Progress to Achieve Cost Savings Goal August 2017 (GAO-17-448)

In December 2014, the Federal Information Technology Acquisition Reform Act was enacted. It contained a series of provisions related to improving the performance of data centers, including requiring OMB to establish optimization metrics and agencies to report on progress toward meeting the metrics. OMB's Federal Chief Information Officer subsequently launched the DCOI to build on prior data center consolidation and optimization efforts.

GAO reviewed data center optimization. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, [Health and Human Services], Interior, Labor, State, Transportation, Treasury, and [Veterans Affairs]; the Attorney General of the United States; the Administrators of [the Environmental Protection Agency], [General Services Administration], and [Small Business Administration]; the Director of [the Office of Personnel Management]; and the Chairman of the NRC take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.

Status:

The NRC met all metrics outlined in the current DCOI as of the third quarter of FY 2019. These implementation updates have been reported to OMB, and the metrics are now showing as completed in the OMB MAX portal dashboard.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities August 2018 (GAO-18-93)

GAO, in its report, "Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities," made one recommendation to the NRC to ensure that the agency's IT management policies address the role of the CIO for key responsibilities in five areas - IT Leadership and Accountability, IT Strategic Planning, IT Workforce, IT Investment Management, and Information Security. The status of actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 23:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified.

Status:

The NRC has completed the revision of its Information Technology/Information Management (IT/IM) Strategic Plan and published it in FY 2019. The NRC is currently in the process of identifying the appropriate agency policy to amend, as appropriate, to include the key responsibilities for the role of the CIO based upon the five areas identified by GAO. The NRC plans to complete any policy update by the end of the second quarter of FY 2020.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees March 2018 (GAO-18-318)

GAO, in its report, "Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees," provided five recommendations to the NRC. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 5:

In developing the project plan for electronic billing, the Chief Financial Officer of the NRC should include steps to assess the results of implementing electronic billing, which includes comparing the actual performance to intended outcomes.

Status:

The NRC began eBilling on September 30, 2019. Thus far, the performance of the system has matched the intended outcomes. All eBilling-enrolled licensees have received invoices. The eBilling team has been tracking enrollment on a monthly basis, allowing NRC to reassess its strategy for optimizing awareness and encouraging enrollment.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects March 2019 (GAO-19-22)

In its report, "Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects," GAO made one recommendation to the NRC on how the NRC communicates with Indian Tribes about how their input was considered in the agency's decisions on infrastructure projects. The status of the actions taken by the NRC in response to this GAO recommendation is provided below.

Recommendation 19:

The Chairman of the Nuclear Regulatory Commission should document in the agency's Tribal consultation policy how agency officials are to communicate with Tribes about how Tribal input from consultation was considered in agency decisions on infrastructure projects.

Status:

The NRC is developing agencywide guidance for Tribal consultation and communication, including how input from Tribes will be considered in the agency's decisions. The NRC expects this guidance to be completed by October 2020.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs March 2019 (GAO-19-144)

GAO, in its report, "Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs," made one recommendation to the NRC related to reviewing and assigning the appropriate codes to IT, cybersecurity, and cyber-related positions consistent with the Federal Cybersecurity Workforce Assessment Act. The status of the action taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 25:

The Chairman of the Nuclear Regulatory Commission should take steps to review the assignment of the 000 code to any positions at NRC in the 2210 IT management occupational series and assign the appropriate [National Initiative for Cybersecurity Education] framework work role codes.

Status:

The NRC performed a review and validated that all 2210 IT management occupational series and cyber-related positions have assigned National Initiative for Cybersecurity Education work role codes. All codes have been entered into the Federal Payroll and Personnel System.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Data Center Optimization: Additional Agency Actions Needed to Meet OMB Goals April 2019 (GAO-19-241)

In December 2014, Congress enacted federal IT acquisition reform legislation that included provisions related to ongoing federal data center consolidation efforts. OMB's Federal Chief Information Officer launched the Data Center Optimization Initiative (DCOI) to build on prior data center consolidation efforts; improve federal data centers' performance; and establish goals for inventory closures, cost savings and avoidances, and optimizing performance.

The 2014 legislation included a provision for GAO to annually review agencies' data center inventories and strategies. GAO made one recommendation to the NRC in its 2019 report. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 30:

The Chairman of NRC should take action to meet the data center optimization metric targets established under DCOI by OMB.

Status:

The NRC met all metrics outlined in the current DCOI as of the third quarter of FY 2019. These implementation updates have been reported to OMB, and the metrics are now showing as completed in the OMB MAX portal dashboard.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report "Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges" (GAO-19-384)

GAO, in its report, "Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges," provided four recommendations to the NRC. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 49:

Develop a cybersecurity risk management strategy that includes the key elements identified in this report.

Status:

The NRC developed a cybersecurity risk management strategy that includes and addresses the majority of the key elements identified in this GAO report to include the following: assigning appropriate (cybersecurity) roles, developing an agencywide risk assessment, identifying common controls, maintaining a control monitoring strategy, maintaining system level risk assessments, conducting and maintaining risk determinations for system operations, and conducting risk assessments for control monitoring and plan of action and milestones (POA&Ms).

The NRC acknowledges that it has not addressed all of the key elements identified by GAO.

The agency is assessing each finding and is updating agency policy, as appropriate, based on the analysis. The NRC plans to complete this recommendation by the end of FY 2020.

This GAO recommendation remains open.

Recommendation 50:

Update the agency's policies to require (1) an organization-wide cybersecurity risk assessment and (2) the use of risk assessments to inform POA&M prioritization.

Status:

The NRC developed an updated agencywide policy for risk assessment. This policy, outlined in CSO-PROS-2030, "NRC Risk Management Framework (RMF) Process," went into effect on September 1, 2019.

The NRC uses CSO-PROS-2030 as a baseline to inform and guide POA&M prioritization. The NRC uses CSO-PROS-2016, "Plan of Action and Milestones Process," to assess agencywide cybersecurity risk, and prioritize and mitigate POA&Ms. The prioritized approach to risk mitigation is determined by the severity level of each POA&M. POA&Ms with a critical and high severity take priority in remediation efforts and must be fixed within 30 calendar days, those with a moderate severity within 90 days, and those with a low severity within 120 days. The prioritized approach is defined in CSO-STD-0020, "Organization Defined Values for System Security and Privacy Controls," under the vulnerability scanning control.

The NRC uses risk assessments to inform and guide POA&M prioritization. Each organization implements a consistent process for developing POA&Ms that uses a prioritized approach to risk mitigation that is uniform across the organization. These risk assessments guide the prioritization process for items included in the POA&Ms.

The NRC considers this GAO recommendation to be closed.

Recommendation 51:

Establish a process for conducting an organization-wide cybersecurity risk assessment.

Status:

The NRC developed an updated agencywide policy for risk assessment. This policy, outlined in CSO-PROS-2030, went into effect on September 1, 2019. CSO-PROS-2030 defines the NRC Risk Management Framework process that must be followed to apply the National Institute of Standards and Technology Special Publication SP 800-37 Rev. 2, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy," to secure NRC information systems.

The NRC considers this GAO recommendation to be closed.

Recommendation 52:

Establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions.

Status:

The NRC uses CSO-PROS-2030 to outline the linkage between the cybersecurity risk management and enterprise risk management functions as part of the system development life cycle. Managing information-security-related risks for an information system is viewed as part of a larger NRC-wide risk management activity carried out by senior leaders. Cybersecurity risks are reviewed on a quarterly basis by agencywide senior leadership as part of enterprise risk management reviews and quarterly performance reporting.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report "Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," April 2019 (GAO-19-468)

GAO, in its report, "Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," made three recommendations to the NRC related to the security of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Chairman of NRC should direct NRC staff to consider socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in [a radiological dispersal device (RDD)].

Status:

The NRC disagrees with this recommendation and maintains that the current regulatory requirements provide for the safe and secure use of radioactive materials, regardless of category. The NRC has encouraged GAO to consider the conclusions of the Radiation Source Protection and Security Task Force (Task Force), which is comprised of independent experts from 14 Federal agencies and one State organization and whose reports represent the coordinated Federal consensus on source security in the United States. The Task Force has determined both the isotopes and activity thresholds appropriate for enhanced security and concluded that current measures for the security and control of radioactive sources are appropriately protective of risk-significant quantities of radioactive material.... Further, the Task Force found that there are no significant gaps in the area of radioactive source protection and security that are not already being addressed....

GAO also considers postulated fatalities that could occur during evacuations in response to the use of an RDD as part of its basis for recommending increased security measures for radioactive materials. However, the recommended protective action strategy in response to an RDD would be to shelter in place. The NRC will continue to participate in the wider ongoing efforts in the United States both to educate the public on appropriate responses to emergency situations and to maintain capabilities to mitigate adverse consequences of the misuse of radioactive materials.

The NRC considers this GAO recommendation to be closed.

Recommendation 2:

The Chairman of NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material, and assess whether other category 3 materials should also be safeguarded with additional security measures.

Status:

The NRC is considering actions relevant to this recommendation in connection with the agency's response to GAO-16-330, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," as well as to the Commission's direction on COMJMB-16-0001, "Proposed Staff Re-Evaluation of Category 3 Source Accountability." Potential options in response to these efforts are described in the NRC staff's policy paper, SECY-17-0083, "Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," which is currently before the Commission for its consideration.

This GAO recommendation remains open.

Recommendation 3:

The Chairman of NRC should require all licensees to implement additional security measures when they have multiple quantities of category 3 americium-241 at a single facility that in total reach a category 1 or 2 quantity of material.

Status:

The NRC disagrees with the recommendation that additional action is warranted in this area in order to provide adequate protection. The NRC has taken several actions related to the aggregation of sources, including evaluating inspection experience and reviewing reported incidents of loss and theft. The NRC has concluded that current regulations, which require additional security controls when lower category discrete sources are aggregated, are sufficiently protective. The NRC's ongoing actions to revise procedures for regulatory staff and guidance for licensees to prevent aggregation without appropriate security controls will further ensure safety and security for facilities where this situation may occur.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report "Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities," October 2019 (GAO-20-129)

The federal government spends over $90 billion on IT. Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 14:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement.

Status:

The NRC has enhanced its SWP process. This process was informed by the GAO report titled "Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices" (GAO-17-233). This enhanced SWP process has been fully implemented, resulting in the identification of strategies and action plans to address potential IT skill gaps.

The NRC has also provided feedback to GAO on the current state of its IT workforce planning activities, including efforts to identify competencies at the agency, and to further strengthen that activity by joining other Federal agencies that are part of the CIOs Council to build career paths/competency models for 64 IT Security roles across the Federal Government.

This GAO recommendation remains open.