ML20147A661

Office of the Inspector General - Semiannual Report to Congress for Period October 1, 2019, Through March 31, 2020
ML20147A661
Person / Time
Issue date: 10/01/2019
From:
NRC/OIG


Text

Office of the Inspector General U.S. Nuclear Regulatory Commission Defense Nuclear Facilities Safety Board Semiannual Report to Congress October 1, 2019 - March 31, 2020

OIG VISION Advancing nuclear safety and security through audits, evaluations, and investigations.

OIG MISSION Provide independent, objective audit and investigative oversight of Nuclear Regulatory Commission and Defense Nuclear Facilities Safety Board operations to protect people and the environment.

COVER PHOTOS (from left to right): An NRC inspector surveys a radiography camera; a reactor vessel head; a technician above commercial irradiator; a resident inspector routine inspection.

A MESSAGE FROM THE DEPUTY INSPECTOR GENERAL

I am pleased to present this Semiannual Report to Congress on the activities and accomplishments of the Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG) from October 1, 2019, to March 31, 2020.

Our work reflects the legislative mandate of the Inspector General Act, which is to identify and prevent fraud, waste, and abuse through the conduct of audits and investigations relating to NRC programs and operations.

The audits and investigations highlighted in this report demonstrate our commitment to ensuring integrity and efficiency in NRC's programs and operations. In addition, the Consolidated Appropriations Act, 2014, provided that notwithstanding any other provision of law, the NRC Inspector General is authorized in 2014 and subsequent years to exercise the same authorities with respect to the Defense Nuclear Facilities Safety Board (DNFSB), as determined by NRC Inspector General, as the Inspector General exercises under the Inspector General Act of 1978 (5 U.S.C. App.) with respect to NRC.

During this reporting period, OIG issued reports intended to strengthen NRC's information technology vulnerabilities, and the digital accountability and transparency. We issued financial statement audits for both NRC and DNFSB, and we identified the most serious management and performance challenges facing each agency in fiscal year (FY) 2020. We also issued an audit for DNFSB's Human Resources Program. OIG opened 11 investigations, and completed 16 cases.

Three of the open cases were referred to the Department of Justice, and 31 allegations were referred to agency management for action.

NRC OIG is committed to the integrity, efficiency, and effectiveness of NRC and DNFSB programs and operations, and our audits, investigations, and other activities highlighted in this report demonstrate our ongoing commitment. I would like to acknowledge our auditors, investigators, and support staff for their commitment to the mission of this office.

Our success would not be possible without the collaborative efforts between OIG staff and NRC and DNFSB staff to address OIG findings and implement corrective actions in a timely manner.

I thank them for their dedication, and I look forward to continued cooperation as we work together to ensure the integrity and efficiency of agency operations.

David C. Lee
Deputy Inspector General

October 1, 2019, to March 31, 2020

Control panel at a nuclear power station.

NRC Office of the Inspector General Semiannual Report to Congress

CONTENTS

Highlights
  Audits and Evaluations
  Investigations
Overview of NRC and OIG
  NRC's Mission
  OIG History, Mission, and Goals
    OIG History
    OIG Mission and Goals
OIG Programs and Activities
  Audit and Evaluation Program
  Investigative Program
  OIG General Counsel Regulatory Review
  Other OIG Activities
NRC Management and Performance Challenges
NRC Audits and Evaluations
  Summaries
  In Progress
NRC Investigations
  Summaries
DNFSB
DNFSB Management and Performance Challenges
DNFSB Audits and Evaluations
  Summaries
DNFSB Investigations
  Summaries
Summary of OIG Accomplishments at NRC
  Investigative Statistics
  Audit and Evaluation Listings
  Contract Reports
  Resolution Activities
Summary of OIG Accomplishments at DNFSB
  Investigative Statistics
  Audit and Evaluation Listings
  Resolution Activities
Unimplemented Audit Recommendations
  NRC
  DNFSB
Abbreviations and Acronyms
Reporting Requirements
Appendix

Resident Inspector at Watts Bar Nuclear Power Plant.


HIGHLIGHTS

The following sections highlight selected audits and investigations completed during this reporting period. More detailed summaries appear in subsequent sections of this report.

Audits and Evaluations

Nuclear Regulatory Commission

  • NRC is viewed as the world leader among nuclear regulatory bodies as it licenses and regulates the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, to promote the common defense and security, and to protect the environment. The NRC's proposed FY 2020 budget is $921.1 million, including 3,062 full-time equivalent employees located in five primary locations in the United States. Beyond its nuclear safety and security mission, as a Federal agency, NRC must be a responsible steward of taxpayer dollars and expend its budgeted funds properly. This year OIG is introducing a new design for the Management Challenges report, in which we use a single-page format to identify each challenge, actions taken by the agency, and work left to do. Based on feedback from the agency and our desire to improve the specificity and clarity of the challenges we believe should receive the NRC's attention, we have modified the challenge areas identified in our FY 2019 Management Challenges report and have identified seven areas representing more focused and actionable challenges.
  • OIG issued an Official Use Only report, Evaluation of Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing, which is not publicly available because it contains sensitive security information.
  • The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires that Federal agencies report financial and payment data in accordance with data standards established by the Department of Treasury and the Office of Management and Budget (OMB). The data reported will be displayed on a Web site available to taxpayers and policy makers. In addition, the DATA Act requires Inspector Generals (IGs) to review the data submitted by the agency under the Act and report to Congress on the completeness, timeliness, quality and accuracy of this information. The OIG contracted with CliftonLarsonAllen LLP (CLA) to conduct an independent audit of NRC's implementation of the DATA Act of 2014.
  • The Chief Financial Officers Act of 1990, as amended, requires the Inspector General (IG) or an independent external auditor, as determined by the IG, to annually audit NRC's financial statements in accordance with applicable standards. In compliance with this requirement, OIG retained CLA to conduct this annual audit. The audit included, among other things, obtaining an understanding of NRC and its operations, including internal control over financial reporting; evaluating the design and operating effectiveness of internal control and assessing risk; and testing relevant internal controls over financial reporting. The audit also examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessed the accounting principles used, and evaluated the significant estimates made by agency management as well as the overall financial statement presentations. The resulting report contained unmodified opinions on the agency's financial statements and internal controls and did not identify any instances of non-compliance regarding the agency's compliance with laws and regulations.

Defense Nuclear Facilities Safety Board

  • DNFSB was established to oversee the Department of Energy's (DOE) defense nuclear facilities, and to provide the Secretary of Energy with advice and recommendations to ensure adequate protection of public health and safety at these facilities. DNFSB's staff is composed of excepted service and general schedule staff. In addition, Senior Executive Service (SES) employees are assigned to lead DNFSB's offices. From 2018 through 2019, DNFSB lost approximately 25 percent of its technical staff. As a result, Congress directed DNFSB to increase the number of its staff. The audit objective was to determine if DNFSB's human resources program is designed and implemented to effectively support the execution of its mission.
  • The Accountability for Tax Dollars Act of 2002 requires the IG or an independent external auditor, as determined by the IG, to annually audit the DNFSB financial statements in accordance with applicable standards. In compliance with this requirement, the OIG retained CLA to conduct this annual audit. CLA examined DNFSB's FY 2019 Agency Financial Report, which includes financial statements for FY 2019. The resulting report contained unmodified opinions on the agency's financial statements and internal controls and did not identify any instances of non-compliance regarding the agency's compliance with laws and regulations.
  • The DNFSB is required to submit quarterly financial and award data for publication on USASpending.gov in compliance with the DATA Act. The NRC OIG contracted with CLA, an independent certified public accounting firm, to conduct a performance audit on DNFSB's compliance under the DATA Act. This report represents the results of our performance audit of the DNFSB's compliance under the DATA Act.
  • DNFSB is an independent oversight organization within the Executive Branch created by Congress in 1988. DNFSB is considered a critical oversight agency as it performs its mission to provide independent analysis, advice, and recommendations to the Secretary of Energy in providing adequate protection of public health and safety at defense nuclear facilities in the DOE. DNFSB requested $29,450,000 and 100 full-time equivalents (FTE) to carry out its mission in FY 2020. This is a 5 percent decrease from the agency's FY 2019 appropriation level of $31,000,000. As of October 2019, DNFSB has 89 positions occupied. DNFSB unanimously approved an FY 2020 staffing plan totaling 115 employees. Based on hiring/attrition cycles, DNFSB expects to average 100 employees going forward. This year OIG is introducing a new design for the Management Challenges report, in which we identify each challenge, actions taken, and work left to do. We identified four actionable challenges DNFSB must continue to address.

  • On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency IG. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at strengthening the security of the Federal Government information and information systems further. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

The OIG engaged SBG Technology Solutions, Inc. (SBG), to conduct an independent evaluation of DNFSB's overall information security program and practices to respond to the FY 2019 IG FISMA Reporting Metrics.

Investigations

Nuclear Regulatory Commission

  • OIG completed an investigation into concerns reported by a citizen stakeholder pertaining to NRC's oversight of a 42-inch natural gas pipeline that was, at the time, proposed to traverse Indian Point Energy Center (IPEC) property. This pipeline, now in operation, was part of the Algonquin Incremental Market (AIM) Project, which was proposed to replace certain portions of the existing pipeline and install a new pipeline in the northeast United States. NRC's role was to support the Federal Energy Regulatory Commission's (FERC) decision to approve or disapprove the project by providing information to FERC on the impacts of the AIM Project on IPEC.
  • OIG completed an investigation into an allegation that an NRC senior manager had resigned from the NRC effective August 19, 2017, and shortly thereafter, on August 24, 2017, an NRC licensee announced she had accepted a position with the licensee. Prior to her departure from NRC, the senior manager had oversight of the strategic alliance for flex emergency response (SAFER) Regional Response Centers and safety evaluations of the FLEX programs. FLEX is portable equipment and mitigating strategies to respond to events that exceed design basis incidents.
  • OIG completed an investigation into an allegation from the NRC Office of the Chief Financial Officer (OCFO) that an NRC employee had recurring E-Z Pass (electronic toll collection system used on most tolled roads, bridges, and tunnels in the Midwestern and Eastern United States, as far south as Florida and as far west as Illinois) charges on his Government contractor-issued travel charge card (Government travel card) account with no matching official travel. OCFO informed OIG that during a review of the employee's Government travel card records, OCFO found the NRC employee's Government travel card account had a reoccurring $70 charge for E-Z Pass toll transactions but had no matching Government travel vouchers. OCFO reported that for an approximate 3-year period, the employee's Government travel card account was charged more than $1,000 in E-Z Pass toll transactions.
  • OIG completed an investigation into an allegation from an NRC employee concerned that he had been threatened with insubordination by his manager for refusing to sign a relief request safety evaluation. This relief request safety evaluation was submitted to the NRC by a licensee seeking relief for licensing requirements for specific electrical codes for a specific and limited area. The employee refused to sign the relief request safety evaluation because he was aware another employee intended to use the agency's Non-Concurrence Process, which is used by an NRC employee when he or she has a concern about a document that they had a role in creating or reviewing in the concurrence process.

Defense Nuclear Facilities Safety Board

  • OIG completed an investigation into an allegation that DNFSB violated the agency's Equal Employment Opportunity (EEO) Program complaint process procedures and the Privacy Act of 1974 by mishandling an EEO summary report. According to the allegation, a senior manager obtained an EEO summary report when she was no longer authorized to review the content of that report after the EEO process had changed from informal to formal stage.


OVERVIEW OF NRC AND OIG

NRC's Mission

NRC was formed in 1975, in accordance with the Energy Reorganization Act of 1974, to regulate the various commercial and institutional uses of nuclear materials. The agency succeeded the Atomic Energy Commission, which previously had responsibility for both developing and regulating nuclear activities.

NRC's mission is to regulate the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety, and to promote the common defense and security and to protect the environment. NRC's regulatory mission covers three main areas:

  • Reactors - Commercial reactors that generate electric power and research and test reactors used for research, testing, and training.
  • Materials - Uses of nuclear materials in medical, industrial, and academic settings and facilities that produce nuclear fuel.
  • Waste - Transportation, storage, and disposal of nuclear materials and waste, and decommissioning of nuclear facilities from service.

Under its responsibility to protect public health and safety, NRC has the following main regulatory functions: (1) establish standards and regulations; (2) issue licenses, certificates, and permits; (3) ensure compliance with established standards and regulations; and (4) conduct research, adjudication, risk and performance assessments to support regulatory decisions. These regulatory functions include regulating nuclear power plants, fuel cycle facilities, and other civilian uses of radioactive materials - like nuclear medicine programs at hospitals, academic activities at educational institutions, research, and such industrial applications as gauges and testing equipment.

NRC maintains a current Web site and a public document room at its headquarters in Rockville, MD; holds public hearings and public meetings in local areas and at NRC offices; and engages in discussions with individuals and organizations.


Vent header inspection at the Nine Mile Point nuclear power plant.


OIG HISTORY, MISSION, AND GOALS

OIG History

In the 1970s, Government scandals, oil shortages, and stories of corruption covered by newspapers, television, and radio stations took a toll on the American public's faith in its Government. The U.S. Congress knew it had to take action to restore the public's trust. It had to increase oversight of Federal programs and operations. It had to create a mechanism to evaluate the effectiveness of Government programs. And, it had to provide an independent voice for economy, efficiency, and effectiveness within the Federal Government that would earn and maintain the trust of the American people.

In response, Congress passed the landmark legislation known as the Inspector General Act (IG Act), which President Jimmy Carter signed into law in 1978. The IG Act created independent Inspectors General (IG), who would protect the integrity of Government; improve program efficiency and effectiveness; prevent and detect fraud, waste, and abuse in Federal agencies; and keep agency heads, Congress, and the American people fully and currently informed of the findings of IG work.

Today, the IG concept is a proven success. The IGs continue to deliver significant benefits to our Nation. Thanks to IG audits and investigations, billions of dollars have been returned to the Federal Government or have been better spent based on recommendations identified through those audits and investigations. IG investigations have also contributed to the prosecution of thousands of wrongdoers. In addition, the IG concepts of good governance, accountability, and monetary recovery encourage foreign governments to seek advice from IGs, with the goal of replicating the basic IG principles in their own governments.


OIG Mission and Goals

NRC's OIG was established as a statutory entity on April 15, 1989, in accordance with the 1988 amendment to the IG Act. NRC OIG's mission is to (1) independently and objectively conduct and supervise audits and investigations relating to NRC programs and operations; (2) prevent and detect fraud, waste, and abuse; and (3) promote economy, efficiency, and effectiveness in NRC programs and operations.

OIG is committed to ensuring the integrity of NRC programs and operations. Developing an effective planning strategy is a critical aspect of meeting this commitment. Such planning ensures that audit and investigative resources are used effectively. To that end, OIG developed a Strategic Plan that includes the major challenges and critical risk areas facing NRC.

The plan identifies OIG's priorities and establishes a shared set of expectations regarding the goals OIG expects to achieve and the strategies that will be employed to do so. OIG's Strategic Plan features three goals, which generally align with NRC's mission and goals:

1. Strengthen NRC's efforts to protect public health and safety and the environment.
2. Strengthen NRC's security efforts in response to an evolving threat environment.
3. Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.


OIG PROGRAMS AND ACTIVITIES

Audit and Evaluation Program

The OIG Audit Program focuses on management and financial operations; the economy or efficiency with which an organization, program, or function is managed; and whether the programs achieve intended results. OIG auditors assess the degree to which an organization complies with laws, regulations, and internal policies in carrying out programs, and they test program effectiveness as well as the accuracy and reliability of financial statements. The overall objective of an audit is to identify ways to enhance agency operations and promote greater economy and efficiency. Audits comprise four phases:

  • Survey - An initial phase of the audit process is used to gather information on the agency's organization, programs, activities, and functions. An assessment of vulnerable areas determines whether further review is needed.
  • Fieldwork - Detailed information is obtained to develop findings and support conclusions and recommendations.
  • Reporting - The auditors present the information, findings, conclusions, and recommendations that are supported by the evidence gathered during the survey and fieldwork phases. Exit conferences are held with management officials to obtain their views on issues in the draft audit report. Comments from the exit conferences are presented in the published audit report, as appropriate. Formal written comments are included in their entirety as an appendix in the published audit report.
  • Resolution - Positive change results from the resolution process in which management takes action to improve operations based on the recommendations in the published audit report. Management actions are monitored until final action is taken on all recommendations. When management and OIG cannot agree on the actions needed to correct a problem identified in an audit report, the issue can be taken to the NRC Chairman for resolution.

Each October, OIG issues an Annual Plan that summarizes the audits planned for the coming fiscal year. Unanticipated high-priority issues may arise that generate audits not listed in the Annual Plan. OIG audit staff continually monitor specific issue areas to strengthen OIG's internal coordination and overall planning process. Under the OIG Issue Area Monitor (IAM) program, staff designated as IAMs are assigned responsibility for keeping abreast of major agency programs and activities. The broad IAM areas address nuclear reactors, nuclear materials, nuclear waste, international programs, security, information management, and financial management and administrative programs.


Investigative Program

OIG's responsibility for detecting and preventing fraud, waste, and abuse within NRC includes investigating possible violations of criminal statutes relating to NRC programs and activities, investigating misconduct by NRC employees and contractors, interfacing with the Department of Justice on OIG-related criminal and civil matters, and coordinating investigations and other OIG initiatives with Federal, State, and local investigative agencies and other OIGs.

Investigations may be initiated as a result of allegations or referrals from private citizens; licensee employees; NRC employees; Congress; other Federal, State, and local law enforcement agencies; OIG audits; the OIG Hotline; and OIG initiatives directed at areas bearing a high potential for fraud, waste, and abuse.

Because NRC's mission is to protect the health and safety of the public, OIG's Investigative Program directs much of its resources and attention to investigating allegations of NRC staff conduct that could adversely impact matters related to health and safety. These investigations may address allegations of

  • Misconduct by high-ranking NRC officials and other NRC officials, such as managers and inspectors, whose positions directly impact public health and safety.
  • Failure by NRC management to ensure that health and safety matters are appropriately addressed.
  • Failure by NRC to appropriately transact nuclear regulation publicly and candidly and to openly seek and consider the public's input during the regulatory process.
  • Conflicts of interest involving NRC employees and NRC contractors and licensees, including such matters as promises of future employment for favorable or inappropriate treatment and the acceptance of gratuities.
  • Fraud in the NRC procurement program involving contractors violating Government contracting laws and rules.

OIG has also implemented a series of proactive initiatives designed to identify specific high-risk areas that are most vulnerable to fraud, waste, and abuse. A primary focus is electronic-related fraud in the business environment. OIG is committed to improving the security of this constantly changing electronic business environment by investigating unauthorized intrusions and computer-related fraud, and by conducting computer forensic examinations. Other proactive initiatives focus on determining instances of procurement fraud, theft of property, Government credit card abuse, and fraud in Federal programs.


OIG General Counsel Regulatory Review

Pursuant to the Inspector General Act, 5 U.S.C. App. 3, Section 4(a)(2), OIG reviews existing and proposed legislation, regulations, policy, and management directives (MD), and makes recommendations to the agency concerning their impact on the economy and efficiency of agency programs and operations.

Regulatory review is intended to provide assistance and guidance to the agency prior to the concurrence process so as to avoid formal implementation of potentially flawed documents. OIG does not concur or object to the agency actions reflected in the regulatory documents, but rather offers comments.

Comments provided in regulatory review reflect an objective analysis of the language of proposed agency statutes, directives, regulations, and policies resulting from OIG insights from audits, investigations, and historical data and experience with agency programs. OIG review is structured so as to identify vulnerabilities and offer additional or alternative choices.

To effectively track the agency's response to OIG regulatory review, substantive comments should include a request for written replies within 90 days, with either a substantive reply or status of issues raised by OIG.

From October 1, 2019, to March 31, 2020, OIG reviewed a variety of agency documents. In its regulatory reviews, OIG is cognizant of potential impacts to its functions as well as potentially negative impacts on its independence from the agency. In addition to impacts on OIG functions, some of the documents reviewed could have a major impact on NRC operations or are of high interest to NRC staff and stakeholders, and OIG's regulatory reviews reflect OIG's knowledge and awareness of underlying trends and overarching developments at the agency and in the industry it regulates.

OIG did not identify any issues that would have a major impact on its independence or conflict with its audit or investigative functions during its review of agency documents during this time.

However, OIG's review did identify instances where the agency document and its effectiveness could be reviewed for greater clarity, organization, or inclusion of background information. The policy documents reviewed during this period are described below.

NRC

  • Management Directive 3.5, Attendance at NRC Staff-Sponsored Meetings, which outlines the Commission's policy and intent to ensure that certain meetings between the NRC staff and external stakeholders are open to all members of the public in order to further the goals of public information and involvement. This goal must be balanced with a need to protect sensitive information. This particular revision was minor and resulted in minor OIG comments. However, OIG's review was cognizant of the tension between public openness and protecting sensitive information and looked for areas where the staff's policy could be more effective in both areas.

  • Draft Management Directive 9.26, Organization and Functions, Office of Nuclear Material Safety and Safeguards (NMSS), which outlines the functions, organizational structure, and reporting requirements for a major NRC program office. If finalized, this management directive would replace the prior version which has been in place for 30 years and will re-integrate a previously separate program office back into NMSS. OIG's review was cognizant of the significance of this revision and carefully considered whether the proposed document meets the goals of clarity and efficiency. While the OIG review did not identify substantive issues with the document, OIG offered minor suggestions to ensure that the final document, if implemented, clearly communicates NRC policy.
  • Management Directive 10.13, Special Employment Programs, which outlines the NRC policy regarding a variety of non-competitive special employment programs that the agency maintains pursuant to its statutory authority under Section 161d of the Atomic Energy Act of 1954. This revision eliminated references to unneeded programs and clarified the NRC's general authority to provide for similar opportunities to Governmentwide special hiring programs and the competitive and excepted service. OIG's review focused on ensuring that the NRC's policy remains consistent with existing statutory authority and Federal policies, and did not find substantive concerns.

Other OIG Activities

OIG General Counsel Addresses Honor Law Graduate Attorneys

The OIG General Counsel continued the policy of addressing NRC Office of the General Counsel Honor Law Graduate attorneys as part of their education on the agency and the Federal government. Honor Law Graduate attorneys are recent law school graduates just entering the legal profession. The OIG General Counsel provided information describing the Office of the Inspector General both generally and at the NRC specifically, its history, statutory basis, implementing regulations, and relevant case law. In addition, the role of IG General Counsel, as counsel and Whistleblower Protection Coordinator at NRC, and in the Federal community were detailed and compared. The group discussed appropriate interactions between agency attorneys and the OIG, including key interoffice connections in administrative adjudications, matters of government employee ethics, and joint educational efforts related to Whistleblower rights under the Whistleblower Protection Enhancement Act.


NRC MANAGEMENT AND PERFORMANCE CHALLENGES

Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in FY 2020 (as identified by the Office of the Inspector General)

Challenge 1 NRC and Agreement State Coordination on Oversight of Materials and Waste.

Challenge 2 Continuous Improvement Opportunities for Information Technology (IT) and Information Management (includes internal IT security).

Challenge 3 Management and Transparency of Financial and Acquisitions Operations.

Challenge 4 Strategic Workforce Planning.

Challenge 5 Strengthening Oversight of External Security.

Challenge 6 Readiness for Advanced Reactor Technologies.

Challenge 7 Strengthening Risk Informed Oversight.


Millstone Power Station, located in Waterford, CT.


NRC AUDITS AND EVALUATIONS

Summaries

Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in Fiscal Year 2020

OIG Strategic Goal: Safety, Security, Corporate Management

In accordance with the Reports Consolidation Act of 2001, the Deputy Inspector General provides what it considers to be the most serious management and performance challenges facing the NRC in FY 2020. Congress left the determination and threshold of what constitutes a most serious management and performance challenge to the discretion of the IG. The Deputy Inspector General has defined serious management and performance challenges as mission critical areas or programs that have the potential for perennial weakness or vulnerability that, without substantial management attention, would seriously impact agency operations or strategic goals.

Audit Results:

This year we are introducing a new design for the Management Challenges report, in which we use a single-page format to identify each challenge, actions taken by the agency, and work left to do. Based on feedback from the agency and our desire to improve the specificity and clarity of the challenges we believe should receive the NRC's attention, we have modified the challenge areas identified in our FY 2019 Management Challenges report and have identified the following seven areas representing more focused and actionable challenges.

1. NRC and Agreement State Coordination on Oversight of Materials and Waste
2. Continuous Improvement Opportunities for Information Technology (IT) and Information Management (includes internal IT security)
3. Management and Transparency of Financial and Acquisitions Operations
4. Strategic Workforce Planning
5. Strengthening Oversight of External Security
6. Readiness for Advanced Reactor Technologies
7. Strengthening Risk Informed Oversight.

(Addresses Management and Performance Challenges #1-7)

Evaluation of Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing

OIG Strategic Goal: Safety

This Official Use Only evaluation report was not issued publicly because it contains sensitive security information.

(Addresses Management and Performance Challenge #2)

Audit of NRC's Compliance with the Digital Accountability and Transparency Act of 2014 (DATA Act)

OIG Strategic Goal: Corporate Management

The OIG contracted CLA to conduct an independent audit of NRC's implementation of the DATA Act of 2014. The objective of this audit was to assess (1) the completeness, accuracy, timeliness and quality of NRC's FY 2019, first quarter financial and award data submitted for publication on USASpending.gov, and (2) NRC's implementation and use of the Government-wide financial data standards established by OMB and the U.S. Department of the Treasury. The findings and conclusions presented in this report are the responsibility of CLA. OIG's responsibility is to provide adequate oversight of the contractor's work in accordance with Generally Accepted Government Auditing Standards (GAGAS).

Audit Results:

CLA found that the NRC's submission at the summary level and linkages was timely and complete for FY 2019, Quarter 1. Additionally, CLA determined that NRC's data was considered to be of higher quality overall. However, the audit identified areas that need improvement.

(Addresses Management and Performance Challenge #2)

Results of the Audit of the United States Nuclear Regulatory Commission's Financial Statements for Fiscal Year 2019

OIG Strategic Goal: Corporate Management

Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 19-03, Audit Requirements for Federal Financial Statements, OIG is required to audit NRC's financial statements. In compliance with this requirement, the OIG retained CLA to conduct this annual audit. CLA examined NRC's FY 2019 Agency Financial Report, which includes financial statements for FY 2019.


CLA's audit report contains the following reports:

  • Opinion on the Financial Statements.
  • Opinion on Internal Control over Financial Reporting.
  • Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements.

The audit objectives were to:

  • Express opinions on NRC's financial statements and internal controls.
  • Review compliance with applicable laws and regulations.
  • Review the controls in NRC's computer systems that are significant to the financial statements.
  • Assess the agency's compliance with the OMB Circular A-123 (Revised), Management's Responsibility for Enterprise Risk Management and Internal Control.

Audit Results:

  • NRC's financial statements as of and for the FY ended September 30, 2019, are presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles;
  • Although internal controls could be improved, NRC maintained, in all material respects, effective internal control over financial reporting as of September 30, 2019; and
  • No reportable noncompliance for FY 2019 with provisions of applicable laws, regulations, contracts, and grant agreements we tested.

(Addresses Management and Performance Challenge #3)

Low Level Waste disposal site accepts waste from States participating in a regional disposal agreement.


IN PROGRESS

Audit of NRC's Property Management Program

OIG Strategic Goal: Corporate Management

Government personal property is defined as any equipment, furniture, or supply items that are owned, leased, borrowed, donated, forfeited, or transferred from another Federal agency, purchased with NRC funds, or otherwise in the possession or control of the NRC. Property management encompasses both capitalized and non-capitalized property. Capitalized property is any NRC-purchased property with an initial acquisition cost of $50,000 or more. Non-capitalized property is NRC property with an initial acquisition cost of less than $50,000.

During FY 2018, NRC managed roughly $65 million of capitalized property and purchased approximately $3 million of non-capitalized property tracked by the Office of Administration.

In addition, a large percentage of IT equipment (i.e., laptops, phones, tablets) was removed from the Office of Administration's property database and is now maintained by the Office of the Chief Information Officer.

The audit objective is to determine if NRC has established and implemented an effective system of internal controls for maintaining accountability and control of government property.

(Addresses Management and Performance Challenge #3)

Audit of NRC's Drug-Free Workplace Program Implementation

OIG Strategic Goal: Corporate Management

The Federal Drug-Free Workplace Program is a comprehensive program to address illicit drug use by Federal employees. On September 15, 1986, President Reagan signed Executive Order 12564, establishing the goal of a Drug-Free Federal Workplace. The Order made it a condition of employment that all Federal employees refrain from using illegal drugs on or off duty.

Because of NRC's national security and public health and safety responsibilities and the sensitive nature of its work, NRC has a compelling obligation to detect and eliminate illegal drug use from its workplace and has developed the NRC Drug-Free Workplace Plan. The most recent revision was published in August 2007. The NRC Drug-Free Workplace Plan includes awareness and education opportunities for all employees, information about drug testing and counseling, and provisions for rehabilitation for employees who use illegal drugs.

By 2008, NRC completed actions recommended by NRC OIG contained in Audit of NRC's Drug Testing Program, thus strengthening the drug testing program's effectiveness as a deterrent to illegal drug use. However, recent revisions to marijuana use laws, as well as the opioid epidemic, have raised National attention to the tragedies that result from illegal drug use.

The audit objective is to assess the effectiveness and efficiency of NRC's implementation of the NRC Drug-Free Workplace Program.

(Addresses Management and Performance Challenge #4)

Audit of NRC's Nuclear Power Emergency Preparedness Program

OIG Strategic Goal: Safety

Emergency preparedness (EP) is intended to ensure that nuclear power plant licensees are capable of implementing adequate measures to protect public health and safety in the event of a radiological emergency. As a condition of their licenses, licensees of nuclear power plants must develop and maintain emergency plans that meet comprehensive NRC EP requirements. NRC oversees EP plans and activities through inspection of the requirements of emergency preparedness and the evaluation of their implementation through periodic exercises and drills. In EP policymaking and planning NRC coordinates with Federal partners, and licensees must coordinate EP planning with State and local authorities.

NRC's proposed Reactor Oversight Program enhancement measures recommend changes to EP oversight, including modifications of the EP Significance Determination Process and reduction of certain uses of Inspection Procedure 71111.01, used to inspect weather-related risks, offsite power systems, alternate AC power sources, and external flooding mitigation measures.

The audit objective is to determine whether NRC's EP oversight program for nuclear power plants adequately addresses adverse weather conditions and related communications with external stakeholders.

(Addresses Management and Performance Challenge #7)

Audit of NRC's Nuclear Power Plant Surveillance Test Inspection Program

OIG Strategic Goal: Safety, Security, Corporate Management

NRC inspects surveillance testing of safety structures, systems, and components at commercial nuclear power plants. The purpose of these inspections is to evaluate licensees' surveillance testing activities and their effectiveness in demonstrating that plant systems are capable of performing intended safety functions consistent with their design and licensing bases.

Surveillance test inspections are performed in accordance with Inspection Procedure 71111.22, which requires inspectors to evaluate 14 to 22 samples annually per unit at each site. Inspectors are to select risk- or safety-significant surveillance activities based on risk information.

Verification of activities under this procedure should focus on performance-based field observations of complete surveillance test evolutions, followed by verification of the bases and of the proper demonstration of performance that supports operability determinations.

Additionally, once or twice a year, inspectors should consider conducting a vertical slice review of work activities on safety-significant systems to assess whether different aspects of the licensee's processes work effectively together (e.g., Maintenance, Operations, Risk Management, Scheduling, etc.).

The audit objective is to assess NRC's conduct of surveillance test inspection activities relative to Inspection Procedure 71111.22 requirements.

(Addresses Management and Performance Challenge #5)


Audit of NRC's Integrated Materials Performance Evaluation Program (IMPEP)

OIG Strategic Goal: Safety, Security

The IMPEP process employs a team of NRC and Agreement State staff to assess both Agreement State and NRC regional radioactive materials licensing and inspection programs. It is designed to assess whether public health and safety are adequately protected from the potential hazards associated with the use of radioactive materials, and that Agreement State programs are compatible with the NRC's program.

IMPEPs review approximately 8-10 Agreement State and NRC Regional radioactive materials licensing and inspection programs per year. The IMPEP review teams consist of a combination of NRC and Agreement State staff.

The audit objective is to assess and evaluate the IMPEP program, determine if the program is meeting its stated objectives, and to identify any areas for improvement.

(Addresses Management and Performance Challenge #1)

Audit of NRC's Regulatory Oversight of Radiation Safety Officers

OIG Strategic Goal: Safety

Radiation Safety Officers (RSOs) are responsible for radiological safety in conjunction with the use, handling, and storage of radioactive materials in programs licensed by NRC. NRC requires that most of its licensees employ RSOs to assess whether all licensed activities are carried out in compliance with the requirements of their NRC materials license, as well as with applicable regulations.

RSOs must have adequate training to understand the hazards associated with radioactive material and be familiar with all applicable regulatory requirements. RSOs must have the knowledge, skill, and resources to reasonably determine that a licensee's activities involving radiation and radioactive materials are conducted safely. RSOs should also have independent authority to stop operations they consider unsafe. Additionally, they should have enough time and commitment from management to fulfill their duties and responsibilities including determining whether radiation safety procedures are being implemented and that the required records of licensed activities are maintained.

Because RSOs work for licensees involved with several different areas of nuclear material, RSOs play a vital role in radiation protection programs as they are ultimately responsible for overseeing safe operations within those programs.

The audit objective is to determine the adequacy of NRC's regulatory oversight of Radiation Safety Officers.

(Addresses Management and Performance Challenges #1 and #7)

Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2017 (FISMA) for Fiscal Year 2019

OIG Strategic Goal: Security

On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at strengthening the security of the Federal Government information and information systems further. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

FISMA provides the framework for securing the Federal Government's information technology including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the OMB and Congress on the effectiveness of their security programs. The evaluation objective is to conduct an independent assessment of the NRC's FISMA implementation for Fiscal Year 2019.

(Addresses Management and Performance Challenge #2)

Audit of NRC's Compliance with Improper Payment Laws

OIG Strategic Goal: Corporate Management

In November 2002, the Congress passed the Improper Payments Act of 2002 (IPIA) to enhance the accuracy and integrity of Federal payments.

An improper payment is (a) any payment that should not have been made or that was made in an incorrect amount (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements, and (b) includes any payment to an ineligible recipient, any payment for an ineligible good or service, any duplicate payment, any payment for a good or service not received (except for such payments where authorized by law), and any payment that does not account for credit for applicable discounts.

On July 22, 2010, the President signed the Improper Payment Elimination and Recovery Act of 2010 (IPERA). IPERA requires Federal agencies to periodically review all programs and activities that the agency administers and identify all programs and activities that may be susceptible to significant improper payments. In addition, IPERA requires each agency to conduct recovery audits with respect to each program and activity of the agency that expends $1,000,000 or more annually, if conducting such audits would be cost effective. Lastly, the Improper Payment Elimination and Recovery Improvement Act of 2012 (IPERIA) amended IPIA by establishing the Do Not Pay Initiative, which directs agencies to verify the eligibility of payments using databases before making payments.


The audit objectives are to assess NRC's compliance with the IPIA, as amended by the IPERA, and IPERIA, and report any material weaknesses in internal control.

(Addresses Management and Performance Challenge #3)

Survey of NRC's Safety Culture and Climate

OIG Strategic Goal: Safety, Security, and Corporate Management

In 1998, 2002, 2006, 2009, 2012, and 2015 OIG contracted with an international survey firm to conduct surveys that evaluated the organizational safety culture and climate of the agency's workforce and identified agency strengths and opportunities for improvements. Comparisons were made to the previous surveys as well as to national and Government norms. In response to the survey results, the agency evaluated the key areas for improvement and developed strategies for addressing them.

A clear understanding of NRC's current safety culture and climate will facilitate identification of agency strengths and opportunities for improvement as it continues to experience significant challenges. These challenges include the licensing of new reactor facilities, operating under reduced budgets and realignment of program offices.

The survey objectives are to (1) measure NRC's safety culture and climate to identify areas of strength and opportunities for improvement; (2) compare the results of this survey against the survey results that OIG previously reported; and (3) provide, where practical, benchmarks for the qualitative and quantitative findings against other organizations.

(Addresses all Management and Performance Challenges)

A Resident Inspector conducts routine inspection of plant equipment.


NRC INVESTIGATIONS

Summaries

Concerns Pertaining to Gas Transmission Lines at the Indian Point Nuclear Power Plant

OIG Strategic Goal: Safety

OIG completed an investigation into concerns communicated to OIG from a citizen stakeholder pertaining to NRC's oversight of a 42-inch natural gas pipeline that was, at the time, proposed to traverse IPEC property. This pipeline, now in operation, was part of the AIM Project, which proposed to replace certain portions of the existing pipeline and install new pipeline in the northeast United States. NRC's role was to support the FERC's decision to approve or disapprove the project by providing information to FERC on the impacts of the AIM Project on IPEC. NRC's findings were documented in its Third-Quarter Integrated Inspection Report issued to Entergy, IPEC's license holder, on November 7, 2014.

In a publicly available Title 10 of the Code of Federal Regulations Section 2.206 (10 CFR) petition, dated October 15, 2014, and a letter to NRC dated July 27, 2015, the stakeholder questioned the adequacy and completeness of the licensee's (Entergy) site hazards analysis and NRC's independent and followup analyses prepared to determine the safety impact on IPEC plant components due to the potential rupture of the proposed high pressure 42-inch gas pipeline. The stakeholder also questioned whether (1) NRC misled FERC and the public by claiming to FERC that there was no additional risk associated with the proposed 42-inch gas pipeline, thereby putting at risk 20 million people near IPEC; (2) NRC was aware of material false statements made by Entergy to NRC with respect to the 42-inch gas pipeline; (3) NRC violated its procedures and regulations when analyzing the potential safety impacts from the 42-inch gas pipeline; and (4) NRC is allowing IPEC to operate in an unanalyzed condition.

OIG's investigation examined NRC's inspection report and underlying analysis used to determine that Entergy appropriately concluded the 42-inch gas pipeline would not introduce significant risk to safety-related systems, structures, and components; and systems, structures, and components important-to-safety at IPEC.

The investigation addressed the following issues:

Issue 1. Problems Identified by OIG With NRC's November 7, 2014, Inspection Report and Underlying Analysis.

Issue 2. NRC's Response to Stakeholder Concerns Over Project AIM Pipeline.

Investigative Results:

Issue 1: While FERC's approval of the AIM Project pipeline relied in part on NRC's assessment of Entergy's site hazards analysis and NRC's independent analysis of the impact of a potential rupture of the portion of the pipeline that traversed IPEC property, OIG found (1) NRC's independent analysis was incorrectly portrayed in FERC's approval document as significantly more conservative than it actually was; (2) NRC's inspection report contained inaccuracies suggesting additional analysis had been conducted, when this was not the case; and (3) NRC's underlying independent analysis was conducted using a computer program that the National Oceanic and Atmospheric Administration (NOAA), which developed the program, said it was not designed for. Moreover, the majority of NRC's independent analysis described the impact of a potential rupture on an above ground point on IPEC property that NRC believed presented the most credible risk due to its exposure; however, ultimately the as-built 42-inch pipeline does not come above ground anywhere on IPEC property but does traverse the IPEC property.

OIG's investigation also found that NRC decisionmakers had differing understandings of the assumptions and factors driving the analysis conducted by an NRC Physical Scientist, who NRC considered a subject matter expert and who was responsible for conducting, documenting, and communicating his results. While the Physical Scientist attributed his analysis assumptions to OIG as engineering judgment, he did not have a basis for it and did not document a basis or a methodology in his report. When OIG briefed NRC managers on the issues OIG identified in the Physical Scientist's analysis, one noted that because the Physical Scientist conducted multiple calculations with increasing credit for pipeline enhancements, it appeared to be backwards engineering to get a desired result. An NRC senior manager said the Physical Scientist's use of credit for enhanced piping was inappropriate in part because the pipeline enhancements were not intended to mitigate the impact of a blast, but rather to reduce the chances of a rupture in the first place. Several NRC senior managers said that based on issues identified in this event inquiry pertaining to the Physical Scientist's analysis, it may be prudent to redo the analysis.

Issue 2: OIG's investigation disclosed that through the stakeholder's 2.206 petition and associated concerns - which were relevant and on point - NRC was presented an opportunity to reevaluate and confirm work previously conducted that supported the agency's conclusion that Entergy's hazards analysis was reliable. However, NRC failed to thoroughly reexamine the underlying premises of its analyses and did not accurately communicate its analytical work performed.

First, in response to the stakeholder's assertion that it would take longer than 3 minutes for the pipeline operators in Houston, Texas, to close the valves, thereby stopping the flow of gas, NRC misrepresented the assumptions used in the followup bounding analysis that was conducted to assess the impact of 60 minutes of gas released. While NRC's response to the stakeholder described having conducted an assessment that assumed an infinite source of natural gas with the pipeline valves open for an hour, OIG's investigation found that NRC assessed only 1 minute of gas released. Moreover, NRC never confirmed the validity of the licensee's assumption that the valves could be closed in 3 minutes.

Second, in response to the stakeholder's question of whether NRC performed a validation and verification of NOAA's computer program to ascertain its adequacy for this purpose, NRC stated there was no need for NRC to perform a validation and verification of the computer program. However, OIG contacted NOAA, which confirmed the program is not designed for this purpose.

Third, NRC's response to the stakeholder stated that NRC used the methodology and equations of Regulatory Guide 1.91, Evaluations of Explosions Postulated to Occur at Nearby Facilities and On Transportation Routes Near Nuclear Power Plants, without deviation; however, OIG found that NRC used a draft regulatory guide in lieu of the final, approved version (which had been issued approximately 2 years prior) and deviated from the approved version in a manner that was less conservative and had an impact on the analysis outcome.

Fourth, the stakeholder asked whether NRC had any quality assurance requirements/procedures for conducting safety related calculations. NRC responded that they do not perform safety related calculations and do not have a quality assurance program for these calculations, but they said a peer review by a qualified NRC engineer was performed on NRC's independent analysis and followup analysis. OIG's investigation revealed that the assigned engineer, who felt there were more qualified people in NRC to do this, performed a limited review that focused mainly on the licensee's hazards analysis and not NRC's analyses.

An NRC senior manager conveyed to OIG that NRC decisionmakers rely on accurate information from the staff to support decisions and communicate accurately to stakeholders and, in this case, another Federal agency. However, NRC managers confirmed they do not have a quality assurance process or a formal peer review process to review this type of assessment.

(Addresses Management and Performance Challenge #1)

Alleged Conflict of Interest by Former NRC Oversight Process Engineer

OIG Strategic Goal: Corporate Management

OIG completed an investigation into an allegation that an NRC senior manager had resigned from the NRC effective August 19, 2017, and shortly thereafter, on August 24, 2017, an NRC licensee announced she had accepted a position with the licensee. Prior to her departure from NRC, the senior manager had oversight of SAFER Regional Response Centers and safety evaluations of the FLEX programs. FLEX is portable equipment and mitigating strategies to respond to events that exceed design basis incidents.

Investigative Results:

OIG did not develop evidence that the senior manager's efforts to obtain post-NRC employment with Entergy created a conflict of interest. OIG found the senior manager sought advice from an NRC Office of the General Counsel (OGC) Ethics Counselor in January, May, and July 2017, to avoid any conflict of interest during her employment at NRC and post-NRC employment. OGC confirmed that because the generic applications of the SAFER and FLEX programs applied to all licensees, the senior manager's oversight over these programs would not have created a conflict of interest in connection with her employment with Entergy.

(Addresses Management and Performance Challenge #1)

Misuse of Government-Issued Travel Credit Card

OIG Strategic Goal: Corporate Management

OIG completed an investigation into an allegation from the NRC OCFO that an NRC employee had recurring E-Z Pass charges on his Government contractor-issued travel charge card account with no matching official travel. OCFO informed OIG that during a review of the employee's Government travel card records, OCFO found the NRC employee's Government travel card account had a reoccurring $70 charge for E-Z Pass toll transactions but had no matching Government travel vouchers. OCFO reported that for an approximate 3-year period, the employee's Government travel card account was charged more than $1,000 in E-Z Pass toll transactions. OCFO also reported that the employee had other potential misuse of his travel card.

Investigative Results

OIG found the employee misused his Government travel card to pay for charges on his two personal E-Z Pass devices. Specifically, from June 22, 2015, through March 28, 2018, $1,083.70 of the $1,645 in E-Z Pass charges to the employee's Government travel card account were used for personal tolls not associated with official Government travel. OIG determined the employee used his personal E-Z Pass devices for both personal and official travel and charged the renewal (replenish) E-Z Pass fees to his Government travel card, which was listed on his personal E-Z Pass account.

OIG also found the employee misused his travel card by charging airline tickets and hotel fees in the amount of $1,479.30, which were not made in conjunction with official travel status. The employee also admitted that on several occasions, he had used his Government travel card to purchase meals for his family when they accompanied him on certain travel.

(Addresses Management and Performance Challenge #5)

NRC Manager's Actions Precludes Staff from Engaging in Non-Concurrence Process

OIG Strategic Goal: Corporate Management

OIG completed an investigation into an allegation from an NRC employee concerned he had been threatened with insubordination by his manager for refusing to sign a relief request safety evaluation. This relief request safety evaluation was submitted to the NRC by a licensee seeking relief for licensing requirements for specific electrical codes for a specific and limited area. The employee refused to sign the relief request safety evaluation because he was aware another employee intended to use the agency's Non-Concurrence Process, which is used by an NRC employee when he or she has a concern about a document that they had a role in creating or reviewing in the concurrence process.

Investigative Results

OIG determined there was no misconduct by the manager. A witness corroborated the manager did verbally tell the employee he would be insubordinate if he did not sign the relief request safety evaluation. However, a higher-level manager reviewed the non-concurrence information with the assistance of another employee with engineering expertise. The higher-level manager determined the relief request safety evaluation provided reasonable assurance of adequate protection and signed the relief request safety evaluation for the non-concurring employee.

OIG briefed NRC OGC on the results of the investigation. OGC told OIG that managers are expected to direct employees to complete tasks on time. Unless the employee is refusing to sign the relief request safety evaluation due to a violation of law or serious safety violation, there is no misconduct.

(Addresses Management and Performance Challenge #5)

DEFENSE NUCLEAR FACILITIES SAFETY BOARD

Congress created the DNFSB as an independent agency within the executive branch to identify the nature and consequences of potential threats to public health and safety at DOE's defense nuclear facilities, to elevate such issues to the highest levels of authority, and to inform the public. Since DOE is a self-regulating entity, DNFSB constitutes the only independent technical oversight of operations at the Nation's defense nuclear facilities. DNFSB is composed of experts in the field of nuclear safety with demonstrated competence and knowledge relevant to its independent investigative and oversight functions.

The Consolidated Appropriations Act, 2014, provided that notwithstanding any other provision of law, the Inspector General of the Nuclear Regulatory Commission is authorized in 2014 and subsequent years to exercise the same authorities with respect to the Defense Nuclear Facilities Safety Board, as determined by the Inspector General of the Nuclear Regulatory Commission, as the Inspector General exercises under the Inspector General Act of 1978 (5 U.S.C. App.) with respect to the Nuclear Regulatory Commission.

DNFSB MANAGEMENT AND PERFORMANCE CHALLENGES

Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board in FY 2020*

(as identified by the Office of the Inspector General)

Challenge 1 Management of a healthy and sustainable organizational culture and climate.

Challenge 2 Management of security over internal infrastructure (personnel, physical, and cyber security) and nuclear security.

Challenge 3 Management of administrative functions.

Challenge 4 Management of technical programs.

* For more information on the challenges, see DNFSB-20-A-01, Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board (https://www.nrc.gov/docs/ML1930/ML19302D596.pdf)


Power lines from Indian Point nuclear power station.


DNFSB AUDITS AND EVALUATIONS

Summaries

Audit of DNFSB's Human Resources Program

OIG Strategic Goal: Corporate Management

DNFSB was established to oversee the DOE's defense nuclear facilities, and to provide the Secretary of Energy with advice and recommendations to ensure adequate protection of public health and safety at these facilities.

DNFSB's staff is composed of excepted service and general schedule staff. In addition, SES employees are assigned to lead DNFSB's offices. From 2018 through 2019, DNFSB lost approximately 25 percent of its technical staff. As a result, Congress directed DNFSB to increase the number of its staff.

The audit objective was to determine if DNFSB's human resources program is designed and implemented to effectively support the execution of its mission.

[Figure: DNFSB Staffing Levels from FY15 - FY19. Source: OIG generated.]

Audit Results

DNFSB's human resources program is currently not designed and implemented to effectively support the execution of its mission.

DNFSB's hiring process has been ineffective and inefficient. DNFSB must be able to select candidates efficiently and effectively; however, there is a lack of agency consensus and communication regarding DNFSB's hiring practices. As a result, the agency remains understaffed, which may negatively impact DNFSB's ability to accomplish its mission.

Additionally, nearly half of DNFSB's SES positions are vacant. DNFSB should establish its SES positions to provide more effective management of its staff; however, DNFSB's senior leadership does not believe SES positions are needed. As a result, the agency's responsibilities may be ineffectively managed.

This report makes four recommendations to improve the effectiveness and efficiency of DNFSB's hiring practices; and two recommendations to provide more effective SES management of agency staff.

(Addresses Management and Performance Challenge #1)

Results of the Audit of the Defense Nuclear Facilities Safety Board's Financial Statements for Fiscal Year 2019

OIG Strategic Goal: Corporate Management

The Accountability for Tax Dollars Act of 2002 requires the IG or an independent external auditor, as determined by the IG, to annually audit the DNFSB financial statements in accordance with applicable standards. In compliance with this requirement, the OIG retained CLA to conduct this annual audit. CLA examined DNFSB's FY 2019 Agency Financial Report, which includes financial statements for FY 2019. CLA's audit report contains the following reports:

  • Opinion on the Financial Statements.
  • Opinion on Internal Control over Financial Reporting.
  • Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements.

The audit objectives were to:

  • Express opinions on DNFSB's financial statements and internal controls.
  • Review compliance with applicable laws and regulations.
  • Review the controls in DNFSB's computer systems that are significant to the financial statements.
  • Assess the agency's compliance with OMB Circular A-123, (Revised), Management's Responsibility for Enterprise Risk Management and Internal Control.

Audit Results

The audit of the FY 2019 financial statements of the DNFSB found the following:

  • DNFSB's financial statements as of and for the FY ended September 30, 2019, are presented fairly, in all material respects, in accordance with U.S. generally accepted accounting principles;
  • Although internal controls could be improved, DNFSB maintained, in all material respects, effective internal control over financial reporting as of September 30, 2019; and
  • No reportable noncompliance for FY 2019 with provisions of applicable laws, regulations, contracts, and grant agreements we tested.

(Addresses Management and Performance Challenge #3)

Audit of DNFSB's Compliance with the Digital Accountability and Transparency Act of 2014 (DATA Act) for Fiscal Year 2019

OIG Strategic Goal: Corporate Management

The DNFSB is required to submit quarterly financial and award data for publication on USASpending.gov in compliance with the DATA Act. The NRC OIG contracted with CLA, an independent certified public accounting firm, to conduct a performance audit on DNFSB's compliance under the DATA Act. This report represents the results of our performance audit of the DNFSB's compliance under the DATA Act.

The audit objectives were to review the first quarter data submitted by DNFSB under the DATA Act and (1) determine the completeness, timeliness, accuracy and quality of the data sampled and (2) assess the implementation of the governing standards by the agency.

Audit Results

DNFSB's FY 2019, Quarter 1 submission at the summary-level data and linkages for Files A, B, and C was timely and complete. However, the audit found errors in record-level data and linkages for Files C and D1. Also, the audit identified errors in record-level data elements testing for completeness, accuracy, and timeliness resulting in moderate quality of the data submitted. Finally, the audit found that DNFSB's data has some mapping errors in implementing and using the Government-wide financial data standards in accordance with the standards established by OMB and Treasury.

This report makes two recommendations to improve DNFSB's data quality and the implementation of the governing standards.

(Addresses Management and Performance Challenge #3)


Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the DNFSB in Fiscal Year 2020

OIG Strategic Goal: Safety, Security, Corporate Management

The Reports Consolidation Act of 2000 (Public Law 106-531) requires OIG to annually update our assessment of DNFSB's most serious management and performance challenges facing the agency and the agency's progress in addressing those challenges.

Audit Results

DNFSB is an independent oversight organization within the Executive Branch created by Congress in 1988. DNFSB is considered a critical oversight agency as it performs its mission to provide independent analysis, advice, and recommendations to the Secretary of Energy in providing adequate protection of public health and safety at defense nuclear facilities in the DOE. The DNFSB requested $29,450,000 and 100 FTE to carry out its mission in FY 2020.

This is a 5 percent decrease from the agency's FY 2019 appropriation level of $31,000,000. As of October 2019, DNFSB has 89 positions occupied. The DNFSB unanimously approved an FY 2020 staffing plan totaling 115 employees. Based on hiring/attrition cycles, DNFSB expects to average 100 employees going forward.

This year OIG is introducing a new design for the Management Challenges report, in which we identify each challenge, actions taken, and work left to do. We identified four actionable challenges DNFSB must continue to address:

1. Management of a healthy and sustainable organizational culture and climate.
2. Management of security over internal infrastructure (personnel, physical, and cyber security) and nuclear security.
3. Management of administrative functions.
4. Management of technical programs.

Effective responses to these challenges will position DNFSB to work towards the effective and efficient execution of its mission, achievement of its strategic goals, and to achieve the highest level of accountability over taxpayer dollars.

(Addresses Management and Performance Challenges #1-4)

Independent Evaluation of DNFSB's Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2019

OIG Strategic Goal: Security

On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at strengthening the security of the Federal Government information and information systems further. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security. FISMA provides the framework for securing the Federal Government's information technology including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the OMB and Congress on the effectiveness of their security programs. The OIG engaged SBG to conduct an independent evaluation of DNFSB's overall information security program and practices to respond to the FY 2019 IG FISMA Reporting Metrics.

The evaluation objective was to conduct an independent assessment of the DNFSB's FISMA implementation for FY 2019.

Audit Results

Although the DNFSB established an Agency-wide information security program and practices that was Consistently Implemented at a Cyber Scope overall rating of Level 3, SBG identified weaknesses related to Risk Management, Identity and Access Management, Configuration Management, Incident Response, and Contingency Planning. The Cyber Scope overall rating of Effective reflects DNFSB's strides since 2017 in organizing third-party Security Assessment Reviews (SAR) and Gap Analyses to determine outstanding risks to the system and organization.

This evaluation makes 11 recommendations to strengthen DNFSB's information security Risk Management Framework.

(Addresses Management and Performance Challenge #2)


Containment tendon surveillance at the Turkey Point nuclear generating station.


DNFSB INVESTIGATIONS

Summaries

Violations of Equal Employment Opportunity Commission Regulation and the Privacy Act

OIG Strategic Goal: Corporate Management

OIG completed an investigation into an allegation that a senior manager had obtained an EEO summary report when she was no longer authorized to review the content of the report because the EEO complaint had changed from an informal to formal EEO complaint. According to the allegation, DNFSB management's handling of the EEO report violated the Privacy Act of 1974 and the EEOC MD. OIG completed an investigation into an allegation that DNFSB violated the EEO complaint process procedures and the Privacy Act of 1974 by mishandling an EEO summary report. According to the allegation, a senior manager obtained an EEO summary report when she was no longer authorized to review the content of that report after the EEO process had changed from informal to formal.

Investigative Results

OIG did not substantiate that the senior manager's access to the EEO summary report constituted a violation of the EEOC MD-110, Chapter 1, Section V, Delegation of Settlement Authority to Resolve Disputes or the Privacy Act. OIG learned that the report the senior manager received contained information related to the informal stage of the complaint. The DNFSB General Manager designated the senior manager as the Settlement Official to provide a resolution during the informal process. Even though the informal EEO complaint process had ended by the time the senior manager reviewed the report, since she had already known the details about the incident and the information about the complainant, her access to the informal summary report did not violate the Privacy Act. Moreover, OIG learned that the formal EEO complaint process had not initiated at the time the senior manager accessed the report; nevertheless, the General Manager, who was overseeing the agency's EEO program, should have known that the informal EEO complaint process had ended, and should not have sent the report to her.

OIG also identified other violations of the CFR and EEOC MD due to a lack of an operational EEO program and inadequately trained staff within DNFSB. OIG learned that in May 2017, an aggrieved DNFSB employee (hereinafter referred to as the AGGRIEVED) submitted a harassment complaint and requested EEO assistance from DNFSB's Human Resources (HR) Department; however, due to the lack of personnel and resources within the agency, DNFSB was unable to provide the support that the AGGRIEVED had requested. A year after the complaint was reported, DNFSB finally assigned an EEO counselor to the AGGRIEVED. In accordance with 29 CFR Section 1614.105, EEO Complaint Process Procedures, counseling must be completed within 30 days of the date the aggrieved person contacts the agency's EEO office. OIG found that DNFSB did not possess an operational EEO program or a systematic process to track any EEO complaints at the time the AGGRIEVED filed a complaint. In accordance with the EEOC MD-715, the Commission mandates that every Federal agency must have the policy guidance and standards for establishing and maintaining effective affirmative programs of equal employment opportunity.

In addition, OIG found that DNFSB lacked adequately trained staff to assist employees with EEO complaints at the time the AGGRIEVED filed the complaint.

The AGGRIEVED reported her EEO complaint directly to the former HR Director. OIG learned the former HR Director assessed the complaint and did not believe it warranted an investigation.

A review of the agency's training record disclosed the former HR Director never received any EEO-related training during her tenure with DNFSB. In accordance with the EEOC MD-110, Chapter 2, Section II, Part A, the [EEO] Commission requires that new EEO Counselors receive a minimum of thirty-two (32) hours of EEO Counselor training prior to assuming counseling duties. OIG also learned the General Manager, who began overseeing the EEO Program Office after the former HR Director's departure from DNFSB, did not attend any EEO-related training prior to assuming the EEO Program Manager duties. OIG found that because DNFSB did not have a proper EEO program and lacked resources to assist employees, the agency sought to acquire contracting support to provide EEO services; however, a delay in awarding this contract postponed the ability to provide EEO assistance to the AGGRIEVED in a timely manner, thereby, violating the EEOC MD.

(Addresses Management and Performance Challenge #3)

SUMMARY OF OIG ACCOMPLISHMENTS AT NRC

October 1, 2019 - March 31, 2020

Investigative Statistics

Source of Allegations

  • NRC Employee: 19
  • NRC Management: 5
  • General Public: 10
  • Other Government Agency: 1
  • Anonymous: 32
  • Contractor: 2
  • Regulated Industry: 2

Allegations resulting from the NRC OIG Hotline calls: 40

Total: 71

Disposition of Allegations

  • Total: 71
  • Closed Administratively: 15
  • Referred for OIG Investigation: 8
  • Referred to Management and Staff: 31
  • Pending Review Action: 7
  • Correlated to Existing Case: 5
  • Referred to OIG for Audits: 5

Status of Investigations

  • DOJ Referrals: 0
  • DOJ Declinations: 1
  • DOJ Pending: 0
  • Criminal Information/Indictments: 0
  • Criminal Convictions: 0
  • Civil Penalty Fines: 0
  • Civil/Administrative Recovery: 1
  • Administrative Recovery Amount: $883.95
  • State and Local Referrals: 1

NRC Administrative Actions:

  • Counseling and Letter of Reprimand: 0
  • Terminations and Resignations: 0
  • Suspensions and Demotions: 1
  • Other (e.g., PFCRA): 0

Summary of Investigations

| Classification of Investigations | Carryover | Opened Cases | Closed Cases | Reports Issued [1] | Cases in Progress |
|---|---|---|---|---|---|
| Conflict of Interest | 0 | 0 | 0 | 0 | 0 |
| Employee Misconduct | 10 | 7 | 7 | 4 | 10 |
| External Fraud | 5 | 0 | 3 | 0 | 2 |
| Internal Fraud | 1 | 1 | 0 | 0 | 2 |
| Management Misconduct | 12 | 3 | 4 | 0 | 11 |
| Miscellaneous | 3 | 0 | 1 | 0 | 2 |
| Proactive Initiatives | 2 | 0 | 0 | 0 | 2 |
| Technical Allegations | 9 | 0 | 1 | 0 | 8 |
| Theft | 1 | 0 | 0 | 1 | 1 |
| Total | 43 | 11 | 16 | 5 | 38 |

[1] Number of reports issued represents the number of closed cases where allegations were substantiated and the results were reported outside of OIG.


NRC AUDIT AND EVALUATION LISTINGS

| Date | Title | Audit Number |
|---|---|---|
| 10/29/2019 | Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in Fiscal Year 2020 | OIG-20-A-01 |
| 11/06/2019 | Evaluation of Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing (OFFICIAL USE ONLY - SENSITIVE INTERNAL INFORMATION) | OIG-20-A-02 |
| 11/07/2019 | Audit of NRC's Compliance with the Digital Accountability and Transparency Act of 2014 (DATA Act) | OIG-20-A-03 |
| 11/15/2019 | Results of the Audit of the United States Nuclear Regulatory Commission's Financial Statements for Fiscal Year 2019 | OIG-20-A-04 |

NRC Contract Audit Reports

| OIG Issue Date | Contractor/Title/Contract Number | Questioned Cost | Unsupported Cost |
|---|---|---|---|
| February 27, 2020 | Advanced Systems Technology Management Inc.; Independent Audit Report on Advanced Systems Technology Management Inc.'s Proposed Amounts on Unsettled Flexibly Priced Contracts for Fiscal Year (FY) 2018; NRC-HQ-7G-14C-0001 | $367,858 | $0 |

NRC Audit Resolution Activities

Table 1 OIG Reports Containing Questioned Costs [2]

| Reports | Number of Reports | Questioned Costs (Dollars) | Unsupported Costs (Dollars) |
|---|---|---|---|
| A. For which no management decision had been made by the commencement of the reporting period | 0 | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 | |
| Subtotal (A + B) | 0 | 0 | 0 |
| C. For which a management decision was made during the reporting period: | | | |
| (i) dollar value of disallowed costs | 0 | 0 | 0 |
| (ii) dollar value of costs not disallowed | 0 | 0 | 0 |
| D. For which no management decision had been made by the end of the reporting period | 0 | 0 | 0 |

[2] Questioned costs are costs that are questioned by the OIG because of an alleged violation of a provision of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; a finding that, at the time of the audit, such costs are not supported by adequate documentation; or a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable.


TABLE II OIG Reports Issued with Recommendations That Funds be Put to Better Use [3]

| Reports | Number of Reports | Dollar Value of Funds |
|---|---|---|
| A. For which no management decision had been made by the commencement of the reporting period | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 |
| C. For which a management decision was made during the reporting period: | | |
| (i) dollar value of recommendations that were agreed to by management | 0 | 0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | 0 |
| D. For which no management decision had been made by the end of the reporting period | 0 | 0 |

[3] A recommendation that funds be put to better use is a recommendation by the OIG that funds could be used more efficiently if NRC management took actions to implement and complete the recommendation, including reductions in outlays; deobligation of funds from programs or operations; withdrawal of interest subsidy costs on loans or loan guarantees, insurance, or bonds; costs not incurred by implementing recommended improvements related to the operations of NRC, a contractor, or a grantee; avoidance of unnecessary expenditures noted in preaward reviews of contract or grant agreements; or any other savings which are specifically identified.


SUMMARY OF OIG ACCOMPLISHMENTS AT DNFSB

October 1, 2019 - March 31, 2020

Investigative Statistics

Source of Allegations

  • DNFSB Employee: 0
  • DNFSB General Public: 1
  • DNFSB Management: 2

Allegations Received from the NRC OIG Hotline: 1

Total: 3

Disposition of Allegations

  • Total: 3
  • Referred for OIG Investigation: 1
  • Pending Review Action: 2
  • Closed Administratively: 0
  • Referred to Other Agency: 0

Status of Investigations

  • DOJ Referrals: 0
  • DOJ Declinations: 0
  • DOJ Pending: 0
  • Criminal Information/Indictments: 0
  • Criminal Convictions: 0
  • Civil Penalty Fines: 0
  • Civil Recovery: 0
  • State and Local Referrals: 0

DNFSB Administrative Actions:

  • Counseling and Letter of Reprimand: 0
  • Terminations and Resignations: 0
  • Suspensions and Demotions: 0
  • Other (e.g., PFCRA): 0

Summary of Investigations

| Classification of Investigations | Carryover | Opened Cases | Closed Cases | Reports Issued [4] | Cases in Progress |
|---|---|---|---|---|---|
| Employee Misconduct | 0 | 1 | 0 | 0 | 1 |
| Management Misconduct | 4 | 0 | 1 | 0 | 3 |
| Proactive Initiatives | 1 | 0 | 0 | 0 | 1 |
| Total | 5 | 1 | 1 | 0 | 5 |

[4] Number of reports issued represents the number of closed cases where allegations were substantiated and the results were reported outside of OIG.


DNFSB AUDIT AND EVALUATION LISTINGS

| Date | Title | Audit Number |
|---|---|---|
| 10/29/2019 | Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the DNFSB in Fiscal Year 2020 | DNFSB-20-A-01 |
| 11/07/2019 | Audit of NRC's Compliance with the Digital Accountability and Transparency Act of 2014 (DATA Act) | DNFSB-20-A-02 |
| 12/18/2019 | Results of the Audit of the United States Nuclear Regulatory Commission's Financial Statements for Fiscal Year 2019 | DNFSB-20-A-03 |
| 01/27/2020 | Audit of DNFSB's Human Resources Program | DNFSB-20-A-04 |
| 03/31/2020 | Independent Evaluation Report of DNFSB's Implementation of FISMA 2014 for Fiscal Year 2019 | DNFSB-20-A-05 |

DNFSB Audit Resolution Activities

TABLE I OIG Reports Containing Questioned Costs [5]

| Reports | Number of Reports | Questioned Costs (Dollars) | Unsupported Costs (Dollars) |
|---|---|---|---|
| A. For which no management decision had been made by the commencement of the reporting period | 0 | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 | 0 |
| Subtotal (A + B) | 0 | 0 | 0 |
| C. For which a management decision was made during the reporting period: | | | |
| (i) dollar value of disallowed costs | 0 | 0 | 0 |
| (ii) dollar value of costs not disallowed | 0 | 0 | 0 |
| D. For which no management decision had been made by the end of the reporting period | 0 | 0 | 0 |

[5] Questioned costs are costs that are questioned by the OIG because of an alleged violation of a provision of a law, regulation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; a finding that, at the time of the audit, such costs are not supported by adequate documentation; or a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable.


TABLE II OIG Reports Issued with Recommendations That Funds be Put to Better Use [6]

| Reports | Number of Reports | Dollar Value of Funds |
|---|---|---|
| A. For which no management decision had been made by the commencement of the reporting period | 0 | 0 |
| B. Which were issued during the reporting period | 0 | 0 |
| C. For which a management decision was made during the reporting period: | | |
| (i) dollar value of recommendations that were agreed to by management | 0 | 0 |
| (ii) dollar value of recommendations that were not agreed to by management | 0 | 0 |
| D. For which no management decision had been made by the end of the reporting period | 0 | 0 |

[6] A recommendation that funds be put to better use is a recommendation by the OIG that funds could be used more efficiently if NRC management took actions to implement and complete the recommendation, including reductions in outlays; deobligation of funds from programs or operations; withdrawal of interest subsidy costs on loans or loan guarantees, insurance, or bonds; costs not incurred by implementing recommended improvements related to the operations of NRC, a contractor, or a grantee; avoidance of unnecessary expenditures noted in preaward reviews of contract or grant agreements; or any other savings which are specifically identified.


UNIMPLEMENTED AUDIT RECOMMENDATIONS

Nuclear Regulatory Commission

Audit of NRC's Shared S Drive (OIG-11-A-15)

2 of 5 recommendations open since July 27, 2011

Recommendation 2: Revise current information security training for NRC staff to address specific practices for protecting SUNSI on the agency's shared network drives.

Recommendation 3: Develop CUI policies and guidance for storing and protecting CUI in agency shared drives, and (a) post this guidance on the NRC intranet; and (b) include this guidance in annual training.

Audit of NRC's Safeguards Information Local Area Network and Electronic Safe (OIG-13-A-16)

2 of 7 recommendations open since April 1, 2013

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Recommendation 7: Develop a structured access process that is consistent with the SGI need-to-know requirement and least privilege principle. This should include (1) Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs); (2) Conducting periodic reviews of user access to folders; and (3) Developing a standard process to grant user access.

Audit of NRCs Budget Execution Process (OIG-13-A-18) 1 of 8 recommendations open since May 7, 2013 Recommendation 3: Enforce the use of correct budget object codes.

Audit of NRCs Oversight of Spent Fuel Pools (OIG-15-A-06) 1 of 4 recommendations open since February 10, 2015 Recommendation 1: Provide a generic regulatory solution for spent fuel pool criticality analysis by developing and issuing detailed licensee guidance along with NRC internal procedures.

Audit of NRCs Internal Controls Over Fee Revenue (OIG-15-A-12) 1 of 7 recommendations open since March 19, 2015 Recommendation 1: Establish policies and procedures to centralize the control of the TAC setup.

Audit of NRC's Decommissioning Funds Program (OIG-16-A-16)
2 of 9 recommendations open since June 8, 2016

Recommendation 1: Clarify guidance to further define legitimate decommissioning activities by developing objective criteria for this term.

Recommendation 2: Develop and issue clarifying guidance to NRC staff and licensees specifying instances when an exemption is not needed.

Audit of NRC's Implementation of Federal Classified Information Laws and Policies (OIG-16-A-17)
1 of 3 recommendations open since June 8, 2016

Recommendation 1: Complete and fully implement current initiatives: (1) Finalize and provide records management training for authorized classifiers, (2) Complete the current inventories of classified information in safes and secure storage areas, (3) Develop declassification training to prepare and authorize declassifiers, (4) Develop an updated declassification guide, (5) Identify classified records requiring transfer to the National Archives and Records Administration and complete the transfers, (6) Complete the Office Instruction for performing mandatory declassification reviews.

Audit of NRC's Significance Determination Process for Reactor Safety (OIG-16-A-21)
2 of 4 recommendations open since September 26, 2016

Recommendation 2: Clarify IMC 0612 Appendix B issue screening questions so that they are readily understood and easily applied.

Audit of NRC's Foreign Assignee Program (OIG 17-A-07)
2 of 3 recommendations open since December 19, 2016

Recommendation 2: Develop a secure, cost-efficient method to provide foreign assignees an email account which allows for NRC detection and mitigation of inadvertent transmission of sensitive information and seek Commission approval to implement it.

Recommendation 3: When an NRC approved email account is available, develop specific Computer Security Rules of Behavior for foreign assignees using the approved email.

Audit of NRC's Oversight of Security at Decommissioning Reactors (OIG-17-A-09)
2 of 3 recommendations open since February 22, 2017

Recommendation 1: Clarify the fitness-for-duty elements that are necessary to comply with 10 CFR 73.55(b)(9)(i), insider mitigation program.

Recommendation 2: Develop rule language in 10 CFR Part 26 that describes the necessary fitness-for-duty requirements for decommissioning licensees.

Audit of NRC's PMDA/DRMA Functions to Identify Program Efficiencies (OIG-17-A-18)
1 of 1 recommendation open since July 3, 2017

Recommendation 1: Complete implementation of all Mission Support Task Force recommendations that may assist in optimizing the use of resources and result in improving standardization and centralization throughout the agency.

Evaluation of NRC's Network Storage Interruption (OIG-17-A-19)
1 of 4 recommendations open since July 27, 2017

Recommendation 2: Develop and implement an internal OCIO policy that requires NRC subject matter experts to re-evaluate the storage system architecture.

Evaluation of the Shared S Drive (OIG-18-A-06)
1 of 4 recommendations open since December 21, 2017

Recommendation 4: Remove or delete PII from the shared S drive.

Audit of NRC's Decommissioning Financial Assurance Instrument Inventory (OIG-18-A-09)
1 of 1 recommendation open since February 8, 2018

Recommendation 1: Update guidance to reflect current practices, including (a) Define what is to be kept in the files and/or safe and implement the guidance; (b) Define the filing methodology or the safe (e.g., by licensee, site, license, or instrument); (c) Require supporting documentation of completion of every step in the NMSS and NRR evaluations; (d) Describe procedural steps for NRR to complete the evaluations or state expectations for NRR to complete the same steps as NMSS; (e) Require written follow-up from the NMSS and NRR evaluations by the auditee to the evaluator, to ensure any identified discrepancies are corrected; (f) Require NMSS and NRR evaluation reports and the Inventory List to be marked OUO, as appropriate; and (g) Require segregation of duties between the person in NMSS who maintains the Inventory List and the person who completes the annual evaluation.

Audit of NRC's Consultation Practices with Federally Recognized Native American Tribal Governments (OIG-18-A-10)
2 of 5 recommendations open since April 4, 2018

Recommendation 1: Update MD 5.1 to include FSTB when working with Tribes. The guidance should also clearly define FSTB's role and responsibilities with regard to Tribal outreach and consultation.

Recommendation 2: Update NRC office procedures to include more specific direction on how to coordinate with FSTB and how to work with Tribes.

Audit of NRC's Special and Infrequently Performed Inspections (OIG-18-A-13)
1 of 6 recommendations open since May 15, 2018

Recommendation 1: Update IMC 2515 Appendix C and applicable NRR guidance to reflect the requirement to ensure consistent and periodic reviews of IMC 2515 Appendix C inspection procedures.

U.S. Nuclear Regulatory Commission Office of the Inspector General External Vulnerability Assessment and Penetration Testing (OIG-18-A-14)
1 of 1 recommendation open since June 6, 2018

Recommendation 1: Remediate the identified vulnerabilities in the findings matrix.

Audit of NRC's License Amendment Request Acceptance Review Process (OIG-19-A-05)
3 of 3 recommendations open since December 13, 2018

Recommendation 1: Strengthen data verification and validation measures to ensure completed acceptance review reports and data are processed accurately.

Recommendation 2: Identify a single, consistent process for calculating the number of workdays for the acceptance review metric and communicate it to DORL staff.

Recommendation 3: Complete the Replacement Reactor Program System-Licensing Module upgrade efforts to generate automated reports.

Audit of NRC's Process for Developing and Coordinating Research Activities (OIG-19-A-06)
4 of 4 recommendations open since December 13, 2018

Recommendation 1: Involve RES and requesting office senior managers earlier in the work request development process to ensure work requests are properly understood, resourced, and achievable before they are formally submitted to RES.

Recommendation 2: Implement a standard template for RES staff to use when preparing acceptance memorandum or email responses to all work request types.

Recommendation 3: Implement a single agencywide tracking system with the capabilities needed to effectively and efficiently keep the agency aware of research activities.

Recommendation 4: Develop and implement a process for obtaining and using feedback from requesting offices. The process should include, but not be limited to, guidance on obtaining feedback during interim project milestones, creating access controls, and roles and responsibilities.

Independent Evaluation of NRC's Implementation of the Federal Information Security Modernization Act of 2014 (OIG-19-A-08)
6 of 6 recommendations open since May 1, 2019

Recommendation 1: Develop and implement a process to remove all non-standard software that has not been approved by an authorized agency official.

Recommendation 2: Implement a process to manage non-standard software to ensure the software is properly approved and inspected for security weaknesses before the software is installed on NRC's network.

Recommendation 3: Monitor the approved installed software on NRC's network to determine whether it is still in use, periodically inspect the software for known vulnerabilities, and mitigate any vulnerabilities found.

Recommendation 4: Develop and establish processes and procedures to govern the installation of non-standard software, including processes and procedures on determining impact to agency operations or cybersecurity.

Recommendation 5: Implement a process to remove unsupported software from NRC networks.

Recommendation 6: Implement a process to mitigate known high-risk vulnerabilities.

Audit of NRC's Training Selection Process for Agreement State Personnel (OIG-19-A-11)
1 of 1 recommendation open since May 31, 2019

Recommendation 1: Update SA-600 to more accurately reflect the training selection process and the roles and responsibilities of the NRC parties involved.

Audit of NRC's Fiscal Year (FY) 2018 Compliance with Improper Payment Laws (OIG-19-A-12)
3 of 3 recommendations open since July 3, 2019

Recommendation 1: Take steps to ensure that the Appendix C risk assessment provides supportable information for IPIA compliance. This should include creating contract deliverables addressing Appendix C requirements and performing a quality assurance review to ensure that the contractor's conclusions are thoroughly supported by evidence.

Recommendation 2: Review the various payment integrity-related internal control efforts and revise procedures to enhance consistency among the different internal control compliance requirements.

Recommendation 3: Update policies/procedures pertaining to the agency's improper payment notification, tracking, and monitoring. This policy/procedure should include steps to address and correct the high-level root cause of the improper payments identified.

Audit of NRC's Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13)
1 of 2 recommendations open since December 1, 2019

Recommendation 2: Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g., testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

Audit of NRC's Computer Code Sharing (OIG-19-A-14)

Recommendations: Status is Official Use Only.

Audit of NRC's Transition Process for Decommissioning Power Reactors (OIG-19-A-16)
2 of 2 recommendations open since August 23, 2019

Recommendation 1: Update NRR and NMSS decommissioning guidance to include the license transfer business model, the applicable items/recommendations of the Lessons Learned Report, and to further clarify the operating to decommissioning transition process.

Recommendation 2: Create and implement a formal project manager knowledge transfer process on decommissioning power reactors.

Evaluation of NRC's Oversight of the Voice over Internet Protocol Contract and Implementation (OIG-19-A-17)
6 of 6 recommendations open since September 5, 2019

Recommendation 1: In all current telecommunications contracts, a) clarify contractor roles and responsibilities, and b) consult legal counsel to review the telecommunications contracts collectively to eliminate gaps and duplication in services.

Recommendation 2: Establish a policy for all new telecommunications contracts, and future modifications to current telecommunications contracts, that CORs must review the roles and responsibilities of all related contracts to prevent gaps and duplication in services.

Recommendation 3: Conduct a lesson learned to identify opportunities for improvement in deploying future IT systems or services with an impact on operations agency-wide.

Recommendation 4: Strengthen telecommunications expertise through knowledge management and training.

Recommendation 5: Update the relevant management directives to include a) current telecommunications infrastructure and current organizational responsibilities, and b) a requirement to comply with MD 10.162 Disability Programs and Reasonable Accommodation when deploying any IT projects.

Recommendation 6: Identify and implement a solution to address the issue pertaining to diverting an assigned phone line.

Audit of NRC's Oversight of Supplemental Inspection Corrective Actions (OIG-19-A-19)
1 of 2 recommendations open since September 13, 2019

Recommendation 1: Update NRC inspection guidance to support documentation of significant planned corrective actions associated with 95001 and 95002 supplemental inspections.

Recommendation 2: Implement an efficient means for inspectors to readily identify and retrieve information about completed and planned corrective actions associated with 95001 and 95002 supplemental inspections.

Audit of NRC's Process for Placing Official Agency Records in ADAMS (OIG-19-A-20)
5 of 5 recommendations open since September 26, 2019

Recommendation 1: Require NRC's refresher records management training be completed annually.

Recommendation 2: Assess and update NRC's records management training.

Recommendation 3: Conduct an initial review of ADAMS and implement a policy.

Recommendation 4: Strengthen internal controls to prevent individuals from entering personal papers in ADAMS.

Recommendation 5: Strengthen internal controls.

Audit of NRC's Grants Administration and Closeout (OIG-19-A-21)
9 of 9 recommendations open since September 30, 2019

Recommendation 1: Update training guidance.

Recommendation 3: Transition to electronic files.

Recommendation 4: Knowledge management procedures.

Recommendation 5: Report review.

Recommendation 6: Accountability.

Recommendation 7: Training.

Recommendation 8: Interim guidance.

Recommendation 9: Closeout Plan.

Evaluation of Nuclear Regulatory Commission Vulnerability Assessment and Penetration Testing (OIG-20-A-02)
2 of 2 recommendations open since August 23, 2019

Recommendation 1: Address identified security deficiencies in accordance with agency guidance.

Recommendation 2: Develop a plan.

NRC's Compliance under the Digital Accountability and Transparency (DATA) Act of 2014 (OIG-20-A-03)
1 of 1 recommendation open since August 23, 2019

Recommendation 1: Enhance Internal Control and Detective Procedures.

UNIMPLEMENTED AUDIT RECOMMENDATIONS
Defense Nuclear Facilities Safety Board

Audit of DNFSB's Telework Program (DNFSB-17-A-06)
3 of 3 recommendations open since July 10, 2017

Recommendation 1: Revise the telework directive and operating procedure to a) clarify the process for telework denials, b) list information technology security training as part of the requirements, and c) incorporate a requirement to update agency telework training to reflect changes made in policy.

Recommendation 2: Finish updating all telework agreements in accordance with the telework agreement template.

Recommendation 3: Develop and implement a checklist for telework recordkeeping to ensure the employee telework files are consistent.

Audit of DNFSB's Implementation of Its Governing Legislation (DNFSB-18-A-05)
1 of 2 recommendations open since May 29, 2018

Recommendation 2: Develop and implement a plan of action to address the issues of low employee morale and Board collegiality as documented in the FEVS surveys, LMI Report, and Towers Watson Report.

Audit of DNFSB's Issue and Commitment Tracking System (IACTS) and Its Related Processes (DNFSB-19-A-02)
1 of 8 recommendations open since November 1, 2018

Recommendation 5: Create and implement a policy to consistently track RFBAs through a tracking mechanism or through IACTS.

Audit of DNFSB's Compliance under the Digital Accountability and Transparency (DATA) Act of 2014 (DNFSB-20-A-02)
2 of 2 recommendations open since November 1, 2018

Recommendation 1: Correct Data Element Mapping.

Recommendation 2: Perform Effective Quality Control.

Audit of DNFSB's Human Resources Program (DNFSB-20-A-04)
6 of 6 recommendations open since January 27, 2020

Recommendation 1: ES Recruitment Strategy OGM Resolved.

Recommendation 2: Hiring Process Metric OGM Resolved.

Recommendation 3: Technical Qualifications Policies and Procedures Resolved.

Recommendation 4: Hiring Process Training OGM Resolved.

Recommendation 5: SES Span-of-Control OGM Resolved.

Recommendation 6: Plan Implementation OGM Resolved.

Independent Evaluation of DNFSB's Implementation of the Federal Information Security Modernization Act (FISMA) of 2014 for Fiscal Year 2019 (DNFSB-20-A-05)
11 of 11 recommendations open since March 31, 2020

Recommendation 1: Define an ISA in accordance with the Federal Enterprise Architecture Framework.

Recommendation 2: Use the fully defined ISA to:

a. Assess enterprise, business process, and information system level risks.
b. Formally define enterprise, business process, and information system level risk tolerance and appetite levels necessary for prioritizing and guiding risk management decisions.
c. Conduct an organization wide security and privacy risk assessment.
d. Conduct a supply chain risk assessment.

Recommendation 3:

a. Implement an automated solution to help maintain an up-to-date, complete, accurate, and readily available Agency-wide view of the security configurations for all its GSS components.
b. Collaborate with DNFSB Cybersecurity Team Support to establish performance metrics in service level agreements to measure, report on, and monitor the risks related to contractor systems and services being monitored by Cybersecurity Team.
c. Establish performance metrics to more effectively manage and optimize all domains of the DNFSB information security program.
d. Implement a centralized view of risk across the organization.

Recommendation 4: Finalize the implementation of a centralized automated solution for monitoring authorized and unauthorized software and hardware connected to the agency's network in near real time.

Recommendation 5: Management should re-enforce requirements for performing DNFSB's change control procedures in accordance with the agency's Configuration Management Plan by defining consequences for not following these procedures and conducting remedial training as necessary.

Recommendation 6: Implement procedures and define roles for reviewing configuration change activities to the DNFSB information system production environment by those with privileged access to verify the activity was approved by the system CCB and executed appropriately.

Recommendation 7: Complete and document a risk-based justification for not implementing an automated solution (e.g. Splunk) to help maintain an up-to-date, complete, accurate, and readily available view of the security configurations for all information system components connected to the organization's network.

Recommendation 8: Continue efforts to meet milestones of the DNFSB ICAM Strategy necessary for fully transitioning to DNFSB's "to-be" ICAM architecture.

Recommendation 9: Complete current efforts to refine existing monitoring and assessment procedures to more effectively support ongoing authorization of the DNFSB system.

Recommendation 10: Identify and fully define requirements for the incident response technologies DNFSB plans to utilize in the specified areas and how these technologies respond to detected threats (e.g. cross-site scripting, phishing attempts, etc.).

Recommendation 11: Based on the results of DNFSB's supply chain risk assessment included in the recommendation for the Identify function above, update DNFSB's contingency planning policies and procedures to address ICT supply chain risk.

ABBREVIATIONS AND ACRONYMS

CFR: Code of Federal Regulations
DATA Act: Digital Accountability and Transparency Act of 2014
DNFSB: Defense Nuclear Facilities Safety Board
DOE: Department of Energy
DOJ: Department of Justice
EEO: Equal Employment Opportunity
FERC: Federal Energy Regulatory Commission
FISMA 2014: Federal Information Security Modernization Act of 2014
FY: Fiscal Year
GC: General Counsel
HR: Human Resources
IACTS: Issue and Commitment Tracking System
IAM: Issue Area Monitoring
IG: Inspector General
IPERA: Improper Payments Elimination and Recovery Act
IPERIA: Improper Payments Elimination and Recovery Improvement Act
IPIA: Improper Payments Information Act
MD: Management Directive
NMSS: Office of Nuclear Material Safety and Safeguards
NRC: Nuclear Regulatory Commission
NRR: Office of Nuclear Reactor Regulation
OCFO: Office of the Chief Financial Officer
OIG: Office of the Inspector General
OMB: Office of Management and Budget
SES: Senior Executive Service

Indian Point nuclear power station.

REPORTING REQUIREMENTS

The Inspector General Act of 1978, as amended, specifies reporting requirements for semiannual reports. This index cross-references those requirements to the applicable pages where they are fulfilled in this report.

CITATION | REPORTING REQUIREMENTS | PAGE
Section 4(a)(2) | Review of legislation and regulations | 13-14
Section 5(a)(1) | Significant problems, abuses, and deficiencies | 15-27; 35-38
Section 5(a)(2) | Recommendations for corrective action | 15-27
Section 5(a)(3) | Prior significant recommendations not yet completed | N/A
Section 5(a)(4) | Matters referred to prosecutive authorities | 50, 56
Section 5(a)(5) | Listing of audit reports | 51, 52, 57
Section 5(a)(6) | Listing of audit reports with questioned costs or funds put to better use | 52
Section 5(a)(7) | Summary of significant reports | 15-27
Section 5(a)(8) | Audit reports: questioned costs | 53, 59
Section 5(a)(9) | Audit reports: funds put to better use | 54, 60
Section 5(a)(10) | Audit reports issued before commencement of the reporting period (a) for which no management decision has been made, (b) which received no management comment within 60 days, and (c) with outstanding, unimplemented recommendations, including aggregate potential costs savings | 61-70
Section 5(a)(11) | Significant revised management decisions | 43
Section 5(a)(12) | Significant management decisions with which OIG disagreed | N/A
Section 5(a)(13) | FFMIA section 804(b) information | N/A
Section 5(a)(14)(15)(16) | Peer review information | 75
Section 5(a)(17) | Investigations statistical tables | 40-50; 55-56
Section 5(a)(18) | Description of metrics | 50, 56
Section 5(a)(19) | Investigations of senior Government officials where misconduct was substantiated | N/A
Section 5(a)(20) | Whistleblower retaliation | N/A
Section 5(a)(21) | Interference with IG independence | N/A
Section 5(a)(22) | Audits not made public | 20
Section 5(a)22(b) | Investigations involving senior Government employees where misconduct was not substantiated and report was not made public | 30-35, 36-37, 38-40

Nuclear power station cooling tower.

APPENDIX

Peer Review Information

Audits

The NRC OIG Audit Program was peer reviewed by the OIG for the Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial Protection. The review was conducted in accordance with Government Auditing Standards and Council of the Inspector General on Integrity and Efficiency requirements. In a report dated September 4, 2018, the NRC OIG received an external peer review rating of pass. This is the highest rating possible based on the available options of pass, pass with deficiencies, or fail.

Investigations

The NRC OIG investigative program was peer reviewed by the Department of Commerce Office of the Inspector General. The peer review final report, dated November 1, 2019, reflected that NRC OIG is in full compliance with the quality standards established by the Council of Inspector General on Integrity and Efficiency and the Attorney General Guidelines for OIGs with Statutory Law Enforcement Authority. These safeguards and procedures provide reasonable assurance of conforming with professional standards in the planning, execution, and reporting of investigations.

OIG STRATEGIC GOALS FOR NRC

1. Strengthen NRC's efforts to protect public health and safety and the environment.
2. Strengthen NRC's security efforts in response to an evolving threat environment.
3. Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

OIG STRATEGIC GOALS FOR DNFSB

1. Strengthen DNFSB's efforts to oversee the safe operation of DOE defense nuclear facilities.
2. Strengthen DNFSB's security efforts in response to an evolving threat environment.
3. Increase the economy, efficiency, and effectiveness with which DNFSB manages and exercises stewardship over its resources.

The NRC OIG Hotline

The Hotline Program provides NRC and DNFSB employees, other Government employees, licensee/utility employees, contractors, and the public with a confidential means of reporting suspicious activity concerning fraud, waste, abuse, and employee or management misconduct.

Mismanagement of agency programs or danger to public health and safety may also be reported. We do not attempt to identify persons contacting the Hotline.

What should be reported:

  • Contract and Procurement Irregularities
  • Abuse of Authority
  • Conflicts of Interest
  • Misuse of Government Credit Card
  • Theft and Misuse of Property
  • Time and Attendance Abuse
  • Travel Fraud
  • Misuse of Information Technology Resources
  • Misconduct
  • Program Mismanagement

Ways To Contact the OIG

Call:
OIG Hotline
1-800-233-3497
TTY/TDD: 7-1-1, or 1-800-201-7165
7:00 a.m. - 4:00 p.m. (EST)
After hours, please leave a message.

Submit:
Online Form
www.nrc.gov
Click on Inspector General
Click on OIG Hotline

Write:
U.S. Nuclear Regulatory Commission
Office of the Inspector General
Hotline Program, MS O5 E13
11555 Rockville Pike
Rockville, MD 20852-2738

NUREG-1415, Vol. 34, No. 1
April 2020