ML20210H936

From kanterella
Jump to navigation Jump to search
Audit Rept OIG/99A-06, Review of NRC Separation-Clearance Process for Exiting Staff & Contractors
ML20210H936
Person / Time
Issue date: 07/20/1999
From:
NRC OFFICE OF THE INSPECTOR GENERAL (OIG)
To:
Shared Package
ML20210H922 List:
References
OIG-99A-06, NUDOCS 9908040139
Download: ML20210H936 (22)
v  d  e


Text

_

OFFICE OF THE INSPECI'OR GENERAL U.S. NUCLEAR REGULATORY COMMISSION REVIEW OF NRC'S SEPARATION-CLEARANCE PROCESS FOR EXITING STAFF AND CONTRACTORS OlG/99A-06 July 20,1999 AUDITREPORT g REcq,

/g A>

[

x (k_

fc3 s

0

?

g 4

h 0

Q)@,,9l\\

0 4

040olG Y+++Y E88 08s ' 728?$

PDR

cc:

J. Blaha, AO/OEDO P. Norry, DEDM/OEDO F. Miraglia, DEDR/OEDO M. Knapp, DEDE/OEDO J. Funches, CFO J. Cordes, Acting OCAA D. Rathbun, OCA K. Cyr, OGC J. Dunn Lee, OlP W. Seecher, OPA A. Vietti-Cook, SECY M. Springer, ADM J. Lieberman, OE G. Caputo, Ol P. Bird, HR I. Little, SBCR P. Lohaus, OSP C. Paperiello, NMSS S. Collins, NRR A. Thadani, RES T. Taylor, ACMUI J. Larkins, ACRS/ACNW B. Garrick, ACNW R. Seale, ACRS P. Bollwerk lil, ASLBP H. Miller, RI L. Reyes, Ril J. Dyer, Rill E. Merschoff, RIV OPA-RI OPA-Ril OPA-Rill OPA-RIV OPA-R.IV-FO

I

{

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors REPORT SYNOPSIS The Office of the Inspector General initiated a review of the U.S. Nuclear Regulatory Commission's (NRC) separation-clearance process after learning of several cases where local area network (LAN) accounts for former employees and contractors had not been deleted. Moreover, we identified one former employee who could still access an NRC LAN account and the files of the employee's former office. The

{

agency's separation-clearance process contains a step intended to trigger the termination of LAN accour,ts for employees who separate from the agency.

However, we were concerned that the step was not achieving its intended purpose and about the risks involved in unintentionally allowing former employees / contractors to have access to sensitive, non oublic agency information.

We were also concerned that other steps in the process might not be achieving their intended purposes. Our objectives for the audit were to determine (1) whether the agency was terminating employee / contractor access to the LAN in a timely manner f

after those individuals ended tneir employment with NRC, and (2) whether other steps in the separation-clearance process were being fulfilled as intended.

[

In general, NRC's separation-clearance process appears to be working to prevent t

employees from terminating their employment without repaying debts owed to NRC.

However, the process has failed to ensure the consistent, timely termination of LAN

[

accounts when employees and contractors stop working for NRC. In addition, the process is duplicative in parts, some clearing officials do not carry out the process as NRC managers expect them to or as guidance prescribes, and agency guidance

{

on the topic is sometimes conflicting.

f We found that the separation-clearance process does not directly trigger termination of LAN accounts at headquarters. We also noted an absence of clear guidance on the separation-clearance process in general, and the LAN-related steps in particular.

We believe the manner in which the separation-clesrance process is carried out and the lack of clear guidance contribute to the failure to delete LAN accounts in a timely manner. We also believe that the other problems we identified with regard to the separation-clearance process result from (1) no single office taking responsibility for guiding the process and ensuring maximum efficiency, and (2) a lack of specific written guidance.

(

Our report makes four recommendations to improve the agency's separation-clearance process and ensure that it remains current with agency operations.

OlG/99A-06 Pagei i

L

Review of NRC's Separ.ition-Clearance Process for Exiting Staff and Contractors TABLE OF CONTENTS REPORT SYNOPSIS..

i INTRODUCTION

.1 BACKGROUND 1

FINDINGS...

.2 LAN ACCOUNTS NOT CONSISTENTLY TERMINATED FOR SEPARATING EMPLOYEES AND CONTRACTORS 2

SEPARATION-CLEARANCE PROCESS REFLECTS THAT NO ONE OFFICE HAS TAKEN CHARGE 5

CONCLUSION.

.7 RECOMMENDATIONS

.7 OlG COMMENTS ON AGENCY RESPONSE 8

APPENDICES I

OBJECTIVES, SCOPE, AND METHODOLOGY ll NRC FORM 270, " SEPARATION CLEARANCE" 111 AGENCY RESPONSE TO DRAFT REPORT IV NRC ORGANIZATIONAL CHART V

MAJOR CONTRIBUTORS TO THIS REPORT VI GLOSSARY: OFFICE OF THE INSPECTOR GENERAL PRODUCTS OlG!99A-06

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors INTRODUCTION The Office of the !nspector Generalinitiated a review of the U.S. Nuclear Regulatory Commission's (NRC) separation-clearance process after learning of several cases where local area network (LAN) accounts had not been deleted for former employees and contractors of the tgency. Moreover, we identified one former employee who could still access an NRC LAN account and the files of the employee's former office. The agency's separation-clearance process contains a step intended to trigger the termination of LAN accounts for employees who separate from the agency. However, we were concerned that the step was not s

achieving its purpose. We were also concerned about the risks involved in unintentionally allowing former employees / contractors to have access to sensitive, non-public agency information.

Furthermore, we leamed that the separation-clearance process is not addressed in NRC's Management Directives or comprehensively in any other agency guidance.

Given this lack of instruction on the process, and the presence of LAN accounts for former employees and contractors, we became concemed as to whether other steps in the process were being fulfilled as intended.

Our objectives for this audit were to determine (1) whether the agency was s

terminating employee / contractor access to the LAN in a timely manner after those individuals ended their employment with NRC, and (2) whether other steps in NRC's separation-clearance process were being fulfilled as intended. Appendix I contains additionalinformation on our objectives, scope, and methodology.

BACKGROUND In preparing to terminate their NRC employment, staff members must obtain a number of clearances before they receive their final salary payments. The organizational units that clear separating employees and the items to be cleared are specified on NRC Form 270, " Separation Clearance" (see Appendix II).

Currently, there is no Management Directive addressing the separation-clearance process. A manual chapter addressing the topic was abolished in August 1994 because responsible managers felt that the manual chapter merely repeated information already included on Form 270, and that the form could stand alone. The Office of Human Resources (HR) now provides separating employees with an instruction sheet to help guide them through the separation-clearance process. The instruction sheet lists the organizational units responsible for clearing employees at olG/99A-06 Page1

Review of NRC's Separation-Clearance Process for Exiting Statt and Contractors each step of the process as well as the rame, location, and telephone extension for the clearing official. Generally, in carrying out the process, the employee's home office handles the initial clearance steps on the form and then the separating g

employee hand carries the form to clearing officials representing each of the g

remaining steps on the form to obtain their clearance signatures. Form 270 was most recently updated in December 1998.

Contractors do not follow the same separation-clearance process as NRC employees, but NRC requires that their badges be returned and their LAN access terminated when they stop working for the agency.

l FINDINGS In general, NRC's separation-clearance process appears to be working to prevent g

employees from terminating their employment without repaying debts owed to NRC.

m However, the process has failed to ensure the consistent, timely termination of LAN accounts when employees and contractors stop working for NRC. In addition, the process is duplicative in parts, some clearing officials do not carry out the process as NRC managers expect them to or as guidance prescribes, and agency guidance on the topic is sometimes conflicting. In this section, we will discuss our findings (1) regarding the termination of employee and contractor LAN accounts upon separation from the agency and (2) concerning the process in general.

LAN ACCOUNTS NOT CONSISTENTLY TERMINATED FOR SEPARATING EMPLOYEES AND CONTRACTORS LAN accounts are not always terminated in a timely manner after NRC staff and contractors end their employment with the agency. Furthermore, agency guidance g

on the separation-clearance process is unclear and key players in the process do 3

not always carry out the process as intended. Failure to terminate LAN accounts in a timely manner creates a threat to sensitive information stored on the LAN and a gg scenario where abuse could occur. This is particularly important, given the pending

[l implementation of the Agencywide Documents Access and Management System (ADAMS) as the agency's electronic reco'idkeeping system.

According to an NRC Management Directive,W LAN user identifications (ID's) must be invalidated (removed from the automated information system) for various Guidance on termination of LAN access appears in Handbook 12.5, NRC Management Directive Volume 12, Security.

OlG/99A-06 Page 2 I

Review of NRC's Separation-Clerance Process for Exiting Staff and Contractors reasons, including termination of employment or contract. While the agency does not prescribe a time by which removal should occur, it seems logical that termination of electronic access to the agency's files should be treated in a manner similar to termination of physical access to agency facilities when an employee or contractor stops working for NRC. Interestingly, another Management Directive,m which addresses physical access to NRC facilities, does not prescribe a specific time frame for termination of access authorization when an NRC staff member leaves the agency. Nevertheless, in practice, and as reflected on NRC Form 270, " Separation Clearance," employee key card badges, which are required for access to NRC facilities, must be submitted before an employee can be cleared to receive his or her last paycheck. Badge return typically occurs on the employee's last day of work at NRC.

While termination of an employee's LAN access on his or her last day of work would seem to be a reasonable goal, this is not the general practice at NRC. At headquartc rs, the separation-clearance process does not directly trigger termination of LAN accounts. Office of the ChiefInformation Officer (OClO) managers say that they expect, and depend on, office LAN Managers and Information Technology (IT)

Coordinators to inform them when an employee or contractor is leaving so that they can terminate the account. While the separation-clearance form requires the employing office to notify its "LA N Manager" at the start of the separation-clearance process for each separating employee, there is no signoff to indicate that this individual has notified OClO of the pending separation. According to OClO managers, upon such notification, the terminated employee's account would be deleted, ideally, within a day. However, they said, such notification does not always occur, particularly with regard to contractors. Therefore, as a backup, 0C10 managers responsible for the LAN periodically receive a list of employees and contractors who have stopped working for the agency and who have turned in their badges to the Division of Facilities and Security (DFS). Due to the periodicity with which OClO has received this list, they acknowledged the possibility oflag times with regard to deletion of LAN accounts.m 2

Guidance on termination of physical access to NRC facilities appears in Handbook 12.3, NRC Management Directive VWme 12, Security.

3 During the course of OlG's audit, an OClO manager reported that OCIO had streamlined the process by which it received HR's " loss list" of employees who have separated from NRC during the week and is using it each week as a basis for removing employee names from the LAN. OClO also reported having plans to receive, on a regular basis, the DFS list of employees and contractors who have turned in their badges due to separation.

According to the OClO manager, the lists will be given to the Network Control Center (NCC) and NCC staff wiU be required to delete LAN accounts for these individuals within 2 working days.

olG/99A-06 Page 3

(

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors in an effort to assess whether a significant number of former employees still appeared to have LAN accounts after termination of employment, we searched in the GroupWise address book for the names of employees who separated from NRC during fiscal year 1998. Of 231 employees who separated from the agency during that time frame, 32 (14 percent) still had e-mail addresses on NRC's LAN at headquarters. In addition, we sent test messages to half of these individuals and received indication from GroupWise that all had been delivered. Furthermore, at least one of these individuals still had access to an NRC LAN account and could retriave e-mail and open files maintained by the employee's former office.

According to 0C10 managers, the appearance of former employees' names on the LAN does not necessarily indicate an active LAN account. They said that sometimes former employee names and user ID's remain on the list because of special requests made by offices to disable, rather than delete, the accounts of

)

former employees. In such cases, the former employee's name is kept on the LAN, but his or her password is changed. As a result, the person's network access is terminated. The OClO managers said that, in some cases, there may be a failure to ultimately delete these accounts, resulting in the appearance of former employee names in the address book.

l In comparison to the process at headquarters, the regional offices we contacted for this review described strategies thLt more closely linked a step on the Form 270 to the actual deletion of LAN accounts. Reportedly, in these regions, a clearing official's signature on the separation-clearance form indicates that this person will immediately contact the region's LAN Administrator to request either disabling or termination of the LAN account. According to those interviewed, disabling and termination (in some cases) of accounts typically occurs within 1 tvorking day of the employee's last day at work.

There is an absence of clear guidance on the separation-clearance process in general, and the LAN-related steps in particular. We beiieve this void contributes E

to the failure to delete LAN accounts consistently in a timely manner. First, as 3

mentioned earlier, there is no single management directive addressing the separation-clearance process overall and the purpose of each step in the process.

While employees are expected to go through the separation-clearance process prior to termination, there is no similar process for contractors. While OClO staff expect office LAN Managers /IT Coordinators to notify them when a contractor stops working for the agency, the current " guidance" on the subject is contained in contract language and does not support this expectation. This contract language requires l

only that DFS be notified when a contractor no longer requires access to NRC g

sensitive automated information systems and da+a. While the contract language li does not specify who should notify DFS, we were told it is typically the project officer i

who provides this notification.

olG/99A-06 Page 4

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors Second, the existing guidance on termination of LAN accounts neither prescrit,es a time frame or process for achieving termination of LAN accounts nor explains either of the two LAN-related steps on the separation-clearance form. While one step on the form, "ADP Equipment and Software / AUTOS Password Cancelled," suggests it might be a trigger point for cancellation of LAN accounts, the step is not used for that purpose. It should be noted that the regions we contacted for this review had modified the Form 270 in such a manner to more clearly identify a LAN account termination step on the form. Additionally, the staff people considered by OClO to be responsible for informing OCIO about LAN account termination requests have i

not received clear or consistent guiciance on this expectation.

A third area of concem related to guidance is that the instruction sheet prepared by HR to complement Form 270 is inconsistent with information provided on the form itself. For example, Form 270 states that the clearing unit for step 8 of the process

("ADP Equipment and Software / AUTOS Password Cance!Ied") is the " Office IT c

Coordinator," while the HR instruction sheet states it is the " Office Automation &

Network Development /CIO." Adding to the confusion is that Form 270 impues that the clearing official for step 8 is the " Office IT Coordinator," whereas the HR instruction sheet states that the clearing official is the "Home Ofiice Custodian."

1 Failure to terminate LAN accounts of former employees and contractors in a timely manner creates an unnecessary risk to the agency's sensitive information stored on the network. The risk will be potentially magnified further when ADAMS is implemented as the agency's electronic recordkeeping system.

Furthermore, leaving the names of former employees on the IAN, even if the accounts have been

" disabled," creates a false impression that a message sent to that individual will be received.

SEPARATION-CLEARANCE PROCESS REFLECTS THAT No ONE OFFICE HAS TAKEN CHARGE in addition to reviewing the specific portion of the separation-clearance process pertaining to termination of LAN access, we reviewed the overall clearance process to determine whether there were other areas of concem. We found that agency guidance on the process is unclear and there has been no single office th at has taken responsibility for the overall process. As a result, we believe the process takes longer than necessary, is not always carried out as intended, and creatas the potential for NRC to miss opportunities for collecting debts and removing en.ployees from access lists.

As reflected on Form 270, and as stated in an abolished manual chapter on the subject. the purpose of the separation-clearance process is "to assure that persons separating from employment or being reassigned obtain the necessary clearances before they receive their final salary payments." Whi.e there is no agency guidance l

setting a standard for how the process is to be carried out, it seems appropriate that olG/99A-06 Page5

I!

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors NRC's separation-clearance process should be purposeful, efficient, non-duplicative, consistent, and in line with present-day needs.

While we found that the separation-clearance forms are completed in most cases for separating employees, clearing officials know what they are supposed to do in order to sign off, and the agency is not having problems collecting debts owed to it by former employees - the process could be improved. In addition to the issues we

{

described relating to the termination of LAN accounts, we identified two steps 1

conceming property on the separation-clearance form that could be consolidated j

into one. We noted two steps that are worded inaccurately, reflecting directions that j

may have been appropriate in the past, but which are no longer applicable. We also found cases where regional staff are submitting forms that are no longer required by i

headquarters as part of the clearance process. Further, we observed a lack of f

specific written instructions for clearing officials describing the steps required to clear employees.

Moreover, we identified inconsistencies between instructions on the form and the way the process is carried out. For example, while Form 270 directs regional staff separating from employment to obtain local regional office clearances for all applicable items except three specific fiscal matters, this is not the way the regional forms are handled. Additionally, Form 270 asks regional offices to telefax a copy of a separating employee's separation-clearance form to the Payroll Office in headquarters when the emplow begins the clearance process, in many cases, this is not occurring. Whik w.td not identify any negative consequences that resulted from this discrepancy, it causes one to question the value of the guidance.

We also noted discrepancies between the form and the instruction sheet provided by HR to help guide employees through the separation-clearance process. While Form 270 instructs headquarters employees, after their exit interview with HR, to

  • hand carry this form to the Payroll Operations Section, OC,"W the HR instruction sheet contains a prominent note to employees to " leave your NRC Form 270 with the Human Resources Specialist after your debriefing." Perhaps the most notable error on the Form 270 itself is its reference to a non-existent NRC Management Directive 10.8, presumably for guidance on the separation-clearance process.

Our review also raised questions as to whether the current clearance process ensures account termination as appropriate in all agency automated information systems. For example, we noted several cases where the names of former employees remained in an office time and attendance (T&A) group on the PAY /PERS system, potentially creating a false impression that the employees still were in that T&A group.

4 As part of NRC's reorganizaton of January 5,1997, the Offico of the Controller (OC) was incorporated into the newly created Office of the Chief Financial Officer.

olG/99A-06 Page 6

[

l Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors We also found that while there is a paperwork process to clear NRC employees, there is no similar process for contractors who stop working for the agency. NRC f

has over the past several years made efforts to tighten the controls over contractor access to the agency. At present, contract project officers are expected to notify DFS when a contractor stops working for the agency. Yet, it was reported to us that project officers do not consistently carry out this duty.

Finally, on a positive note, we observed that three of the regional offices have modified the separation-clearance form to suit their specific needs. For example, regions have added steps for such items as conflict-of-interest debriefings, removal from site access lists, issuance of radiation dosimetry, and exit interviews with the

(

regional administrator.

We believe that the problems identified regarding the separation-clearance process

[

result from (1) no single office taking responsibility for guiding the process and ensuring maximum efficiency, and (2) a lack of specific written guidance on the subject. According to one HR manager, the separation-clearance form just seems to have evolved over time, based on input from the offices responsible for steps in the clearance process. However, HR does coordinate the process by which changes, additions, or deletions are made to the form.

Taken separately, each of the problems we identified may seem inconsequential; yet, as a whole, they reflect a process that is not being closely monitored and which could result in problems for the agency at a future date.

CONCLUSION

[

Although NRC's separation-clearance process appears to be working in a general sense to prevent employees from terminating their employment without repaying f

debts owed to NRC, the process is not resulting in the consistent termination of LAN accounts for employees and contractors who stop working for the agency. The process also suffers from a lack of clear guidance and no single office taking charge of it to ensure that it fits current agency needs. An inefficient and outdated process could result in threats to sensitive agency information and to loss of money for the agency.

RECOMMENDATIONS To improve the efficiency of the agency's separation-clearance process, we recommend that the Executive Director for Operations (EDO):

1)

Revise the current Form 270 to eliminate duplication and include any new steps that would be appropriate for inclusion in the process, including olG/99A-06 Page 7

Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors termination of access to all automated inforrnation systems. This revision should incorporate a more direct link between termination of LAN accounts and the 270 process. The EDO should also examine all instructions on the form and the accompanying instruction sheet and ensure that each reflects current and accurate information.

2)

Develop a Management Directive on the separation-clearance process, detailing the purpose of each step, regional responsibilities, and contractor issues. This guidance should also specify time frames for completion of actions triggered by the form (e.g., termination of LAN accounts).

3)

On a regular basis, review the Form 270 to ensure it is current and consistent with agency operations.

4)

Consider placing primary responsibility and accountability for obtaining necessary clearances on a designated entity (e.g., home office, HR) other than the separating employee. In addition, look for ways to automate the clearance process.

OlG COMMENTS ON AGENCY RESPONSE On July 9,1999, the Deputy Executive Director for Management Services (DEDM) responded to our draft report. The DEDM agreed with our four recommendations and presented the corrective actions planned to address our concerns and time frames for the completion or initiation of these measures.

The response also included a comment attributed to the Chief Information Officer (ClO) pertaining to recommendation 1 While the CIO concurred with the I

recommendation, he stated that " methods used by OlG to quantify the problem may a

be inaccurate." We take strong exception to the ClO's comment. As we stated in our report, we found that 14 percent of the employees who separated from NRC g

during FY 1998 still had e-mail addresses on NRC's LAN at headquarters. We sent 5

test messages to half of these individuals and received indication that all had been

" delivered." Despite these findings, we did not characterize these accour's as active or say that former employees could access them. However, we identified one former employee who still had access to an NRC LAN account and could retrieve e-mail and open files maintained by the employee's former office. This proves that NRC needs to take greater measures to protect its information from the threat of unauthorized access and tampering. Furthermore, we presented this quantifiable information to the CIO at the audit entrance conference. Neither at that time nor during the entire course of the audit did the CIO or his staff question or disagree with our methods for " quantifying the problem."

Furthermore, we reiterated this information at the audit exit conference and, again, no one raised any objections to our methodology. T herefore, we continue to believe our methodology for quantifying this problem was both appropriate and accurate.

olG/99A-06 Page 8

_ _ = - _

V l

l

[

I Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors Finally, the CIO concludes his comment by saying that "under many circumstances"

[

it is a " prudent course of action" to preserve former employee accounts and their functions while changing the account passwords.

We understand that it may sometimes be necessary to preserve such accounts, and that changing the account

(

password is a method for preventing the former employee from accessing the account. However, we caution against OClO's practice of leaving the names of former employees on the LAN. Even if the individual no longer has access, the

(

appearance of a former employee's name on the address list can provide people who send messages to this address with the mistaken impression that the message was "deliyered" to the former employee. If 0C10 makes the effort to change the

(

password to access the account, we believe they could also change the name on the account to more accurately reflect the recipient of messages sent to that e-mail address, and thereby prevent the dissemination of erroneous information.

[

[

[

[

[

[

OlG/99A-06 Page9 k

.m...

~-

Appendix l Rewow of NRC's SeparatiorwClearance Process for Exiting Staff and Contractors OBJECTIVES, SCOPE, AND METHODOLOGY The objectives of our audit were to 1) determine whether the agency is terminating employee / contractor access to the local area network (LAN) in a timely manner after those individuals end their employment with U.S. Nuclear Regulatory Commission (NRC), and 2) determine whether other steps in NRC's separation-clearance process are being fulfilled as intended.

To explore these issues, we talked with headquarters clearing officials representing each step of the Form 270 clearance process to determine the purpose of the step, the strategy for ensuring clearance, and their understanding of the step. We also spoke with several clearing officials in Regions I,11, and lli and in the Technical Training Center in Chattanooga, Tennessee, to learn about their approaches with regard to termination of LAN and facility access in particular, in addition, we interviewed Office of Human Resources, Office of the Chief Information Officer, and Office of the Chief Financial Officer staff to gain more 4

information about the separation-clearance process in general, the LAN access step, and the methods by which NRC recovers debts from separated employees.

Our audit was conducted from December 1998 to April 1999 in accordance with generally accepted Government auditing standards.

olG/99A46 Page 1 of 1

Appendix ll Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors NRC FORM 270 U.S. NUCLEAR REGULATORY COMMISSION 112-199a SEPARATION CLEARANCE NacMo to s Regen. g. N N o s N rhvUfb Ne$ak NstNNh i Yorkpiofe'sINare aDgnMtweeUFYg

'uI N e N e'acq rIka a

EMPLdYEE DATA NAME i SOC A SECVRITV NUMSER TiTLg TELEPrsOhE NW83ER (incewoe Aree cace, b;.ON OR OFFICE NAME OF LAST SUPERvtSOR LAST DAY OF ACTIVE DJrY FORWAR0thG ADDREis STREET

~DITY g STATE zip CODE l

'TVPE OF F SEPARATION FROM SEPARATION]:,j~ EMPLOYMENT

[l] NEADOUARTERS AND A REGIONREASSIGNMENTBETWEEN REGIONS OR B

}

CLEARahG O NLZA TIQhAb ACTION llTEM CLEARED SIGNATURE. CLEARING OFFICIAL DATE

a. T&A Cieru Notmed; SF $2 Instated l

. S.__.~ A_ged C. Classmed/ Sensitive UndassmedInformauan RecovereWRaassigned

d. Separation interview with Hurnan Resources Scheduied l
e. Mail Room Notified of Forwardang Address, l

f

f. Property Cusaxhan; All Assigned Property Retumed/ Transferred

}

g. LAN Manager Notifled 2 Law Library. OGC Books and Regulatons I

3 O

Travel Advances. Passports. Charge Cards. Recent Travel Authonzahons 4 Health Unit Employee may copy health fne fue will te retred l

l t

L""nt. aO"O" Property (e g. Calculator. Typewriter, etc.)

;gg re-oes P, ope,. Co,ges..nd se.- C, edit Cams e

P MO ks and Litrary Matenals

4. Ofree IT Coon $nator ADP Equipment and Software /AUTOL Password Cancelied 9 Lc. Fee and Accounts

,p,,,

l Receivable Dr.. OCFO l

10. Financia! System Staff. OCFO Accountmg Systems E

8 9' 8

,0 Record /Nonrecord Holdings and Cha geouts ygg j no t2. Devtsson of Facalibes

~I and Security. ADM

b. NRC Form 136 Compoeted?

j l

c. Badge Sutrnitted?

l I

,,m,,,,,,,

a m ie,v.swand %. me~.ce % t-Resources D. Pencing Tramang and Sennos Agreement l

{

I4. Payrou Operations NOTE The air pg p,y

_.mm_re cg a.ar y

Secton OCFO Cm airm

m9ew servu agreement not susliea. wv ot 6ast avty s

staten CERTIFICATION OF SE.PARATING EMPLOYEE i certify inat ad appropnate cearances. as stated m the Cearsnce instruct.ons and m NRC Management Dueenve 10 8, have been oDisined 5 GNATskE. SEPAAATING E MPLOYEE jDATE ~

l num vw2.w,

es a ra on as%s wan Two,.

e.,n e.,.

OlG/99A-06 Page 1 of 2

E e

Appendix il n

R; View of NRC's Separition-Cletranc) Proc;Ss for Exiting StMT and Contrtctors

~

INSTRUCTIONS FOR COMPLETING NRC FORM 270 A. SEPARATIONS FROM HEADOUARTERS 1.

For all separations, the employing of6ce v4 initiate the form, complete all itenis in the " Employee Data" sscten, and certify item 1 a. tnrough g 2.

Forward the form through the appGcable cleanng organszational units listed en the form. In oroer to expecite tnis process. the employee may hand carry the form through the respective orgaruzat ons (Law Library All attorneys who separate from NRO rolls must obtam Law Library clearance ptem 2.]. Other emptcyees need octam this clearance only if they have checked out Law Library materials.)

?

Schedule clearances so that the separatmg employee visits the Divisen of Secunty (Item 12) dunnJ the last week of employment 4.

On the last day of employrient, employees should report to the Ofh:4 of Human Resources foi n exit mteryww after all other items except the Payroll Operatens Section (item 14) are completed. After tne exit entennew. employees should hud carry this form to the Payroll Operations Section, OC, 5.

Each cleanng organizational unit listed on the form will check its records to detemune if property, classired matter, etc., has been accouritee for and will record apprupnate notations on the form.

6.

If item (s) cannot be located:

a.

Items of Non-Monetary Velve Seoarating employees are expected to make every ef' ort to locate and return items of non-monetary value. These inctuoe such items as secunty identification badges, unexecutedtrar sportation requests, govemment charge cards, anc classified matter.

b Items o/ Monetary Valve.

Separating employees are expected to make every effort to locate and retum items of monetary value to the office accountable for the items. When an item cannot be located, the clearing organizational unit will tetermme the value of the item and whether the separatmg individuars explanation for the loss is adequate. Ifit is necessary to seek is.

  • sement from tne separatmg individual, the ciearing crganizational unit will coordinate with thePayroll OperationsSection, OCFO, whS responsee for secunng reimbursements.

7.

After competion, NRC Form 270 remains in the Payroll Operations Sect on, OCFO. for appropnate disposition.

B. SEPARAU3NS FROM REGIONS 1.

Regional employees should contact the Regertal Personnel Office for spect% instructions.

2.

Regional employees pparating from employment should obtain local Regional Ofree Clearances for all applicable items except the fiscal matters covered under ite,, s 3,9, and 13. To instiate and expedite clearances for these items, Regional Offices should telefax a copy of a separatmg empnoyee's NRC Form 270 to the Chief, Payroll Operations Section OC, when t*,e employee begins the clearance process.

C. REASSIGNMENTS BETWEEN REGIONS AND BETWEEN HEADQUARTERS AND REGIONS 1.

Onty these cearance items that are shaded need to be completed for employees who are reassigned between Regions or betweer' Headquarters and a Region. (The $haced stems are as follows: Numbers 1.a. through g ; 5.,8., and 12.a and c.)

2.

Upon completon of the appropnata citarances, the Separyston Clearance form should be maded or carned to the Office of Human Resources or to the reassing Regonal Personne: Office, as appropnate.

PRIVACY ACT STATEMENT Pursuant to 5 U.S C. $52a(eX3), enacted mto law by section 3 of the Privacy Act of 1974 (Public Law 93-570). the follow; rig statement is fumished to moividuals who s' apply information to the Nuclear Regulatery Commason on NRC Form 270 This infortnaton is roa ntained in a system of records cesgrsated as NRC 21 and decribed at 58 FederalRegister 35469 (July 7.1993); or the mest recent Federal Regi.ter publication of the Nuclear Regulatory Commission's " Republication of Systems of records Notices" that is availabie at the NRC Pubhc Document Room. Ge man Building. 2120 L Street NW, Lower Level, Washington, DC.

1. AUTHORITY: 31 U.S C. 716,1104.1108. 35t1, 3512, 3701, respond to tneir inquiry made et your request, or to NRC. paid 3711,3717,3718 (1984) and 10 CFR O.735-4*L experts, consultants, and otners under contract with the NRC. on a need4c know basis.
2. PRINCIPAL PURPOSE (S) AND ROUTINE USEfS):

The information is used by NRC in orcer to obtem necessary 3 WHETHER DISCLOSURE IS MANDA10RY OR VOLUNTARY clearances for individua.s who are seras atmg from amployrnent, AND EFFECT ON INDIV10UAL OF NOT PROVIDING INFORMATION: Disclosure of the information is mandatmr if the being reassigned to another geographical reg,on of the NRC, or requested clearance mformation is not proviced. tne cioaritig going on leave without pay or furlough in excess of 90 days-individuars last paycheck will be withheld until the reoered information sney also be discioned to to an appropnate Federal, clearances are obtamed.

state, local, or Foreign agency in the event true information

4. SYSTEM inANAGER AND ADDRESSES:

andicates a violabon or potentwat violaron of law and in the course sti of an admirustrative of judicial proceedmg. In addition, this ye m{c g

a anc information rnay be transferred to un appropriate Federa!, State.

Office of the Chief Wormaut.m Officer local and Foreign agency to the extent relevant and necessary for U S. Nuclear Regulatory Cornmmsion I

en NRC decision about you or to the 4xtent relevant and Wasnington DC 20555-WJ01 necessary for that agency's decison about you Information from the form may also be disclosed, in the course of dsscovery under a protective order issued by a court of competent Jursdschon, and in presentno evidence to a Concressionalo'fice to l

l OlG/99A-06 Page 2 of 2 l

Appendix ill l

Rsvitw of NRC's S;p? ration-Cinrrnee Proc:ss for Exibng Staff and Contractors l

l p&p r.ta %,t v

UNITED STATES E

S NUCLEAR REGULATORY COMMISSION E

'f WASHINGTON, D.C. ?O55HKc1

%* ~%,,.$

July 9, 1999 I

I MEMORANDUM TO:

Thomas J. Barchi Assistant inspector General for Audits l

Office of the inspector General FROM:

Patricia G. Norry Deputy Executive i nagement Services

SUBJECT:

REVIEW OF NRC'S SEPARATION CLEARANCE PROCESS l

FOR EXISTING STAFF AND CONTRACTORS This responds to the June 2,1999, draft audit report to which you requested comments. With respect to your specific recommendations, I submit the following:

Recommendation 1 Revise the current Form 270 to eliminate duplication and include any new steps that would be I

appropriate for ine'usion in the process, including termination of access to all automated informat:en systems. This revision should incorporate a mcre direct link between termination of LAN accounts and the 270 process. The EDO should also examine allinstructions on the form I

and accompanying instruction sheet and ensure that each rehets current and accurate information.

Response. Agree.

I Separation processes are oeing reviewed and Form 270, " Separation Clearancef is

+

being revised to reflect updated organization responsibilities and to include procedures r

to ensure that LAN accounts are terminated upon separation of any employee.

Instructions accompanying the form will also be revised to ensure that roles and responsibilities are current and clearly described.

In providing his concurrence to this response, the CIO noted the following:

Although we fully agree with the OlG recommendations for improvement in the separation clearance process, methods used by OlG to quantify the problem may be inaccurate. Existence of an employee's local area network account after the employee has terminated, and the ability of others to continue to sending e-mail to that account, does not in itself indicate the terminated employee has access.

Administrative controls (e.g. password chan9%,

+ 7.e both the account and its function. Under many circumstances, this is a prudent course of action.

olGl99A-06 Page 1 of 3

1 Appendix 111 Revie:e of NRC's Srpnrrtico-Ch"rrnua Proccss for Exiting Staff rnd Contr:ctors iI 2

i The estimated completion date for the actions being taken in response to this ll recommendation is 12/31/99. Immediate steps have been taken to ensure that the B !

Director, Information Techno!ogy infrastructure Division, is promptly notified that i

glI employees are separating. This information is subsequently used to reset the employce's password or terminate the account so that access by the departing E

employee is not possible.

Recommendation,2 Develop a Management Directive on the aaparation clearance process, detailing the purpose

}

of each step, regional responsibilities, and contractor issues. This guidance should also specify i

time frames for completion of actions triggered by the form (e.g., termination of LAN accounts).

,l Resoonse. Agree.

1 Manual Chapter 41o3, "Clo.:rances Prior to Separation /ReassignmentNas eliminated in 1994. Efforts are underway to re-establish the guidance provided in this chapter as Management Directive 10.8, " Clearances Prior to Separation / Reassignment." This new Directive will include a Handbook which will give specific instructions regarding the purpose of each step and the responsibilities of the parties involved. The Handbook will also cross reference pertinent sections of Management Directive 11.1 and Division of Contracts and Property Management (DCPM) Procurement Instruction DC 94-03 which address Project Officer and DCPM responsibilities regarding termination of j

contractor access to IT systems.

The estimated completion date for the issuance of a new Management Directive and Handbook is 03/31/00.

Recommendation 3 On a regular basis, review the Form 270 to ensure it is current and consistent with agency operations.

Roscon_se. Agree.

HR Service Center team leaders and Regional Human Resources te.am leaders will be tasked with monitoring the use of Form 270. They wdl suggest any revisions to the form based on actual use. Any necesssry changes will be brought to management's i

attention. In addition, each administrative office contact will be asked to monitor the use of the form and make any recommendations for changes or revisions as appropriate.

This activity will be initiated by 7/31/99 and will be ongoing.

i

..s. m s y;

1 l

{

j Appendix 111 Review of NRC's Separ: tion-Clear? rice Proc:ss for Exiting Staff and ConWetors

^

3 i

Recommendation 4 Consider placing primary responsibility for obtaining necessary clearances on a designated entity (e.g., the home office, HR) other than the separating employee, in addition, look for ways to automate the clearance process.

Response. Agree.

The Office of Human Resources has primary responsibility for the separation clearance

' process and will take the lead in improving procedures for the orderly out-processing of separating employees along the lines and schedule indicated above. HR and OClO are examining ways to process clearances electronically.

(

l I

[,

OtGt99A-06 Page 3 of 3 Wh

1l ij\\i 1l1' ll

,lI]jll)4;I) l l,

l

)

%E g

2{ k z"S ?u$Eg yBa*?o! {

@ ug E aih3 zWoo5O>

OZh o at 5

n u

U o

ad m

ns m

U r

e t

t ah Ssg m

la f

si u

=

l o

e l-o eR A

f 7

enli s

j e

csiiv r

a A

c*e o

UuC e

f n

B r

r O

o A

se la cc t

f n

ei o o v

s r

~

i s

i r f

e et ia e

De on c r

l e a S

ar f

m of e

in l

cmu f

t f

f v

o Ote eA u

t e

s ic u

n f ic cm He i

f l

ee R

Obu xg yg' Ea n

P t

n ei y

n f

s a

a n iI tu o

Se pM it f

cic e

oa r

D et s

f imL o

l ci m

s od

! cy Om og I

s n

a f in a

V e

i f

f t

r Aa U

n r

la d

eo I

ol

_O" A

c ia e

iP c

f eD h

f et "

Ote R

h f t

o l

foyea' r

ct ft e f r r

c l

Oe o

il o r

t S

o c n ng f

f a o o a

?I

,4 9

oei I

igi r

c t

e os era h

n cm cr lu t

i e

h fa' o

s ea f ag R C t

f r

i n

r r f

t i g Olee oe" a

o Do cR l

e n it c e m

a e

u 5

r a

O p

ivP N

r r

iG o

e ff n

f t

y m

In ur 1

O co f

et 1

a a

nt r

e r

i i

o xl r

E u ay s on a

h f

t g

let d I

iglta h

C n

ye er C

t cf a eA a

uR u au R

e t

h s

p NSg e

e n

T is f

o l

s D

laf s

c c

A oia i

i eeS S

r t

s t

s n

c n i ad n

ct i

u e

m e

f o

f m

^

C Da m

O Ma ia o

i it o

f n

r ih e e np o

r c

e ee ic o

l C

i ip o

i e v

f r

v f

s u

uO Of I

gd e

r t

t n

ea h

e T

n E

R l

c cr i

e eo h

o x

xf r

P o

is E

E f

is A

s s

r s n

s o e f

m o

m ye d

tcn oit roe a

ee e a o

i iv i

s "m i i g

la Dt Il icg r

C f

t v

e c

f s

e d

f ic ee Oe h

Am a

n f

r ivf v

T O

S ae t E

\\

in nc ucy i

if r

Ff e o r

l f

O xt a

n e ie Ea c

t l

os h

yu ic h

ye a C

t g

u c

oeW u e N

a r

r p

stt eR o '9"s e

f iirvma D

d e

Aml eU e c

c R

o u f

i CN f

O 90

v k "

i l

Appendix V Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors MAJOR CONTRIBUTORS TO THIS REPORT Corenthis B. Kelley Team Leader Judy G. Gordon Management Analyst OlG/99A 06 s

Page 1 of 1 l

' - - ~

Appendix VI Review of NRC's Separation-Clearance Process for Exiting Staff and Contractors GLOSSARY: OFFICE OF THE INSPECTOR GENERAL PRODUCTS INVESTIGATIVE 1.

INVESTIGATIVE REPORT-WHITE COVER An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated.

Investigative reports do not recommend disciplinary action against individual employees.

Investigative reports are sensitive documents and contain inforrnation subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrat.ve action is warranted. The agency is expected to advise the OlG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.

2.

EVENTINQUIRY-GREEN COVER The Event inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OlG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.

3.

MANAGEMENT IMPLICA TIONS REPORT (MIR) - MEMORANDUM MIRs provide a " ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.

AUDIT 4.

AUDITREPORT-BLUE COVER An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, functicn, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports The audit results are also reported in the OiG's " Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.

5.

SPECIAL EVALUATION REPORT - BURGUNDY COVER A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.

REGULATORY 6.

REGULATORY COMMENTARY-BROWN COVER Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations Commentaries cite the IG Act as authority for the review, state the specific law, regulation or policy examined, pertinent background information considered and identifies OlG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OlG Semiannual Report to Congress. Each report indicates whether a response is required.

olG/99A-06 Page 1 of 1 1

..b 'T hkr..

N t' -eQ: h Q. :h.,;p. +3.m:h:,y):+d4..-.-

~

h f

D I1'MM J.C.I;)5..):[

D.J e... -'?. M

...i. $..g,,

[d 'd..;[ M. M.,.

4(. .; t' /.. %jt Z8,c.

.n. e

p...;m Q$ d g ' s

- - 'y y

  • IN ;.; r.f]f.,

jJ (%. y_ q m..i.f.f.ff5

,h'~ff{,q:g: fff.kQs rr

3......._ m:n$.?.E_lp.4.@ffQg(lQ. t e

' g y?Qy#,p D.N

..,, pMi'Vp 0

%U li?;

?

%e, fl N

p.hy,g);:f ?h~~ hb;

. f: f.fh;;;

{u'.l k, ?.:*.. l:*f ( '*!.. f.q g &' ? l3:h.? ) p ; m.c, 4.f.'.

q., f.,

h-$.

.i

..s.

=

~g' y,,g.:7 m. m.s,.

+.

N j'.'ki h

.(:l Y.jh ND).f* W Q n ?;h;& b:h;j.[p n.. n -

.,y.y:m.

~

4:

f.

,W.~~. '

. r:

.. !, * ; y[.f.

_ ~'... 5:Ql,

};.).. >

'W.E l* '

3:- -&,'.

~

l

h 5
' Y
:',::.:.l.

+.

_:..F f.'.','. vy;[' ';

.(.. f.,l. ; :' ' -" lf

?

'I.W.,. a, ?}::.l 'i'fY - j&v. f.l.l '. j.

'. A t. : :!,, : fi;I,

..4l.f jih -j.

, ; f !V.

,[:. ' ';-])' ;.;,,.' : -...

,,,;&o.J.f).

.}l r[;. i Q." #

(:

..n N.

3b^ $h 'l. b l.: $,,'

'.N .r,,;...ui,.. ; :'.. h .

s..? * ;'d. '.,... :. *i;,Y :N flb '. * ?.. - - - -' '~.

u

.9 c.

.. v;
a, r.
e
3.. y.,

?l*?y,^h L

'ft.'fi '

I..

..... l _, L.',is Y;.l e

  • r.

9-.

. t .'. /,,. '!Nf,..f.. '.. ' '.). $,t V: t....,. ' L

,-( A. q. !'. t \\..'4.)

.y.'

., ;,h ' 5 n -'} ;".. ;.. e _.'

4

..:i.,

', y*r :J. _

-. i

?

/

t

. ' ' '. ;;'~~ "<.

s;

,. '.. '. H. ". p. i.. n. s'

'o

.s

~

.y

' '...b.

J~

g.-

y.

,b. ".

e.

%p,h. '
'

i

..j

.'_.t..

',. )-

, " '..., M, h,. "; #.,'

3

,-c*.,.'.

s.

i.:

o';

" l(,l. '. <.-_ ' ' _, _"[

  • 4; '.,, ' '

/' :

.).

p, INI i f ; '

K,W..

jft(. ;'.'.

',,f,.

, _ ~.

. j, j '

s

,yj M

/..

.c

' A..y ;j -

V!

l i '..

,'.'s j)'. '
. - * '.

.,4 f-j jg

.J,; !j 7.L :. l,,

., 'g h f,

r,b. . j

,N e ; 'll

}

,y.

' t_.

^

y' [-;.h '.

.l f'Y'

'? -

- p;y

. '. *'g..

s.

.,l*

t

-L

/.
#

. i, :

.[

j ;.f..o Te j,r 4, e ' ' ' r). " l 1..','....

.L

_t d

%'y..$. u *....;;.;.. '

'.*F

= *

)

t

.p

'k l} ~, -.

f *,::,,.

L*

i e"

. p

.-~

/,seg.;..

y yl } ;,

, :(,_, _

n"

'a

~.; 'q

' ' '.3

~

".M?. - *

  • v,.'..f:$.,.;%

.)

...: ~

.N.

i g

+:

m

$/

4 s

<i4..(-.

.g e,

war

,c.

y

~......;.. <.

l(,

L:

y q, x

-,yf r.

v....

,.s

.~,

j' N' }

..i

.L l

g J

- 'I q..

y y.

l

.o s

c. g;

, xff..

'. & Qff,f y JiQ ' '

~

. '.. ~;

~

N

  • f. 'jl h..

y g

f 5*'

i

,p 9

g s

h'.;.y.7. 3 7 g.:, 4.,;,,,.

ggg g

- 4.

.p ;

3 g

%m.a,.b. ~g LG l [

.. 7.;w w. w.n as9m h r 9.-

-~

q;...

a 1.

wi.....

~

9 e

M.N && W Q:Nf ' Q..,.r.

- ?

E y+,::p ::., ;.fl An... '...' ' : r.

~

7 n p_ '... ;. gw.... L.'.

.si.,.

x...,.

. %'./.: y'.'.

l,.

.,,g; i - '

.c a

g p

.,.,'.'Q 1 ;..

f..

n...

(, j

,.c

..f.f

VT' E'

' :,, ~

1

..,f g,,

h, _ _,,

.:l!. '.

..,1 q,.

. ~.

.h. -

~

.e c..4r &. :..

  • N gy
s:

-....a. L. -. o. (

.i i

$ J ' ' ;.

^

,1

' ; u:

' - e'

.l

  • * *:7. k, f ;

i,(.

4.,.

^-

, t, f ;..;, '. +.. -

)

i....

e..

s t-.

,[

s. ',:.

1,

. -\\

",l[ -' ' '

....J.

,.h.

t,.

b'

~

d

?. ' ' l,

[,

$%1 '..!

.it

' QlY. 'l I ';

N.,,

, N.O.A. T..h; ' h ' ' ' *i'${.*

-. l...'.Y '. '. ' '...

I

... g z.

m.. x.. a...

.;f -.-.

.r...

{.D;.$.c.C,@a!?

0.' : 'i... c g. $$.. a@.sh.g.':"..,;.

~ 9 ", '. i 1,' ? f>. ;..

m, [n,. D....

1

...y g

.s

.n. :.-..

waa[m[mwansga'Mhh[..,..

.y.

r.s.~ -.. u. -..

v;:

r

. j

' y.) l. '

E.. ;.

.d.;.

y

Ikh..

M g..

n hh Nhhfhhkfkk kh

_s

-_ ~

__-._ _~ _

a

Retrieved from "https://kanterella.com/w/index.php?title=ML20210H936&oldid=4020478"