ML22250A549

OIG-20-A-17 Status of Recommendations: Audit of the NRC's Property Management Program Dated September 7, 2022
ML22250A549
Person / Time
Issue date: 09/07/2022
From: Rivera E
NRC/OIG/AIGA
To: Dan Dorman
NRC/EDO
References
OIG-20-A-17


Text

MEMORANDUM

DATE: September 7, 2022

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Eric Rivera /RA/, Acting Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE NRC'S PROPERTY MANAGEMENT PROGRAM (OIG-20-A-17)

REFERENCE: OFFICE OF ADMINISTRATION DIRECTOR MEMORANDUM DATED June 24, 2022 AND ENCLOSURES

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations as discussed in the agency's response dated June 24, 2022. Based on this response, recommendations 1 and 3 are closed; recommendations 2 and 4 through 7 remain open and resolved. Please provide a status update for the open, resolved recommendations by December 31, 2022.

If you have questions or concerns, please call me at (301) 415-5915 or Paul Rades, Acting Team Leader, at (301) 415-6228.

Attachment: As stated

cc: M. Bailey, OEDO
E. Stahl, OEDO
J. Jolicoeur, OEDO
RidsEdoMailCenter Resource
OIG Liaison Resource
EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930
www.nrcoig.oversight.gov

Audit Report
AUDIT OF THE NRC'S PROPERTY MANAGEMENT PROGRAM
OIG-20-A-17
Status of Recommendations

Recommendation 1: Modify the definition of accountable property to align with the agency's procedures for accounting for property under the property management program. This encompasses defining and addressing the accountability of items not tracked in the Space and Property Management System (SPMS) including pilferable property.

Agency Response Dated June 24, 2022: Status: Completed.

Revised definition of accountable property to comprise both the agency's Accountable Property System Records and the SPMS and Office of the Chief Information Officer (OCIO) Remedy (IT) databases. Definition revision completed in February 2021 and provided in the March 30, 2021 update.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the OIG verifies that the Office of the Administration (ADM) has modified the definition of accountable property in the NRC's property management program policy, MD 13.1.

Agency Status:

The Office of Administration (ADM) issued YA-22-0028 on April 1, 2022. Enclosure 2, Item 1 reflects this change. This change will be incorporated into the MD 13.1 update scheduled for December 31, 2023.

Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The actions taken meet the intent of this recommendation.

Specifically, Enclosures 1 and 2 of the agency response reflect this change to the definition of accountable property. This interim policy change issued in YA-22-0028 will be incorporated into the MD 13.1 revision scheduled for December 31, 2023.

Status: Closed.

Recommendation 2:

a. Updating MD 13.1, Property Management to designate Remedy as the property tracking system specifically for IT assets;
b. Updating MD 13.1 to include the NRC IT Logistics Index policy for inputting IT assets greater than or equal to $2,500, or which contain NRC information or data within the property management program;

c. Specify in the updated MD 13.1, the use of unique identifiers to track and manage those IT assets within the NRC property management program;
d. Specify in the updated MD 13.1, the methods and documentation of periodic inventories using unique identifiers within the NRC property management program;
e. Provide appropriate acquisition information in excess property reporting for IT assets that contain NRC information or data; and,
f. Ensure IT assets in the property disposal process comply with documenting media sanitation in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1: Guidelines for Media Sanitization (NIST 800-88).

Agency Response Dated June 24, 2022: Items a, b, c, d, and e are in progress. Item f is completed.

a. Remedy will be designated as the IT property tracking system in the MD 13.1 update.


b. OCIO's Hardware Asset Management Playbook, which contains the IT Asset and Logistics Index Appendix, HAM Asset Management Playbook.docx index is located on page 26.

To review the document once opened, click the Editing dropdown and select Open in Desktop App. NRC blue and red tags are the unique identifiers for managing IT assets.

NRC blue tags are tracked in both SPMS and Remedy for IT equipment with an acquisition cost of $2500+. NRC red tags are tracked in Remedy only for IT assets less than $2500. This will be specified in the MD 13.1 update.

c. ADM and OCIO will begin conducting and documenting quarterly SPMS and Remedy reconciliations and maintain reports of stated reconciliations beginning July 1, 2022. After further review of the current software programs, SPMS and Remedy do not have the capability to reconcile via an automated process. ADM and OCIO will collaborate to ensure future systems have the capability to execute automated reconciliations.
d. The OCIO's Hardware Asset Management Playbook documents the process for excessing IT assets HAM Asset Management Playbook.docx IT asset disposal is located on pages 15 and 16. To view the document once opened, click the Editing dropdown and select Open in Desktop App. OCIO uses Remedy to track all IT assets from acquisition to disposal.

As of 2018, when NRC/OCIO took ownership for IT assets, the appropriate acquisition information was captured in Remedy for all new IT property. However, prior IT assets (legacy) that predated 2018, may not contain the appropriate acquisition information.

e. ADM has developed the NRC Form 973 - Certification of Sanitization, that incorporates information which ensures IT assets in the property disposal process comply with documenting media sanitation in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1: Guidelines for Media Sanitization, NIST 800-88 Form. Enclosure 3

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation. This recommendation will be closed when the OIG verifies that the ADM has updated MD 13.1, Property Management, to include all relevant practices and procedures and has implemented procedures for the receipt, management, and disposal of the IT assets in Remedy.

Agency Status:

ADM issued YA-22-0028 on April 1, 2022 informing the agency of changes made to items a. (YA item 1); b. (YA item 2); c. (YA item 3); and f. (YA item 4) (see Enclosure 2). Lines a, b, c, d, and e recommendation will be completed upon the scheduled update to MD 13.1.

Target Completion Date: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: Part of the actions completed meet the intent of this recommendation. Specifically, Enclosure 2 (YA-22-0028), the OCIO's Hardware Asset Management Playbook, and Enclosure 3 address the following policy changes: designating Remedy as the IT property tracking system, tracking of property greater than $2,500, using unique identifiers to track IT assets, providing acquisition information for excess property, and ensuring IT assets are properly disposed in accordance with NIST 800-88.

The OIG will close this recommendation once the NRC provides documentation of periodic inventories and quarterly SPMS and Remedy reconciliations for OIG review.

Status: Open: Resolved.

Recommendation 3: Update and implement property receipt and tagging processes and procedures for the Facilities, Operations, and Space Management Branch (FOSMB), warehouse personnel, and property custodians, that will address:

a. Decentralized property receipt and tagging functions; and,
b. Providing property staff with acquisition information such as the cost and shipping information necessary to perform their property-related duties through automated notification.

Agency Response Dated June 24, 2022: Status: Completed.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the OIG verifies that the ADM has updated and implemented receipt and tagging processes and procedures for the FLB, warehouse personnel, and property custodians that addresses:

a. ADM implemented revised procedures for decentralized property receipt and tagging functions. ADM issued YA 0028 on April 1, 2022. Enclosure 2, Item 5 addresses the new procedures. This will be completed upon MD 13.1 update.
b. Acquisition Management Division has implemented a process workflow for property staff to receive acquisition information via automated email notifications. Enclosure 4.

ADM issued YA-22-0028 on April 1, 2022. Enclosure 2, Item 6 addresses new process.

Agency Status:

Recommendation completed upon the scheduled update to MD 13.1.

Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The actions taken meet the intent of this recommendation.

Specifically, Enclosure 2 (YA-22-0028), Item 5 communicates the procedures and decentralized locations for property receipt and tagging. Additionally, Enclosure 2, Item 6 and Enclosure 4 notify staff and provide examples of the newly automated process of providing acquisition information to property staff.

Enclosure 2 (YA-22-0028) is an interim policy update to be incorporated into the MD 13.1 revision scheduled for December 31, 2023.

Status: Closed.

Recommendation 4: Limit the regional and the Technical Training Center (TTC) property item assignments to regional property custodians.

Agency Response Dated June 24, 2022: Status: Completed.

ADM completed a thorough review of the SPMS database with property custodians to update property assignments. All items were properly assigned to regional property custodians.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the agency provides documentation for the OIG to review and verify that the ADM has reviewed and adjusted regional and TTC property item assignments to ensure they have assigned property in the property custodians' jurisdictions to the regional property custodian, as appropriate.

Agency Status:

ADM met with OIG auditors on May 24, 2022 to inform auditors of the changes. Due to changes being made systematically, documentation is not available. OIG Auditors suggest ADM issue a YA to inform property custodians that end users must reside in the office/region in which the property is assigned. ADM will issue a YA in July 2022 and update this internal control in MD 13.1. Recommendation completion upon issuance of YA and revision update in MD 13.1.

Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the agency provides the July 2022 interim guidance issued via yellow announcement (YA) referenced in the June 24, 2022 agency response, and clarification that this interim guidance to incorporate this internal control will be included in the revised MD 13.1 scheduled to be finalized on December 31, 2023.


Status: Open: Resolved.

Recommendation 5: Consolidate the notification of stolen NRC property to one NRC form.

Agency Response Dated June 24, 2022: Status: Completed.

Per meeting with OIG February 28, 2022, the Forms 395 and 135 will remain separate as long as it is clearly demonstrated in the office procedures and policy MD 13.1 of how the internal control measure will be incorporated in the routing of forms to ensure the appropriate NRC personnel are notified of lost, missing, or stolen property. Enclosure 5 provides revised instruction and guidance.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the OIG verifies documentation that demonstrates the ADM has revised the policy and process to consolidate the notification of stolen NRC property into a single NRC form.

Agency Status:

Recommendation completion upon scheduled update to MD 13.1.

Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The proposed actions meet the intent of this recommendation. Specifically, the recommendation will be closed once the agency provides documentation confirming the discontinued use of NRC Form 135, Security Incident Report and removal from the NRC Forms Library on SharePoint in lieu of using NRC Form 183, Report of Security Incident. Additionally, the OIG will need to verify that the policies/procedures included in Enclosure 5 are incorporated into official agency policy, such as through interim guidance issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled for December 31, 2023.


Status: Open: Resolved.

Recommendation 6: Digitize the property process to facilitate reconciliation and property management workflow.

Agency Response Dated June 24, 2022: Status: In Progress.

ADM has begun digitizing the property management workflow process and will continue this process where applicable.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the OIG verifies that the ADM has digitized the property process to facilitate reconciliation and property management workflow.

Agency Status:

Property management team has started creating a digital workflow process to manage all property records and retain on the agency G: drive. On May 24, 2022, ADM provided a demonstration to OIG auditors on the current status of the digital workflow process.

Auditors were satisfied with current progress. However, OIG suggested that the issuance of NRC property tags be captured in SPMS or through another automated process. ADM will look further into a new process and incorporate in MD 13.1.

Recommendation completion upon update to MD 13.1 which is scheduled for December 31, 2023.

Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The proposed actions meet the intent of this recommendation. This recommendation will be closed when the OIG verifies that the ADM has digitized the property process to facilitate reconciliation and property management workflow such as through an interim policy issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled to be issued on December 31, 2023.


Status: Open: Resolved.

Recommendation 7: Self-reassess the risk to the agency for the policy changes of the tracking threshold increase and removal of cell phones, laptops, and tablets from the sensitive items list, for loss or theft of property items.

Agency Response Dated June 24, 2022: Status: In Progress.

ADM and OCIO will conduct a reassessment of the risk to the agency for the policy changes of the property tracking threshold increase. This reassessment will include the discussion of the removal of cell phones, laptops, and tablets from the sensitive items list and the risk of loss or theft of these property items.

February 2022 OIG Analysis:

The proposed actions meet the intent of this recommendation.

This recommendation will be closed when the OIG verifies that the ADM and the OCIO have self-reassessed the risk to the agency for the policy changes of the tracking threshold increase and removal of cell phones, laptops, and tablets from the sensitive items list, for loss or theft of property items in accordance with the OMB Circular A-123, Appendix A and NRC's ERM risk assessments.

Agency Status:

ADM and OCIO counterparts conducted a self-reassessment of the risk for the agency for policy changes. It was concluded that the current policy for the tracking threshold increase is appropriate.

The current process to remove cell phones, laptops, and tablets from the sensitive items list adequately accounts for the risk of loss or theft of these property items. The link HAM Asset Management Playbook.docx referencing property management of cell phones, laptops, and tablets will be included in the updated MD 13.1.

OCIO will continue to track and account for the risk of loss and theft of these property items. OCIO's Hardware asset management team meets weekly and uses asset dashboards to maintain control and proper documentation in the Remedy Configuration Management Database for all assets managed in the Remedy ticketing system. Recommendation completion upon update to MD 13.1 which is scheduled for December 31, 2023.


Targeted Completion: December 31, 2023

POC: Charemagne Grimes, 301-415-8422

OIG Analysis: The proposed actions meet the intent of this recommendation. The OIG will close this recommendation after reviewing documentation to verify that the ADM and OCIO have conducted a self-reassessment supporting the current policy of increasing the tracking threshold and removing cell phones, laptops, and tablets from the sensitive items list for loss or theft of these property items.

The OIG will also need to review the policy modification of this process such as from an interim policy issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled for December 31, 2023.

Status: Open: Resolved.
