ML23107A277

OIG-20-A-17 Status of Recommendations: Audit of the NRC's Property Management Program, Dated April 12, 2023
ML23107A277
Person / Time
Issue date: 04/12/2023
From: Virkar H
NRC/OIG/AIGA
To: Dan Dorman
NRC/EDO
References
OIG-20-A-17


Text

MEMORANDUM

DATE: April 12, 2023

TO: Daniel H. Dorman, Executive Director for Operations

FROM: Hruta Virkar /RA/, Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF THE NRC'S PROPERTY MANAGEMENT PROGRAM (OIG-20-A-17)

REFERENCE: DIRECTOR, OFFICE OF ADMINISTRATION MEMORANDUM DATED DECEMBER 21, 2022 AND ENCLOSURES

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendation as discussed in the agency's response dated December 21, 2022.

Recommendations 1 and 3 were previously closed. Based on this response, recommendations 2, 4, and 6 are now closed. Recommendations 5 and 7 remain open and resolved. Please provide an updated status of the open, resolved recommendations by December 31, 2023.

If you have any questions or concerns, please call me at 301.415.1982 or Paul Rades, Team Leader, at 301.415.6228.

Attachment: As stated

cc: M. Bailey, OEDO; M. Meyer, OEDO; J. Jolicoeur, OEDO; RidsEdoMailCenter Resource; OIG Liaison Resource; EDO_ACS Distribution

NRC Headquarters | 11555 Rockville Pike | Rockville, Maryland 20852 | 301.415.5930 | www.nrcoig.oversight.gov

Audit Report: AUDIT OF THE NRC'S PROPERTY MANAGEMENT PROGRAM, Status of Recommendations (OIG-20-A-17)

Recommendation 2: Include the receipt, management, and proper disposal of IT assets planned and currently tracked in Remedy within the property management program. This may include, but is not limited to, actions such as:

a. Updating Management Directive (MD) 13.1, Property Management, to designate Remedy as the property tracking system specifically for IT assets;
b. Updating MD 13.1 to include the NRC IT Logistics Index policy for inputting IT assets greater than or equal to $2,500, or which contain NRC information or data within the property management program;
c. Specify in the updated MD 13.1, the use of unique identifiers to track and manage those IT assets within the NRC property management program;
d. Specify in the updated MD 13.1, the methods and documentation of periodic inventories using unique identifiers within the NRC property management program;
e. Provide appropriate acquisition information in excess property reporting for IT assets that contain NRC information or data; and,
f. Ensure IT assets in the property disposal process comply with documenting media sanitization in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1: Guidelines for Media Sanitization (NIST 800-88).

Agency Response Dated December 21, 2022: The OIG Office of Administration Director Memorandum, dated September 2, 2022, stated "OIG will close this recommendation once the NRC provides documentation of periodic inventories and quarterly SPMS and Remedy reconciliations for OIG review."

In collaboration with the Office of the Chief Information Officer (OCIO), ADM created a manual method of reconciling the Remedy and SPMS databases in which discrepancies were identified (see Enclosure 1). ADM will continue to conduct manual reconciliations quarterly to ensure accuracy between the Remedy and SPMS databases.

OIG Analysis: In previous NRC memorandum submissions to close out this audit recommendation, the OIG verified and was satisfied with the support for 2.a, 2.b, 2.c, 2.e, 2.f in full, and part of 2.d.

Through the December 21, 2022 NRC memorandum package, the OIG reviewed and verified Enclosure 1 for the remainder of part 2.d. This recommendation is now closed.

Status: Closed.


Recommendation 4: Limit the regional and the Technical Training Center (TTC) property item assignments to regional property custodians.

Agency Response Dated December 21, 2022: The OIG Office of Administration Director Memorandum, dated September 2, 2022, stated "This recommendation will be closed when the agency provides the July 2022 interim guidance issued via Yellow Announcement (YA) referenced in the June 24, 2022, agency response, and clarification that this interim guidance to incorporate this internal control will be included in the revised MD 13.1 scheduled to be finalized on December 31, 2023."

ADM issued Yellow Announcement (YA-22-0098) on December 15, 2022 (see Enclosure 2).

OIG Analysis: The OIG reviewed Enclosure 2, YA-22-0098 and determined it satisfied the recommendation. This recommendation is now closed.

Status: Closed.


Recommendation 5: Consolidate the notification of stolen NRC property to one NRC form.

Agency Response Dated December 21, 2022: The OIG Office of Administration Director Memorandum, dated September 2, 2022, stated "This recommendation will be closed once the agency provides documentation confirming the discontinued use of NRC Form 135, Security Incident Report and removal from the NRC Forms Library on SharePoint in lieu of using NRC Form 183, Report of Security Incident. Additionally, the OIG will need to verify that the policies/procedures included in Enclosure 5 are incorporated into official agency policy, such as through interim guidance issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled for December 31, 2023."

Per meeting with OIG auditors on November 22, 2022, ADM revised Enclosure 5 from the OIG Office of Administration Director Memorandum, dated June 2022 (ML22167A172) to state the various methods for reporting lost/stolen property, the proper NRC Forms, and the appropriate routing path to the appropriate parties (see Enclosure 3). Enclosure 3 will be incorporated into the official agency policy in the finalized MD 13.1 scheduled for December 31, 2023.

OIG Analysis: The OIG considered the November 22, 2022 meeting with the NRC and the review of Enclosure 3 to determine the NRC meets the intent of this recommendation by stating the various methods for reporting lost/stolen property, reporting of lost/stolen property through the appropriate NRC forms, and the routing path of these forms to the appropriate parties. The OIG will need to verify that the changes in Enclosure 3 are incorporated into official agency policy, such as through interim guidance issued through yellow announcement, and/or directly incorporated into the finalized and revised MD 13.1 scheduled for December 31, 2023.

Status: Open: Resolved.


Recommendation 6: Digitize the property process to facilitate reconciliation and property management workflow.

Agency Response Dated December 21, 2022: The OIG Office of Administration Director Memorandum, dated September 2, 2022, stated "This recommendation will be closed when the OIG verifies that the ADM has digitized the property process to facilitate reconciliation and property management workflow such as through an interim policy issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled to be issued on December 31, 2023."

ADM has created a digital process to capture the issuance of NRC property tags using a Master G-Tag Issuance Record and Signature Receipt for Tags Issued, requiring the requester to sign using their digital certificate signature for acceptance of NRC property tags being issued prior to property releasing the property tags (see Enclosures 4 and 5).

OIG Analysis: The OIG met with the Office of Administration (ADM) on May 24, 2022 for a walkthrough of the agency's revised digitization of the property management process. Following this walkthrough, the OIG determined that it partially satisfied this recommendation, as noted in the OIG's memorandum dated September 7, 2022.

Through the December 21, 2022 NRC memorandum package, the OIG analyzed Enclosures 1, 4, and 5. The OIG determined these enclosures document the digitization of the property process to facilitate reconciliation and property management workflow, addressing the part of the recommendation that was previously open. This recommendation is now closed.

Status: Closed.


Recommendation 7: Self-reassess the risk to the agency for the policy changes of the tracking threshold increase and removal of cell phones, laptops, and tablets from the sensitive items list, for loss or theft of property items.

Agency Response Dated December 21, 2022: The OIG Office of Administration Director Memorandum, dated September 2, 2022, stated "The OIG will close this recommendation after reviewing documentation to verify that the ADM and OCIO have conducted a self-reassessment supporting the current policy of increasing the tracking threshold and removing cell phones, laptops, and tablets from the sensitive items list for loss or theft of these property items. The OIG will also need to review the policy modification of this process such as from an interim policy issued through a yellow announcement prior to incorporation into the finalized MD 13.1 scheduled for December 31, 2023."

Through collaboration between ADM and OCIO, a Yellow Announcement (YA-22-0098) was issued on December 15, 2022, to inform all NRC employees of the decision to remove cell phones, laptops, and tablets from the sensitive items list and that these items are no longer being tracked in the NRC's Property Management System (SPMS) but are now being tracked and managed by OCIO's IT Service Management System (Remedy). Additionally, OCIO has updated the Hardware Asset Management playbook to include guidance on the process for reporting lost, missing, or stolen hardware assets covered under MD 12.5, NRC Cybersecurity Program (see Enclosure 2).

OIG Analysis: The OIG determined that Enclosure 2 and the Hardware Asset Management (HAM) playbook partially address the recommendation. Specifically, Enclosure 2 documents the agency policy modification of removing cell phones, laptops, and tablets from the sensitive item list, adjusting the responsibility of tracking these items from ADM to OCIO.

Additionally, the HAM playbook provides instructions on the reporting of and adjustment to tracking lost, missing, or stolen information technology assets.


The OIG will close this recommendation after reviewing documentation to verify the ADM and the OCIO have conducted a self-reassessment, prior to documenting the policy modifications in Enclosure 2. The self-reassessment supporting documentation can include meeting minutes of the self-reassessment discussion; methodology, analysis, and conclusion for the self-reassessment; and charter or purpose for self-reassessment.

Status: Open: Resolved.
