Text

NRC Headquarters l 11555 Rockville Pike l Rockville, Maryland 20852 l 301.415.5930 nrcoig.oversight.gov MEMORANDUM DATE:

June 26, 2025 TO:

Mirela Gavrilas Executive Director for Operations FROM:

Hruta Virkar, CPA /RA/

Assistant Inspector General for Audits & Evaluations

SUBJECT:

STATUS OF RECOMMENDATIONS: EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT (OIG-24-E-01)

REFERENCE:

RESPONSE TO RECOMMENDATIONS FROM THE OFFICE OF THE INSPECTOR GENERAL FINAL EVALUATION REPORT: EVALUATION OF THE U.S.

NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT (OIG-24-E-01) DATED: May 29, 2025 Attached is the Office of the Inspector Generals (OIG) analysis and status of recommendations as discussed in the agencys response dated May 29, 2025. Based on this response, recommendation 1.1 is now closed. Recommendations 1.2, 2.1, 3.1, 4.1, and 4.2 are open and resolved. Please provide an updated status of the open, resolved recommendations by January 30, 2026.

We appreciate the cooperation extended to us by members of your staff during the evaluation. If you have any questions or comments about our report, please contact me at 301.415.1982 or Mike Blair, Team Leader, at 301.415.8399.

Attachment:

As stated cc: J. Martin, ADO D. Lewis, DADO E. Deeds, OEDO OIG Liaison Resource EDO ACS Distribution

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 2 Recommendation 1.1:

Update U.S. Nuclear Regulatory Commission (NRC) form 270, Separation Clearance, to include a step to ensure Information Technology (IT) assets under the $2,500 threshold are returned prior to employee clearance for separation.

Agency Response NRC staff agrees with this recommendation.

Dated May 29, 2025:

The NRC has modified the separation clearance process (NRC Form 270) as follows:

• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees and, hybrid or onsite employees must return all IT equipment prior to their separation interview with Office of the Chief Human Capital Officer (OCHCO). (Completed: Q3 FY 2024)

• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employees departure date (for onsite employees).

(Completed: Q3 FY 2024)

In situations where earlier return of an agency laptop is necessary (up to 10 days before departure), the Office of the Chief Human Capital Officer (OCIO) will develop directions and instructions to facilitate the earlier return of the laptop and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable the employee to work during the period between the return of the laptop and the employees departure date. (Completed: Q3 FY 2025)

OIG Analysis:

The OIG reviewed the updated NRC Form 270 and the email template sent to employees separating from the NRC. The OIG determined the information met the intent of the recommendation. This recommendation is now closed.

Status:

Closed

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 3 Recommendation 1.2: Update Management Directive (MD) 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold.

Agency Response NRC staff agrees with this recommendation.

Dated May 29, 2025:

ADM will revise MD 13.1, issued December 21, 2023, to do the following:

• Update the roles and responsibilities outlined in MD 13.1.

• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.

• Reference the Hardware Asset Management (HAM)

Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)

OIG Analysis:

The OIG will close this recommendation after reviewing and confirming the evidence provided by NRCs management regarding the update to MD 13.1. This recommendation remains open and resolved.

Status: Open: Resolved

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 4 Recommendation 2.1:

Complete an inventory of laptops, desktops, and tablets, and update the information in the Configuration Management Database (CMDB) in the current IT Service Management (ITSM) toolset.

Agency Response NRC staff agrees with this recommendation Dated May 29, 2025:

Within the past 3 months, NRC has performed regular inventories of all agency storage locations (stockrooms),

touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of in use assets by comparing inventory with reports from network discovery tools. OCIO will maintain the use of existing agency discovery tools and consider additional processes and tools to comprehensively inventory all laptops, desktops, and tablets in the environment.

(Target Completion Date: Q4, FY 2025)

OIG Analysis:

The OIG will close this recommendation after reviewing and confirming with NRCs management that the inventories were completed. This recommendation remains open and resolved.

Status:

Open: Resolved

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 5 Recommendation 3.1:

Update MD 13.1, Property Management, and the Hardware Asset Management (HAM) Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner.

Agency Response NRC staff agrees with this recommendation.

Dated May 29, 2025:

OCIO has already done the following:

• The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets.

(Completed: Q4 FY 2024)

• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC.

(Completed: Q3 FY 2024)

• OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags.

(Completed: Q1 FY 2025)

ADM will update MD 13.1 to incorporate the updated HAM Playbook (Target Completion Date: Q4, FY 2025)

OIG Analysis:

The OIG will close this recommendation after reviewing and confirming the evidence provided by NRCs management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.

Status:

Open: Resolved

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 6 Recommendation 4.1:

Update the affected contract(s) to include a service level requirement for the sanitation of assets.

Agency Response NRC staff agrees with this recommendation.

Dated May 29, 2025:

The End User Computing Contracting Officer's Representative is planning several modifications to the affected contract to include a service level requirement for sanitization of all NRC-issued laptops.

(Target Completion Date: Q4 FY 2025)

OIG Analysis:

The OIG will close this recommendation after reviewing and confirming the evidence provided by NRCs management regarding the update to the end-user computing contract.

This recommendation remains open and resolved.

Status:

Open: Resolved

Evaluation Report EVALUATION OF THE U.S. NUCLEAR REGULATORY COMMISSIONS INFORMATION TECHNOLOGY ASSET MANAGEMENT Status of Recommendations (OIG-24-E-01) 7 Recommendation 4.2:

Update the PC Decommissioning Standard Operating Procedure and the Hardware Asset Management Playbook to reflect all the required steps in the decommissioning and disposal process.

Agency Response NRC staff agrees with this recommendation.

Dated May 29, 2025:

OCIO has updated the standard operating procedure to reflect all the required steps in the decommissioning and disposal process. (Completed: Q3 FY 2024)

OCIO will update the HAM Playbook to reflect the established standard operating procedure.

(Completed: Q1 FY 2025)

OIG Analysis:

The OIG will close this recommendation after reviewing and confirming the evidence provided by NRCs management regarding the update of the HAM Playbook. This recommendation remains open and resolved.

Status:

Open: Resolved