ML21029A311: Difference between revisions

=Text=
{{#Wiki_filter:
 
==SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS==
Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)
Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)
Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings (GAO-16-511)
Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring (GAO-16-713)
Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (GAO-18-93)
Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects (GAO-19-22)
Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges (GAO-19-384)
Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)
Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)
Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts (GAO-20-362)
Enclosure
 
The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)
The U.S. Government Accountability Office (GAO), in its report, Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices, recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost-estimating best practices identified in GAO-089-3SP, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation:
To improve the reliability of its cost estimates, as NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.
Status:
The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses.
The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the update to Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, that the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft of NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, Draft Final NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission). Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and reference it on the NRC public website.
This GAO recommendation remains open.
 
The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)
GAO, in its report, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for Category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.
Recommendation 1:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include Category 3 sources in the National Source Tracking System and add agreement state Category 3 licenses to the Web-based Licensing System as quickly as reasonably possible.
Status:
In early 2016, the NRC formed a working group, the License Verification and Transfer of Category 3 Sources Working Group (LVWG), to evaluate license verification and transfer requirements for Category 3 sources. The LVWG evaluated the inclusion of Category 3 licenses in the NRC's Web-Based Licensing System and the methods available for verifying the legitimacy of licenses held by those licensees prior to the transfer of material. The working group also evaluated the inclusion of Category 3 sources in the National Source Tracking System (NSTS) for the specific purpose of preventing licensees from accumulating Category 3 sources into Category 2 or higher quantities of radioactive material. The LVWG made recommendations to enhance the existing processes for license verification and source tracking beyond Category 1 and Category 2 thresholds. These recommendations were provided to the Commission as part of the staff's reevaluation of Category 3 sources as outlined below.
On October 18, 2016, in the SRM for COMJMB-16-0001, Proposed Staff Re-Evaluation of Category 3 Source Accountability, the Commission directed the NRC staff to re-evaluate Category 3 source accountability given the agency's operating experience with higher-risk sources and in response to findings made by GAO. In the direction provided in the SRM, the Commission stated that the staff should assess the risks posed by the aggregation of Category 3 sources into Category 2 quantities as part of its efforts to re-evaluate Category 3 source accountability.
A working group - the Category 3 Source Security and Accountability Working Group - was formed to address the following tasks: evaluating the pros and cons of different methods for verifying the validity of a license before a Category 3 source is transferred; evaluating the pros and cons of including Category 3 sources in the NSTS; assessing any additional options to address the source accountability recommendations made by GAO; identifying changes in the threat environment since 2009 and evaluating whether those changes support expanding the NSTS to include Category 3 sources; assessing the risks posed when a licensee possesses enough Category 3 sources to require the higher level protections for Category 2 quantities; and collaborating with NRC's Agreement State partners, non-Agreement States, licensees, public interest groups, industry groups, and the reactor community to fully assess the regulatory impact of any recommendation made by the working group. The Category 3 Source Security and Accountability Working Group considered recommendations made by the LVWG and also informed its evaluation with the results of the NRC staff's review of the effectiveness of Title 10 of the Code of Federal Regulations (10 CFR) Part 37, the results of which were reported to Congress in December 2016.
As directed by the Commission, the Category 3 Source Security and Accountability Working Group developed a notation vote paper that was submitted to the Commission in August 2017 (SECY-17-0083, Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001). The Commission is currently considering the staff's analysis and recommendations.
This GAO recommendation remains open.
Recommendation 2:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should at least until such time that Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed materials.
Status:
The LVWG evaluated this recommendation, and its analysis was considered by the Category 3 Source Security and Accountability Working Group. The Commission is currently considering the staff's analysis and recommendations.
This GAO recommendation remains open.
Recommendation 3:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of NRC working groups meeting to develop enhancements to the pre-licensing requirements for Category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of Category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.
 
Status:
In early 2016, the NRC formed a working group, the Enhancements to Pre-Licensing Guidance Working Group (PLWG), to evaluate pre-licensing activities and develop recommendations for enhancements to the pre-licensing process. The PLWG developed recommendations that involve changes to existing regulations and revisions to existing training, guidance, and procedures. The NRC staff developed an action plan for the non-rulemaking recommendations (e.g., revisions to license applicant guidance documents, and revisions to NRC pre-licensing guidance and checklists), which it is currently implementing. The NRC has completed several items outlined in the action plan. For example, the NRC has:
: 1) issued a revision to the pre-licensing guidance (e.g., to emphasize that licenses should not be hand-delivered during a pre-licensing site visit and to outline processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate); and
: 2) updated the licensing and inspection courses offered at the NRC Technical Training Center and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.
For the recommendations that would require rulemaking, the Commission is currently considering the staff's analysis and recommendations. Upon receipt of Commission direction on this and other recommendations pertaining to materials licensees, the NRC staff will develop a rulemaking plan for Commission consideration.
This GAO recommendation remains open.
 
The U.S. Government Accountability Office Report Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings September 2016 (GAO-16-511)
The Federal Government is expected to spend more than $90 billion on Information Technology (IT) in fiscal year (FY) 2017. This includes a variety of software applications supporting agencies' enterprise needs. Since 2013, OMB has advocated the use of application rationalization. This is a process by which an agency streamlines its portfolio of software applications with the goal of improving efficiency, reducing complexity and redundancy, and lowering the cost of ownership.
The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation:
To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.
Status:
The NRC addressed the one remaining action item for the GAO recommendation. This action item was to document the application inventory within the NRC. GAO followed up with the NRC in November 2019 and requested 1) documentation that the quarterly and annual validation reviews in the inventory maintenance process have occurred and 2) a more recent inventory list that includes attributes for all systems. The NRC provided the requested information to GAO in November 2019, except for the documentation of an annual review. An independent review for verifying and validating the NRC system inventory and IT service inventory was completed in January 2020. In August 2020, the NRC transmitted documentation of this annual review to GAO.
The NRC considers this GAO recommendation to be closed.
 
The U.S. Government Accountability Office Report Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring September 2016 (GAO-16-713)
GAO, in its report, Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring, made two recommendations to improve inventory monitoring, one of which applies to the NRC. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 1:
Clarify in guidance the conditions under which facilities may carry negative obligation balances.
Status:
The NRC guidance in this area is found in NUREG/BR-0006, Instructions for Completing Nuclear Material Transaction Reports (DOE/NRC Forms 741 and 740M) and NUREG/BR-0007, Instructions for the Preparation and Distribution of Material Status Reports (DOE/NRC Forms 742 and 742C). The NRC staff drafted revisions to these documents to include clarifying instructions for obligations accounting and published the revised draft documents for public comment in August 2019. In addition to addressing the GAO recommendation, the draft revisions included clarifications and changes in response to comments that users of the documents have provided over the past several years. The 90-day public comment period closed on November 13, 2019.
The two NUREG revisions were issued on August 31, 2020. They can be found in the Agencywide Documents Access and Management System at accession numbers ML20240A155 (NUREG/BR-0006, Rev. 9) and ML20240A181 (NUREG/BR-0007, Rev. 8). The staff published a notice of the revisions in the Federal Register on October 30, 2020 (FR Volume 85, pages 68722-68723).
The NRC considers this GAO recommendation to be closed.
 
The U.S. Government Accountability Office Report Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities March 2020 (GAO-18-93)
GAO, in its report, Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities, made one recommendation to the NRC to ensure that the agency's IT management policies address the role of the CIO for key responsibilities in five areas - IT Leadership and Accountability, IT Strategic Planning, IT Workforce, IT Investment Management, and Information Security. The status of actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 23:
The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified.
Status:
The NRC has identified proposed policies and appropriate language to include key responsibilities for the role of the CIO based upon the five areas identified by GAO. The NRC plans to complete any policy update by the end of the third quarter of FY 2021.
In April 2020, NRC submitted updated information to GAO and GAO agreed that the NRC had appropriately addressed a number of the recommendations, including all the recommendations in the area of IT Strategic Workforce. Below is a summary of the NRC's actions in response to the remaining four areas of key IT Management responsibilities identified by GAO.
Information Technology Leadership and Accountability
Report directly to the agency head or that official's deputy
As explained in the agency's {{letter dated|date=May 7, 2018|text=May 7, 2018, letter}} to GAO, the NRC believes that it is fully compliant with this requirement. NRC-specific organizational legislation (Reorganization Plan No. 1 of 1980) assigns the agency's administrative functions to the Chairman and then requires the Chairman to delegate them to the Executive Director for Operations. The NRC's CIO reports directly to the Executive Director for Operations, who serves as the Chief Operating Officer. The CIO also has direct access to the Chairman.
Information Technologies Strategic Planning
Benchmark agency processes against private and public sector performance
The NRC develops and uses the IT/IM Strategic Plan to outline and refine internal processes. The Office of the Chief Information Officer (OCIO) has completed a benchmark of the IT/IM Strategic Plan and the NRC is in alignment with industry standards both in the private and public sector. The CIO has integrated benchmarking as part of the NRC IT/IM Strategic Plan. Benchmarking will continue on an ongoing basis, and language has been added to the Capital Planning and Investment Control policy indicating CIO authority over this process.
Ensure that agency processes are analyzed and revised as appropriate before making significant IT investments
The NRC plans to add language to Management Directive (MD) 2.8, Integrated Information Technology (IT/IM) Governance Framework to explicitly describe the CIO's responsibility and authority to ensure that agency processes are analyzed and revised as appropriate before making significant IT investments.
Information Technologies Investment Management
Advise the head of the agency on whether to continue, modify, or terminate any acquisition, investment, or activity that includes a significant IT component based on the CIO's evaluation
The CIO advises both the Chairman and the Executive Director for Operations on the IT investments and activities on a regular basis. The role and responsibilities of the CIO are outlined in MD 2.8, Integrated Information Technology/Information Management (IT/IM) Governance Framework.
The CIO and Chief Financial Officer (CFO) define and provide oversight of the process by which the CIO, CFO, Chief Acquisition Officer, and Chief Human Capital Officer work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT for strategic outcomes in support of the NRC's program and business objectives. This includes defining the level of detail at which IT resources are budgeted and defining processes to track planned expenditures for IT resources against actual expenditures for all transactions that include IT resources.
Maintain a strategy to consolidate and optimize data centers
The CIO provides oversight and monitoring of the NRC's Data Center Consolidation reporting and activities through the following activities: 1) evaluating agencies' data center closures and cost savings; 2) assessing agencies' progress against OMB's data center optimization targets; and 3) monitoring effective agency practices for achieving data center closures, cost savings, and optimization progress. This information was included as part of GAO-16-323 and GAO 241 reports, both of which have been completed.
As of January 2020, the NRC reported to OMB that all metrics outlined in the current Data Center Optimization Initiative to consolidate and optimize data centers have been met. These metrics are currently shown as completed in the OMB MAX portal dashboard.
 
Information Security
Ensure that senior agency officials, including CIOs of bureaus or equivalent officials, carry out their information security responsibilities
As the agency authorizing official, the CIO provides oversight over key agency officials in their respective roles as outlined in MD 12.5, NRC Cybersecurity Program. Additionally, the CIO oversees the system ownership roles of the Office Directors, Regional Administrators, and Services Development and Operations Division Director. The CIO has oversight of the Chief Information Security Officer, works with the CFO on budget oversight of information technology as outlined in the Federal IT Acquisition Reform Act, and works with the Acquisition Management Division in the Office of Administration in overseeing acquisition budget requests.
The CIO provides oversight over the NRC Cybersecurity Program. The cybersecurity Performance Metric, which is reported on a quarterly basis, reports the information security responsibilities of all employees including agency senior officials based upon five major criteria. The five major criteria include: 1) Computer Security Awareness training, 2) Role-based training, 3) Continuous Monitoring, 4) Cybersecurity Incidents, and 5) Phishing. MD 2.8 will be updated to explicitly describe the CIO's cybersecurity responsibilities.
This GAO recommendation remains open.
 
The U.S. Government Accountability Office Report Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects March 2019 (GAO-19-22)
In its report, Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects, GAO made one recommendation to the NRC on how the NRC communicates with Indian Tribes about how their input was considered in the agency's decisions on infrastructure projects. The status of the actions taken by the NRC in response to this GAO recommendation is provided below.
Recommendation 19:
The Chairman of the Nuclear Regulatory Commission should document in the agency's Tribal consultation policy how agency officials are to communicate with Tribes about how Tribal input from consultation was considered in agency decisions on infrastructure projects.
Status:
On December 11, 2020, the NRC issued a policy announcement to inform the staff that they are responsible for providing written communication to federally recognized Indian Tribes that provide input concerning any NRC regulatory action, as soon as practical after the agency's final decision. This action amended the direction to the staff in MD 5.1, Consultation and Coordination with Governments and Indian Tribes, and remains in place until the next periodic revision of MD 5.1. The policy announcement also clarified that the staff's written communication to federally recognized Indian Tribes should inform the Tribe of the agency's final decision, describe how the NRC considered the Tribe's input, and respond to the Tribe's comments. The staff was also reminded that all NRC offices and regions should update their office-specific guidance documents to include coordination with the agency's tribal liaison staff in the Office of Nuclear Material Safety and Safeguards.
The NRC considers this GAO recommendation to be closed.
 
The U.S. Government Accountability Office Report Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges June 2020 (GAO-19-384)
GAO, in its report, Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges, provided four recommendations to the NRC. Three of these recommendations have previously been reported as implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.
Recommendation 49:
Develop a cybersecurity risk management strategy that includes the key elements identified in this report.
Status:
In September 2020, the NRC issued an updated risk management strategy in agency policy CSO-PROS-2030 that addresses the key elements identified by GAO. Consistent with GAO's recommendation, the updated agency policy addresses the following key elements:
assigning appropriate Cybersecurity roles, developing an agencywide risk assessment strategy, identifying common controls, maintaining a control monitoring strategy, maintaining system level risk assessments, conducting and maintaining risk determinations for system operations, and conducting risk assessments for control monitoring and plan of action and milestones.
The NRC considers this GAO recommendation to be closed.
 
The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material April 2019 (GAO-19-468)
GAO, in its report, Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, made three recommendations to the NRC related to the security of radioactive material. Two of these recommendations have been previously reported as implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.
Recommendation 2:
The Chairman of NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.
Status:
The NRC is considering actions relevant to this recommendation in connection with the agency's response to GAO-16-330, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, as well as to the Commission's direction on COMJMB-16-0001, Proposed Staff Re-Evaluation of Category 3 Source Accountability. Potential options in response to these efforts are described in the NRC staff's policy paper, SECY-17-0083, Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001. The Commission is currently considering the staff's analysis and recommendations.
This GAO recommendation remains open.
 
The U.S. Government Accountability Office Report Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities March 2020 (GAO-20-129)
The federal government spends over $90 billion on IT. Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report.
Recommendation 14:
The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement.
Status:
The following summary describes the actions taken by the NRC to fully implement seven key IT workforce planning activities identified by GAO.
Develop competency and staffing requirements NRC is in the process of developing competency requirements for its IT staff. NRC officials have initiated competency modeling for IT roles and are engaged in ongoing staffing target development for its IT staff. This modeling projects staffing targets over the next 5 years, including mission critical occupations and IT management in response to the Office of Personnel Managements requirement to submit this information annually.
Assess competency and staffing needs regularly Each office within the agency, which includes the OCIO, is responsible for evaluating its workforce on an annual basis. This evaluation is conducted utilizing six key steps: 1) Annually Set Strategic Direction; 2) Conduct Workforce Forecast & Demand Analysis; 3) Conduct Workforce Supply Analysis; 4) Perform a Gap Analysis and Risk Assessment to Prioritize Results; 5) Develop and Execute Office Strategies; and 6) Monitor, Evaluate, and Revise Strategies.
Assess gaps in competencies and staffing In FY 2018, OCIO participated in the enhanced Strategic Workforce Planning (eSWP) process.
The eSWP process was designed to provide a baseline for each program office to evaluate its workforce on an annual basis. Currently, on an annual cycle, the SWP review and evaluation helps the agency be more agile as the workload and workforce needs change, and gives the 14
 
staff information on the expected future mission needs of the NRC, allowing for more effective career planning and development.
Developing strategies and plans to address gaps in competencies and staffing In FY 2019, the NRC specified competencies for all the IT positions listed in our mission critical occupations (0080 Cybersecurity and 2210 Information Technology Management), which reflects all of the agencys IT positions. NRC has also joined other federal agencies that are part of the CIO Council to build career paths/competency models for 64 IT security roles across the federal government. These activities will further strengthen our enterprise expectations for IT competencies, as well as allow individuals to identify career development opportunities.
Implement activities that address gaps The NRC conducted a gap analysis of the current IT workforce, which revealed gaps in cybersecurity and cloud computing. The NRC has developed mitigation strategies to address current skills gaps in those areas. The Office of the Chief Human Capital Officer continues to partner with OCIO to ensure that the agency maintains the appropriate mix of skill levels to meet its full-time equivalent utilization goal.
Monitor the agency's progress in addressing gaps
The CIO continues to assess the existing IT workforce to identify deficiencies within the agency. The most recent assessment indicated that deficiencies exist in the work role areas of security control assessor and enterprise architect. As attrition occurs, the agency is reassigning current staff where feasible; retraining agency staff; and using contractor support to close current IT work role area gaps that cannot be addressed with internal staff. The agency is also in the process of identifying IT positions for the development of competency models with the associated core competencies and functions. Additionally, to more effectively assess future IT workforce needs, the agency has begun to develop a more comprehensive SWP process that maps NRC's current IT workforce to the projected agency IT workforce.
Report to agency leadership progress in addressing gaps
The NRC annually reviews IT skills and capabilities via the staffing plan preparation/review and the eSWP process. In addition, the eSWP includes strategies to address skill gaps. Annually, the NRC has a Human Capital Commission Briefing that is presented to the Chairman and the Commission and includes information on SWP results and strategies, as well as agency workforce data and information. This annual review includes the status of personnel capabilities for the entire agency and review of the IT SWP strategies.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts February 2020 (GAO-20-362)
The NRC creates and posts public cost estimates for common oversight activities on its website to increase transparency and enhance stakeholder awareness of the costs associated with these activities. These estimates are designed to aid licensees in planning for future work and to assist with budgeting to pay future costs. GAO, in its report, Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts, indicated that the NRC has not consistently updated those estimates since September 2017, or clearly defined what costs were included in the estimates.
GAO made two recommendations to the NRC in this report. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 1:
The Executive Director for Operations of NRC should ensure relevant NRC program offices develop policy and guidance for when to communicate information on work progress to licensees, such as through communications to licensees at specified timeframes or thresholds.
Status:
The appropriate program offices have been tasked to update relevant office procedures to establish policy and guidance for when to communicate information on work progress to licensees. These procedure updates are expected to be completed by the end of FY 2021.
This GAO recommendation remains open.
Recommendation 2:
The Chief Financial Officer of NRC should, in consultation with NRC program offices, develop guidance to ensure NRC staff clearly define what costs - such as project management - are included in its public cost estimates.
Status:
In December 2019, the Budget Director, Office of the Chief Financial Officer (OCFO), tasked the responsible program offices to update the fee estimates for common oversight activities that were posted on the NRC website. The updates to the estimates were completed in 2020. The tasking further explained that these estimates should be reviewed and updated, if necessary, on a biennial basis. The OCFO will task the program offices biennially to review and update (if needed) the tables. Additionally, OCFO staff met with the appropriate program office staff to determine how the estimates can be improved by clearly defining the costs included in the public estimates. The group developed a solution that further defined these cost estimates and this solution was also implemented in 2020. The revised estimates for each category are published on the NRC public website and can be found at the links indicated below.
POWER REACTORS - CHART: Operating Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/power.html (select- License Fees/Fee Estimates)
RESEARCH AND TEST REACTORS - CHART: Operating Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/power.html (select- License Fees/Fee Estimates)
NEW REACTORS - CHART: New Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/new-reactors.html (select- Cost Projections for Licensing Actions)
URANIUM RECOVERY - CHART: Cost Projections for Uranium Recovery Licensing Actions https://www.nrc.gov/materials/uranium-recovery/cost-projections-license-apps.html
FUEL CYCLE FACILITIES - CHART: Fuel Facility Regulatory Action Cost Estimates https://www.nrc.gov/materials/fuel-cycle-fac.html (select - Cost Projections for Inspections and Licensing Actions)
MATERIALS TRANSPORTATION - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html
STORAGE OF SPENT NUCLEAR FUEL - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html
TRANSPORTATION OF SPENT NUCLEAR FUEL - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html
DECOMMISSIONING OF NUCLEAR FACILITIES - CHART: Cost Estimates for Decommissioning Licensing Actions https://www.nrc.gov/waste/decommissioning/cost-estimates-dla.html
The NRC considers this GAO recommendation to be closed.
}}

Latest revision as of 19:52, 20 January 2022

Enclosure - Summary of NRC Actions - Response to Gao Reports
ML21029A311
Person / Time
Issue date: 03/01/2021
From: Christopher Hanson
NRC/Chairman
To: Dodaro G
US Government Accountability Office (GAO)
Jolicoeur J
Shared Package
ML21029A307:ml21029A307 List:
References
CORR-21-0012, GAO-15-98
Download: ML21029A311 (17)


Text

SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS

Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)

Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)

Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings (GAO-16-511)

Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring (GAO-16-713)

Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (GAO-18-93)

Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects (GAO-19-22)

Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges (GAO-19-384)

Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)

Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)

Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts (GAO-20-362)

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)

The U.S. Government Accountability Office (GAO), in its report, Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices, recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost-estimating best practices identified in GAO-089-3SP, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses.

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the update to Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, that the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft of NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, Draft Final NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission). Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and reference it on the NRC public website.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)

GAO, in its report, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for Category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include Category 3 sources in the National Source Tracking System and add agreement state Category 3 licenses to the Web-based Licensing System as quickly as reasonably possible.

Status:

In early 2016, the NRC formed a working group, the License Verification and Transfer of Category 3 Sources Working Group (LVWG), to evaluate license verification and transfer requirements for Category 3 sources. The LVWG evaluated the inclusion of Category 3 licenses in the NRC's Web-Based Licensing System and the methods available for verifying the legitimacy of licenses held by those licensees prior to the transfer of material. The working group also evaluated the inclusion of Category 3 sources in the National Source Tracking System (NSTS) for the specific purpose of preventing licensees from accumulating Category 3 sources into Category 2 or higher quantities of radioactive material. The LVWG made recommendations to enhance the existing processes for license verification and source tracking beyond Category 1 and Category 2 thresholds. These recommendations were provided to the Commission as part of the staff's reevaluation of Category 3 sources as outlined below.

On October 18, 2016, in the SRM for COMJMB-16-0001, Proposed Staff Re-Evaluation of Category 3 Source Accountability, the Commission directed the NRC staff to re-evaluate Category 3 source accountability given the agency's operating experience with higher-risk sources and in response to findings made by GAO. In the direction provided in the SRM, the Commission stated that the staff should assess the risks posed by the aggregation of Category 3 sources into Category 2 quantities as part of its efforts to re-evaluate Category 3 source accountability.

A working group - the Category 3 Source Security and Accountability Working Group - was formed to address the following tasks: evaluating the pros and cons of different methods for verifying the validity of a license before a Category 3 source is transferred; evaluating the pros and cons of including Category 3 sources in the NSTS; assessing any additional options to address the source accountability recommendations made by GAO; identifying changes in the threat environment since 2009 and evaluating whether those changes support expanding the NSTS to include Category 3 sources; assessing the risks posed when a licensee possesses enough Category 3 sources to require the higher level protections for Category 2 quantities; and collaborating with NRC's Agreement State partners, non-Agreement States, licensees, public interest groups, industry groups, and the reactor community to fully assess the regulatory impact of any recommendation made by the working group. The Category 3 Source Security and Accountability Working Group considered recommendations made by the LVWG and also informed its evaluation with the results of the NRC staff's review of the effectiveness of Title 10 of the Code of Federal Regulations (10 CFR) Part 37, the results of which were reported to Congress in December 2016.

As directed by the Commission, the Category 3 Source Security and Accountability Working Group developed a notation vote paper that was submitted to the Commission in August 2017 (SECY-17-0083, Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001). The Commission is currently considering the staff's analysis and recommendations.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should at least until such time that Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed materials.

Status:

The LVWG evaluated this recommendation, and its analysis was considered by the Category 3 Source Security and Accountability Working Group. The Commission is currently considering the staff's analysis and recommendations.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of NRC working groups meeting to develop enhancements to the pre-licensing requirements for Category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of Category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

Status:

In early 2016, the NRC formed a working group, the Enhancements to Pre-Licensing Guidance Working Group (PLWG), to evaluate pre-licensing activities and develop recommendations for enhancements to the pre-licensing process. The PLWG developed recommendations that involve changes to existing regulations and revisions to existing training, guidance, and procedures. The NRC staff developed an action plan for the non-rulemaking recommendations (e.g., revisions to license applicant guidance documents, and revisions to NRC pre-licensing guidance and checklists), which it is currently implementing. The NRC has completed several items outlined in the action plan. For example, the NRC has: 1) issued a revision to the pre-licensing guidance (e.g., to emphasize that licenses should not be hand-delivered during a pre-licensing site visit and to outline processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate); and

2) updated the licensing and inspection courses offered at the NRC Technical Training Center and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

For the recommendations that would require rulemaking, the Commission is currently considering the staff's analysis and recommendations. Upon receipt of Commission direction on this and other recommendations pertaining to materials licensees, the NRC staff will develop a rulemaking plan for Commission consideration.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings September 2016 (GAO-16-511)

The Federal Government is expected to spend more than $90 billion on Information Technology (IT) in fiscal year (FY) 2017. This includes a variety of software applications supporting agencies' enterprise needs. Since 2013, OMB has advocated the use of application rationalization. This is a process by which an agency streamlines its portfolio of software applications with the goal of improving efficiency, reducing complexity and redundancy, and lowering the cost of ownership.

The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.

Status:

The NRC addressed the one remaining action item for the GAO recommendation. This action item was to document the application inventory within the NRC. GAO followed up with the NRC in November 2019 and requested 1) documentation that the quarterly and annual validation reviews in the inventory maintenance process have occurred and 2) a more recent inventory list that includes attributes for all systems. The NRC provided the requested information to GAO in November 2019, except for the documentation of an annual review. An independent review for verifying and validating the NRC system inventory and IT service inventory was completed in January 2020. In August 2020, the NRC transmitted documentation of this annual review to GAO.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring September 2016 (GAO-16-713)

GAO, in its report, Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring, made two recommendations to improve inventory monitoring, one of which applies to the NRC. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 1:

Clarify in guidance the conditions under which facilities may carry negative obligation balances.

Status:

The NRC guidance in this area is found in NUREG/BR-0006, Instructions for Completing Nuclear Material Transaction Reports (DOE/NRC Forms 741 and 740M) and NUREG/BR-0007, Instructions for the Preparation and Distribution of Material Status Reports (DOE/NRC Forms 742 and 742C). The NRC staff drafted revisions to these documents to include clarifying instructions for obligations accounting and published the revised draft documents for public comment in August 2019. In addition to addressing the GAO recommendation, the draft revisions included clarifications and changes in response to comments that users of the documents have provided over the past several years. The 90-day public comment period closed on November 13, 2019.

The two NUREG revisions were issued on August 31, 2020. They can be found in the Agencywide Documents Access and Management System at accession numbers ML20240A155 (NUREG/BR-0006, Rev. 9) and ML20240A181 (NUREG/BR-0007, Rev. 8). The staff published a notice of the revisions in the Federal Register on October 30, 2020 (FR Volume 85, pages 68722-68723).

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities March 2020 (GAO-18-93)

GAO, in its report, Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities, made one recommendation to the NRC to ensure that the agency's IT management policies address the role of the CIO for key responsibilities in five areas - IT Leadership and Accountability, IT Strategic Planning, IT Workforce, IT Investment Management, and Information Security. The status of actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 23:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified.

Status:

The NRC has identified proposed policies and appropriate language to include key responsibilities for the role of the CIO based upon the five areas identified by GAO. The NRC plans to complete any policy update by the end of the third quarter of FY 2021.

In April 2020, NRC submitted updated information to GAO and GAO agreed that the NRC had appropriately addressed a number of the recommendations, including all the recommendations in the area of IT Strategic Workforce. Below is a summary of the NRC's actions in response to the remaining four areas of key IT Management responsibilities identified by GAO.

Information Technology Leadership and Accountability

Report directly to the agency head or that official's deputy

As explained in the agency's May 7, 2018, letter to GAO, the NRC believes that it is fully compliant with this requirement. NRC-specific organizational legislation (Reorganization Plan No. 1 of 1980) assigns the agency's administrative functions to the Chairman and then requires the Chairman to delegate them to the Executive Director for Operations. The NRC's CIO reports directly to the Executive Director for Operations, who serves as the Chief Operating Officer. The CIO also has direct access to the Chairman.

Information Technologies Strategic Planning

Benchmark agency processes against private and public sector performance

The NRC develops and uses the IT/IM Strategic Plan to outline and refine internal processes. The Office of the Chief Information Officer (OCIO) has completed a benchmark of the IT/IM Strategic Plan and the NRC is in alignment with industry standards both in the private and public sector. The CIO has integrated benchmarking as part of the NRC IT/IM Strategic Plan. Benchmarking will continue on an ongoing basis, and language has been added to the Capital Planning and Investment Control policy indicating CIO authority over this process.

Ensure that agency processes are analyzed and revised as appropriate before making significant IT investments

The NRC plans to add language to Management Directive (MD) 2.8, Integrated Information Technology (IT/IM) Governance Framework to explicitly describe the CIO's responsibility and authority to ensure that agency processes are analyzed and revised as appropriate before making significant IT investments.

Information Technologies Investment Management

Advise the head of the agency on whether to continue, modify, or terminate any acquisition, investment, or activity that includes a significant IT component based on the CIO's evaluation

The CIO advises both the Chairman and the Executive Director for Operations on the IT investments and activities on a regular basis. The role and responsibilities of the CIO are outlined in MD 2.8, Integrated Information Technology/Information Management (IT/IM) Governance Framework.

The CIO and Chief Financial Officer (CFO) define and provide oversight of the process by which the CIO, CFO, Chief Acquisition Officer, and Chief Human Capital Officer work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT for strategic outcomes in support of the NRC's program and business objectives. This includes defining the level of detail at which IT resources are budgeted and defining processes to track planned expenditures for IT resources against actual expenditures for all transactions that include IT resources.

Maintain a strategy to consolidate and optimize data centers

The CIO provides oversight and monitoring of the NRC's Data Center Consolidation reporting and activities through the following activities: 1) evaluating agencies' data center closures and cost savings; 2) assessing agencies' progress against OMB's data center optimization targets; and 3) monitoring effective agency practices for achieving data center closures, cost savings, and optimization progress. This information was included as part of GAO-16-323 and GAO 241 reports, both of which have been completed.

As of January 2020, the NRC reported to OMB that all metrics outlined in the current Data Center Optimization Initiative to consolidate and optimize data centers have been met. These metrics are currently shown as completed in the OMB MAX portal dashboard.

Information Security

Ensure that senior agency officials, including CIOs of bureaus or equivalent officials, carry out their information security responsibilities

As the agency authorizing official, the CIO provides oversight over key agency officials in their respective roles as outlined in MD 12.5, NRC Cybersecurity Program. Additionally, the CIO oversees the system ownership roles of the Office Directors, Regional Administrators, and Services Development and Operations Division Director. The CIO has oversight of the Chief Information Security Officer, works with the CFO on budget oversight of information technology as outlined in the Federal IT Acquisition Reform Act, and works with the Acquisition Management Division in the Office of Administration in overseeing acquisition budget requests.

The CIO provides oversight over the NRC Cybersecurity Program. The cybersecurity Performance Metric, which is reported on a quarterly basis, reports the information security responsibilities of all employees including agency senior officials based upon five major criteria. The five major criteria include: 1) Computer Security Awareness training, 2) Role-based training, 3) Continuous Monitoring, 4) Cybersecurity Incidents, and 5) Phishing. MD 2.8 will be updated to explicitly describe the CIO's cybersecurity responsibilities.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects March 2019 (GAO-19-22)

In its report, Tribal Consultation: Additional Federal Actions Needed for Infrastructure Projects, GAO made one recommendation to the NRC on how the NRC communicates with Indian Tribes about how their input was considered in the agency's decisions on infrastructure projects. The status of the actions taken by the NRC in response to this GAO recommendation is provided below.

Recommendation 19:

The Chairman of the Nuclear Regulatory Commission should document in the agency's Tribal consultation policy how agency officials are to communicate with Tribes about how Tribal input from consultation was considered in agency decisions on infrastructure projects.

Status:

On December 11, 2020, the NRC issued a policy announcement to inform the staff that they are responsible for providing written communication to federally recognized Indian Tribes that provide input concerning any NRC regulatory action, as soon as practical after the agency's final decision. This action amended the direction to the staff in MD 5.1, Consultation and Coordination with Governments and Indian Tribes, and remains in place until the next periodic revision of MD 5.1. The policy announcement also clarified that the staff's written communication to federally recognized Indian Tribes should inform the Tribe of the agency's final decision, describe how the NRC considered the Tribe's input, and respond to the Tribe's comments. The staff was also reminded that all NRC offices and regions should update their office-specific guidance documents to include coordination with the agency's tribal liaison staff in the Office of Nuclear Material Safety and Safeguards.

The NRC considers this GAO recommendation to be closed.

The U.S. Government Accountability Office Report Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges June 2020 (GAO-19-384)

GAO, in its report, Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges, provided four recommendations to the NRC. Three of these recommendations have previously been reported as implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 49:

Develop a cybersecurity risk management strategy that includes the key elements identified in this report.

Status:

In September 2020, the NRC issued an updated risk management strategy in agency policy CSO-PROS-2030 that addresses the key elements identified by GAO. Consistent with GAO's recommendation, the updated agency policy addresses the following key elements:

assigning appropriate Cybersecurity roles, developing an agencywide risk assessment strategy, identifying common controls, maintaining a control monitoring strategy, maintaining system level risk assessments, conducting and maintaining risk determinations for system operations, and conducting risk assessments for control monitoring and plan of action and milestones.

The NRC considers this GAO recommendation to be closed.


The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material April 2019 (GAO-19-468)

GAO, in its report, Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, made three recommendations to the NRC related to the security of radioactive material. Two of these recommendations have been previously reported as implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 2:

The Chairman of NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

Status:

The NRC is considering actions relevant to this recommendation in connection with the agency's response to GAO-16-330, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, as well as to the Commission's direction on COMJMB-16-0001, Proposed Staff Re-Evaluation of Category 3 Source Accountability. Potential options in response to these efforts are described in the NRC staff's policy paper, SECY-17-0083, Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001. The Commission is currently considering the staff's analysis and recommendations.

This GAO recommendation remains open.


The U.S. Government Accountability Office Report Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities March 2020 (GAO-20-129)

The federal government spends over $90 billion on IT. Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report.

Recommendation 14:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement.

Status:

The following summary describes the actions taken by the NRC to fully implement seven key IT workforce planning activities identified by GAO.

Develop competency and staffing requirements

NRC is in the process of developing competency requirements for its IT staff. NRC officials have initiated competency modeling for IT roles and are engaged in ongoing staffing target development for its IT staff. This modeling projects staffing targets over the next 5 years, including mission critical occupations and IT management in response to the Office of Personnel Management's requirement to submit this information annually.

Assess competency and staffing needs regularly

Each office within the agency, which includes the OCIO, is responsible for evaluating its workforce on an annual basis. This evaluation is conducted utilizing six key steps: 1) Annually Set Strategic Direction; 2) Conduct Workforce Forecast & Demand Analysis; 3) Conduct Workforce Supply Analysis; 4) Perform a Gap Analysis and Risk Assessment to Prioritize Results; 5) Develop and Execute Office Strategies; and 6) Monitor, Evaluate, and Revise Strategies.

Assess gaps in competencies and staffing

In FY 2018, OCIO participated in the enhanced Strategic Workforce Planning (eSWP) process. The eSWP process was designed to provide a baseline for each program office to evaluate its workforce on an annual basis. Currently, on an annual cycle, the SWP review and evaluation helps the agency be more agile as the workload and workforce needs change, and gives the staff information on the expected future mission needs of the NRC, allowing for more effective career planning and development.

Developing strategies and plans to address gaps in competencies and staffing

In FY 2019, the NRC specified competencies for all the IT positions listed in our mission critical occupations (0080 Cybersecurity and 2210 Information Technology Management), which reflects all of the agency's IT positions. NRC has also joined other federal agencies that are part of the CIO Council to build career paths/competency models for 64 IT security roles across the federal government. These activities will further strengthen our enterprise expectations for IT competencies, as well as allow individuals to identify career development opportunities.

Implement activities that address gaps

The NRC conducted a gap analysis of the current IT workforce, which revealed gaps in cybersecurity and cloud computing. The NRC has developed mitigation strategies to address current skills gaps in those areas. The Office of the Chief Human Capital Officer continues to partner with OCIO to ensure that the agency maintains the appropriate mix of skill levels to meet its full-time equivalent utilization goal.

Monitor the agency's progress in addressing gaps

The CIO continues to assess the existing IT workforce to identify deficiencies within the agency. The most recent assessment indicated that deficiencies exist in the work role areas of security control assessor and enterprise architect. As attrition occurs, the agency is reassigning current staff where feasible; retraining agency staff; and using contractor support to close current IT work role area gaps that cannot be addressed with internal staff. The agency is also in the process of identifying IT positions for the development of competency models with the associated core competencies and functions. Additionally, to more effectively assess future IT workforce needs, the agency has begun to develop a more comprehensive SWP process that maps NRC's current IT workforce to the projected agency IT workforce.

Report to agency leadership progress in addressing gaps

The NRC annually reviews IT skills and capabilities via the staffing plan preparation/review and the eSWP process. In addition, the eSWP includes strategies to address skill gaps. Annually, the NRC has a Human Capital Commission Briefing that is presented to the Chairman and the Commission and includes information on SWP results and strategies, as well as agency workforce data and information. This annual review includes the status of personnel capabilities for the entire agency and review of the IT SWP strategies.

This GAO recommendation remains open.


The U.S. Government Accountability Office Report Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts February 2020 (GAO-20-362)

The NRC creates and posts public cost estimates for common oversight activities on its website to increase transparency and enhance stakeholder awareness of the costs associated with these activities. These estimates are designed to aid licensees in planning for future work and to assist with budgeting to pay future costs. GAO, in its report, Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts, indicated that the NRC has not consistently updated those estimates since September 2017, or clearly defined what costs were included in the estimates.

GAO made two recommendations to the NRC in this report. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Executive Director for Operations of NRC should ensure relevant NRC program offices develop policy and guidance for when to communicate information on work progress to licensees, such as through communications to licensees at specified timeframes or thresholds.

Status:

The appropriate program offices have been tasked to update relevant office procedures to establish policy and guidance for when to communicate information on work progress to licensees. These procedure updates are expected to be completed by the end of FY 2021.

This GAO recommendation remains open.

Recommendation 2:

The Chief Financial Officer of NRC should, in consultation with NRC program offices, develop guidance to ensure NRC staff clearly define what costs - such as project management - are included in its public cost estimates.

Status:

In December 2019, the Budget Director, Office of the Chief Financial Officer (OCFO), tasked the responsible program offices to update the fee estimates for common oversight activities that were posted on the NRC website. The updates to the estimates were completed in 2020. The tasking further explained that these estimates should be reviewed and updated, if necessary, on a biennial basis. The OCFO will task the program offices biennially to review and update (if needed) the tables. Additionally, OCFO staff met with the appropriate program office staff to determine how the estimates can be improved by clearly defining the costs included in the public estimates. The group developed a solution that further defined these cost estimates and this solution was also implemented in 2020. The revised estimates for each category are published on the NRC public website and can be found at the links indicated below.


POWER REACTORS - CHART: Operating Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/power.html (select- License Fees/Fee Estimates)

RESEARCH AND TEST REACTORS - CHART: Operating Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/power.html (select- License Fees/Fee Estimates)

NEW REACTORS - CHART: New Reactors Business Line Fee Estimates https://www.nrc.gov/reactors/new-reactors.html (select- Cost Projections for Licensing Actions)

URANIUM RECOVERY - CHART: Cost Projections for Uranium Recovery Licensing Actions https://www.nrc.gov/materials/uranium-recovery/cost-projections-license-apps.html

FUEL CYCLE FACILITIES - CHART: Fuel Facility Regulatory Action Cost Estimates https://www.nrc.gov/materials/fuel-cycle-fac.html (select - Cost Projections for Inspections and Licensing Actions)

MATERIALS TRANSPORTATION - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html

STORAGE OF SPENT NUCLEAR FUEL - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html

TRANSPORTATION OF SPENT NUCLEAR FUEL - CHART: Resource estimates for common licensing and oversight activities in Storage and Transportation https://www.nrc.gov/waste/spent-fuel-storage/resource-estimates.html

DECOMMISSIONING OF NUCLEAR FACILITIES - CHART: Cost Estimates for Decommissioning Licensing Actions https://www.nrc.gov/waste/decommissioning/cost-estimates-dla.html

The NRC considers this GAO recommendation to be closed.
