ML22033A236

From kanterella
Enclosure - Summary of NRC Actions - Response to GAO Reports
ML22033A236
Issue date: 02/24/2022
From: Christopher Hanson, NRC/Chairman
To: Dodaro G, US Government Accountability Office (GAO)
Shared Package: ML22033A233
References: CORR-22-0009

The U.S. Government Accountability Office Report
Nuclear Regulatory Commission
Summary of NRC Actions - Response to GAO Reports

SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS

Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)
Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)
Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (GAO-18-93)
Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)
Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)
Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts (GAO-20-362)

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost-estimating best practices identified in GAO-09-3SP, "GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs" (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as the NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders.

This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, "Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses."

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the update to Management Directive (MD) 8.4, "Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests," that the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft of NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, "Draft Final NUREG/BR-0058, Revision 5, 'Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission'"). Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and reference it on the NRC public website.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)

GAO, in its report, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for Category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include Category 3 sources in the National Source Tracking System and add agreement state Category 3 licenses to the Web-based Licensing (WBL) System as quickly as reasonably possible.

Status:

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY 0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below Category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and
3. require licensees transferring Category 3 quantities of radioactive material to verify licenses through the License Verification System (LVS) or the regulatory authority. For this activity, Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing Category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

The Commission did not direct the staff to include Category 3 sources in the National Source Tracking System.

The NRC staff is developing a rulemaking plan for Commission consideration.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should at least until such time that Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed materials.

Status:

Please see the response to Recommendation 1.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of the NRC working groups meeting to develop enhancements to the pre-licensing requirements for Category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of Category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

Status:

In addition to the Commission direction described in response to Recommendations 1 and 2, the NRC has taken action to address parts of this recommendation. For example, the NRC has issued a revision to the pre-licensing guidance. The revised guidance emphasizes that licenses should not be hand-delivered during a pre-licensing site visit and outlines processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate. The NRC has also updated its licensing and inspection courses and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities March 2020 (GAO-18-93)

GAO, in its report, "Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities," made one recommendation to the NRC to ensure that the agency's information technology (IT) management policies address the role of the Chief Information Officer (CIO) for key responsibilities in five areas - IT Leadership and Accountability, IT Strategic Planning, IT Workforce, IT Investment Management, and Information Security. The status of actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation 23:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified.

Status:

The NRC has identified proposed policies and appropriate language to include key responsibilities for the role of the CIO based upon the five areas identified by GAO. The NRC has updated and established agency policy to address each of the five areas.

In April 2020, the NRC submitted updated information to GAO, and GAO agreed that the NRC had appropriately addressed a number of the recommendations, including all the recommendations in the area of IT Strategic Workforce. Below is a summary of the NRC's actions in response to the remaining four areas of key IT Management responsibilities identified by GAO.

Information Technology Leadership and Accountability

Report directly to the agency head or that official's deputy

As detailed in the agency's May 7, 2018, letter to GAO, the NRC believes that it is fully compliant with this requirement. The NRC-specific organizational legislation (Reorganization Plan No. 1 of 1980) assigns the agency's "administrative functions" to the Chairman and then requires the Chairman to delegate them to the Executive Director for Operations (EDO). The NRC's CIO reports directly to the EDO, who serves as the Chief Operating Officer. The CIO also has direct access to the Chairman.

Information Technologies Strategic Planning

Benchmark agency processes against private and public sector performance

The CIO will continue benchmarking processes against both private and public sectors as part of the NRC's Information Technology/Information Management (IT/IM) Strategic Plan.

Ensure that agency processes are analyzed and revised as appropriate before making significant IT investments

The NRC has issued an agency-wide announcement establishing the policy as an addendum to MD 2.8, "Integrated Information Technology/Information Management (IT/IM) Governance Framework," to explicitly describe the CIO's responsibility and authority to ensure that agency processes are analyzed and revised as appropriate before making significant IT investments.

Information Technologies Investment Management

Advise the head of the agency on whether to continue, modify, or terminate any acquisition, investment, or activity that includes a significant IT component based on the CIO's evaluation

The CIO advises both the Chairman and the EDO on the IT investments and activities on a regular basis. The role and responsibilities of the CIO are outlined in MD 2.8, "Integrated Information Technology/Information Management (IT/IM) Governance Framework."

The CIO and Chief Financial Officer (CFO) define and provide oversight of the process by which the CIO, CFO, Chief Acquisition Officer, and Chief Human Capital Officer work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT for strategic outcomes in support of the NRC's program and business objectives. This includes defining the level of detail at which IT resources are budgeted and defining processes to track planned expenditures for IT resources against actual expenditures for all transactions that include IT resources.

Additionally, the CIO briefs the Chairman through periodic one-on-one meetings on IT challenges and investments. During these meetings, the CIO advises the Chairman on whether to continue, modify, or terminate any acquisition, investment, or activity that includes a significant IT component based on the CIO's evaluation.

Maintain a strategy to consolidate and optimize data centers

The CIO provides oversight and monitoring of the NRC's Data Center Consolidation reporting and activities through the following activities: (1) evaluating the agency's data center closures and cost savings; (2) assessing the agency's progress against the Office of Management and Budget's (OMB's) data center optimization targets; and (3) monitoring effective agency practices for achieving data center closures, cost savings, and optimization progress. This information was included as part of the GAO-16-323 and GAO-19-241 reports, both of which have been completed. The NRC has added this language to MD 2.8, "Integrated Information Technology/Information Management (IT/IM) Governance Framework."

The NRC reported to OMB that as of January 2020, all metrics outlined in the current Data Center Optimization Initiative to consolidate and optimize data centers have been met. These metrics are currently shown as completed in the OMB MAX portal dashboard.

Information Security

Ensure that senior agency officials, including CIOs of bureaus or equivalent officials, carry out their information security responsibilities

As the agency authorizing official, the CIO provides oversight of key agency officials in their respective roles as outlined in MD 12.5, "NRC Cybersecurity Program." Additionally, the CIO oversees the system ownership roles of the Office Directors, Regional Administrators, and Services Development and Operations Division Director. The CIO has oversight of the Chief Information Security Officer, works with the CFO on budget oversight of IT as outlined in the Federal IT Acquisition Reform Act, and works with the Acquisition Management Division in the Office of Administration in overseeing acquisition budget requests.

The CIO provides oversight of the NRC Cybersecurity Program. The cybersecurity Performance Metric, which is reported on a quarterly basis, reports the information security responsibilities of all employees including agency senior officials based upon five major criteria. The five major criteria include: (1) Computer Security Awareness training, (2) Role-based training, (3) Continuous Monitoring, (4) Cybersecurity Incidents, and (5) Phishing. Additionally, the NRC has added language to MD 2.8, "Integrated Information Technology/Information Management (IT/IM) Governance Framework," clarifying that the CIO ensures development and maintenance of an agencywide continuous monitoring strategy and ensures the continuous monitoring of the cybersecurity state of the NRC's IT systems is performed consistently with that strategy.

The CIO ensures cybersecurity requirements are properly incorporated into the agency's IT operations and System Development Life Cycle (SDLC) methodology, and system security engineering principles, concepts, and techniques are employed during the SDLC to facilitate the development, deployment, operation, and sustainment of trustworthy and adequately secured systems.

The CIO serves as the Senior Agency Official responsible for Controlled Unclassified Information (CUI); manages and implements the CUI program in accordance with 32 CFR Part 2002; and manages the NRC's implementation of the CUI program, including the NRC's transition to that program. In this role, the CIO performs the following: (a) Ensures that electronic documents not covered by a waiver from the CUI executive agent containing CUI include appropriate markings such that when the document is printed or viewed, the markings are evident in accordance with CUI marking requirements; (b) Ensures that electronic CUI is protected in accordance with CUI requirements; and (c) Ensures electronic CUI is encrypted or rendered indecipherable to unauthorized users while in transit and while stored.

The NRC considers this recommendation to be closed.

The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material April 2019 (GAO-19-468)

GAO, in its report, "Combating Nuclear Terrorism: The NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," made three recommendations to the NRC related to the security of radioactive material. Two of these recommendations have been previously reported as implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 2:

The Chairman of the NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

Status:

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY 0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below Category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and
3. require licensees transferring Category 3 quantities of radioactive material to verify licenses through the LVS or the regulatory authority. For this activity, Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing Category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

The NRC staff is developing a rulemaking plan for Commission consideration.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities March 2020 (GAO-20-129)

The Federal government spends over $90 billion on IT. Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which Federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report.

Recommendation 14:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement.

Status:

The following summary describes the actions taken by the NRC to fully implement seven key IT workforce planning activities identified by GAO.

Develop competency and staffing requirements

The NRC is in the process of developing competency requirements for its IT staff. The NRC has initiated competency modeling for IT roles and is engaged in ongoing development of staffing targets for its IT staff. This modeling projects staffing targets over the next 5 years, including mission critical occupations and IT management in response to the Office of Personnel Management's requirement to submit this information annually.

The Office of the Chief Information Officer (OCIO) continues to work closely with the NRC's Office of the Chief Human Capital Officer (OCHCO) in the development of IT competency requirements by utilizing the National Initiative for Cybersecurity Education (NICE) Framework as an assessment tool. The NICE Framework will be used to address the identified gaps discovered as a result of the strategic workforce planning process. Although the NICE Framework is based upon cybersecurity positions, the foundation of this framework may be used to identify gaps and competencies for other IT positions. The NICE Framework expresses work as task statements and describes knowledge and skill statements that provide a foundation for learners including students, job seekers, and employees. The use of these statements helps students to develop skills, job seekers to demonstrate competencies, and employees to accomplish tasks.

This Framework improves communication about how to identify, recruit, develop, and retain talent.

Assess competency and staffing needs regularly

Each office within the agency, including the OCIO, is responsible for evaluating its workforce on an annual basis. This evaluation is conducted utilizing six key steps: (1) Annually Set Strategic Direction; (2) Conduct Workforce Forecast and Demand Analysis; (3) Conduct Workforce Supply Analysis; (4) Perform a Gap Analysis and Risk Assessment to Prioritize Results; (5) Develop and Execute Office Strategies; and (6) Monitor, Evaluate, and Revise Strategies.

Assess gaps in competencies and staffing

In fiscal year (FY) 2018, OCIO participated in the enhanced Strategic Workforce Planning (eSWP) process. The eSWP process was designed to provide a baseline for each program office to evaluate its workforce on an annual basis. Currently, on an annual cycle, the Strategic Workforce Planning (SWP) review and evaluation helps the agency be more agile as the workload and workforce needs change and gives the staff information on the expected future mission needs of the NRC, allowing for more effective career planning and development.

Develop strategies and plans to address gaps in competencies and staffing

In FY 2019, the NRC specified competencies for all the IT positions listed in our mission critical occupations (0080 Cybersecurity and 2210 Information Technology Management), which reflects all of the agency's IT positions. The NRC has also joined other Federal agencies that are part of the CIO Council to build career paths/competency models for 64 IT security roles across the Federal government. These activities will further strengthen the agency's enterprise expectations for IT competencies, as well as allow individuals to identify career development opportunities.

Implement activities that address gaps

The NRC conducted a gap analysis of the current IT workforce, which revealed gaps in cybersecurity and cloud computing. The NRC has developed mitigation strategies to address current skills gaps in those areas. OCHCO continues to partner with OCIO to ensure that the agency maintains the appropriate mix of skill levels to meet its full-time equivalent utilization goal.

Monitor the agency's progress in addressing gaps

The CIO continues to assess the existing IT workforce to identify deficiencies within the agency. The most recent assessment indicated that deficiencies exist in the work role areas of security control assessor and enterprise architect. As attrition occurs, the agency is reassigning current staff where feasible, retraining agency staff, and using contractor support to close current IT work role area gaps that cannot be addressed with internal staff. The agency is also in the process of identifying IT positions for the development of competency models with the associated core competencies and functions. Additionally, to more effectively assess future IT workforce needs, the agency has begun to develop a more comprehensive SWP process that maps the NRC's current IT workforce to the projected agency IT workforce.

Report to agency leadership progress in addressing gaps

The NRC annually reviews IT skills and capabilities via the staffing plan preparation/review and the eSWP process. In addition, the eSWP includes strategies to address skill gaps. Annually, the NRC has a Human Capital Commission Briefing that is presented to the Chairman and the Commission and includes information on SWP results and strategies, as well as agency workforce data and information. This annual review includes the status of personnel capabilities for the entire agency and review of the IT SWP strategies.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts February 2020 (GAO-20-362)

The NRC creates and posts public cost estimates for common oversight activities on its website to increase transparency and enhance stakeholder awareness of the costs associated with these activities. These estimates are designed to aid licensees in planning for future work and assisting with budgeting to pay future costs. The GAO, in its report, "Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts," indicated that the NRC has not consistently updated those estimates since September 2017, or clearly defined what costs were included in the estimates.

GAO made two recommendations to the NRC in this report. One of these recommendations has been closed. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 1:

The Executive Director for Operations of the NRC should ensure relevant NRC program offices develop policy and guidance for when to communicate information on work progress to licensees, such as through communications to licensees at specified timeframes or thresholds.

Status:

Two of the three relevant program offices have updated office procedures to establish policy and guidance for when to communicate information on work progress to licensees. The remaining office is expected to complete procedure updates by the end of the third quarter of FY 2022.

This GAO recommendation remains open.