ML23248A483

Enclosure: Responses to Connolly Questions
Person / Time
Issue date: 09/18/2023
From: Christopher Hanson
NRC/Chairman
To: Connolly G, Mace N
US HR, Comm on Oversight and Accountability, US HR, Subcomm on Cybersecurity, Information Technology, and Government Innovation
References
CORR-23-0073, LTR-23-0190


Text

Response to Request for Information
House Committee on Oversight and Accountability
Subcommittee on Cybersecurity, Information Technology, and Innovation
Letter Dated August 16, 2023

The MGT Act Working Capital Fund

1. Has your agency made any changes to its implementation of the MGT Act since FITARA Scorecard 15.0?
a. If yes, please describe what steps have been taken. Specifically, if your agency has not yet established a WCF, please describe what actions your agency plans to take in fiscal year (FY) 2024 or FY 2025.

Please explain your agency's plans, including the CIO's ability to create and control a WCF.

RESPONSE

No.

b. If not, please summarize how your agency has taken steps to meet the intent of the MGT Act and the role of the CIO to create and control a WCF.

RESPONSE

The NRC's appropriation structure, budgetary resource levels, and reprogramming authority enable the agency to meet the intent of the MGT Act to accomplish information technology (IT) modernization without a working capital fund (WCF), provided that the agency continues to have sufficient budgetary resources and reprogramming authority within its appropriation language. The NRC evaluated the efficacy of establishing a working capital fund for the agency given its budget structure. The NRC determined that establishing a WCF would not deliver tangible benefits or return on investment commensurate with the associated costs to the agency, including the increased cost of the labor and changes to the agency's financial management systems needed to implement, manage, and report the use of such a fund.

Moreover, the NRC leverages its single no-year salaries and expenses appropriation to make funds available, as needed, to apply IT more effectively and at lower costs. In addition, the NRC has implemented IT portfolio management and governance processes to regularly evaluate the funding priorities for all IT investments across the agency and to optimize spending and reallocate savings to support prioritized value-added IT modernization.

These processes are described in the NRC's Common Baseline Self-Assessment and Plan, developed in accordance with the Federal Information Technology Acquisition Reform Act. The NRC follows these processes to plan and prioritize funding needs for all IT assets and services using the agency's appropriated funds for each fiscal year. The priorities inform both IT budget formulation and execution year IT spending decisions, including emerging technologies for IT modernization. The NRC's Chief Information Officer (CIO) is accountable for these processes and all associated budgetary resources and is the decision-making authority for all IT investments.

c. Include a description of any obstacles or challenges, including if your agency has sufficient authority to transfer funds to the WCF.

RESPONSE

As stated in response to question 1b., the NRC's appropriation and budget structure provides sufficient flexibility such that a WCF would not provide added value. However, the NRC will continue to monitor and assess the impact of all applicable legislation on the agency's ability to modernize IT.

CIO Reporting Structure and Authority

1. Is your agency in compliance with 44 U.S.C. § 3506(a)(2)(A), which requires agencies to report directly to the agency head or deputy to the agency head?
a. If yes, provide the year this compliance was achieved and any relevant policy documents.

RESPONSE

Yes. The NRC's CIO reports directly to the Executive Director for Operations (EDO), who serves as the Commission's chief operating officer and chief administrative officer. Under the NRC's organizational legislation (Reorganization Plan No. 1 of 1980) all "administrative functions" of the Commission are assigned to the NRC Chair, who is then required to delegate such functions to the EDO. In practice, the CIO also communicates directly with the NRC Chair on a regular basis. These longstanding responsibilities are reflected in NRC Management Directives 9.17 ("Organization and Functions, Office of the Executive Director for Operations") and 9.22 ("Organization and Functions, Office of the Chief Information Officer").

b. If no, please explain what actions your agency is taking to achieve compliance and what has hindered compliance.

RESPONSE

Not Applicable.

2. Does your CIO have authority over IT procurement and acquisition in accordance with 40 U.S. Code § 11315?

a. If yes, please provide an explanation and any relevant policy documents.

RESPONSE

Yes, the NRC CIO has authority over IT procurement and acquisition, as explained in more detail in the "Capital Planning and Investment Control Policy" at the NRC's IT Policy Archive on the public site (see "CIO Roles and Responsibilities" on page 23 and the "CIO Assignment Plan and Responsibilities" in Appendix A). The CIO reviews and approves acquisition strategy and acquisition planning prior to contract award and ensures complete and accurate information. The CIO also oversees the use of agency IT funds as well as decides and approves any emerging and shortfall funding requests. This is documented in the IT Budget Execution Guidance; Management Directive 4.8, Budget Execution; and Management Directive 11.1, NRC Acquisition of Supplies and Services. The NRC is fully compliant with FITARA Section K, "Acquisition," as noted in Appendix A of the Capital Planning and Investment Control Policy.

The CIO Assignment Plan, described in the "Capital Planning and Investment Control Policy," details decisions about NRC IT resources and demonstrates that the CIO has the authority and delegates to other agency officials several of the functions.

This plan is also evidence that the CIO retains accountability in all the areas of IT procurement, acquisition, and spending authorities. The CIO provides both the EDO and NRC Chair the status of IT investments and the agency's IT Portfolio and activities on a regular basis.

b. If no, why not?

RESPONSE

Not Applicable.

i. Does your agency have plans to implement changes and if not, why not?

RESPONSE

Not Applicable.

ii. What changes would your agency recommend and what additional authorities would be helpful?

RESPONSE

Not Applicable.

3. Does your CIO have authority over IT spending in accordance with 40 U.S. Code § 11319(b)(1)(A)?

a. If yes, please explain to what extent and provide any relevant policy documents.

RESPONSE

Yes, please see above the response for question 2a.

b. If no, why not?

RESPONSE

Not Applicable.

i. Does your agency have plans to change this structure, and if not, why not?

RESPONSE

Not Applicable.

ii. What changes would your agency recommend to the current IT spending structure, and what additional authorities would be helpful?

RESPONSE

Not Applicable.

c. Does your CIO have authority over budget formation, and if not, why not?

RESPONSE

Yes, the CIO is responsible for formulating the agency's IT and Information Management (IM) budget request. As part of the annual budget request, the CIO recommends and concurs on the annual IT/IM budget request to the NRC Chair, in coordination with the Chief Financial Officer (CFO) and EDO.

The NRC Chair, with input from the CFO, EDO, and CIO, provides the Chair's budget proposal to the Commission for approval.

i. If not, do you plan to make changes in the upcoming future?

RESPONSE

Not Applicable.

ii. Please explain your answer.

RESPONSE

Not Applicable.

Data Center and Cloud Computing Capabilities

1. Has the number of federal data centers your agency operates changed since FITARA Scorecard 15.0?
a. If no, please confirm the number.

RESPONSE

No, the number of federal data centers has not changed. The NRC has three data centers, as defined in the FITARA Scorecard. The NRC has one "Tiered" data center and two "Key Mission Facilities." The Tiered data center is located in Three White Flint North (3WFN). The NRC's two key mission facilities are located in the 3WFN Headquarters Operating Center (HOC) and Region IV.

b. If yes, please explain what has changed and provide the updated number.

RESPONSE

Not Applicable.

2. Has the number of operating data centers designated as key mission facilities changed since FITARA Scorecard 15.0?

RESPONSE

No.

a. If yes, please confirm the number.

RESPONSE

Not Applicable.

b. If no, please explain what has changed and provide the updated number.

RESPONSE

The NRC's number of operating data centers designated as key mission facilities has not changed. The NRC has two key mission facilities located in the 3WFN HOC and Region IV.

3. Does your agency have plans to close or open any data centers in the future?

a. If yes, please explain and provide the numbers expected to be closed or opened, along with a timeframe for doing so.

RESPONSE

Yes, the NRC plans to move the Tiered data center and the HOC key mission facility, which are both located in 3WFN. The 3WFN building lease is expiring in November 2027, which will require the Tiered data center and HOC key mission facility to relocate to the One White Flint North (OWFN) building. The data center that will be opened to accommodate 3WFN's closure will be reduced in scale by an estimated 75%. The net number of facilities will not change.

4. If you have remaining federal data centers, please explain why these centers are vital to your agency's operations.

RESPONSE

The NRC's data centers contain restricted data as defined by the Atomic Energy Act. This sensitive data cannot be stored in an existing cloud or data center co-location without additional layers of security. The NRC is exploring the financial feasibility of moving to a data center co-location or the cloud and options for additional layers of security. All three facilities support the NRC's Incident Response Primary Mission Essential Function.

5. How many applications, as defined in the CIO Council's Application Rationalization Playbook, are in your agency's portfolio? 1

RESPONSE

The NRC has approximately 130 applications. Many of those applications are already in the cloud. The NRC has 40 applications that it intends to review for refactoring in the next year.

6. As required in the Federal Cloud Computing Strategy, has your agency rationalized its application portfolio? 2 (Yes/No)

RESPONSE

No, the NRC is actively using the Playbook to inform application rationalization reviews. Applications/Systems are reviewed annually. In preparation of the closure of NRC's on-premise data center, the NRC is reviewing all applications that currently reside within the on-premise data center. During this review, the NRC is determining if the application is a duplicate, can be consolidated or decommissioned, and if the application/system can be modernized in the cloud.

1 Chief Information Officers Council, The Application Rationalization Playbook: An Agency Guide to Portfolio Management (June 28, 2019) (online at www.cio.gov/assets/files/Application-Rationalization-Playbook.pdf).

2 Office of Management and Budget, Federal Cloud Computing Strategy (June 24, 2019) (online at https://trumpwhitehouse.archives.gov/wp-content/uploads/2019/06/Cloud-Strategy.pdf).

a. If not, when does your agency anticipate it will be in compliance with this law?

RESPONSE

The NRC plans to complete its first rationalization stage in FY 2024.

7. The Application Rationalization Playbook notes that application rationalization is an ongoing, critical part of IT portfolio management and that agencies must routinely and continuously update and rationalize their portfolios to enable IT managers to make informed decisions.3 How frequently does your agency plan to rationalize its application portfolio?

RESPONSE

The NRC is currently reviewing systems/applications on an annual basis.

8. How many applications have been through your agency's rationalization process?

RESPONSE

Approximately 60 applications went through the rationalization process.

a. Based on the results of the application rationalization process, how many applications will your agency move to cloud computing services?

RESPONSE

The NRC has approximately 60 applications targeted for a cloud service provider.

b. Has your agency developed a timeline for when it will complete the migration of the applications described in 8(a) to the cloud? (Yes/No)
i. If yes, what is the timeline?

RESPONSE

The NRC anticipates November 2026 as our migration completion date for 60 identified applications.

3 Chief Information Officers Council, The Application Rationalization Playbook: An Agency Guide to Portfolio Management (June 28, 2019) (online at www.cio.gov/assets/files/Application-Rationalization-Playbook.pdf).

ii. If no, please explain.

RESPONSE

Not Applicable.

c. Has your agency obtained funding to implement its planned migration activities? (Yes/No)
i. If yes, when?

RESPONSE

Yes, for some planned migration activities, such as high priority aspects of the on-premise data center closure, funding has been identified and approved. Other lower priority migration activities have been identified as emergent needs and funding is currently being evaluated.

ii. If no, please explain.

RESPONSE

Not Applicable.

9. How many of your agency's mission and business applications currently use cloud computing services?

RESPONSE

The NRC has 15 overarching FISMA systems. Within these systems, the NRC has authorized 36 cloud offerings. Examples include Azure Commercial, Azure Government, Amazon Web Services (AWS), Oracle, DocuSign. There are several applications that utilize similar cloud solutions such as Azure Commercial Services and AWS US East/West.