U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Audit of the U.S. Nuclear Regulatory Commission’s Web-Based Licensing System

Report Information

Date Issued
Report Number
OIG-NRC-25-A-09
Report Type
Audit
Description
The audit objective was to determine if the Web-Based Licensing (WBL) System effectively manages the U.S. Nuclear Regulatory Commission’s (NRC) materials licensing and inspection information and provides for the security, availability, and integrity of the system data.  The OIG found that the WBL System’s inactivity controls interrupt users’ work processes; WBL users are unable to edit role-based licensing information in the Export/Import and Decommissioning, Uranium Recovery and Waste Programs modules; the WBL User Guide lacks quality information for using certain WBL modules; WBL users are generally unfamiliar with the change control process; several WBL enhancements do not work as intended; the licensing and inspection modules do not contain quality data; and, WBL System data is not readily available for the agency to use in other applications. The report contains 15 recommendations to increase the WBL System’s functionality, effectiveness, and users’ efficiency. 
Joint Report
No
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
View report on Oversight.gov

Recommendations

The OIG recommends that the Executive Director for Operations update the inactivity control in the Nuclear Material FISMA Systems-system security plan to include references to the 30-minute deviation request and approval.

Agency Response Dated August 13, 2025: The inactivity timeout setting for the Nuclear Materials FISMA boundary was updated from 15 minutes to 30 minutes, consistent with Deviation 15-05, which was approved in 2016. The NMFS system security plan (SSP) has been revised to reflect this change and now documents both the approved 30-minute timeout setting and the associated deviation approval process. The NMFS is the parent system to the Integrated Source Management Portfolio (ISMP), which includes the Web-Based Licensing (WBL) System. The NMFS SSP includes the following statement: “Please refer to the NMFS subsystems SSPs for this control implementation details.”<br />
Within the ISMP Subsystem Security Plan, the following is documented: “WBL session lock is initiated after 30 minutes<br />
of inactivity. This session lock will remain in effect until the user re-establishes access using appropriate identification<br />
and authentication procedures. WBL has been granted Deviation 15-05 to deviate from the requirement of 15 minutes.”<br />
These updates address the recommendation in full and it is now considered complete.<br />
Completion Date: March 26, 2025<br />
OIG Analysis: The OIG reviewed the updated NMFS system security plan and the associated ISMP system security plan, and verified that they included references to the 30-minute deviation request and approval. Therefore, this recommendation is now closed.

The OIG recommends that the Executive Director for Operations update the Web-Based Licensing System User Guide’s instructions on clearing the cache to access the system without closing the browser.

Agency Response Dated August 13, 2025: The WBL User Guide was revised to remove inaccurate instructions advising users to clear the browser cache following a session timeout. The updated guidance now correctly states that a full browser restart is required to regain access. Completion Date: July 25, 2025<br />
OIG Analysis: The OIG reviewed the Web-Based Licensing System User Guide and verified that its instructions correctly stated how to regain access to the system. Therefore, this recommendation is now closed.

The OIG recommends that the Executive Director for Operations evaluate and update the Web-Based Licensing System to ensure users assigned to multiple roles may perform tasks associated with the highest access rights.

Agency Response Dated August 13, 2025: WBL role assignment procedures have been reviewed to ensure users assigned to multiple roles can perform all tasks associated with the highest level of access required for their responsibilities. In practice, the primary role is designated to reflect the highest level of access needed, and elevated roles are granted when additional functionality is required. The WBL Help Desk continues to promptly address role assignments, misconfigurations, and access-related issues to avoid disruptions in licensing activities. Based on these actions, this recommendation is considered complete. Completion Date: March 31, 2025<br />
OIG Analysis: The OIG reviewed the ISMP Help Desk Standard Operating Procedures and acknowledged that they contain the process for updating user roles. The OIG will close the recommendation after verifying that the WBL has been<br />
reviewed or updated to prevent access restrictions for its user groups. This recommendation remains open and resolved.

The OIG recommends that the Executive Director for Operations update the Web-Based Licensing System’s user role descriptions to ensure users’ capabilities in the system are properly defined.

Agency Response Dated August 13, 2025: The WBL team will review and refine all user role descriptions to ensure they accurately reflect current system functionality and align with users’ responsibilities. Target Completion Date: December 31, 2025<br />
OIG Analysis: The proposed actions meet the intent of the recommendation. The OIG will close the recommendation<br />
after verifying that the user role descriptions are updated and properly defined in the WBL. This recommendation<br />
remains open and resolved.

The OIG recommends that the Executive Director for Operations develop and implement a process to periodically update user roles in the Web-Based Licensing System to ensure users may perform tasks commensurate with their assigned NRC responsibilities.

Agency Response Dated August 13, 2025: A process exists to update user roles in WBL when a need is identified. When users are unable to perform tasks due to insufficient access or role limitations, the WBL Help Desk either resolves the issue using existing roles or initiates a change request to revise or create roles, as needed. Although WBL does not currently include proactive system-driven detection of access gaps, this reactive process ensures that users’ system roles are updated in response to changes in responsibilities or access needs. Based on the implementation and use of this process, staff consider this recommendation closed. Completion Date: March 31, 2025<br />
OIG Analysis: The OIG reviewed the ISMP Help Desk Standard Operating Procedures and acknowledged that it contains the process for updating user roles. The OIG also acknowledged and verified that the agency utilizes a reactive process for updating users’ system roles so they may perform tasks commensurate with their assigned NRC responsibilities.<br />
Therefore, this recommendation is now closed.