Evaluation of the U.S. Nuclear Regulatory Commission’s Information Technology Asset Management
Report Information
Recommendations
Update NRC form 270, Separation Clearance, to include a step to ensure IT assets under the $2,500 threshold are returned prior to employee clearance for separation.
• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees and, hybrid or onsite employees must return all IT equipment prior to their separation interview with Office of the Chief Human Capital Officer (OCHCO). (Completed: Q3 FY 2024)<br />
• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024)<br />
In situations where earlier return of an agency laptop is necessary (up to 10 days before departure), the Office of the Chief Human Capital Officer (OCIO) will develop directions and instructions to facilitate the earlier return of the laptop and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable the employee to work during the period between the return of the laptop and the employee’s departure date. (Completed: Q3 FY 2025)<br />
OIG Analysis: The OIG reviewed the updated NRC Form 270 and the email template sent to employees separating from the NRC. The OIG determined the information met the intent of the recommendation. This recommendation is now closed.<br />
<br />
ADAMS Accession No: ML24241A060<br />
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. The NRC has modified the separation clearance process<br />
(NRC Form 270) as follows:<br />
• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees and, hybrid or onsite employees must return all IT equipment prior to their separation interview with OCHCO. (Completed: Q3 FY 2024)<br />
• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024)<br />
To facilitate the earlier return of agency laptops (up to 10 days before departure), OCIO will develop direction and instructions, and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable employees to work during the 10 days before the departure date. (Target Completion Date: Q2 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the development of instructions and communication with staff on how to use web-based access to NRC IT Services. This recommendation remains open and resolved.
Update MD 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold.
ADM will revise MD 13.1, issued December 21, 2023, to do the following:<br />
• Update the roles and responsibilities outlined in MD 13.1.<br />
• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.<br />
• Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved.<br />
<br />
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. ADM will revise MD 13.1, issued December 21, 2023, to do the following:<br />
• Update the roles and responsibilities outlined in MD 13.1.<br />
• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.<br />
• Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved.
Complete an inventory of laptops, desktops, and tablets, and update the information in the CMBD in the current ITSM toolset.
Within the past 3 months, NRC has performed regular inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will maintain the use of existing agency discovery tools and consider additional processes and tools to comprehensively inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q4, FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved.<br />
<br />
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. Within the past 3 months, NRC has performed regular<br />
inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will continue use of current agency discovery tools, and look at additional processes and tools, to fully inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q3, FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved.
Update MD 13.1, Property Management, and the Hardware Asset Management Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner.
OCIO has already done the following:<br />
• The staff drafted standard operating procedures (SOP’s) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets.<br />
(Completed: Q4 FY 2024)<br />
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC.<br />
(Completed: Q3 FY 2024)<br />
• OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags.<br />
(Completed: Q1 FY 2025)<br />
ADM will update MD 13.1 to incorporate the updated HAM Playbook (Target Completion Date: Q4, FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.<br />
<br />
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. OCIO had already done the following:<br />
• The staff drafted standard operating procedures (SOP’s) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Target Completion Date: Q4 FY 2024)<br />
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC.<br />
(Completed: Q3 FY 2024)<br />
OCIO will update the HAM Playbook to reflect the ADM process for requesting tags. (Target Completion Date: Q1 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.
Update the affected contract(s) to include a service level requirement for the sanitation of assets.
Dated May 29, 2025: The End User Computing Contracting Officer's Representative is planning several modifications to the affected contract to include a service level requirement for sanitization of all NRC-issued laptops.<br />
(Target Completion Date: Q4 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved.<br />
<br />
Agency Response dated July 31, 2024: NRC staff agrees with this recommendation. When the option period is executed in April 2025, OCIO will<br />
add a specific service level agreement to the end user computing contract referencing the requirement for timely completion of device sanitization. (Target Completion Date: Q3 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved.