Evaluation of the U.S. Nuclear Regulatory Commission’s Information Technology Asset Management

Report Information

Date Issued
Report Number
OIG-24-E-01
Report Type
Inspection / Evaluation
Description
The Office of the Inspector General (OIG) determined that U.S. Nuclear Regulatory Commission (NRC) information technology (IT) assets were not managed effectively throughout aspects of the IT lifecycle management process. The OIG substantiated four allegations, and found that some NRC assets were not returned upon employee separation from the NRC. Specifically, three employees separated from the NRC without returning four laptops. Additionally, NRC IT assets are not located in the locations that are shown in the configuration management database. The OIG found that 666 of 980 items were not in the locations assigned within the ITSM toolset. Further, new IT assets were not logged into the appropriate database for a period of 3 months. The OIG also found that NRC decommissioning procedures were not followed for IT assets. This report makes six recommendations to improve the NRC’s information technology asset management program.
Joint Report
Yes
Participating OIG
Nuclear Regulatory Commission OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$37000

Recommendations

Update NRC form 270, Separation Clearance, to include a step to ensure IT assets under the $2,500 threshold are returned prior to employee clearance for separation.

Agency Response Dated May 29, 2025: NRC staff agrees with this recommendation. The NRC has modified the separation clearance process (NRC Form 270) as follows:
• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees, and hybrid or onsite employees must return all IT equipment prior to their separation interview with Office of the Chief Human Capital Officer (OCHCO). (Completed: Q3 FY 2024)
• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024)
In situations where earlier return of an agency laptop is necessary (up to 10 days before departure), the Office of the Chief Human Capital Officer (OCIO) will develop directions and instructions to facilitate the earlier return of the laptop and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable the employee to work during the period between the return of the laptop and the employee’s departure date. (Completed: Q3 FY 2025)
OIG Analysis: The OIG reviewed the updated NRC Form 270 and the email template sent to employees separating from the NRC. The OIG determined the information met the intent of the recommendation. This recommendation is now closed.

ADAMS Accession No: ML24241A060
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. The NRC has modified the separation clearance process (NRC Form 270) as follows:
• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees, and hybrid or onsite employees must return all IT equipment prior to their separation interview with OCHCO. (Completed: Q3 FY 2024)
• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024)
To facilitate the earlier return of agency laptops (up to 10 days before departure), OCIO will develop direction and instructions, and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable employees to work during the 10 days before the departure date. (Target Completion Date: Q2 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the development of instructions and communication with staff on how to use web-based access to NRC IT Services. This recommendation remains open and resolved.

Update MD 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold.

Agency Response Dated April 21, 2026: NRC staff agree with this recommendation. All updates have been incorporated into MD 13.1 (ML23349A082). Section III.H of the directive outlines the responsibility of the Chief Information Officer.
This update was also reflected in the Yellow Announcement (YA-26-0032) published on March 23, 2026. The associated handbook, specifically the sections below, outlines the required procedures and defines the roles and responsibilities for managing all government-issued IT assets. In several cases, the guidance is specific to property items that fall below the $2,500 accountability threshold.
• Section I.C. Property Custodians
• Section I.D. NRC Employees
• Section I.E.2. Non-sensitive Property
• Section I.F. NRC Space and Property Management System (SPMS)
• Section I.G. ServiceNow
• Section I.H.2. Control of Equipment (NRC Tags)
• Section I.J. Reassignment or Transfer of Equipment
• Section II.E. Returning All Property Upon Separation from the NRC
Additionally, Section IV. IT Asset Management Policy of the updated IT Asset Management (ITAM) Policy (ML26061A297) sets the agency’s requirements for proper handling, safeguarding, and management of all government issued IT assets. These requirements apply to both employees and contractors ensuring consistent handling, tracking, and stewardship across the full asset lifecycle.
OIG Analysis: The OIG determined that the corrective action taken met the intent of the recommendation. This recommendation is closed.

Agency Response Dated January 30, 2026: NRC staff agrees with this recommendation. The following items have been updated and can be referenced in MD 13.1, Section F. NRC Space and Property Management System (SPMS) Roles and Responsibilities, and Section G. ServiceNow Roles and Responsibilities, once published.
• Updated the roles and responsibilities outlined in MD 13.1.
• Referenced the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.
• Referenced the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under the $2500 threshold. All updates have been incorporated into MD 13.1. ADM will provide the revised MD to the manuscript team for final review and publication.
Target Completion Date: Q2 FY 2026
OIG Analysis: The OIG will close this recommendation after reviewing the updated published MD 13.1. This recommendation remains open and resolved.

Agency Response Dated May 29, 2025: NRC staff agrees with this recommendation. ADM will revise MD 13.1, issued December 21, 2023, to do the following:
• Update the roles and responsibilities outlined in MD 13.1.
• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.
• Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved.

Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. ADM will revise MD 13.1, issued December 21, 2023, to do the following:
• Update the roles and responsibilities outlined in MD 13.1.
• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.
• Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved.

Complete an inventory of laptops, desktops, and tablets, and update the information in the CMDB in the current ITSM toolset.

Agency Response Dated January 30, 2026: NRC staff agrees with this recommendation. NRC has performed regular inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters, as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled, and the Information Technology Service Management (ITSM) toolset has been updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. OCIO has reconciled “in use” assets by comparing inventory with reports from network discovery tools. OCIO will maintain the use of existing agency discovery tools and consider additional processes and tools to comprehensively inventory all laptops, desktops, and tablets in the environment. Additionally, OCIO performs an annual equipment validation for IT assets under $2500 in the CMDB and supports ADM’s annual inventory for IT assets over $2500 in SPMS.
OIG Analysis: The OIG determined that the corrective action taken met the intent of the recommendation. This recommendation is closed.

Agency Response Dated May 29, 2025: NRC staff agrees with this recommendation. Within the past 3 months, NRC has performed regular inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will maintain the use of existing agency discovery tools and consider additional processes and tools to comprehensively inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q4, FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved.

Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. Within the past 3 months, NRC has performed regular inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will continue use of current agency discovery tools, and look at additional processes and tools, to fully inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q3, FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved.

Update MD 13.1, Property Management, and the Hardware Asset Management Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner.

Agency Response Dated April 21, 2026: NRC staff agree with this recommendation. Section VI. Purchase of Hardware and Software of the updated ITAM Policy (ML26061A297) provides guidance on the proper acquisition of IT assets, ensuring that all purchases follow established approval, documentation, and accountability requirements. Section VII. Roles and Responsibilities defines duties of supervisors and personnel throughout the asset lifecycle process.
Section I.H. Tagging and Control of Equipment in the associated handbook for MD 13.1 (ML23349A082) outlines the operational steps that the property custodians must follow to obtain property tags in a timely manner and ensure all accountable property is properly identified and recorded. It also establishes the threshold criteria that determine when red tags must be applied. Additional guidance is provided in the ITAM Playbook, Section 4.3.1(iii), which outlines the detailed steps required to obtain red tags in a timely manner for large orders, ensuring proper identification, tracking, and accountability during high-volume asset intake.
OIG Analysis: The OIG determined that the corrective action taken met the intent of the recommendation. This recommendation is closed.

Agency Response Dated January 30, 2026: NRC staff agree with this recommendation. OCIO has done the following:
• The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Completed: Q4 FY 2024)
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024)
• OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags. (Reference ITAM Playbook, 4.3.1 Control of Equipment (NRC Tags)) (Completed: Q1 FY2026)
The updated HAM Playbook has been incorporated into MD 13.1. ADM will provide the revised MD to the manuscript team for final review and publication. Target Completion Date: Q2 FY2026
OIG Analysis: The OIG will close this recommendation after reviewing the updated published MD 13.1. This recommendation remains open and resolved.

Agency Response Dated May 29, 2025: NRC staff agrees with this recommendation. OCIO has already done the following:
• The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets and is working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Completed: Q4 FY 2024)
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024)
• OCIO has updated the HAM Playbook to reflect the ADM process for requesting tags. (Completed: Q1 FY 2025)
ADM will update MD 13.1 to incorporate the updated HAM Playbook (Target Completion Date: Q4, FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.

Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. OCIO had already done the following:
• The staff drafted standard operating procedures (SOPs) specific to the handling, storage, issuance, and return of IT assets and is working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Target Completion Date: Q4 FY 2024)
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC. (Completed: Q3 FY 2024)
OCIO will update the HAM Playbook to reflect the ADM process for requesting tags. (Target Completion Date: Q1 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.

Update the affected contract(s) to include a service level requirement for the sanitation of assets.

Agency Response Dated April 21, 2026: NRC staff agree with this recommendation. The affected contract was updated on March 12, 2026, to include a service level requirement for sanitation of assets. The updated language below has been formally added to Attachment 1 – Section C: Performance Work Statement for contract (NRC-HQ-10-17-A-0007 / 31310018F0015), the NRC’s GLobal INfrastructure and Development Acquisition (GLINDA) End User Computing Services (EUC) contract. A copy of the contract modification and updated attachment has been provided directly to the Audit Manager.
C.3.3.3.1 Data Storage Device Sanitation Services
The Contractor shall perform data storage device sanitation services on the IT components that it disposes of for the NRC. The Contractor must provide a certification of sanitization to the Blanket Purchase Agreement Call Contracting Officer Representative. The Contractor shall provide certification for each item that is degaussed, and the certification must be current. Techniques used to sanitize media must be appropriate to the media type and must be in accordance with NRC security policies, processes, and procedures. Other guidance / reference resources include the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53; NIST SP 800-88; National Security Agency (NSA) Central Security Service (CSS) Policy Manual 9-12; International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27002, “Information technology - Security techniques - Code of practice for information security management”; and Committee on National Security Systems Policy (CNSSP) No. 26, “National Policy on Reducing the Risk of Removable Media”. The contractor shall sanitize all EUC responsible personal computers within 30 calendar days from the 10 business days quarantine period end. For the regions and Technical Training Center, sanitization of data storage devices is jointly performed by the one contractor (within identified hours of operations in Section C.3.4.2.1) and federal IT Specialist assigned to each respective site. Any requested measurements require shared accountability and mutual agreement between the NRC Office of the Chief Information Officer and Leidos along with proper configuration of the Information Technology Service Management system.
OIG Analysis: The OIG determined that the corrective action taken met the intent of the recommendation. This recommendation is closed.

Agency Response Dated January 30, 2026: NRC staff agrees with this recommendation. All affected contracts have been updated to include a service level agreement for sanitation of assets. Requisitions are pending management review and approval. Target Completion Date: Q2 FY2026
OIG Analysis: The OIG will close this recommendation after the affected contracts are reviewed and the updated service-level requirement for asset sanitation is confirmed. This recommendation remains open and resolved.

Agency Response Dated May 29, 2025: NRC staff agrees with this recommendation. The End User Computing Contracting Officer’s Representative is planning several modifications to the affected contract to include a service level requirement for sanitization of all NRC-issued laptops. (Target Completion Date: Q4 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved.

Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. When the option period is executed in April 2025, OCIO will add a specific service level agreement to the end user computing contract referencing the requirement for timely completion of device sanitization. (Target Completion Date: Q3 FY 2025)
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved.