Evaluation of the U.S. Nuclear Regulatory Commission’s Information Technology Asset Management
Report Information
Recommendations
Update NRC form 270, Separation Clearance, to include a step to ensure IT assets under the $2,500 threshold are returned prior to employee clearance for separation.
Agency Response Dated July 31, 2024: NRC staff agrees with this recommendation. The NRC has modified the separation clearance process<br />
(NRC Form 270) as follows:<br />
• Modified the tasks within the separation clearance process to initiate the collection of IT equipment at the beginning of the process. This ensures that mail return kits are sent earlier in the process for remote employees and, hybrid or onsite employees must return all IT equipment prior to their separation interview with OCHCO. (Completed: Q3 FY 2024)<br />
• Modified the task for the Deskside Support Team to reclaim hardware up to 10 days before an employee’s departure date (for onsite employees). (Completed: Q3 FY 2024)<br />
To facilitate the earlier return of agency laptops (up to 10 days before departure), OCIO will develop direction and instructions, and communicate them to the staff, on using web-based access to NRC IT services (i.e., Azure Virtual Desktop and Microsoft Office 365), that do not require having an agency laptop, to enable employees to work during the 10 days before the departure date. (Target Completion Date: Q2 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the development of instructions and communication with staff on how to use web-based access to NRC IT Services. This recommendation remains open and resolved.
Update MD 13.1, Property Management, or develop other guidance, to clearly describe the roles and responsibilities of NRC employees and contractors as it pertains to the handling, storage, issuance, and return of IT assets under the $2,500 threshold.
• Update the roles and responsibilities outlined in MD 13.1.<br />
• Reference the IT Asset Management policy in MD 13.1 to ensure that agency staff, managers, and contractors understand their responsibilities regarding NRC IT equipment assigned to them and their staff.<br />
• Reference the Hardware Asset Management (HAM) Playbook in MD 13.1, which outlines processes for the handling, storage, issuance, and return of IT assets under $2500 threshold (Target Completion Date: Q4 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to MD 13.1. This recommendation remains open and resolved.
Complete an inventory of laptops, desktops, and tablets, and update the information in the CMBD in the current ITSM toolset.
inventories of all agency storage locations (stockrooms), touchdown stations, and hoteling spaces at Headquarters as well as all regional offices, the Technical Training Center, and the NRC warehouse. These assets have been reconciled and the Information Technology Service Management (ITSM) toolset was updated accordingly to resolve discrepancies introduced from the previous ITSM transition and movement of staff and space across the White Flint Complex. Additionally, OCIO has started reconciliation of “in use” assets by comparing inventory with reports from network discovery tools. OCIO will continue use of current agency discovery tools, and look at additional processes and tools, to fully inventory all laptops, desktops, and tablets in the environment. (Target Completion Date: Q3, FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming with NRC’s management that the inventories were completed. This recommendation remains open and resolved.
Update MD 13.1, Property Management, and the Hardware Asset Management Playbook, or develop other guidance, to expressly state the roles and responsibilities for acquiring assets and requesting red tags for IT assets in a timely manner.
• The staff drafted standard operating procedures (SOP’s) specific to the handling, storage, issuance, and return of IT assets and working toward finalizing the SOPs. The SOP addresses roles and responsibilities for staff involved in the process, including those responsible for acquiring assets and requesting tags for IT assets. (Target Completion Date: Q4 FY 2024)<br />
• For large purchases of laptops, ADM has developed a process to acquire and place red tags on devices before their arrival to the NRC.<br />
(Completed: Q3 FY 2024)<br />
OCIO will update the HAM Playbook to reflect the ADM process for requesting tags. (Target Completion Date: Q1 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the updates to the MD 13.1 and the HAM Playbook. This recommendation remains open and resolved.
Update the affected contract(s) to include a service level requirement for the sanitation of assets.
add a specific service level agreement to the end user computing contract referencing the requirement for timely completion of device sanitization. (Target Completion Date: Q3 FY 2025)<br />
OIG Analysis: The OIG will close this recommendation after reviewing and confirming the evidence provided by NRC’s management regarding the update to the end-user computing contract. This recommendation remains open and resolved.