Text

April 1, 2019, to September 30, 2019 iii I am pleased to present this Semiannual Report to Congress on the activities and accomplishments of the Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG) from April 1, 2019, to September 30, 2019.

Our work reflects the legislative mandate of the Inspector General Act, which is to identify and prevent fraud, waste, and abuse through the conduct of audits and investigations relating to NRC programs and operations. The audits and investigations highlighted in this report demonstrate our commitment to ensuring integrity and efficiency in NRCs programs and operations. In addition, the Consoli dated Appropriations Act, 2014, provided that notwithstanding any other provision of law, the NRC Inspector General is authorized in 2014 and subsequent years to exercise the same authorities with respect to the Defense Nuclear Facilities Safety Board (DNFSB), as determined by NRC Inspec tor General, as the Inspector General exercises under the Inspector General Act of 1978 (5 U.S.C.

App.) with respect to NRC.

During this reporting period, we issued audit reports intended to strengthen NRCs oversight of supplemental inspection corrective actions, oversight of the voice over Internet protocol contract and implementation, transition process for decommissioning power reactors, computer code shar ing, cyber security inspections, and training selection process for Agreement State personnel. OIG received 98 allegations, opened 13 investigations, and completed 18 cases. One of the open cases was referred to the Department of Justice, and 32 allegations were referred to NRC management for action.

NRC OIG is committed to the integrity, efficiency, and effectiveness of NRC and DNFSB pro grams and operations, and our audits, investigations, and other activities highlighted in this report demonstrate our ongoing commitment. I would like to acknowledge our auditors, investigators, and support staff for their commitment to the mission of this office.

Our success would not be possible without the collaborative efforts between OIG staff and NRC and DNFSB staff to address OIG findings and implement corrective actions in a timely manner. I thank them for their dedication, and I look forward to continued cooperation as we work together to ensure the integrity and efficiency of agency operations.

David C. Lee Deputy Inspector General A MESSAGE FROM THE DEPUTY INSPECTOR GENERAL

iv NRC Office of the Inspector General Semiannual Report to Congress Backfill begins on Vogtle Unit 3. Courtesy of Southern Nuclear.

April 1, 2019, to September 30, 2019 v CONTENTS Highlights...........................................................................................................................1 Audits and Evaluations....................................................................................................1 Investigations...................................................................................................................5 Overview of NRC and OIG...........................................................................................7 NRCs Mission.................................................................................................................7 OIG History, Mission, and Goals..................................................................................9 OIG History................................................................................................................9 OIG Mission and Goals............................................................................................10 OIG Programs and Activities...................................................................................... 11 Audit and Evaluation Program....................................................................................11 Investigative Program...................................................................................................12 OIG General Counsel Regulatory Review.................................................................13 NRC Management and Performance Challenges................................................. 14 NRC Audits and Evaluations...................................................................................... 15 Summaries......................................................................................................................15 In Progress.....................................................................................................................29 Cancelled........................................................................................................................31 NRC Investigations....................................................................................................... 33 Summaries......................................................................................................................33 DNFSB............................................................................................................................. 41 DNFSB Management and Performance Challenges............................................ 41 DNFSB Audits and Evaluations................................................................................. 43 Summaries......................................................................................................................43 In Progress.....................................................................................................................43 DNFSB Investigations.................................................................................................. 47 Summaries.........................................................................................................................47 Summary of OIG Accomplishments at NRC......................................................... 49 Investigative Statistics...................................................................................................49 Audit and Evaluation Listings......................................................................................51 Contract Reports...........................................................................................................52 Resolution Activities......................................................................................................53 Summary of OIG Accomplishments at DNFSB.................................................... 55 Investigative Statistics...................................................................................................55 Audit and Evaluation Listings......................................................................................57 Resolution Activities......................................................................................................59 Unimplemented Audit Recommendations.............................................................. 61 Abbreviations and Acronyms...................................................................................... 71 Reporting Requirements............................................................................................. 73 Appendix.......................................................................................................................... 75

vi NRC Office of the Inspector General Semiannual Report to Congress Resident Inspector at Calvert Cliffs Nuclear power plant.

April 1, 2019, to September 30, 2019 1 The following sections highlight selected audits, evaluations, and investigations completed during this reporting period. More detailed summaries appear in subsequent sections of this report.

Audits and Evaluations Nuclear Regulatory Commission

NRCs Reactor Oversight Process (ROP) verifies that U.S. reactors are operat ing in accordance with NRC rules, regulations, and license requirements. NRC staff uses the ROP to evaluate NRC inspection findings and performance indi cators records for each reactor and uses this information to assess the reactors safety performance and security measures. While performance indicators can provide insights into plant performance in selected areas, the NRCs supple mental inspection program provides in-depth information for monitoring and assessing plant performance. The audit objective was to assess how NRC uses supplemental inspections to verify licensees corrective actions, and how NRC documents supplemental inspection results.

Enforcement discretion is a broad concept that is used in all NRC oversight areas to allow NRC to focus on the most risk significant areas or to recognize a licensees corrective actions. In a specific type of enforcement discre tion, nuclear power licensees in limited circumstances may request NRC to grant enforcement discretion for temporary deviation from plant technical specifications or other license conditions. Enforcement discretion is used in situations where compliance with regulatory requirements would require a change that increases safety risk relative to current plant specific conditions.

It may also serve as a contingency for severe weather or natural phenomena.

No net increase in radiological risk to the public is allowed during periods of enforcement discretion and NRC engineers need to be fully satisfied that the requested action involves no safety impact in accordance with the enforce ment policy and staff guidance. The audit objective was to assess NRCs use of enforcement discretion, with emphasis on decision bases, documentation, and conditions licensees must meet to achieve regulatory compliance.

Voice over Internet Protocol (VoIP) is a technology that allows you to make voice calls using a broadband internet connection instead of a regular (or analog) phone line. VoIP service converts your voice into a digital signal that travels over the internet. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone connected to a special adaptor. The primary benefits of implementing VoIP were NRC's transition to a modern telephone system with better conferencing features; improved voice quality; and greater reliability at headquarters, the regions, Technical Train ing Center, and resident inspector sites. The audit objective was to evaluate the NRC VoIP deployment, the relevant contracts, and the functionality of the new equipment, in order to identify any opportunities for improvement and solu tions moving forward.

HIGHLIGHTS

2 NRC Office of the Inspector General Semiannual Report to Congress

Decommissioning is the process used to safely remove a nuclear power plant from service and reduce residual radioactivity to a level that permits release of the property and termination of its NRC operating license. The Office of Nuclear Reactor Regulation (NRR) maintains oversight of all operating nuclear power plants. The Office of Nuclear Material Safety and Safeguards (NMSS) maintains oversight of all decommissioning activities. Once a licensee announces its intention to shut down its reactor, NRR and NMSS closely coor dinate during this operating to decommissioning transition process. The audit objective was to determine whether NRCs transfer of oversight respon sibilities, used when operating power reactors undergo decommissioning, is efficient and effective.

OIG issued an Official Use Only report, Audit of NRCs Computer Code Sharing, which is not publicly available because it contains sensitive security information.

Under the Cyber Security Rule at 10 Code of Federal Regulations 73.54, NRC requires that licensees operating a nuclear power plant provide high assur ance that digital computer and communication systems and networks are adequately protected against cyber attacks. The Cyber Security Rule required licensees to submit for NRC review and approval a Cyber Security Plan with a proposed implementation schedule. NRC is conducting cyber security inspec tions through 2020 to verify that licensees have fully developed cyber security programs conforming to the Cyber Security Rule and licensing basis commit ments such as the approved Cyber Security Plan. The audit objective was to determine whether the cyber security inspection program provides reason able assurance that nuclear power plant licensees adequately protect digital computers, communication systems, and networks associated with safety, important-to-safety, security, and emergency preparedness.

The Improper Payments Information Act of 2002 (IPIA) requires all agencies to annually review programs and activities susceptible to significant improper payments and report agency estimates to Congress. The Improper Payments Elimination and Recovery Act of 2010 (IPERA) amended IPIA to require OIG to annually determine and report whether the agency is in compliance with improper payment laws. The Improper Payments Elimination and Recov ery Improvement Act of 2012 (IPERIA) further enhanced the requirements of IPIA to assist Federal Government improper payment reduction efforts.

During fiscal year (FY) 2018, the NRC self-reported approximately $960,000 in improper payments. The audit objectives were to assess NRCs compliance with the IPIA, as amended by the IPERA, and IPERIA, and report any material weaknesses in internal control.

NRC fully funds the training and associated travel costs for Agreement State staff to attend NRC-sponsored training. The funding is intended to help Agreement States enhance their programs performance and foster national consistency among Agreement State and NRC inspectors and license reviewers.

Certain NRC-sponsored training courses have been identified as providing basic information that directly supports the Agreement State program. NRCs

April 1, 2019, to September 30, 2019 3 guidance document, SA-600, Training Selection Process and Criteria for Agreement State Personnel, outlines the process through which Agreement State personnel can apply for NRC-sponsored training and the criteria used to select training course attendees. The audit objective was to determine the effectiveness and efficiency of NRCs process for selecting Agreement State personnel for NRC-sponsored training courses.

OIG and the Defense Contract Audit Agency (DCAA) have an interagency agreement whereby DCAA provides contract audit services for OIG. DCAA is responsible for the audit methodologies used to reach the audit conclusions, monitoring their staff qualifications, and ensuring compliance with Generally Accepted Government Auditing Standards. OIGs responsibility is to distrib ute the report to NRC management and follow up on agency actions initiated as a result of this report. At the request of OIG, DCAA audited Qi Tech, LLC.

The DCAA audit report, identified questioned costs to be addressed by NRC management. Also, at the request of OIG, DCAA audited Southwest Research Institute and Advanced Systems Technology and Management, Inc. The DCAA audit reports did not identify any questioned cost for either contracted business.

On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA 2014), reforming the Federal Informa tion Security Management Act of 2002 (FISMA). FISMA 2014 outlines the information security management requirements for agencies, which include an annual independent evaluation of an agencys information security program and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agencys information systems. The evaluation also must include an assessment of the effectiveness of the information security pol icies, procedures, and practices of the agency. FISMA 2014 requires the annual evaluation to be performed by the agencys OIG or by an independent external auditor. FISMA 2014 requires organizations to adopt a risk-based, life-cycle approach to improving information security that includes annual security pro gram reviews and independent evaluations. The objective of this evaluation was to conduct an independent assessment of the NRCs FISMA implementa tion for Fiscal Year 2018.

The Omnibus Appropriations Act of 2009 (the Act) established the Integrated University Program (IUP) between the NRC, Department of Energy (DOE),

and the National Nuclear Security Administration (NNSA). The Act autho rized the appropriation of $45 million per year from Fiscal Year (FY) 2009 through FY 2019 with $15 million for each agency. NRC, DOE, and NNSA independently manage their own portions of the IUP and communicate fre quently to coordinate and avoid duplication. NRC provides various types of grants to support educational institutions and research to facilitate the support of nuclear science and engineering. The NRC grants program from FY 2008 through FY 2018 comprised 488 grants and totaled roughly $171.2 million.

The audit objectives were to determine whether (1) NRCs grant administra tion program complies with Federal regulations and agency guidance, employs

4 NRC Office of the Inspector General Semiannual Report to Congress sufficient internal control, and provides accountability over Federal funds through its policies and procedures, and (2) NRCs grant closeout program has employed policies and procedures to close out grants in a proper and timely manner.

Records management enables and supports NRCs work to fulfill its mission.

Since April 2000, NRC has relied on an electronic recordkeeping system called the Agencywide Documents Access and Management System (ADAMS) to manage agency records. Federal agencies are required to establish a records management program to ensure compliance with the regulations governing records management issued by the National Archives and Records Adminis tration (NARA). The NRC Office of the Chief Information Officer (OCIO) manages NRCs records management program and ensures that NRC effi ciently complies with all applicable records management regulations and NARA policy. The audit objective was to determine whether NRCs process ensures official agency records are properly identified and profiled within ADAMS.

Defense Nuclear Facilities Safety Board

No DNFSB-related audit reports were issued during this reporting period.

However, OIG provides, in this semiannual report, an update concerning the Audit of DNFSBs Issue and Commitment Tracking System and Its Related Processes, a report issued during the prior reporting period. While the Board initially concurred with all eight of OIGs recommendations in the report, it later changed its original position on two recommendations related to commu nication with staff, electing not to concur. OIG provided a written response to the Board expressing its disagreement with the Boards decision. OIG closed the two recommendations and will therefore discontinue further followup.

April 1, 2019, to September 30, 2019 5 Investigations Nuclear Regulatory Commission

OIG completed an investigation into concerns expressed to NRC by Congres sional stakeholders and members of the public regarding the sale of Uranium One - a nuclear source material extraction company that owns numerous ura nium mines around the world, including one operational, NRC-licensed, U.S.

based uranium mine - to ARMZ, a Russian corporation. ARMZ is 1 of more than 300 wholly or partially owned subsidiaries of ROSATOM, the Russian, state-owned nuclear energy corporation. Stakeholders broadly questioned whether NRC appropriately exercised its oversight over the sale and other related export transactions, particularly given that companies with links to Uranium One have reportedly been under criminal investigation on charges relating to bribery and corruption. Such charges have been cited by stakehold ers as indicators of possible corruption in the Uranium One transaction itself.

OIG completed an investigation pertaining to a voluntary disclosure by NTT Data Services Financial Government LLC (NDFG), formally Dell Services Federal Government, Inc., that NDFG provided NRC with non-compliant Trade Agreements Act (TAA) end products during the performance of their NRC Information Technology Infrastructure and Support Services (ITISS) contract. The contract was initiated to provide the NRC with a wide range of Information Technology (IT) services to include wireless telecommunications, data center functions, and programmatic IT infrastructure. The ITISS contract also provided NRC employees with a majority of needed IT services. OIG coordinated this investigation with the U.S. Attorneys Office, Washington, DC, and a settlement included monetary recoveries for NRC.

OIG completed an investigation into an allegation that an NRC senior official backdated FY 2018 performance appraisal plans. The senior official allegedly falsified dates on FY 2018 Executive Performance Agreements. According to the alleger, the performance agreements were required to be issued by Octo ber 31, 2017; however, they were not provided until November 4-8, 2017, and the NRC senior official falsely dated the agreements October 1 to cover up not issuing the agreements by October 31, 2017.

OIG completed an investigation into an allegation that an NRC employee falsified an excused absence letter. Allegedly, the NRC employee falsified an excused absence letter, purportedly from a doctor, to support the employees absence from work due to health reasons. The alleger provided OIG with three other excused absence letters from the NRC employee that the alleger suspected were falsified.

OIG completed an investigation into an anonymous allegation that an NRC senior official abused Government time. The NRC senior official alleg edly conducted real estate business while on official travel to nuclear power plants. According to the allegation, when the NRC senior official visited a nuclear power plant, the official was observed on many phone calls. OIG had

6 NRC Office of the Inspector General Semiannual Report to Congress previously conducted an investigation pertaining to this senior official that sub stantiated the official used a Government-issued computer to conduct private business as a real estate agent.

OIG completed an investigation into an allegation that NRC senior officials had continued to retaliate against an NRC manager for participating in the NRC Differing Professional Opinion (DPO) Program, which is used by an NRC employee or contractor when he or she has a conscientious expression of a judgment or position that differs from an established staff view, agency practice, management decision, or policy position involving technical, legal, or policy issues. According to the alleger, the NRC senior officials reassigned the alleger to another position at the NRC purportedly because the alleger had filed a DPO.

Defense Nuclear Facilities Safety Board No DNFSB-related investigations were completed during this reporting period.

April 1, 2019, to September 30, 2019 7 NRCs Mission NRC was formed in 1975, in accordance with the Energy Reorganization Act of 1974, to regulate the various commercial and institutional uses of nuclear materi als. The agency succeeded the Atomic Energy Commission, which previously had responsibility for both developing and regulating nuclear activities.

NRCs mission is to regulate the Nations civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety and to promote the common defense and security and to protect the environment.

NRCs regulatory mission covers three main areas:

Reactors - Commercial reactors that generate electric power and research and test reactors used for research, testing, and training.

Materials - Uses of nuclear materials in medical, industrial, and academic settings and facilities that produce nuclear fuel.

Waste - Transportation, storage, and disposal of nuclear materials and waste, and decommissioning of nuclear facilities from service.

Under its responsibility to protect public health and safety, NRC has the follow ing main regulatory functions: (1) establish standards and regulations; (2) issue licenses, certificates, and permits; (3) ensure compliance with established standards and regulations; and (4) conduct research, adjudication, and risk and performance assessments to support regulatory decisions. These regulatory functions relate both to nuclear power plants and other uses of nuclear materials - like nuclear medicine programs at hospitals, academic activities at educational institutions, research, and such industrial applications as gauges and testing equipment.

NRC maintains a current Web site and a public document room at its headquarters in Rockville, MD; holds public hearings and public meetings in local areas and at NRC offices; and engages in discussions with individuals and organizations.

OVERVIEW OF NRC AND OIG

8 NRC Office of the Inspector General Semiannual Report to Congress Fire equipment inspection at Calvert Cliffs nuclear power plant.

April 1, 2019, to September 30, 2019 9 OIG History, Mission, and Goals OIG History In the 1970s, Government scandals, oil shortages, and stories of corruption covered by newspapers, television, and radio stations took a toll on the American publics faith in its Government. The U.S. Congress knew it had to take action to restore the publics trust. It had to increase oversight of Federal programs and opera tions. It had to create a mechanism to evaluate the effectiveness of Government programs. And, it had to provide an independent voice for economy, efficiency, and effectiveness within the Federal Government that would earn and maintain the trust of the American people.

In response, Congress passed the landmark legislation known as the Inspector General Act (IG Act), which President Jimmy Carter signed into law in 1978. The IG Act created independent Inspectors General, who would protect the integrity of Government; improve program efficiency and effectiveness; prevent and detect fraud, waste, and abuse in Federal agencies; and keep agency heads, Congress, and the American people fully and currently informed of the findings of IG work.

Today, the IG concept is a proven success. The IGs continue to deliver signifi cant benefits to our Nation. Thanks to IG audits and investigations, billions of dollars have been returned to the Federal Government or have been better spent based on recommendations identified through those audits and investigations. IG investigations have also contributed to the prosecution of thousands of wrongdo ers. In addition, the IG concepts of good governance, accountability, and monetary recovery encourage foreign governments to seek advice from IGs, with the goal of replicating the basic IG principles in their own governments.

10 NRC Office of the Inspector General Semiannual Report to Congress OIG Mission and Goals NRCs OIG was established as a statutory entity on April 15, 1989, in accordance with the 1988 amendment to the IG Act. NRC OIGs mission is to (1) indepen dently and objectively conduct and supervise audits and investigations relating to NRC programs and operations; (2) prevent and detect fraud, waste, and abuse; and (3) promote economy, efficiency, and effectiveness in NRC programs and operations.

OIG is committed to ensuring the integrity of NRC programs and operations.

Developing an effective planning strategy is a critical aspect of accomplishing this commitment. Such planning ensures that audit and investigative resources are used effectively. To that end, OIG developed a Strategic Plan that includes the major challenges and critical risk areas facing NRC.

The plan identifies OIGs priorities and establishes a shared set of expecta tions regarding the goals OIG expects to achieve and the strategies that will be employed to do so. OIGs Strategic Plan features three goals, which generally align with NRCs mission and goals:

1. Strengthen NRCs efforts to protect public health and safety and the environment.

2. Strengthen NRCs security efforts in response to an evolving threat environment.

3. Increase the economy, efficiency, and effectiveness with which NRC manages and exercises stewardship over its resources.

April 1, 2019, to September 30, 2019 11 OIG Programs and Activities Audit and Evaluation Program The OIG Audit Program focuses on management and financial operations; economy or efficiency with which an organization, program, or function is man aged; and whether the programs achieve intended results. OIG auditors assess the degree to which an organization complies with laws, regulations, and inter nal policies in carrying out programs, and they test program effectiveness as well as the accuracy and reliability of financial statements. The overall objective of an audit is to identify ways to enhance agency operations and promote greater economy and efficiency. Audits comprise four phases:

Survey - An initial phase of the audit process is used to gather information on the agencys organization, programs, activities, and functions. An assessment of vulnerable areas determines whether further review is needed.

Fieldwork - Detailed information is obtained to develop findings and support conclusions and recommendations.

Reporting - The auditors present the information, findings, conclusions, and recommendations that are supported by the evidence gathered during the survey and fieldwork phases. Exit conferences are held with management offi cials to obtain their views on issues in the draft audit report. Comments from the exit conferences are presented in the published audit report, as appropriate.

Formal written comments are included in their entirety as an appendix in the published audit report.

Resolution - Positive change results from the resolution process in which management takes action to improve operations based on the recommenda tions in the published audit report. Management actions are monitored until final action is taken on all recommendations. When management and OIG cannot agree on the actions needed to correct a problem identified in an audit report, the issue can be taken to the NRC Chairman for resolution.

Each October, OIG issues an Annual Plan that summarizes the audits and evalu ations planned for the coming fiscal year. Unanticipated high-priority issues may arise that generate audits not listed in the Annual Plan. OIG audit staff continually monitor specific issues areas to strengthen OIGs internal coor dination and overall planning process. Under the OIG Issue Area Monitor (IAM) program, staff designated as IAMs are assigned responsibility for keeping abreast of major agency programs and activities. The broad IAM areas address nuclear reactors, nuclear materials, nuclear waste, international programs, secu rity, information management, and financial management and administrative programs.

12 NRC Office of the Inspector General Semiannual Report to Congress Investigative Program OIGs responsibility for detecting and preventing fraud, waste, and abuse within NRC includes investigating possible violations of criminal statutes relating to NRC programs and activities, investigating misconduct by NRC employees and contractors, interfacing with the Department of Justice on OIG-related crimi nal and civil matters, and coordinating investigations and other OIG initiatives with Federal, State, and local investigative agencies and other OIGs. Investiga tions may be initiated as a result of allegations or referrals from private citizens; licensee employees; NRC employees; Congress; other Federal, State, and local law enforcement agencies; OIG audits; the OIG Hotline; and OIG initiatives directed at areas bearing a high potential for fraud, waste, and abuse.

Because NRCs mission is to protect the health and safety of the public, OIGs Investigative Program directs much of its resources and attention to investigat ing allegations of NRC staff conduct that could adversely impact matters related to health and safety. These investigations may address allegations of

Misconduct by high-ranking NRC officials and other NRC officials, such as managers and inspectors, whose positions directly impact public health and safety.

Failure by NRC management to ensure that health and safety matters are appropriately addressed.

Failure by NRC to appropriately transact nuclear regulation publicly and can didly and to openly seek and consider the publics input during the regulatory process.

Conflicts of interest involving NRC employees and NRC contractors and licensees, including such matters as promises of future employment for favor able or inappropriate treatment and the acceptance of gratuities.

Fraud in the NRC procurement program involving contractors violating Gov ernment contracting laws and rules.

OIG has also implemented a series of proactive initiatives designed to iden tify specific high-risk areas that are most vulnerable to fraud, waste, and abuse.

A primary focus is electronic-related fraud in the business environment. OIG is committed to improving the security of this constantly changing electronic business environment by investigating unauthorized intrusions and computer-related fraud, and by conducting computer forensic examinations. Other proactive initiatives focus on determining instances of procurement fraud, theft of property, Government credit card abuse, and fraud in Federal programs.

April 1, 2019, to September 30, 2019 13 OIG General Counsel Regulatory Review Pursuant to the Inspector General Act, 5 U.S.C. App. 3, Section 4(a)(2), OIG reviews existing and proposed legislation, regulations, policy, and implementing management directives (MD), and makes recommendations to the agency concern ing their impact on the economy and efficiency of agency programs and operations.

Regulatory review is intended to provide assistance and guidance to the agency prior to the concurrence process so as to avoid formal implementation of poten tially flawed documents. OIG does not concur or object to the agency actions reflected in the regulatory documents, but rather offers comments.

Comments provided in regulatory review reflect an objective analysis of the lan guage of proposed agency statutes, directives, regulations, and policies resulting from OIG insights from audits, investigations, and historical data and experience with agency programs. OIG review is structured so as to identify vulnerabilities and offer additional or alternative choices.

To effectively track the agencys response to OIG regulatory review, signifi cant comments should include a request for written replies within 90 days, with either a substantive reply or status of issues raised by OIG.

From April 1, 2019, to September 30, 2019 OIG reviewed a variety of agency documents. In its regulatory reviews, OIG is cognizant of potential impacts to its functions as well as potentially negative impacts on its independence from the agency. In addition to impacts on OIG functions, some of the documents reviewed could have a major impact on NRC operations or are of high inter est to NRC staff and stakeholders, and OIGs regulatory reviews reflect OIGs knowledge and awareness of underlying trends and overarching developments at the agency and in the industry, it regulates.

OIG did not identify any issues that would impact its independence or conflict with its audit or investigatory functions during its review of agency documents during this time period. However, OIGs review did identify multiple instances where the agency document and its effectiveness could be reviewed by greater clarity, organization, or inclusion of background information. The most signifi cant matters addressed during this period are described below.

NRC

Management Directive 4.5, Contingency Plans for Periods of Lapsed Appropriations, which provides guidance and instructions for suspending non excepted agency activities should Congress fail to appropriate funds for normal agency operations, was reviewed during this period. Although revisions to this Management Directive were minor, and the decision to revise the management directive was not the direct result of the 2019 lapse in appropriations, which did not directly affect the NRC, the review took place during a time of height ened concern among the NRC staff regarding the potential impact of future lapses in appropriation. OIG was sensitive to these concerns as it considered the proposed changes.

14 NRC Office of the Inspector General Semiannual Report to Congress

Management Directive 8.12, Decommissioning Financial Assurance Instru ment Security Program, which provides guidance for assuring that financial instruments provided as financial assurance for decommissioning are available when needed, received minor revisions from the NRC staff during the report ing period. While the scope of the Management Directive is limited to the physical storage of documents and the edits to the Directive itself were minor, the topic of licensee decommissioning is an important one to the agency at present, and OIGs review was mindful of any impact this revision could have on other agency decommissioning activities.

Management Directive 9.1, Organization Management, which provides basic policy regarding the organizational structure, delegations of authority, and formal assignments within the NRC. OIG offered suggested edits that clarify the OIGs information reporting relationship to the Chairman of the agency and emphasized OIGs independence from the wider agency.

Additional Management Directives reviewed included:

Management Directive 12.6, NRC Controlled Unclassified Information System, which describes the agencys controlled unclassified information program.

Management Directive 10.122, Employee Assistance and Wellness Services Programs, which provides policy regarding the establishment and manage ment of agencywide Employee Assistance and Wellness programs.

NRC Management and Performance Challenges Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission*

in FY 2019 (as identified by the Inspector General)

Challenge 1 Regulation of nuclear reactor safety programs.

Challenge 2 Regulation of nuclear materials and radioactive waste programs.

Challenge 3 Management of security over internal infrastructure (personnel, physi cal, and cyber security) and nuclear security.

Challenge 4 Management of information technology and information management.

Challenge 5 Management of financial programs.

Challenge 6 Management of administrative functions.

•  For more information on the challenges, see OIG-18-A-01, Inspector Generals Assessment of the Most Serious Management and Performance Challenges Facing NRC, https://www.nrc.gov/docs/ML1729/

ML17291A011.pdf

April 1, 2019, to September 30, 2019 15 NRC AUDITS AND EVALUATIONS Summaries Audit of NRCs Oversight of Supplemental Inspection Corrective Actions OIG Strategic Goal: Safety The NRC Reactor Oversight Process (ROP) verifies that U.S. reactors are oper ating in accordance with NRC rules, regulations, and license requirements. NRC staff uses the ROP to evaluate NRC inspection findings and performance indica tors records for each reactor and uses this information to assess the reactors safety performance and security measures. While performance indicators can provide insights into plant performance in selected areas, the NRCs supplemental inspec tion program provides in-depth information for monitoring and assessing plant performance.

The audit objective was to assess how NRC uses supplemental inspections to verify licensees corrective actions and how NRC documents supplemental inspection results.

Audit Results:

NRC conducts supplemental inspections to assure licensee corrective actions effectively address and preclude repetition of significant performance problems.

However, NRC does not centrally organize information about a licensees planned corrective actions associated with 95001 and 95002 supplemental inspections to ensure verification of their effectiveness. This occurs because NRC does not require staff to centrally capture and organize planned corrective actions infor mation associated with 95001 and 95002 supplemental inspections. Improving the consistency and quality of 95001 and 95002 inspection report data, while also leveraging technology to make this information more readily accessible to agency staff and senior management, can reduce the risk of oversight lapses and streamline workflow for greater efficiency.

This report made two recommendations to support improved documentation of significant planned corrective actions associated with 95001 and 95002 supplemen tal inspections.

(Addresses Management Challenge # 1)

16 NRC Office of the Inspector General Semiannual Report to Congress Grey Water Pond at Palo Verde A spray pond at the Palo Verde nuclear plant in the middle of the Arizona desert allows the plant to efficiently dispense heat from water used to cool some plant components.

April 1, 2019, to September 30, 2019 17 Audit of NRCs Use of Enforcement Discretion for Nuclear Power Licensees OIG Strategic Goal: Safety Enforcement discretion is a broad concept that is used in all NRC oversight areas to allow NRC to focus on the most risk significant areas or to recognize a licens ees corrective actions. In a specific type of enforcement discretion, nuclear power licensees, in limited circumstances, may request NRC to grant enforcement discre tion for temporary deviation from plant technical specifications or other license conditions. Enforcement discretion is used in situations where compliance with regulatory requirements would require a change that increases safety risk relative to current plant specific conditions. It may also serve as a contingency for severe weather or natural phenomena. No net increase in radiological risk to the public is allowed during periods of enforcement discretion. Net increase in radiological risk is a quantitative assessment. NRC approval of such a request is documented in a Notice of Enforcement Discretion.

The audit objective was to assess NRCs use of enforcement discretion, with emphasis on decision bases, documentation, and conditions licensees must meet to achieve regulatory compliance.

Audit Results:

OIG found that enforcement discretion decisions were timely, conducted in accor dance with NRC guidance, and documented with enough information to justify the decision. Licensees understand and follow NRC guidance to provide required information to support their requests. Staff also adhered consistently to agency guidance for following up with licensees after enforcement discretion was granted.

Therefore, OIG made no recommendations.

(Addresses Management and Performance Challenge # 1)

Evaluation of NRCs Oversight of the Voice over Internet Protocol (VoIP ) Contract and Implementation OIG Strategic Goal: Corporate Management VoIP is a technology that allows you to make voice calls using a broadband inter net connection instead of a regular (analog) phone line. VoIP service converts your voice into a digital signal that travels over the internet. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone connected to a special adaptor.

The primary benefits to NRC of implementing VoIP were the transition to a modern telephony system with better conferencing features; improved voice quality; and more reliability at headquarters, the regions, the Technical Training Center, and at resident inspector sites. The VoIP project was initiated on October 31, 2018, with the expectation that about 2,900 phones would be deployed at NRC headquarters (Rockville, MD) and an additional 1,000 phones in the regions and at the Technical Training Center.

18 NRC Office of the Inspector General Semiannual Report to Congress The objective was to evaluate NRCs VoIP deployment, the relevant contracts, and the functionality of the new equipment, to identify any opportunities for improve ment and for solutions moving forward.

Audit Results:

The evaluation identified two areas for improvement pertaining to the contracting and deployment approaches used to implement VoIP. Particularly, the roles and responsibilities of the respective telecommunications contractors were not speci fied, and the telecommunications contracts had duplicative services. This was a result of the contracts not being clearly written and a lack of coordination among NRC offices involved in VoIP transition. As a result, there is the perception that contractors are not performing satisfactorily, and NRC is paying for additional services.

Additionally, the evaluation found that the VoIP transition was poorly implemented as a result of poor project planning. Consequently, agency communications were unduly impacted, and concerns remain for future IT transitions.

This report made six recommendations to address clarity in telecommunications contracts, and the planning and implementation of large-scale information tech nology deployments.

(Addresses Management and Performance Challenge # 3)

Audit of NRCs Transition Process for Decommissioning Power Reactors OIG Strategic Goal: Safety Decommissioning is the process used to safely remove a nuclear power plant from service and reduce residual radioactivity to a level that permits release of the prop erty and termination of the NRC license under which the plant operates.

The Office of Nuclear Reactor Regulation (NRR) maintains oversight of all oper ating nuclear power plants. The Office of Nuclear Material Safety and Safeguards Source: Epik networks (Link: https://www.epiknetworks.com/what-is-voip/

How VoIP Technology Works

April 1, 2019, to September 30, 2019 19 (NMSS) maintains oversight of all decommissioning activities. Once a licensee announces its intention to shut down its reactor, NRR and NMSS closely coordi nate during the transition process from operating to decommissioned.

The audit objective was to determine whether NRCs transfer of oversight respon sibilities, used when operating power reactors undergo decommissioning, is efficient and effective.

Audit Results:

OIG found that NRCs transfer of oversight responsibilities is effective; however, the efficiency could be improved. Specifically, NRC should update decommission ing guidance and implement a formal project manager knowledge transfer process.

Agency guidance states NRC should run its programs effectively and efficiently; however, NRC does not practice certain knowledge management principles in the reactor decommissioning process. Consequently, there may be unnecessary delays in the processing and management of reactor decommissioning projects which may incur additional costs to licensees, NRC, and taxpayers.

This report made two recommendations to improve the effectiveness and effi ciency of the transition from operating to decommissioning power reactors.

(Addresses Management and Performance Challenge # 1)

Source: NRC

20 NRC Office of the Inspector General Semiannual Report to Congress Defense Contract Audit Agency (DCAA) Audit Report Numbers 01321-2016V10100018 and 01321-2017V10100018 OIG Strategic Goal: Corporate Management OIG and DCAA have an interagency agreement whereby DCAA provides contract audit services for OIG. DCAA is responsible for the audit methodologies used to reach the audit conclusions, monitoring their staff qualifications, and ensur ing compliance with Generally Accepted Government Auditing Standards. OIGs responsibility is to distribute the report to NRC management and follow-up on agency actions initiated because of this report. At the request of OIG, DCAA audited NRCs contract with Qi Tech, LLC.

Audit Results:

The DCAA audit report identified questioned costs to be addressed by NRC management.

(Addresses Management and Performance Challenge # 5)

Audit of NRCs Computer Code Sharing OIG Strategic Goal: Corporate Management This Official Use Only audit report was not issued publicly because it contains sen sitive security information.

(Addresses Management and Performance Challenge # 3)

Audit of NRCs Cyber Security Inspections at Nuclear Power Plants OIG Strategic Goal: Security Under the Cyber Security Rule at Title 10 Chapter 1 of the Code of Federal Regu lations Part 73.54, NRC requires that licensees operating a nuclear power plant provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks. The Cyber Security Rule required licensees to submit a Cyber Security Plan with a proposed implementa tion schedule for NRC review and approval.

NRC is conducting cyber security inspections through 2020 to verify that licens ees have fully developed cyber security programs conforming to the Cyber Security Rule and licensing basis commitments such as the approved Cyber Security Plan.

The audit objective was to determine whether the cyber security inspection pro gram provides reasonable assurance that nuclear power plant licensees adequately protect digital computers, communication systems, and networks associated with safety, important-to-safety, security, and emergency preparedness.

April 1, 2019, to September 30, 2019 21 Audit Results:

NRCs cyber security inspections generally provide reasonable assurance that nuclear power plant licensees adequately protect digital computers, communica tion systems, and networks associated with safety, important-to-safety, security, and emergency preparedness.

However, although NRC trains current staff as cyber security inspectors, the inspection program faces future staffing challenges because demographic and resource constraints work against optimal staffing. Challenges in maintain ing cyber security expertise among the inspectors could hinder NRCs ability to manage cyber security risk.

Additionally, the current cyber security inspection program is risk-informed but not yet fully performance based. The cyber security inspection program has not identified performance measures because of technical and regulatory challenges in program implementation, and there are challenges in predicting the level of effort required to conduct inspections. Identifying appropriate performance measures will permit NRCs cyber security inspection program to become more efficient and reliable without diminishing the level of assurance.

This report made two recommendations to address future inspection staffing challenges and suitable performance measures for the cyber security inspection program.

(Addresses Management and Performance Challenge # 1)

Audit of NRCs Fiscal Year (FY) 2018 Compliance with Improper Payment Laws OIG Strategic Goal: Corporate Management The Improper Payments Information Act of 2002 (IPIA) requires all agencies to annually review programs and activities susceptible to significant improper payments and report agency estimates to Congress. The Improper Payments Elimination and Recovery Act of 2010 (IPERA) amended IPIA to require OIG to Retirement Eligibility of NRC Staff Now1 End of 20202 Regional Divisions of Reactor Safety (combined) 26%

32%

Agencywide 24%

30%

Source: NRC provided data, as of March 2, 2019 1 As of March 2, 2019, there were 224 people in the combined regional Divisions of Reactor Safety, 59 of whom are currently eligible to retire. Agencywide, there were 3,003 employees on board, 724 of whom are currently eligible to retire.

2 By the end of FY 2020, 12 more people will be eligible to retire in the Divisions of Reactor Safety, and agencywide, 168 more people will be eligible to retire.

22 NRC Office of the Inspector General Semiannual Report to Congress annually determine and report whether the agency is in compliance with improper payment laws. The Improper Payments Elimination and Recovery Improvement Act of 2012 (IPERIA) further enhanced the requirements of IPIA to assist Federal Government improper payment reduction efforts. During fiscal year (FY) 2018, the NRC self-reported approximately $960,000 in improper payments.

The audit objectives were to assess NRCs compliance with the IPIA, as amended by the IPERA, and IPERIA, and report any material weaknesses in internal control.

Audit Results:

OIG found that NRC is generally compliant with IPIA, IPERA, and IPERIA.

OIG did not identify any material weaknesses in internal control during this audit.

However, opportunities for improvement exist to strengthen support for Appendix C compliance, and for strengthening and coordinating internal control efforts.

This report made three recommendations to strengthen support for Appendix C to OMB Circular A-123, Requirements for Payment Integrity Improvement compli ance, and to strengthen and coordinate internal control efforts.

(Addresses Management and Performance Challenge # 4)

Audit of NRCs Training Selection Process for Agreement State Personnel OIG Strategic Goal: Safety Agreement States are the States of the United States that have signed an agree ment with the NRC authorizing them to regulate certain uses of radioactive materials within the State. The NRC fully funds the training and associated travel costs for Agreement State staff to attend NRC-sponsored training. The fund ing is intended to help Agreement States enhance their programs performance and foster national consistency among Agreement State and NRC inspectors and license reviewers.

Certain NRC-sponsored training courses have been identified as providing basic information that directly supports the Agreement State program. NRCs guidance document, SA-600, Training Selection Process and Criteria for Agreement State Personnel, outlines the process through which Agreement State personnel can apply for NRC-sponsored training and the criteria used to select training course attendees.

The audit objective was to determine the effectiveness and efficiency of NRCs process for selecting Agreement State personnel for NRC-sponsored training courses.

Audit Results:

NRCs process for selecting Agreement State personnel for NRC-sponsored train ing courses is generally effective and efficient. Additionally, NRC Agreement State Program Directors interviewed by OIG expressed positive views regarding support

April 1, 2019, to September 30, 2019 23 provided by Regional State Agreement Officers (RSAO). However, NRC can improve this process by updating guidance to more accurately reflect the training selection process and the roles and responsibilities of the NRC parties involved and by clarifying the role of the RSAO.

Additionally, staff should adhere to consistent business practices that support effec tive and efficient program operations. However, aspects of the Agreement State training selection process are not carried out consistently. This occurs because the training selection process guidance does not accurately reflect the current pro cedures and does not provide enough detail, particularly with respect to RSAO roles and responsibilities. Current and accurate guidance would support program knowledge management and could help NRC staff make best use of limited train ing resources.

This report made one recommendation to enhance guidance for NRCs training selection process for Agreement State personnel.

(Addresses Management and Performance Challenge # 2)

Defense Contract Audit Agency (DCAA) Audit Report Numbers 3311-2016W10100001 and 3311-2017W10100001 OIG Strategic Goal: Corporate Management The OIG and DCAA have an interagency agreement whereby DCAA provides contract audit services for OIG. DCAA is responsible for the audit methodologies CA NV OR WA ID UT WY MT CO NM AZ TX OK KS NE SD ND MN WI IA IL MO AR LA MS AL TN KY VA MD DC DE NJ RI WV OH MI PA NY ME VT CT NH MA IN GA FL AK HI USVI PR SC NC AS GU MP Agreement States Agreement States Non-Agreement States States Pursuing Agreements Source: NRC

24 NRC Office of the Inspector General Semiannual Report to Congress used to reach the audit conclusions, monitoring their staff qualifications, and ensuring compliance with Generally Accepted Government Auditing Standards.

OIGs responsibility is to distribute the report to NRC management and follow-up on agency actions initiated because of this report.

At the request of OIG, DCAA audited NRCs contract with Southwest Research Institute.

Audit Results:

The DCAA audit report did not identify any questioned cost.

(Addresses Management and Performance Challenge # 5)

Defense Contract Audit Agency (DCAA) Audit Report Numbers 01321-2016V10100012 and 01321-2017V10100012 OIG Strategic Goal: Corporate Management The OIG and DCAA have an interagency agreement whereby DCAA provides contract audit services for OIG. DCAA is responsible for the audit methodolo gies used to reach the audit conclusions, monitoring their staff qualifications, and ensuring compliance with Generally Accepted Government Auditing Standards.

OIGs responsibility is to distribute the report to NRC management and follow-up on agency actions initiated because of this report.

At the request of OIG, DCAA audited NRCs contract with Advanced Systems Technology and Management, Inc.

Audit Results:

The DCAA audit report did not identify any questioned cost.

(Addresses Management and Performance Challenge #5)

Independent Evaluation of NRCs Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018 OIG Strategic Goal: Security On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA), reforming the Federal Information Security Management Act of 2002. FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agencys information security program and practices to determine their effec tiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agen cys information systems. The evaluation also must include an assessment of the effectiveness of the information security policies, procedures, and practices of the

April 1, 2019, to September 30, 2019 25 agency. FISMA requires the annual evaluation to be performed by the agencys Office of the Inspector General or by an independent external auditor.

FISMA 2014 requires organizations to adopt a risk-based, life-cycle approach to improving information security that includes annual security program reviews and independent evaluations.

The objective of this evaluation was to conduct an independent assessment of the NRCs FISMA implementation for Fiscal Year 2018.

Audit Results:

OIG found that the NRCs information security program and practices were generally effective for the period October 1, 2017, through September 30, 2018.

However, the evaluation identified information technology security program areas that need improvement. Specifically, improvements can be made in the following areas:

Management of non-standard use software,

Efforts to remove unsupported software vulnerabilities, and

Mitigating high-risk vulnerabilities on NRC networks.

This evaluation presented six recommendations to improve NRCs implementation of FISMA to strengthen information technology security.

(Addresses Management and Performance Challenge # 3)

Audit of NRCs Grants Administration and Closeout OIG Strategic Goal: Corporate Management The Omnibus Appropriations Act of 2009 (the Act) established the Integrated University Program (IUP) between the Nuclear Regulatory Commission (NRC),

Department of Energy (DOE), and the National Nuclear Security Administration (NNSA). The Act authorized the appropriation of $45 million per year from Fiscal Year (FY) 2009 through FY 2019 with $15 million for each agency. NRC, DOE, and NNSA independently manage their own portions of the IUP and communi cate frequently to coordinate and avoid duplication. NRC provides various types of grants to support educational institutions and research to facilitate the sup port of nuclear science and engineering. The NRC grants program from FY 2008 through FY 2018 comprised 488 grants and totaled roughly $171.2 million. The audit objectives were to determine whether (1) NRCs grant administration pro gram complies with Federal regulations and agency guidance, employs sufficient internal control, and provides accountability over Federal funds through its policies and procedures, and (2) NRCs grant closeout program has employed policies and procedures to close out grants in a proper and timely manner.

Audit Results:

NRC can strengthen its accountability over Federal grant funds by improving grant administration oversight and internal controls for closeout in the areas of

26 NRC Office of the Inspector General Semiannual Report to Congress monitoring, records maintenance, and timeliness. Specifically, NRC is not ade quately fulfilling its grant oversight responsibilities regarding grant monitoring and records maintenance in the following areas:

Reviewing performance and financial reports.

Monitoring training completion.

Processing ASAP refunds.

Tracking student service agreement requirements.

Maintaining STAQS grant files.

This happened because of outdated policies and procedures, and the need for knowledge management. Without assurance of adequate oversight of the grant program, the stewardship of Federal funds could be adversely affected in the areas of fund use, decision-making, and accountability. Furthermore, staff do not close out grants in a timely manner. These conditions exist because (1) NRCs grant pro gram has no staff dedicated solely to the closeout process, (2) guidance is outdated, and (3) staff has no plan in place to address grants overdue for closeout. As a result, NRC is out of compliance with Federal regulations and agency guidance.

This report makes nine recommendations to improve oversight of grant adminis tration and closeout. Agency management stated their general agreement with the findings and recommendations in this report.

(Addresses Management and Performance Challenge #5)

Audit of NRCs Process for Placing Official Agency Records in ADAMS OIG Strategic Goal: Corporate Management NRCs mission is to license and regulate the Nations civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety and to promote the common defense and security and to protect the environment. Records management enables and supports NRCs work to fulfill its mission. Since April 2000, NRC has relied on an electronic recordkeeping system called the Agencywide Documents Access and Management System (ADAMS) to manage agency records.

Federal agencies are required to establish a records management program to ensure compliance with the regulations governing records management issued by the National Archives and Records Administration (NARA). The NRC Office of the Chief Information Officer (OCIO) manages NRCs records management program and ensures that NRC efficiently complies with all applicable records management regulations and NARA policy. The audit objective was to determine whether NRCs process ensures official agency records are properly identified and profiled within ADAMS.

April 1, 2019, to September 30, 2019 27 Audit Results:

NRC has processes in place to identify and profile official agency records in ADAMS. However, personal papers are stored in ADAMS and the email manage ment tool is inconsistently used. Opportunities exist for improvements to NRCs (1) records management training (2) review and monitoring of ADAMS records, and (3) proper capture of email records.

NARA and NRC guidance require that personal papers must be maintained sepa rate from official agency records (OARs) and are not to be stored in ADAMS.

However, NRC staff placed personal papers in ADAMS and, in some cases, incor rectly profiled them as OARs. This occurs because NRC records management training is inadequate, and ADAMS does not have controls to prevent storage of personal papers. As a result, ADAMS effectiveness as an official records repository could be diminished and information in personal papers could be released.

NARA and NRC guidance require that all email records must be managed in an electronic format and NRC Capstone officials must identify emails that should be captured and retained as Federal records. However, the Capstone tool is inconsis tently used because there are no controls to ensure Capstone officials use the tool.

In addition, the Capstone tool is time consuming for Capstone officials to use. As a result, NRC runs the risk of non-compliance with Federal requirements and the loss of valuable email records of importance to NRCs mission.

This report makes five recommendations to improve the effectiveness of plac ing OARs in ADAMS by improving training and strengthening internal controls.

Agency management stated their general agreement with the findings and recom mendations in this report.

(Addresses Management and Performance Challenge #4)

Vogtle Unit 3 middle ring. Photo courtesy of George Power Company.

28 NRC Office of the Inspector General Semiannual Report to Congress The White Mesa uranium mill is located in Blanding, Utah, near the uranium mines of the Four Corners region of the United States. Energy Fuels, Inc. constructed the mill in 1980. The mill uses sulfuric acid and a solvent to extract uranium and vanadium.

Courtesy of Energy Fuels, Inc.

April 1, 2019, to September 30, 2019 29

IN PROGRESS Audit of NRCs Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 (DATA Act)

OIG Strategic Goal: Corporate Management The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires that Federal agencies report financial and payment data in accordance with data standards established by the Department of Treasury and the Office of Management and Budget. The data reported will be displayed on a Web site available to taxpayers and policy makers. In addition, the DATA Act requires Inspectors General (IGs) to review the data submitted by the agency under the act and report to Congress on the completeness, timeliness, quality and accuracy of this information.

In accordance with the act, the IG issued an audit in November 2017, and plans to issue the next audits in 2019, and 2021. This audit pertains to the review of data sampled for FY 2019. The audit objectives are to review the 1st quarter 2019 data submitted by NRC under the DATA Act and determine the completeness, timeli ness, accuracy and quality of the data sampled; and assess the implementation of the governing standards by the agency.

(Addresses Management Challenge # 3)

Inspector Generals Assessment of the Most Serious Management and Performance Challenges Facing the Nuclear Regulatory Commission in Fiscal Year 2020 OIG Strategic Goal: Safety, Security, Corporate Management In accordance with the Reports Consolidation Act of 2000, The Inspector General provides what OIG considers to be the most serious management and perfor mance challenges facing the NRC in FY 2020. Congress left the determination and threshold of what constitutes a most serious management and performance challenge to the discretion of the Inspectors General. The IG has defined seri ous management and performance challenges as mission critical areas or programs that have the potential for a perennial weakness or vulnerability that, without substantial management attention, would seriously impact agency operations or strategic goals.

(Addresses Management and Performance Challenges #1-5)

Audit of NRCs Fiscal Year 2019 Financial Statements OIG Strategic Goal: Corporate Management Under the Chief Financial Officers Act, the Government Management and Reform Act, and OMB Bulletin 17-03, Audit Requirements for Federal Financial

30 NRC Office of the Inspector General Semiannual Report to Congress Statements, OIG is required to audit NRCs financial statements. The report on the audit of the agencys financial statements is due on November 15, 2019. In addition, OIG will issue a report on NRCs closing package financial statements.

The audit objectives are to:

Express opinions on the agencys financial statements and internal controls,

Review compliance with applicable laws and regulations,

Review controls in NRCs computer systems that are significant to the financial statements,

Assess the agencys compliance with Office of Management and Budget (OMB)

Circular A-123, Revised, Managements Responsibility for Enterprise Risk Management and Internal Control.

(Addresses Management Challenge # 4)

Survey of NRCs Safety Culture and Climate OIG Strategic Goal: Safety, Security, and Corporate Management In 1998, 2002, 2006, 2009, 2012, and 2015 OIG contracted with an international survey firm to conduct surveys that evaluated the organizational safety culture and climate of the agencys workforce and identified agency strengths and opportunities for improvements. Comparisons were made to the previous surveys as well as to national and Government norms. In response to the survey results, the agency eval uated the key areas for improvement and developed strategies for addressing them.

A clear understanding of NRCs current safety culture and climate will facilitate identification of agency strengths and opportunities for improvement as it contin ues to experience significant challenges. These challenges include the licensing of new reactor facilities, operating under reduced budgets and realignment of pro gram offices.

The survey objectives are to (1) measure NRCs safety culture and climate to iden tify areas of strength and opportunities for improvement; (2) compare the results of this survey against the survey results that OIG previously reported; and (3) provide, where practical, benchmarks for the qualitative and quantitative findings against other organizations.

(Addresses all management and performance challenges)

Independent Evaluation of NRCs Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2019 OIG Strategic Goal: Security On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual

April 1, 2019, to September 30, 2019 31 independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information and information systems. The annual assessments provide agencies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security.

FISMA provides the framework for securing the Federal Governments informa tion technology including both unclassified and national security systems. All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget and Congress on the effectiveness of their security programs. The evaluation objective is to conduct an independent assess ment of the NRCs FISMA implementation for FY19.

(Addresses Management Challenge #5)

CANCELLED On July 31, 2019, the Office of the Inspector General initiated the Evaluation of NRCs Differing Professional Opinions [DPO] Program. The evaluation objec tive was to assess whether NRC employees suffer retaliation or other harm by expressing their professional opinions through the DPO program.

During the survey phase of the evaluation, OIG reviewed Federal and agency documents pertaining to the various programs for preventing and reporting retaliation and noted NRCs recent assessments and recommendations addressing the DPO program and retaliation issues detailed in the Final Report: Differ ing Views Program Improvement Project (Rev. 1.3) and Study of Reprisal and Chilling Effect for Raising Mission-Related Concerns and Differing Views at the NRC.

Based on OIGs reviews of the Final Report and other documentation, OIG determined that those recent assessments and recommendations adequately addressed the objectives of the planned evaluation. Therefore, OIG termi nated its evaluation of NRCs Differing Professional Opinions program on September 5, 2019.

32 NRC Office of the Inspector General Semiannual Report to Congress Professor Douglass Henderson of the University of Wisconsin-Madison above the pool of the Universitys TRIGA Research Reactor.

April 1, 2019, to September 30, 2019 33 NRC INVESTIGATIONS Summaries Issues Regarding NRC Role in Uranium One and Related Nuclear Materials Export Licenses OIG Strategic Goal: Security OIG completed an investigation into concerns expressed to NRC by Congressio nal stakeholders and members of the public regarding the sale of Uranium One - a nuclear source material extraction company that owns numerous uranium mines around the world, including one operational, NRC-licensed U.S. uranium mine -

to ARMZ, a Russian corporation. ARMZ is 1 of more than 300 wholly or partially owned subsidiaries of ROSATOM, the Russian, state-owned nuclear energy cor poration. Stakeholders broadly questioned whether NRC appropriately exercised its oversight over the sale and over related export transactions, particularly given that companies with links to Uranium One have reportedly been under criminal investigation on charges relating to bribery and corruption. Such charges have been cited by stakeholders as indicators of possible corruption in the Uranium One transaction itself.

The investigation addressed the following issues:

Issue 1. Did NRC properly fulfill its oversight and review role regarding the Uranium One license transfer to Russian corporate ownership, and were NRC decisionmakers improperly influenced to approve this transfer?

Issue 2. Did NRC maintain appropriate regulatory oversight over exports of Ura nium One nuclear material and was any of that material exported to Russia?

Issue 3. Did NRC communicate accurately to stakeholders about the Uranium One license transfer and related export transactions?

Issue 4. Did NRC react appropriately to the disclosure of criminal misconduct by persons affiliated with Uranium Ones Russian parent company and associated enti ties, including companies directly involved in the export of nuclear material, and including some exports of nuclear source material (not from Uranium One) from the United States to Russia?

Investigative Results:

Issue 1: OIG identified no deficiencies in the 2010 NRC review process for the transfer of the Uranium One materials license to Russian control, and no inappro priate outside influence upon the NRC decisionmakers involved in that process.

However, OIG identified that the former NRC senior official who had approval authority for the transfer objected to the transaction due to personal discomfort with a U.S. mine being transferred to Russian ownership. Rather than officially exercising the authority to disapprove the transfer or otherwise officially docu ment concerns, the senior official exercised what the senior official considered the right to step back from the Uranium One transfer to Russian ownership, and this

34 NRC Office of the Inspector General Semiannual Report to Congress sufficed so the senior officials conscience was clear. Specifically, the NRC senior official delegated approval authority to the Acting Deputy Director.

Issue 2: OIGs investigation disclosed no evidence that any source material origi nating at Uranium Ones U.S. facility was ever exported to Russia. OIG identified no deficiencies in the 2012 NRC review process for the export license amendment request that allowed Uranium One to become a supplier to a distributor on that distributors existing export license. While it is true the NRC was aware during the 2010 license transfer process that there was a potential for exporting source material, the staff confirmed through Requests for Additional Information as docu mented in the Safety Evaluation Report (SER) that Uranium One did not intend to export source material. However, OIG determined that NRC regulations permit U.S. uranium producers (including those that are foreign owned) to trans fer (i.e., sell) the source material to a distributor, at which point the source material becomes subject to the distributors export license conditions and Department of Energy nuclear material tracking. Additionally, OIG found no lapses in the required tracking of the nuclear material originating at Uranium Ones U.S. extrac tion facility and returning to the U.S. from Canada. However, OIG identified that there was U.S. uranium sent to Canada for conversion which was then transferred to a third country (not Russia) under subsequent arrangements in accordance with a 123 Agreement.1 Although this process met regulations, the tracking system lacked the capability to further track additional transfers of the uranium, and inter national business transaction are not wholly under NRC regulations.

Issue 3: OIG identified no false or inaccurate information in NRC official corre spondence to stakeholders in response to inquiries about the Uranium One license transfer and associated exports of nuclear material. Such correspondence included a 2011 letter to Senator John Barrasso of Wyoming. However, OIG identified an incomplete passage in that letter that contributed to subsequent stakeholder per ceptions of impropriety. Specifically, the NRC letter states, In order to export uranium from the United States, Uranium One, Inc. or ARMZ would need to apply for and obtain a specific NRC license authorizing the export of uranium for use in reactor fuel. However, the NRC did not articulate in the letter that Ura nium One could be added to an existing export licensee to transfer their uranium material as described in Issue 2 above.

Issue 4: OIG found that one NRC component, the Intelligence Liaison and Threat Assessment Branch (ILTAB), was aware of a Department of Justice (DOJ) corruption investigation into TENEX (a uranium enrichment and export-import corporation that, like ARMZ, is a subsidiary of ROSATOM) and Transport Logis tics International (TLI)(a Fulton, MD, based, transportation company involved in international nuclear transportation) during its early stages in 2010; however, ILTAB did not provide this information to the NRC staff directly responsible for authorizing the Uranium One materials license transfer, exports of Uranium One material, or the TENEX-TLI export license. Additionally, OIG found that 1 All exports of nuclear material are also controlled by international treaties, signed by the President and negotiated at the Cabinet level, commonly known as 123 Agreements, pursuant to Section 123 of the U.S. Atomic Energy Act of 1954, which establishes the conditions and process for nuclear cooperation between the United States and interna tional partners.

April 1, 2019, to September 30, 2019 35 NRC and interagency policies and processes did not require direct communica tion and sharing of law enforcement information between ITLAB and the NRC staff directly responsible for the above-mentioned matters. NRC officials indicated that timely knowledge of the pending investigation would not have changed any of the licensing decisions in the scope of this case. Additionally, NRC staff expressed a cautious attitude towards taking enforcement action against TLI, the licensee identified as being involved in the corruption investigation after learning of it, and exports to Russia have continued under the TLI license. NRC staff justified this approach by citing the limitations upon NRC jurisdiction in such matters, express ing the view that allegations of export licensee misconduct, even when proven and resulting in criminal convictions and sanctions, would not constitute offenses mer iting the revocation or suspension of NRC export licenses unless the misconduct was tied directly to NRC regulated activities. OIG identified no direct connection between the corruption investigation and Uranium One.

(Addresses Management and Performance Challenge # 1)

Reported Voluntary Disclosure of Procurement-Related Problems by an NRC Contractor OIG Strategic Goal: Corporate Management OIG completed an investigation into a voluntary disclosure by NTT Data Services Financial Government LLC (NDFG), formally Dell Services Federal Government, Inc. (DSFG), that NDFG provided NRC with non-compliant Trade Agreements Act (TAA) end products during the performance of their NRC Information Tech nology Infrastructure and Support Services (ITISS) contract. TAA (19 U.S.C. § 2501) requires the U.S. Government to purchase only U.S.-made or designated country end products. Designated country end product means an article that (1) Is wholly the growth, product, or manufacture of a designated country; or (2)

In the case of an article that consists in whole or in part of materials from another country, has been substantially transformed in a designated country into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was transformed. End product means those articles, materials, and supplies to be acquired under the contract for public use.

Government contractors are considered non-TAA-compliant if they fail to follow TAA guidelines.

The contract was initiated to provide the NRC with a wide range of informa tion technology (IT) services to include wireless telecommunications, data center functions, and programmatic IT infrastructure. The ITISS contract also pro vided NRC employees with the vast majority of needed IT services. The reported non-compliant products provided to the NRC included Apple products, laptops, smartphones, and tablets.

36 NRC Office of the Inspector General Semiannual Report to Congress Investigative Results:

OIG found that NDFG/DSFG violated the TAA. OIG determined that the NRC paid NDFG/DSFG for non-compliant TAA end products. NDFG entered into a civil settlement agreement with U.S. Department of Justice (DOJ) in which NDFG paid $1,585,856.75 to the U.S. Government on April 8, 2019, for violating the TAA.

Perot Systems Government Services, Inc. (Perot Systems), was awarded the NRC ITISS contract in February 2011. Subsequently in 2011, DSFG acquired Perot Systems after which time Perot Systems was known as DSFG. In November 2016, NDFG acquired DSFG through acquisition.

In February 2017, NDFG disclosed that DSFG provided the NRC with approxi mately $1.3 million of non-compliant TAA end products. OIG learned that NRC made approximately 28 modifications to the contract from August 2011 to May 2014. It was primarily through these modifications that a majority of the non-TAA-compliant end products were furnished to the NRC.

NDFG identified four reasons they believed the non-compliance occurred:

1) DSFG employees responsible for purchasing items under the contract did not fully understand the TAAs compliance obligations because DSFG is primarily a services provider; 2) both DSFG and NRC were confused regarding the TAAs applicability to the contract; 3) DSFG needed additional policies and procedures in place to monitor TAA compliance; and 4) DSFG employees were committed to meeting the Commissions requirements.

OIG reviewed NDFGs two independent examinations (audits) of the purchase records for products provided to the NRC under the contract. In the second audit of NDFGs records, it identified products that originated from a country that was non-compliant with the TAA, or the country of origin was unable to be identified.

OIG coordinated that investigation with the U.S. Attorney Office (USAO), Wash ington, DC. On March 20, 2019, USAO and NDFG entered into a settlement agreement where NDFG agreed to pay the U.S. Government $1,585,856.75. The NRC received back $1,266,196.05 of the $1,585,856.75 paid by NDFG.

(Addresses Management and Performance Challenge # 5)

Alleged Backdating of 2018 Performance Appraisal Plans by NRC Manager OIG Strategic Goal: Corporate Management OIG completed an investigation into an allegation that an NRC senior official backdated 2018 performance appraisal plans. Allegedly, the senior official falsified dates on Fiscal Year (FY) 2018 Executive Performance Agreements. The per formance agreements define individual employee performance expectations and establish results-oriented goals. According to the alleger, the performance agree ments were required to be issued by October 31, 2017; however, they were not

April 1, 2019, to September 30, 2019 37 provided until November 4-8, 2017, and the NRC senior official falsely dated the agreements October 1 to cover up not issuing the agreements by October 31, 2017.

Investigative Results:

OIG determined that the senior official backdated the FY 2018 Executive Per formance Agreements to October 1, 2017. However, OIG found the relevant NRC Management Directive 10.37, Senior Executive Service Performance Man agement System, does not contain guidance, which requires performance plans to be dated on the date it is given to a Senior Executive Service (SES) employee.

The senior official reported having signed the plans to reflect the appraisal period (October 1, 2017, through September 30, 2018) rather than the date of actual sig nature. OIG found that the SES employee rating period does not begin until the SES employee signs the performance plan. Therefore, the date October 1, 2017, used by the senior official, could not cause an SES employee to receive a perfor mance rating prior to the required 90-day performance period. OIG also found that the senior official met the agencys requirement to certify that all SES perfor mance agreements were issued by November 10, 2017.

(Addresses Management and Performance Challenge # 5)

Falsification of an Excused Absence Letter by NRC Employee OIG Strategic Goal: Corporate Management OIG completed an investigation into an allegation that an NRC employee falsi fied an excused absence letter. Allegedly, the NRC employee falsified an excused absence letter, purportedly from a doctor, to support the employees absence from work due to health reasons. The alleger provided OIG with three other excused absence letters from the NRC employee that the alleger suspected were falsified.

Investigative Results:

OIG substantiated that the employee submitted a falsified excused absence letter, purportedly from a dentist, to the employees supervisor to excuse the individuals absence from work for 5 days. The employee resigned from Federal service the day after OIG interviewed this individual in connection with this allegation.

The employees supervisor reported to the OIG that the employee provided the supervisor with an excused absence letter supposedly from a dentist in Maryland for the employees absence from work for a week. The supervisor did not believe the excused absence letter looked real. The supervisor attempted to find the den tist named in the letter but could not find anyone by that name with a dentist license in Maryland. The supervisor provided OIG three other excused absence letters and believed these might also have been falsified by the NRC employee.

A review of the excused absence letter purportedly from a Maryland dentist in Rockville, MD, reflected that "it was medically necessary for [the NRC employee]

to be absent from work. Database searches conducted by OIG found no results for the name of the dentist listed on the letter. OIG attempted to visit the address

38 NRC Office of the Inspector General Semiannual Report to Congress listed on the letter for the dentist but was unable to find the address. OIG reviewed the three other excused absence letters provided by the employee and found that the letters were legitimately provided by medical doctors. However, one of the medical doctors told OIG that because he knew of the employees con dition, he agreed to sign an excused absence letter after the employee asked him for one to cover the period of time the employee was absent from work.

The employee admitted to OIG having created the fake doctors letter from the Maryland dentist to cover the period of absence from work. The employee claimed to have fabricated the letter because the employee was on leave restric tion and was required to provide a doctors note for any sick leave but was unable to provide a note for 5 days the employee was out of the office. The employee resigned from Federal service after being interviewed by OIG in connection with this investigation. OIG referred this investigation to the United States Attorneys Office, Southern District of Maryland, who declined criminal prosecution.

(Addresses Management and Performance Challenge # 5)

Abuse of Government Time by NRC Manager OIG Strategic Goal: Corporate Management OIG completed an investigation into an allegation that an NRC senior official abused Government time by conducting a real estate business while on offi cial travel to nuclear power plants. According to the alleger, the senior official was observed engaging in many telephone calls while visiting a nuclear power plant. OIG previously conducted an investigation that substantiated the same senior official used a Government-issued computer to conduct private business as a real estate agent. During this investigation, OIG reviewed the senior offi cials phone and Internet activity over a 1-year period to determine if the senior official conducted real estate business while at a nuclear power plant on official Government time.

Investigative Results:

OIG could not substantiate whether or not the senior official conducted work related to the senior officials real estate business while on official duty at nuclear power plants over the 1-year period prior to OIGs receipt of the allegation. OIG did not find any indication that the senior official used a Government-issued cellu lar phone to contact the realty company the official worked for, or that the official used Government resources, email or computer, to conduct real estate business while on Government time. OIG noted that a significant number of calls were made to and from the employees personal cellular phone to immediate family members while on official business. OIG also noted the senior official received calls forwarded to a personal cellular phone from a Google Talk number that the official listed as a contact number on file at NRC and on the officials real estate business website, which masked callers numbers. The official did not recall receiv ing any specific calls and said most likely there would have been some family calls during the time period reviewed by OIG. The senior official denied conducting

April 1, 2019, to September 30, 2019 39 any real estate business while on official duty since the first OIG investigation.

OIG briefed the senior officials manager on the results of the investigation. The manager reminded the senior official of the agency rules with regards to conduct ing a personal business during work hours and counseled the employee on avoiding the appearance of conducting personal business during work hours.

(Addresses Management and Performance Challenge # 5)

Continued Retaliation Against NRC Manager for Engaging in the NRC Differing Professional Opinion Program OIG Strategic Goal: Corporate Management OIG completed an investigation into an allegation that two NRC senior officials continued retaliation against an NRC manager for engaging in the NRC Differ ing Professional Opinion (DPO) Program, which is used by an NRC employee or contractor when he or she has a conscientious expression of a judgment or position that differs from an established staff view, agency practice, management decision, or policy position involving technical, legal, or policy issues. According to the alleger, the senior officials reassigned the alleger to another position at the NRC purportedly because the manager filed a DPO.

Investigative Results:

OIG did not substantiate that the two senior officials retaliated against the man ager by reassigning the manager as a director of one division to director of another division at the NRC. OIG found that the manager, who is in the Senior Executive Service (SES), accepted the reassignment without communicating any dissatisfac tion or apprehensions to the managers supervisors, the senior officials. In addition, OIG found that the decision to reassign the manager was in accordance with NRC Management Directive (MD) 10.1, Recruitment, Appointment, and Merit Staff ing, and Presidential Executive Order 13714, Strengthening the Senior Executive Service.

As background, OIG had previously conducted an investigation into an allega tion by the SES manager that two NRC senior officials harassed, intimidated, and retaliated against the manager for submitting a DPO. In that investigation, OIG determined that the senior officials made comments to the manager that were inappropriate and inconsistent with the NRC DPO program. The senior officials apologized, in part, for failing to clearly communicate during the managers mid year review, that the manager had the right to file the DPO, without first raising the matter to NRC senior executives.

Subsequently, OIG received another allegation (the basis for this investigation) that the same senior officials have continued to retaliate against the manager for sub mitting subsequent DPOs by reassigning him to another division director position at the NRC. The manager told OIG that although the position change to another division director position was a lateral move, the manager felt the new position was

40 NRC Office of the Inspector General Semiannual Report to Congress of lower stature and the reassignment was directly related to the managers filing subsequent DPOs.

The manager confirmed that the two senior officials provided several opportunities to voice dissatisfaction and offer opposing views of the reassignments. The man agers stated reasons for not voicing concerns or challenging the reassignment were the manager did not feel in in position to dispute their decision, and that challeng ing their decision would have made the managers life more difficult.

The senior officials said they had conversations with the manager about the man agers future career desires and interest in rotational positions. The senior officials stated that the manager conveyed boredom with the managers s current role. The senior officials also said that they had multiple conversations with the manager about rotating the division directors, during the mid-year and end-of-year perfor mance appraisal meetings. According to the senior officials, the manager agreed to the reassignment and even suggested when the reassignment should take place.

(Addresses Management and Performance Challenge # 5)

April 1, 2019, to September 30, 2019 41 DEFENSE NUCLEAR FACILITIES SAFETY BOARD Congress created the Defense Nuclear Facilities Safety Board (DNFSB) as an independent agency within the executive branch to identify the nature and con sequences of potential threats to public health and safety at the Department of Energys (DOE) defense nuclear facilities, to elevate such issues to the highest levels of authority, and to inform the public. Since DOE is a self-regulating entity, DNFSB constitutes the only independent technical oversight of operations at the Nations defense nuclear facilities. DNFSB is composed of experts in the field of nuclear safety with demonstrated competence and knowledge relevant to its inde pendent investigative and oversight functions.

The Consolidated Appropriations Act, 2014, provided that notwithstanding any other provision of law, the Inspector General of the Nuclear Regulatory Commis sion is authorized in 2014 and subsequent years to exercise the same authorities with respect to the Defense Nuclear Facilities Safety Board, as determined by the Inspector General of the Nuclear Regulatory Commission, as the Inspector Gen eral exercises under the Inspector General Act of 1978 (5 U.S.C. App.) with respect to the Nuclear Regulatory Commission.

DNFSB Management And Performance Challenges Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board in FY 2019 (as identified by the Inspector General)

Challenge 1: Management of a healthy and sustainable organizational culture and climate.

Challenge 2: Management of security over internal infrastructure (personnel, physi cal, and cyber security) and nuclear security.

Challenge 3: Management of administrative functions.

Challenge 4: Management of technical programs.

• For more information on the challenges, see DNFSB-19-A-01, Inspector Generals Assessment of the Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board (https://www.nrc.gov/docs/ML1829/ML18296A208.pdf)

42 NRC Office of the Inspector General Semiannual Report to Congress Routine inspection at the Calvert Cliffs Nuclear Power Plant in Lusby, Maryland.

April 1, 2019, to September 30, 2019 43 DNFSB AUDITS AND EVALUATIONS Summaries OIG did not issue any audit or evaluation reports for DNFSB within the reporting period for this Semiannual Report. However, OIG provides the following update concerning a report issued during the prior reporting period.

Audit of DNFSBs Issue and Commitment Tracking System (IACTS) and its Related Process On November 1, 2018, OIG issued the Audit of DNFSBs Issue and Commitment Tracking System (IACTS) and its Related Process. The Board concurred with all eight of OIGs recommendations and stated it would further address the recom mendations after it received a related study from the National Academy of Public Administration (NAPA). After NAPA issued its report in May 2019, the Board resumed action to address six of the OIGs recommendations, but changed its original position on two recommendations related to communication with staff, electing not to concur. OIG provided a written response to the Board expressing its disagreement with the Boards decision. OIG has closed the two recommenda tions and will therefore discontinue further followup.

In Progress Audit of DNFSBs Compliance with Standards Established by the Digital Accountability and Transparency Act of 2014 (DATA Act)

OIG Strategic Goal: Corporate Management The Digital Accountability and Transparency Act of 2014 (DATA Act) was enacted May 9, 2014, and requires Federal agencies report financial and payment data in accordance with data standards established by the Department of Treasury and the Office of Management and Budget. The data reported will be displayed on a Web site available to taxpayers and policy makers. In addition, the DATA Act requires Inspectors General (IGs) to review the data submitted by the agency under the act and report to Congress on the completeness, timeliness, quality and accuracy of this information. In accordance with the act, the IG issued an audit in November 2017, and plans to issue the next audits in 2019, and 2021. This audit pertains to the review of data sampled for FY 2019.

The audit objectives are to review the 1st quarter data submitted by DNFSB under the DATA Act and (1) determine the completeness, timeliness, accuracy and quality of the data sampled and (2) assess the implementation of the governing standards by the agency.

(Addresses Management and Performance Challenge # 3)

44 NRC Office of the Inspector General Semiannual Report to Congress Independent Evaluation of DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2018 OIG Strategic Goal: Security On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA 2014), reforming the Federal Information Security Management Act of 2002 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information and information systems. The annual assessments provide agen cies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security. FISMA provides the framework for securing the Federal Governments information technology including both unclassified and national security systems.

All agencies must implement the requirements of FISMA and report annually to OMB and Congress on the effectiveness of their security programs.

The evaluation objective is to conduct an independent assessment of DNFSBs implementation of FISMA for FY 2018.

(Addresses Management and Performance Challenge #2)

Inspector Generals Assessment of the Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board in Fiscal Year 2020 OIG Strategic Goal: Safety, Security, Corporate Management In accordance with the Reports Consolidation Act of 2000, The Inspector General provides what OIG considers to be the most serious management and performance challenges facing the DNFSB in FY 2020. Congress left the determination and threshold of what constitutes the most serious management and performance chal lenges to the discretion of the Inspectors General. The IG has defined serious management and performance challenges as mission critical areas or programs that have the potential for a perennial weakness or vulnerability that, without substan tial management attention, would seriously impact agency operations or strategic goals.

(Addresses Management and Performance Challenges #1-4)

April 1, 2019, to September 30, 2019 45 Audit of DNFSBs Human Resource Program OIG Strategic Goal: Corporate Management The Office of Personnel Management (OPM) requires that agencies use guidance, to plan, implement, evaluate, and improve human capital policies and procedures.

OPM established the Human Capital Framework (HCF) to provide comprehen sive guidance on strategic human capital management in the government. The framework provides direction on human capital planning, implementation, and evaluation in the Federal environment. The HCFs flexible structure supports organizational agility and adaptability. HCFs components are (1) Strategic Align ment System, (2) Performance Culture, (3) Talent Management System, and (4)

Evaluation.

The audit objective is to determine if DNFSBs human resources program is designed and implemented to effectively support the execution of its mission.

(Addresses Management and Performance Challenge #1)

Audit of DNFSBs Fiscal Year 2019 Financial Statements OIG Strategic Goal: Corporate Management Under the Chief Financial Officers Act, as updated by the Accountability of Tax Dollars Act of 2002 and OMB Bulletin 17-03, Audit Requirements for Federal Finan cial Statements, OIG is required to audit DNFSBs financial statements and produce a public report of the results to include the following specific activities:

Express opinions on DNFSBs financial statements and internal controls.

Review compliance with applicable laws and regulations.

Review the controls in DNFSBs computer systems that are significant to the financial statements.

Assess the agencys compliance with OMB Circular A-123, (Revised), Manage ments Responsibility for Enterprise Risk Management and Internal Control.

(Addresses Management and Performance Challenge #3)

Independent Evaluation of DNFSBs Implementation of the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2019 OIG Strategic Goal: Security On December 18, 2014, the President signed the Federal Information Security Modernization Act of 2014 (FISMA 2014), reforming the Federal Information Security Management Act of 2002 (FISMA). FISMA outlines the information security management requirements for agencies, including the requirement for an annual independent assessment by agency Inspectors General. In addition, FISMA

46 NRC Office of the Inspector General Semiannual Report to Congress includes provisions such as the development of minimum standards for agency systems, aimed at further strengthening the security of the Federal Government information and information systems. The annual assessments provide agen cies with the information needed to determine the effectiveness of overall security programs and to develop strategies and best practices for improving information security. FISMA provides the framework for securing the Federal Governments information technology including both unclassified and national security systems.

All agencies must implement the requirements of FISMA and report annually to OMB and Congress on the effectiveness of their security programs.

The evaluation objective is to conduct an independent assessment of DNFSBs implementation of FISMA for FY 2019.

(Addresses Management and Performance Challenge #2)

April 1, 2019, to September 30, 2019 47 DNFSB INVESTIGATIONS Summaries OIG did not complete any DNFSB-related investigations during this reporting period.

Diablo Canyon Nuclear Power Plant, Units 1 and 2.

48 NRC Office of the Inspector General Semiannual Report to Congress

April 1, 2019, to September 30, 2019 49

SUMMARY

OF OIG ACCOMPLISHMENTS AT NRC April 1, 2019, through September 30, 2019 Investigative Statistics Disposition of Allegations NRC Employee NRC Management General Public Congressional Anonymous Contractor Regulated Industry Intervenor Other Government Agency Total Closed Administratively Referred for OIG Investigation Referred to NRC Management Pending Review Action Correlated to Existing Case Referred to OIG Audit Allegations resulting from the NRC OIG Hotline calls: 58 Total: 96 23 96 36 13 32 9

3 3

44 17 6

1 2

1 1

1

50 NRC Office of the Inspector General Semiannual Report to Congress Status of Investigations DOJ Referrals.................................... 1 DOJ Declinations.................................. 3 DOJ Pending..................................... 0 Criminal Informations/Indictments........................ 0 Criminal Convictions................................ 0 Criminal Penalty Fines............................... 0 Civil Recovery.................................... 1 Administrative Recovery............................... 2 Total Amount Recovered................... $1,589,804.91 State and Local Referrals.............................. 0 Criminal Informations/Indictments...................... 0 Criminal Convictions.............................. 0 Criminal Penalty Fines............................. 0 Civil Recovery.................................. 0 NRC Administrative Actions:

Counseling and Letter of Reprimand..................... 0 Terminations and Resignations......................... 0 Suspensions and Demotions.......................... 0 Other (e.g., PFCRA).............................. 0 Summary of Investigations Classification of

Opened

Closed Reports Cases in Investigations

Carryover

Cases

Cases

Issued* Progress Conflict of Interest

1

0

1

0

0 Employee Misconduct

17

6

12

2

11 External Fraud

6

0

1

1

5 Internal Fraud

1

0

0

0

1 Management Misconduct

14

2

4

1

12

Miscellaneous

3

0

0

0

3 Proactive Initiatives

2

0

0

0

2

Technical Allegations

6

3

0

0

9

Theft

0

1

0

0

1 Total

50

12

18

4

44

• Number of reports issued represents the number of closed cases where allegations were substantiated and the results reported outside of OIG.

April 1, 2019, to September 30, 2019 51 NRC Audit and Evaluation Listings Date

Title

Audit Number 09/30/2019

Audit of NRCs Grants Administration and Closeout

OIG-19-A-21 09/26/2019

Audit of NRCs Process for Placing Official Agency Records in ADAMS

OIG-19-A-20 09/13//2019

Audit of NRCs Oversight of Supplemental Inspection

OIG-19-A-19 Corrective Actions 09/09/19

Audit of NRCs Use of Enforcement Discretion

OIG-19-A-18 for Nuclear Power Licensees 09/05/2019

Evaluation of NRCs Oversight of the Voice Over

OIG-19-A-17 Internet protocol Contract and Implementation 08/23/2019

Audit of NRCs Transition Process for Decommissioning

OIG-19-A-16 Power Reactors 06/14/2019

Defense Contract Audit Agency (DCAA) Audit Report

OIG-19-A-15 Numbers 01321-2016V10100018 and 01321-2017V 10100018 06/11/2019

Audit of NRCs Computer Code Sharing

OIG-19-A-14

OFFICIAL USE ONLY - SENSITIVE SECURITY INFORMATION 06/04/2019

Audit of NRCs Cyber Security Inspections at Nuclear

OIG-19-A-13 Power Plants 06/03/2019

Audit of NRCs Fiscal Year (FY) 2018 Compliance

OIG-19-A-12 With Improper Payment Laws 04/30/2019

Audit of NRCs Training Selection Process for

OIG-19-A-11 Agreement State Personnel 04/22/2019

Defense Contract Audit Agency (DCAA) Audit Report

OIG-19-A-10 Numbers 3311-2016W10100001 and 3311-201W 10100001 04/22/2019

Defense Contract Audit Agency (DCAA) Audit Report

OIG-19-1-09 Numbers 01321-2016V10100012 and 01321-2017V 10100012 04/02/2019

Independent Evaluation of NRCs Implementation

OIG-19-A-08 of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2018

52 NRC Office of the Inspector General Semiannual Report to Congress NRC Contract Audit Reports OIG Issue Date Contractor/Title/Contract Number Questioned Cost Unsupported Cost June 14, 2019 QITech, LLC Independent Audit Reoport On QiTech, LLCs Proposed Amounts on Unsettle Flexibility Priced Contractor Fiscal Years (CFYs) 2016 - 2017 NRC-HQ-7G-14C-0001 NRC-HG-84-14-C-0013

$1,615,847.00

$0 April 22, 2019 Southwest Research Institute Independent Audit Report on Southwest Research Institutes Proposed Amounts On Select Unsettled Flexibility-Priced Contracts For Fiscal Years 2016 and 2017 NRC-HQ-11C-02-0084 NRC-HQ-12-C-02-0089 NRC-HQ-12-C-42-0083 NRC-HQ-12-C-03-0044 NRC-HQ-13-C-03-0048 NRC-HQ-50-14-E-0001

$0

$0

April 1, 2019, to September 30, 2019 53 Table I OIG Reports Containing Questioned Costs 1

Questioned

Unsupported Number of

Costs

Costs Reports

Reports

(Dollars)

(Dollars)

A. For which no management decision had been made by the commencement of the reporting period

4

$2,189,047

0 B.

Which were issued during the reporting period

1

$1,615,847

0 Subtotal (A + B)

5

$3,804,894

0

C. For which a management decision was made during the reporting period:

(i) dollar value of disallowed costs

2

$3,948

0

(ii) dollar value of costs not disallowed

2

$582,745

0

D. For which no management decision had been made by the end of the reporting period

3

$3,218,201

0 Audit Resolution Activities 1 Questioned costs are costs that are questioned by the OIG because of an alleged violation of a provision of a law, regu lation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; a finding that, at the time of the audit, such costs are not supported by adequate documentation; or a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable.

54 NRC Office of the Inspector General Semiannual Report to Congress Table II OIG Reports Issued with Recommendations That Funds Be Put to Better Use 3

Number of

Dollar Value Reports

Reports

of Funds A.

For which no management decision

0

0 had been made by the commencement of the reporting period

B.

Which were issued during the

0

0 reporting period

C.

For which a management decision was

made during the reporting period:

(i) dollar value of recommendations

0

0 that were agreed to by management (ii) dollar value of recommendations

0

0 that were not agreed to by management D.

For which no management decision had

0

0 been made by the end of the reporting period 3 A recommendation that funds be put to better use is a recommendation by the OIG that funds could be used more efficiently if NRC management took actions to implement and complete the recommendation, including reductions in outlays; deobligation of funds from programs or operations; withdrawal of interest subsidy costs on loans or loan guar antees, insurance, or bonds; costs not incurred by implementing recommended improvements related to the operations of NRC, a contractor, or a grantee; avoidance of unnecessary expenditures noted in preaward reviews of contract or grant agreements; or any other savings which are specifically identified.

April 1, 2019, to September 30, 2019 55

SUMMARY

OF OIG ACCOMPLISHMENTS AT DNFSB April 1, 2019, through September 30, 2019 Investigative Statistics

Source of Allegations Anonymous General Public Total 1

1 2

Disposition of Allegations Referred to DNFSB Management Total 2

2

56 NRC Office of the Inspector General Semiannual Report to Congress Status of Investigations DOJ Referrals.................................... 0 DOJ Pending..................................... 0 Criminal Informations/Indictments........................ 0 Criminal Convictions................................ 0 Criminal Penalty Fines............................... 0 Civil Recovery.................................... 0 State and Local Referrals.............................. 0 Criminal Informations/Indictments........................ 0 Criminal Convictions................................ 0 Civil Penalty Fines.................................. 0 Civil Recovery.................................... 0 DNFSB Administrative Actions:

Counseling and Letter of Reprimand..................... 0 Terminations and Resignations......................... 0 Suspensions and Demotions.......................... 0 Other (e.g., PFCRA).............................. 0 Summary of Investigations Classification of

Opened

Closed Reports Cases in Investigations

Carryover

Cases

Cases

Issued4 Progress Management Misconduct

4

0

0

0

4 Proactive Initiatives

1

0

0

0

1

Total

5

0

0

0

5 4 Number of reports issued represents the number of closed cases where allegations were substanti ated and the results were reported outside of OIG.

April 1, 2019, to September 30, 2019 57 DNFSB Audit and Evaluation Listings Date Title Audit Number No Reports Issued for this Period Nuclear fuel pellets are stacked vertically in long metal tubes to power commercial nuclear reactors. There are many steps involved in processing uranium before it is fabricated into nuclear fuel. Courtesy of Areva.

58 NRC Office of the Inspector General Semiannual Report to Congress NRC Commissioner Jeff Baran (right), with Southern Nuclear's George Koucheravy, got a birds-eye view of the containment building under construction during a recent visit to the Vogtle 3 & 4 construction site in Waynesboro, Ga.

April 1, 2019, to September 30, 2019 59 Table I OIG Reports Containing Questioned Costs 5

Questioned

Unsupported Number of

Costs

Costs Reports

Reports

(Dollars)

(Dollars)

A. For which no management decision had been made by the commencement of the reporting period

0

0

0 B.

Which were issued during the reporting period

0

0

0 Subtotal (A + B)

0

0

0

C. For which a management decision was made during the reporting period:

(i) dollar value of disallowed costs

0

0

0

(ii) dollar value of costs not disallowed

0

0

0

D. For which no management decision had been made by the end of the reporting period

0

0

0 DNFSB AUDIT RESOLUTION ACTIVITIES 5Questioned costs are costs that are questioned by the OIG because of an alleged violation of a provision of a law, regu lation, contract, grant, cooperative agreement, or other agreement or document governing the expenditure of funds; a finding that, at the time of the audit, such costs are not supported by adequate documentation; or a finding that the expenditure of funds for the intended purpose is unnecessary or unreasonable.

60 NRC Office of the Inspector General Semiannual Report to Congress Table II OIG Reports Issued with Recommendations That Funds Be Put to Better Use 6

Number of

Dollar Value Reports

Reports

of Funds A.

For which no management decision

0

0 had been made by the commencement of the reporting period

B.

Which were issued during the

0

0 reporting period

C.

For which a management decision was

made during the reporting period:

(i) dollar value of recommendations

0

0 that were agreed to by management (ii) dollar value of recommendations

0

0 that were not agreed to by management D.

For which no management decision had

0

0 been made by the end of the reporting period 6  A recommendation that funds be put to better use is a recommendation by the OIG that funds could be used more efficiently if NRC management took actions to implement and complete the recommendation, includ ing reductions in outlays; deobligation of funds from programs or operations; withdrawal of interest subsidy costs on loans or loan guarantees, insurance, or bonds; costs not incurred by implementing recommended improve ments related to the operations of NRC, a contractor, or a grantee; avoidance of unnecessary expenditures noted in preaward reviews of contract or grant agreements; or any other savings which are specifically identified.

April 1, 2019, to September 30, 2019 61 UNIMPLEMENTED AUDIT RECOMMENDATIONS Nuclear Regulatory Commission Audit of NRCs Shared S Drive (OIG-11-A-15) 2 of 5 recommendations open since July 27, 2011 Recommendation 2: Revise current information security training for NRC staff to address spe cific practices for protecting SUNSI on the agencys shared network drives.

Recommendation 3: Develop CUI policies and guidance for storing and protecting CUI in agency shared drives, and (a) post this guidance on the NRC intranet; and (b) include this guidance in annual training.

Audit of NRCs Safeguards Information Local Area Network and Electronic Safe (OIG-13-A-16) 2 of 7 recommendations open since April 1, 2013 Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Recommendation 7: Develop a structured access process that is consistent with the SGI need-to-know requirement and least privilege principle. This should include (1) Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs); (2) Conducting periodic reviews of user access to folders; and (3)

Developing a standard process to grant user access.

Audit of NRCs Budget Execution Process (OIG-13-A-18) 1 of 8 recommendations open since May 7, 2013 Recommendation 3: Enforce the use of correct budget object codes.

Audit of NRCs Oversight of Spent Fuel Pools (OIG-15-A-06) 1 of 4 recommendations open since February 10, 2015 Recommendation 1: Provide a generic regulatory solution for spent fuel pool criticality analysis by developing and issuing detailed licensee guidance along with NRC internal procedures.

Audit of NRCs Internal Controls Over Fee Revenue (OIG-15-A-12) 2 of 7 recommendations open since March 19, 2015 Recommendation 1: Establish policies and procedures to centralize the control of the TAC setup.

Recommendation 4: Design and implement a plan to improve the TAC validation process.

Audit of NRCs Regulatory Analysis Process (OIG-15-A-15) 1 of 4 recommendations open since June 25, 2015 Recommendation 3: Update and implement the cost benefit guidance documents as planned in SECY-14-0002. Incorporate this guidance into office procedures by reference.

Audit of NRCs Web-Based Licensing System (WBL) (OIG-15-A-17) 1 of 4 recommendations open since June 29, 2015 Recommendation 2: Revise WBL roles to require license reviewers and materials inspectors to process their work directly in WBL.

62 NRC Office of the Inspector General Semiannual Report to Congress Evaluation of ADAMS (OIG-16-A-06) 2 of 13 recommendations open since November 30, 2015 Recommendation 1: Expedite and fully implement the ADAMS RM module so that records retention schedules can be attached to all the official records within ADAMS.

Recommendation 3: Reduce the number of templates and study applicability of automation tech niques to pre-fill profile metadata and attain better standardization and consistency.

Audit of NRCs Decommissioning Funds Program (OIG-16-A-16) 2 of 9 recommendations open since June 8, 2016 Recommendation 1: Clarify guidance to further define legitimate decommissioning activities by developing objective criteria for this term.

Recommendation 2: Develop and issue clarifying guidance to NRC staff and licensees specifying instances when an exemption is not needed.

Audit of NRCs Implementation of Federal Classified Information Laws and Policies (OIG-16-A-17) 1 of 3 recommendations open since June 8, 2016 Recommendation 1: Complete and fully implement current initiatives: (a) Finalize and provide records management training for authorized classifiers, (2) Complete the current inventories of classified information in safes and secure storage areas, (3) Develop declassification training to prepare and authorize declassifiers, (4) Develop an updated declassification guide, (5) Identify clas sified records requiring transfer to national Archives and Records Administration and complete the transfers, (6) Complete the Office Instruction for performing mandatory declassification reviews.

Audit of NRCs Significance Determination Process for Reactor Safety (OIG-16-A-21) 2 of 4 recommendations open since September 26, 2016 Recommendation 2: Clarify IMC 0612 Appendix B issue screening questions so that they are readily understood and easily applied.

Audit of NRCs Foreign Assignee Program (OIG 17-A-07) 2 of 3 recommendations open since December 19, 2016 Recommendation 2: Develop a secure, cost-efficient method to provide foreign assignees an email account which allows for NRC detection and mitigation of inadvertent transmission of sen sitive information and seek Commission approval to implement it.

Recommendation 3: When an NRC approved email account is available, develop specific Com puter Security Rules of Behavior for foreign assignees using the approved email.

Audit of NRCs Oversight of Source material Exports to Foreign Countries (OIG-17-A-08) 1 of 5 recommendations open since February 16, 2017 Recommendation 1: Coordinate among OIP, NMSS and regional offices, as appropriate, in developing and implementing an export inspection program to include pre-licensing site visits and periodic post-licensing inspections at Part 110 applicant and licensee locations. The pre-licensing visits may only apply to export applicants who do not already possess another NRC license.

April 1, 2019, to September 30, 2019 63 Audit of NRCs Oversight of Security at Decommissioning Reactors (OIG-17-A-09) 2 of 3 recommendations open since February 22, 2017 Recommendation 1: Clarify the fitness-for-duty elements that are necessary to comply with 10 CFR 73.55 (b)(9)(i), insider mitigation program.

Recommendation 2: Develop rule language in 10 CFR Part 26 that describes the necessary fit ness-for-duty requirements for decommissioning licensees.

Audit of NRCs PMDA/DRMA Functions to Identify Program Efficiencies (OIG-17-A-18) 1 of 1 recommendations open since July 3, 2017 Recommendation 1: Complete implementation of all Mission Support Task Force recommenda tions that may assist in optimizing the use of resources and result in improving standardization and centralization throughout the agency.

Evaluation of NRCs Network Storage Interruption (OIG-17-A-19) 3 of 4 recommendations open since July 27, 2017 Recommendation 2: Develop and implement an internal OCIO policy that requires NRC sub ject matter experts to re-evaluate the storage system architecture.

Recommendation 3: Develop and implement GLINDA Service Level Requirement(s) that spec ify required service availability and performance requirements, from an end users perspective, for email access and network file access.

Recommendation 4: Develop and implement a GLINDA contract governance plan.

Audit of NRCs Oversight of Issuing Certificates of Compliance for Radioactive Material Packages (OIG-17-A-21) 3 of 4 recommendations open since August 16, 2017 Recommendation 2: Document and communicate to stakeholders NRCs analysis results identi fying the bases for an appropriate term for Part 71 certificates of compliance.

Evaluation of the Shared S Drive (OIG-18-A-06) 2 of 4 recommendations open since December 21, 2017 Recommendation 3: Review the shared S drive for PII on a periodic timeframe.

Recommendation 4: Remove or delete PII from the shared S drive.

Audit of NRCs Decommissioning Financial Assurance Instrument Inventory (OIG-18-A-09) 1 of 1 recommendations open since February 8, 2018 Recommendation 1: Update guidance to reflect current practices, including (a) Define what is to be kept in the files and/or safe and implement the guidance; (b) Define the filing methodology or the safe (e.g., by licensee, site, license, or instrument.); (c) Require supporting documentation of completion of every step in the NMSS and NRR evaluations; (d) Describe procedural steps for NRR to complete the evaluations or state expectations for NRR to complete the same steps as NMSS; (e) Require written follow-up from the NMSS and NRR evaluations by the auditee to the evaluator, to ensure any identified discrepancies are corrected; (f) Require NMSS and NRR evaluation reports and the Inventory List to be marked OUO, as appropriate; and (G) Require seg regation of duties between the person in NMSS who maintains the Inventory List and the person who completes the annual evaluation.

64 NRC Office of the Inspector General Semiannual Report to Congress Audit of NRCs Consultation practices with Federally Recognized Native American Tribal Governments (OIG-18-A-10) 4 of 5 recommendations open since April 4, 2018 Recommendation 1: Update MD 5.1 to include FSTB when working with Tribes. The guid ance should also clearly define FSTBs role and responsibilities with regard to Tribal outreach and consultation.

Recommendation 2: Update NRC office procedures to include more specific direction on how to coordinate with FSTB and how to work with Tribes.

Audit of NRCs Oversight of the National Materials Program (OIG-18-A-11) 2 of 2 recommendations open since April 4, 2018 Recommendation 1: Formalize the National Materials Program framework in a document to include a definition, vision, mission, goals, and objectives, membership, members roles and responsibilities, and activities.

Recommendation 2: Designate an NRC individual with expert knowledge to serve as the National Materials Program champion to help with consistent communication. NRC should also encourage the Agreement States to create a co-champion to serve as the NRC champions peer.

Audit of NRCs Special and Infrequently Performed Inspections (OIG-18-A-13) 3 of 6 recommendations open since May 15, 2018 Recommendation 1: Update IMC 2515 Appendix C and applicable NRR guidance to reflect the requirement to ensure consistent and period reviews of IMC 2515 Appendix C inspection procedures.

Recommendation 3: Review the inspection procedures listed in IM 2515 Appendix C to deter mine if they are still warranted.

Recommendation 5: Periodically test application controls in the Replacement Reactor Program System-Inspections Module to ensure NRC staff are correctly coding inspections under IMC 2515 Appendix C.

U.S. Nuclear Regulatory Commission Office of the Inspector General External Vulnerabil ity Assessment and Penetration Testing (OIG-18-A-14) 1 of 1 recommendations open since June 6, 2018 Recommendation 1: Remediate the identified vulnerabilities in the findings matrix Audit of NRCs Process for Modifying and Communicating Standard Technical Specifica tions (OIG-18-A-15) 1 of 8 recommendations open since June 18, 2018 Recommendation 8: Implement quality assurance measures to address billing verification oversight.

Audit of NRCs Process for Reimbursing Agreement State Personnel Training Expenses (OIG-18-A-18) 1 of 1 recommendations open since September 12, 2018 Recommendation 1: Conduct a cost-benefit analysis to evaluate alternative Agreement State reimbursement options, such as establishment of contracts with individual Agreement States to facilitate reimbursement at the State per diem rate not to exceed the Federal per diem rate.

April 1, 2019, to September 30, 2019 65 Audit of NRCs Exercise of Its Early Out/Buyout Authority (OIG-19-A-04) 2 of 2 recommendations open since December 3, 2018 Recommendation 1: Conduct formal evaluation assessing the value of VERA/VSIPs as work force restructuring tools at NRC. This evaluation could include (a) Program costs; (b) Impact of buyout incentives on employees decision to separate; (c) Historical attrition rates compared to attrition rates during the years NRC ran a VERA/VSIP program; (d) Timing of employee separa tions; (e) VERA/VSIPs impact on NRC and program offices long-term restructuring goals; (f)

If the formal evaluation concludes that VERA/VSIPs are the right workforce restructuring tool for NRC to use to achieve its workforce goals, then formally asses the VERA/VSIP program after each future round for potential ways to improve program implementation.

Recommendation 2: Develop written procedures for implementing a VERA/VSIP program, which include (a) Integrating the strategic workforce plan into VERA/VSIP planning and requests to OPM; (b) Determining surplus positions at the office-level; and (c) Developing a single tracking system to link VERA/VSIP separations to specific positions identified for elimination and restruc turing, where possible.

Audit of NRCs License Amendment Request Acceptance Review Process (OIG 19 A 05) 3 of 3 recommendations open since December 13, 2018 Recommendation 1: Strengthen data verification and validation measures to ensure completed acceptance review reports and data are processed accurately.

Recommendation 2: Identify a single, consistent process for calculating the number of workdays for the acceptance review metric and communicate it to DORL staff.

Recommendation 3: Complete the Replacement Reactor Program System-Licensing Module upgrade efforts to generate automated reports.

Audit of NRCs Process for Developing and Coordinating Research Activities (OIG 19 A 06) 4 of 4 recommendations open since December 13, 2018 Recommendation 1: Involve RES and requesting office senior managers earlier in the work request development process to ensure work requests are properly understood, resourced, and achievable before they are formally submitted to RES.

Recommendation 2: Implement a standard template for ES staff to sue when preparing accep tance memorandum or email responses to all work request types.

Recommendation 3: Implement a single agencywide tracking system with the capabilities needed to effectively and efficiently keep the agency aware of research activities.

Recommendation 4: Develop and implement a process for obtaining and using feedback from requesting offices. The process should include, but not be limited to, guidance on obtaining feed back during interim project milestones, creating access controls, and roles and responsibilities.

66 NRC Office of the Inspector General Semiannual Report to Congress Independent evaluation of NRCs Implementation of the Federal Information Security Modernization Act of 2014 (OIG-19-A-08) 6 of 6 recommendations open since May 1, 2019 Recommendation 1: Develop and implement a process to remove all non-standard software that has not been approved by an authorized agency official.

Recommendation 2: Implement a process to manage non-standard software to ensure the soft ware is properly approve and inspected for security weaknesses before the software is installed on NRCs network.

Recommendation 3: Monitor the approved installed software on NRCs network to determine whether it is still in use, periodically inspect the software for known vulnerabilities, and mitigate any vulnerabilities found.

Recommendation 4: Develop and establish processes and procedures to govern the installation of non-standard software, including processes and procedures on determining impact to agency operations or cybersecurity.

Recommendation 5: Implement a process to remove unsupported software from NRC networks Recommendation 6: Implement a process to mitigate known high-risk vulnerabilities.

Audit of NRCs Training Selection Process for Agreement State Personnel (OIG 19 A 11) 1 of 1 recommendation open since May 31, 2019 Recommendation 1: Update SA-600 to more accurately reflect the training selection process and the roles and responsibilities of the NRC parties involved.

Audit of NRCS Fiscal Year (FY) 2018 Compliance with Improper Payment Laws (OIG 19 A 12) 3 of 3 recommendations open since July 3, 2019 Recommendation 1: Take steps to ensure that the Appendix C risk assessment provides sup portable information for IPIA compliance. This should include creating contract deliverables addressing Appendix C requirements and performing a quality assurance review to ensure that the contractors conclusions are thoroughly supported by evidence.

Recommendation 2: Review the various payment integrity-related internal control efforts and revise procedures to enhance consistency among the different internal control compliance requirements.

Recommendation 3: Update policies/procedures pertaining to the agencys improper payment notification, tracking, and monitoring. This policy/procedure should include steps to address and correct the high level root cause of the improper payments identified.

Audit of NRCs Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13) 1 of 2 recommendations open since December 1, 2019 Recommendation 2: Use the results of operating experience and discussions with industry to develop and implement suitable cyber security performance measure(s) (e.g., testing, analysis of logs, etc.) by which licensees can demonstrate sustained program effectiveness.

April 1, 2019, to September 30, 2019 67 Audit of NRCs Computer Code Sharing (OIG-19-A-14)

Recommendations: Status is OUO.

Audit of NRCs Transition Process for Decommissioning Power Reactors (OIG-19-A-16) 2 of 2 recommendations open since August 23, 2019 Recommendation 1: Update NRR and NMSS decommissioning guidance to include the license transfer business model, the applicable.

Recommendation 2: Create and implement a formal project manager knowledge transfer process on decommissioning power reactors.

Evaluation of NRCs Oversight of the Voice over Internet Protocol Contract and Imple mentation (OIG 19 A 17) 6 of 6 recommendations open since September 5, 2019 Recommendation 1: In all current telecommunications contracts, a) clarify contractor roles and responsibilities, and b) consult legal counsel to review the telecommunications contracts collec tively to eliminate gaps and duplication in services.

Recommendation 2: Establish a policy for all new telecommunications contracts, and future modifications to current telecommunications contracts, that CORs must review the roles and responsibilities of all related contracts to prevent gaps and duplication in services.

Recommendation 3: Conduct a lessons learned to identify opportunities for improvement in deploying future IT systems or services with an impact on operations agency-wide.

Recommendation 4: Strengthen telecommunications expertise through knowledge management and training.

Recommendation 5: Update the relevant management directives to include a) current telecom munications infrastructure and current organizational responsibilities, and b) a requirement to comply with MD 10.162 Disability Programs and Reasonable Accommodation when deploying any IT projects.

Recommendation 6: Identify and implement a solution to address the issue pertaining to divert ing an assigned phone line.

Audit of NRCs Oversight of Supplemental Inspection Corrective Actions (OIG 19 A 19) 1 of 2 recommendations open since September 13, 2019 Recommendation 1: Update NRC inspection guidance to support documentation of significant planned corrective actions associated with 95001 and 95002 supplemental inspections.

Recommendation 2: Implement an efficient means for inspectors to readily identify and retrieve information about completed and planned corrective actions associated with 95001 and 95002 supplemental inspections.

68 NRC Office of the Inspector General Semiannual Report to Congress Audit of NRCs Grants Administration and Closeout (OIG-19-A-21) 9 of 9 recommendations open since September 30, 2019 Recommendation 1: Update the Grants Management Certification and Training Program guid ance to include: (1) instructions for recording completed training, (2) management's responsibility for monitoring training, and (3) the addition of ASAP training as a core course for grant manage ment professionals.

Recommendation 2: Develop and implement a formal process for monitoring student service agreement requirements and associated awarded funds, from FY 2015 forward. The process should include, but not be limited to: (1) how to process grant funds that are recaptured or returned to NRC because of withdrawal from school, GPA lower than required, non-nuclear employment, or other unmet requirements; and (2) a timeframe by which students are required to obtain employ ment in a nuclear field after graduation.

Recommendation 3: Continue and finalize the transition to electronic files implementing a checklist for completeness.

Recommendation 4: Implement knowledge management procedures such as maintaining an accurate succession planning document and desk procedures for grant functions.

Recommendation 5: Coordinate the review of performance progress reports and Federal finan cial reports.

Recommendation 6: Increase accountability for grant functions by adding grant duties to perfor mance elements and standards.

Recommendation 7: Train all employees who perform grant duties on closeout processes in the computerized grants management systems, including proper completion of the grant closeout checklist, management monitoring of checklist use, and evaluation of results.

Recommendation 8: Develop interim guidance to eliminate existing guidance in MD 11.6 con cerning issuance of modifications in lieu of new grants.

Recommendation 9: Develop and implement a grants closeout plan to include: (a) Measurable metrics for deobligation of funds, (b) Procedures for identifying and closing expired grants, and (c)

Method(s) to address closing grants with modifications that have period of performance end dates that are different than the original grant.

April 1, 2019, to September 30, 2019 69 Audit of NRCs Process for Placing Official Agency Records in ADAMS (OIG-19-A-20), 5 of 5 recommendations open since September 26, 2019 Recommendation 1: Require NRCs refresher records management training be completed annu ally by all staff and contractors with email accounts or network access.

Recommendation 2: Assess and update NRCs records management training to address NARA requirements.

Recommendation 3: Conduct an initial review of ADAMS to identify and remove personal papers, and implement a policy to conduct such reviews on a periodic basis.

Recommendation 4: Strengthen internal controls to prevent individuals from entering personal papers in ADAMS.

Recommendation 5: Strengthen internal controls to ensure use of the Capstone tool and compli ance with NARA requirements.

A photo of yellow cake uranium, a solid form of uranium oxide produced from uranium ore. Yellow cake must be processed further before it is made into nuclear fuel. Courtesy of Energy Fuels Inc.

70 NRC Office of the Inspector General Semiannual Report to Congress Defense Nuclear Facilities Safety Board Audit of DNFSBs Telework Program (DNFSB-17-A-06) 3 of 3 recommendations open since July 10, 2017 Recommendation 1: Revise the telework directive and operating procedure to a) clarify the process for telework denials, b) list information technology security training as part of the require ments, and c) incorporate a requirement to update agency telework training to reflect changes made in policy.

Recommendation 2: Finish updating all telework agreements in accordance with the telework agreement template.

Recommendation 3: Develop and implement a checklist for telework recordkeeping to ensure the employee telework files are consistent.

Audit of DNFSBs Implementation of Its Governing Legislation (DNFSB-18-A-05) 1 of 2 recommendations open since May 29, 2018 Recommendation 2: Develop and implement a plan of action to address the issues of low employee morale and Board collegiality as documented it he FEVS surveys, LMI Report, and Towers Watson Report.

Audit of DNFSBs Issue and Commitment Tracking System (IACTS) and Its Related Pro cesses (DNFSB-19-A-02) 6 of 8 recommendations open since November 1, 2018 Recommendation 1: Provide training for the agency, including Board members, focusing on effective communication and trust in the workplace.

Recommendation 2: Develop a set of principles/values, with input from staff, to help provide the agency a more unified direction relative to DOE safety oversight.

Recommendation 3: Clarify and update IACTS procedures.

Recommendation 5: Create and implement a policy to consistently track RFBAs through a track ing mechanism or through IACTS.

Recommendation 7: Create and implement a policy to conduct self-assessments for common Board member processes (e.g., RFBAs, notational voting, Yellow Folder process, etc.) to determine how these processes could be improved.

Recommendation 8: Examine and update the Board Procedure to ensure greater communication and coordination within the Board.

April 1, 2019, to September 30, 2019 71 ADAMS

Agencywide Document Access Management System CFR

Code of Federal Regulations DATA Act

Digital Accountability and Transparency Act of 2014 DCAA

Defense Contract Audit Agency DNFSB

Defense Nuclear Facilities Safety Board DOE

Department of Energy DOJ

Department of Justice DPO

Differing Professional Opinion FISMA 2014

Federal Information Security Modernization Act of 2014 FY

Fiscal Year GC

General Counsel IACTS

Issue and Commitment Tracking System IAM

Issue Area Monitoring IG

Inspector General ILTAB

Intelligence Liaison and Threat Assessment Branch IPERA

Improper Payments Elimination and Recovery Act IPERIA

Improper Payments Elimination and Recovery Improvement Act IPIA

Improper Payments Information Act IT

Information Technology ITISS

Information Technology Infrastructure and Support Services MD

Management Directive NARA

National Archives and Records Administration NMSS

Office of Nuclear Material Safety and Safeguards NNSA

National Nuclear Security Administration NRC

Nuclear Regulatory Commission NRR

Office of Nuclear Reactor Regulation OAR

Official Agency Record OIG

Office of the Inspector General ROP

Reactor Oversight Process SES

Senior Executive Service VoIP

Voice over Internet Protocol ABBREVIATIONS AND ACRONYMS

72 NRC Office of the Inspector General Semiannual Report to Congress NRC Three Mile Island 1 Resident Inspector Justin Heinly takes a rare opportunity to climb to the top of the reactor building to observe Exelons pre-outage inspection of the buildings containment tendons. The inspector is in safety harnesses for the climb.

April 1, 2019, to September 30, 2019 73 The Inspector General Act of 1978, as amended, specifies reporting requirements for semiannual reports. This index cross-references those requirements to the applicable pages where they are fulfilled in this report.

Citation

Reporting Requirements Page

Section 4(a)(2)

Review of legislation and regulations...........................................................13-14 Section 5(a)(1) 

Significant problems, abuses, and deficiencies..............................15-27; 35-38 Section 5(a)(2)

Recommendations for corrective action...................................................15-27 Section 5(a)(3)

Prior significant recommendations not yet completed..............................N/A Section 5(a)(4)

Matters referred to prosecutive authorities.............................................. 50, 56 Section 5(a)(5)

Listing of audit reports........................................................................ 51, 52, 57 Section 5(a)(6) 

Listing of audit reports with questioned costs or funds put to better use............................................................................................... 52 Section 5(a)(7)

Summary of significant reports..................................................................15-27 Section 5(a)(8)

Audit reports questioned costs............................................................. 53, 59 Section 5(a)(9)

Audit reports Funds put to better use................................................. 54, 60 Section 5(a)(10) 

Audit reports issued before commencement of the reporting period (a) for which no management decision has been made, (b) which received no management comment within 60 days, and (c) with outstanding, unimplemented recommendations, including aggregate potential costs savings................................................................61-70 Section 5(a)(11)

Significant revised management decisions..................................................... 43 Section 5(a)(12)

Significant management decisions with which OIG disagreed.................N/A Section 5(a)(13)

FFMIA section 804(b) information.............................................................N/A Section 5(a)(14)(15)(16) Peer review information.................................................................................. 75 Section 5(a)(17)

Investigations statistical tables........................................................49-50; 55-56 Section 5(a)(18)

Description of metrics............................................................................... 50, 56 Section 5(a)(19) 

Investigations of senior Government officials where misconduct was substantiated...........................................................N/A Section 5(a)(20)

Whistleblower retaliation.............................................................................N/A Section 5(a)(21)

Interference with IG independence.............................................................N/A Section 5(a)(22)

Audits not made public.................................................................................... 20 Section 5(a)(22)(b) 

Investigations involving Senior Government officials where misconduct was not substantiated and report was not made public......................................... 33-35, 36-37, 38-40 REPORTING REQUIREMENTS

74 NRC Office of the Inspector General Semiannual Report to Congress At least 23 feet of water covers the fuel assemblies in the spent fuel pool of Unit 2 at the Brunswick Nuclear Power Plant in Southport, N.C.. Courtesy of Matt Born/Wilmington Star-News.

April 1, 2019, to September 30, 2019 75 Peer Review Information Audits The NRC OIG Audit Program was peer reviewed by the OIG for the Board of Governors of the Fed eral Reserve System and the Bureau of Consumer Financial Protection. The review was conducted in accordance with Government Auditing Standards and Council of the Inspectors General on Integrity and Efficiency requirements. In a report dated September 4, 2018, the NRC OIG received an external peer review rating of pass. This is the highest rating possible based on the available options of pass, pass with deficiencies, or fail.

Investigations The NRC OIG investigative program was peer reviewed most recently by the Tennessee Valley Authority Office of Inspector General. The peer review final report, dated October 5, 2016, reflected that NRC OIG is in full compliance with the quality standards established by the Coun cil of Inspectors General on Integrity and Efficiency and the Attorney General Guidelines for OIGs with Statutory Law Enforcement Authority. These safeguards and procedures provide reasonable assurance of confirming with professional standards in the planning, execution, and reporting of investigations.

APPENDIX