By Ted Caddell and Rich Heidorn Jr.

WASHINGTON — The Nuclear Regulatory Commission’s Inspector General last week issued his annual report on the agency’s most serious management and performance challenges, highlighting concerns over cybersecurity, reactor inspections and licensing.

The report, which summarizes previous audit findings, noted that “challenges do not necessarily equate to problems.”

“These challenges represent what [the Office of the Inspector General] considers to be inherent and continuing program challenges relative to maintaining effective and efficient oversight and internal management controls,” IG Hubert T. Bell said. “As a result, it is likely they will continue to be challenges from year to year.”

In addition to regulating about 100 commercial nuclear power generators and 31 research and test reactors, the commission is responsible for overseeing the safe use of radioactive materials used in medicine, academia and industry.

The IG cited the “increasing risks” to the security of NRC information systems and urged the agency to continue its efforts to develop new regulations for the “unique requirements of decommissioned nuclear power plants, which present different security considerations than operating plants.”

Bell cited concern over the commission’s Network Security Operations Center (SOC), staffed mainly by contractors, which is responsible for ensuring the security of the agency’s networks and monitoring it for suspicious activity. The commission’s contracts do “not clearly define SOC performance goals and metrics” and different departments work with different security function descriptions, the IG said.

The result, as detailed in an audit in January, is confusion among NRC staffers and contractors about which policies and responsibilities govern the security work protecting NRC computer systems.

Another audit in March found the commission failed to collect identification cards from one-third of the 1,452 employees and contractors it terminated from 2014 through November 2015. “As a result, there is a risk of unauthorized physical access to NRC and other federal facilities,” the IG said.

The report also cites the IG’s second review of NRC’s response to the Reducing Over-Classification Act of 2010, which was enacted over concern that excessive classification increases information security costs and improperly limits public access to information.

The IG found that the commission had implemented the recommendations from a 2013 audit and said a review of NRC classification actions from April 2013 through January 2016 “revealed no systematic misclassification.” However, it said the agency “lacks a cohesive approach to records management of classified information” and has not reviewed classified records for disposition and declassification as required.

Other previous findings cited by the IG included:

• A call for improving NRC’s licensing of Advanced Passive 1000 (AP1000) pressurized water reactors, a new design for which operators have never been licensed. Four AP1000 reactors are under construction in the U.S. and about 70 licensed operators will be required by 2020.
• A risk of inconsistent reactor inspections because of a lack of clarity in the definition of mandatory and discretionary inspection procedures.
• A finding that NRC lacked “a well-structured approach” for enforcing regulations governing the conditions under which licensees may make changes to their facilities or procedures, and conduct tests or experiments, without prior NRC approval.
• Weaknesses in NRC’s process for determining the significance of reactor inspection findings. The IG said the the agency has not regularly evaluated resources needed for its Significance Determination Process workflow and has not communicated clear expectations to employees.