United States Office of Information February 1984
Environmental Protection Resources Management
Agency Washington DC 20460
EPA Management Review
of EPA's National
Computer Center
-------�
MANAGEMENT REVIEW OF
EPA'S NATIONAL COMPUTER CENTER
FINAL REPORT
February 15, 1984
Prepared for the
Office of Information Resources Management
U.S. Environmental Protection Agency
Contract 6S-OOC-60084
Task W6818-01F
American Management Systems, Inc
and Subcontractor
Cap Gemini Inc.
-------�
This report represents the results of a review of EPA
operations conducted by American Management Systems, Inc. and
Cap Gemini, Inc. The findings of this review are based on
the professional judgement of the above firms, and do not
represent the official policy or opinions of EPA. This re-
port is presented to the EPA Office of Information Resources
Management after providing the Office of Data Processing
{OOP} at RTP an opportunity to review and comment on the
findings and recommendations of the review. The review team
has given full consideration to the comments of OOP and ad-
dressed them, as appropriate, in this report. This report
has not undergone peer review within EPA.
-------�
TABUE OF CONTENTS
page
EXECUTIVE SUMMARY 1
I. INTRODUCTION. . 1-1
A. Management Review Background and Objectives .... 1-1
B. Purpose of this Draft Final Report 1-1
C. Overview of the National Computer Center 1-1
D. Management Review Criteria and Scope 1-2
E. Methodology 1-2
F. Organization of this Report 1-2
II. FINDINGS AND CONCLUSIONS II-l
A. NCC Management II-l
B. Systems Performance II-2
C. Data Center Operations ..... II-3
D. User Support II-4
E. Cost Accounting and Chargeback II-5
F.. Security II-6
G. Contingency Planning and Disaster Recovery ..... II-8
H. Equipment and Software Acquisition and Control . . . II-9
III. RECOMMENDATIONS III-l
A. NCC Management III-l
B. Systems Performance ..... III-5
C. Data Center Operations III-6
D. User Support III-9
E. Cost Accounting and Chargeback III-ll
F. Security 111-13
G. Contingency Planning and Disaster Recovery 111-20
H. Equipment and Software Acquisition and Control . . . 111-22
APPENDICES
1. SYSTEMS PERFORMANCE 1-1
2. DATA CENTER OPERATIONS 2-1
3. USER SUPPORT 3-1
4. COST ACCOUNTING AND CHARGEBACK -....;..-. 4-1
5. SECURITY 5-1
6. CONTINGENCY PLANNING AND DISASTER RECOVERY 6-1
7. EQUIPMENT AND SOFTWARE ACQUISITION AND CONTROL 7-1
8. NCC MANAGEMENT 8-1
9. DOCUMENTS EXAMINED BY THE REVIEW TEAM 9-1
10. MANAGEMENT REVIEW INTERVIEWEES 10-1
11. GLOSSARY 11-1
12. WCC COMMENTS ON DRAFT FINAL REPORT 12-1
-------�
EXECUTIVE SUMMARY
This management review has been conducted at the request of the Office of
Information Resources Management to assess the overall performance of the
National Computer Center {NCC), ensure that effective controls are in place for
managing NCC operations, and to identify needed improvements. The review
addresses NCC facilities at the Washington Information Center (WIC) as well as
the main computer center in Research Triangle Park (RTF). This review is part
of OIRM's overall AOP management evaluation program, and is not the result of
any particular event or problem.
A. NCC Management
The NCC management team and staff are extremely dedicated to providing high
quality ADP data processing services to the Agency, The organization of the
NCC as of December 31, 1983, appears to be reasonable. The NCC EPA staff pro-
vides good direction and evaluation of the Facilities Management (FM) contrac-
tor. However, several significant issues require immediate senior management
attention; insufficient qualified technical EPA staff to perform assigned
functions and also provide technical review of FM contractor functions; no
staff backup for most key NCC funcions; high turnover of NCC EPA staff;
inadequate information available for Agency program direction and ADP workload
to support capacity and technology planning; and unclear delineation of respon-
sibilities of NCC for certain ADP activities in other offices. The most signi-
ficant recommendations (high priority) are:
o The NCC should obtain and fill additional positions to undertake key
activities related to security and contingency planning, provide strong
management of the WIC, and provide senior technical expertise on the NCC
staff for several key areas. Positions related to security and contin-
gency planning should be given the highest priority. Specific needs in
terms of ideal and minimum (with balance contracted) additional EPA
staff are as follows:
- Security - Increase from fractional work year to 2-1/2 work years,
with minimum one EPA FTE.
- Contingency Planning - Increase from fractional work year to three
staff (at least one EPA) for a six month period for development and
implementation, and subsequently 1-1/2 work years (minimum one half
EPA FTE) for ongoing maintenance.
- Information Center - Addition of a senior manager to manage WIC oper-
ations ami interact with senior managers in user organizations, and
one additional EPA staff member in a direct user support role.
EPA staff at WIC should be at least three FTE.
otal
- Telecommunications, Systems Programming, CICS, and ADABAS - Addition
of a senior technical expert for each of these areas to provide
expertise not available from current staff.
Additional staff, and cross training of NCC staff, also should serve to
provide a backup person for each major NCC function.
-------�
o If additional positions cannot be obtained in FY84, the NCC should pro-
vide in-depth technical and management training for present staff, and
should actively consider awarding a task order type contract to supple-
ment EPA staff in providing quality control and technical review of
critical activities.
o The NCC and OIRM should jointly examine the reasons for high staff turn-
over during the past year and take visible actions to reduce those
causes under NCC or OIRM control.
o The NCC should establish in FY84, with the assistance of OIRM and the
expressed support of Agency top management, a highly structured Agency-
wide survey, or similar process, for identifying changes in future ADP
needs and anticipated workloads of NCC users, including state agencies
and other outside users.
o The NCC should work with OIRM management in FY84 to more clearly de-
lineate NCC responsibilities for remote site security, and for remote
facilities planning for distributed processing modernization.
B. Systems Performance
The systems performance of NCC at RTP and the WIC has been generally satis-
factory. The IBM 370/168MP has a capacity problem and it can be expected that
the Amdahl V6 will also have capacity problems with the increased use of CICS
and ADABAS. The Sperry system is not fully loaded, although this could change
with the increased accessibility provided by the new front end communications
equipment.
The most significant recommendation (medium priority) is that the NCC per-
form a comprehensive review of all performance measures and goals for all sys-
tems. This review should include special emphasis on new software, such as
AOABAS and CICS.
C. Data Center Operations
Data Center Operations at the NCC RTP center appear to be relatively well
managed and under control. Operations at the Washington Service Center (WSC)
experienced significant problems during the first half of FY83, but these prob-
lems seem to have been solved by the" last quarter of FY83. WSC operations
should improve further after an initial adjustment period at the new site. The
most significant recommendations (medium priority) are:
•
o The NCC should take active steps to encourage users to reduce unnecces-
sary printing by previewing outputs on terminals and by creating micro-
film or microfiche when that is more suitable than hard copy printouts. •
o The NCC should review plans for the continued operation of the Sperry
computer prior to the expiration1 of the maintenance agreement in July,
1984.
-------�
0. User Support
User support functions are well managed and generally are very highly rated
by NCC users. The most significant recommendation (high priority) is that the
NCC, in conjunction with OIRM, should develop and implement an AOP Coordination
Orientation and Training course for ADP coordinators which would establish
.their responsibilities and enable them to more effectively carry out their as-
signed functions.
E. Cost Accounting and Chargeback
The procedures used by the NCC to establish computer center- billing rates
are generally compliant with the guidelines of OMB circular A-121. The most
significant recommendation (high priority) is that the NCC should continue to
formalize and enforce procedures for controlling unfunded use of NCC tinieshare.
F. Security
The NCC has taken extensive steps to provide proper physical security. The
NCC RTP center is well provided for and the new WIC corrects the deficiencies
of the previous center. The NCC RTP and WIC security manuals are generally
satisfactory, but the OTS CBI security manual lacks proper incident reporting
procedures. The main weaknesses: organization of the security function;
inadequate staffing; failure to adhere 'to NCC security incident reporting
procedures; and the misuse of user IDs and passwords by NCC users. The most
significant recommendations (high priority) are:
o A single EPA staff member should be given responsibility for ADP secur-
ity Agency-wide. This individual should report to the NCC Director or
higher. The staff resources devoted to security should be increased by
at least two full time EPA and/or FM contractor staff.
o NCC should take measures where possible to enforce the official policy
prohibiting the sharing of user IDs and passwords (especially between
EPA users and contractors) with no blanket exceptions. NCC and OIRM
also should develop a security awareness program for ADP users in pro-
gram offices.
o NCC should suggest that OTS develop and add security incident reporting
procedures to The Chemicals in Commerce Information System Confidential
Business Information Security.Manual.:
o OIRM should develop a program to identify sensitive systems and should
conduct required security evaluations every three years as required by
GSA.
o NCC and OIRM, in conjunction with the program offices, should develop a
comprehensive security program which includes all sites.
o NCC should budget for and conduct in FY85 the risk analyses of its com-
puter facilities required by GSA.
o The NCC should work with the personnel office and Agency counsel to
develop standard agreements'for EPA employees using EPA computer facil-
-------�
itles to protect EPA ADP assets and to discourage misuse of AOP resourc-
es. (The FM contractor currently has in place such agreements.)
o A construction engineer should examine and report on the structural
soundness of the NCC RTP facility in view of the major crack in the wall
by the HALON room,
G. Contingency Planning and Disaster Recovery
The contingency planning and disaster recovery area is unsatisfactory. The
function is seriously understaffed. There are backup site arrangements for
only the Sperry, IBM 370/168MP, and Amdahl V6 equipment, and these arrangements
do not adequately specify available resources and backup service levels. The
NCC has no contingency plans except for the Sperry system, and that plan is not
current. The critical systems surveys are not satisfactory. There have been
no full scale tests of the backup arrangements except for the Payroll system.
The most significant recommendations (high priority) are:
o Additional staff years should be devoted to the contingency planning and
disaster recovery functions by EPA and by the FM contractor.
o The NCC should develop detailed backup agreements, including internal
agreements, for all equipment.
o The NCC should conduct a detailed and comprehensive review to establish
the criticality for backing up all applications and the specific re-
quirements for a phased recovery.
o The NCC should develop and keep current contingency plans for all sys-
tems, and test them periodically.
H. Equipment and Software Acquisition and Control
The NCC complies with all pertinent property management regulations. Pres-
ent deficiencies relate to functions performed by, or shared with, other Agency
organizations. The most significant recommendations, all of medium priority,
are:
o The NCC and Office of Administration (OAO receiving function should
jointly develop new procedures in FY84 for equipment delivered directly
to the RTP and WIC computer facilities to ensure that all items are
tagged and that component equipment is tagged properly.
o The NCC should review all hardware and software contracts before they
are signed by EPA to identify provisions that impose specific responsi-
bilities on the Agency, and should work with Procurements and Contracts
Management Division '(PCMD) to ensure that copies of appropriate
documents are made available to the NCC for timely review.
o To improve compliance with GSA reporting requirements and make more
efficient use of available ADP capabilities, the NCC or another unit
within OIRM should be assigned oversight responsibility .for ADP hardware
and software recordkeeping by other Agency offices, and in FY84 should
examine jointly with the OA property function the ADP recordkeeping
practices in these offices.
-------�
1-1
I. INTRODUCTION
A. Management Review Background and Objectives
This review was conducted at the request of the Office of Information
Resources Management (formerly the Office of Management Information and Sup-
port Services) to assess the overall performance of the National Computer
Center (NCC), ensure that effective controls are in place for managing NCC
operations, and to identify needed improvements. The review is part of OIRM's
overall AOP review program, and is not the result of any particular event or
problem.
This review addresses the NCC's computer facilities in Research Triangle
Park (RTP) and the Washington Service Center, and encompasses functions
performed by NCC EPA staff as well as those supported by the Facilities
Management (FM) contractor.
B. Purpose of this Final Report
This Final Report presents.the findings, conclusions and recommendations
of the management review team. This report reflects the findings, conclusions
and recommendations presented in a Draft Report, and the comments and sugges-
tions offered by the NCC with regard to the Draft Report. This Final Report
is complete in all respects, and covers all analyses performed by the review
team. The factual materials in support of these analyses are contained in the
review team's work papers. These have been provided to OIRM.
C« Overview of the National Computer Center
The National Computer Center consists of two computer facilities: the main
computer facility located in Research Triangle Park, North Carolina, and the
Washington Information Center (formerly Washington Service Center) located at
Waterside Mall in Washington, D.C, The NCC is operated principally as a com-
puter utility, providing computing capabilities and related support services
to other EPA offices through the Agency's telecommunications network. In
contrast to computer centers in other organizations, production operations for
most applications are initiated and controlled by the user organizations and
not by the NCC.
Organizationally, the NCC currently is managed by the Office of Data Pro-
cessing (OOP) in RTP within the Office of Administration and Resources Manage-
ment in RTP (OARM). This organization structure reflects two significant
reorganizations of ADP activities. Prior to January, 1984, the NCC was man-
aged by the Data Processing Division (DPD) within the Office of Information
Resources Management (OIRM). Prior to November, 1983, the NCC was managed by
the Data Processing Services (DPS) group of the Management Information and
Data Systems Division (MIDSD), within the Office of Management Information and
Support Services (OMISS).
0. ManagementReview Criteria and Scope
This management review addresses activities at both the RTP and Washington
locations in terms of the eight criteria listed below:
-------�
1-2
o Systems performance
o Data center operations
o User support
o Cost accounting and chargeback
o Security
o Contingency planning and disaster recovery
o Equipment and software acquisition and control
o NCC management
This review does not specifically address AOP facilities and activities
within offices outside the NCC. However, the review team has provided
specific findings, conclusions, and recommendations related to these
activities in areas that were observed or discussed in the course of the
review and appear to warrant management attention.
In conducting this review, the review team focused on the policies,
procedures, management practices, and actual experiences of the NCC during
FY83, and also activities conducted during the first month of FY84. The
review therefore does not address activities initiated by the NCC, and the
reorganization of APR activities, that took place subsequentto this period.
Due to the major reorganizations that occurred during the last month of the
field work of this review and also subsequent to the completion of all field
work, the review does not address the current NCC organization structure and
attendant management framework. It is "important to note that MIDSO was
responsible for overall NCC management during the timeframe addressed by this
review.
E. Methodology
The results of this management review
activities conducted by the review team:
are based on the following
o Review of applicable Federal and EPA guidelines,
o Examination of documents provided by the NCC,
o In-depth interviews with NCC staff, and
o Physical walk-throughs of the NCC facilities.
F. Organization of this Report
This report consists of two additional chapters and twelve appendices, as
follows.
o Chapter II summarizes the key findings and conclusions of the
management review.
o Chapter III presents the recommendations of the review.
o Appendices 1 through 8 describe in more detail the findings and
conclusions for each of the eight criteria listed above and
addressed in Chapter II.
o Appendix 9 lists the documents examined in the course of the
review.
-------�
1-3
o Appendix 10 lists all individuals interviewed by the review team.
o Appendix 11 provides a glossary defining the key and unique terms
used in this report.
o Appendix 12 provides the comments of the NCC regarding the Draft
Final Report and these comments are addressed, as appropriate, in
the current report.
-------�
-------�
II-l
II. FINDINGS AND CONCLUSIONS
This chapter summarizes the findings and conclusions of this management
review of the NCC. Appendices 1 through 8 provide a more detailed discussion
of these findings and conclusions.
A. NCC Management . .
1, Organization Structure
The NCC organization structure has changed significantly during the
past year. The structure as of December 31, 1983, although not yet defined
for individual sections, appears to be workable if it is adequately staffed.
The FM contractor utilizes a different structure. This structure is also
reasonable, but will require extra care in defining reporting relationships
between EPA staff and the contractor to ensure that contractor direction and
evaluation are well coordinated.
2. Staff Size, Qualifications, and Training
The NCC/EPA staff is very small and insufficient to perform its
assigned functions and provide proper direction and evaluation of the much
larger FM contractor staff. The current staff are stretched very thin, with
several staff currently undergoing in-depth training to acquire new technical
skills for their expanded responsibilities. There currently are vacancies in
several key areas that must be filled. In addition, the NCC/EPA staff has
experienced very high turnover during FY83 along with a significant increase
in workload,
The FM contractor staff appears to be generally adequate. However,
the security and disaster recovery functions do not have sufficient staff, and
there is a lack of senior technical expertise in the areas of telecommunica-
tions, system software, and for specific software packages (e.g., ADABAS).
3. Procurement
The NCC appears to generally comply with Agency procurement and
contract management regulations. However, the NCC does not routinely perform
a comprehensive examination of every procurement before it is signed to
identify provisions (especially for software procurements) that impose
specific responsibilities and restrictions on the Agency. The NCC also has
encounterd difficulty in regularly obtaining copies of all contract documents
from PCMO in a timely manner.
4. Management of the FM'Contract
The NCC appears to be managing the FM contract reasonably well, with
the exception of a limited capability to technically review the work of the
contractor. The NCC has implemented relatively strong work planning and
progress reporting procedures for this contract. Current problems relate to
lags in communicating overall priorities and areas of emphasis" set by the
Evaluation Board to the contractor; difficulties experienced with PCMD in
interpreting the need to address certain additional tasks through contract
-------�
II-2
modifications;
new tasks; and
by PCMD.
delays in processing modifications needed to start essential
lags in officially communicating fee awards to the contractor
5. ADP Planning
The NCC has a very professional performance monitoring staff that
provides very useful information for ADP planning. However, the planning
function is currently handicapped by a lack of a systematic process for
obtaining information about program direction and associated data processing
requirements to aid in forecasting capacity needs. In addition, the planning
group does not seem to have provided adequately for a potent!all-y significant
increase in 'demand1 processing workload relative to batch processing
workload.
6. Construction of the New Washington Information Center
The original and updated plans for building the new WIC appear to plan
for construction on a 'crash' schedule. The documentation available indicates
that a very short construction time schedule was a requirement from the time
of the initial RFP. The review team's examination of the documentation pro-
vided to us does not provide a rigorous analysis comparing the costs and bene-
fits of a normal and accelerated construction schedule, and justification for
the selected schedule. (The accelerated 'schedule may or may not have been
justified. Rapid construction involves additional costs, especially in terms
of overtime compensation.)
B. Systems Performance
1. Performance Monitoring
The NCC appears to have a very professional and diligent performance
monitoring group. A great deal of performance data is collected and a number
of useful analytic reports are produced for NCC management and are used for
planning.
The only significant measurement error discovered during the review
period was that WSC detected that the monitoring of the number of active
terminals on the POP was inaccurate. The number reported was significantly
less than the number in use. The program error has been corrected. This
means that the FY 1983 statistics understate WSC maximum terminal active
status.
There is no systematic monitoring of the status of the line
utilization and network availability.
2. Capacity Utilization
The IBM 370/168MP is again at capacity after the installation of the
AMDAHL provided some relief from previous problems.- Capacity problems are
expected to get -worse, and the NCC is aware of this situation. Although the
-------�
II-3
AMDAHL is not presently fully utilized, the installation of ADABAS and C1CS
will likely increase demand significantly. The precise magnitude of this
increase is uncertain, but initial use of this software has' resulted in a
significant increase in demand to date.
The Sperry system is experiencing no significant capacity problems.
At this time there seems to be no plan for upgrading the Sperry beyond the
capacity needed to support current users. However, the introduction of IBM
compatible RJE access capabilities may generate significantly greater usage
and possibly result in capacity problems.
Many of the severe availability problems experienced on the WSC POP
ll/70s earlier in FY83 appear to have been resolved by April. However, a high
number of failures occurred on System 'B' during June and July and apparently
the causes could not be identified. In addition, the uptime percentages for
this system have been low (approximately 96.5% since April). The WIC is now
taking steps to better pinpoint causes of failures in the future. The POP
installation at RTF has not experienced the failure and availability problems
of the WSC. The RTP POP workload is not as great and does not have the same
immediate user impact and visibility as does the WSC POP workload.
3. Performance Goals and Measures
Although there are periodic adjustments of performance goals and
measures, there has not been a comprehensive systematic review and revision
for a number of years. In some important areas there are no performance
goals, such as for line utilization, network availability, AOABAS and CICS.
NCC has tried to find a way of measuring OBS Wylbur response time, but so far.
has not found a way of doing this. Performance goals for TSO and Wylbur were
set recently in April, 1983.
C. Data Center Operations
1. Overall Appraisal
Overall NCC operations at the RTP data center appear to be relatively
well managed and under control based on our meetings with NCC staff and review
of current procedures and operating statistics. The impressions of users
regarding NCC operations supports the view that the NCC operations performance
is satisfactory.
WSC operations experienced significant problems earlier in FY83 but
appear to have attained a generally acceptable level of service considering
the difficult operating conditions at the former site. The WSC management
structure and procedures are expected to change significantly at the new site
and should be expected to further improve operations.
2. Paper Usage
The RTP and WIC facilities both seem to consume unusually large
volumes of paper. Although this consumption relates largely to jobs submitted
by users, there has not been a systematic program to reduce the amount of
-------�
II-4
printing. NCC has not had the responsibility, authority or staff to work with
Program Offices to determine whether or not there is a need for the production
of the large amount of paper output and examine alternatives.
3. Unused Data Sets
There appear to be a significantly large number of disk data sets that
are unused and then automatically stored on tape. For IBM 370/168MP and
Amdahl V6 users the data sets are moved to tape after 45 days and disposed of
after a further 18 months. For Sperry users the periods are 30 and 90 days.
4. Operating and User Manuals
The NCC has developed general operating standards and standards for
each type of equipment. The standards for IBM, Sperry and DEC operations are
current, but general procedures identified in EPA's ADP Manual (a responsi-
bility of OIRM) are quite old and appear to be out of.date. The user manuals
are generally current.
5. Archive Tapes
There is no program to check the readability of archive tapes. NCC
staff have not had significant problems reading these tapes, although some in
the inventory are becoming rather old,
6. Software Packages
.There are a number of software packages (such as AOA8AS, System 2000
and IDMS) that appear to have similar functions, NCC policy is to allow users
to procure packages with which they are familiar and to operate them on the
mainframe computers with certain stipulations to ensure no adverse impact on
other users. The Software Review Council is no longer in existence.
7. Future of the Sperry Configuration
The maintenance agreement for the Sperry system expires in July.
There is a movement of a number of major applications to the IBM compatible
equipment. It appears that the existence of several types of different
mainframe computers adds to NCC operating costs.
D. User Support
1, User Communications
The NCC utilizes a wide variety of tools to communicate with its
users. These seem to be comprehensive and well-oriented to the needs of both
users and the NCC. The NCC conducts regular user meetings for WSC users, and
tries to hold regular meetings for mainframe users when travel resources ,are
available. " •
-------�
II-5
A particularly useful means to obtain feedback from users is the user
survey conducted three times annually. This survey is comprehensive, but is
constrained by a relatively low response rate. The survey also does not
provide detailed instructions to users defining the evaluation criteria.
2. Problem Reporting and Reso1ut ion
User Support provides an effective means for users to report problems,
and does an equally effective job of tracking and resolving user problems.
Users have consistently given support services outstanding, ratings.
3. User Evaluations of NCC Services
Overall, the results of the user survey confirm the review, team's
independent finding that NCC operations appear to be well managed and reason-
ably responsive to user needs.
4, User Training
The NCC's user training program has experienced some growth during the
past year, and provides an effective means for users to request necessary
training and identify training needs that may not be addressed by current
courses. The NCC seems to be doing a good job of getting the most out of very
limited internal training resources by requiring that users pay for training
courses and also by using a mix of in-house and vendor training.
Training for ADP coordinators within program offices is inadequate.
Coordinators' duties are undocumented and there is presently no orientation or
training program for these individuals to assist them in performing their
function.
E. Cost Accounting and Chargeback
1. Cost Center Analysis and Billing Rates
The procedures used by the NCC to establish computer center billing
rates are generally compliant with the guidelines of OMB Circular A-121.
Although these rates do not include EPA personnel and general facilities
costs, this deficiency is beyond the NCC's control. The NCC staff is
constantly working to improve cost accounting and Chargeback systems by
developing and upgrading appropriate documentation, testing new automated
tools, and evaluating existing procedures.
Several areas warrant attention. Based on predicted costs, the
billing rate for printing is understated by a factor of 16%. The cost of some
software packages used by only one or a few users {e.g., OMS-1100) is included
in the basic billing rates for all users. TSO and Wylbur, used by many users,
are not separately charged. The NCC has stated that there is currently no
cost-effective method to charge by individual use of specific library systems.
2.
Chargeback and Usage Control
The lack of formal and effective
The lack of formal and effei
expenditures by internal Agency users
has
procedures for acting
been a major deficiency.
on over-
Actions
-------�
II-6
taken In past years to address overspending have been weak and uncoordinated.
In FYS4 the NCC is developing, in conjunction with OIRM management, policies
and methods for dealing with these problems. No specific actions have been
taken to date which would enable the review team to assess the effectiveness
of this effort.
The distribution of billing reports by account managers to the users
for each user ID may not be providing billing reports routinely to some users.
Procedures for establishing written agreements with outside user
agencies are more comprehensive then the requirements of OMB A-121. However,
users in two outside agencies accessed the NCC and incurred $14,000 in charges
above the current agreements which were not ultimately reimbursed to EPA.
3. Structure of User Accounts
The current timeshare accounting structure and attendant procedures
which enables a user-ID to be active across multiple accounts makes the
accuracy of timeshare cost allocations dependent on procedures followed by
users. The potential exists for a user (both internal EPA users and
contractors) to incur charges on any account for which his/her ID is
authorized, regardless of the application, in order to avoid over-expenditure
on a particular ADP account. This is a particularly significant issue for
those user IDs authorized for ADP accounts funded by different Responsible
Program Implementation Officials (RPIOs).
F. Security
1. RTP Physical Security Overview
The NCC/RTP facility has made a considerable investment in physical
security over the past several years and provides a high level of physical
protection of the equipment and systems at this location. The only
significant potential problems at the RTP facility are: a crack in the
stairwell wall near the Hal on container area that may be indicative of
structural problems; the main RTP complex water pipes could cause another
water damage problem; storage of equipment in the motor generator room; and
the fact that the Rusco badge reader system is not monitored by staff during
the hours that the RTP center is operational outside of the normal working
hours of the main RTP complex.
2. WIC Physical Security Overview
The current plans for the new WIC site appear to offer a high degree
of physical security, and superior surveillance capabilities than those of
the RTP data center. These plans have now been implemented and the new center
is operational (it was completed after the data gathering phase of this
review). The old WSC center was highly unsatisfactory as was noted in the
first Interim Findings report. The only apparent problem in the new center is
that there is a glass wall between the computer room and a corridor in the
center, which would allow persons to look into the WIC computer area. Persons
allowed in the center can observe activities in the computer room although
they do not have access prvileges.
-------�
II-7
3. Secur1ty Organizat1on
The structure of the NCC security organization is unsatisfactory,
Persons are assigned part time to this function and the appointments and
changeovers have not always been done in a formal manner. The EPA security
officer at NCC reports to a Branch Chief, which is too low a level. The
staffing of the security function by EPA and the FM contractor is insufficient
to provide a strong security program. The NCC Data Center Security Committee
does not exist although the NCC Security Manual defines its duties and
responsibilities-. There does not appear to be any clear overall official
responsible for EPA computer security.
4. User IP's and Passwords
There is evidence that the user organizations do not follow the NCC
policy of obtaining a separate ID and password for each user. There is also
evidence that these IDs and passwords are not properly protected by users.
5. Remote Sites
The organization responsible for security control at the remote sites
is unclear (Attachment A to October 27, 1983 memorandum entitled "Reorganiza-
tion" }. NCC does not have clear oversight and guidance responsibility or
authority. NCC security can be undermined by a lack of security at remote
sites. It is not clear that EPA assets at these sites are properly protected.
There appears to be no security manual for remote sites, nor any requirement
that the NCC Security Officer must approve local site security arrangements.
6. Personnel Issues
Until recently there were no routine security debrief ings for
departing EPA personnel. With the exception of staff working with
confidential TSCA systems, there are no special agreements with employees to
protect EPA information. There also are no agreements committing EPA
employees to properly use EPA-provided computer resources. The NCC also
provides no active security awareness program, although security is noted in
some orientation briefings. TSCA ADP operations do have an adequate security
awareness program.
7. Risk Analysis
The most recent full risk analysis was conducted in January 1979; Due
to the major changes that have taken place at NCC RTP and WIC, the NCC should
have conducted risk analyses at both sites.
8. SensitiveSystems
The assignment of responsibility for conducting application security
reviews required by GSA is unclear to the review team. This does not appear
to be an NCC responsibility. It appears that sensitive systems have not been
identified and reviewed according to GSA regulations.
-------�
II-8
9. Security Manuals
•*.-
The NCC security manual for the RTP facility is reasonably current and
complete and requires only minor changes. The WIC has prepared a new draft
security manual for the new site that is also reasonably complete. The TSCA
security manual prepared jointly with the Office of Toxic Substances has been
in draft form and under revision for over a year, and there have been
sufficient changes in the processing environment for TSCA CBI to require
another update. Some of the operating manuals need improved security
sections. The EPA Automatic Data Processing Manual contains no chapter on
security.
10. Security Incident Report ing
The incident reporting procedures in the NCC RTP Security Manual and
the WIC security Manual appear to be adequate. The current OTS TSCA security
manual, Chemicals in Commerce Information System Confidential Business
Information Security Manual, does not have adequate incident reporting
procedures.
Security incidents are not handled in a systematic manner at present.
Although formal procedures for reporting security incidents are included in
the current Security Manual for the RTP data center (and have been
incorporated in the new WIC manual), these" apparently are not being followed.
The TSCA Security Manual lacks formal incident reporting procedures, and
reporting is usually done informally.
Only two security incidents were brought to the attention of the
review team. One incident at the WIC related to an open door in the computer
area. The other incident was more serious and concerned the alleged misuse of
a user ID and password. This incident appears to be indicative of the sharing
of user IDs by a significant number of users, including the sharing of IDs
between EPA and contractor staffs.
G. Contingency Planning and Disaster Recovery
1. Staffing
There are only two persons with responsibilities in this area and they
are heavily committed to other tasks.
-2« Backup Arrangements
The NCC has put in place limited agreements for using
to back up the IBM 370/168MP, Amdahl V6 and Sperry computers.
agreements are current, they are relatively general
backup sites to-specific minimum resource levels.
alternate sites
Although these
and do not commit the
Only the alternate site for the Sperry has been tested, and
only for loading the operating system.
-------�
II-9
No applications have been tested for either the IBM
370/168MP, Amdahl V6 or Sperry, except for the Payroll system
on the backup IBM equipment.
The NCC is .currently conducting negotiations for a more
complete backup arrangement for the IBM 370/168MP, IBM 4341
and Amdahl V6.
o There are no written backup
POP-ll/70's (WIC as well as
agreements should exist for
backup arrangements.
3. Critical System Surveys
agreements for the DEC-2020's,
RTP), and IBM 4341. Written
internal as well as external
The NCC has no current list of critical applications that defines the
minimum level of support that must be provided in the period immediately after
a disaster. There also is no guidance to support a phased build-up to more
normal support after a disaster. The Sperry system criticality data is
several years old, the NCC believes this data is adequate and views most
Sperry systems as not being short term time critical. A very limited survey
of IBM 370/168MP and Amdahl V6 users was conducted in May, 1983. The
resulting limited data has not yet been analyzed. There have been no surveys
for the WIC systems and other systems at RTP.
4. Contingency Plans
The contingency plan for the Sperry system is seriously out of date.
Of even greater significance, there are no contingency plans 'for any of the
other systems.
The NCC has not tested the Sperry disaster recovery plan and has not
attempted to provide minimal operations support from the alternate site to
simulate the recovery from a disaster.
The NCC has prepared no plans and made no arrangements for acquiring
the equipment necessary'for teleprocessing support in the event of a disaster.
The NCC states that Sperry disaster recovery will be done in batch mode. The
NCC considers that the NIRC telecommunications will be adequate for the backup
of the IBM equipment. This has not been tested and no documented analysis of
this capability was made available to the review team.
H. Equipment and Software Acquisistion and-Control
1, NCC Equipment Inventories
The NCC complies with Agency requirements for conducting annual
inventories, and is now conducting a major inventory to update the quality of
its property records. The NCC is working with the Contract Property
Administrator for the FM contract (an individual within the Office of
Administration) to reconcile three different listings (EPA Personal Property
-------�
11-10
System (PPS), FM contractor's internal system, and the listing in the FM
contract) with this inventory. At present, OA is ultimately responsible for
maintaining ADP equipment records. There is currently no single comprehensive
and accurate inventory of the NCC's ADP equipment.
Existing property listings are inaccurate as a result of weaknesses in
current procedures for receiving and tagging equipment, Although official
procedures would eliminate some of the current problems, there are legitimate
reasons for not strictly adhering to them. There seems to be significant
cooperation between the NCC and property offices in RTP and Washington.
However, the procedures now being utilized provide inadequate coordination and
communication among the organizations following them.
2. Authorization and Tracking of Procurement Actjons
The NCC has effective controls in place for preparing and reviewing
procurement requests (PRs), including budget and technical reviews. However,
tracking of PRs is often difficult due to delays in receiving notification and
actual copies of contracts awarded by the Procurements and Contracts
Management Division (PCMD) in Washington. These delays make it difficult for
NCC Project Officers to detect contract errors in a timely manner.
3. Acquisition of Equipment by the FM Contractor
Effective controls are in place for reviewing items acquired by the FM
Contractor, including both items purchased with PCMD approval and items
acquired by lease.
4. Payment Authorjzation Procedures
Effective procedures are in place for reviewing invoices prior to
payment for items purchased or leased by EPA.
5. Controls Over High Risk Items
The NCC is now reregistering portable terminals used by EPA NCC staff
and has developed new procedures for controlling these terminals. The new
procedures should provide adequate control, but there are currently three
portable terminals that are unaccounted for.
6. Software Inventory
Although there • is currently no Agency requirement for a software
inventory, there is a GSA requirement for this inventory. The NCC maintains
its own inventory of installed software (excluding applications) including
purchase or lease costs. The Agency's Personal Property System currently
includes only tangible property and as a matter of policy does not address
software. At present, there seems to be no comprehensive Agency-wide inven-
tory of software addressing both packaged software and user applications
software.
-------�
III-l
III. RECOMMENDATIONS
This chapter presents the major recommendations of this management review.
The recommendations are organized by topic in parallel with the findings and
conclusions presented in Chapter II, Each recommendation is preceded by a
brief statement of the corresponding issue, and identification of priority for
addressing the. issue.
A. NCC Management
1. Size and Expertise of NCC EPA Staff (High Priority)
a. Issue
The NCC EPA staff is relatively small (approximately 28 staff,
including administrative and clerical staff) relative to the scope of NCC
functions and FM contractor staff (approximately 240), The current EPA staff
is insufficient in number and lacking in several key technical areas to per-
form its assigned functions adequately and provide proper direction and eval-
uation to the FM contractor. The NCC has also experienced extremely high
turnover during the past year.
b. Recommendation to NCC and OIRM-
The NCC should obtain and fill additional positions to undertake
key activities related to security and contingency planning, provide strong
management of the Washington Information Center, and provide senior technical
expertise on the NCC staff for several key areas. Positions related to
security and contingency planning should be given the highest priority.
Specific needs in terms of ideal and minimum (with balance contracted)
additional EPA staff, are as follows:
o Security - Increase from fractional work years to 2 1/2
work years, with at least one EPA FTE,
o Contingency Planning - For development and implementation
of required plans, increase from fractional work years to
three staff members (at least on EPA) for a six month
period. For ongoing maintenance of these plans, increase
to 1 1/2 work years, with at least one half EPA work years.
o Information Center - Addition of one s'enior manager to in-
teract with senior "managers in user organizations at EPA
headquarters, and an additional staff member to serve in a
direct user support role. Total WIC staffing should com-
prise of at least three full-time EPA staff.
o Telecommunications, Systems Programming, CICS, and ADABAS -
Addition of a senior technical expert for each of these
four areas to provide expertise not available from current
-------�
III-2
staff. Current staff working in these roles would devote
more time to the numerous other duties they now perform.
Systems programmer should work with NCC's 8EST1 modeling
group.
In addition to securing these positions, training should be
provided to NCC staff to provide backup in each major functional area in the
event of staff resignations and transfers.
If obtaining significant additional positions is not possible by
the end of FY84, the NCC should provide in depth training for present staff,
including both technical and management training, and not sacrifice such
training to day-to-day activities. In addition, the NCC and OIRM management
should actively consider awarding a task order type contract to supplement EPA
staff in providing quality control and technical review of critical FM
contractor activities. (Thi approach has already been used by the NCC to
obtain technical telecommunications assistance.)
The NCC and OIRM should jointly examine the reasons for the high
turnover of staff during the past twelve months and take visible actions to
reduce those causes that are under NCC and OIRM control.
2. Delineation of NCC Responsibilities (High Priority)
a. Issue
NCC responsibilities for ADP-related activities outside the NCC are
not well defined. These activities include security and facility oversight.
b. Recommendation to NCC and QIRM
The NCC should work with OIRM management to more clearly delineate
NCC responsibilities for the above activities by the end of the second quarter
of FY84.
3. NCC EPA Staff Deployment and Work Status Monitoring (Medium Priority)
a. Issue
The NCC currently has no systematic means for monitoring the
deployment of NCC EPA staff in performing NCC functions, making it difficult to
identify the staff resources actually expended on designated functions and
projects, and the magnitude of staff shortages .for these functions and
projects. In addition, the NCC has no systematic reporting process which
documents and tracks the results of projects undertaken by NCC EPA staff,
b. Recommendation .to NCC
The NCC should establish a simple (automated or manual) voluntary
time accounting system for EPA staff by the end of FY84.
in
ternal
The NCC should establish internal progress reporting for activities
performed by EPA staff, including EPA staff decisions on analyses and
recommendations of the FM contractor, in the second quarter of FY84. The NCC
-------�
III-3
also should prepare brief summary reports (one page or shorter in length)
documenting the decisions reached at the weekly senior staff meetings.
4, Survey of Users for Contractor Performance Evaluation (Medium Priority)
a. Issue
User participation in the contractor performance evaluation is
extremely low, and no standard definitions are provided to users for the
evaluation criteria.
b. Recommendation to NCC
The NCC should implement the following measures for the next and
future user surveys:
o Provide a summary of the most recent survey results to
users as part of the quarterly update request for user
profiles.
o Include notice of upcoming surveys, and encourage users to
participate, in log-on messages, print headers, and in
similar routine user communications media.
The NCC should provide users with complete definitions of evaluation
criteria/topics and how to use the evaluation point scale. This information
could be mailed to survey participants or available for automated access in a
public file. The NCC also should provide a summary of the results of the
previous survey with the survey forms.
5. Management Direction to FM Contractor and Provisional Billing of Award
Fee (Low Priority)"
a. Issue
The Performance Evaluation Board currently communicates changes in
management priorities to the FM contractor informally at least several weeks
after the start of the performance period, with formal notification provided
by PCMD as late as two months after the start of the period. Delays in
sending formal notifications of fee awards by PCMD, combined with current
arrangements for provisional billing of the award fee by the FM contractor,
result in significant delays in the ability of the contractor to bill for a
portion of the award fee ($9,000 to $20,000) each performance period.
b. Recommendation to NCC and PCMD
The Contract Evaluation Board should provide, within two weeks of
the start of each performance period, informal written notification to the FM
contractor of anticipated changes to the evaluation criteria (e.g., weightings
of criteria) for the coming evaluation period pending formal notification,
NCC should request that PCMD assess the feasibility and desirabil-
ity of changing the amount of the award fee that the FM contractor can bill on
a provisional basis, and should assist in performing this assessment. One
-------�
III-4
approach that should should be considered is a billing formula which sets the
provisional billing rate equal to the lower of the actual award fee percent-
ages for the prior two periods.
6. ADP Workload Forecasting and Capacity Planning (Medium Priority)
a. Issue
There is currently no systematic means for the NCC to project
significant changes in Agency program direction and/or anticipated changes in
future ADP heeds which may have a major impact on NCC workloads and capacity
planning,
b. Recommendation to NCC and OIRM
The NCC should establish in FY84, with the assistance of OIRM and
the expressed support of Agency top management, a highly structured
Agency-wide survey, or similar process, for identifying changes in future ADP
needs and anticipated workloads of NCC users (including users outside the
Agency, such as states) to support capacity planning and AOP technology
assessment.
7. Approval of NCC Organization Structure (Low Priority)
a. Issue
The Data Processing Division, which directly manages all NCC
operations, does not currently have an approved branch organization structure.
b. Recommendation to NCC and OIRM
The NCC should continue to work with OIRM management to expedi-
tious ly develop and obtain approval for the .internal branch structure of the
Data Processing Division.
8, Staffing of Highly Technical Positions by the FH Contractor (Medium
Priority)
a. Issue
The FM contractor does not have adequate senior technical staff
for systems programming and telecommunications, and these are also weak areas
for the NCC EPA staff.
b. Recommendation to NCC
The NCC should continue to encourage the FM contractor to fill the
current vacancy for a senior systems programmer, and to obtain senior
telecommunications staff.
-------�
III-5
9. FM Contractor Progress Reporting (Low Priority)
a. Issue
Weekly progress reports prepared by the FM contractor at the end
of each performance evaluation period and at the start of the next period do
not seem to address the disposition of all tasks scheduled for the first
period.
b. Recommendation to NCC
The FM contractor should specifically include in the final weekly
progress reports of each performance evaluation period the status of all tasks
scheduled for that period.
8. Systems Performance
1. Performance Goals and Measures (Medium Priority)
a. Issue
There has not been a comprehensive review of the performance goals
and measures for a number of years. There have been reviews of specific per-
formance measures, such as the April 1983 review of TSO and Wylbur.
b. Recommendat ion to NCC
The NCC should perform a comprehensive review of the performance
goals and measures for all computer systems under" its control during FY 1984.
This review should include:
o Reviewing the existing goals and measures to determine if
they remain suitable and making any needed changes.
Determining suitable goals and
capabilities such as CICS and AOABAS.
measures
for
new
o Determining goals and measures concerning the availability
of the telecommunication network(s) and the front end
processors.
o If the NCC becomes more of a "production" shop as. a result
of ADP reorganization, adding appropriate goals and
measures for running of production work.
2. Workload Projections (Medium Priority)
a. Issue
The assumptions underlying current projections may be undermined
by increased resource usage on the IBM/168MP and Amdahl V6 due to CICS and
ADABAS, and the Sperry may have increased use with the greater accessibility
provided by the Potomac Scheduling/TANDEM equipment.
-------�
III-6
b. Recomniendatlon to NCC
The NCC should closely monitor the impact of CICS and ADABAS usage
over the next six months and adjust future workload projections if the impact
of this software is greater than was expected. Similarly, during the same
.period, Sperry usage should be closely monitored to determine if a "latent
demand" is released by the availability of better access.
3. Sperry Usage (Low Priority)
a. Issue
There may be a latent demand for Sperry processing which will be
relased when the Potomac Scheduling/Tandem Controllers are operational.
b. Recommendation to NCC
NCC should closely monitor usage of the Sperry system for at least
six months after the installation of the Potomac Scheduling/Tandem Con-
trollers. If there is a significant trend to increased use of the Sperry,
then previous Sperry workload projections should be reexamined to determine if
there will be capacity problems.
4. BEST/1 (Low Priority)
a. Issue
The FM contractor and NCC/EPA team does not have in-depth exper-
ience in using BEST/1 with multiple configurations. Due to the many
significant changes occurring in the IBM-compatible area, e.g., implementation
of CICS and ADABAS, addition of 4341, installation of new models and versions
of the operating system, etc., development of a representative model is very
difficult to accomplish.
b. Recommendation to NCC
The NCC should continue to draw on the extensive experience of the
Library of Congress in using BEST/1 with IBM/Amdahl configurations.
C. Data Center Operations
1. High Volume Printing and Paper Usage (Medium Priority) •
a. Issue
During the costing review for FY 1984 it was estimated that there
would be 493 million lines of print at RTP with a total printing cost of about
$1,177,800. There appears to be a very large print volume without a consis-
tent effort to have users control unneeded printing of hardcbpy output,
b. Recommendation to NCC
NCC and OIRM should review use of paper output by major
applications and develop plans jointly with system managers to reduce paper
-------�
III-7
usage. This effort should specifically examine the potential of users to
review output via video display units to identify errors prior to printing,
and replacing voluminous printouts with microfilm or microfiche output. This
review should take place during the second and third quarters of FY84.
2, Tape Data Set Retention Policies (Low Priority)
a. Issue
The Sperry system has some two thousand operational tapes and the
IBM 370/168MP and Amdahl V6 users have some seven thousand operational tapes.
The IBM 370/168MP and Amdahl V6 users are allowed to keep unused data sets on
disk for forty five days, and then retain these sets on tapes for eighteen
months, whereas the Sperry users have thirty and ninety days respectively.
This can lead to unneeded retention of data,
b. Recommendat ion to NCC
NCC should implement a consistent policy of archiving unused disk
data sets on the IBM 370/168MP, Amdahl V6 and Sperry, and for erasing archive
tapes. A potential policy is .archiving all unaccessed data sets other than
those used in production runs after 30 days, and erasing tapes after an
additional 90 days with one month advance warning to users. This could result
in a substantial savings in the number of'tapes used. The present retention
policies should be reviewed and new policies implemented during FY 1984.
3. Software Packages (Low Priority)
a. Issue
The NCC maintains a number of packages which apparently perform
the same functions, and incurs duplicative acquisition and operational costs
for this software.
b. Recommendation to NCC
NCC should formalize its annual review of software packages to
identify packages which are rarely used and should be deleted, and those which
provide the same functionality as potential or desired new software acquisi-
tions. To accomplish this review, MCC should consider reactivating the
Software Review Council. A policy on software review should be in place by
the beginning of FY 1985.
4. ADP Manual (Medium Priority)
a. Issue
The Agency ADP Manual is not current.
-------�
in-8
b. Recommendation to NCC and OIRM
NCC and OIRM should update documentation of standards and
procedures contained in the Agency's ADP Manual. This should be done by the
end of FY84.
5. Long Term Use of the Sperry Computer (Medium Priority^
a. Issue r
The Sperry maintenance agreement expires in Mid-1984. There are a
number of special costs associated with maintaining different types of
computer systems and with the Sperry system (i.e., difficulty in finding
compatible hardware and support suppliers).
b. Recommendation to NCC
The NCC should review the need for the long term continuance of
the .use of the Sperry system prior to the expiration of the maintenance
contract. The expected length of time the SPERRY system will continue to be
used should influence the way in which the contract is formulated.
6. .Archive Tapes (Low Priority)
a. Issue
Tapes that are stored for a long period of time will degrade over
time and can become unreadable.
b. Recommendation to NCC
The NCC should implement a program to check every few years the
readability of tapes stored in the tape vaults, and to contact users to
identify tapes that should remain in storage. This program should be imple-
mented by the end of FY 1984. (The NCC has stated that it has implemented a
procedure to encourage users to determine; the reliability of archived tape
file's. NCC has stated that current DPD resources preclude the performance of
this activity by the Data Center.)
7. NCC Morning Meetings (Medium Priority)
a. Issue
There are no reports of these meetings.
b. Recommendation to NCC
The NCC should prepare brief summary meeting notes. These should
include important decisions and assignments of responsibility for solving
major problems. This should be implemented during the second quarter of FY
1984.
-------�
III-9
8, Operations Data Reporting (low Priority)
a. Issue
The dally reports provide dally, week-to-date and month-to-date
data. They do not provide year-to-date data.
b. Recommendation to NCC
The automated reporting should be enhanced to provide quarter-to-
date and year-to-date data for the last day of the month run during FY 1984
and as required. This should be implemented by the end of FY84.
9. Reruns (Low Priority)
a. Issue
There is no systematic reporting of reruns.
b. Recommendation to NCC
A manual or automated system should be set up to track the number
and causes of the reruns known to NCC. This should be implemented by the
third quarter of FY 1984.
10. Impact of ADP Consolidation (Low Priority)
a. Issue
If and when the second phase of the ADP consolidation plan is
implemented, the potential will exist for a significant shift from an en-
vironment where there are few "production systems" to an environment where
"production" system services are a normal mode of operations.
b. Recommendation to NCC
The NCC should determine with the appropriate parts of OIRM the
division of responsibilities in regard to operating and maintaining
application systems. Such a determination should define the degree of
formality of turnover from development to production. This effort should be
made during final implementation planning for ADP consolidation.
D. User Support.
1. Training of ADP Coordinators (High Priority)
a. Issue
At least several ADP coordinators are not familiar with their
assigned functions relating to the RTP interface 'and there are currently no
orientation and training materials for ADP coordinators.
-------�
111-10
&• Recommendationto NCC and OIRM
The NCC should document in FY84 the duties of ADP coordinators
that are required by the NCC, and provide appropriate orientation and training
to current and new coordinators. NCC and OIRM should also work with the
program offices to define and develop training capabilities for. additional
responsibilities and authorities of ADP coordinators as required by program
offices.
2. Results of User Survey ('Contractor Performance Evaluation') (Low
Priority]"
a. Issue
The NCC currently does not provide the results of the user
evaluation survey to a majority of NCC users,
b. Recommendation to NCC
The NCC should issue a user memo at the conclusion of each survey
to provide a summary of the survey results to all users of each configuration.
3. NCC User Meetings and AOP Conferences (Low Priority)
a. Issue
NCC was unable to conduct user meetings on a quarterly basis in
FY83 due to limited travel funds, An Agency-wide ADP conference has not been
conducted for several years.
b. Recommendation to NCC and OIRM
NCC should attempt to obtain sufficient travel resources to
support quarterly NCC user meetings in Washington. Conference calls open to
users throughout the Agency should be continued, if necessary, if travel funds
continue to be short, but should not be considered an equivalent substitute
for face-to-face meetings.
NCC and OIRM also should conduct an Agency-wide ADP conference if
at all possible in FY84 to inform users about current modernization efforts,
future activities, recent reorganization and roles of OIRM and program offices
with respect to ADP, and other pertinent issues identified by the NCC and
OIRM.'
4. Funding of User Training (Low Priority)
a. Issue
Program offices are required to prepare both a training request
and purchase request for each ADP training course provided by the NCC and
funded by the program office. This is a cumbersome procedure with respect to
funding.
-------�
III-ll
k* Recommendation toNCCand FMD
If feasible, the NCC should work with the Financial Management
Division to provide a mechanism for AOP user organizations to provide a pool
of funds to the NCC in advance of actual training requests, and to draw on
these funds as necessary during the fiscal year.
E. Cost Accounting and Chargebeack
1, Use of NCC Services In Excess of Budget (High Priority)
a. Issue
Existing controls to prevent unauthorized overspending have not
been fully effective.
b. Recommendation to NCC and QIRM
The NCC and OIRM should continue present efforts to formalize and
enforce procedures for controlling unfunded use of NCC timeshare. Specific
areas to be addressed include:
o Overspending by EPA program offices,
o Overspending by other agencies under lAGs.
o Use of NCC by other agencies with expired lAGs.
2. Compliance With OMB Circular A-121 (Medium Priority)
a. Issue
EPA personnel and facilities costs are not included in the full
costing as required by this OMB Circular,
b. Recommendation to NCC and OARM
The NCC and OARM should assess whether and how EPA's budget
structure may be altered to include EPA personnel and facilities costs in the
NCC budget and in timeshare billing rates to more ful.ly comply with OMB
circular A-121 (3G.(1)). This assessment should be completed prior to the
development of the initial FY86 budget,
3. Working Capital Fund (Medium Priority)
a. Issue
There is no Working Capital Fund in use by.NCC. Several agencies
have found this to be a cost effective approach to fund and manage major
computer centers.
•
b. Recommendation to NCC and QARM
NCC and OIRM should continue to work with the Agency budget office
to establish a working capital fund by FY85 if possible, or as soon thereafter
as is possible.
-------�
111-12
4. Billing Rate for Print Lines (Medium Priority)
a. Issue
The billing rate for print lines did not recover projected costs,
with a projected under-recovery of $191,800. The present approach does not
encourage users to control printing volume and costs.
b. Recommendation to NCC
The NCC should increase the billing rates for printing in FY84, if
feasible, to achieve full cost recovery of projected costs. If this is not
feasible for FY84, the billing rates should be adjusted in FY85 to ensure full
cost recovery for printing.
5. Restricting the ADP Account to Which Users Can Charge Costs for
Designated Applications (Low Priority!.
a. Issue
It is now possible for a user ID to be logged in on one account
and then do work on an application that should be billed to another account.
Users therefore may spend timeshare funds for applications other than for
which they were intended.
b. Recommendation to NCC
NCC should examine the feasibility and cost of .potential
mechanisms to link FIMAS codes to ADP accounts in order to enable users to
work on only authorized applications under each AOP account, NCC also should
inform ADP account managers and budget officers regarding the lack of
automated controls on applications that may be used by user IDs authorized
under multiple ADP accounts. The notification to ADP account managers should
take place as soon as possible. The feasibility study should be completed and
its recommendations implemented by the end of FY84. (NCC has stated that this
linking is cost prohibitive. However, no document pertinent to this issue was
provided to the review team.)
6, Documentation of Cost Recovery and Rate Setting Analyses (Medium
Priority^
a.. Issue
The procedures used for these analyses have not been fully
documented.
b. Recommendation to NCC
The NCC should document the procedures, used to conduct the FY84
Full Costing Study, cost recovery analyses and rate setting, including
annotation regarding any problems encountered and additional data that should
be collected in FY84 to help support an analysis of costs for FY85.
-------�
in-13
7- POP 11/70 Billing Systems (Low Priority)
a. Issue
The POP 11/70 billing algorithm differs from those used on the IBM
370/168MP and Sperry systems.
b. Recommendation to NCC ^
Within technical and resource constraints, the NCC should complete
current activities to make the PDP-11 billing systems mirror as much as
possible the billing systems on the mainframe computers. This activity should
be completed during the third quarter of FY84.
8. Users Do Not Always Know the Status of their Accounts (Low Priority)
a. Issue
Billing reports are sent to AOP coordinators and do not always
reach ADP account managers.
b. Recommendation to NCC
The NCC should continue examine alternative means for distributing
billing reports directly to ADP account managers, and should consider
providing training for report distribution to AOP coordinators and ADP Account
Managers. Ultimate responsibility for provision of and use of NCC billing
information to ADP Account Managers is the responsibility of the Program
Offices.
9. TSSMS Documentation (Low Priority)
a. _I_ssue_
The TSSMS system is not fully documented.
b. Recommendation to NCC
The TSSMS system should be fully documented in accordance with EPA
standards and/or FTPS PUB 38 during FY 1984.
F. Security
1. Security Organization (High Priority)
a. Issue
There has been a lack of a complete formal security organization.
b. Recommendation to NCC
The NCC should formally set forth an ADP security organization
structure for the NCC, with the head security officer reporting no lower than
\
-------�
III-H
to the NCC, Director, There should be at least one individual assigned to
security by EPA and by the FM contractor at each site (i.e., RTP and WIC), and
memoranda should be sent to all NCC users and staff identifying the
individuals to be contacted for apparent security incidents. The Data Center
Security Committee should be reactivated, meet at least bimonthly (and in
response to major incidents), and formally report to NCC management. The
security organization should be established by the end of the second quarter
of FY84.
2. Security Staffing (High Priority)
a. Issue -
The NCC EPA and FM contractor staff have devoted little time to
security functions during the past year. Only fractional staff years have
been devoted to reviewing system reports, identifying potential violations,
provided security training and awareness programs, and other key procedures.
b. Recommendation to NCC
Both EPA and the FM contractor should provide additional staff
resources (approximately two staff-years in total) to adequately perform
security functions and ensure that NCC staff and users follow established
security procedures. The additional resources should be provided as soon as
possible.
3. Control- of User IDs and Passwords (High Priority)
a. Issue
There is evidence that there is insufficient user control of IDs
and passwords.
b. Recommendation to NCC
NCC should stringently enforce the official policy prohibiting the
sharing of user IDs and passwords by users (and especially between EPA users
and contractors) with no blanket exceptions.
o Stricter enforcement should be implemented in organized
phases in conjunction with a concerted user awareness
training program for security. ADP coordinators should be
actively involved in this effort and in ensuring that users
follow established procedures.
o Exceptions to prohibitions on sharing user IDs should be
granted on a case-by-case basis only, and should be
re-examined every six months.
o Significant sanctions should be imposed on users discovered
sharing user IDs. Potential sanctions might range from
termination of jobs run by unauthorized users, .to financial
penalties, to temporary invalidation of the user ID.
-------�
111-15
Procedures for NCC review of password changes should be
developed to ensure that users actually change their
passwords as required by the NCC.
Greater use should be made of the user support function to
identify the sharing of user IDs and notify the NCC
security officer of these incidents.
Several unannounced audits of user sites should be
conducted annual.ly to ensure that user IDs and passwords
are not posted on terminals and to substantiate present
impressions by the NCC of user practices by actual review.
4. Remote Site Security (High Priority)
a. Issue
There is currently no ADP security program that systematically
addresses security at remote computing sites.
b. Recommendation to NCC and QIRM
The NCC and QIRM should develop a security program for remote
computer sites (i.e, regional data centers, laboratory computers, and office
computers such as PRIMES), and inspect a representative number of sites to
determine the extent of current deficiencies at these sites. A draft outline
of a program and initial inspections should be completed by the end of the
third quarter of FY84, and the final guidelines should be issued by the end of
FY84.
5« Personnel Issues (Medium Priority)
a. Issue
With the exception of persons responsible for operations of the
confidential TSCA facilities, there is no formal ADP security program for EPA
NCC personnel.
b. Recommendations to NCC
The following actions should be taken to increase NCC staff
awareness of security:
o The NCC should provide mandatory security awareness
training to NCC users, including a greater emphasis on
security in the NCC Users Reference Manual. NCC and OIRM
should also issue a specific section on security for the
EPA Automatic Data Processing Manual.
-------�
111-16
o The NCC and OIRM should work with Agency counsel and
personnel offices to prepare a standard agreement for all
users of the Agency's computer facilities which obligates
them to protect government information and to not misuse
government resources.
o All EPA personnel and contractors, using EPA computers
should undergo an ADP security debriefing upon their
departure (and also for contractors upon contract
expiration). The debriefing should include removal of
their user IDs and passwords from the computer system prior
to the day of their final departure or. contract
termination. Since November 1983, a system has been
implemented for EPA personnel at NCC' in RTP. The FM
Contractor personnel have followed a similar procedure.
6. Risk Analysis of NCC Computer Facilities (Medium Priority)
a. Issue
The NCC is not in compliance with GSA regulations to conduct risk
analyses,
b. Recommendation to NCC
NCC should make provision in the FY 1985 budget for full scale
risk analyses of the RTP and WIC sites. Provision should also be made for
risk analyses at the remote sites as part of the AOP Modernization Plan.
7. Sensitive Systems Evaluation (Medium Priority)
a. Issue
The NCC is not in compliance with GSA regulations to evaluate
sensitive systems every three years.
b. Recommendation to NCC and OIRM
The NCC and OIRM should establish and implement procedures to
identify sensitive systems within EPA. These systems subsequently should be
thoroughly reviewed. Procedures should be developed and sensitive systems
identified by the end of FY84. The system reviews'should take place in FY85.
8. TSCA Incident Reporting (High Priority)
a. Issue
No formal security incident procedures currently exist for the
sensitive TSCA facilities and operations. General NCC incident reporting
procedures exist but are not routinely followed in practice.
-------�
111-17
b. Recommendation to NCC and OTS
NCC and OTS should develop procedures for security incident
reporting and follow-up, and include them in the next update of the Chemicals
in Commerce Information System Confidential Business Information Security
Manual . The respons i bi 1 i ty for the development and approval 67 security
procedures is primarily the responsibility of the Office of Toxic Substances.
NCC staff in RTF and in the WIC should follow established security
incident reporting procedures. The NCC also should prepare a monthly security
report identifying all actual and apparent incidents and their disposition.
9. Structural Integrity of RTF Facility (High Priority)
a. Issue
There is a major crack in the wall fay the HALON room that extends
up to the second floor.
b. Recommendation to NCC
NCC should bring 'in a construction engineer to examine the
structural soundness of the building near the Halon room. This should be done
as soon as possible.
10. Guides and Manuals (Medium Priority)
a. Issue
Insufficient emphasis is placed
operators guides and manuals.
b. Recommendation to NCC
on security in several NCC
The NCC should revise by the end of FY84 the following guides and
manuals to place a greater emphasis on security:
o Update the DPS Data Center Security Manual to reflect new
equipment and its location, special procedures for QUOTA
and RACF, and new DPD responsibilities for security reviews
at remote sites.
o Update the NCC and WIC Security .Manuals to explicitly
address requirements/procedures for conducting required
computer center risk analyses.
o Update the Operations Handbook to include procedures for
handling securityincidentsand the automated security
incident reports.
o Revise the 'Approval for Computer Room Access1 form to
require the signature of the EPA and/or FM contractor
security officer.
-------�
111-18
o Add security incident procedures to the DEC 2020 Operators
Handbook,
11. Other RTP Physical Security Issues (Medium Priority)
a. Issues
Other significant issues include:
o The main water pipes of the RTP complex pose a threat to
the computer room. The installed shut-off valve reduces
but does not eliminate this threat,
o There are limited facility monitoring capabilities at the
NCC RTP facility.
o Equipment storage is authorized for the motor generator
room.
o The RUSCOE system is not monitored outside of normal
working hours of the main RTP building complex and is not
under NCC control.
b. Recommendations to NCC
The following recommendations address the above issues.
o The main RTP building complex water pipes should be moved
from their present location near the NCC facilities, or a
special outlet should be provided for emergency drainage.
o The NCC should examine the cost of installing closed
circuit television capabilities to monitor computer areas
at the RTP comparable to those now installed at the WIC.
This should be done in FY 1984.
j
o The NCC should examine alternatives to using the motor
generator room in RTP for storage. If feasible
alternatives are unavailable, physical barriers should be
erected within this room to reduce
forklifts and other moving equipment
electrical equipment. This examination
in the third quarter.of FY84.
the potential for
causing damage to
should be completed
The NCC should work with the RTP facilities management
staff to determine whether the RUSCOE control computer may
be moved into the NCC area so that it may be
during all NCC working hours. Since a
indicated that this approach may be
facilities management staff should
measures to prevent tampering with
periods when the system is unattended.
it may be attended
previous examination
impractical, the RTP
implement specific
the system during
-------�
111-19
12- WIG Internal Glass Mall (Low Priority)
a. Issue
The WIC has a glass wall in the computer area that faces a
corridor between the computer area and the WIC offices. Persons passing
through the corridor can look into the computer area,
b. Recommendation to NCC
The NCC should, at a minimum, cover the glass wall in the WIC
computer room with a curtain extending from floor to the false ceiling for the
entire length of the wall .and consider placing fire resistant drywall on the
outside of the wall (i.e., corridor side) to completely cover the glass.
Specific actions should be selected and implemented by the end of the third
quarter of FY84.
13. GSA Guard Service at RTF (Low Priority)
a. Issue
The GSA guards at RTP and Waterside Mall do not consistently check
individual identifications. Although there is an internal guard at the WIC,
there is no equivalent screening at the NCG RTP facility.
b. Recommendation to NCC
The NCC should work with the guard service in RTP to improve their
security consciousness and should run periodic checks to ensure that they are
alert. This effort should begin immediately.
14. Battery Room (High Priority)
a. Issue
The switch for the lighting is improperly located; it is not near
the door.
b. Recommendation to NCC
The switch should be moved to the door. This should be done
immediately.
15. WIC Halon Exhaust (Low Priority)
a. Issue
There is no active exhaust system to remove Halon from the
computer area.
-------�
111-20
b. Recommendation to NCC
The- assumption that the Hal on could be exhausted by opening
certain doors should be evaluated by a test or by a construction consultant.
This should be done by the end of the third quarter of FY84.
16. NCC RTF Second Floor Hal on Exhaust (Low Priority)
a. Issue
The only present way to exhaust Halon from this area would be by
opening doors. This procedure has not been tested and proven effective.
b. Recommendation to NCC
There should be a test or an evaluation by an engineer of whether
Halon could be removed by opening the appropriate doors. This should be done
by the end of the third quarter of FY84.
17. WSC Smoke Intrusion (Medium Priority)
f
a. Issue
The walls around the computer room do not extend to the true
ceiling, thus potentially allowing smoke intrusion from a fire in nearby
office areas.
b. Recommendation to NCC
A qualified expert should evaluate the probability of such an
intrusion. If it is high, then alternative preventive measures should be
evaluated. This should be done by the end of the third quarter of FY84.
18. Expiration of NCC Computer Room Badges (High Priority)
a. Issue
These badges have no expiration date.
b. Recommendation to NCC
NCC badges should have an expiration date. A color for the year
and number of .the month would be one solution. Badges should be valid for no
longer than 12-18 months. This should be implemented by the end of FY84.
G. Contingency Planning and Disaster Recovery
1. Staffing (High Priority)
•
a. Issue
EPA and the FM contractor have not allocated staff .levels adequate
to perform the contingency planning and disaster recovery functions.
-------�
ni-21
b. Recommendation to NCC
The Agency and FM contractor must devote more staff to this
function until there is an adequate plan for disaster recovery. It will
require approximately three persons for 3-6 months to develop the required
plans. After these plans are developed, the NCC should devote 1,5 to 2 work
years to keep all plans, agreements and information current.
2. Determination of Criticality of Application Systems (High Priority)
a. Issue
Previous surveys to identify system criticality are either old
(Sperry}, very limited in their information (1983 IBM 37Q/168MP and Amdahl
V6),and/or non-existent (POP il/70s). There is currently no baseline for
x preparing a phased recovery contingency plan.
b. Recommendation to NCC and OIRM
The NCC and OIRM should conduct a highly structured and comprehen-
sive survey to collect the information needed for an analysis of the critical-
ity of applications routinely accessed by users. All users should be surveyed
and given notice that recovery planning should be a high priority and will be
based on the survey results. Any systems which are not referenced by users
should be reviewed to determine if continued operation is necessary. The
survey results should be systematically analyzed and used as part of the
baseline for all other contingency planning activities. This survey and
subsequent analysis should be initiated and completed as soon as possible,
3. Preparation and Testing of Contingency Plans (High Priority)
a. Issue
The NCC currently has a contingency plan for only the Sperry
system, and this plan cannot be considered current. In the event of a major
disaster, a chaotic situation will exist while the NCC tries to recover an
operational capability (with the notable exception of the Payroll system).
b. Recommendation to NCC
The NCC should develop full' .scale contingency plans for all
hardware systems at RTP and WIC.' These plans would use information gathered
by the user surveys as key input. The NCC should test all contingency plans
after preparing them, and include in the test running all systems that would
need to be run at a backup site if the hardware systems were unavailable for
one month. The NCC should establish and follow procedures for updating the
contingency plans. Contingency plans should specify minimum
telecommunications requirements, and include an equipment acquisition plan for
telecommunications in the event of a disaster. These efforts should be
initiated and completed as soon as possible.
-------�
111-22
4, Full Backup Agreements (High Priority)
a. Issue
The NCC has only limited agreements to back up the IBM 370/168MP,
Amdahl V6 and Sperry configurations. There are no agreements for the other
equipment.
b. Recommendation to NCC
The NCC should develop detailed backup agreements for all
equipment. These agreements should address the extent of backup .available and
provide for pre-installation of any necessary special cabilities, such as
telecommunications support or security for TOXICS. Internal EPA. backup
agreements between different sites should be fully documented. These should
be initiated and completed as soon as possible.
5. Backup Capacity Analysis (Low Priority)
a. Issue
There is a possibility that an area wide disaster could cause a
number of sites to need backup simultaneously. This could happen if a power
station was destroyed, a major storm or other similiar event occurred.
b. Recommendation to NCC
NCC should examine responsibilities of backup sites to provide
backup capacity to other computer facilities in addition to EPA, and potential
conflicts with EPA needs in the event of failure. NCC should also examine its
capabilities to provide backup to mutual backup sites and other sites using
NCC as backup (e.g., Small Business Administration).
H. Equipment and Software^Acquisition and Control
1. Procedures for Receiving and Tagging of Equipment (Medium Pj-iority)
a. Issue
Procedures now being followed by the NCC and OA receiving staff
result in direct delivery of items to the NCC that are not tagged promptly and
in inconsistent tagging of modular equipment.
b. Recommendation to NCC and OA
The NCC and the OA receiving function should jointly develop new
procedures in FYS4 for items delivered directly to NCC (both RTP and Washing-
ton locations) to ensure that all' items are tagged before they are placed into
operation.
The NCC also should work with the receiving function to develop
consistent procedures at RTP and at the WIC for tagging component equipment
received in separate shipments. There should be clear direction on
-------�
111-23
identifying major components and subcomponents for tagging purposes. The NCC
and OA should consider placing a log sheet on the appropriate major component
cabinet and affixing decals for internal components to the log sheet.
2. Review of Contract Provisions for Hardware and Software Procurments
.Medium Priority)
a. Issue
The NCC does routinely perform comprehensive examinations of all
contracts before they are signed by PCMD,
b. Recommendation to NCC and PCMD
In FY84, the NCC should develop procedures jointly with PCMO to
ensure that NCC technical staff obtain and review copies of complete hardware
and software contracts before they are signed.
3. Software Inventory (Medium Priority)
a. Issue
There
is currently no comprehensive Agency-wide inventory of
software encompassing both software packages and software developed by users,
GSA requires this inventory for all agencies.
b. Recommendation to NCC, OIRM and OA
The NCC, OIRM and OA property function should establish a formal
procedure for maintaining an inventory of ADP software. Alternatives that
should be considered include modifying the Personal Property System (if
necessary) and attendant reporting procedures to address ADP software
installed at the NCC (and also software installed at other Agency computer
facilities), or developing a formal system for this purpose within the NCC.
4. Property Records for ADP Equipment at Other Agency Offices (Low
Priority J"
a. Issue
GSA requires that all agencies maintain accurate agency-wide
inventories of ADP hardware and software. Representatives within the NCC and
Property Management and Supply Section believe that records for ADP equipment
located in Agency program offices (Washington, regional offices, and
laboratories) are incomplete and generally of poor quality.
b. Recommendation toNCC and QIRM
To assist other offices in maintaining accurate records of ADP
hardware and software, the NCC or other organization within OIRM should be
assigned oversight responsibility for ADP hardware and software installed at
-------�
111-24
remote sites. In FY84, the NCC should examine jointly with the OA Property
Management and Supply Section the effectiveness of ADP property accounting
procedures in other program offices (including regional offices and offices in
Washington).
5. Improvements to the Personal Property System (Low Priority)
a. Issue
The Personal Property System (PPS) currently does not distinguish
between government furnished equipment (GFE) located at the Washington
Information Center and equipment located in the main center in RTP. PPS also
does not distinguish between items acquired under simple leases versus
'lease-to-purchase1 arrangements.
b. Recommendation to NCC and OA
The NCC should formally request that the Property Management and
Supply Section modify PPS to handle "lease-to-purchase" acquisitions, and also
request revisions to the designation of custodial areas for GFE within PPS to
distinguish between RTP and Washington locations.
6. FM Contract Closeout (Low Priority)
a. Issue
The NCC did not promptly perform a final inventory of GFE and CAE
in the possession of the FM contractor at the end of the previous contract.
b, Recommendation to NCC
In closing out the current FM contract in future years, the NCC
should initiate the final inventory several weeks before the end of the
contract to ensure that the inventory is completed and all discrepancies
reconciled by the time the contract is officially terminated.
7. Improvement of Equipment Inventory and Records (Medium Priority)
a. Issue
Not all items are tagged prior to receipt by the NCC. Periodic
inventories identify untagged items and other discrepancies, but no reorts are
currently prepared which summarize the results of the inventory and resolution
of problems.
b. Recommendation to NCC
The NCC should continue to implement formal internal inventories
to supplement the annual inventory for PPS, and should prepare a report at the
end of each inventory identifying the discrepancies found and how they were
resolved.
-------�
1-1
APPENDIX 1
SYSTEMS PERFORMANCE
A. Introduction
1. Objectives
This appendix reviews hardware, software and telecommunications sys-
tems performance against EPA established goals such as throughput, response
time, and availability. In those instances for which specific EPA goals do
not exist, a standard of reasonable performance based on professional judge-
ment is used. .
It should be understood that the intent of this section is to .present
the review results derived from either the interviews conducted with NCC and
FM contractor staff, or the materials presented to us for review and analysis.
No interviews were conducted with user groups either at WSC, RTP, or field
locations. Further, this review has been restricted to operational
performance only and does not cover either application development and release
or fall back procedures associated with individual applications.
2. Scope
The review focuses on the performance of the entire reviewed systems,
including overall system performance relative to a defined baseline and the
techniques which are being used to maintain or increase the overall perfor-
mance of the system. This review makes no attempt to analyze the
effectiveness of specific individual actions which have been taken to optimize
system performance (e.g. move file A from Disk pack 1 to Disk pack 5).
3. Baseline
Relative performance as stated earlier can be evaluated here only
against those baselines which have been established by EPA. The baseline to
be employed for judging performance is derived from either specific timed
boundary conditions (i.e. 95% of all transaction response times will be less
than n seconds) or specific measurable improvements in performance (i.e, 20%
or less of class E jobs exceeding throughput goals).
4. Methodology
Two sources of information have been used to obtain review informa-
tion: interviews with NCC staff and'performance statistics and analyses pro-
vided by EPA. Our review of these materials revealed a number of subject
areas which will require further investigation before meaningful conclusions
can be drawn. These areas include:
o Telecommunications - use of dedicated lines, front end processor
efficiency, planning.
0 Planning - future of AMDAHL; BEST 1 as modeling tool; use of
AOABAS; use of IBM 4341s.
-------�
1-2
o POP 11/70 - batch performance data.
0 POP 11/70 - WSC demand processslng performance data.
o Performance Goals - basis used for establishing them.
5. Structure of this Appendix
Following this introduction, three systems or system groups are exam-
ined in the next sections:
o The Sperry 1100/82 located at the NCC in RTP.
o The IBM 370/168MP and Amdahl V6 configurations, also located at
the NCC in RTP.
o The POP 11/70 configurations located at the WSC and at RTP.
A fourth section presents an overview of EPA systems planning procedures.
This subsection includes all of the above systems and will briefly discuss
known issues of importance to current planning such as software configuration,
and systems hardware expansion.-
8. Sperry Performance
1. Overview
The Sperry system supported by the NCC has evolved and has been used
by EPA since 1974. The original 1100/44 configuration was supplemented by an
1100/82. This was subsequently upgraded to an 1100/83 during its peak use
period approximately 24 months ago. Since that time, a steady migration of
applications to the IBM/AMDAHL configuration and proportionate reduced work-
load for the Sperry configuration has resulted in the removal of one of the
central processing units. There are no plans for the removal or further re-
duction of processing capacity for the current 1100/82 configuration.
The Sperry system will continue to be employed by the EPA user commu-
nity, especially by the research and development and scientific communities,
to develop special use systems. These applications are generally short lived
in comparison to those applications which have been, and still are, in the
process of being converted for IBM 370/168MP and Amdahl V6 use.
User preference for the Sperry system for these applications would
appear to result from a number of varied factors.
o Executive service utilities have been modified by the NCC to
make the system easier to use;
o Long term user familiarity with the system's on-line interactive
facilities;
-------�
1-3
o Superior FORTRAN compiler for research and development and
scientific use; and
o Reliable service and consistently good transaction response and
batch turnaround time.
Current plans call for extending Sperry system availability to users
via a series of Potomac Scheduling/TANDEM front end communications processors
which will support IBM-compatible RJE equipment. ' This enhanced system
availability could potentially bring about a significant change in the size
and nature of the workload to be supported by the Sperry system.
Modifications to the Executive System are normally not advisable in
that extensive changes jeopardize the willingness of the vendor to provide
system support. The NCC has made a number of modifications in order to
provide user convenience utilities. Sperry Corporation is aware of the
Executive modifications on the system and the NCC feels that continued support
of their system as currently modified will be available for the foreseeable
future.
Sperry system performance is assessed against three measures:
o Response time, as a measure of demand processing performance.
o Turnaround time, as a measure of batch processing performance,
o Availability, as a measure of effective maintenance and stability.
Performance objectives (number of failures, MTBF, percent up-time) have
been set for only the last two of these measures. This is as a result of the
recent overall system load declining and both demand and batch load have not
experienced any recent performance problems. The response time and turnaround
time measures will therefore be discussed in subjective terms. The primary
sources of information used to assess the performance measures are:
o Sperry Quarterly PME Report
o The FM Contractor Management Work Plans
o Weekly Progress Reports
o Failure Reports
o Tymnet Utilization Reports
o Capacity Analysis for the IBM/AMDAHL center, specifically Sec-
tion 7, Network Utilization Analysis
A Oatametrics report on Sperry performance prepared in November 1982 was
available to the review team but because of its age was used only as a
reference baseline.
2, Response Time
Currently, demand use of the system consititutes the highest critical
component. Statistics for peak first shift usage indicate the following:
o A response times peak of 4 seconds, with a much lower aver-
age response time;
o Executive usage of 12% and demand usage of 40%;
-------�
1-4
Communication line utilization of 70%.
These figures support the NCC view that the system is running smoothly.
However, some additional points must be clarified before a final judgement can
be made, including:
o terminal/line usage - a line utilization of 70% should be
considered as close to maximum if there are multiple ter-
minals. Although the review team does not have the precise
configuration, Sperry communications are addressed under
the general communications portion of the IBM/AMDAHL Capac-
ity Analysis Report. These statistics do not specifically
address terminal-to-line ratios but do seem to indicate
multiple terminal usage on most lines. This report further
indicates that reliable utilization data is not yet avail-
able. NCC has stated that under the IBM-compatible modern-
ization plan the hardware and software necessary to accom-
plish data collection for these reports is scheduled to be
procured.
o I/O statistics (number of I/O per second) and data for
deadlock are available but the review team has not yet
determined whether . internal wait queue time is reasonable
or represents the impact of any system bottlenecks. We
will examine device or channel utilization to address
this
area.
3. Batch Throughput
A copy of the Sperry Quarterly Performance Report for April thru June
1983 was provided to the review team. First shift shows an average run time
of approximately 1 minute, with backlog time about the same. Peak periods are
about 150% higher for both categories. A graph showing percentage not meeting
established goals is included in the report. Peaks on this line are not sig-
nificant. The basis for established goal figures is not known to the
reviewers. Generally, the ultimate test of throughput reasonableness is user
satisfaction. Although user support will be covered in the next phase of the
review, it should -be noted that in the June '83 NCC Contractor Performance
Evaluation, the overall user rating for job turnaround on the Sperry system
was above average, 3.64 out of a possible rating of 5.
4. Availability
System up time for the five months April through August was above 99%
for four months and 98% for one. MTBF ranged from 120 to 744 'hours. Both of
these figures exceed the. EPA goals of 97.5% and 60 hours. The maximum number
of system failures was six, in June. This also was well below the goal of 15.
The Sperry system is a dual CPU, so that a degraded operation can be
made available should one CPU fail. The Sperry disaster backup arrangements
are discussed in Appendix 6.
-------�
1-5
NCC considers the availability of the Sperry front-end communicat ions pro-
cessors to be excellent, although the documentation currently available to the
review team did not include figures to support this opinion.
C. IBM 370/168MP and Amdahl V6 Performance
1. Background and Current Use
The use of the IBM configuration is increasing steadily. There is a
steady migration of long term operational applications arid data bases to this
configuration. During 4th quarter of FY82 the tightly coupled 370/168 dual
processor began to experience serious capacity problems. Performance was
greatly improved when the AMDAHL V6 was added. However, use of the system has
increased steadily ever since and performance again appears to be reaching the
critical level. There are plans to augment the current configuration in the
near future -- a delegation of procurement authority has been requested from
GSA. There are also plans to migrate a number of applications now on the
Sperry system to the IBM 370/168MP and AMDAHL V6 systems. The reviewers have
not seen an estimate of the workload this migration is likely to impose on the
IBM 370/168MP and AMDAHL V6 system.
In general we agree with the conclusion presented in the FM contrac-
tor 3rd Quarter '83 Capacity Analysis that CPU utilization levels are the big-
gest capacity-related problem for the IBM- 370/168MP. The Capacity Analysis
and the Quarteriy Performance R epo rt (April-June 1983) have provided a great
deal of excellentinformation on the performance of this System.
No information has been made available to the review team to date
which focuses on the COMTEN front-end processors or on other aspects of commu-
nications activities. Communicat ions seem to be reliable and the pertinent
data relates to bottlenecks on the system rather than to reliability of
equipment. The NCC expressed no significant problems for this equipment.
2, Response Time
Although response time has been deteriorating, the number of DASD
EXCP's appears to be below previous yearly levels. Further, the FM contractor
plans to optimize OASD and tape blocking sizes. This approach is, for the
present CPU bound conditions on the 1MB 370/168MP, perhaps the most effective
way to control deterioration of performance under the growing work load.
More of the IBM 370/168MP workload has not been moved to the Amdahl V6 because
of:
o the cost of installing additional necessary systems
software on the Amdahl V6, and
o the as yet unknown effect of CICS and ADABAS (see "Latent
Demand" below).
3. Batch Throughput
The batch turnaround although deteriorating, appears from Quarterly
Pefgrmance Report (April - June 1983) data, to be somewhat better thanthe '82
performance during the same period. Current turnaround goals set by priority
-------�
1-6
and class are not being met. This gap, more significantly, promises to widen
rather than narrow, based on current trends. The rate of increase of job sub-
mission is difficult to predict since increasing turnaround time discourages
additional use. NCC noted that an increase in turnaround time encourages
resubmission at a higher priority which, in turn, increases turnaround. Thus
the problem compounds itself.
4. Availability
During the last six months of FY 1983 MT8F has been better than
current goals of 60 hours; number of failures per month have, on the whole,
been slightly below current tninimums (12), but exceeded them .(15) for May.
Total available system up time has consistently exceeded current goals of 98%.
At this level it is difficult to increase the level of availability.
0. PDF ll/70s
This review is directly concerned only with the two POP 11/70 sites
which are directly controlled by the NCC: the installation located at RTP and
the Washington Service Center (WSC). (The EPA also operates POP 11/70's at
regional offices and other remote sites.) Available
indicate officially established performance objectives
documentation does not
for the RTP and WSC in-
stallations. The review
against uptime objectives
Sperry mainframes:
team therefore
set by NCC for
assessed POP 11/70 availability
the IBM 370/168MP, Amdahl V6 and
o Less than 12-15 system stops per month;
o A mean time between failures of greater than 60 hours;
o An average up-time of at least 97-98%.
It should be noted that minicomputer reliability should generally be
better than that of larger mainframe computers. However, as indicated below,
the WSC POPs have not consistently achieved the standards in place for the
mainframes during the past year. The NCC noted that while there may be fewer
component failures on the minicomputers (thus longer Mean Time Between
Failures), minicomputer failures may have a greater impact because:
o ^ The Mean Time to Repair is usually longer for minicomputers
because of better on-site support from mainframe
manufacturers.
o The greater redundancy in Mainframe configurations lessens the
impact of failures in most components. For instance, loosing
on IBM disk drive is less critical than losing a POP 11/70
disk drive.
Available statistics indicate that actual uptime performance differs
significantly for the facilities at RTP and WSC. Statistics for batch
throughput performance do not seem to be available. The WSC workload is sig-
nificantly heavier than at RTP. NCC does not see a need for collecting batch
throughput performance as these jobs normally execute immediately.
-------�
1-7
1. Installation at RTF
The RTF PDP-11/70 is used to provide software support for 23 other POP
installations. All software modifications are tested at RTP and then are
distributed to the other sites in the form of executable task images. The
other sites have no system software source code and do not have the authority
to procure or install other software.
System availability data for January though September 1983 indicates
good up time performance, generally in excess of 98%. During February of 1983,
the system .experienced an abnormal number of failures (25), with a reported
MTBF of 25 hours and a total downtime of 36 hours. System availability in
subsequent months has been much better, with the number of system stops
averaging below six per month for the last quarter of FY 1983.
Based upon statistics available for September 12, 1983, system response
time seems to be excellent. Response was within one second 97% of the time,
and under three seconds 99% of the time.
As noted previously, data regarding reruns, backlogs, turnaround and
on-schedule completion times was unavailable to the review team. However,
availability and response time statistics do appear to be reasonable.
2. WSC Installation
The WSC installation maintains two POP 11/70's:
o System A ("Administrative system") provides support to the
Office of Administration and the Administrator's Office.
o System B ("Applications system") provides support to users
at other headquarters' offices.
System A is considered the priority machine and therefore, if either
machine is down, applications normally assigned to system "A will take
precedence.
As with the RTP installation, there are no officially established
performance objectives outlined for the WSC computer in the Management Work
Plans. At the WSC users' meeting of August 25 1983, WSC management expressed
the goal that the center provide 99% uptime on a 24-hour basis, excluding
planned backup and maintenance activities. Availability statistics were pro-
vided at the-meeting, as well as certain other data including printer and ter-
minal usage and disk errors. Batch throughput data was not available as NCC
does not collect this data and the batch jobs normally execute immediately.
It should be noted that uptime percentage statistics provided for the
WSC computers are different from those presented in the RTP Weekly Progress
reports. Mean time between failure (MTBF) is calculated at both sites as the
ratio between the number of systems failures and the total number of hours in
the month (MTBF = (24 x days/mo) § failures, or 1, whichever is greater).
Mean time between production failures (MTBPF) is calculated at both sites the
same way: MTBPF = Production hours/ff failures + 1. However, uptime
percentages in the reports provided for WSC have been calculated based upon
-------�
1-8
total production availability rather than total hours. The net result is that
production uptime percentages provided to the review team for the WSC are
slightly lower (relative to RTF) because of this difference in methodology.
Both types of statistics appear to be collected and reported at each site.
The differences noted here were identified through the source documents
provided to the review team, i.e., weekly progress reports for RTF and users'
meeting reports for WSC.
The review team examined uptime statistics for the A system for the
period October 1982 thru September 1983 and corresponding statistics for the B
system for the months February'1983 thru September 1983. Both systems had
difficulty meeting reasonable levels of performance through March 1983 with
high numbers of failures per month and corresponding low MTBF's.
The A system has experienced dramatic improvements in uptime perfor-
mance since March, with the number of failures per month remaining at or below
5, and MTBF never lower than 144 hours. Monthly production uptime has been as
low as 97% only once and has been 99% or higher four times since March 1983.
The B system, started to improve in April, but began to experience a
high number of failures in June and July (11 and 21, respectively). MTBF was
likewise abnormally low during'these months. The failure rate has again im-
proved to well within acceptable limits since that time, but it is not clear
whether or not this actually represents a permanent improvement in
performance.
Both the WSC and DEC have investigated the B system problems of June
and July. However it appears that a definite answer to all of these problems
has not been found. Several recommendation's are being implemented, but these
are oriented primarily toward isolating and identifying future problems.
Monthly production uptime percentages have not been consistent on the
B system and have averaged about 96%, with a low of 94% in August. Uptime was
at 97% or higher during April, June and September. It should be noted that
the uptime percentages did not drop significantly during the June-July period
despite a peak in the number of-failures.
The WSC found a discrepancy in the automated reporting of the peak
number of concurrently active terminals and the number of terminals they knew
were active. This was reported to the NCC minicomputer team at RTP and
entered into the "bug" system. The NCC minicomputer team at RTP determined
that there was a "bug" in the PDS which caused a failure to mark a user as
"logged in" if the user accessed an application through the CLI rather than
through the PDS. This error was corrected and a new copy of the PDS task was
sent to the WSC at the end of October. The corrected version was to be sent
to all sites with the December release. This means that the automated reports
for WSC cannot be relied upon concerning the peak number of active terminals
as there was serious undercounting.
E. Planning
Information for the overall planning model is gathered from a number of
sources. These include:
-------�
1-9
o FIMAS - provides run time information by system based on USER-ID
tracking of application execution.
o ARMS - provides historical and projected budget information by
program category.
o Management Survey - provides vital planning information concern-
ing new programs and program expansion.
The above three sources are combined to provide an EPA Requirements
Analysis document. This document focuses on overall agency requirements as
opposed to individual application requirements. The Requirements Analysis,
together with configuration and system operations plans, provide the input to
drive the BEST 1 model which, in turn, generates specific physical expansion
plans.
The modeling procedure, as it is roughly described above, has not yet been
examined by the reviewers. To date, only the FIMAS reports have been
reviewed. In lieu then, of a report on the planning model, a number of areas
which are considered as essential planning factors are discussed below.
1. Sperry to IBM 370/168MP and Amdahl V6 Conversion
The conversion of one or more "applications will change both the
Sperry and IBM 370/168MP and Amdahl V6 resource availability significantly.
The nature of conversion will be of particular importance: that is, whether a
straight translation is planned, or a conversion to ADABAS is contemplated for
the applications to be migrated.
2. Latent Demand for Sperry
Because of the nature of the use of the 1100/82 (i.e. short lived
programs), it would be useful to know if a latent demand exists for the Sperry
machine which might today be blocked by a lack of access via IBM compatible
RJE equipment. If this demand exists, it will show in increased usage when
access is provided by the Potomac Scheduling/Tandem controllers.
3. Latent Demand IBM 370/168MP and Amdahl V6
Latent demand is a major issue for the IBM 370/168MP and Amdahl V6
systems. Increasing turnaround time seems to be holding back latent demand.
For the Amdahl V6 processor, the impacts "of CICS and ADABAS cannot 'yet be
measured and are difficult to predict quantitatively. As these are both,
potentially, tools which together can result in a more user-oriented system,
it is extremely difficult to predict with any confidence what the final system
demand may be. -
4. Communications
In addition to the planned changes discussed above, the growing de-
mand for interactive services and the new software to be developed for the
Potomac Scheduling/TANDEM processors make communications an area of particular
importance. The review team has not been provided GCS, C/SP, COMTEM or Tymnet
line utilization projections or planning data.
-------�
1-10
5. Workload Forecasting
Although forecasts of system use have to date been made on the basis
of a reasonably uniform mix of transaction and application types, it would
seem that current trends might predict a change. In particular:
o 1nteractive processing - As indicated in the third quarter
Capacity Analyses Report, this demand may have slowed as a
result of deteriorating service on an overloaded system.
o ADABAS - The use of this data base system may increase both
the mass storage and I/O requirements significantly. The
use of a high level end user-oriented language such as
NATURAL (which is used in conjunction with ADABAS) may fur-
ther increase the program development work to be supported
by the system, (i.e. the user-friendliness of NATURAL may
encourage more development by end-users).
6. Replacement of POP 11/70 Technology
The ADP Modernization Plan expresses a goal for EPA to replace the
POP 11/70 technology at regional offices and remote sites with more current
technology. This involves the replacement of the POP's as nodes within the
communications network, but does not necessarily mean the machines themselves
will be taken out of service. The plan expresses the following rationale for
this objective:
o DEC has indicated plans to phase out software and mainte-
nance support for POP 11/70, and
o EPA would have to bear the cost of continued support of a
modified operating system in order to maintain compatibil-
ity with the EPA network;
The plan does not address the POP 11/70 installations at RTP and WSC
specifically, but the indication is that all POP 11/70 sites will be involved.
There is not enough data available at the present time to project the effect
of such a change on POP performance at either the RTP or the WSC sites,
However, we would expect a decline in workload for these machines as users
migrate to the replacement systems and also have available 'office1 computers
to support local processing needs.
-------�
2-1
APPENDIX 2
DATA CENTER OPERATIONS
A. Introduction
1. Scope and Objectives of the Evaluation
The overall objectives of this part of the review are to
whether procedures and controls for data center operations provide
processing facilities and lead to efficient operations.
assess
stable
The scope of this portion of the review includes both the RTP and the
WSC operations. At RTP the review addresses the operation of the IBM
370/168MP, Amdahl V6, Sperry and POP 11/70 equipment while it excludes the DEC
2020s, IBM 4341 and MAD VAX equipment. The DEC 2020s are being phased out and
the IBM 4341s are being brought in to replace them. At this time a baseline of
operations on the IBM 4341 equipment has not been established. The MAD VAX
equipment is operated in a way consistent with the remainder of the NCC but is
currently dedicated to the processing needs of a single laboratory. At the WSC
this portion of the review addresses current PDP-11 operations.
This review of operations focuses on the following areas for both the
RTP and WSC locations.
o Organizational structure
o Staffing
o Schedule of operation
o Maintenance of equipment and software
o Job flow management
o Monitoring and management of usage of particular resources
(e.g, drsk, paper, etc.)
o Documentation
o Standards
o - Procedures
The views of users with regard to NCC operations are addressed in
Appendices 3 and 8 of this report. General management issues that impact NCC
operations are also addressed in Appendix 8.
-------�
2-2
2. Evaluation Baseline
The EPA computer centers operate in a manner that Is somewhat unusual
when compared to centers in other organizations. In general, users control the
running of individual applications and do not turn them over to NCC/RTP and WSC
staff as operational systems in the normal sense. In EPA, user organizations
generally develop an application and operate it, and also make any necessary
modifications, corrections and extensions to the application. The NCC has not
had significant responsibility for developing user applications .in the past.
The NCC's role in this area may change somewhat under a proposed
reorganization, but the extent of changes is unclear at the present time.
In addition, there usually is no formal turnover of a system to NCC
staff when it becomes operational. The user organization remains responsible
for all software maintenance. Given this environment, the NCC operations at
RTP and WSC function essentially as a data processing service bureau which is
used by a large number of users, and are evaluated from this perspective. NCC
does provide a "production control" service for a fee when requested.
The basic evaluation guidelines are those set forth in the GSA Guide-
lines for EDP Performance Management - 1977. In addition, general industry
guides and practices are considered.
3. Methodology
The data used in the evaluation was gathered by:
o Interviews with key personnel
o Examination of documentation and reports provided by the
NCC
o Observation of operations at the two centers
4. Structure of This Appendix
This appendix consists of the following major sections in addition to
this introduction:
o Section B, EPA and FM Contractor Management Issues, covers
those issues related to organizational structure, personnel
policy and training.
o Section C, Issues Related to the Use of the Facilities,
covers issues related' to user-operated systems which have
an impact on data center operations.
o Section D, Operations Issues, covers the way in which the
operations functions of the NCC are carried out.
All sections address both NCC/RTP and WSC operations. Both facilities
are usually treated together but in some case they are treated separately.
-------�
2-3
B. EPA And FM ContractorManagement Issues
Many of these topics are addressed from a broader perspective in Appendix 8
which addresses overall NCC management.
1. EPA Organization Structure and Staffing
It appears from the interviews held with EPA staff that the staff is
hard working and professional in attitude, but they are over-committed to per-
forming more tasks than they, can reasonably be expected to handle efficiently
and with full effectiveness. In the opinion of the reviewers, the EPA staff is
not large enough and consequently as a group does not possess the depth of both
technical and management skills to properly carry out tasks performed directly
by EPA staff and also technically monitor and managerially control the work of
a very large contractor staff.
The ADP modernization plan will add new responsibilities for NCC
personnel, and the functions assigned to the NCC under the proposed reorganiza-
tion may increase the NCC's need for individuals with strong managerial skills.
(a) EPA has undergone and is undergoing significant organi-
zational changes. A firm restructuring of the NCC DPS organization took place
during November and December. " During the review the Data Processing Services
organization within MIDSO was in a state of transition.
(b) There has been a very heavy turnover of EPA staff dur-
ing the past year, especially considering the small numbers of that staff.
Some new staff were acquired from within the Agency and from other sources, and
required considerable orientation to fill their new positions. Several posi-
tions vacated by former NCC staff members have not yet been filled.
(c) The changing organizational structure and the turnover
of staff has meant that remaining staff have had to assume wider responsibili-
ties and in some cases have had to change positions.
(d) The number of EPA staff as compared to the number of
contractor staff means that it is almost impossible for EPA staff to technical-
ly monitor and managerially control contractor activities. Overall, the NCC
comprises 27 EPA staff (including administrative and clerical support) and over
200 contractor staff. At the WSC there is only one on-site full time EPA
employee.
(e) The increasing technical work means that there are
areas in which current EPA.staff appear to have insufficient depth of exper-
ience and technical knowledge to effectively review the work of the FM con-
tractor. These areas include telecommunications networking, ADABAS, CICS, and
IBM systems programming. (This finding relates only to the capabilities of EPA
staff in terms of control, and does not reflect on the quality of work perform-
ed by the FM contractor.)
-------�
2-4
(f) The limited number of EPA staff must act both as tech-
nical managers and technicians. Often qualified technicians dislike serving in
the role of manager and especially dislike having to handle the large amount of
associated paperwork. This has been one of the reasons that some of the more
technically oriented staff have resigned. It has been difficult for the NCC to
find, hire and retain good managers who possess the technical skills needed by
the NCC.
(g) The present situation, where many NCC functions are ac-
complished through a heavy reliance on contractor staff, does not appeal to a
number of present and prospective staff.
(h) There appears to be a problem of obtaining positions
for highly skilled technical staff (such as systems programmers} at a rea-
sonable grade (i.e., salary) level. This area, including a position review
conducted by the Office of Personnel Management (0PM), will receive further
attention in the next phase of the review.
2. FM Contractor Organization Structure and Staffing
The FM contractor has experienced few of the organizational and man-
agerial difficulties experienced by the NCC EPA staff. The senior FM contrac-
tor staff has been relatively stable and the organizational structure seems to
have remained stable during the past year.
The FM contractor has encountered some difficulty in hiring techni-
cally qualified staff for specific areas, such as CICS and telecommunications
experts.
C. Issues Related To Operations of Systems by Users
The following issues relate primarily to.the running of jobs directly by
user personnel rather than to the relatively small number of systems operated
by NCC staff.
1. Printed Output
The amount of paper consumed by the NCC at ,RTP and the WSC is
considerable. The normal consumption appears to be as follows:
o At the NCC, for all computers, monthly usage averages 418 .
boxes of regular paper and 139 boxes of laser paper (based
on a 9 month average). In addition, there is an irregular
use of special forms, which can be very large -- on one
weekend 89 boxes of special forms were*used
o At the WSC, average weekly usage is 110 boxes of paper for
the POP ll/70s and the RJE printers.
It should be noted that the above paper usage does not include print-
outs at regional and other sites for jobs run on the mainframe computers at
RTP. :
-------�
2-5
In total, the NCC and WSC paper consumption represents approximately 2
million pieces, of paper a month. The review team believes that it would be
difficult for users to really read this amount of paper. This large volume of
printouts represents a large significant cost in terms of:
o The cost of the paper;
o The cost of sending printouts to users from RTP — many
printouts are sent by AIRBORNE express delivery; and.
o The cost of operating the number of printers required to
support this amount of paper production (staff, machines,
power, space, maintenance,, etc.).
tion:
There is some tangible evidence that there is excessive paper produc-
o The fast rate at which the large waste paper container out-
side the WSC service window fills up with paper discarded
by users; and
o The apparent lack of any systematic effort to reduce the
amount of paper output, such as using microfiche or having
users inspect data on-line before having it printed out.
2. Tape Data Sets
At the NCC the total number of tapes changed as illustrated in Exhibit
IV-1 over the past year. Total tapes as of October 3, 1982 are 46,517, and as
of October 3, 1983 are 49,318. This represents a net growth of 2,801 tapes or
6%. Since the review team has not been tasked with examining EPA's
applications, we cannot assess whether the above data represents a reasonable
usage of tapes.
The number of foreign tapes is very limited, less than 500 tapes for
both years.
The NCC has adopted two measures to discourage users from retaining
unneeded tapes:
o All users are charged a monthly fee and receive a monthly
list of all tapes for which they are responsible.
o If a user's ID is cancelled (usually .because of departure),
then a list of the user's tapes is sent to the responsible
ADP coordinator for review.
NCC personnel consider these measures to have limited effectiveness,
particularly with respect to IBM 370/168MP and Amdahl V6 users.
-------�
2-6
EXHIBIT IV-1
CHANGES IN NUMBER OF TAPES DURING PAST YEAR
IBM Sperry
DEC
10-3-82 10-2-83 10-3-8210-2^83 10-3-8210^83
Assigned to users 11,162 14,601 11,181 11,406 1,526 . 1,625
Released/
Scratched
Archived
Operational/
Backup
Total
New, in stock*
Miscellaneous*
1,859 1,083
2,775 2,270
2,887 3,262 1,141 1,751
1,170 1,268 0 0
6,983 7,261 1,971 1,600 1,309 1,309
22,779 25.215 17.209 17,536 3.976 4,685
250* 270*
2,303* 1,612*
* = IBM + UNIVAC + DEC
-------�
2-7
To date there .has been no regular reading of archive tapes to
ascertain readability. A policy is now being developed to penalize users for
jobs which fail because of unreadable tapes. The NCC can identify the date a
tape entered the system, but does not know when it was originally created. A
number of tapes came into the system when EPA assumed operation of the IBM
equipment from COMNET, and some of them may have been created many years
earlier.
The NCC uses the UCC1 tape management system for IBM tapes and a
locally developed system to keep track of Sperry and DEC tapes. These systems
are used effectively and the NCC enforces strict tape labelling rules.
The reviewers logged in a foreign tape and received reports on the
login/logout of the tape in the NCC system. No significant problems were
encountered.
Some tapes are created when disk data sets are moved to tape. This
issue is addressed in the next subsection.
3. Disk Data Sets
For FY83 the total number of disk packs (both fixed and removable) was
as follows:
Disks
IBM 3350
3330
UNIVAC 8450
8433
DEC RP06
10-3-1982
88
168
10
175
47
1Q-2>1983
153
85
6
163
62
These statistics show a change to higher capacity fixed head disks for the IBM
system. This change represents a significant increase in on-line storage capa-
city.
There seem to be no pricing incentives for discouraging on-line disk
storage. Users are discouraged from inappropriate use of on-line storage by
moving unused disk data sets to tape in accordance with the following policies:
o For the IBM, unaccessed data sets are removed to tape after
45 days and the tapes are scratched if not accessed within
an additional 18 months.
o For the Sperry, unaccessed data sets are removed to tape
after 30 days and monthly save tapes are scratched if not
accessed within an additional 90 days.
Since the Sperry has a "virtual" disk capability, this system rolls
out unused data sets to tape if there is insufficient available space to add a
new data set.
-------�
2-8
The reviewers believe there may be a relationship between the more
liberal disk storage policy for IBM users and the fact that at the end of FY83
there were some 7,261 operational/backup tapes for the IBM and only 1600 for
the Sperry.
Users are notified if unused data sets are moved to tape. They are
not notified when those tapes are scratched.
Knowledgeable users are able to run "dummy" jobs to access data sets
for the sole purpose of keeping them from being archived to tape, and this has
happened on at least one occasion. In this case the data sets accessed by a
job had been archived to tape and the operators noticed the very large number
of tape mounts.
The retention period for IBM data sets which are not used (i.e. 45
days on the disk and 18 months on tape) seems to be too liberal and should be
justified. The Sperry approach is more reasonable. The policy of not sending
warning notifications when scratching tapes containing archived disk data sets
could be a source of problems.
4. Reruns
The NCC does not have good statistics on reruns because of the manner
in which the center operates. However, the NCC does not have the
responsibility, authority, or staff resources to monitor system design or
operational efficiency of user applications which may be one of the causes of
reruns. For the small percentage of systems for which the NCC has a "quasi"
operational responsibility, the application systems are monitored and thus
reruns are detected. However, for systems operated by users, a user may have
several reruns without the NCC being aware of them. This occurs because
production control staff do not know what type of job a user is performing.
Rerun statistics are one measure of whether application systems are well
designed, and whether they are implemented and operated properly.
When hardware or system software problems cause jobs to fail before
completion, the operations staff is aware of the resulting reruns and the users
are not billed for them.
If consolidation of AOP management is implemented Agency-wide, in the
future better information should be available for reruns and enable their
causes to be determined and preventive actions taken where possible.
5. Runbooks
Until recently the NCC had a limited formal "runbook" standard, Form
and Content Standard For Production Control Run Books, because there were very
few systems for which the NCC initiated the runs. Our examination of a sample
runbook is based on this standard, the PRODUCTION CONTROL RUNBOOK, GAS CYLINDER
INVENTORY SYSTEM PROCESSING dated August 8, 1983 indicates that the person op-
erating the system is doing more than would normally be expected of a computer
operator. However, the book appears to be understandable and appropriate.
-------�
2-9
The conversion of the Dept. of "Interior Payroll System (DIPS) has
caused the NCC to prepare specific guidelines for the Payroll system runbook.
An undated four page runbook outline, DIPS RUNBOOK SPECIFICATIONS, .has been
prepared by the NCC. The Payroll groupis expectedto prepare a runbook
according to these specifications and it will be reviewed by NCC Production
Control. If the run book follows these specifications, including the
appendices, then it should be adequate. The runbook approach of the NCC
requires close cooperation between the NCC and the group developing the runbook
because the standard is very brief and requires interpretation. The NCC
believes this approach is workable in the current environment because there are
onTy a limited number of systems for which NCC requires runbooks.
6. Available Software
There does not appear to be tight control on the number of different
types of similar software available to support a particular function. A Soft-
ware .Review Council functioned in previous years but is no longer active, DPO
policy has been to allow users to procure packages with which they are
familiar, and to operate them on the mainframes with certain stipulations to
ensure no adverse impact on other users.
Some examples of similar software are:
o Software for maintaining program libraries:
- LIBRARIAN
- PANVALET
NCC staff noted that they intend to eventually delete the
Librarian software which was acquired with the Payroll
system.
o Data base management software
- SYSTEM 2000
- IDMS
- ADABAS
For new on-line applications, ADABAS has been designated
the Agency standard. It should be noted that there are use
standards and an NCC data base administrator (DBA) for
ADABAS, while this is not true for SYSTEM 2000 and IOMS.
o Text editing software and job submission capabilities:
- OBS WYLBUR
- IBM SPF
o Graphics software:
-------�
2-10
- TEXT-GRAPH
- TELL-A-GRAF
- SAS-GRAPH
- IPP-GRAPH
- CALCOMP
- HARVARD GRAPH
Providing more types of software than may be necessary to support a
given function results in higher acquisition costs, support costs, maintenance
costs, additional training, etc. It is not apparent that the number of ver-
sions of similar software now available at the NCC are necessary. It should be
noted that this situation seems to be related to the general philosophy of•try-
ing to give the user "what the user wants".
D. Operations Issues
1. Standards
NCC has general operating standards and also specific standards for
each type of equipment. The standards listed below are those provided to the
review team.
a. General Standards
ways,
All of these general standards are not current in significant
o OPERATIONS HANDBOOK - Procedures have different dates and
some need to be updated such as the 'EPA 1000 PERSONNEL CALL
LIST1 dated September 14, 1982.
0 AUTOMATIC DATA PROCESSING (ADP) MANUAL (Joint responsibility
with OIRM)
Chapters 1-6 March 31, 1975
Chapter 6 Appendix updated December 2, 1977.
Chapter 7 added October 13, 1976
Chapter 8 added October 14, 1976
Chapter 9 added Octboer 7, 1976
o ADP SYSTEM DOCUMENTATION STANDARDS (February 1980)
-------�
2-11
b. PDP 11/70 Standards
These standards are relatively current and appear to be adequate.
They include:
PDP 11/70 SYSTEM MANAGER'S GUIDE (no date)
PDP 11/70 PROGRAMMER'S REFERENCE MANUAL (July 1982)
.PDP .11/70 USERS' MANUAL (July 1982)
PDP 11/70 OPERATIONS MANUAL (April 1983)
PDP 11/70 Standard Operating Instructions - Last update
April 4, 1983. This document is identified as an SDC
document. All documents should be identified as "NCC".
They include:
IBM/AMDAHL Standards
These standards are relatively current and appear to be adequate.
NCC-IBM STABILITY PROCEDURES MANUAL (October 22, 1982 and
currently being updated)
NCC-IBM User's Guide (May 1983)
d. Sperry Standards
These standards are relatively current and appear to be adequate.
NCC-UNI VAC STABILITY PROCEDURES MANUAL (April 1983)
NCC USER REFERENCE MANUAL (April 29, 1982) - Parts of this
manual alsohave general applicability.
2. Change Control
There is one change control procedure for the mainframe computers
(IBM, AMDAHL and Sperry} and a separate procedure for the PDP ll/70s. Both of
these.procedures seem to be adequate and function reasonably well. The change
control procedures apply to mainframe hardware changes as well as software
changes.
a. Mainframe Change Control
All managers for operations-related functions attend a
weekly change control meeting which utilizes an automated
list of all active or pending changes. These changes are
reviewed and approved before implementation. This proce-
dure has worked well except for a change in August which
caused an error in the user billing programs. There is
also a procedure for handling and documenting emergency
changes which seems to work well.
-------�
2-12
b. PDP 11/70 Change Control
A controlled approach U used for releasing software
changes. ' At mid-month* changes are frozen and then
transferred to a production data set. This set is sent to
Region 8 for a pilot operation. If the pilot succeeds the
new release is sent to all sites on the last day of the
month. An automatic notification is sent to the NCC when
the release is implemented by each site. This system
appears to work well. - .
3. Progress Reporting
The FM contractor prepares weekly progress reports for the RTP facil-
ity and the WSC. These progress reports have the following structure:
a. NCC RTP
Tasks for period
Tasks completed to date
Activity highlights {operations, systems, telecommuni-
cations)
Failures summary
Monthly NCC stability summary
Four-month NCC stability summary
IBM production control
Sperry production control
DPSS weekly work statistics
b. WSC
Tasks for period
Tasks completed to date
Activity highlights {specific tasks, production ser-
vices, operations services)
- . User assistance (IBM system, DEC systems, PDP 11/70
systems)
Washington Service Center - production services
Distribution of output
Management work plan for period
Failure and downtime
These reports appear to be reasonably complete and accurate.
4. Morning Meetings
Each morning there is an informal meeting to review the results of the
previous day and take appropriate action. These meetings use the monitor re-
ports to review system activity and to determine if there are developing pro-
blems. The shift logs are also available at these meetings. Since there us-
ually is no written record of actions selected at these meetings it is not pos-
sible to track the effectiveness of the meetings. However, morning meetings
seem to be generally effective since operations staff continue to effectively
provide needed services.
-------�
2-13
5. Monitoring Reports
These reports appear to give management a good overview of system
operations. Of particular usefulness is the month-to-date summary which pro-
vides operating trend data. There is no automated system to consolidate these
figures to produce year-to-date operations data.
-------�
-------�
3-1
APPENDIX 3
USER SUPPORT
A. Introduction
1. Objectives of the Evaluation
This part of the review addresses the overall user support function of
the NCC, and has three broad objectives. The first objective is to assess the
completeness of support services available to users. The second objective is
to determine the adequacy of these services, with a primary emphasis on the
views of actual NCC users. The final objective is to confirm our conclusions
regarding overall NCC operations by examining the views of those supported by
operations, namely the NCC user community.
2. Scope of Evaluation
This evaluation of user support services focuses on support functions
for users of the IBM and Sperry computers located in RTP, and the PDP-11
installation at the WSC. It does not address user support functions related
to the regional PDP-11 minicomputers, or the recently expanded role of the NCC
with respect to the PRIME minicomputers and IBM personal computers that are
installed at program office locations.
Specific topics addressed by this evaluation include overall user
communications, problem reporting and technical support, training, and user
evaluations of the NCC.
3. Baseline for Evaluation
There is currently no formal Federal standard or requirements specific
to the user support function. Therefore, this evaluation of user support
services reflects the judgement and experience of the review team in managing
and evaluating the operations of other data centers. This evaluation also
reflects the views of NCC users documented in regular user surveys conducted
by the NCC.
It should be noted that this evaluation focuses on the support
function within the context of the NCC serving as a computer utility and
coordinator of several key ADP functions (i.e., training). Since most
applications are operated directly by users and not by NCC staff, minimal
emphasis is placed on support services related to production system services.
4, Methodology
The findings and conclusions of this part of the review are based on
the review team's review of documented procedures, examples of pertinent
fo/ms, the results of user surveys conducted by the NCC, the reports produced
by problem reporting and tracking systems, and on interviews with
representatives of the user support function. In conducting this evaluation,
the review team did not contact directly or independently survey users of the
NCC.
-------�
3-2
5. Structure of this Appendix
This appendix consists of this introduction and the following
sections:
o Section B, User Communication^, addresses the mechanisms used by
the NCC to communicate with its users.
o Section C, Problem Reporting and Technical Support, addresses
procedures for reporting, tracking and correcting problems
reported by user's. This section also addresses how the user
support function handles problems related to the sharing of user
IDs.
o Section D, User Evaluations, addresses the procedures for
obtaining feedback from users on NCC services, and summarizes the
results of user evaluations for the past year.
o Section E, User Training, addresses the overall user training
program of the NCC, including approaches used to identify
training needs, procedures for requesting training, training
courses available, and training for program office ADP
coordinators.
B. User Communications
The NCC utilizes a wide variety of mechanisms to communicate a great deal
of information to users. Current approaches include communication directly
through the EPA network as well as mailings of hardcopy documents.
!• User Communications System
The NCC provides users the opportunity to identify the subjects for
which they would like to receive technical memoranda by distributing a User
Profile Worksheet to all new users and conducting a quarterly update for
current users. The quarterly update is sent to all user IDs, and to special
'pseudo IDs1 that are established only for purposes of communications. Among
the topics included on the worksheet are:
o Distribution of users guides and reference manuals,
o Participation in NCC performance evaluations,
o Distribution of ONLINE publication,
o Data center management,
o General Information,
o Data center policy, usage,
o Hardware,
o Telecommunications system,
o Technical advisories,
o Training, and
o Software {systems software, utilities, compilers, and
applications packages).
-------�
3-3
2. Automated Communications
The NCC communicates with users directly through the EPA network in
several ways:
o 'News Alerts' for particularly important messages sent to
users of WYLBUR and ISO, with optional printing of Alerts on
batch outputs.
o 'Computer Mail' messages for users of the IBM and Sperry
mainframes.
3. Other Hardcopy Communications
The NCC also communicates with users via the internal EPA mail system
in several ways:
o Technical memoranda and user memos distributed to appropriate
user IDs based on the results of the User Profile.
o Quarterly 'ONLINE' publication for topics of general interest
to NCC users.
4. User Group Meetings
Regular monthly meetings are held for users of the WSC. The NCC would
like to hold quarterly meetings for users of the NCC mainframes, but the
availability of limited travel funds limited these meetings to approximately
one every six months in FY83. To supplement these meetings, the NCC has held
periodic conference calls to provide information to and receive feedback from
users at remote locations. The manager of user support also noted that an
Agency-wide ADP conference has been held in past years. This conference
seemed to be of interest to users and was useful to the overall function of
the user support group. No conference has been held in the past two years,
and none is scheduled for FY84.
5. Assessment of User Communications
The User Communications System provides an excellent opportunity for
users to periodically indicate subjects of interest and ensure that they do
not receive memoranda for subjects for which they have no specific interest.
The variety of mechanisms used to communicate with NCC users seem to
effectively and efficiently communicate information that users either need or
want to receive.
C. Technical Support and Problem Reporting
1. Production Control and Technical Assistance
Most EPA application systems are operated by users and are not run by
NCC staff. Therefore, the NCC role with respect to production support is
generally to contact users when a job aborts or otherwise does not run
properly. Upon request, the NCC staff will more closely monitor very
important jobs submitted by users and provide appropriate feedback when the
-------�
3-4
job is completed. Based on the NCC survey of users, users seem to be pleased
overall with NCC production support services.
2. Problem Reporting Procedures
The NCC provides users with system status telephone numbers for each
major system (i.e., IBM, Sperry, PDP-lls at WSC). A recorded message is
provided to users when a system is expected to be down for an extended period
of time. This is a useful service and efficient way to report system status
to users.
Problems reported by users for either the IBM or Sperry systems are
entered into the 'Customer Assistance Requests System' (CARS), and are coded
by subject. Up to three codes may be used out of a total of 100 codes.
Included among the CARS codes is a code for requests for refunds. (See
chapter IV for procedures for handling refunds). All user requests are
with the exception of simple information requests or calls received
busy periods when a system is down. These calls are
user support staff. A separate reporting system (i.e.,
to record problems reported for the PDPs installed
logged
during
simply tallied by the
'Bugs' system) is used
at the WSC (and also
problems reported for PDPs at other locations). These procedures effectively
record significant problems, and also represent a reasonable approach to
tracking simple user support requests requiring minimal NCC assistance.
3. User Request Tracking and Problem Resolution
Problems recorded in the CARS and POP 'Bugs' system remain active in
these systems until they are corrected. CARS produces weekly reports which
are reviewed by NCC analysts to identify problems that have not yet been
resolved. Based on available CARS data (which is detailed and comprehensive),
it appears that virtually all requests are resolved promptly. The relatively
few CARS requests that have not yet been resolved relate to software problems
that need to be corrected by vendors and cannot- be resolved solely by the NCC.
Where possible, the NCC staff member receiving the user's call for
assistance resolves the problem. When another group within the NCC is called
on to resolve a problem, the solution is given to the original user contact
who re-contacts the user. This is a commendable approach to provide effective
feedback to users.
NCC staff also use CARS data to identify recurrent problems that may
be addressed by providing additional training to NCC users.
4. Role of User Support in Controlling User IDs
of users
the user
The user support staff indicated that a significant number
share their user IDs and- passwords with other users. Although tne user
support staff encourages each user to obtain his/her own ID, this group cannot
assign new IDs nor .unilaterally cancel misused IDs. Generally, the user
support staff reports only major abuses of the NCC facilities to the account
registration function for action to be taken against the offending ID. It
should be noted that user IDs are not cancelled without the concurrence of the
account manager for the corresponding ADP account.
-------�
3-5
User Support identifies instances where IDs are shared in several
ways.
o When a job impacts the system, User Support terminates the
job and contacts the official holder of the user 10 under
which the job is run. This individual may or may not be
aware of jobs submitted with his/her ID if they are submitted
by a different person. At times User Support is unable to
locate the individual who actually submitted the job.
o When passwords are changed quarterly, a significant number of
users call who find themselves unable to log into the system
due to the password change. ' At times the official holder of
the ID calls in for assistance because another user has
changed his/her password.
o .When a user calls in for assistance, the user support staff
may use the on-line CARS system to identify the official
holder of the ID and determine whether the caller is the
holder of the ID.
o NCC operators may notice a user having difficulty using the
system or using the system very inefficiently. In these
cases the official holder of the ID is contacted to provide
advice on the proper use of the system.
User support generally suggests that all users obtain their own IDs,
and strongly suggests that separate IDs are given to contractors and EPA staff
using the NCC's facilities under the same ADP account. User support also
encourages ADP account managers and.ADP coordinators to terminate user IDs for
employees who leave the Agency. When a user without an ID calls user support
for assistance, this group tries to provide the minimal assistance possible
and encourages the user to obtain his/her own ID.
User Support noted that there seems to be greater interest by NCC
management in recent months for controlling user IDs. However, no actions or
decisions to more rigorously enforce restrictions on sharing of user IDs, or
to provide supplemental training to users in this area, have been made to
date.
User Support also noted that stringent enforcement of policies for not
sharing user IDs might cause a hardship for some users, especially users with
minimal ADP experience. In some offices, several users may share an ID with a
'lead1 user setting up standard jobs to run reports and other common
processing functions. User support noted that some arrangement should be made
to accomodate these users if stringent enforcement of user IDs is implemented
by the NCC.
D. User Evaluations
1. User Evaluation Procedures
In addition to the users meetings noted above, the NCC conducts a
survey of users to assess the performance of the NCC. Although this survey is
-------�
3-6
entitled 'Contractor Performance Evaluation', the survey actually assesses the
overall performance of the NCC in six major areas. These include operations,
telecommunications, user support services, technical support, applications
systems support, and system reliability and user-services relative to other
data centers. The review team considers this a reasonably comprehensive
survey.
The survey is conducted every four months and is sent to all user IDs
indicating an interest in participating in the survey on their user profiles.
Scoring is. done on a five point scale, as follows:
5 - Excellent
4 - Above Average
3 - Average
2 - Below Average
1 - Poor
N - No Observation
Users are also encouraged to provide narrative comments and
suggestions in addition to the quantitative scoring for each evaluation
criterion. An apparent deficiency of the survey form, however, is that it
provides no definition of the specific services addressed by each evaluation
criterion.
Overall user interest in the survey does not appear to be especially
high. For the quarterly profile preceding the most recent survey, only 813
users out of a total of roughly 4400 user IDs for the IBM and jperry systems
(1ess than 20%) indicated an interest in participating in the survey. Actual
response to the survey for the evaluation period of June through September
1983 was extremely low. Only 14% of the users indicating an interest in the
survey actually participated. As a percentage of all user IDs, the actual
response was statistically insignificant, as follows:
System
IBM.
Sperry
POP 11/70s
Approximate
Number of
User IDs
3300
1100
230
Actual Number
of Responses
78
32
1
Response %
2%
3%
less than
1%
Although overall response to the survey is quite low, the user support
staff and other NCC managers believe that it is generally representative of
users' views of the quality of NCC services. Several managers suggested that
the survey results may tend to be low since users who have encountered service
difficulties may be more likely to respond to the survey. The review team
generally agrees with the NCC on this point. However, as noted in Appendix 8,
the survey results are also used to evaluate the FM contractor, and the low
response rate needs to be viewed from a different perspective in that context.
The survey results are compiled by the NCC staff and a number of very
useful analytic reports are produced to identify overall scores for each
-------�
3-7
question, the distribution of scores, and major, trends from previous surveys.
Both tabular reports and graphics are used, and the review team considers
these excellent. The NCC also follows up on most substantive comments
provided by survey respondents.
At present, the survey results are distributed in summary form to
several NCC managers and to other managers within OIRM. Although the results
are not currently distributed routinely to users, the NCC is considering
including the results of the previous survey with the survey forms sent to
users in. order to provide feedback to users and encourage more users to
participate in the survey. The review team believes that this should improve
the response rate, although the degree of improvement is hard to predict.
2. Results of User Evaluations
The overall results of the user evaluations indicate that users are
relatively pleased with the services provided by the NCC, and that most
operations satisfactorily meet their needs. For most evaluation criteria,
users have rated the NCC within the 3.0 to 3.5 range, with several criteria
receiving higher ratings and only a few receiving lower ratings. In reviewing
the user ratings for the past year and user comments submitted in the most
recent survey, the review team noted the following key findings.
o User support services consistently receive the highest-
overall rating of the major evaluation categories. Ratings
for direct user assistance criteria are especially high for
all systems, with ratings frequently above 4.0 for IBM and
Sperry support.
o Technical support services receive consistently high scores
from both IBM and Sperry users, with somewhat higher scores
for TSSMS office responsiveness than for computer security.
o IBM and Sperry users compare the quality of services received
from the NCC favorably with their experience with other data
centers.
o Telecommunications has received generally avaerage to
slightly above average ratings, but several IBM and Sperry
users have commented on persistent communications problems
that the NCC appears to be unable to resolve.
o There have been significant drops in users ratings of
computer graphics services for both the IBM and Sperry.
o .Several IBM users have commented on turnaround delays for
batch jobs. (However, the rating for this criterion is
average, with only slight declines during the two most recent
evaluations.)
o There has been a significant drop in the rating for
micrographics services on the Sperry, and these services are
-------�
3-8
now rated average. Micrographics ratings on the IBM are
somewhat higher, but have varied significantly from period to
period.
In view of the exceptionally low number, of responses from users of the WSC
PDP-11 systems, the review team has no significant observations regarding the
ratings for these systems. However several users noted that the WSC was able
to-successfully recover user files when the POPs were experiencing significant
operating difficulties.
E. User Training
1. Types of Training Offered
User training was virtually eliminated in the budget cuts of FY82,
with some expansion in training in the latter half of FY83. NCC management
expects some improvement in training resources for FY84. Based on the review
team's review of the user evaluations, users seem to be relatively satisfied
with current training opportunities. Our review of the training course
offerings for FY84 indicates an expansion in the types of training offered
(i.e., PRIMES and IBM PCs). However, not all of these courses have been
officially approved by NCC management. Courses are offered for both novice
and advanced users of ADP.
2« Training Survey
User Support conducted a survey of users in May 1983 to determine
their requirements for training and to focus NCC user training activities for
FY84. The survey was sent to the 320 users who noted an interest in training
on their user profiles, and 35 users responded. The results were generally
consistent with the expectations of the User Support staff.
As noted previously, the User Support staff also reviews CARS reports
to identify potential areas where additional training would be useful.
3. Sources of Training
The NCC would like to emphasize training courses developed in-house,
but has a very limited staff devoted to training — less than one FTE of EPA
staff and three individuals from the FM contractor. However, this team is
supplemented by other individuals within the NCC who lead training courses, as
well as by courses provided by outside vendors. In addition, User Support
rents training tapes from Advanced Systems, Inc. on both an annual and on an
'as needed' short term basis.
4. Funding of Training
Users are now required to pay for ADP training to enable the NCC to
offer a wider variety of training and reduce the burden on the NCC budget.
Formal procedures have been established for users to request specific training
courses, and are generally followed. These procedures may be revised in FY84
-------�
3-9
to enable user organizations to provide funding in advance to the NCC for
multiple training courses under a single 'blanket' purchase request, thus
avoiding the need to prepare separate purchase requests to fund each course.
No quantity discounts are offered to NCC users from the same program office.
5. Training of ADP Coordinators
ADP coordinators within EPA program offices perform a liaison function
between users and the NCC. Among their responsibilities are coordinating the
distribution of account billing and fSSMS reports, and providing assistance to
users'in identifying how to obtain particular NCC services, such as training.
These individuals perform their functions as coordinators in addition to their
regular programmatic responsibilities. User Support noted that some
coordinators are unfamiliar with their specific responsibilities as
coordinators. However, there is currently no documentation of the duties of
AOP coordinators in regard to the NCC and no training in these duties is
available.
-------�
-------�
4-1
APPENDIX 4
COST ACCOUNTING AND CHARGEBACK
A. Introduction
!• Objectives of the Evaluation
There are three major objectives for this part of the review. The
first is to assess whether the NCC rate structure and procedures for
chargeback of ADP costs are consistent with applicable regulations. The
second objective is to examine the suitability of the content and distribution
of ADP usage and cost reports. The final objective is to determine whether
the mechanisms used to control ADP usage are effective.
2. Scope of the Evaluation
This part of the review covered computer configurations which are
included in the NCC budget and are under NCC control. For FY 1983, this
included the IBM 370/168MP and Sperry configurations which were subjected to
complete full costing analysis. The three POP 11/70's under NCC control are
also considered to the extent that NCC analyzed costs for these in FY 1983.
For FY 1984, a "full costing study" has not yet been completed because
of delays in finalizing the NCC budget. Thus, the assessment focused on
anticipated cost accounting/chargeback activities for FY 1984.
The DEC 2020 computers, MAD VAX, OTS VAX, Regional POP computers, la-
boratory processors and local capabilities (e.g., Prime equipment) were not
included in the FY 1983 assessment* These are not EPA general use computers
and thus are not controlled by the NCC.
3. Baseline for Evaluation
OMB Circular A-121 entitled Cost Accounting, Cost Recovery and Inter-
Agency Sharing of Data Processing Facilities dated September 16, 1980, pro-
vides a comprehensive baseline for evaluation. This circular specifies that
agency data processing facilities should:
o Share excess capacity with other agencies to the extent
feasible and document arrangements of over $500,000/year via
written agreement.
Establish cost accounting procedures consistent
Federal Government Accounting Pamphlet Number 4.
with the
Implement a user cost distribution system to account for the
full cost of providing services.
Separately identify the costs of operating each computer
application.
-------�
4-2
o Distribute costs commensurate with the amount of resources
used.
o Separately identify unfunded (e.g., depreciations) costs.
o Distribute the costs of dedicated services to the specific
recipient of services.
o Submit periodic statements to users specifying the cost of
operating each application.
o Reduce budget requests by the amount of reimbursements
planned from Interagency Agreements.
In December 1982, the National Bureau of Standards published FIPS PUB
96, which is-a Guideline for Developing and Implementing a Charging System for
Data Processing Services.This document provides technical guidance to assist
managers in the effort to comply with OMB Circular A-121.
4. Methodology
The findings and conclusions of this part of the review are based on
the review team's review of applicable guidelines, assessment of analysis
reports prepared by the NCC, review of accounting system outputs, and
interviews with representatives of the NCC.
5. Structure of ThisAppendix
This appendix consists of four major sections in addition to the
introduction. These sections which.correspond to the review objectives are:
o Section B, Rate Setting, covers the methodology used to
establish the rates used in FY 1983 and addresses plans for
setting FY 1984 rates.
o Section C, Billing/Usage Reporting, covers the assessment of
billing systems used by NCC as well as the reports which are
generated to document costs and usage.
o Section D, Usage Control, addresses the policies and
procedures associated with monitoring and controlling
resource usage by both internal EPA and Interagency accounts.
B. Rate Setting
This section addresses the rates developed for use in FY 1983 and also
covers plans for establishing FY 1984 rates.
1. Rate Setting for FY 1983
In order to establish FY 1983 rates, an "NCC Full Costing" document
was prepared and published in August 1982. This document itemized FY 1983
-------�
4-3
budgets and anticipated costs. The IBM 370/168MP and Sperry Systems were
covered in detail. POP 11/70 costs (three machines) were itemized separately
and excluded from the main comparison tables.
The "NCC Full Costing" study formed the basis for IBM and Sperry
Univac cost analyses which were published in October 1982. These analyses
developed the rationale for FY 1983 billing rates for these two configura-
tions. Rates were set for the entire FY 1983 period. The NCC sets rates for
the entire fiscal year in order to allow program managers and user groups to
adequately plan and budget ADP usage. No adjustments were made during the
fiscal year. When the Amdahl was installed, the study was not redone. Rates
charged for the Amdahl followed the IBM scheme with processing charges
adjusted to account for differences in MIPS rates between these machines.
Since historical billing information did not exist for the POP 11/70
computers, no analyses were conducted for these configurations. FY 1983 rates
for the POP 11/70's were set by EPA management. The procedure used was not
documented.
In general, rate setting procedures were generally compliant with OMB
Circular A-121 guidelines as follows:
o All appropriate cost elements (e.g., hardware, contractor
personnel) were considered. However, EPA personnel salaries
and a portion of the facilities costs were not included in
the calculations used to establish rates for internal users.
This is not in strict compliance with the OMB guideline and
results in rates which are artifically low. The reason why
these costs were not included is that they are not part of
the NCC budget. Thus, EPA's budget structure would have to
be revised to include personnel costs as part of the billing
rates. It should be-noted that a surcharge to cover these
items jŁ included in the rates charged to users from other
agencies.
o The analyses took into account expected utilization increases
based on review of historical data and program office inputs.
A hardware normalization figure was used to shift some of the
advantages associated with the low cost IBM 370/168MP acqui-
sition to Sperry users.
o Rates were established for CPU and I/O usage and for specific
"cost centers" such as standard tapes and connect time. The
methodology for prorating specific cost components (e.g.,
hardware, personnel, facilities and supplies) in the cost
center analysis was clearly documented. Some components such
as software and maintenance were bundled into the CPU rate
analysis. However, this part of the analysis methodology was
not clearly documented.
o Most billing rates implemented were close to the calculated
unit cost. In some cases, the actual rate was modified to
encourage efficient resource utilization (e.g., the rate for
private disk packs was increased to encourage more use of
public storage). However, some rates were not set properly.
-------�
4-4
In FY82, the billing rate for print lines was $2.50 per 1,000
lines. Although the projected rate for full recovery for FY
1983 was $2.39 per 1000 lines, the billing rate was set at
$2.00 per 1,000 lines. This does not represent full cost
recovery and encourages excessive printing. The projected
effect of this billing rate is underrecovery of approximately
$191,800 ($1,177,800 expected total cost less $986,000
anticipated billings).
The anticipated amount of reimbursement expected from other
agency users was included in the analysis. The estimated
amount was the figure reflected in signed agreements.
Unfunded costs (e.g.,
specific line items.
depreciation) were considered as
o The billing rates distribute special hardware usage costs
(e.g., micrographics) and services (e.g., special delivery)
commensurate with specific use of these resources. However,
all software costs are bundled and spread across all users.
ADABAS and CICS are treated like other software (i.e.,
purchase costs (depreciated) and maintenance costs are
bundled). The UMAX package is being tested as a .tool for
better tracking of CICS usage. NCC review has indicated that
an appropriate billing package does not exist for ADABAS.
It would be desirable to pro-rate Wylbur or TSO usage to.
users based on their level of activity. However, direct
measurement of Wylbur time is not available via a package and
the NCC considers it too expensive to develop.
DPD policy has been to permit access of all software systems
by all users whether or not they use them. DPD believes
there is no cost effective way of charging individuals based
on the use of specific library systems.
While the rate setting analysis studies for FY 1983 were relatively
complete, it should be noted that there are no documented procedures for cost
recovery analysis or rate setting. The NCC indicated that it plans to doc-
ument the procedures being used. This is a January 1984 deliverable in the
current NCC workplan.
2. Rate Setting for FY 1984
Preliminary work has been done
1984 but completion of these efforts is
budget is not yet finalized.1
in full costing and rate setting for
being delayed because the data center
In developing a total budget for FY 1984, OMISS solicited budget
estimates from program offices and consolidated these. However, in FY 1984,
memo billing will continue for organizations within EPA and actual funds will
not be transferred from EPA user organizations unless an organization chooses
to add funds by reprogramming non-timeshare resources. EPA management is
examining the possibility of implementing a Working Capital Fund (WCF) for the
-------�
4-5
NCC. In this approach, a revolving fund of capital would be used to pay the
expenses associated with providing ADP services. This fund would be replen-
ished by "user charges" paid by consumers of the services. Implementation of
this approach would require a change in EPA's funding structure and definitely
will not be accomplished before FY 1985.
Although there are currently no formal documents describing the FY
1984 analyses, the following plans appear to be in effect:
o The FY 1984 analysis will include the IBM 370/168MP, Amdahl
V6, the Sperry, the IBM 4341- used by Toxics and the MAO VAX
11/780. The three POP 11/70 computers will be analyzed in
more detail. The current proposal for the IBM 4341 (which
will be a target machine for conversion from a DEC computer)
is to use the IBM 370/168MP billing rate with adjustment for
differences in MIPS rates between the processors.
o The FY 1984 rates will take into account FY 1983 recovery
statistics. In FY 1983, total monies recovered were close to
plan (101.7%). However, recovery on IBM 370/168MP and Amdahl
V6 was nearly $2 million higher than expected (119.7% of
planned) while the Sperry recovery was about $1.7 million
less than planned (79.5%). The IBM comparison is based on
cost estimates developed before it was known that the Amdahl
would be installed. The NCC plans to factor this into the FY
1984 billing rates.
o The 15% figure added to processing charges for users from
other agencies (to cover personnel and facilities) will be
reexamined and modified-if appropriate.
Since there is a delay in completing the necessary analyses, FY 1983
rates will remain in effect until January 1, 1984. Users have been made aware
of this. Any resulting differences between costs and rates for October
through December will be either written off by the data center or reconciled
by an adjustment to rates for the rest of the year. A retroactive billing or
crediting of any difference is not anticipated.
C. Billing/Usage Reporting
This section describes different AOP cost and usage reporting systems in
operation at the NCC.
1. Billing Systems
There are specific billing systems in operation on each configuration.
The IBM 370/168MP and Amdahl V6 systems use the Johnson Systems JARS package
plus a front end from Johnson Systems (UMAX) for CICS usage accounting. A
package from Signal Technology is being installed on the MAD VAX 11/780. NCC
analysis showed that installation of this package was more cost effective than
custom development. The Sperry and POP 11/70 billing systems were developed
in-house. The current POP 11/70 systems bills are based on just two measures
(CPU hours and connect time). This system is currently being evaluated by the
NCC.
-------�
4-6
These billing systems meet OMB Circular A-121 guidelines for identifi-
cation of costs associated with each unique application and dissemination of
periodic statements specifying these costs. Billing reports are distributed
to ADP Coordinators (approximately 70-80) who have responsibility for multiple
accounts. In addition to a series of standard reports which provide monthly
usage and costs aggregated at the user ID and account levels, special runs
providing data at the job level can be produced if requested. The billing
reports produced appear to be comprehensive and provide various levels of de-
tail appropriate for use by different levels of user management.
on their
distribution
The distribution of billing reports to account managers is performed
by ADP coordinators within the program offices. Some managers may not be
receiving these reports, making it difficult to control usage
accounts. NCC plans to conduct a study to look into better
procedures for billing data.
2. The Timesharing Services Management System (TSSMS)
TSSMS serves as the main resource usage tracking tool at the NCC. It
is also the system used for user ID/account control and checking. A draft
manual for the system was published in October 1983. Only minor changes to
the draft are anticipated.
Inputs to TSSMS include budget data from the ADP Resource Management
Information System (ARIS) and workload cost data from the computer billing
systems. Refunds are also entered into TSSMS. The NCC has reasonable proce-
dures for users to claim refunds, and the TSSMS staff performs adequate inves-
tigations of refund claims prior to approving them.
TSSMS produces twelve reports each month. These provide cost data and
comparisons of actual costs versus budgets at the Program Element level.
TSSMS reports are distributed to senior budget "managers in the program offices
and to specific OIRM managers.
3. The Facility Impact Monitoring and Analysis System (FIMAS)
FIMAS produces quarterly reports which are used for capacity planning
and workload analysis. FIMAS reports are distributed to ADP coordinators and
within OIRM. These reports allow for tracking of usage and costs by applica-
tion (e.g., STORET). This is accomplished by capturing the application code
which users must enter in the logon procedure. While there is no link between
TSSMS and FIMAS, consistent organizational codes are used in these systems and
in the billing reports. Data from FIMAS reports and other sources is used to
produce a Monthly Review and Analysis Report. This report provides the basic
information .needed for workload analysis and rate setting.
D. Usage Control
This section discusses the related areas of user account management and
cost/usage monitoring and control. This latter topic is covered separately
for EPA internal users and other agency users authorized via Interagency
Agreements (lAGs).
-------�
4-7
1. User Account Management
There are currently approximately 3,300 different user ID'S and about
2,400 ADP accounts. A single account can have multiple ID's. There are
approximately 500 account managers each of whom usually has responsibility for
monitoring the activities of several accounts. Account managers must be EPA
personnel. The AOP Coordinators are responsible for multiple account managers
and must approve the establishment of each new account. An FMS code must also
be identified to establish a new account in order to provide a link to spe-
cific budget components.
NCC policy is to have a single user ID assigned to each user. The use
of the same ID by multiple users has often been traced to policy
misinterpretation by account managers and users. However, in some cases,
flagrant misuse of ID's has been discovered by the NCC.
Procedures are in effect to limit support to only valid ID holders.
Postcards are sent to all new users to confirm the new ID. If these are
signed by a different person, the ID can be invalidated. Daily reports are
compiled for logon and security system failures. It is NCC policy to have
these checked daily. However, the one person assigned this responsibility has
many other duties and has been unable to always accomplish the daily checks.
The NCC reviews ID's during reorganization and requires periodic password
change. As a result of the procedures currently used, between five and ten
ID's are invalidated monthly.
A user account characteristic which complicates accounting and
chargeback is that a single ID can be active across multiple ADP accounts.
Thus, the accuracy of charges and usage allocation to specific accounts (i.e.,
TSSMS reports) and applications (i.e., FIMAS reports) is dependent on user
procedures. A user can sign on to a specific account using an appropriate ID
and application identifier and then switch to another account without changing
logon information. All cost/usage would then be recorded against the first
account and system application. This is especially critical in cases in which
a user has access to accounts belonging to different RPIO's. A user could
take advantage of this situation to divert charges from an account which is
close to its expenditure limit to one which has sufficient remaining funds.
NCC personnel indicated that they had found at least one occurrence of this
practice.
The current system is designed to make accurate accounting easy for
the user to accomplish (i.e., a user does not have to sign off to enter a new
identifier when switching between applications). However, while many users
follow proper procedures, there is only a limited capability for detection of
improper use or enforcement. .
2. Usage Control (EPA Users)
In FY 1983, expenditures which exceeded budget for a given
organization were flagged. No formal procedures were followed to control
over-expenditures. OMISS management, not the NCC, decided whether or not to
take action on over-expenditures. ADP coordinators had the option to request
invalidation of specific accounts or ID's based on excessive utilization.
This option was occasionally exercised.
-------�
4-8
Since there was no actual funds transfer from EPA users in FY 1983,
the major problem which existed was that the users had limited incentives to
be efficient (e.g., run jobs at lower priorities, conserve disk space, reduce
printing). There was no control over priorities except for "Priority 5"
(highest priority). Jobs run at this priority required ADP Coordinator
approval.
For FY 1984, OIRM is in the process of developing a policy for
handling expenditures which exceed budget. The first step in this process was
issuance of a November 7 memo entitled "FY 1984 Timeshare Management." This
memo moves the level of. timeshare ceiling management up to the RPIO level. It
also precludes reprogramming of funds out of the timeshare account or between
the NCC and commercial timesharing. Reprogramming of program resources into
the timeshare account fallowed if formal procedures are followed.
Future policy memoranda will examine other issues under consideration
including criteria for determining when action must be taken to reduce the
potential for overexpenditure, potential penalities for violation, and manage-
ment tools for usage monitoring. OIRM plans to issue these in December 1983.
At this time, the effectiveness of planned procedures cannot be
assessed. However, it appears that EPA management recognizes the existing
problems and is taking action to deal with these problems.
3. Usage Control (Interagency Agreements)
EPA recovers computer center usage costs in the form of funds trans-
ferred from outside agencies which use the IBM 370/168MP, Amdahl V6 or Sperry
facilities. In FY 1983, there were 97 Interagency Agreements (lAGs) with a
total expenditure limit of about $2 million (according to TSSMS IA6 Report #4
- August 1983)
The procedures in effect at EPA exceed the requirements presented in
OMB Circular A-121. A written agreement exists between EPA and each outside
user agency (not just those whose expenditures exceed $500,000).
The charges billed to other agencies in FY 1983 were based on the
standard rates (i.e., those charged to EPA users) plus a 15% addition to pro-
cessing charges only. This 15% is re-evaluated yearly and covers personnel
and facility costs which are outside the NCC budget. This adjustment is built
into the Sperry, IBM 370/168MP and Amdahl V6 billing algorithms (i.e., manual
bill modification is not required).
Prior to February 1983, the responsibility for management of lAG's was
outside direct DPD control. In some instances, new lAGs were held up in mu-
tual agency approval processes. Work in progress was normally continued de-
spite absence of an approved IAG to permit the affected agency to gain a com-
plete and usable work product. In other instances, higher priority financial
management activities prevented timely collection of incurred billings. To
offset this periodic problem, a new policy has been established and will be
formally communicated to new IAG customers. This policy requires an approved
or revised IAG to be in place by December 31 or the project will be unilater-
ally terminated, pending subsequent approval and receipt of necessary funding.
-------�
4-9
DPD stated that by the end of FY 1983, all but $14,000 out of $1,400,000 was
billed and procedures were in place to prevent previous problems. For two
cases of significant overexpenditures of $34,453, all but $14,000 has been
recovered by DPD.
The NCC expressed their intention to more stringently enforce these
policies in FY 1984. Specific measures to be taken and conditions under which
they would be taken are expected to be included in future policy memoranda.
-------�
-------�
5-1
APPENDIX 5
SECURITY
A. Introduction
!• Scope and Objectives of the Evaluation
The scope of the security portion of the overall review includes both
security at the NCC RTP center and the security at the Washington Information
Center (WIC) site. The review on-site research was completed in November
1983. At that time, the new WIC site had not been completed. The findings
concerning the old WSC site were documented in the first Interim Findings
Report produced in this review and are not repeated here since they are no
longer relevant. The review addresses the planning for security at the new
WIC.
Security is considered to include the protection of hardware, build-
Ings, systems and data against internal failures, human errors, deliberate
attacks, and natural catastrophy. Security is provided by physical devices,
software features, manual procedures and qualified and dedicated personnel.
There are two major areas of security which fall outside the scope of
this review. These are discussed briefly in the following paragraphs.
a. User Security Procedures and Practices
The review team did not directly investigate user practices and
procedures relating to security. However, NCC staff discussed several issues
which relate to perceived user practices. If the users do not protect and
control user IDs and passwords then the software protection features provided
by the NCC can be easily bypassed by an intruder. This could result in the
potential alteration, modification, and/or disclosure of. the data. If print-
outs containing confidential or sensitive data are not properly handled then
there is a real possibility of disclosure of sensitive data to persons who do
not have an official need to know. The adequacy of controls built into speci-
fic applications is outside the scope of this review.
b. Remote Computing Facilities
The review team did not investigate the many other sites within
EPA where there are computing facilities, such as the regional offices,
laboratories, etc. These sites were not included under NCC security respon-
sibilities at the time the scope of this review was established. With the ADP
modernization plan, the regions will become computing centers of a. signifi-
cantly greater size than at present. These computing sites throughout EPA
will have security concerns similar to those of the NCC.
2. Baseline for Evaluation
The baseline for
guidelines and regulations,
evaluation includes the applicable governmental
EPA guidelines, and the nature of NCC operations.
-------�
5-2
a. Applicable Governmental Regulations and Guidelines
The following list identifies the major applicable Federal
guidelines and regulations:
o OMB Circular No. A-71: Security of Federal automated
information systems, July 27, 1978
o Federal Property Management Regulations Chapter 101.
Subpart -101-35.3 - Security of Federal ADP and Tele-
communication Systems
o Federal Property Management Regulations Chapter 101
Subpart 101-36.7 - Environmental and Physical Security
o Federal Property Management Regulations Chapter 101
Subpart 101-35.17 - Privacy and Data Security for ADP
and Telecommunication Systems
o FIPS-PUB-31 GUIDELINES FOR AUTOMATIC DATA PROCESSING
PHYSICAL SECURITY AND RISK MANAGEMENT, June 1974
0 FIPS-PUB-39 GLOSSARY FOR COMPUTER SYSTEM SECURITY,
February 15, 1976
o FIPS-PUB-41 COMPUTER SECURITY GUIDELINES FOR IMPLE-
MENTING THE PRIVACY ACT OF 1974, May 30, 1975
o FIPS-PUB-46 DATA ENCRYPTION STANDARD, January 15, 1977
o FIPS-PUB-48 GUIDELINES ON' EVALUATION TECHNIQUES FOR
AUTOMATED PERSONNEL IDENTIFICATION, April 1, 1977
o FIPS-PUB-65 GUIDELINE FOR AUTOMATIC DATA PROCESSING
RISK ANALYSIS, August 1, 1979
o FIPS-PUB-73 GUIDELINES FOR SECURITY OF COMPUTER APPLI-
CATIONS, June 30, 1980
o FIPS-PUB-74 GUIDELINES FOR IMPLEMENTING AND USING THE
NBS DATA ENCRYPTION STANDARD, April 1, 1981
o FIPS-PUB-81 DES MODES OF OPERATION, December 2, 1980
o FIPS-PUB-83 GUIDELINES ON USER AUTHENTICATION TECH-
NIQUES FOR COMPUTER NETWORK ACCESS CONTROL, September
29, 1980
0 FIPS-PUB-87 GUIDELINES FOR ADP CONTINGENCY PLANNING,
March 27, 1981
b. EPA Guidelines
The review team examined three major EPA guidelines:
-------�
5-3
o DPS DATA CENTER SECURITY MANUAL April 3, 1979 revised
June 29, 1979 and December 5, 1982
o CHEMICALS IN COMMERCE INFORMATION SYSTEMS CONFIDENTIAL
BUSINESS INFORMATION SECURITY MANUAL, November 1981
o WSC SECURITY MANUAL (186/001 Draft), November 25, 1983
Security requirements and procedures are also discussed in other
EPA manuals such as:
o POP 11/70 SYSTEM MANAGER'S GUIDE (no date)
o POP 11/70 OPERATIONS MANUAL (Revised April 1983)
o POP 11/70 USER'S Manual (July 1982)
' o NCC USER REFERENCE MANUAL — UNIVAC (Revised April 29,
1983
o NCC - IBM USER'S GUIDE (Revised May 1983)
o OPERATIONS HANDBOOK ~ IBM/AMDAHL, 4341 (dates vary,
ranging from 1980 to 1983 for various procedures)
The EPA systems tend to fall into three groupings:
o Not sensitive - The majority of the work processed by
lfh"eEPA computers is not highly confidential in
nature. Most EPA systems are sensitive in the sense
of GSA terminology only because they are needed for
the proper functioning of the agency. For these sys-
tems protection is primarily oriented against loss or
alteration of data and continued processing rather
than protection against improper disclosure.
o Privacy Act Sensitive - A small number of systems are
' sensitive because they contain information concerning
individuals, such as the Personnel Management Informa-
tion System (PMIS) and the Merit Pay System. The Pay-
roll system is a special sensitive system since it
controls cash .disbursements.
o Highly Confidential - The OTS CBI systems are very
sensitive systems and receive special treatment.
3. Methodology
The review team performed the following actions:
o Reviewed the applicable general Federal and EPA guidelines,
o Examined the documentation provided by EPA,
-------�
5-4
o Conducted interviews with NCC personnel at RTP and WSC, and
o Performed a physical walkthrough of the main NCC site and
of the old WSC site.
Structure of this Appendix
This appendix consists of an introduction and the following four
sections:
o Section B, Physical Security, addresses the physical secu-
rity of the NCC main center in RTP (including physical
security pertinent to OTS requirements), and the WIC now
under development,
o Section C, Security Manuals and Procedures, addresses pri-
marily the manuals and procedures by the NCC main site,
including procedures pertinent to TSCA CBI.
o Section D, Other Security Issues, addresses issues not
covered in the previous two sections.
B. Physical Security
The NCC has made a major effort to protect the assets of the EPA by an
extensive program of providing preventive and corrective mechanisms at the
main center in RTP and are doing similar work at the new WIC which was under
construction at the time of the review.
The points made below are in the order of Federal Property Management
Regulations Subpart 101-36.7 - Environmental and Physical Security, with some
additions by the review team.
1. NCC Main Site in RTP
The NCC main computer center meets the requirements of the GSA regu-
lations with a few minor exceptions as noted in the following paragraphs.
a. Main Site Description
The main site consists of the following areas:
o A large controlled area on the ground floor which
includes:
- An I/O. pickup area,
- An I/O room (printers, etc.),
- A pai r of tape vaults,
A room with the consoles, minicomputers and tape
drives, and Sperry computer,
- A room with the disk drives,
- A room with communications equipment, and
-------�
5-5
- A separate room for TOXICS (This room has two doors
and both are controlled. There is a glass wall
between this room and the console room)
o There are several other areas on the ground floor
including:
- A room with motor generators and UPS equipment, and
an adjacent battery room,
- A room for paper stock, and
"- A room (small) for the Hal on system
o There is a second floor room which contains the IBM
370/168MP and AMDAHL-V6 computers.
b. Temperature and Humidity
o There are closed doors between the' main computer room
area and the other areas of the first floor.
o There are several temperature and humidity recorders
located in the area and there is a portable recording
unit which can be moved to potential trouble spots.
o Over the years the NCC has completely reworked the air
and water systems so that they are now fully adequate
and are independent of the overloaded system of the
RTF complex. The NCC can borrow chilled water from
the complex in the event of a failure, but this is a
one-way system so that the center controls its own
chilled water supply.
.0 There is monitoring of air and water temperature.
c. Lighting and Electrical Service
o There Is adequate lighting.
o There is a UPS system that will provide sufficient
carryover time to allow orderly shutdown in the event
of a complete power failure. There are two sources of
outside power (lines from two substations) so the UPS
will allow cutover if one fails.
o There is equipment to provide "clean" power to all OP
equipment.
o There are lighted exit signs.
o If the power fails, every other light on every other
row is powered by a diesel generator supplied by the
complex. In addition certain exits have separate
emergency lights.
-------�
5-6
The only room examined which had improper lighting was
the battery room where the light switch was not by the
door and it did not work.
Cleanliness
o For the main computer facilities, the I/O room with
dust-producing peripherals is separated and has a door
between it and the disk room. The printers for TOXICS
are in the same area as the DEC 2020 CPUs for security
reasons.
o All of the areas which contained computer equipment
were clean, including under the false floor.
o The battery room could not be examined as there was no
light.
o The motor generator and UPS room is also used for
storage. While this is understandable, it does pre-
sent the problem of potential damage to high voltage
equipment when moving the items stored in this area.
o There appears to be a lack of proper temporary storage
space. Crated equipment was stored in the room con-
taining the disk drives and in the communications
room.
o Cleaning is done by contracted cleaning personnel
under supervision of the building manager.
o There are no coat racks, etc. in the computer room
area.
o The false floor has static-free carpeting.
Personnel
o Only authorized persons with the appropriate badges
are allowed in. Visitors must be signed in and
escorted.
o The Rusco system of badge readers is used to gain
entrance. This system allows zoning of the badges.
o The RTP facilities management office controls the
badge reader computer. Since this office works normal
working hours, the control computer for the badge
readers is unattended for the times the computer
center is operational outside of normal complex work-
ing hours. If the system fails, the badge readers in
-------�
5-7
EPA buildings throughout the RTP area are degraded or
non-functional until repairs are made. This procedure
is less satisfactory than that' utilized at the new
WIC.
•
o Smoking, eating and drinking is not allowed in the
computer areas.
o Non-essential appliances are not present in the com-
puter areas (coffee pots, etc.}* They are forbidden.
Precautionary Measures
o There are plastic sheets available to cover equipment
in case of water leakage.
o There are underfloor alarms in case of water intrusion
from leaking pipes or other sources.
o There are a number of 4" drains in the floor of the
computer area.
o The walls of the tape vaults extend from the floor
slab to the true ceiling. The walls bounding the com-
puter area on the ground floor also extend from slab
to true ceiling.
o The air conditioning ducting has automatic closure in
case of fire or depression of the Emergency Power Off
(EPO) button. -
o There is no forced exhaust system for removing smoke
or Hal on. On the ground floor this can be (and in one
case was) accomplished by opening the appropriate
doors. The resulting draft will clear the air on the
gound floor.
Fire Safety
o There are annual fire fighting demonstrations held
with the cooperation of the local fire department.
Fire Prevention - Master Control Switches
o There are Emergency Power Off (EPO) buttons in protec-
tive covers by every exit from the computer'area.
Portable Fire Fighting Equipment
o
There are numerous portable fire extinguishers with
current inspection stickers.
-------�
5-8
o GSA prescribes C02 fire extinguishers for electrical
fires. NCC uses Halon extinguishers which is a -rea-
sonable approach in the opinion of the review team.
j» Smoke Detection
o There are automatic detectors for smoke and heat
located under the fal-se floor, on the false ceiling
and above the false ceiling.
k. Contingency PIanning
o Contingency planning is generally weak, and is
addressed in more detail in Appendix 6 of this report.
1. Security of ADP Facilities
o This is covered in Section C of this Appendix.
m. Fire Suppression System
o There is a zoned Halon system for the computer areas.
n. Special Hazards
o There is a water main for the main RTP facility out-
•side the second floor computer area. This pipe has
led to flooding in one case. NCC has requested that
it be relocated, but this has not been done. There is
now an easily accessible shut-off valve for this pipe.
o There is a major crack in the stairwell wall by the
Halon room and there has been slab subsidence. The
cracking extends to the second floor and is very
vi sable.
o It would be possible for a truck to be run through the
door to the computer area. The NCC requested that
posts be installed, but this request was rejected by
the management of the main RTP facility.
2. New Washington Information Center
The new WIC site was under contraction at the time of this review.
The observations made below are based on a review of the site plans with NCC
staff.
The new site meets GSA regulations except for a few minor items which
are noted below.
a. WIC New Site Description
The new site has the following characteristics:
-------�
5-9
o There Is an area 22,000 square feet dedicated to the
new WIC which is on the ground floor of the Waterside
Mall.
o There is a special computer work area consisting of
the computer room, the telecommunications room, a tape
vault and a printer room.
o There is a special room for CBI terminals.
o The only outside wall that is not a solid wall is the
wall facing the mall where there is a glass wall
behind which are WSC offices.
o The I/O control area is a separate area and users pick
up output via opening locked I/O boxes,
o There are separate areas for offices, terminals,
training, paper storage, kitchen, etc.
Temperature and Humidity
o There are closed doors between the computer areas and
the rest of the WIC area.
o There will be temperature and humidity recorders.
o A WIC controlled air conditioning system is being
installed for the computer areas. There will be no
chilled water. . -
o There will be monitoring of air temperature.
Lighting and Electrical Service
o Adequate lighting is planned.
o There will not be UPS. UPS is considered unnecessary
based on a study that was performed in FY83.
o There is only one source of power available. The new
computer center will use all of the remaining capacity
of lines that run to Waterside Mall from a single
power substation.
o Three power distribution filters will ensure that only
"clean" power is available.
o There will be lighted exit signs and emergency
lighting.
-------�
5-10
Cleanliness
0
0
This could not be directly examined as the center is
not operati onal.
The electostatic filters used in the old center will
be used, mainly in the printer area.
There will be special air filtering.
There will be a separate area for coats, etc. which is
not in the computer work area.
o The false floor will have static-free carpeting.
Personnel
o There will be a badge system for all persons. Visi-
tors will be signed in and escorted.
o There will be a zoned badge reader system under con-
trol of WSC.
o There will be TV cameras monitoring critical areas
with the monitor information being relayed to the WIC
guard desk.
o Smoking, eating and drinking will be forbidden in the
computer areas.
Precautionary Measures
o There will be plastic sheets available in the event of
water intrusion.
o There will be underfloor alarms in case of water
intrusion.
o There will be floor drains in case of water intrusion.
o The area under the WIC is an EPA area.
o The walls of the tape vault will extend from true
floor to the building ceiling.
o The air conditioning ducting will have automatic
closure in case of fire or EPO.
o There will be no forced exhaust system for removing
smoke or Hal on. If certain doors are opened, it is
expected that the draft will rapidly clean the air.
-------�
5-11
m,
Fire Safety
o There will be annual fire training.
Fire Prevention - Master Control Switches
o There will be Emergency Power Off (EPO) buttons with
protective covers by the exits from the computer area
to the rest of the WSC area.
Portable Fire Fighting Equipment
o There, will be a number of hand held fire extin-
guishers.
o GSA prescribes C02 fire extinguishers for electrical
fires. WIC will use Hal on extinguishers which is a
reasonable approach in the opinion of the review team.
Smoke Detection
o There will be automatic detectors for smoke and heat
located under the false floor, below the false ceiling
and above the false ceiling.
Conti ngency PIanni ng
o Contingency planning is addressed in Appendix 6 of
this report.
Security of ADP Facilities
This is covered in Section C of this Appendix.
Fire Suppression System
There will be an unzoned Hal on system for the WIC computer
work area. The remainder of the center will have a
sprinkler system.
Special Hazards
o The outside area appears to be physically dangerous to
personnel because of the alleged high local crime rate
in Waterside Mall. The review team did not collect
pertinent crime statistics.
o The computer work area walls do not extend from floor
to true ceiling. They stop four feet above the false
ceiling. This could allow smoke from other areas to
come into the computer work area.
-------�
5-12
C. Security Manuals and Procedures
This section covers the procedures used to carry out security at the NCC
and the WSC.
1. NCC Main Site
a.
Manuals
DPS DATA CENTER SECURITY MANUAL April 3, 1979 revised
June 29, 1979 and December 5, 1982
— This manual is relatively current with the major
exception being that the descriptions of equipment
and its locations has not been adjusted for the
changes that have taken place.
— The manual appears to cover the main aspects of
security in an adequate manner.
— The special procedures for QUOTA (SPERRY) and RACF
(IBM 370/168MP and Amdahl V6) are not covered in
this manual. The Sperry procedures are covered in
the manual noted below.
— The manual does not include the very recently
assigned responsibilities for developing security
guidelines for other Agency computer sites.
(However, the extent of NCC responsibilities for
remote site security is somewhat unclear.)
The OS 1100 LOCAL ENHANCEMENT LC048-36R2B SECURITY
ENHANCEMENTS (revised September 16, 1980) describes
special software developed for SPERRY security.
The NCC USER'S REFERENCE MANUAL (for the SPERRY sys-
tem) provides a reasonably detailed user-oriented
description of computer security. However, it does
not strongly emphasize the need for users to protect
IDs, passwords, and outputs.
The NCC IBM USER'S GUIDE provides a reasonably de-
tailed user-oriented description of computer security.
The OPERATIONS HANDBOOK provides considerable guidance
concerning the actions to take place in the event of
environmental problems. It does not cover security
incidents or security violation reports produced by
the security software.
The POP 11/70 SYSTEM MANAGER'S GUIDE, OPERATIONS
MANUAL and USER'S MANUAL provide very limited notes on
security.
-------�
5-13
The OPERATOR'S HANDBOOK - MAO/VAX does not mention
security.
b. Procedures
o
o
Officially there is one person on the NCC/EPA staff
assigned to perform security. Very little of his time
is involved with security because of many other
assigned tasks. There has been a lack of formaliza-.
tion of the role of the EPA Security Officer and the
position changed hands several times in FY 1983 in an
informal manner. The position changed hands again in
January of CY 1984.
One person on the FM contractor staff is officially
assigned half-time to security. This person is heavi-
ly involved in other tasks and has had little time to
devote to security issues.
For the SPERRY and IBM 370/168MP and Amdahl V6
systems, users are required to change passwords every
90 days. This procedure is automatically enforced.
However, it is possible for a user to do multiple
password changes in order to keep using the initial
password. The NCC has allowed this possibility to
exist as a conscious policy choice.
The POP 11/70 does not have capability of enforcing
password changes.
The MAD/VAX password procedures were not reviewed.
The Data Center Security Committee, defined in the
Security Manual, does not appear to exist.
There is evidence that there are multiple users for
the same ID/password. Although this activity is con-
trary to NCC policy, it is not actively discouraged.
This is a security weakness.
Security is addressed in the NCC orientation briefing.
However, there is no active ongoing security awareness
program. The NCC-IBM Orientation course being devel-
oped (October 1983 - January 1984 management work
plan, Task 4.2.1.9) does not appear to include secur-
ity. .In FY 1983, technical information items on se-
curity were included in several NCC publications and
ah outline was prepared for a security training pro-
gram. NCC staff stated that budgetary limitations
prevented implementation of the security training
program.
-------�
5-14
There does not appear to be an EPA security awareness
program or high level policies relating specifically
to computer security.
Daily reports are produced by the POP ll/70s, SPERRY,
IBM 370/168MP and Amdahl V6 systems concerning log ons
and potential security violations or attempted viola-
tions. The amount of information provided varies-with
the system. The FM contractor Security Officer reads
the Sperry and IBM 370/168MP and Amdahl V6 reports as
frequently as possible (but not necessarily on a da.ily
basis) and follows up when there appears to be a
potential problem. The reports are kept for 30 days.
The NCC Security Manual provides forms and describes a
complete formal procedure for handling security inci-
dents. It does not appear that this procedure is
followed.
There was a significant incident detected by the NCC
during the review. A former user performed work on
the computer using a then-current user's ID and pass-
word. The misuse was detected by accident. Problems
with ID/password use are discussed in Appendix 3 and
in Appendix 4.
By direct tests it is clear that the Complex building
guards do not consistently check badges of persons
entering the building.
It does appear, by two inspections by the review team,
that the visitors sign in and escort procedures are
followed.
The form APPROVAL FOR COMPUTER ROOM ACCESS does not
require signature by the EPA and/or FM Contractor
security officer.
There does not appear to be a formal program for iden-
tifying "sensitive" systems.
OTS Security
a. Manuals
The primary manual is CHEMICALS IN COMMERCE INFORMA-
TION SYSTEMS CONFIDENTIAL BUSINESS INFORMATION SECU-
RITY MANUAL dated November 1981.
— This manual has supposedly been revised, but NCC
has not received a copy of the revision. NCC
received a draft revision and returned it with
comments.
-------�
5-15
— The NCC intends to work with OTS to update the
manual to reflect the conversion to the IBM 4341.
This activity is designated as high priority in
the FM contractor's current workplan.
— The draft manual reviewed appeared to be reason-
ably complete (if one includes the handwritten
notes) with one major exception. The draft con-
tains no clearcut security incident reporting and
follow-up procedure.
The OTS VAX OPERATORS HANDBOOK does not cover secu-
rity.
The DEC 2020 OPERATORS HANDBOOK does not cover secu-
rity.
b. Procedures
The EPA staff member responsible for OTS security has
many other responsibilities.
When the OTS computers were moved to the new location
the CBI inspector from OTS did not make a formal site
inspection report.
Security incident reporting is done mainly by tele-
phone. There is no formal reporting system.
There are semi-annual security briefings.
All employees (EPA and contractor) must sign security
agreements.
For new employees there must be full FBI background
checks since the summer of 1983.
Encryption is used for transmission outside of the
local area.
3. WIC New Site
a.
Manual
WSC SECURITY MANUAL (186/001 Draft dated November 25,
1983)
This manual will be reviewed by NCC staff
(including the EPA & FM security officers at NCC)
by December 7, 1983. The NCC expects to complete
the final version by the date of the WSC new site
opening (December 19, 1983).
-------�
5-16
This manual refers to the "EPA Automatic Data
Processing Manual, Chapter 10, ADP Security
Program." The version of the ADP Automatic Data
Processing Manual provided to the review team
does not contain this chapter and it is not
listed in the table of contents.
The WSC manual appears to cover the basic compo-
nents of a security program in an adequate
manner.
In the manual (4.3) it is stated that level-4
badges .give access to the CBI computer room in
addition to the access priveleges of lower level
badges. In principle, it should not be necessary
for CBI personnel to have access to the computer
area. This will be changed in the final version
of the manual.
The review team examined several guides
that addressed security aspects of POP
with the following findings:
and manuals
operations,
POP 11/70 PROGRAMMER'S REFERENCE MANUAL (July
1982) - This manual does not cover security.
POP 11/70 SYSTEM MANAGER'S GUIDE (no date) -
Section 8 addresses security. It is one page
and gives only very general directions. It
states that, the system will print violation
notices and that the system manager should
take appropriate action.
POP 11/70 OPERATIONS MANUAL (May 1982 Revised
April1983) - Section 2.2 covers user and ac-
count registration in one paragraph. Section
2.3 gives very general instructions on site
access.
POP 11/70 USEiTS MANUAL (July 1982) - Section
7 covers security in one page.
b. Procedures
Since the new WSC site was not operational at the time of the
review, the .procedures in place at the time of the review are noted below:
o There was no specific security manual tailored to the
needs of the WSC. There are situations at WSC where
there is a need for specific local guidance (for
example, security incident reporting). The NCC was
preparing this manual at the time of the review.
-------�
5-17
o There is no person specifically assigned the duty and
title of on-site EPA security officer for the WSC.
o It is not clear what is done with the computer gener-
ated violation reports and how, or if, they are fol-
lowed up.
o There appears to be no clearly defined reporting
procedure for such incidents nor an incident tracking
system. An incident occurred during this review
regarding an unlocked door and an inoperative alarm.
The full paperwork for these incidents was not
provided to the reviewers.
D. Other Security Issues
1. Security Staffing
The staffing of the security function on both the part of EPA and the
FM contractor is inadequate. In both cases one person is assigned for the NCC
main center and these persons have many other responsibilities.
2. Security Organization
The security function has been handled informally with unofficial
appointments of EPA staff members and without formal changeover procedures.
The person responsible for EPA security under the new organization
reports to a branch chief rather than directly to top management. This implies
a relatively low level of emphasis given to security as a function of the NCC.
In many organizations the security officer-reports to a level above the head of
Data Processing in order that security is brought directly to top management
attention.
3. Contractor Management Work Plan
The NCC TSCA CBI security manual was to be updated. A formal revised
version incorporating the previous changes has not yet been approved by OTS.
(This is not entirely under the control of the NCC.) In the current management
work plan there is a priority project to update the TSCA CBI security manual
jointly with OTS to include the most recent set of changes.
There was a task to develop a security training program in the Octo-
ber-December 1982 management work plan. And in the February-May 1983 plan.
This task was later changed to the development of an outline for such a program
in the June-September 1983 plan. There is no security training task in the
current plan. The NCC staff noted that there has not been sufficient funding
to carry out a security training program.
4. NCC Badges
The badges should have an expiration date. They currently have none.
-------�
5-18
5. Sensitive Systems Security Evaluations
According to the Federal Property Management Regulations Subpart
101-35.303 (c) there should be security evaluations of sensitive systems at
least every 3 years. It is not clear who should perform these in EPA. At
present this does not fall within the responsibilities of the NCC. This
function appears to be a legitimate responsibility of the Information Systems
Division of ORIM.
6. Computer Center Risk Analysis
According to FPMR 101-35.304-2 a computer center risk analysis "shall
be. performed before the approval of design specifications for new installations
or whenever there is a significant change to the physical facility or to the
hardware or software. The analysis shall be reviewed and updated whenever
changes affecting the degree of protection occur. In any event, the interval
between reviews shall not exceed 5 years. A copy of each risk analysis shall
be maintained for evaluation and audit purposes. These should be protected to
the greatest extent practicable under law."
The NCC did not meet these requirements. NCC noted that a risk
analysis was performed in January 1979. Considering the extensive changes in
the facilities and hardware since that date, subsequent risk analyses should
have been conducted by the NCC. The review team did not see any document
covering EPA risk analysis policies and procedures.
7. Security Agreements With EPA and Contractor Employees
The EPA Handbopjc For Employees does not mention security or misuse of
government resources. The EPA EmpIoyee Security Awareness pamphlet (August
1983) concentrates on theft and attacks on employees. The EPA Conduct and
Piscipiine Manual (last changed TN-2 24 January 1980) covers security issues in
Chapter 2(Paragraph 3 relates to use of government resources and Paragraph 4
relates to the safeguarding of information). The EPA Employees Responsibili-
ties and Conduct document (Volume 38, Number 73, Apm17^ 1973} in part
3.104(a) requireT the use of government resources for only officially approved
activities and in part 3.103(c) identifies several requirements for information
protection. This document is primarily related to the use of information or
resources for personal gain. The interim Policy Regarding the Acquisition and
Use of Microcomputers in EPA addresses the mi sue of government resources at the
end of Section F. This is an advisory document only.
There are no specific requirements for EPA employees using computer
systems to sign confidentiality agreements and agreements not to misuse
computer resources.
EPA employee exit agreements did not require a computer security
debriefing until a recent change was made at RTP to include this on the exit
form.
The FM contractor does secure confidentiality agreements from its
employees for the protection of customer information.
-------�
5-19
Although various documents do address the security responsibilities of
employees of EPA, this is done in a manner which does not clearly describe the
specific security responsibilities when dealing with automated systems.
-------�
-------�
6-1
APPENDIX 6
CONTINGENCY PLANNING AND DISASTER RECOVERY
A. Introduction
1. Objectives of the Evaluation
The primary objectives of this part of the review are two-fold. The
first objective is to determine whether or not the NCC has an adequate
arrangement for alternate facilities in the event of a disaster that disables
the NCC's facilities. The second objective is to assess the degree to which
the NCC is prepared to operationally handle such a disaster.
2. Scope of the Evaluation
a. Included Equipment and Systems
This part of the review addresses the IBM 370/168MP, Amdahl V6,
Sperry, DEC POP ll/70s, the MAD VAX, IBM 4341 and Toxics DEC 2020s installed
at NCC as well as the DEC POP ll/70s installed at WSC. Also included in the
scope is the part of the telecommunications network under the control of the
NCC.
b. Excluded Equipment and Systems
Excluded from the scope are the OPP DEC 2020-in Washington, the
regional computers, and office computers such as the Primes and IBM PCs cur-
rently being installed in program offices at EPA headquarters.
3- Baseline for Evaluation
a. Government Baselines
The most applicable baselines are:
o OMB Circular No. A-71: Security of Federal automated
information systems, July 27, 1978 which states (4.g.)
that the executive agencies have the responsibility
to:
"Establish policies and responsibilities to assure
that appropriate contingency plans are developed and
maintained. The objective of these plans should be to
provide reasonable continuity of data processing sup-
port should events occur which prevent normal opera-
tions. These plans should be reviewed and tested at
periodic intervals of time commensurate with the risk
and magnitude of loss or harm which could result from
disruption of data processing support."
-------�
6-2
Federal Property Management
101-35.305{c), which states:
Regulations chapter
"Contingency pians. Plans should be developed to pro-
vide continuity of data processing support should
normal operations be interrupted. Alternate facili-
ties are' essential for systems that process sensitive
data applications. The alternate facility should have
sufficient capability to run its own sensitive data
applications plus the sensitive application(s) from
the downed system. The backup capability may reside
in one or more systems or facilities but should be
located so that operating personnel, programs* data,
paper, forms, etc. can be made available on short
notice. Agreements for use of the backup (alternate)
facilities should be made in advance so that sensitive
data applications are operated with minimum interrup-
tion. Plans should be reviewed and tested at periodic
intervals."
Part 101-36.704 also covers contingency planning.
o FIPS-PUB-31: GUIDELINES FOR AUTOMATIC DATA PROCESSING
PHYSICAL SECURITY AND RISK MANAGEMENT, June 1974
o FIPS-PU8-65: GUIDELINES FOR AUTOMATIC DATA PROCESSING
RISK ANALYSIS, August 1, 1979
o FIPS-PUB-87: GUIDELINES FOR ADP CONTINGENCY PLANNING,
March 27, 1981 .
b. Industry Guidelines
There are numerous industry guidelines. Some of the major ones
are included in the reading list which is part of FIPS-PUB-87. The Auerbach
EDP reviewing Series, the "Security Standards Checklist" emphasizes the
following:
Written Backup Agreements
Backup Compatability Reviews
Backup Procedures Manual
Annual Backup Tests ;
On-Lirie Systems
c.
The reviewers acknowledge that the NCC does not have the same
requirement for instant fallback and recovery for key systems as do the
Department of Defense, the FAA, or other organizations which have unusually
time-critical applications. However, it is a requirement that the NCC be able
-------�
6-3
to support EPA in its mission during a disaster to the degree that the amount
of degredation is justified by the additional costs in providing a more exten-
sive backup capability.
The scope does not include fallback and recovery procedures from
one machine to another when there are local problems. These are presently
well defined and used in practice where there is similar equipment at the same
installation (such as the POP 11/70 "A" and "B" systems at the WSC).
4. Hethodology
The findings and conclusions of this part of the review are based on
the review team's review of the applicable regulations and guidelines,
examination of pertinent NCC forms and documents, and in-depth interviews with
representatives of the NCC.
5. Structure of this Chapter
This chapter consists of an introduction and the following sections:
o Section B, Backup Agreements, addresses the extent to which
the NCC has in place backup agreements.
o Section C, Backup Compatability Reviews, addresses the
extent to which there are periodic reviews to assure con-
tinued hardware and software compatability with the backup
site.
o Section D, Backup Procedures Manual, addresses the extent
and currency of the written backup procedures.
o Section E, Annual Backup Tests, addresses the annual full
review of the backup procedures and alternate site func-
tioning.
o Section F, Special Systems, addresses the special problems
of on-line systems and highly secure systems.
B. Backup Agreements
1. Equipment Not Covered by Backup Agreements
There are no backup agreements for the following equipment:
o . The DEC 2020
o The MAO VAX
o The DEC POP 11/70
o The IBM 4341 equipment
-------�
6-4
o The OTS VAX
It should be noted that even if there is an intention to use another
EPA site computers as backup, there should be a written procedure, including
agreements between different organizations where appropriate, so that' the
obligations and responsibilities are clearly defined.
For the OTS DEC 2020s, the conversion to the IBM 4341 equipment is
expected to be complete for the CBI systems by the end of February 1983. It
is not clear that it would be worthwhile to establish backup arrangements for
this short period. However, if there is a prospect of significant schedule
slippage, then the time and cost of implementing backup arrangements become
more reasonable.
used by the OTS CBI systems, there
requirements being applied to the
as at EPA NCC would require signi-
local alternative sites that have
CBI security can be lowered in the
to the NCC by OTS. This is one of
For the IBM 4341 equipment to be
is the question of the special security
backup site. Protection at the same level
ficant advance preparatory costs for all
been considered. The degree to which TSCA
case of a disaster has not been made clear
the key issues in regard to toxics backup.
2. Equi pment Covered by Backup^
The Sperry system is covered by an agreement signed with the U.S.
Army Finance and Accounting Center (USAFAC), Fort Harrison Indiana. This
agreement was signed on the 27th of January 1982 and has an indefinite contin-
uation unless cancelled. The agreement is mutual in that both parties back up
each other. The agreement is in very general terms and does not give any
level of minimal computer resource- availability in case of a disaster. The
guaranteed storage of 25 magnetic tapes is far below normal EPA usage. There
is no provision for additional telecommunications capability on a prior-to-
disaster basis. There has not been an update of the contact list although it
is out of date. A significant disadvantage of this agreement is that the site
of Fort Harrison is located at such a distance from the NCC that the distance
alone, would make recovery more difficult.
There is a backup agreement for the IBM 370/168MP and Amdahl V6 main-
frames signed with the U.S. Postal Service National Information Resource Cen-
ter (NIRC) on 30 March 1983. The agreement is mutual in that both parties
back up each other. The agreement is in very general terms and does not give
any level of minimal computer resource availability in case of a disaster.
The guaranteed storage of 25 magnetic tapes is far below normal EPA usage.
There is no provision for additional telecommunications capability on a prior-
to-disaster basis. There has not been an update of the contract list although
it is out of date. The agreement is virtually identical to the USAFAC agree-
ment. The Post Office site is in the local area.
There is presently a discussion with the NIRC concerning a more suit-
able arrangement. Furthermore, NCC staff state that they are negotiating with
NCHS concerning the possibility of NCHS becoming the primary backup site.
-------�
6-5
There has been a special arrangement made with NIRC for the Payroll
system and it has been run in test mode on the NIRC computer. There is work
being done for a similar agreement with NCHS. The Payroll system is to be
tested on the NCHS computer during the last part of November 1983.
C. Backup Compatability Reviews'
1. Equipment with No Backup Capability Reviews
As there are no backup agreements for the following equipment, there
can be no compatability reviews:
o The DEC 2020
o The MAD VAX
o The DEC POP 11/70
o The IBM 4341 equipment
o The OTS VAX
2. Equipment with Limited Backup Capability Reviews
For the Sperry equipment, there was a test of the EPA operating sys-
tem on the Fort Benjamin Harrison facility equipment, approximately 12-18
months ago. No formal report was prepared for the test. There has been no
retest since the initial test. The NCC staff is convinced that the revised
Sperry operating system will still work as the revisions in the recent past
have been oriented toward making it more standard. There are no regular site
compatability reviews.
There is no regular review of the NIRC site which backs up the IBM
370/168MP and Amdahl V6 systems. The mainframe operating system has not been
loaded on the NIRC equipment. However, the Payroll system has been
successfully run on the NIRC equipment.-
0.' Backup Procedures Manual
1. Equipment Without a Backup Procedures Manual
The following equipment is not covered by the existing disaster
recovery plan: -
o The DEC 2020s
o The MAD VAX
o The OTS VAX
o The DEC POP 11/70
o The IBM 4341 equipment
-------�
6-6
o The IBM 370/168MP and Amdahl V6 equipment.
2. Equipment Covered by An Outdated ProceduresManual
The EPA NATIONAL COMPUTER CENTER DISASTER RECOVERY PLAN covers the
Sperry system and it was dated the 30th of June 1979. This manual was written
so long ago that it cannot be considered to meet minimal requirements. It is
not a plan for transferring operations to Fort Harrison as the backup site is
not specified. However, many parts of the manual could be incorporated into a
current manual.
3. Critical System Surveys
a. Hardware Not Having Had Critical Systems Survey
o The DEC 2020s
o The MAD VAX
o The OTS VAX
o The DEC POP 11/70
o The IBM 4341 equipment
b. Hardware Which Has Had A Critical System Survey
o The Sperry users were surveyed in 1979 and there was a
memo report on the 12th of June 1979. This memo re-
port noted that- only a small number of users re-
sponded. The main concern of the respondents was that
data not be lost. Most of the respondents could take
a 30 day or longer downtime without extreme .problems.
NCC staff believe that this survey is still largely
valid since systems have been moving away from the
Sperry instead of toward the Sperry. The majority o'f
the users are running scientific models.
o The IBM 370/168MP and Amdahl V6 users were surveyed in
1981. There was no formal report made of this survey,
but the notes on this survey indicate that almost all
users could go without support for a week before there
would be significant impact. In April 1983 User Memo
#178 was sent out to the users asking them to name the
systems that should be a part of the disaster recovery
plan. NCC was then going to call the respondents and
ask them more detailed questions. The responses have
not yet been fully assessed by the NCC.
-------�
6-7
E. Annual Backup Tests
There are no annual full tests of the IBM 370/168MP, Amdahl V6 and Sperry
backup sites. To the reviewers' knowledge, there has never been a full test
of either backup site. Such a test would involve using the Backup Procedures
Manual and operating all critical systems.
F. Special Systems
1, On-Line Systems -
On-line systems present special .backup and recovery problems. Tele-
communications lines and equipment cannot be made rapidly available. The
ability to switch from direct to dial-up will be needed in many cases. The
present arrangements do not cover this area in a significant manner. The
necessary arrangements would be made only after the disaster has happened.
The NCC has stated that managers of the systems operating on the
SPERRY which require disaster support have all indicated that operation in
batch mode will meet their requirements in an emergency situation. The NCC
further states that the NIRC telecommunications network is virtually a
duplicate of the NCC network. It should be noted that the SPERRY survey is
several years old and that the the addition of the NCC emergency workload
could possibly saturate the NIRC network. The NCC has not tested the use of
the NIRC network.
2. Secure Systems
If the OTS DEC 2020s (and replacement IBM 4341) are to be backed up,
the NCC and OTS will need to establish a. clear policy of the degree of
security needed for emergency operation. A high level of security cannot be
added at the last moment. 'This applies as well, to running CBI data on the OPP
DEC 2020s (and replacement system) at EPA as well as at other sites.
3. Critical Systems
It is not possible for any contingency plan to be considered adequate
that has not designated the critical systems, assigned priorities, and identi-
fied the minimal resource requirements needed to support those systems. These
activities have not been done in a manner that will provide the detailed data
needed for proper planning.
4. Backup and Storage of Data and Programs
No disaster recovery plan will work unless the data and programs are
kept current at another, location. It appears that the NCC has taken care to
provide for this important basic function.
-------�
-------�
7-1
APPENDIX 7
EQUIPMENT AND SOFTWARE ACQUISITION AND CONTROL
A. Introduction
1. Objectives of the Evaluation
The primary objectives of this part of the review are two-fold. One
.objective is to ensure that the NCC has accurate documentation of the assets
within'its control in terms of location, condition, and cost or-value. 'The
second is to ensure that from a financial perspective, the NCC monitors deli-
very of ordered items and is approving payment for only those items received
and approved in accordance with the terms of the contracts under which they
were acquired.
A secondary objective is to ensure that adequate controls are placed
on the acquisition of ADP equipment and software by other offices within EPA
to prevent serious disruption of NCC operations when these items are installed
and used by these offices.
2. Scope of Evaluation
a. Types of Items and Locations
This part of the review addresses computer hardware and software
acquired by the NCC and installed at either the main computer center in RTP or
the WSC in Waterside Mall. With respect to equipment, the review encompasses
items acquired for use either by EPA staff or by the FM Contractor, and
includes equipment comprising the -major computer installations (IBM, Sperry
and DEC) and peripheral equipment (e.g., terminals) acquired for use by NCC
staff.
With respect to software, the review ecompasses general purpose
and packaged software acquired for Agency-wide use, and special purpose soft-
ware acquired to support NCC operations. Controls on the development or ac-
quisition of applications software by other offices are not addressed by this
part of the review. Controls over supplies and other expendable items are
likewise not addressed by this part of the review.
b. Means of Acquisition
This evaluation addresses both purchased and leased items. Con-
tractor acquired equipment (CAE) is included as well as equipment furnished by
EPA (GFE) to the contractor. Controls administered by EPA directly as well as
those administered by the FM Contractor are assessed in the review. Most
equipment is acquired by EPA and provided to the FM Contractor.
c. Items Installed at Remote Locations
The NCC is not responsible for property-related functions for
hardware and software installed at remote locations. This review therefore
addresses these items principally In terms of procedures and controls that are
in place to ensure compatibility and guard against adverse "impacts on NCC
operations.
-------�
7-2
d. Procurements
Verifying compliance with those portions of the procurement re-
gulations that address competition of contracting has been specifically ex-
cluded from the scope of this review. However, the review does address the
preparation and review of procurement actions from a technical and financial
perspective, and receipt, acceptance and payment for procured items.
3. Baseline for Evaluation
The acquisition and control of hardware and software by the NCC is
subject to a number of Agency regulations and policies which substitute for
otherwise applicable Federal regulations. These include Agency procurement
regulations and related "notices," and Agency property management regulations
(EPPMRs). Consistent with OIRM's requirements and with other parts of the
review, this evaluation addresses the most significant requirements of
applicable regulations, and does not represent a highly detailed analysis of
every requirement or procedure included in these regulations.
4. Methodology
The findings and conclusions of this part of the review are based on
the review team's review of applicable regulations, examination of examples of
pertinent forms and reports, and in-depth interviews with representatives of
the NCC and representatives of the property function in RTP and Washington.
In conducting this evaluation, the review team did not test samples of
procurement actions or perform a detailed examination of NCC sites or
inventory records. Sufficient information was provided by the organizations
referenced above.
5. Structure of this Appendix
This appendix consists of an introduction and the following sections:
o Section B, Controls Within the Main Computer Center at
RTP, addresses the controls for items located at the
main computer center in Research Triangle Park.
o Section C, Controls Within the Washington Service Cen-
ter (WSC). addresses the controls for items located at
the computer facility in Waterside Mall.
NCC, address-
locations
This sec-
Section D, Controls on Items Outside the
es controls for items installed at remote
which may have an impact on NCC operations.
tion includes "office computing" equipment ordered un-
der Agency-wide contracts and other items acquired
through individual contracts.
Section E, AdequacyofPersonal Property System for
ADP Equipment, addresses the ability of PPS software
to support the recordkeeping requirements of the NCC.
-------�
7-3
B. Controls Within the Main Computer Center at RTP
This section addresses controls for equipment and software installed at
the main computer center in RTP. Controls administered by NCC EPA staff and
by the FM contractor are described separately. Several of these controls also
apply to items installed at the WSC, and are referenced in Section C.
!• Ordering and Acceptance
The NCC has adopted specific procedures for ordering new equipment
and software which are reasonably well understood by the NCC' staff. However,
these procedures are largely undocumented.
a. Preparation and Technical Review of Purchase Requests
Purchase requests (PRs) are initiated by designated project
officers and are prepared on standard forms. The NCC Director approves all
procurements. Approvals also are obtained from the Management Information and
Data Systems Divsion. Technical reviews are conducted as appropriate for each
PR, and no significant problems have arisen in the past year.
The FM Contractor also may request that equipment be acquired.
These requests are reviewed by the NCC project officer against the NCC budget.
If it is determined that the request cannot be fulfilled with currently
available equipment or from' surplus equipment lists, a recommendation for
acquisition is made by the NCC project officer to PCMD. PCMD reviews the
recommendation and after analysis, notifies the FM Contractor and project
officer of their final decision. If authorization for acquisition is given,
the FM contractor initiates the proper procurement actions in accordance with
the EPPMRs.
b. Budget Review
The NCC Administrative Officer reviews all PRs against the NCC
budget for the appropriate budget category. This is in addition to official
certification of available funds performed by the Office of Administration's
(OA) Budget and Control Staff, and prevents the submission of over-budget PRs.
The FM contractor submits all procurement actions under the FM
contract to the NCC EPA staff for review and approval. In addition, the
Contract Property Administrator at RTP reviews each PR to ascertain whether
the proposed items are included in the contract and whether the Agency wants
to acquire them.
These procedures provide effective budget'review for all pro-
curement actions initiated by the NCC.
-------�
7-4
c. Procurement Tracking and Execution
The NCC Administrative Officer maintains a manual log of PRs
that have not yet been assigned a document control number (DCN) by the OA Bud-
get and Control Staff, and an automated log for PRs for which funds have been
committed and a DCN assigned.
Once PRs have been forwarded to the Procurements and Contracts
Management Divsion (PCMO) for execution, tracking information is obtained in-
formally by calling PCMD staff directly. Although NCC staff have no direct
access to PCMD tracking systems, the current arrangement seems to work satis-
factorily for most procurements. The NCC Administrative Officer considers
PCMD staff to be friendly and cooperative.
NCC does not execute PRs; all are negotiated by PCMD staff in
Washington or RTP on behalf of the Agency. This is consistent with Agency re-
gulations. However, NCC staff sometimes are not consulted sufficiently before
a contract is signed and are unable to identify potential risks to the Agency
and errors in the contract at that time. This issue is addressed in more
detail in Appendix 8.
The NCC Administrative Officer usually does not receive prompt
notification of contracts awarded by PCMD in Washington and often does not re-
ceive actual copies of purchase orders or contracts until several weeks or
months after they are awarded. Copies of some contracts are never received.
NCC staff believe that these problems result from limited resources within
PCMD, and not because PCMD staff are unaware of NCC needs.
In many cases, the Administrative Officer identifies new con-
tracts issued in Washington by reviewing NCC obligations that appear on month-
ly reports generated by the Agency's Financial Management System. Until
recently, these reports were sent through a member of OIRM staff in Washington
and were received up to several weeks after the end of the month. As a
result, the NCC had difficulty tracking final contracts awards, and found it
especially difficult to track the status of its funds (e.g., open commitments)
at the end of each fiscal year. This delay was solved within the past few
months.
In addition,
significant adverse impact
review activities. This issue
the delayed receipt of contract documents has a
on property receiving and tagging, and on invoice
is addressed later in this section.
d. Testing and Acceptance
NCC staff perform independent testing of all mainframe compo-
nents and most peripheral equipment before formally accepting delivered equip-
ment. These tests are in addition to vendor testing performed during install-
ation, and ensure that payment is not made for defective equipment. These
tests are done off-line to ensure that defective equipment does not impact
production operations. Peripheral equipment (e.g., terminals) that is not
tested prior to acceptance is accepted only if covered by a warranty or if a
maintenance agreement is in effect. This is a reasonable procedure that
protects the Agency's interests without the burden of conducting full tests of
all peripheral equipment.
-------�
7-5
2. Receiving, Tagging and Inventory
Overall, the NCC does not appear to be losing equipment, or approving
invoices for items that have not been delivered to the NCC. However, in a
significant number of cases, established procedures are not being followed and
current practices do not provide an adequate accounting of NCC property (in-
cluding items in EPA areas and GFE). Effective control over receiving, tag-
ging, and inventory activities requires coordination and cooperation among in-
dividuals within the NCC, RTP Property Branch, and PCMD in Washington and in
RTP. The NCC is not solely responsible for these functions.
This subsection first summarizes the official procedures, and then
describes current practices and evaluates the adequacy of current practices to
provide the equivalent control of official procedures. Several key procedures
within the NCC are being revised to improve property control, and are noted
where appropriate.
a. Official Procedures
With respect to the functions cited above, official procedures
and responsibilities are as follows:
o The Personl Property System (PPS) contains the Agency's
official property records including all NCC equipment.
Software is not included. GFE and CAE are included in
addition to equipment in EPA areas.
o Copies of contracts should be sent to the NCC Admini-
strative Officer, NCC Project Officer and the Property
Branch. Contracts include a projected delivery date or
deadline.
o All items should be delivered to the receiving area
that reports to the Property Branch.
o Decals should be affixed to delivered items in the re-.
ceiving area. Corresponding records are entered in PPS
by the Property Branch. Two types of decals dis-
tinquish between purchased and leased items.
.0 Major and minor decal numbers should be used to record
"component" equipment. Decals should be placed on both
the overall item and individual subcomponents. There
is no physical difference in the decals. However, the
decal number placed on the overall item is entered into
the PPS as the major decal for the item. The 'entries
for subcomponents include the decal number associated
with the specific subcomponent (minor decal number) and
also the major decal number for the overall item of
which the subcomponent is a part.
o Items should be moved from the receiving area to the
NCC after they are tagged.
-------�
7-6
o All offices, including the NCC, should report untagged
items to the Property Branch and obtain a decal for
them.
o All offices, including the NCC, should conduct annual
inventories to update PPS records, including records
for GFE.
o Contractor should turn over GFE and CAE to EPA at the
end of a contract .and provide a complete inventory.
o Controls should be established for specific items which
may be easily converted to private use (e.g., portable
terminals and microcomputers, although these items are
not specifically identified in the EPPMRs).
The following paragraphs describe and assess current practices.
b. p roperty Records
Two systems are used to track NCC property in addition to the
PPS. The FM Contractor maintains its own system to track items under the FM
contract. This system also includes items in EPA areas, and thus supplements
the PPS. The NCC and Property Branch are currently reconciling PPS with this
system.
Another automated system is used by a member of the NCC staff
(not the Administrative Officer) to account for software acquired by the NCC.
These records include annual lease costs or the purchase price. This system
addresses a major deficiency of PPS-regarding the exclusion of software.
A senior member of the property office in Washington indicated
that the current policy is to record only tangible items in PPS. No offices
have specifically requested that software be included in PPS.
c. Notification of Order and Shipping
PCMO in Washington
NCC copies of purchase orders and
ter they are signed. At times a
contain a list of specific items
cate a specific delivery date or
often receives delivery of items i
Although PRs for these items are
current items list and delivery
deliveries.
d. Receiving
frequently provides the Property Branch and
signed contracts several weeks or months af-
"letter of intent" is provided, but does not
included in the contract, and may not indi-
deadline. As a result, the Property Branch
before corresponding contracts are received.
available, they do not necessarily contain
dates and are thus not used to forecast
Most small items are delivered to the receiving area. However,
many items, especially those, in large boxes are delivered directly to the NCC
site, bypassing the receiving area. This eliminates extra handling in moving
sensitive ADP equipment from the receiving area to the NCC site, and elimi-
nates moving costs. NCC staff are expected to notify the Property Branch of
-------�
7-7
these items to obtain a property decal, but do not always do so. No single
individual in NCC is designated to sign for all deliveries.
The Property Branch cannot easily identify items delivered
directly to the NCC unless contacted by NCC staff. Contract documents may not
be available to identify anticipated deliveries and the need for follow-up
with the NCC. The Property Branch claims to have inadequate resources to do
this type of follow-up. Property Branch and NCC staff agree that coordination
needs to be improved for items delivered directly to NCC.
The FM Contractor has recently designated an individual whose
primary responsibility is to assist EPA staff in maintaining accurate property
records, including reporting untagged items promptly to the Property Branch
and conducting quarterly walk-throughs of all NCC facilities. These measures
should help improve the NCC's property records.
The FM Contractor has implemented effective controls for
centralized delivery of CAE directly to off-site FM Contractor locations.
e. Taggi ng of Equipment
Tagging of ADP equipment is often complex, with NCC staff pro-
viding considerable assistance to the Property Branch. ADP equipment lists
cannot be deciphered by a person without ADP training, and many items repre-
sent intangible features or internal parts that either are inaccessible or
would be damaged if they were tagged. The Property Branch cannot solely det-
ermine how decals should be assigned to many pieces of equipment, and should
not be expected to do so. Tagging is especially difficult when copies of
purchase orders or contracts (which include item lists) have not yet been re-
ceived from PCMD.
Major and minor decal s are utili-zed for some equipment, but do
not seem to be applied consistently. Major decals should address the primary
component or cabinet, with minor decals addressing separately identifiable
items that relate to the primary item. However, when they are not assisted,
individuals in the receiving area tag component equipment with a single decal.
The net effect is that a single decal covers multiple components that should
have been assigned minor decal numbers and linked to separate major decal num-
ber in PPS. The current practice is especially awkward when one of the com-
ponents included under a single decal is disposed of, or when an additional
component of the same type is added to an existing cabinet but is tagged with
its own decal. In the latter situation, the decal is affixed to the new com-
ponent and entered into PPS without any information identifying the "major"
decal number for the related piece of existing equipment.
The FM Contractor has recently established a formal internal
property function. The FM Contractor affixes its own decals to CAE and
notifies the Property Branch when these items are delivered to FM contractor
sites. Although some items are inadvertantly not reported until a periodic
inventory is taken, there are relatively few of these items and they tend to
be relatively inexpensive. Major equipment is 6FE, is ordered by EPA, and is
delivered for use at EPA sites.
-------�
7-8
f. Custodial Accounts
All items in PPS are identified with a custodial account. Sepa-
rate accounts are used for NCC items controlled by EPA and for GFE. To reduce
errors, the NCC Administrative Officer has recently started filling in the
custodial account on NCC PRs, and the Property Branch reviews these entries.
This information was previously recorded by the Property Branch. Since the
Administrative Officer is usually better informed regarding the intended use
and location of the equipment, this change is reasonable.
9- Periodic Inventories
The NCC conducts jointly with the Property Branch in RTP annual
inventories in accordance with PPS reporting requirements. Recent inventories
have shown many errors in PPS data for items at the NCC, including the exis-
tence of untagged items, tagged items not listed in PPS, and items listed in
PPS not appearing in the NCC inventory. Most items listed
appearing in the inventory have been legitimately disposed of
deleted from leases, etc.), but have not been removed from PPS
in PPS but not
(e.g., surplus,
The reconcil-
iation of the annual inventory with PPS has not identified any cases of theft.
The Property Branch updates PPS records to reflect the findings
of each inventory. However, neither the Property Branch nor the NCC prepares
a report summarizing the results of the inventory. Although persistent prob-
lems have been identified, they are not formally documented.
As noted previously, the FM Contractor will be conducting
quarterly inventories encompassing all NCC equipment. These inventories
should result in more accurate PPS records for NCC equipment.
An inventory of GFE is
identified many errors in PPS. This
section of this appendix.
currently in progress, and has to date
inventory is addressed in the next sub-
A present shortcoming of current inventory procedures and PPS is
the inability of • PPS to readily record items acquired under "lease-to-
purchase" contracts. At the end of the term of these contracts, PPS records
are now changed from "lease" status to "purchased" only if NCC staff remember
to notify the Property Branch. No separate logs of these contracts are main-
tained by the NCC or Property Branch. However, NCC staff are aware of these
contracts and.review all invoices relating to them to ensure that payments are
not made beyond the end of the lease. (FMD also reviews these invoices.)
The chief of the Property Branch in RTP has little overall con-
fidence in the accuracy of PPS records of the NCC due to the inadequacies of
receiving and tagging activities noted previously. In contrast, however, a
senior member of the property group in Washington considers PPS records for
the NCC to be much more accurate than records for ADP equipment in other
Agency offices.
It should
Agency's AOPE to GSA's
reporting probably is
information.
be noted that PPS records are used to report the
ADP Management Information System (ADP/MIS). This
incomplete and likely includes some erroneous
-------�
7-9
h. Inventories of GFE/CAE
The NCC and RTP Property Branch are currently conducting an
Inventory of GFE to close out the previous FM contract and develop accurate
records of GFE to update the official listing included in the new contract.
This inventory is comprehensive and meets Agency requirements for control of
GFE. It should be noted, however, that the previous FM contract expired at
the end of FY82.
A faster close-out will be essential if the next facilities man-
agement contract is awarded to a different contractor. The"present contract
expires at the end of FY87.
i. . Controls Over High Risk Items
The NCC currently does not have complete records of the location
of portable terminals. Until recently, users were-not required to sign out
terminals unless they intended to remove them from the NCC facility. The
Administrative Officer is now reregistering all portable terminals and obtain-
ing signed receipts for each terminal.
At the present time, sixteen terminals are accounted for out of
a total of nineteen. The Administrative Officer has issued several notices to
users to report terminals in their possession, and believes that no terminals
have been stolen. Users may be reluctant to reveal they have terminals
because they believe the terminals will be taken away.
The NCC currently has no microcomputers.
Portable terminals in the possession of the FM Contractor are
all accounted for. The FM Contractor obtains signed receipts for all
terminals and ensures that terminals are returned as part of the staff
termination procedure,
3. Approving Invoicesfor Payment
a. Purchased Items
NCC staff must approve the receiving copy of the PR before the
Financial Management Division (FMD) will issue payment on the corresponding
invoice. NCC project officers provide this approval, and do so only after
verifying that the proper equipment or software has been received and has been
tested (if appropriate). This procedure effectively prevents EPA from paying
for defective items. .
b. Leased Items
For leased items, monthly invoices are forwarded-by FMD to the
NCC for review from an ADP perspective to ensure that invoices are consistent
with current lease provisions. One individual coordinates lease invoice
reviews within. NCC. Each invoice is reviewed against the corresponding con-
tract. An in-depth review is performed for the first invoice under each
-------�
contract and for subsequent invoices if
Otherwise, a subsequent invoice is not
contract. This is a reasonable procedure.
the contract
reviewed in
7-10
has been modified.
detail against the
c. Difficulties and Risks in Approving Invoices
In some cases, equipment has been delivered, and accepted, and
the corresponding invoice approved for payment before a complete copy of the
contract was obtained by NCC. This can and has created major problems in
previous years for NCC project officers. For the procurement of the IBM
370/168, the contract erroneously did not list a required item. This item was
covered in the PR and was installed with other equipment included in the
contract. The receiving report and invoice were approved by the Project
Officer without reviewing the contract (the contract was unavailable).
Technically, this individual appears to have acted outside the scope of his
authority and could have been asked to sign a ratification.
If NCC Project Officers waited until a copy of each contract was
received before accepting an item or approving the invoice, they would not
need to run the risk of ratification. However, given delays in receiving
copies of contracts from PCMD in Washington, installation of essential equip-
ment and software would be seriously delayed and adversely affect NCC service
levels if Project Officers followed this procedure. These delays have been
reduced somewhat in the second half of FY83.
4. Testing of Equipment
The NCC does not regularly test installed equipment. However, modern
technology has led to consistent performance against specifications, and most
failures are obvious.
5. Termination of Items
a. Purchased Equipment
NCC staff report surplus equipment to the Property Branch. This
office is responsible for preparing an excess property form (SF-120) and up-
dating the appropriate records in PPS. These procedures were not examined in
detail. However, recent inventories have shown that PPS identifies some sur-
plus equipment as currently in use. ',
b. Leased Hardware and Software
PR
For leased items the NCC prepares a
contract. These PRs are handled in the same manner
responsible for notifying vendors to remove
needed.
to officially modify the
• as other PRs. PCMD is
leased items that are no longer
NCC Project Officers are aware of the opportunity for other
agencies to obtain lease credits by assuming leases on items that the NCC no
longer needs, and try to meet GSA's 90 day notification requirement for termi-
nating leases. (The Property Branch provides official notification to GSA.}
However, the NCC was unable to fully comply with this requirement in FY82 due
to severe budget cuts which mandated prompt termination of several leases.
-------�
7-11
C._ Controls Within the Information Service Center (WIG)
1. Ordering and Acceptance
a. Preparation and Technical Review of Purchase Requests
The WIC Technical Manager is the originator for Purchase Re-
quests (PRs) involving WIC standalone configurations including the POP 11/70,
Data 100 and Xerox 1200 assets. NCC staff in RTP initiate PRs for communica-
tions equipment located in the WIC if it interfaces with RTP computers (e.g.,
statistical multiplexor used to communicate with RTP IBM configuration), NCC
staff in RTP also take the lead in ordering portable terminals, even if they
are for eventual WIC use. Copies of PRs that originate in RTP for WIC equip-
ment should be sent to the WIC Technical Manager. However, procedures in this
area are informal and the WIC is not always notified prior to actual delivery.
All PRs for WIC assets are approved by the NCC Director and
reviewed by NCC/MIOSO technical and administrative staff. The technical
review considers:
o justification for the asset;
o compatibility with NCC standards;
o suitability of the source.
PRs are also reviewed by a Property Management Officer to ensure
that the requirement cannot be satisfied by the use of excess property.
b. Budget Review
PRs originating at the WIC are handled in the same manner as for
PRs originating in RTP. The WIC has a separate budget within the overall NCC
budget.
c. Procurement Tracking and Execution
PRs for the WIC are handled in essentially the same manner as
those originating in RTP. PCMO issues purchase orders and executes all con-
tracts. PCMO also is expected to update the GFE list for the FM contract.
These updates are often delayed, and in many cases equipment is delivered
before the WIC receives a copy of the PO or the contract. The GFE list in the
FM contract is very seldom amended to reflect GFE additions until after the
items are received. However, the new quarterly walk-throughs should improve
the timeliness of updates to the PPS for items which are not tagged and
entered into PPS immediately upon delivery, If the WIC is notified in a
timely fashion, they assist in order tracking for critical delivery items.
d. Testing and Acceptance
The WIC is responsible for technical acceptance and installation
monitoring for items delivered to the WIC. Like the RTP facility, the WIC
-------�
7-12
performs its own acceptance testing of ADP equipment as appropriate after it
is installed and tested by the vendor.
2. Receiving, Tagging and Inventory
a. Official Procedures
The official procedures for receiving, tagging and conducting
inventories of WIC equipment and software parallel those of the RTP facility.
It should be noted that most WIC equipment is acquired for use within the FM
Contractor facility. The Contract Property Administrator for the FM contract
is responsible for all GFE located at the WIC as well as at the.RTP facility,
Since the FM contract was issued out of RTP, all NCC and WIC assets are the
responsibility of the Contract Property Administrator who is physically
located in RTP.
b. Receiving
All items for the WIC should be delivered to shipping and re-
ceiving personnel (part of the property office) at the Waterside Mall loading
dock. These personnel tag equipment and sign the delivery receipt. The pro-
perty office in Washington is sent the "property copy" of the receipt which
includes decal number, serial number and date.
The receipt is then forwarded to the Contract Property Adminis-
trator in RTP for entry into PPS, Although it is informal, this arrangement
seems reasonable. However, recent inventories have shown that some WIC items
are not tagged and are not entered into PPS.
c. Tagging of Equipment
Like the NCC staff in RTP, the WIC Technical Director assists in
tagging ADP equipment. Property personnel in Washington require assistance in
determining how decals should be assigned for "complex" equipment such as a
cabinet which includes several modules. As noted previously, the PPS allows
for the use of major and minor decals, a concept which the WIC Technical
Director assists in implementing. The WIC Technical Director uses the follow-
ing guidelines to assign decal numbers:
o If the subcomponents cannot be used outside the cabi-
net as standalone items (e.g., module boards) they are
not separately tagged,
o If'the subcomponents can be used independently of the
cabinet {e.g., modems) they are separately tagged.
o Add-on items (e.g., memory expansion) are not tagged-
if made by the vendor who supplied the basic configu-
ration but are tagged if they are supplied by an in-
dependent vendor.
These guidelines are inconsistent with those followed in RTP, -and do not pro-
vide consistent treatment of comparable add-on equipment.
-------�
7-13
The WIC Technical Manager also assists in tagging equipment
which bypasses receiving personnel and is delivered directly to the WIC.
These items should be identified promptly to the Contracts Property Adminis-
trator in RTF. Although the property office in Washington is contacted for
many such items, a recent physical inventory initiated by the Washington pro-
perty office identified approximately ten untagged .items, comprising mostly
terminals and communications controllers to be installed in the new WIC
facility that have not yet been uncrated.
d. Logging into Inventory
There are several different inventories of the AOP assets at
WSC. The PPS lists WSC equipment, but not software. These records are gen-
erally good, as noted below. However, as discussed in more detail in Section
E, the PPS does not designate a specific field to differentiate between assets
located at the WSC and those located at the NCC.
The GFE list in the FM contract is another inventory. This list
should be updated by a contract modification when new GFE is added to or
removed from the WSC. As noted previously, this list is currently being up-
dated.
The FM contractor . also maintains its own inventory system, as
noted previously.
When changes in the inventory occur, the WSC generally notifies
personnel in the Washington property office. This is done because these per-
sonnel are located in geographic proximity of the WSC. This procedure is an
informal one since the official contact for changes in the contract related to
property is the Contracts Property Administrator at RTP, Currently,
Washington property office staff forward change information to RTP for entry
into PPS.
e. Periodic Inventory
A yearly inventory report is provided by the WSC to the Property
and Supply Management Section. The WSC inventory information was described as
"generally good" by a senior member of the Washington Property and Supply Man-
agement Section. Additional inventories are conducted on an irregular basis.
As in the recent case of a pre-move inventory, these are often initiated by
the Property Office.
f. Controls Over High Risk Items
Existing controls over portable terminals used at the WSC
appeared to be inadequate. Although the NCC Administrative Officer was
currently re- registering all portable terminals, the WSC Technical Manager
seemed to be unaware of this effort until this effort was mentioned, by the
review team. This individual has since been informed of this effort by the
NCC.
3, Approving Invoices for Payment
The WSC Technical Director is responsible for approving payment on
all assets for which the WSC is the initiator of the Purchase Request. Cur-
rent procedures parallel those at RTP and provide effective control over pay-
-------�
7-14
merits. The NCC is~ the approval authority for assets located at the WSC which
interface with NCC configurations. These procedures were assessed in the sec-
tion for the RTP facility.
4, Termination of Items
In cases where a lease is terminated, the WSC is responsible for gen-
erating a PR to amend or to cancel the lease. The PR for termination is
handled using the same procedure as a PR for new items (i.e., approval by NCC
Director, NCC Technical/administrative review, Property Officer review). This
procedure was assessed in the section for the RTP facility.
If purchased equipment is no longer needed, the WSC Technical Direc-
tor is expected to notify the Contracts Property Administrator so that the
item can be identified as excess in the PPS. This situation rarely arises
since WSC hardware requirements have not decreased within the past year,
0. Controls on Items Outside the NCC
The NCC has limited responsibility for ADP equipment and software acquired
by other offices, and physical 1-y located outside the NCC. NCC is responsible
principally for technical review, and there are no significant problems in
this area. However, based on our limited assessment there may be major
deficiencies in other offices responsible for tracking this equipment. Our
findings are presented below and are presented separately for office systems
equipment ordered under Agency-wide contracts and for other equipment. It
should be noted that this portion of the review does not address equipment
that may in the future be procured under new Agency-wide contracts (e.g.,
graphics workstations, upgrades for the POP-lls as part of the Distributed
Processing Modernization Program, etc.)
1. Controlson Office Systems
The NCC has no responsibility for controlling office systems equip-
ment used by other offices. OIRM administers agency-wide contracts for
Lexitron and Prime 2250 equipment. These resulted from fully competitive pro-
curements. Requests for other office automation equipment are also reviewed
by OIRM.
Program offices budget for office system equipment and prepare PRs
for specific items which are approved at the branch/division level and by the
program office budget officer, These are then forwarded to OIRM for adminis-
trative review,' logging and technical review. OIRM places the order, supports
order tracking and monitors technical compliance.
When a piece of office computer equipment is received, it should be
tagged by .Property personnel at the delivery site (e.g., Washington, Regional
Office, ORD Laboratory) and entered into PPS. Users notify vendors of loca-
tion changes; there is no guarantee that these changes are forwarded to pro-
perty office staff for input to PPS. Vendors provide monthly reports to OIRM
identifying orders placed and equipment status. The Property and Supply Man-
agement Section does not receive copies of these reports.
-------�
7-15
Vendor invoices are sent to EPA accounting offices, and an approval
is sent to the user. These both flow to OIRM for review.
The program offices work directly with local property office staff
for disposing of purchased equipment which is no longer used. Such equipment
becomes excess.
2. Controls on Other ADP Oustide of NCC
The NCC responsibility for other AOP equipment and software used by
program offices is limited to technical review.
• .
o justification for the asset;
o compatibility with NCC standards;
o suitability of the source.
Over 700 PRs were reviewed in FY 1983. Approximately 2 or 3 requests per 100
are returned to the originator for revised justification or technical ap-
proach. At present, the only-difficulty that exists is that the technical
reviewer has been physically relocated to RTP. This causes some delay because
the remainder of processing for these PRs is performed in Washington.
For proposed software acquisitions, the NCC specifically determines
whether equivalent software already is available within the Agency. NCC staff
also determine whether software to be installed on the mainframe computers can
be reasonably maintained. Users may acquire a software package that is not
approved by the NCC, although the user will be responsible for maintaining it.
Existing procedures seem to provide a reliable check on program
offices that may attempt to purchase ADP equipment or software without OIRM
approval. PCMO identifies PRs coded with an ADP object class that do not have
OIRM .approval and contacts OIRM to conduct the required review.
All ADP PRs are approved by the .program office branch and division
managers and the program office budget officer. In addition to the technical
review, OIRM reviews the administrative data provided (e.g., object class) and
logs each PR. Forms then are approved by a Property management Officer and
are forwarded to a Contracts Administrator. Order tracking and accep-
tance/installation are joint PCMD/program office responsibilities.
The local property office should- receive and tag new items and enter
them into the PPS. Program offices and local property officials are respon-
sible for conducting annual inventories and updating PPS. The program office
should notify the property office of any purchased equipment to be declared
excess. Termination of maintenance on such equipment and lease termination is
accomplished by following PR procedures, and includes technical review by the
NCC. These procedures were not examined by the review team.
-------�
7-16
E. Adequacy of Personal Property System for ADPE
This section addresses the adequacy for PPS software and procedures for
maintaining reliable records for the NCC's equipment. The quality of informa-
tion in PPS is addressed in previous sections of this chapter where appropri-
ate. .
The personal Property System (PPS) was implemented in 1972 as the general
system used to track all personal property within EPA. It is not specifically
designed as an ADP inventory system but generally provides capabilities needed
to manage complex property such as ADP and scientific laboratory equipment.
Updates to the system data base are made monthly under the control of property
office personnel. Batch outputs are not restricted and all inventory informa-
tion can be made available upon request to NCC or WSC personnel.
Reports contain information including:
o decal numbers,
o serial number,
o manufacturer,
o model,
o nomenclature,
o custodial area,
o remarks,
o contract number,
o acquisition date.
The decal number fields for each item allow for inclusion of both a major and
minor decal entry. This permits the logical linking of a component (tagged
with a minor decal number) to an overall item. The decal number of the over-
all item is entered into the "major decal" field for the component.
The PPS is used as the source of EPA's required input into the GSA ADP
MIS. Reporting is accomplished via output of punched cards in a format com-
pliant with GSA requirements.
ADP software is not recorded in the PPS, and as a result the Agency has no
comprehensive Agency-wide list of software. The PPS is intended to be an
equipment type of inventory. The Property and Supply Management Section
claims that no requirement has been expressed to that office to record
software in the PPS.
The definition of "custodial area" associated with contract property seems
to be a problem. For in-house assets, custodial area is the field used to
identify the general location of equipment. For contract property, custodial
area is defined as the contractor. Thus, the custodial area identified in the
-------�
7-17
PPS is the same for RTP and WSC equipment that is provided to the FM
Contractor (i.e., a code for the FM Contractor is entered in the custodial
area field). A remarks field can be used for differentiation between RTP and
WSC locations but this is an optional entry and is free text. This limitation
precludes the accurate identification of equipment by location.
-------�
-------�
8-1
APPENDIX 8
NCC MANAGEMENT
A. Introduction
!• Objectives of the Evaluation
This part of the review addresses the overall management of the NCC,
and has four broad objectives. The first objective is to assess whether the
overall organization structure and internal reporting relationships and
management systems are appropriate to support the functions of the NCC. The
second objective is to determine whether the level and mix of staffing for
both EPA arid the FM contractor are appropriate. The third objective is to
assess the adequacy of contract management practices, with particular emphasis
on the management of the FM contract. The final objective is to assess the
adequacy of planning for future NCC operations. A more general cross-cutting
objective of this evaluation is to identify potential opportunities for
introducing more effective and/or efficient techniques for managing the NCC.
2. Scope of Evaluation
This evaluation focuses on the management practices of the NCC that
relate directly to its functi-oning as a -computer service to other Agency
offices. The evaluation encompasses the management of operations at both the
RTF and WSC facilities, and the management of key related support functions
(i.e., contract management, capacity planning).
This evaluation is not intended to address the management of all
functions currrently assigned to the Data Processing Division, and
specifically excludes those functions directly related to the planning, direct
management, or oversight of regional computer facilities and 'office' level
computers (i.e., microcomputers and PRIME minicomputers). This evaluation is
also not intended to serve as an assessment of the performance of the current
.FM contractor; rather, this evaluation focuses on the management system now in
place to evaluate contractor performance.
3. Baseline for Evaluation
There is no specific Federal baseline for conducting evaluations of
the overall management of Federal computer centers. This evaluation reflects
the judgement and experience of the review team in managing and evaluating the
operations of other data centers.
4. Methodology
The findings and conclusions of this part of the review are based on
the review team's observations of the NCC work environment, a review of
documented management processes and outputs, and in-depth interviews of all
NCC managers and many of the NCC staff. The review team did not solicit the
opinions of individuals outside the.NCC, nor did we perform a methodical
comparative analysis of NCC management practices with those of other Federal
and non-Federal data centers.
-------�
8-2
5. Structure of this Appendix
This appendix consists of this introduction and the following
sections:
o Section B, Organization Structure and Designation of
Responsibilities, addresses the organization of the NCC
(including EPA and FM contractor organization), the
delineation of NCC staff responsibilities, and internal NCC
reporting proceses.
o .Section C, Staffing and Personnel, addresses the size,
qualifications and training of the NCC staff, and other
staffing issues.
o Section D, Contract Management, addresses NCC's overall
management processes with respect to procurement and contract
managemnt, and activities and practices specifically related
to managing the FM contract.
o Section E, ADP Planning, addresses NCC practices for
identifying future Agency ADP needs and responding to these
needs.
o Section F, Other Management Issues, addresses other issues
related to overall NCC management.
B. Organizational Structure and Designation of Responsibilities
1. EpAjDrganizational Structure at NCC
The organizational structure has changed drastically from the previous
organizational structure implemented during the second month of FY84. In
January 1984 a new structure was announced. This Appendix does not address
this new structure.
a. Structure Description
The formal organization of the NCC during FY 83 was reflected in
the organization of the Data Processing Services group within MIDSD:
o Deputy Director of DPS
o Data Center Branch
o Computing Resources Branch
o Minicomputer Operations Branch
Several NCC managers indicated the actual structure and reporting
relationships within DPS were not the same as the formal structure and seemed
to be unclear. No "informal" documentd descriptions or charts for the actual
organization were available to the review team.
Within the new OIRM organization, the organization of the NCC is
reflected in that of the Data Processing Division.
-------�
8-3
o Director of DPD
o Deputy Director
o Architectural Management and Planning Branch
o Computing Technology Branch
o Computing Services Branch
The details of the internal branch structures are in the process of being
finalized.
The new organizational structure appears to be reasonable if it
can be properly staffed.
b. Descriptions of Key Positions and Responsibilities
There were full descriptions of the general responsibilities
assigned to each branch in the new DPD. The available descriptions did not
extend down to the section level within the branches. However, the branch
chiefs have a relatively clear idea of how they wish the sections to function.
Their major problem appears to be acquiring adequate numbers of the right
types of technical staff.
c. Reporting Mechanisms
There is no time accounting system relating staff time to specific
activities. The Agency payroll system and timecards do not support
timekeeping at the project level, and the NCC has not implemented its own
internal system for tracking the time of EPA staff 'by project or function. As
a result, NCC managers have only an approximate knowledge of how staff time is
actually utilized. Although the NCC claims that implementing such a system
may violate current agreements with employee bargaining units, the NCC has not
identified the number of NCC employees covered by these agreements, and
whether those employees would object to a voluntary system.
There does not appear to be any formal system of reporting NCC/EPA
staff activities to the NCC management that is equivalent to the progress
reports submitted by the FM contractor. Weekly NCC senior staff meetings are
conducted regularly. However, there appear to be no formal written minutes or
summaries of the results of these meetings.
In recent weeks, DPD has initiated branch status reporting and
provides a monthly staus report to the OIRM Director.
2. Facilities Management Contractor Structure
a. Structure Description
The FM contractor structure has been relatively stable and appears
to be reasonable. The main structure is as follows:
o Project Manager
— Project staff
— Business Office
o Technical Support and Planning
-------�
8-4
o Telecommunications
o Operations Support
— Operations
— Systems
— Telecommunications
o Software and Support Services
— User Support
— User Communications and Training :
— Computer Graphics
— Central Data Base Group
— Conversion and Optimization Group
o Washington Services Center
— User Services
— Operations Services
— Production Services
b. Descriptions of Key Positions and Responsibilities
The FM contract identifies specific functional areas and within
each area identifies specific position types and the requirements and
responsibilities of each position.. The requirements and responsibilities of
each position are described to a reasonable level of detail. The specified
functions and planned staffing levels (in work years) are as follows:
A Management and Administration (32)
B Operations and Maintenance (55)
C Washington Operations (11)
D Hardware Maintenance (1)
E Maintain Operating Systems (16)
F Maintain Support Applications and Packages (4)
G Operate Production Oriented systems (6)
H Data Entry Support (1)
I Publication and Reproduction (5)
0 User Support Services (33.5)
K Word Processing (2)
L Performance Monitoring and Evaluation (3)
M Capacity Planning (2.5)
N Computer Utilization Billing System (13)
0 Graphics Capability '(!}
P Facility Impact Monitoring and Analysis (1.5)
Q. Security (.5)
R Disaster Plan (.5)
S Courier Service
T Special Projects
U Operational Support Equipment
V Applications Analysis and Programming Support (18.5)
W Telecommunications (15)
X Facility Support (2)
Y Administrative Support (1)
Z Architectural Planning Support (6)
-------�
8-5
In summary, there are 237 planned positions, 224 staff on board, and 13
vacancies. (See Section C of this chapter for a discussion of FM contractor
staffing and vacancies,)
3. Differences in Organization between NCC/EPA and the Facilities
Management Contractor
The FM contractor management and the EPA management believe that this
difference will not cause any significant problems in terms of supervision or
reporting. The reporting relationships are relatively simple and straight-
forward at the day-to-day working level.
C. Staffing and Personnel
1. EPA Staff . .
a. Overall Responsibilities
The EPA staff perform primarily as management decision-makers to
provide technical direction and evaluation to the FM Contractor. In order to
direct and evaluate the diverse requirements of this contract, it is necessary
that the DPO staff be of sufficent numbers and have the appropriate qualifi-
cations to be able to perform these functions.
b. Staff Size
The NCC/EPA staff is exceptionally small relative to the FM
contractor staff and to the number of diverse activities performed by the NCC.
At present there are roughly 27 DPO staff, of which approximately ten
workyears represent oversight and management of the FM contract for FY84. As
a result of the current staff size, many NCC staff with a technical
orientation have been forced to assume management responsibilities.
There have been several requests by the NCC Director to increase
staffing, but some of the more significant reqests have not been approved. In
addition, NCC management indicated that some positions that are now vacant and
need to be filled (e.g., telecommunications specialist) may be lost. In
addition, the NCC workload is expected to grow considerably. Examples
include:
o The newly added high level software, particularly CICS and
. ADABAS.
o The changes being brought about by the overall • ADP
Modernization Plan which replaces the DEC-20 computers with
IBM 4341s and adds Prime minicomputers, IBM 4300 compatible
computers in the regions, and expanded networking.
o The increased number of users.
o The expanded functions at' the WSC, including the
Information Center concept.
-------�
8-6
o The increased complexity of handling telecommunications due
to the divestiture of AT&T effective in January 1984 which
will drastically impact telecommunications planning and
management.
0PM gave a briefing recently which indicated that the old Data
Center Branch should be able to perform their work with only 9 staff. It is
the opinion of the review team that this staffing level does not provide
sufficient numbers- of qualified staff to perform the tasks necessary to
fulfill the OPD mission. This forces DPD to rely heavily on the FM
contractor.
c. Turnover - ..
There has been considerable turnover in the NCC/EPA staff during
FY83. Key staff members continued to depart during the first four months of
FY84. Of the 27 staff on board at the start of the year, seven staff left the
NCC during FY83. These departures include the NCC Director and five other
professional staff. The reasons for termination are not completely clear to
the review team, but seem to include:
o Better opportunities outside of the Government.
o Preference for high level technical work without the
"hassle" of managerial responsibilities and oversight of
the contractor staff.
o Desire to stay in the local area and not transfer to
Washington.
o The high level of pressure inherent in an atmosphere of
increasing workload spread among a declining staff.
There also has been a significant influx of new staff during FY83.
Of the 25 staff on board at the end of the year, seven joined the NCC during
FY83, including six professional staff.
The overall number of filled positions and vacancies declined from
31 on September 30, 1982 to 28 on September 30, 1983. There are some persons
who now work at the NCC who are detailed from other organizational units on a
temporary basis.
There are currently several key positions for which senior level
replacements with requisite skills have not been brought on board, including:
o A senior system progammer for the mainframe computers.
o A senior telecommunications and network expert.
o A technical manager for supporting the implementation of
the ADP Modernization Plan in the regions.
o A senior manager for the new WSC.
o A senior manager for the user support function.
-------�
8-7
o A senior staff member to lead the new Information Center
project at the WSC.
One of the impacts of this turnover is the difficulty faced by top
NCC management in establishing an overall management style within the NCC.
NCC managers also indicated a difficulty in filling positions that
require a high level of technical knowledge and experience. Other Federal
agencies are having similar difficulties due to a shortage of these types of
individuals and current 0PM policies regarding grades, salaries, etc.
d. Qualifications
The EPA staff in certain key positions are not fully qualified
technically by training or experience for those positions. This lack of
technical knowledge can hinder NCC performance in several ways. For example:
o If the NCC does not have a knowledgeable systems programmer
then it is not possible to determine whether or not the FM
contractor has done a good or merely adequate job of
installing and updating the operating system. A correct but
inefficient system generation on an IBM type of computer can
result in a stable system which wastes resources.
o With no senior telecommunications expert on board, there is a
greater likelihood that the NCC will not make a good choice of
networking options.
There is usually an inherent conflict between having the high
degree of technical competence required for technical supervision and having
an inclination toward management activities. For many persons who are
technically qualified, the paperwork and meetings associated with project
management appear to make a position with the NCC unattractive.
There is a training program in place to train the present staff in
the necessary skills. However, it will take several years before there will
be fully trained and experienced professionals in those positions. This does
not mean that the existing staff will be ineffective; rather, there will be a
long period before they reach their peak effectiveness. The efforts being
made to upgrade current staff by training are noted below.
e. Training - Technical and Management
For NCC EPA personnel there is a significant program for technical
training. However, there is very limited management training. Current major
training efforts are related to ADABAS, CICS, telecommunications, and MVS.
The only management training presently offered is the training
course for persons who have or will have Program Officer (i.e. contract
management) responsibilities. Although this training is appropriate there is
also a need for general management training.
-------�
8-8
For FY84, the NCC projects that there will likely be adequate
funding of training to meet its training objectives for the year. However,
travel funds appear to be limited, and these are necessary for NCC staff to
attend training courses that are not available in the RTF area. In addition,
the relatively small number of staff within the NCC will make it difficult for
many staff to find the time to attend training and also accomplish their other
duties.
f. Position Descriptions and Delineation of PerformanceObjective and
Personnel Reviews
For NCC EPA personnel, objectives have been outlined in the new
reorganization structure for some positions. In some cases there are similar
titles but different descriptions depending on the duties performed. The
positions covered include:
o FY 1983
Acting Director, Data Processing Services
Computer Systems Analyst
Computer Specialist
Supervisory Computer Systems Analyst
Chief, Minicomputer Operations Branch
o FY 1984 (Draft to be completed in December 1983)
Acting Director, Data-Processing Services
Supervisory Computer Systems Analyst
Chief, Computer Technology Branch
For NCC EPA personnel the position descriptions on record during
FY83 were so general that they were non-specific to the individual. The
position descriptions were updated in November and December to reflect the new
organizational structure" implemented at the beginning of FY84.
NCC managers are required to prepare performance objectives for
all NCC staff. They appear to do this diligently.
2. Facilities Management Contractor
The review team's observations and findings concerning contractor
staffing are limited since this review was not intended to evaluate the
contractor in this area.
a. Staff Size
The contractor seems to have a sufficiently large number of staff
positions to perform the functions assigned during the period of review, with
the exception of security and contingency planning. However, there are areas
where the contractor has had difficulty in staffing. These areas have usually
been in high technology areas. As there is not a large pool of talent in the
RTP area, this often requires recruiting elsewhere and relocating staff. The
recent economic situation has made persons highly reluctant to move, especial-
ly in light of the perception of limited job security with the FM contractor
due to the contracting environment (the contract must be periodically
recompeted).
-------�
8-9
b. Qualifications
Contractor staff seem to be generally qualified. A problem has
been encountered In attracting technically qualified personnel to fill key
high technology slots, such as systems programming, packaged software support
(e.g., ADABAS), and telecommunications. At present, one position for a
systems programmer remains vacant.
c. Terminations, Resignations and Transfers
The FM contractor staff has been relatively stable. However, the
imminent depature of the contractor's user support manager, in conjunction
with the depature of his counterpart on the EPA staff, will require that this
position be filled on a high priority basis.
0. Contract Management
1. Initiation, Tracking and Negotiation of Procurements
The NCC appears to generally comply with all Agency regulations for
authorizing procurement actions, with a few exceptions (see subsection 2.c
below). Formal project officers are assigned to all procurements, the NCC
Director approves all procurement actions, and all actions are tracked by the
NCC's administrative officer. As noted in the first Interim Findings report,
the NCC adequately tracks all procurement actions, and performs the necessary
control activities to ensure that payment is authorized for only those items
and services actually received by the NCC.
One problem area is the failure of the NCC to review in detail all
provisions of every contract to identify from a technical perspective those
provisions which impose specific responsibilities on the Agency. At the
present time, PCMD conducts final negotiations of contracts and the NCC may
not see all important provisions of a contract until after it is signed. This
is particularly important for software acquisition procurements. The NCC must
review these contracts to identify the Agency's obligations and
responsibilities under vendor licensing agreements, and the conditions under
which software may be installed on more than one processor or may be
transfered to a replacement processor. PCMO may not be conducting this type
of review and may not have the technical expertise to do so without the
assistance of the NCC. For the NCC to assist in this review, PCMO would need
to provide a complete copy of contract documentation to the NCC before the
contract is signed.
A related problem is the present difficulty in'receiving copies of all
contracts and contract modifications from PCMD in a timely manner.
2. Management of the Facilities Management Contract
The NCC appears to be managing the FM contract quite well overall,
w'ith the exception of the NCC's limited capability to technically review the
work of the contractor as noted previously. The following paragraphs describe
the most significant attributes of the NCC's approach to managing the FM
contract. ' •
-------�
8-10
a- Workplan Development and Monitoring
The FM contractor is required to prepare a relatively detailed
workplan three times annually identifying the specific tasks to be performed
during the next four-month period. Tasks are grouped into six major
functional categories:
o Technical support and planning,
o Operations support,
o Systems and telecommunications support,
o Software and support services,
o Washington service operations, and
o Project management.
FM contractor workplans include both ongoing activities and
individual projects. The workplans also highlight priority tasks. The
workplans for each planning period are updated by separate listings which
identify additional assignments, modifications to current tasks, or deletions
arising during a given period.
The FM contractor submits weekly progress reports for each of the
workplan categories. These reports are number-keyed directly to the workplan
and appear to be reasonably detailed and comprehensive. The progress reports
note tasks completed, rescheduled, and placed on hold, and are cumulative for
each performance period. However, the review team noted that the progress
reports at the end of one performance period and beginning of the next period
seem to drop some tasks that were not completed by the end of the first
period. For example, disaster recovery planning activities for the Sperry
facility (Task 1.2.3.1) scheduled for the October 1982 through January 1983
period were not completed during this period and were not mentioned in
progress reports for the subsequent period. As a result, the progress reports
do not indicate the disposition of this (and other) tasks.
In addition to formal progress reporting, there appears to be an
excellent working relationship between EPA and FM contractor staff which
enables EPA staff to keep abreast of all key contractor activities.
b. Contractor Evaluation
EPA is required to conduct formal evaluations of the FM contractor
for each performance period to support the determination of the contractors
fee award under this award fee type of contract. The review team reviewed the
evaluation plan included in the previous FM contract and EPA appears to be
following the requirements of this plan. (A copy of plan for the current
contract was not available. However, NCC/EPA staff noted that the plan is
unchanged from the previous contract.)
Evaluations of contractor performance are submitted to the NCC
Project Officer for the contract (who also serves as evaluation coordinator)
who compiles the evaluations and prepares a recommendation to the Evaluation
Board. The evaluation inputs consist of the management plan for the next
period, written evaluations from NCC/EPA technical managers, pertinent
memoranda prepared during the performance period, and the results of a survey
-------�
8-11
of NCC users (see Chapter V for a description of this survey). The FM
contractor also may prepare a self evaluation for input to the evaluation
process, and currently does so.
Based on our conversations with senior management of the FM
contractor, these self evaluations seem to track fairly closely with those of
the Board, and the Board's evaluations and fee award decisions appear to be
fair and reasonable, with one exception. The contractor noted that in one
period the award fee was lower than usual due to perceived delays in hiring
new staff for certain positions. In this case, the contractor claimed that it
was essential to hire the right kinds of people which were in short supply.
In addition, the contractor was unable to actually bring these staff on board
until a contract change order was approved by PCMD.
In reviewing the results of the survey of users, the review team
noted that response to this survey is quite low, with response rates no higher
than 3% of the total number of users for any processor (i.e., IBM/AMDAHL,
Sperry, POP). Fewer than 20% of all users request participation and only 14%
of this group actually do participate. Although this response rate may be
acceptable for assessing users views of service quality at a gross level, this
response is not statistically significant for the Sperry and POP processors if
user ratings are considered from a quantitative perspective. For the Sperry,
the response rate can provider confidence level of 90%, but with an error
factor of 15%, a potential rating error of .75 points on the 5.0 point scale
used in the survey. For the POPs, the response of only 1 or 2 users cannot be
considered significant at all. As a result, the user ratings should not be
given a significant weighting in the evauation process for services related to
the Sperry and POPs.
A second limitation of the survey is that some questions do not
appear to clearly discriminate between the quality of .contractor services
under the control of the contractor and the potential effects of EPA policies
that affect service levels. The Evaluation Board appears to be aware of this
limitation in interpreting the survey results. Another deficiency of the
survey is the failure to provide definitions of the evaluation criteria to
users, as indicated in Chapter V.
Concurrent with its review of the fee award recommendation, the
Evaluation Board also establishes priorities for performance in the next
review period. This direction is usually communicated informally to the FM
contractor several weeks after the start of the performance period, and
formally several weeks later with the official notification of the fee award.
The contractor suggested that the Board establish priorities in an earlier
meeting to enable the contractor to respond to the NCC's priorities from the
outset of each performance period.
c. Contract Administration
The NCC and FM contractor have together encountered several
problems in administering the FM contract from a contracting procedures
perspective. It appears that PCMD' does not have significant experience in
administering this type of mission contract, and requires formal contract
modifications for new tasks which the NCC staff consider to be encompassed by
the existing contract. On one occasion this resulted in the OPO Co-Project
-------�
8-12
Officer having to sign a ratification for authorizing work that was viewed by
PCMD as outside the scope of the contract. A related problem is the frequent
delay within PCMD in processing contract modifications.
A second difficulty relates to the award fee and payment of the FM
contractor. The current ^ contract includes a base fee of 3% and an award fee
of up to 7% of loaded costs for designated labor-intensive tasks. The FM
contractor noted that formal notification of the fee award is required for
billing, and sometimes is not received for up to ten weeks after the close of
the performance period. Although the contractor may bill for 75% of a
pro-rata share of the fee biweekly, the actual fee award has ranged from 80%
to 89% during the past year. As a result, the contractor experiences
significant delays in billing for and receiving between $9,000 and $20,000 of
for fee each performance period.
E. ADP Planning
ADP planning for any data center generally comprises a variety of
activities. These include setting of planning objectives, analysis of current
performance and trends, forecasting of capacity requirements to support users'
processing workloads, and technology assessment. The NCC's efforts in each of
these areas is addressed in the following subsections,
1. Setting of Performance Objectives
The NCC appears to have set general planning objectives in terms of
compatibility of equipment and standardization of software, and specific
objectives for availability and batch turnaround for designated processing
priorities. However, there has been no overall review of the NCC's
performance objectives for several years. The currently changing hardware and
software environment and an increasing on-line processing orientation make the
lack of such a review more acute. CICS and AOA8AS will require specific
performance objectives.
2. Performance Monitoring
As noted in the first Interim Findings report, the NCC has a very
professional and diligent performance monitoring group. This group collects a
great deal of performance,data and produces a number of very useful analytical
reports for NCC management and overall planning.
3. Forecasting of Capacity Requirements
The NCC has a very limited capability to forecast, capacity
requirements. There is presently no systematic means for the NCC to identify
the future direction of major Agency programs and administrative functions,
and attendant data processing support needs in terms of processing capacity,
storage, and telecommunications. In addition, no major Agency-wide ADP
planning studies have been conducted since the terminated A-109 effort of
several years ago. A study was recently conducted by a task force within OARM
which focused on the direction of Agency programs and administrative
functions, and related ADP needs, during the next three to five years, but
this effort did not address (and was not designed to address) capacity needs.
-------�
8-13
The Facility Impact Monitoring and Analysis System (FIMAS) helps the
NCC identify new applications that are under development, but in the view of
the review team this capability does not provide an adequate lead time before
system implementation for planning purposes. The NCC does receive advance
notification of potential plans to develop or enhance major new applications
from some program offices on a case by case basis. However, this notification
is not done consistently or with sufficient lead time in some cases to support
procurement planning.
Most forecasts are currently based on analysis of historical system
use and performance data. Since the IBM facility has been operating at or
near capacity for the past several years, these forecasts may not fully
reflect latent demand for processing capacity for applications which now
operate on the IBM. Historical usage data also may not provide an unbiased
indication of future demand due to the relatively tight timeshare budget of
recent years.
The review team's discussions with several managers indicated that the
NCC does not expect the mix of batch versus demand (i.e., jobs executed
immediately upon upon submission by users) processing to change significantly
during the next several years based on their analysis of historical usage.
The review team considers this expectation unjustified since the NCC is now
making CICS and AOABAS available to users, and will also be installing 3270
full-screen terminal support capabilities and graphics workstations. These
enhancements should be expected to significantly increase the proportion of
demand processing.
4. Technology Assessment^
The NCC plans for the introduction of new technology and enhancement
of current facilities to address current demands and perceived future demands.
Examples of current projects include the installation of high speed Tl lines
between the RTF and WSC locations, installation of 3270 communications, and
upgrade of the communications front end processor for the Sperry to interface
with IBM-compatible remote job entry terminals.
An Architectural Management and Planning Branch (AMPB) has been
established within the new DPD organization to identify and evaluate
technologies that would be of particular usefulness, and would ' be
cost-effective, to the Agency. In addition, DPD has recently established (in
conjunction with OIRM management) a telecommunications project team to help
develop a long term telecommunications strategy for the Agency {including
NCC). It appears that these two groups will have the capability to identify
potentially useful technologies. However, these groups appear to be
handicapped by -very limited information about the overall direction of
specific EPA programs and the data processing support needs asssociated with
future program directions. There also is some question whether AMPB will have
a sufficiently large staff and whether both groups will have suffiently
skilled staff on board within EPA to successfully carry out their functions.
-------�
8-14
P» Other Management Issues
1. Construction of the New WSC Facility
Based on the review team's conversations with several NCC managers, it
appears that the new WSC facility was planned for construction on a 'crash'
basis to meet the original schedule of completion by September 30, 1983. This
schedule would have resulted in significant overtime costs (the amount of
which is unclear since this information was not included in documents provided
to the review team). Numerous delays in fully negotiating this contract
(which were not under the control of the NCC) have resulted in significant
schedule slippage with a current projected completion date of December 19.
This revised schedule also calls for construction on a 'crash1 basis.
Our review of the parts of the WSC construction contract and
subcontractor proposal provided to the review team do not appear to provide a
justification for the tight construction schedule and the resulting additional
costs. Although one member of the FM contractor staff noted that the tight
schedule was selected in part to reduce the total space rental payments for
the old WSC location, the review team has been provided with no documented
analysis of the costs and benefits of the original and revised "crash"
construction schedules.
-------�
APPENDIXJ
DOCUMENTS EXAMINED BY THE REVIEW TEAM
9-1
AOOO
A0005
AOOO 7
A0010
A0020
A0021
A0022
A0030
A0031
A0032
A0040
A0050
A0055
A0060
A0070
A0071
A0080
A0090
A0100
A0105
A0110
A0120
A0130
A0140
A0500
A0510
A0511
A0512
A0513
A0514
A0600
A0610
A0611
A0612
A0613
A0615
PROCEDURES
ADP OPERATIONS
IBM/AMDAHL SYSTEM CONFIGURATION
UNIVAC SYSTEM CONFIGURATION
EPA PERF. MEAS. OPERATIONS GUIDE
CHANGE CONTROL REPORT—JULY '83
CHANGE CONTROL REPORT--AUGUST '83
CHANGE CONTROL REPORT—SEPTEMBER''83
SYS. ACTIVITIES LOGS—JULY '83
SYS. ACTIVITIES LOGS—AUGUST '83
SYS. ACTIVITIES LOGS—SEPTEMBER '83
NCC CHANGE REPORTS—SEPTEMBER '83
SAMPLE INCIDENT REPORT (IBM/AMDAHL)
SAMPLE FOREIGN TAPE ACTIVITY REPORT
PDP 11/70 APPLICATION DIST. & MAINT.
POP 11/70 BUG REPORT
PDP 11/70 BUG REPORT
PDP 11/70 BUG REPORT SCREENS
PROBLEM REPORTING EXAMPLES
DIPS RUNBOOK SPECIFICATIONS
RELATIONAL DICTIONARY DBA GUIDE
RUNBOOK FOR GAS CYLINDER INVENTORY SYSTEM
MEMO—SOFTWARE CHANGE CONTROL PROCEDURES
MEMO—IMPROVING QUALITY OF SOFTWARE RELEASES
VAX 11/780 TEST AND ACCEPTANCE PLAN
PDP SOFTWARE PROBLEMS AT WSC
INITIAL MEETING NOTES... EPA/DEC
RECOM. PROCEDURES (LETTER FROM DEC)
WSC RESPONSE TO DEC RECOMMENDATIONS
DEC FIELD SERVICE RECOMMENDATIONS
WSC RESPONSE TO DEC FIELD SERVICE RECOMMENDTN'S
LOGS AND CONTROL SHEETS
UNIVAC
PDP 11/70
CBI 2020/NCBI 2020/VAX 11/780
DAILY STATISTICS
WSC SAMPLE LOGS . .
NO DATE
NO DATE
6/21/82
NO DATE
NO DATE
NO DATE
7/31/83
8/31/83
9/30/83
VARIES
9/30/83
10/1/83
NO DATE
9/13/83
10/2/83
NO DATE
8/12/83
NO DATE
8/8/83
7/22/83
7/22/83
12/27/82
5/18/83
6/29/83
6/30/83
NO DATE
8/3/83
NO DATE
NO DATE
NO DATE
NO DATE
VARIES
BOOOO
B0010
BOOH
B0012
B0013
B0014
B0015
B0016
B0017
B0018
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEK ENDING
WEEKLY PROGRESS REPORTS
WSC REPORTS
10/1/82
10/8/82
10/15/82
10/22/82
10/29/82
11/5/82
11/12/82
11/19/82
-------�
9-2
B0019
B0020
B0021
B0022
B0023
B0024
B0025
B0026
B0027
B0028
B0029
B0030
B0031
B0032
B0033
B0034
B0035
BO 03 6
B0037
B0038
B0039
B0040
B0041
B0042
BO 043
B0044
B0045
B0046
B0047
B0048
B0049
B0050
B0051
B0052
B0053
B0054
B0055
B0056
B0057
B0058
B0070
B0071
B0072
B0073
B0074
B0100
B0101
B0102
B0103
B0104
B0105
B0106
B0107
B0108
B0109
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
WEEK
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
ENDING
11/26/82
-12/3/82
12/10/82
12/17/82
12/23/82
12/30/83
1/7/83
1/14/83
1/21/83
1/28/83
2/4/83 '
2/11/83
2/18/83
2/25/83
3/4/83
3/11/83
3/18/83
3/25/83
4/1/83
4/8/83
4/15/83
4/22/83
4/29/83
5/6/83
5/13/83
5/20/83
5/27/83
6/3/83
6/10/83
6/17/83
6/24/83
7/1/83
7/8/83
7/15/83
7/22/83
7/29/83
8/5/83
8/12/83
8/19/83
8/26/83
9/2/83
9/9/83
9716/83
9/23/83
9/30/83
RTP OPERATIONS REPORTS
10/3/82
10/10 82
10/17/82
10/24/82
10/31/82
11/7/82
11/14/82
11/21/82
11/28/82
6/17/83
6/23/83
6/28/83
7/8/83
7/13/83
7/19/83
7/26/83
8/2/83
8/9/83
8/16/83
8/23/83
8/30/83
9/7/83
9/13/83
9/20/83
9/27/83
10/4/83
10/4/82
10/11/82
10/18/82
10/25/82
11/1/82
11/8/82
11/15/82
11/22/82
11/29/82
-------�
9-3
B0110
B0111
B0112
B0113
B0114
B0115
B0116
B0117
B0118
B0119
B0120
B0121
B0122
B0123
B0124
B0125
B0126
B0127
B0128
B0129
B0130
80131
B0132
B0133
B0134
B0135
B0136
B0137
B0138
B0139
B0140
B0141
B0142
B0143
B0144
B0145
B0146
B0147
B0148
B0149
B0150
B0151
BO 15.2
B0153
B0200
B0201
B0300
B0301
WEEK ENDING 12/5/82
WEEK ENDING 12/12/82
WEEK ENDING 12/19/82
WEEK ENDING 12/26/82
WEEK ENDING 1/2/83
WEEK ENDING 1/9/83
WEEK ENDING 1/16/83
WEEK ENDING 1/23/83
WEEK ENDING 1/30/83
WEEK ENDING 2/6/83
WEEK ENDING 2/13/83
WEEK ENDING 2/20/83
WEEK ENDING 2/27/83
WEEK ENDING 3/6/83
WEEK ENDING 3/13/83
WEEK ENDING 3/20/83
WEEK ENDING 3/27/83
WEEK ENDING 4/3/83
WEEK ENDING 4/10/83
WEEK ENDING 4/17/83
WEEK ENDING 4/24/83
WEEK ENDING 5/1/83
WEEK ENDING 5/8/83
WEEK ENDING 5/15/83
WEEK ENDING 5/22/83
WEEK ENDING 5/29/83
WEEK ENDING 6/5/83
WEEK ENDING 6/12/83
WEEK ENDING 6/19/83
WEEK ENDING 6/26/83
WEEK ENDING 7/3/83
WEEK ENDING 7/10/83
WEEK ENDING 7/17/83
WEEK ENDING 7/24/83
WEEK ENDING 7/31/83
WEEK ENDING 8/7/83
WEEK ENDING 8/14/83
WEEK ENDING 8/21/83
WEEK ENDING 8/28/83
.WEEK ENDING 9/4/83
WEEK ENDING 9/11/83
WEEK ENDING 9/18/83
WEEK ENDING 9/25/83
WEEK ENDING 10/2/83
PRIORITY PROJECTS WEEKLY PROGRESS REPORTS
REPORTS DATED 8/1/83 - 9/19/83
TECH. SUPPORT & PLANNING WEEKLY PROGRESS REPORTS
REPORTS FOR WEEKS ENDING 9/19/82 - 9/25/83
12/6/82
12/13/82
12/20/82
12/27/82
1/3/83
1/10/83
1/17/83
1/24/83
1/31/83
2/7/83
2/14/83
2/22/83
2/28/83
3/7/83
3/14/83
3/21/83
3/28/83
4/4/83
4/11/83
4/18/83
4/25/83
5/2/83
5/9/83
5/16/83
5/23/83
5/30/83
6/6/83
6/13/83
6/20/83
6/27/83
7/5/83
7/11/83
7/18/83
7/25/83
8/1/83
8/8/83
8/15/83
8/22/83
8/29/83 -
9/6/83
9/12/83
9/19/83
9/26/83
10/3/83
VARIES
VARIES
COOOO
PERFORMANCE
CO010 RTF SYSTEM FAILURE REPORTS
C0011 10/1/82-10/3/82
-------�
9-4
C0012
C0013
C0014
C0015
C0016
C0017
C0018
C0020
C0021
C0022
C0023
C0024
C0025
C0026
C0027
C0028
C0029
C0100
C0110
C0120
C0121
C0122
C0130
C0131
C0132
C0133
CO 13 4
C0135
C0136
C0137
C0138
.C0139
C0200
C0210
C0220
C0225
C0230
C0231
C0240
C0250
C0260
C0261
C0270
C0280
C0290
C0291
C0292
C0300
C0310
C0320
C0330
C0340
C0350
C0360
10/1/82-10/10/82
10/1/82-10/17/82
10/1/82-10/24/82
10/1/82-10/31/82
11/1/82-11/7/82
11/1/82-11/14/82
11/1/82-11/21/82
11/1/82-11/30/82
12/1/82-12/5/82
12/1/82-12/12/82
12/1/82-12/19/82
12/1/82-12/26/82
12/1/82-12/31/82
1/1/83-1/31/83
2/1/83-2/28/83
3/1/83-3/31/83
4/1/83-4/30/83
WSC STATISTICS
WSC PERFORMANCE CHARTS PACKET
MONTHLY STATISTICS— JULY
MONTHLY STATISTICS — AUGUST
MONTHLY STATISTICS— SEPTEMBER
DAILY STATISTICS , "A" SYSTEM — JAN ' 83
DAILY STATISTICS, BOTH SYSTEMS — PEB '83
DAILY STATISTICS, BOTH SYSTEMS — MAR '83
DAILY STATISTICS, BOTH SYSTEMS ~ APR '83
DAILY STATISTICS, BOTH SYSTEMS — MAY '83
DAILY STATISTICS, BOTH SYSTEMS — JUN '83
DAILY STATISTICS, BOTH SYSTEMS — JUL '83
DAILY STATISTICS, BOTH SYSTEMS — AUG '83
DAILY STATISTICS, BOTH SYSTEMS — SEP '83
DAILY STATISTICS, BOTH SYSTEMS — OCT '83
RTP STATISTICS
POP - IAS PERFORMANCE MONITOR DOCUMENTATION
PDP 11/70 PERFORMANCE REPORT — 9/13/83
PDP 11/70 PERFORMANCE REPORT — 10/1/83
IBM/ AMDAHL CAPACITY ANALYSIS— 2ND QTR
IBM/AMDAHL CAPACITY ANALYSIS — 3RD QTR
IBM QUARTERLY PME REPORT — APRIL- JUNE '83
UNIVAC — DATAMETRICS 3RD QTR '82 REPORT
UNIVAC QUARTERLY PME REPORT — APRIL-JUNE '83
UNIVAC QUARTELY PME REPORT — JULY-SEPTEMBER '83
UNIVAC PROCESSOR CALL REPORT— JUNE '83
UTILIZATION STATISTICS, ALL SYSTEMS (MORNING RPT . )
UTILIZATION STATISTICS — JULY '83
UTILIZATION STATISTICS — AUGUST '83
UTILIZATION STATISTICS — SEPTEMBER '83
NETWORK ANALYSIS REPORTS/CHARTS — 1ST QTR '83
SPSRRY COMM. LINE UTILZ. RPT — 5/82-5/83
AMDAHL CAPACITY PROBLEMS MEMO
TYMNET CONTRACT PERFORMANCE REQUIREMENTS
SEPTEMBER COMMUNICATIONS TROUBLE REPORT
WSC ADMIN SYS — SYSTEM PERFORMANCE REPORT
WSC APPLC SYS — SYSTEM PERFORMANCE REPORT
10/25/83
8/1/83
9/1/83
10/1/83
NO DATE
9/13/83
10/1/83
5/4/83
8/3/83
7/11/83
11/22/82
7/11/83
10/12/83
7/14/83
8/3/83
7/31/83
8/31/83
9/30/83
VARIOUS
NO DATE
10/28/83
NO DATE
SEPT '83
11/8/83
11/8/83
-------�
9-5
DOOO . PLANNING
DO010 RTP MANAGEMENT WORK PLANS
i D0011 MGMT WORK PLAN JUNE-SEPT. 1982 (REVISED 6/21/82) 5/31/82
D0012 MGMT WORK PLAN OCT '82-JAN !83 (DRAFT) 10/15/82
D0013 MGMT WORK PLAN FEE-MAY 1983 2/23/83
* D0014 MGMT WORK PLAN JUNE-SEPT. 1983 6/15/83
D0015 MGMT WORK PLAN OCT '83-JAN '84 (REVISED 11/22/83) 9/23/83
D0020 PDP 11/70 CONVERSION COSTS/ALTERNATIVES SEPT '83
DO030 AGENCY REQUEST FOR COMPUTER REPLACEMENT 6/15/83
D0040 ADP MODERNIZATION PLAN AUG '83
D0050 INTERIM EPA POLICY ON MICROCOMPUTERS 9/9/83
D0060 PDP 11/70 DISK JUSTIFICATION (SUPERFUND) NO DATE
D0070 DOCUMENTATION LIST FOR SYSTEMS UNDER DEVELOPMENT 11/15/83
D0080 DRAFT ADABAS PROCEDURES MANUAL—SECTION 3 NO DATE
DO090 DPA LETTER—MAINFRAME & MINICOMPUTERS 10/12/83
D0095 DPA LETTER—GRAPHICS SYSTEMS 9/30/83
D0099 WSC RENOVATIONS JUSTIFICATION 4/18/83
D0100 WSC RENOVATION CONTRACT 10/6/83
D0105 WSC RENOV.—COM-SITE PROPOSAL(pp. 1.3-1.7 MISSING) 7/25/83
D0110 FINAL REPORT—LONG RANGE ADP USER REQ. TASK FORCE OCT '83
D0120 OMISS FY84 PROGRAM PLAN 11/17/83
D0130 IBM/AMDAHL SERVICE LEVEL GOALS REVIEW 4/5/83
EOOO STANDARDS AND PROCEDURES
E0010 OPPERATIONS MANUAL—PDP 11/70 (REV. 4/83)
E0020 OPERATIONS HANDBOOF—IBM/AMDAHL,4341
E0030 OPERATOR'S HANDBOOK—DEC 2020 (IN REWRITE)
E0040 OPERATOR'S HANDBOOK—OTS VAX (IN REWRITE) f
E0050 OPERATIONS HANDBOOK—MAD VAX (IN REWRITE)
E0060 STABILITY PROCEDURES MANUAL—UNIVAC (REV. 4/28/83)
S0070 STABILITY PROCEDURES MANUAL—IBM (IN REWRITE)
E0080 STANDARD OPERATING INSTRUCTIONS—PDP 11/70
E0090 NCC USER REFERENCE MANUAL—UNIVAC (REV.4/29/83)
E0100 NCC - IBM USER'S GUIDE (REVISED MAY '83
E0110 PDP 11/70 USER.'S MANUAL
E0120 PDP 11/70 SYSTEM MANAGER'S GUIDE
E0130 PDP 11/70' PROGRAMMER'S REFERENCE MANUAL
E0140 PDP 11/70 OPERATIONS MANUAL
S0150 FORMAT & CONTENT STD'S FOR PROD. CONTROL RUNBOOKS
E0160* OBS WYLBUR USER'S GUIDE AND REP.' MANUALS
FOOO POLICY & GUIDANCE, DOCUMENTATION
F0010 ADP MANUAL
F0011 ADP MANUAL CHAPTERS 1-6
F0012 ADP MANUAL UPDATE: CHAP 7—NON-EPA USE
F0013 ADP MANUAL UPDATE: CHAP 8—STANDARD LANG.
F0014 ADP MANUAL UPDATE: CHAP 9—MICROGRAPHICS
F0015 ADP MNL UPDT:CHAP 6, APPENDIX 0-PRPSLS,EVAL PLNS
F0020 ADP SYSTEM DOCUMENTATION STANDARDS
MAY '82
12/80-4/83
NO DATE
NO DATE
NO DATE
6/10/81
10/22/82
1/1/83
1/2/80
FEB '82
JULY '82
NO DATE
JULY '82
MAY'82
4/30/82
VARIES
3/31/75
10/13/76
10/14/76
10/7/76
12/2/77
FEB '80
-------�
9-6
GO00 NCC MANAGEMENT
G0010 RESUMES—KEY GOVERNMENT PERSONNEL
G0011 NCC ORG. CHART (TEMP./ HANDWRITTEN)
G0012 RESUMES FOR RECENT ADDT'NS TO NCC/EPA STAFF
G0013 POSITIONS/DESCRIPTIONS CURR. ADTH. FOR NCC/EPA
G0014 CURRENT POSITION DESC. FOR NCC STAFF
GO015 OIRM REORGANIZATION MEMO
G0020 REVIEW OF OIRM BRANCH FUNCTIONAL STATEMENTS
G0021 DP DIVISION—BRANCH FUNCTIONAL STATEMENTS
G0025 ORG CHART—ARCH. MGMT & PLANNING BRANCH &POSITIONS
G0026 ORG CHART—COMPUTER TECHNOLOGY BRANCH
G0027 ORG. CHART—COMPUTER SERVICES BRANCH(RCVD 11/2/83)
GO030 POSITION DESCRIPTION—COMPUTER SPECIALIST
GOO40 EPA PHONE LIST
GOO50 NEW EMPLOYEE AFFIDAVITS
G0060 ETHICS & CONFLICTS OF INTEREST MEMO
G0061 POLICY ON CONFLICT OF INTEREST
GOO62 GUIDANCE ON ETHICS & CONFLICTS OF INTEREST
GO070 EPA EMPLOYEE HANDBOOK -
GOO76 AWARD FEE PLAN
G0077 AWARD FEE STANDARD LETTER (SAMPLE)
GOO80 MISC STAFFING MEMOS
GO081 TEMP. STAFF REASSIGNMENTS
GOO82 APPOINTMENT OF TONY JOVER
G0083 TEMP. REASSIGNMENT OF MARY BLAKESLEE
GO090 REASONS FOR RESIGNATION—1983
GO100 MIDSD PERSONNEL ROSTER—OCT '83
G0101 MIDSD PERSONNEL ROSTER—SEPT '83
G0102 MIDSD PERSONNEL ROSTER—SEPT '82
GO110 JIM PLATTEN ASSIGNMENT LETTER
G0120 EPA EMPLOYEE RESPONSIBILITIES & CONDUCT
G0130 SPA CONDUCT & DISCIPLINE MANUAL (REV 1/24/80)
G0140 NCC LEAVE SCHEDULE, OCT-NOV '83
GO150 FM CONTRACT EVALUATION MEMO
G0160 CONTRACT MODIFICATION LETTER
G0170 DON FULFORD-RATIFICATION MEMO
GO180 INTERIM STAFFING PATTERN
G0190 RQST FOR PERSONNEL. CLASSIFICATION ACTION FOR 0PM
G0200 SDC STAFF BY FUNCTION
G0210 STAFF PERF. OBJECTIVES FOR NCC/EPA—FY83
G0215 STAFF PERF. OBJECTIVES FOR NCC/EPA—FY84 (DRAFT)
G0220 SDC CONTRACT PERFORMANCE EVALUATION REPORTS
G0221 10/1/82—1/31/83
G0222 2/1/83—5/31/83
G0223 6/1/83—9/30/83
GO230 AUDIT OF BILLING RESOURCES
GO240 STAFF TRAINING AUTHORIZATIONS
NO DATE
OCT '83
NO DATE
NO DATES
12/83-1/84
10/27/83
10/27/83
10/18/83
10/17/83 ..
NO DATE
NO DATE
NO DATE
9/12/83
SEPT '70
8/1/83
OCT '83
AUG '83
NO DATE
NOV '80
5/27/82
9/7/83
9/20/83
SEPT '83
VARIES
10/31/82
9/30/83
9/30/82
4/30/82
4/17/73
10/18/76
10/5/83
9/13/82
3/18/83
9/7/83
11/1/83
8/24/83
10/5/83
NO DATE
NO DATE
NO DATE
NO DATE
NO DATE
8/16/83
VARIES
-------�
9-7
HOOO
H0010
H0020
H0030
, H0040
H0050
CONTRACTOR MANAGEMENT.
RESUMES—KEY CONTRACTOR 'PERSONNEL
SDC ORG. CHARTS
OPERATIONS TRAINING PROGRAM OUTLINE
NO DATE
NO DATE
NO DATE
SDC PROPOSED POSITIONS—PROPOSALS 82-5084, 83-5309 8/26/83
SDC STAFF DEPLOYMENT/CURR. AUTHORIZED POSITIONS- NO DATES
1000
10005
10010
10020
10030
10040
10050
10060
10065
10070
10080
10090
10091
10092
10095
10096
10097
10100
zoioi
10110
10111
10112
10113
10114
10115
10116
10130
10131
10132
10140
10150
10160
10180
10190
*
10200
10210
a 10215
10220
10225
10226
10230
10231
10232
10233
10234
10235
10236
USER SUPPORT & TRAINING
OBTAINING AN ADP UTILIZATION IDENTIFIER
CICS OUTLINE.
AVAILABLE ASET COURSES
RTP TRAINING COURSES
RESIDENT LIBRARY COURSE
ADP TRAINING PROBLEMS & RECOMMENDATIONS
USER PROFILE REQUEST MEMO
SAMPLE INVALID USER- ID LETTER
ONLINE NEWSLETTER — JULY '83
CUSTOMER ASSISTANCE REQUESTS (CAR) WEEKLY RPT.
CAR ACTIVITY BAR CHART— 5/11-7/27
CAR ACTIVITY SUMMARY— FY83 (RTP)
CAR ACTIVITY REPORT FOR-WSC - OCTOBER '83
PSRF. EVAL. SURVEY LETTERS — IBM; SPERRY; DEC
PERF. EVAL. SURVEY LETTER— IBM - JAN '84
PERF. EVAL. SURVEY LETTER — SPERRY - JAN '84
CONTRACTOR PERFORMANCE EVALUATIONS (JUNE !83)
CONTRACTOR PERFORMANCE EVALUATIONS (SEPT '83)
CONTRACTOR PERFORMANCE EVALUATION SUMMARY (6/83)
CONTRACTOR PERF. EVALUATION SUMMARY — FEB '82
CONTRACTOR PERF. EVALUATION SUMMARY — JUNE '82
CONTRACTOR PERF. EVALUATION SUMMARY — SEPT '82
CONTRACTOR PERF. EVALUATION SUMMARY — FEB '83
CONTRACTOR PERF. EVALUATION SUMMARY—JUNE '83
CONTRACTOR PERF. EVALUATION SUMMARY—SEPT '83
CONTRACTOR PERF. EVAL. CHARTS — FEB ' 82- JAN '83
CONTRACTOR PERF. EVAL. CHARTS — JUN '83-MAY '83
CONTRACTOR PERF. EVAL. CHARTS — OCT ' 83-SEP '83
WSC CONTRACTOR PERF. EVAL. SUMMARY — FEB '83
TRAINING COURSE SUMMARY — FY83
MEMO ON TRAINING SURVEY RESULTS
IBM USER'S GUIDE, SEC. 3.0 — MGMT OF SYS. RESOURCES
MEMO 1609— USER'S MEETING RECAP
MISC. MEMOS
MEMO 182 — RESUMPTION OF NCC TRAINING
MEMO 184— TRAINING SCHEDULE
MEMO 192 — NCC TRAINING AUG-SEPT 1983
MEMO 202 — CICS/VS COMMAND LEVEL PROG. COURSE
MEMO 203 — AD ABAS
MEMO 209 — NCC DATA SET NAMING CONVENTIONS
MEMO 210 — TELL-A-GRAF 4.2
MEMO 211 — PLANNED SYSTEM SHUTDOWN
MEMO 212 — VS FORTRAN AVAILABILITY
MEMO 213— NEW RELEASE OPTIMIZER III
MEMO 214 — MORE DATA SET NAMING CONVENTION CHANGE
MEMO 215— NEW RELEASE PL/1 OPTIMIZING COMPILER
NO DATE
NO DATE
12/27/82
NO DATE
3/3/83
NO DATE
NO DATE
9/22/83
NO DATE
7/28/83
•NO DATE
10/5/83
11/4/83
SEPT '83
1/12/84
NO DATE
6/7/83
SEPT '83
6/10/83
FEB '82
6/15/82
9/12/82
2/14/83
6/10/83
9/23/83
NO DATE
NO DATE
NO DATE
2/15/83
NO DATE
7/1/83
11/7/83
5/5/83
6/16/83
7/22/83
9/9/83
10/6/83
10/5/83
10/10/83
10/17/83
10/12/83-
10/20/83
11/1/83
11/1/83
-------�
9-8
10237
10238
10241
10242
10243
10245
10246
10247
10248
10249
10252
10253
10257
10258
JOOO
JQ010
J0020
J0030
J0040
JO 041
J0045
J0050
J0051
J0052
J0053
J0054
J0055
J0056
J0060
J0070
J0080
J0090
J0100
J0103
J0110
J0120
J0130
J0140
J0150
J0160
J0170
J0180
J0185
J0190
J0200
J0210
J0220
J0300
J0305
J0310
J0315
. J0320
TfCSO R
MEMO 216— NCC-IBM USER'S MEETING RECAP
MEMO 217— PANVALET RELEASE 11.0 INSTALLATION
MEMO 220— WSC SHUTDOWN FOR MOVE TO NEW FACILITY
MEMO 221— MAPPER DEMONSTRATIOMN AVAILABILITY
MEMO 222 — SYSTEM 2000 RELEASE 2.95C IMPLEMENTATION
MEMO 224— HOLIDAY SCHED. FOR CALENDAR 1984 (IBM)
MEMO 225 — HOLIDAY SCHED. FOR "CALENDAR 1984(SPERRY)
MEMO 226 — NEW RELEASE EASYTRIEVE
MEMO 227 — ASSEMBLER H VERSION 2 AVAILABLE
MEMO 228— VS FORTRAN PROCEDURES UPGRADE
MEMO 231 — ICF IMPLEMENTATION
MEMO 232— NCC TRAINING JAN. -MARCH 1984
MEMO 236— TRANSFER OF USER SUPPORT FUNCTION
MEMO 237— FREE LEVEL 38R5A TESTING
COST ACCOUNTING AND CHARGEBACK
ARMS RDS DATABASE DEFINITION/SCHEMA/ELEMEMT DESC .
SAS DEFINITIONS FOR SMF DATA FR. ABM/ AMDAHL
SAS ROUTINE TO COLLECT SMF DATA FR. IBM/ AMDAHL
FIMAS MGMT REPORTS THROUGH MARCH 1983
FIMAS MGMT REPORTS THROUGH JUNE '83
FIMAS PROJECT PLAN
SAMPLE TSSMS REPORTS
TSSMS SYSTEM MANUAL (DRAFT)
TSSMS ACCOUNT MANAGER REPORT
TSSMS/UTILIZATION ACCOUNTING SYSTEM FLOW CHART
TSSMS USERID ACCEPTANCE FORM (SIGNATURE CARD)
TSSMS MGMT REPORTS DISTRIBUTION LIST
TSSMS ADP COORDINATOR MAILING LIST
OMB CIRC. A-ll: PREP. & SUBM. OF BUDGET ESTIMATES
NCC FULL COSTING— FY 83
IBM COST CENTER ANALYSIS— FY 83
UNIVAC COST CENTER ANALYSIS— PY83
MONTHLY REVIEW & ANALYSIS RPT— MAY '83
MONTHLY REVIEW & ANALYSIS REPORT— AUGUST '83
UNIVAC MONTHLY RUN SUMMARY — MAY '83
UNIVAC UTILIZATION & CHARGE SUMMARY— MAY '83
UNIVAC YTD UTIL. & CHARGE SUMMARY — OCT '82-MAY '83
BILLING SUMMARIES — JUNE 1983
FY83 BUDGET PROPOSAL (UPDATED THROUGH 6/15/83)
INTERAGENCY AGREEMENT CHARGE SUMMARIES '
IAG ACCOUNTS— FY 8 3
IAG AGREEMENT WITH COMMODITY FUTURES TRADING COMM
IAG AGREEMENT WITH NAT'L TECHNICAL INFO SERVICE
TIMES HARE MANAGEMENT MEMO
PRELIMINARY WORKING CAPITAL FUND DESIGN PAPER
IAG REPORT 11 — INTERAGENCY AGREEMENT SUMMARY
MEMO — TIMESHARE POLICY & MO. TARGETS (RCVD 1/23/84)
SAMPLE REPORTS (REGION V)
IBM USERID BATCH JOB PRIORITY REPORT
IBM SYSTEM ACCOUNT BATCH PRIORITY REPORT
IBM SYSTEM ACCOUNT JOB SUMMARY
IBM COMPUTER-RELATED CHARGE SUMMARY— SEPT '83
TTIM cvcT'FM 1 Q fl 7 FT.Qr AT. VRAT9 TO HATE STATEMENT
11/14/83
11/10/83
11/25/83
11/25/83
11/17/83
12/7/83
12/7/83
12/9/83
12/9/83
12/9/83
12/23/83
12/23/83
1/13/84
1/13/84
NO DATE
8/8/83
7/30/83
5/4/83
8/1/83
10/24/80
VARIES
9/12/83
8/23/83
NO DATE
NO DATE
NO DATE
8/1/83
6/1/83
9/1/83
6/1/83
6/1/83
6/2/83
JUL '83
5/15/83
10/2/83 -
NO DATE
10/11/83
NO DATE
11/7/83
9/23/83
10/7/83
NO DATE
10/4/83
10/4/83
10/4/83
10/3/83
10/5/83
-------�
9-9
J0330
J0335
J0340
J0345
.* JO3 50
J0355
J0360
•
JO 400
JO 410
J0415
J0420
J0425
J0430
J0435
J0440
J0445
J0450
IBM SYSTEM USERID JOB COST SUMMARY—SEPT '83
IBM SYSTEM MONTHLY STATEMENT—SEPT !83
UNIVAC MONTHLY USERID SUMMARY—SEPT '83
UNIVAC UTIL. & CHARGES SUMMARY—SEPT '83
UNIVAC MONTHLY RUN SUMMARY—SEPT '83
UNIVAC FISCAL YTD UTIL. & CHARGE (PPS)—SEPT '83
UNIVAC FISCAL YTD UTIL.& CHARGE (FOI REQ) — SEPT'83
SAMPLE MANAGEMENT REPORTS FOR A SINGLE RPIO
RPT 4—TOTAL USE SUMMARY
RPT 5—TOTAL USE SUMMARY
RPT 6—TTL USE SUMMARY -
RPT 7—TTL USE SUMMARY -
RPT 8—TTL USE SUMMARY -
RPT 9—TTL USE SUMMARY -
RPT 10-TTL USE SUMMARY -
RPT 11-TTL USE SUMMARY -
RPT 12-TTL USE.SUMMARY -
- COMPUTER CHARGES (AUG)
- DP BUDGET (AUG)
BY ALLOWANCE HOLDER (AUG)
BY AH BUDGET (AUG)
BY DECISION UNITS (AUG)
BY DECISION UNIT BUDGET
BY PROGRAM ELEMENT (AUG)
BY PROGRAM ELEMENT BUDGET
RESOURCE CHARGES BY ACCT
10/4/83
10/4/83
10/1/83
10/1/83
10/1/83
10/1/83
10/1/83
9/9/83
9/9/83
10/2/83
10/2/83
10/2/83
10/2/83
10/2/83
10/2/83
10/2/83
KOOO SECURITY/DISASTER PLANNING
K0005 RTP SECURITY MANUAL (REVISED 6/29/79, 12/5/82) 4/3/79
K0007 WSC SECURITY MANUAL (DRAFT) - 11/28/83
K0010 OS 1100 LOCAL ENHANCEMENT (REV. 9/16/80) 7/24/79
K0020 PRIVACY ACT BRIEFING NO DATE
K0021 PRIVACY ACT INFORMATION BRIEFING STATEMENT NO DATE
K0030 TOXICS CBI SECURITY MANUAL (DRAFT) NOV '83
K0031 CBI BRIEFING NO DATE
K0032 . TSCA CBI SECURITY MANUAL TEST FORM NO DATE
K0033 CONTRACTOR CBI EMPLOYEE STATEMENT MAY '80
K0034 SDC EMPLOYEE CONFIDENTIALITY AGREEMENT NO DATE
K0035 CBI BRIEFING STATEMENT NO DATE
K0040 EPA EMPLOYEE SECURITY AWARENESS PAMPHLET AUG '83
K0050 SDC SECURITY REPORTING PROCEDURE—RTP(REV.3/9/82) 6/18/80
K0060 WSC SECURITY CONTROL LETTER 3/24/83
K0070 WSC SECURITY CONTROL UPDATE LETTER ' 8/17/83
K0080 POP ACCESS VIOLATION NOTICE 10/6/83
K0090 LOGON FAILURES DAILY REPORT—SAMPLE (UNIVAC) 10/25/83
K0095 RACF FAILURES DAILY REPORT—SAMPLE 10/16/83
K0100 MEMO OF CONTINGENCY AGREEMENT—USAFAC (UNIVAC) 1/27/82
K0110 MEMO OF CONTINGENCY AGREEMENT—NIRC (IBM) 3/30/83
K0120 RTP DISASTER RECOVERY PLAN - 6/30/79
a KOI21 CRITICAL SYSTEMS SURVEY NO DATE
K0122 DISASTER RECOVERY SURVEY SUMMARY 6/12/79
K0123 USER APPLICATION PROFILE FORM NO DATE
,. KOI24 NCC USER'S QUESTIONNAIRE (FORM) ' NO DATE
K0125 NCC USER'S QUESTIONNAIRE (SAMPLE—REGION X) 12/26/78
K0130 WSC FLOOR PLAN (NOT CURRENT) NO DATE
K0135 WSC FLOOR PLAN—NEW SITE NO DATE
KOI40 SECURITY OUTLINE FY84 NO DATE
K0150 APPROVAL FORM—COMPUTER ROOM AREA ACCESS - NO DATE
K0155 SAMPLE RESPONSE — DISASTER RECOVERY MEMO (#178) 4/27/83
K0160 WSC SECURITY INCIDENT LETTER (OPEN DOOR) 9/6/83
LOOP
ASSET MANAGEMENT
-------�
9-10
L0030 RTF HARDWARE COMPONENT INVENTORY NO DATE
L0040 TAPE LISTS—IBM, UNIVAC, DEC AUG '83 NO DATE
L0060 PDP STANDARD HARDWARE/SOFTWARE CONFIG.(HANDWRIT.) 9/13/83
1,0070 PDP IAS RLSE011 DOCUMENTATION . 7/21/83
LOO80 SOFTWARE/PACKAGES BY COMPUTER SYSTEM NO DATE
L0090 FY83 PROJECTED SOFTWARE DICTIONARY NO DATE
L0100 PERSONAL PROPERTY SYSTEM (PPS) REPORT 5/20/83
L0110 PPS SYSTEM INPUT FORM JUNE '79
L0120 GUIDE FOR CTRL OF GOVT PROPERTY BY CONTRACTORS , NOV '81
L0130 PPS USER DOCUMENTATION NO DATE
L0140 EPA PROCUREMENT INFORMATION NOTICE . 9/18/81
L0150 INVENTORY CONTROL SYSTEM REPORTS
L0160 PPS DETAIL LIST—ACCT 30
L0170 PROPERTY MANAGEMENT REGULATIONS
L0180 OBJECT CLASSIFICATIONS (1982) NO DATE
L0185 PROCUREMENT/REQUEST ORDER FORM (EPA FORM 1900-8T) FEB '83
L0190 SAMPLE PROCUREMENT/REQUEST ORDER 8/26/83
-------�
10-1
APPENDIX 10
MANAGEMENT REVIEW INTERVIEWEES
Data Processing Division, Office of Information Resources Management
Woody Briggs Don Fulford Ted Harris
Lloyd Hedgepeth Maureen Johnson George LaForest
Susan Martin Oira Obenschain Jim Platten
Tom Rogers Dennis Schur Jerry Slaymaker .
Joan Swain Ernie Watson ' Joe Wilson
Don Worley
Facilities Management Contractor - System Development Corporation
Calvin Berg Cheryl Clark Jim Clark
Ron Courtney Bill Craig Bob Eaton
Mike Favitta Will Findell Murray Glass
Gerald Groon Clancey Knowles Sally Kopitzke
Gene MacAdams Bob McCarthy David McCoy
Hari Nath Walt Pavlic Nell Pell
Floyd Schwartz Jim Stephenson Dave Taylor
Fred Wallace Ken Wheeler
Office of Information Resources Management (Washington)
Mary Buckman Steve Schilling
Property Management and Supply Section, Office of Administration (Washington)
Mary Beard Frank Powers
Office of Administration (Research Triangle Park)
Allan Baker (Property)
Harry Richardson (Finance)
Fran Woodard (Immediate Office)
Office of Pesticides and Toxic Substances
Elgin Fry Gene Hankinson
-------�
-------�
11-1
ADABAS
ADP
ADPE
ADP/MIS
AMDAHL
AMPB
AMS
ARIS
BEST 1
CAE
CBI
CGI
CICS
OASD
DCN
DEC
DPD
EPPMRs
EXCPs
FIMAS
FM Contract(or)
FMO
FMS
GFE
APPENDIX 11
GLOSSARY
A data base management system developed by Software AG.
Automatic Data Processing.
Automatic data processing equipment.
ADP inventory report required by GSA.
A manufacturer of large computers.
Architectural Management and Planning Branch
American Management Systems, Inc.
ADP Resources Management Information System.
A commercial program which models computer system
performance.
Contractor acquired equipment.
Confidential business information^
Cap Gemini, Inc.
Customer Information Control System - a teleprocessing
monitor produced by IBM.
Direct Access Storage Device.
Document control number.
Digital Equipment Corp., a computer manufacturer.
Data Processing Division within the Office of Information
Resources Management.
EPA's Property Management Regulations.
Execute Channel Programs.
c
NCC Facility Impact Monitoring and Analysis System.
Facilities management contract(or).
EPA Financial Management Division.
EPA Financial Management System.
Government furnished equipment.
-------�
11-2
6SA
IAG
IBM
MIDSD
MIPS
MTBF
MTTR
NCC
OA
ODP/RTP
OIRM
OMB
OMISS
0PM
OPP
OTS
PCMD
POP 11/70
PO
PPS
PR
RPIO
RTP
U.S. General Services Administration,
Interagency agreement.
International Business Machines, Inc. - a major computer and
office equipment manufacturer.
Management Information and Data Systems Division (old
organization).
Million instructions per second.
Mean time between failures.
Mean time to repair.
EPA's National Computer Center, encompassing operations in
Research Triangle Park, North Carolina, and in Washington,
D.C.
Office of Administration (old organization - now Office of
Administration and Resources Management).
Office of Data Processing in Research Triangle Park, N.C.
\
%
Office of Information Resources Management.
Office of Management and Budget, Executive Office of the
President.
Office of Management Information and Support Services (old
organization - now Office of Information Resources Manage-
ment ).
U.S. Office of Personnel Management.
Office of Pesticide Programs.
Office of Toxic Substances.
Procurements and Contracts Management Division.
A minicomputer manufactured by Digital Equipment Corp.
Purchase order.
EPA's Personal Property System.
Procurement request.
Responsible Program Implementation Official - an element of
EPA's budget structure.
Research Triangle Park, North Carolina.
-------�
11-3
SDC System Development Corporation.
SF-120 Excess property form.
SPERRY A computer manufacturer, previously Sperry-Univac.
TSCA Toxic Substances Control Act.
TSSMS HCC's Time Sharing Services Management System.
VDU Video display unit.
VAX A minicomputer manufactured by Digital Equipment Corp.
WIC Washington Information Center - new NCC computer facility in
Waterside Mall.
WSC Washington Service Center - previous NCC computer facility
in Waterside mall.
-------�
-------�
12-1
APPENDIX 12
\ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
| National Computer Center
Rweareh Triangle Park, North Carolina 27711
January 24, 1984
MEMORANDUM
SUBJECT: Comments on Draft Final Audit Report
FROM: Donald W. Fulford, Acting Director C] a Q l r
Data Processing Division (MD-34) *-/
-------�
12-2
B) Generally speaking, we believe a positive tone is roost productive in
achieving desirable change. In several cases, negative connotations are
given where no purpose would seem to exist. Examples include:
. Where a recommendation is made to perform comprehensive reviews
which are already done to some extent, it is preferable to state
"should continue", "should expand", or "should more actively
pursue," etc., rather than implying that the organization should
begin the proposed activity. Also, the use of modifying terms
such as "relatively" and "occasionally" are sometimes used in
situations where little, if any, real improvement is possible
except at resource costs which are neither feasible nor obtain-
able under current conditions.
C) The acronym "WIC" for Washington Information Center should be used through-
out instead of "WSC" to reflect the new nomenclature.
D) The Second Appendix 7 titled "NCC Management" should be Appendix 8 with
corresponding page number changes.
E) The First Appendix 7 titled "Equipment and Software Acquisition Control"
contains several references to "MIDSD". As was mentioned in our review of
the Interim Audit Report dated November 17, 1983, these should be changed
to reflect our current organization.
SPECIFIC
Table of Contents: III-G should read "Equipment and Software...."
Table of Contents: Appendices, 7 same.
Executive Summary, Page 1, Section A, "perform a comprehensive review,"
recommend change to "continue to perform comprehensive reviews".
Page 1, Section B, first bullet: Insert "more" between "take" and "active".
Also, in second line, replace "creating" with "promoting the use of".
Page 1, Section B, second bullet: Replace "review" with "formalize".
Page 1, Section C: Replace second sentence with "The NCC, in conjunction with
the Program Offices, should develop and implement an ADP Coordination
Training and Orientation course for ADP Coordinators which would establish
their responsibilities and enable them to more effectively carry out their
assigned functions."
Page 2, second bullet: EPA is in compliance with A-121.
-------�
12-3
Page 2, Section E, second bullet: Insert "take measures where possible to"
before "strictly enforce".
Page 2, Section E, third bullet: See General Comment A.
Page 2, Section E, bullet five: See General Comment A. Also, insert "in
conjunction with the Program Offices" after "OIRM" and delete "both NCC
facilities and".
t
Page 2, Section E, bullet seven: Need more specific information regarding
"standard agreements."
Page 3, Section F: See memo dated December 21, 1983, General, Section CSD
regarding risk analysis and disaster recovery plans.
Page 3, Section 6, bullet three: "recordkeeping" is missing an e.
Page 4, bullet two: Insert "NCC" as second word in sentence.
Page 1-1, Section C, line 4: Insert "is" after "NCC". Also, in Paragraph 2,
second sentence, "organization" shouTd be "organizational" and "which was
implemented" should be inserted after "activities".
Page 1-2, last bullet: All recommendations should be located in Chapter III
rather than spread throughout the document.
Page II-l, Section 1, last paragraph: "Utilization" is misspelled.
Page II-l, Section 2, Paragraph 2: There is currently no intent to provide
3270 terminal access capability to the SPERRY users.
Page II-2, first paragraph: "Utilization" is missing an i.
Page II-2, Section B, Paragraph 2: As was indicated previously, this consump-
tion relates largely to jobs submitted by users. The NCC initiated several
efforts in the past to encourage greater use of microfiche. During FY83
DPO management established several tasks in the FM Contractor Work Plan to
review periodic reports, both machine and manually produced, with an
objective of reducing the volume of reports. This was successfully com-
pleted.
Page II-2, Section 8, Paragraph 4: As was stated in previous memos, mainte-
nance of the EPA ADP Manual is not the responsibility of the NCC and there-
fore requires identification of the responsible organization.
-------�
12-4
Page II-3, Section 6: As noted previously in the November 17*, 1983 response,
"DPD policy has been to allow users to procure packages with which they
are familiar, and to operate on the mainframes with certain stipulations
to ensure no adverse impact on other users." .
Page II-4, Section D, Paragraph 1: In reference to DMS-1100 specifically,
and the cost of software packages in general, in our December 21, 1983
review, we made the following comments on Page 4: "Unit costs for printing
decreased; hence, rates were lowered, reflecting DPD policy to pass along
savings realized due to efficiency of operations. It should also be noted
that rates applied were comparable to those of commercial timeshare centers,"
and "DPD policy has been to permit access of all software systems by all
users. Some may not need to use them, but there is currently no cost-
effective method to charge by individual use of specific library systems.'1'
Actual billings exceeded cost of printing.
Page II-H, Section D, Paragraph 2: Packages is misspelled.
Page II-5, Paragraph 2: With respect to the glass wall at MIC, this entire
area is fully contained within a controlled area, and DPD Management feels
that this provides an increased surveillance and monitoring capability for
the computer room area.
Page II-5, Section 5: See General Comment A regarding responsibilities and
authority.
Page II-7, Section 2: Refer to previous memos regarding backup arrangements.
Page II-7, Section 4, last sentence: SPERRY disaster recovery processing
will be done in batch mode and therefore, there is no requirement for a
telecommuniations network. With regard to IBM disaster recovery, Postal
Service backup site has a telecommunications network which is very similar
to EPA's and provides adequate capabilities to accomplish disaster recovery
processing.
Page I1-8, Paragraph 6: Refer to General Comment A. There is no agency
requirement for software inventory. NCC currently has an up-to-date
inventory of their software; however, we cannot enforce similar require-
ments on other EPA components. OIRM needs to develop a policy to be
carried out by Program Offices.
Page 11-10, Section 6: There is no apparent basis for this conclusion. The
Audit Team should clarify this comment so it can be properly discussed.
Page III-l: A.l.a, There was a comprehensive review of performance goals in 83
-------�
12-5
Page III-2, Section 1, Paragraph B: Refer to previous comment regarding
paper usage.
Page III-2, Section 2, Paragraph B: Archiving data sets within 45 days or less
would require undue staff and computer workload to recover files required
for monthly production runs.
Page II1-3, Section 3, Paragraph B: Refer to previous comment regarding use
of software packages.
Page III-3, Section 4, Paragraph B: Refer to previous comment regarding main-
tenance of EPA AOP Manual.
Page III-3, Section 5, Paragraph A: Believe "competitive" should be
"compatible".
Page III-3, Section 5, Paragraph B: HCC continually reviews the utilization
of the Sperry System. If workload continues to decrease, NCC will
conduct a detailed analysis.
Page III-3, Section 6, Paragraph B: NCC has implemented procedures to
encourage users to determine the reliability of archived tape files.
Current DPD resources preclude the performance of this activity by the
Data Center.
Page III-4,C,l,b: DPD does not concur with making individual user survey
results available for general distribution; however, overall results could
be provided.
Page III-4,C,2,b: ADP Coordinators' duties vary considerably between program
offices as does the job classification of designated personnel. This
responsibility would, therefore, appear to more appropriately reside
within the individual program offices.
Page III-5,2,b: Refer to previous comment on full costing activities.
Page III-6,5,b: This concept has previously been investigated, and it was
determined that the resources, both in labor and system overhead to properly
accomplish this recommendation would be cost prohibitive and place undue
cost burdens on the user community as a whole. Responsibility and authority
for monitoring account funds and expenditures resides with the program
offices, not with the NCC.
Page III-6,7,b: This concept has previously been investigated and determined
not to be cost-effective at the present time and beyond the current extent,
as pVeviously discussed in our memo of December 21, 1983. In addition,
-------�
12-6
the example used (DMS-1100) is inappropriate since this product was provided
to the NCC as a "no cost" item, although DPD does pay a nominal annual main-
tenance fee.
Page III-6,8,b: This recommendation has been previously investigated and
found to be cost and resource prohibitive to implement to any extent beyond
what is currently in place due to architectural and data set catalog organi-
zation differences.
Page III-7,9,b: DPD has recognized for some time that a problem exists in
this area; however, current procedures associated with billing report
production are adequate if followed. Several alternatives are being
investigated to alleviate this problem for program offices, but current
solutions involve possible detrimental aspects either in areas of security
or in production of unreasonable amounts of paper. Perhaps a better
solution can be found in providing training in areas of responsibility for
both ADP Coordinators and ADP Account Managers. While NCC can assist in
this matter, it cannot be totally responsible for implementation and enforce-
ment of procedures at program offices.
Page 111-8,3: "c" should probably be 'V.
Page in-9,5,b, third bullet: Since November 1983, a system has been imple-
mented in cooperation with the RTP Personnel Management Division, to ensure
that EPA personnel undergo security debriefing upon departure, and user
ID's and passwords are removed. Similarly, SDC contractor personnel have
followed this procedure as part of ongong contract requirements.
Page 111-10,8,a & b: As was stated in the previous memo and in General
Comment A, DPO has provided input into the Office of Toxic Substances
regarding security incident procedures. We do not have responsibility or
authority to enforce adoption or implementation of these procedures.
Page 111-11,11,a, first bullet: Emergency shut-off valve has been installed
which minimizes this problem in a cost-effective manner.
Page 111-11,11,a, third bullet: This room has been authorized for equipment
storage as it currently exists.
Page 111-11,11,b, first bullet, last sentence: This is not a viable solution
and would cause serious problems if leakage did occur by extending the
time of detection.
Page 111-11,11,b, second bullet: This is cost prohibitive and appears unwar-
ranted since the entire computer area at RTP is contained within a controlled
area, which is also within a controlled area.
-------�
12-7
Page III-12,12,b: The computer area at WIC resides totally within a controlled
area as does the corridor. In addition, DPD feels that the glass wall
provides increased surveillance and monitoring of the computer area which
would be reduced by covering the wall.
Page 11-14,5,a, Line 2: "Simultaneously" is misspelled.
Page 111-17,3: New position descriptions were developed for the recent
reorganization and are current.
Page III-17,4,b: An internal time accounting system is inappropriate and
contrary to RTP union contracts.
Page III-17,5,a: Do not understand the issue. Definitions of evaluation
criteria appear on the form as scores between 0-5. Specific terms of
quality are associated with each numerical criterion. With respect to
participation by users, several methods for encouraging response have been
investigated; however, the NCC has no authority to require participation.
Page III-18,6,a. Change "Contract Evaluation Board" to "Performance Evaluation
Board". • - .
Page 111-18,6,a, last sentence: Replace "Contractor billings" with "the
ability of the contractor to bill".
Page III-18,6,b, last sentence, first paragraph: Insert "for the coming
evaluation period" after "evaluation criteria".
Page 111-18,7,a: Change last word in first line from "identify" to "project".
Appendix 1-3, first paragraph, line 1: Potomac Scheduling/Tandem front-end
processors will provide SPERRY users only with IBM-compatible RJE support.
This should in no way be construed as an attempt to provide IBM-compatible
3270 support to the SPERRY user community and should have no affect oh
demand processing for that system.
Appendix 1-3, second paragraph: "Modification" should be plural and "System"
should be inserted after "Executive".
Appendix 1-4, first paragraph: Suggest striking "seem to" as they
-------�
12-8
Appendix 1-7,2, second paragraph, line 1, "are" should be "is". Also, in
third paragraph, the formula for calculation of mean time between failure
is in error. Actually, both sites report MTBF and MTBPF (mean time between
production failure) which is a more useful management guide. The formulas
are as follows:
MTBF = (24 x days/mo)/# failures, or 1, whichever is greater.
MTBPF * Production hours/failures + 1.
Appendix 1-8, paragraph 4: Requires further clarification to make the desired
point clear.
Appendix 1-9,2: Refer to comment made on Appendix 1-3, first paragraph,
regarding Potomac Scheduling/Tandem FEP.
Appendix 1-10,F: Refer to above comment on Appendix 1-3, first paragraph,
line 1.
Appendix l-10,F,l,b: Refer to previous comment. We reiterate that all
recommendations should be contained in one section to avoid confusion.
Appendix 1-11,2: The real issue should perhaps be concerned with the
configuration being modeled. Due to the many significant changes occur-
ring in the IBM-compatible area; e.g., implementation of CICS and ADABAS
addition of 4341, installation of new models and versions of the operating
system, etc., development of a representative model is extremely difficult
to accomplish.
Appendix 2-2, paragraph 2, last line: "are" should be "is".
Appendix 2-3,l,a(4): The EPA staff is now 27 instead of "approximately" 28.
Appendix 2-3,B: Organization of section is inconsistent.
Appendix 2-4,(6), third sentence: Instead of "has been one of the reasons
that" substitute "This may have contributed to the resignation of" and
place a period after "staff", deleting "have resigned." Also, in last
full sentence, strike one "the."
Appendix 2-4, 2: This recommendation has been previously covered and is
redundant.
Appendix 2-7, first sentence: Reading of archive tapes does not maintain
readability. Suggest replacing word "maintain" with "ascertain".
Appendix 2-3,4: NCC has no responsibilities, authority or staff resources
available to monitor systems design or operational effectivity.
-------�
12-9
Appendix 2-8,5: As was stated in our previous memo, a comprehensive runbook
standard has been in existence for some time, and the statement in para-
graph 2 is not correct. The Format and Content Standards for Production
Control Runbooks predates both the Gas Cylinder Inventory System runbook
and DIPS Runbook Specifications. The Standards Runbook does, not relate to
a specific production control application, as does the DIPS Runbook
Specification, but to any production application, and as such provides a
more than adequate standard for the preparation of any specific application's
runbook. The specific needs for each runbook vary greatly in conjunction
with the scope of the support provided to the application by the Production
Control Section.
Perhaps the Audit Team is not aware that basically two types of production
control support are provided by the NCC. In the past, production control
for SPERRY users was provided which involved considerably more than "moni-
toring" of the execution of a particular job. This is more in line with
the production control services intended for use with the payroll system.
IBM Production Control is relatively new (approximately two years) to the
Data Center and consists primarily of the scheduling of particular produc-
tion runs to ensure that sufficient resources are available when required
in order for jobs to complete successfully.. This may, perhaps, in part
account for the Audit Team's belief that standards did not previously exist.
Appendix 2-10,0,1,a, second bullet: As was stated in our previous comments,
the EPA ADP manual is the responsibility of OIRM.
Appendix 2-12,3, last paragraph: These reports are now consistent.
Appendix 2-13,E,3: See our comments, Page 2-8 regarding re-runs. We feel
that all recommendations must be consolidated for effectiveness.
Appendix 2-13,E,4: See our comments, Page 2-8 regarding Runbook.
Appendix 3-4, first complete sentence: This is not correct as more production
control is provided for systems running on the SPERRY configuration.
Appendix 3-4,2, second paragraph, line 7: "Calla" should be "calls".
Appendix 3-6, chart representing percentage of user responses: Method of
calculating response is totally misleading in that it is based upon the
actual number of responses related to the total number of users. For the
sake of clarity, we feel the percentage should be based upon the actual
number of responses related to number of users requesting participation
in the evaluation process.
-------�
12-10
Appendix 4-4, bullet four: See previous comment regarding QMS 1100. Also,
Part 2 of bullet four, line 3, substitute "charging" for "changing".
Appendix 4-6, first full paragraph, line 6: He do not know what is meant by
"initial...levels".
Appendix 5-l,A,l, Paragraph 3, last line: Substitute "briefly" for "briefing".
Also, last sentence on page, the period after "regulations" should be a comma.
Appendix 5-12, fourth —: As previously commented in my December 21, 1983
memorandum, in regard to the comment, "very recently assigned responsibili-
ties for security review of remote sites", this is a planned activity, but
has not been formally assigned as it involves additional requirements for
which resources must be made available.
Appendix 5-13, fourth bullet: Suggest deleting.
Appendix 5-13, fifth bullet: Suggest changing "required by" to "defined in",
and striking "does not appear to exist" and substituting "no longer meets
on a scheduled basis."
Appendix 5-13, ninth bullet: . "read" should be "reads" and "(but not daily}11
should be "(but not necessarily on a daily basis}".
Appendix 5-17,0,3, Paragraph 1: See our previous statements concerning OTS
Security Manuals.
Appendix 5-18, first complete paragraph, line 1: Strike "there was" as
redundant. Also, in second complete paragraph, line 7, "inpart" should be
two words.
Appendix 6-7, F,l: Systems operating on SPERRY which require disaster support
have all indicated that operation in the batch mode will meet their
requirements in an emergency situation. NIRC telecommunications network
is virtually a duplicate of the NCC network.
Appendix 6-7,F,2: Same as previous comments regarding OTS systems.
Appendix 6-7,F,3: The last sentence is not accurate. Please refer to my
December 21, 1983 memo, General Comment C, regarding periodic DPD polling
of System Managers.
Appendix 7-4, Paragraph 5: Change "MIDSD" and in last paragraph next to last
sentence, make "agreements" singular.
Appendix 7-5: Second paragraph is not really clear and needs to be rewritten
for clarity and intent.
-------�
-a
Appendix 7-11,C,l,a: What is Intended in regard to the term "site" manager
as compared to Technical Manager?
Appendix 7-12,2,C, second bullet: Add "ly" to "independent".
Appendix 7-13,0, fourth line: PPS does "provide" for a field, but does not
"designate" a field for that specific use.
Appendix 7-13,F: Please refer to my November 17, 1983 memo, comment U-13f.
Appendix 7-14,0,1 and 7-15: Correct references to MIDSD.
Appendix 7-16, next to last paragraph: Substitute "PPS" for "PES".
Appendix 7-17, first paragraph: As was stated, "SDC" must be changed to "FM
Contractor". Also, last sentence of paragraph reads more accurately if
"the accurate identification of equipment at each site" is replaced by
"identification of equipment by location."
After this point, references to Appendix 8 actually refer to the "second"
Appendix 7.
Appendix 8-2,8,1: Make both references to "organization" "organizational".
Appendix 8-3,C, Line 2: Strike "does" and substitute "do". Also, see our
earlier comments regarding bargaining unit employee prohibitions on internal
timekeeping systems.
Appendix 8-4,b: Item "S" should be defined as "Courier Service"; "T" as
"Special Projects"; "U" as "Operational Support Equipment".
Appendix 8-5, first paragraph: In order for the figures to relate to each
other properly, staff on board should read "224".
Appendix 8-5,C,l,a, second line: "contract" should read "Contractor",
and b should have "staff" inserted after "NCC/EPA".
Appendix 8-6, first bullet: Suggest adding "and management" after "planning".
Appendix 8-6 through 8-7,C: Suggest the turnover figures be reverified based .
on current official count before publication.
Appendix 8-8,F: As noted previously, all position descriptions have recently
been completed.
-------�
-------�
-------�
-------� |