OFFICE OF INSPECTOR GENERAL
Audit Report

            EPA Needs to Improve
            Change Controls for Integrated
            Financial Management System

            Report No. 2004-P-00026
            August 24, 2004

-------
Report Contributors:
                         James Rothwell
                         Anita Mooney
                         Neven Morcos
Abbreviations

CMS      Change Management System
CFO      Chief Financial Officer
EPA      Environmental Protection Agency
FAR      Federal Acquisition Regulation
FDW      Financial Data Warehouse
GAO      Government Accountability Office
IFMS     Integrated Financial Management System
NIST     National Institute of Standards and Technology
OARM     Office of Administration and Resources Management
OCFO     Office of the Chief Financial Officer
OIG      Office of Inspector General
OMB      Office of Management and Budget
RACF     Resource Access Control Facility

-------
                         UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
                                       WASHINGTON, D.C. 20460
                                                                         OFFICE OF
                                                                      INSPECTOR GENERAL
                                   August 24, 2004
MEMORANDUM
SUBJECT:        EPA Needs to Improve Change Controls for Integrated Financial
                  Management System
                  Assignment No. 2003-000909
                  Audit Report No. 2004-P-00026
FROM:           Patricia H. Hill, Director /s/
                  Business Systems Audits (242IT)

TO:               Charles E. Johnson, Chief Financial Officer
                  Office of the Chief Financial Officer (2710)

                  David O'Connor, Acting Assistant Administrator
                  Office of Administration and Resources Management (3101A)
This is our final report on the subject audit conducted by the Office of Inspector General (OIG)
of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe
the problems the OIG has identified and corrective actions the OIG recommends. This report
represents the opinion of the OIG and the findings contained in this report do not necessarily
represent the final EPA position. Final determinations on matters in this report will be made by
EPA managers in accordance with established audit resolution procedures.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this
report within 90 calendar days of the date of this report. You should include a corrective actions
plan for agreed upon actions, including milestone dates. We have no objections to the further
release of this report to the public. For your convenience, this report will be available at
http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at
(202) 566-0894, or James Rothwell, Assignment Manager, at (202) 566-2570.

-------
cc:    Lorna McAlister, OCFO
      Kristina Mainess OCFO
      Juanita Galbreath, OCFO
      Rich Lemley, OARM
      Sandy Womack, OARM
      Wes Carpenter, OARM

-------
                     Executive Summary
Purpose
            We conducted this audit to evaluate the adequacy of Environmental Protection
            Agency (EPA) Office of the Chief Financial Officer (OCFO) policies, procedures,
            and practices for controlling financial application development and software
            changes to EPA's Integrated Financial Management System (IFMS). IFMS is
            integral to the preparation of the Agency's financial statements. We evaluated
            operational management and security controls used to govern software
            modifications for this system to address the following questions:

            •  Do security controls provide reasonable assurance that access to software
               libraries is limited to authorized individuals and, consequently, that software
               modifications are properly controlled?

            •  Do the operational controls provide reasonable assurance that system software
               modifications and processing features are properly authorized?

            •  Do the operational controls ensure all new and revised software is properly
               tested and approved before it is placed into production?
Results of Review
            We found a general breakdown of security controls that could undermine the
            integrity of IFMS software libraries and financial system data. Duties were not
            adequately segregated, individuals used an inappropriate ID or continued to have
            system access after no longer needing it, and contractor personnel were granted
            access to IFMS without a successful background security check.  Numerous
            accountability and contractual issues contributed to this, including OCFO not
            having a system for identifying employee responsibilities related to IFMS
            security, and management not performing a risk assessment of IFMS's general
            support system.  As a result, there was a high risk that system programmers could
            make unauthorized or unapproved changes to system software and data used for
            EPA's accounting and financial reporting.

            Also, OCFO is not managing the contract for IFMS software modifications in a
            manner that ensures the proper authorization, acceptance, and approval of all new
            and revised software.  OCFO management is not properly using its Change
            Management System to manage change activities for IFMS and provide technical
            direction to contractor staff. Although we had previously identified contract
            management problems, OCFO continued to use contract practices that gave the
            appearance of an improper personal service relationship with the contractor. A
            personal services relationship was clearly demonstrated when OCFO Financial

-------
             Systems Staff orally instructed the contractor to bypass documented channels and
             correct erroneous transactions totaling over $222 million by entering negative
             debits and positive credits "directly" into IFMS.

             Further, OCFO management has not instituted a formal, structured change control
             process for IFMS to ensure software program modifications are properly
             authorized, tested, and approved. Such controls are needed to reduce the risk of
             unauthorized programs or modifications being implemented, and to provide for
             system security certification and accreditation.  However, OCFO management did
             not implement formal change controls, as agreed to in a 1998 Office of Inspector
             General report. Inadequate change controls over IFMS software modifications
             places the Agency at risk that the availability, confidentiality, and integrity of
             EPA's accounting and financial reporting functions could be compromised.

Recommendations

             We are making various recommendations to OCFO to improve IFMS controls. In
             particular, we recommend that OCFO perform a risk assessment of the Endevor
             system used to control IFMS development, testing, and maintenance, and develop
             a security plan for Endevor. We also recommend that OCFO remove access for
             all contractor personnel without a pending personnel security screening request or
             a final acceptable background check.  Further, we recommend that OCFO
             establish a systematic process for identifying key responsibilities, and holding
             employees accountable. In addition, we recommend that the Acting Assistant
             Administrator for Administration and Resources Management finalize pertinent
             guidance and procedures.

Agency Response and OIG Comments

             The Chief Financial Officer concurred with our recommendations and generally
             outlined appropriate corrective actions to improve security and change controls
             over IFMS.  The Acting Assistant Administrator for Administration and
             Resources Management did not concur with our recommendations concerning
             contractor background investigations, asserting that "suitability" background
             investigations of Federal contractors are not required. Management stated its
             existing, interim procedures were sufficient to guide offices that chose to initiate
             background investigations. However, current EPA policy and Federal guidance
             strongly recommend screening comparable to that for Federal staff, and we
             strongly urge such screening.  The Federal government is operating in a high risk
             environment, and extra care needs to be taken to ensure non-Federal workers have
             acceptable backgrounds before trusting them with access to sensitive data and
             systems.

-------
                    Table of Contents

Executive Summary ............................................................ i

Chapters
     1     Introduction ...................................................... 1

     2     Security Controls Inadequate to Protect
           Integrity of IFMS Software Libraries ............................. 5

     3     Contract Practices Over IFMS Software Modifications
           Need Improvement ................................................. 13

     4     Change Control Process Does Not Ensure
           Proper Authorization, Testing, and Approval ...................... 17

Appendices
     A     Applicable Criteria .............................................. 23

     B     Office of the Chief Financial Officer Response to Draft Report .... 27

     C     Office of Administration and Resources Management
           Response to Draft Report ......................................... 31

     D     Distribution ..................................................... 39

-------
                               Chapter  1
                                Introduction
Purpose
            We conducted this audit to evaluate the adequacy of Environmental Protection
            Agency (EPA) Office of the Chief Financial Officer (OCFO) policies, procedures,
            and practices for controlling financial application development and software
            changes to EPA's Integrated Financial Management System (IFMS).  We
            evaluated operational management and security controls used to govern software
            modifications for this system to address the following questions:

            •  Do security controls provide reasonable assurance that access to software
               libraries is limited to authorized individuals and, consequently, that software
               modifications are properly controlled?

            •  Do the operational controls provide reasonable assurance that system software
               modifications and processing features are properly authorized?

            •  Do the operational controls ensure all new and revised software is properly
               tested and approved before it is placed into production?
Background
             IFMS is a customized version of Federal Financial System software, which is
             maintained and modified through contracted services. The contract requires EPA
             to use its Change Management System to identify and prioritize changes to IFMS
             system software. EPA purchases vendor updates for IFMS through an annual
             licensing agreement. EPA controls the changes to IFMS by grouping them into a
             sub-release; to date, EPA has implemented 10 sub-releases to IFMS.

             The integrity of IFMS data is integral to EPA's financial management operations
             because it is the central system and interfaces with numerous other administrative,
             financial, and mixed financial systems. IFMS supports such core financial
             management activities as general ledger, budget execution, funds control,
             accounts payable, disbursements, accounts receivable and collections, travel and
             project cost accounting, fixed assets, and standard reporting functions.

-------
Scope and Methodology
             We conducted this audit from May 2003 to March 2004 in accordance with
             Government Auditing Standards, issued by the Comptroller General of the United
             States.  Our work was performed with Agency officials at EPA Headquarters in
             Washington, DC. In addition, we performed work with the Financial Data
             Warehouse system manager and the Delivery Order Project Officer for the facility
             support contract at Research Triangle Park, North Carolina. We also obtained and
             reviewed contract documents from the General Services Administration that
             pertained to the Inter-Agency Grant for maintaining and operating the Endevor
             system.

             To evaluate the IFMS software libraries' security controls, we reviewed IFMS's
             security plan, and evaluated personnel screening procedures for systems
             contractor staff.  We also tested and observed Endevor operational security
             procedures for monitoring and moving software changes made in 2003. Further,
             we tested and observed Resource Access Control Facility (RACF) security used
             in 2003 for access to IFMS libraries.

             To determine whether IFMS operational controls provided reasonable assurance
             that software modifications were properly  authorized, we reviewed: Federal
             regulations, Agency and OCFO policies, the IFMS Security Plan, and pertinent
             contract documents. Specifically, we evaluated contract administration for seven
             software development tasks during fiscal 2003, as well as the approval process
             used by EPA prior to placing these changes into production. We reviewed similar
             documents to determine whether IFMS operational controls ensure that new and
             revised software are properly tested and approved prior to being implemented.
             Specifically, we evaluated the testing and approvals for the seven system software
             modifications made and placed in production by EPA in fiscal 2003.

             Limited Review of Financial Data Warehouse Performed

             As part of the original scope of our review, we had planned to review the
             Financial Data Warehouse (FDW) system as well as IFMS. However, during our
             preliminary research phase, we found that  management had not instituted a formal
             change control process over FDW, as specified in the Federal Information System
             Controls Audit Manual. We notified OCFO management of this weakness and,
             accordingly, did not pursue audit field work on FDW. In September 2003, the
             Comptroller took the first step toward developing a formal change control process
             by issuing a policy to establish an oversight structure for managing software
             changes to the FDW. We reviewed the policy and found that it does not contain
             sufficiently detailed procedures for the change control process being
             implemented.  As such, we suggested that OCFO management expand upon the
             existing policy by developing and implementing a formal change control process
             with standardized procedures and techniques. We subsequently limited the scope

-------
             of our work to permit OCFO time to implement the new policy and develop new
             procedures.

             Prior Audit Coverage

             The Office of Inspector General (OIG) noted issues related to internal software
             changes in a prior report, Management of EPA's Technical Support Contract for
             Core Financial Systems Needs Improvement, Report No. E1NMG6-15-0003-
             9100034, dated November 5, 1998. Among other things, the report noted that
             management needed to establish internal software change policies and procedures
             to provide management oversight and approval of core software development or
             enhancement projects, and discontinue direct supervision of contractor staff
             (i.e., personal services activities). Similar conditions noted in our current audit
             are discussed in Chapters 3 and 4.
Internal Controls
             Our assessment of IFMS's software change control process and related security
             controls indicate EPA's core financial system is at risk for fraud, waste, and
             mismanagement.  In planning and performing our audit, we limited our work to
             addressing operational and security controls associated with IFMS software
             modifications. During the period of our review, OCFO reported an internal
             control weakness due to the lack of a system security certification process for
             contractor personnel. Nevertheless, EPA's Administrator gave an unqualified
             statement of assurance in the Agency's Fiscal 2003 Integrity Act Report, based on
             OCFO's annual self-assessment of its internal management and financial control
             systems.

Compliance with Laws and Regulations

             We identified noncompliances with portions of the Federal Acquisition
             Regulation related to contract management administration processes. (See
             Chapter 3.)

-------
                               Chapter 2

           Security Controls Inadequate to Protect
           Integrity of IFMS Software Libraries

            We found a general breakdown of security controls that could undermine the
            integrity of IFMS software libraries and financial system data. Duties were not
            adequately segregated, individuals used an inappropriate ID or continued to
            have system access after no longer needing it, and contractor personnel were
            granted access to IFMS without a successful background security check.
            Despite many Federal and Agency policies, guidance, and procedures,
            numerous accountability and contractual issues contributed to poor management
            of the change control process and led to the general breakdown of security
            controls. This included OCFO not having a system for identifying employee
            responsibilities related to IFMS security, and management not performing a risk
            assessment of Endevor, the general support system used to control access to
            IFMS software libraries.  As a result, there was a high risk that system
            programmers could make unauthorized changes to system software and data
            used for EPA's accounting and financial reporting.

 System Supports IFMS Change Control Process

            Endevor is an off-the-shelf general support system used to control the
            development, testing, and maintenance of IFMS libraries and software. EPA
            uses a contractor to administer Endevor but relies on EPA employees to perform
            associated Information Security Officer and RACF administration duties.
            Endevor provides controls over the movement of program code through the
            system life cycle management phases of IFMS. Endevor uses three basic
            "environments" to control libraries and software:
             Development        Contractor personnel use to develop software code and perform
                                initial tests.

             Quality Assurance  EPA module experts subsequently use for formal testing, such as
                                systems testing.

             Production         The software code is stored and executed from system software
                                libraries.

            These environments are further divided into multiple sequential life cycle stages.
            The environments and stages provide approval controls to ensure the system
            software advances in an orderly fashion through the systems life cycle stages and
            maintain access controls within stages. Software is migrated by Endevor
            sequentially from development to production environments. The IFMS Security

-------
             Plan states that Endevor's purpose is to ensure software code is approved by EPA
             personnel prior to moving the code, or revised code, into production. IFMS
             operations use Endevor to provide for data set and functional security by using
             RACF. A user is identified through a RACF-defined User-ID, and is
             authenticated through the password supplied with the User-ID at logon.

             Numerous Federal regulations, industry best practices, and Agency policies and
             procedures provide benchmarks for evaluating EPA practices in dealing with
             security controls over the IFMS software change control process. This includes
             criteria from the Office of Management and Budget (OMB), Government
             Accountability Office (GAO), and NIST.  The applicable criteria are listed in the
             following table, while further details are provided in Appendix A.
             •  OMB Circular A-123, Management Accountability and Control
             •  OMB Circular A-130, Appendix III, Security of Federal Automated Information
             •  GAO Federal Information System Controls Audit Manual
             •  NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information
                Technology Systems
             •  NIST SP 800-64, Security Considerations in the Information Development Life Cycle
             •  NIST SP 800-18, Guide for Developing Security Plans for Information Technology
                Systems
             •  EPA's Information Security Manual
             •  OCFO Policy Announcement 98-08, Amendment 1, Procedures for On-line Access to
                EPA's Integrated Financial Management System
             •  IFMS Security Plan
             •  EPA's Application RACF Security Administrator's Guide
             •  Implementation Report for IFMS 5.1, Release 1 Using Endevor V3.6

Improved Security Controls Needed

             Logical Access Controls Over IFMS Software Inadequate

             OCFO management had not established or instituted adequate logical access
             controls to protect the integrity of IFMS software libraries and data.  We
             examined user access rights for 27 individuals, including 14 contractor personnel,
             who either: (1) possessed the ability to approve and move changes through
             Endevor, or (2) had access to Endevor through functionally-based RACF Groups.
             Specifically, we found the following:

                 Functions Not Segregated. Sensitive change management functions had not
                 been adequately segregated between contractor personnel to prevent any
                 individual from controlling all critical stages of the process. We identified six
                 EPA contractors who had the ability to both approve and move program code
                 within each Endevor environment and from one environment to the next.
                 Segregating sensitive duties would preclude the contractor from making
                 unauthorized and perhaps untrackable changes.

-------
   Unneeded Access Remained. Five individuals no longer needing access to
   Endevor had not been removed from the RACF or RACF groups. This
   included a contractor who had not worked at EPA for several years. This
   Endevor contractor had a separate RACF User-ID and was assigned access
   rights through two of the five RACF groups.  Further, management was not
   maintaining and using the RACF groups to control member access based on
   each group's functional roles, as intended by the 1995 Implementation
   Report for IFMS 5.1. Instead, individual users were assigned RACF User-
   IDs and given direct access rights within the various Endevor environments.
   This dual approach circumvented role-based access rights meant to enforce
   separation of duties, and allowed these individuals to bypass internal
   controls for modifying software code.

   Sharing of User-IDs. Multiple contractor personnel routinely accessed
   Endevor environments using another individual's User-ID.  Specifically,
   OCFO is allowing EPA contractors to use the User ID of OCFO's RACF
   Administrator to monitor the IFMS nightly cycle, which, subsequently, gives
   them access to IFMS production data.  This presents an integrity risk because
   an "administrator" typically possesses advanced access rights.

   Multiple IDs Used. Some OCFO employees possessed multiple RACF
   User-IDs, although OCFO management had not justified and obtained a
   formal waiver from EPA's National Technology Systems Division, as
   required by Agency procedures.  Individuals possessing multiple IDs may
   loan out one or more of these IDs to other users, thus giving them
   inappropriate access rights and eliminating a verifiable audit trail.
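The four findings above are exactly the conditions a periodic access review should catch: one ID holding both the approve and move functions, direct grants that bypass the functional RACF groups, IDs that survive a departure, and one person holding several IDs. The script below is an added example written for this page, not code from EPA, the OIG, or the Endevor or RACF products; the group names, environment labels, function names, and user records are all constructed for the example and are not EPA's actual RACF groups.

```python
# Access review for a change-control tool guarded by RACF groups (added example;
# all names and records are constructed, not EPA's actual configuration).
from collections import defaultdict

# Constructed: the functions each role-based group is intended to grant, per environment.
GROUP_RIGHTS = {
    "ENDV_DEV_DEVELOP": ("DEV", {"EDIT"}),
    "ENDV_DEV_APPROVE": ("DEV", {"APPROVE"}),
    "ENDV_QA_MOVE":     ("QA",  {"MOVE"}),
    "ENDV_QA_APPROVE":  ("QA",  {"APPROVE"}),
    "ENDV_PROD_MOVE":   ("PROD", {"MOVE"}),
}

# Constructed user records: RACF User-ID, the person behind it, whether the person
# still works on the system, group memberships, and direct (non-group) grants.
USERS = [
    {"id": "CTR01", "person": "Contractor A", "active": True,
     "groups": ["ENDV_DEV_DEVELOP"], "direct": []},
    {"id": "CTR02", "person": "Contractor B", "active": True,
     "groups": ["ENDV_QA_APPROVE"], "direct": [("QA", "MOVE"), ("PROD", "MOVE")]},
    {"id": "CTR03", "person": "Contractor C", "active": False,   # left some time ago
     "groups": ["ENDV_QA_MOVE", "ENDV_PROD_MOVE"], "direct": []},
    {"id": "EPA01", "person": "Employee D", "active": True,
     "groups": ["ENDV_QA_APPROVE"], "direct": []},
    {"id": "EPA02", "person": "Employee D", "active": True,      # second ID, same person
     "groups": [], "direct": [("PROD", "MOVE")]},
]


def effective_rights(user, group_rights=GROUP_RIGHTS):
    """Resolve group memberships and direct grants into {environment: set(functions)}."""
    rights = defaultdict(set)
    for group in user["groups"]:
        env, funcs = group_rights[group]
        rights[env] |= funcs
    for env, func in user["direct"]:
        rights[env].add(func)
    return rights


def review_access(users, group_rights=GROUP_RIGHTS):
    """Return (finding, subject, detail) tuples for the four review conditions."""
    findings = []
    ids_by_person = defaultdict(list)
    for user in users:
        ids_by_person[user["person"]].append(user["id"])
        rights = effective_rights(user, group_rights)
        # Segregation of duties: one ID must not both approve and move code in an environment.
        for env, funcs in rights.items():
            if {"APPROVE", "MOVE"} <= funcs:
                findings.append(("SOD_VIOLATION", user["id"], env))
        # Direct grants sidestep the role-based groups that are meant to enforce roles.
        if user["direct"]:
            envs = sorted({env for env, _ in user["direct"]})
            findings.append(("DIRECT_GRANT", user["id"], envs))
        # Access that outlived the need for it.
        if not user["active"] and (user["groups"] or user["direct"]):
            findings.append(("STALE_ACCESS", user["id"], None))
    # One person with several IDs weakens the audit trail.
    for person, ids in ids_by_person.items():
        if len(ids) > 1:
            findings.append(("MULTIPLE_IDS", person, sorted(ids)))
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS):
        print(finding)
```

Run against the constructed records it reports one segregation-of-duties violation (CTR02 can both approve and move in QA), two direct grants, one stale ID, and one person with two IDs. The same review is easy to repeat from an exported RACF group listing, which is the point: these conditions are mechanical to detect once someone is assigned to look.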

Contractor Personnel Granted Access to IFMS Without Successful
Security Screening

OCFO granted contractor staff sensitive access rights to IFMS production
software and data even though OCFO had not requested or received assurance
through the personnel security screening process that these individuals did not
pose a significant risk to the integrity of the system. The contracts for Endevor
and IFMS require that contractor staff submit background information to OCFO
as a basis for initiating the security screening process. Of the at least
10 contractor staff assigned to the contracts, we found the following:

•  Only three had acceptable "suitability" screenings. Further, for one of those
   three, the Office of Personnel Management had returned the request for
   screening stating EPA needed to adjudicate it; the Office of Environmental
   Information performed the adjudication, but OCFO had not been notified of
   the results.

•  While the Office of Personnel Management had returned another two  requests
   for screenings, OCFO had not revised and resubmitted them.

-------
             •   OCFO had never initiated requests for contractor security screening for the
                remaining five contractor staff, including one for the individual serving in the
                sensitive role as an Endevor System Manager.

             In addition, OCFO did not actively try to determine the status of requests that it
             had submitted for processing. Some of the requests had been pending a
             considerable length of time (sometimes more than a year), while OCFO
             continued to allow those contractors to perform duties that could have
             ultimately jeopardized the Agency's ability to produce accurate, complete, and
             reliable financial information and reports.

             Endevor Logs Not Reviewed to Detect Problems or Assess Risk

             OCFO personnel did not review Endevor audit logs, which are needed to give
             management assurance that only authorized change control activity is being
             conducted by recognized users. Endevor can produce a variety of reports that
             identify the User-ID associated with each system action, as well as when the
             action was performed. Neither OCFO's RACF Administrator nor the
             Information Security Officer requests these reports or review them periodically
             to detect problems or assess risk to the IFMS change control process.
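Reviewing the activity reports does not require reading every line by hand; a few checks run over the report catch the cases this chapter describes. The script below is an added example, not code from the OIG report or from the Endevor product; the pipe-delimited line format, the roster of User-IDs, the administrator ID, and the nightly-cycle window are all constructed assumptions for the example, and Endevor's own reports are formatted differently.

```python
# Review of change-control activity reports (added example; the line format,
# User-IDs, administrator ID and batch window below are constructed assumptions).
from datetime import datetime, time

# Constructed: User-IDs authorized to act in the change-control tool, and the
# RACF administrator's ID, which should not appear in routine monitoring.
AUTHORIZED = {"CTR01", "CTR02", "EPA01"}
ADMIN_ID = "RACFADM"
# Assumed nightly batch window; activity under the administrator ID inside it
# is flagged because monitoring should run under the monitoring user's own ID.
NIGHTLY_WINDOW = (time(22, 0), time(6, 0))

# Constructed report lines: timestamp|user|action|environment|element
REPORT = """\
2003-06-02T09:15:00|CTR01|ADD|DEV|AP0123
2003-06-02T10:02:00|EPA01|APPROVE|QA|AP0123
2003-06-02T10:05:00|CTR02|MOVE|QA|AP0123
2003-06-03T01:40:00|RACFADM|DISPLAY|PROD|CYCLE
2003-06-03T14:20:00|XUSER9|MOVE|PROD|AP0123
2003-06-03T14:21:00|CTR02|APPROVE|PROD|AP0124
2003-06-03T14:22:00|CTR02|MOVE|PROD|AP0124
"""


def parse_report(text):
    """Parse the constructed report format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, env, element = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "env": env, "element": element})
    return events


def in_window(t, window):
    """True if clock time t falls inside window, which may wrap past midnight."""
    start, end = window
    if start > end:
        return t >= start or t < end
    return start <= t < end


def review_report(text, authorized=AUTHORIZED, admin_id=ADMIN_ID, window=NIGHTLY_WINDOW):
    """Return (finding, user, (environment, element)) tuples."""
    findings = []
    approver_of = {}            # (env, element) -> User-ID that approved it
    for e in parse_report(text):
        key = (e["env"], e["element"])
        # Activity by an ID that is not on the roster of recognized users.
        if e["user"] not in authorized and e["user"] != admin_id:
            findings.append(("UNKNOWN_USER", e["user"], key))
        # Administrator ID active during the batch window suggests a shared ID.
        if e["user"] == admin_id and in_window(e["ts"].time(), window):
            findings.append(("ADMIN_ID_NIGHTLY", e["user"], key))
        # The same ID approving and then moving an element defeats the approval step.
        if e["action"] == "APPROVE":
            approver_of[key] = e["user"]
        elif e["action"] == "MOVE" and approver_of.get(key) == e["user"]:
            findings.append(("SELF_APPROVED_MOVE", e["user"], key))
    return findings


if __name__ == "__main__":
    for finding in review_report(REPORT):
        print(finding)
```

On the constructed report this yields three findings: the administrator ID active at 01:40, a move by an ID not on the roster, and one element approved and moved by the same ID. A real review would add whatever the tool's reports actually carry, but the structure (a roster, a sensitive ID, and an approve/move pairing) is the same.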

Numerous Issues Contributed to Inadequate Management of
Change Control Process

             The primary factors contributing to the breakdown of security controls over
             OCFO's change management process for IFMS included the following:

             •   Management never performed a risk assessment for Endevor nor created a
                security plan to (1) describe the controls in place or planned to meet security
                requirements, or (2) delineate responsibilities and expected behavior for
                individuals who access the system.  Although Endevor supported multiple
                OCFO systems, management had not recognized its significance to the
                financial system infrastructure.

             •   The Office of Administration  and Resources Management's Security
                Management Division had not issued official policies and procedures to
                EPA's regional and program offices for defining the roles, responsibilities,
                and office interactions to ensure security screenings for non-Federal
                personnel.  The OCFO Delivery Order Project Officer expressed confusion
                about his role and responsibilities. In April 2004, the Security Management
                Division issued a memo with interim guidance  for handling screenings in a
                consistent, structured, and timely manner, but the Division is still working
                on additional guidance as well as training.

-------
             •  The Statement of Work for the Endevor contract does not accurately reflect
                OCFO's current policy for screening contractor personnel who access
                IFMS. The Statement only requires a National Agency Check, although
                Amendment 1 of OCFO Policy 98-08 now indicates contractors should
                undergo a National Agency Check with Inquiries and Credit prior to being
                granted access to IFMS.

             •  OCFO has not established a system that clearly identifies key responsibilities
                or roles related to IFMS security and Endevor contract administration, and
                holds employees accountable for successful performance. In many cases,
                position descriptions do not accurately reflect an employee's current
                responsibilities or sufficiently detail significant duties related to Endevor
                contract management, information security oversight, or RACF
                administration. OCFO management acknowledged these concerns and, as a
                first step, is revising position descriptions for Financial Systems Staff.

             •  OCFO experienced considerable employee turnover because Financial
                Systems Staff employees either retired or were transferred to other divisions,
                and staff in key roles may not fully understand and execute assigned duties.

Security Weaknesses Threaten IFMS Data Integrity

             The security control weaknesses noted significantly impact management's ability
             to place reliance on the integrity of data EPA uses for accounting and financial
             reporting purposes.  In our opinion, the Agency faces the risk that unauthorized
             changes could be made to IFMS system software and data.  The general
             breakdown of logical access controls could allow system programmers and
             analysts to surreptitiously modify, destroy, or change production system software
             and data.  Unsafe practices are exacerbated by the facts that (1) OCFO is not
             using available audit logs to oversee change control activities, and (2) contractor
             staff are not receiving satisfactory security screenings before being granted
             sensitive access rights to IFMS software and data. These weaknesses could
             impede OCFO's ability to produce reliable data for financial managing and
             Congressional reporting purposes, and also could result in a disruption of IFMS
             operations.

Recommendations

             We recommend that the Chief Financial Officer:

             2.1    Perform a risk assessment of the Endevor system and, subsequently,
                    develop a security plan for Endevor in accordance with NIST guidance,
                    such as NIST Special Publication 800-18.

             2.2   Update the Endevor Statement of Work to comply with current policies.

-------
             2.3    Remove access for all contractor personnel without a pending personnel
                    security screening request or a final acceptable background check.

             2.4    Establish a systematic process that will (1) clearly identify key
                    responsibilities of roles related to IFMS security and Endevor contract
                    administration; (2) ensure employees are adequately trained to perform
                    assigned duties; and (3) hold employees accountable for successful
                    performance of their roles by revising position descriptions and
                    performance agreements.

             We recommend the Acting Assistant Administrator for Administration and
             Resources Management:

             2.5    Finalize the existing Interim Procedures for Conducting Background
                    Investigations in a formal Agency-level policy.

             2.6    Provide interim guidance on duties and responsibilities of coordinators for
                    background investigations.

             2.7    Provide training for Agency Delivery Order Project Officers and
                    background security check coordinators for requesting background
                    investigations of non-Federal personnel.

Agency Comments and OIG Evaluation

             The Chief Financial Officer (CFO) and the Acting Assistant Administrator for
             OARM both provided responses to the security-related recommendations in our
             draft report. The CFO concurred on four recommendations and identified several
             actions to address reported weaknesses, such as updating the Endevor Statement
             of Work to comply with Agency policies.  The Acting Assistant Administrator for
             OARM did not concur with the three recommendations concerning contractor
             background investigations.

             The CFO agreed to perform a risk assessment of the Endevor system and to
             incorporate the results into IFMS's security plan. However, in our opinion, the
             best approach would be to create separate security plans for Endevor and IFMS.
             The CFO assumed operational responsibility for Endevor from EPA's Working
             Capital Fund and, as such, we believe that Endevor is a general support system
             and should not be combined with the security plan for the IFMS application. If
             the CFO still wants to prepare one, overarching security plan for the IFMS and
             Endevor systems, then it should be based on separate risk assessments of Endevor
             and IFMS. Moreover, the level of system information included in the overarching
             security plan should be sufficient to adequately (1) describe the controls in place
             or planned to meet security requirements,  and (2) delineate responsibilities and
             expected behavior for individuals who access the system.

-------
The CFO also agreed to establish a systematic process for securing IFMS, and
listed several documents and actions taken that help employees understand their
security responsibilities. However, OCFO needs to do more to ensure employees
are held accountable for successfully performing their security roles.  Therefore,
we believe OCFO needs to (1) revise position descriptions for employees with
IFMS security or Endevor contract administration responsibilities, and (2) update
their performance standards to ensure accountability for these sensitive roles.
Because these actions address security issues, the CFO should enter specific dates
for these actions in the Agency's ASSERT system as a Plan of Action and
Milestones.

The Acting Assistant Administrator for OARM did not agree to act on the report's
recommendations, stating that background suitability screening of Federal
contractors is not required by Federal or Agency-wide policy. Management stated
that its interim procedures were sufficient to guide those program and regional
offices that initiated background investigations due to internal requirements, and
therefore, it did not need to finalize guidance or provide additional training to
project officers or background security check coordinators.  We disagree with
management's decision to take no further action to formalize and strengthen the
security screening process for contractor personnel. Both current EPA policy and
NIST guidance strongly recommend that contractors have a comparable
suitability screening to perform information technology work. Formalizing
Agency-wide procedures would bring needed structure and consistency to the
personnel screening process, and help clarify levels of risk and minimum
screening requirements for non-Federal workers.

The Federal government is operating in a high risk environment and
implementing wartime security operations, and we believe EPA and other
agencies need to do more to screen non-Federal workers. Extra care needs to be
taken to ensure non-Federal workers have acceptable, verifiable financial and
lawful backgrounds before trusting them with sensitive access to data and
systems, which could allow them access to privacy and credit card information
or to disburse government funds. The Acting Assistant Administrator for
OARM has been delegated the responsibility for maintaining an adequate
Agency-level program for personnel security. We believe the current risk is not
acceptable and management needs to react promptly and positively to the
minimum corrective actions outlined above.

The Acting Assistant Administrator also noted that the term "security
clearance" refers to investigations  performed for individuals who need to access
national security information, and, as such, we have modified the report to use
the terms "background security check" or "personnel security screening."

-------
                               Chapter 3

            Contract Practices Over IFMS Software

             Modifications Need Improvement


             OCFO did not manage the contract for IFMS software modifications in a manner
             that ensured the proper authorization, acceptance, and approval of all new and
             revised software.  In particular, OCFO management did not properly use its
             Change Management System (CMS) to manage change activities for IFMS and
             provide technical direction to contractor staff, as required in the contract. Both
             the Federal Acquisition Regulation (FAR) and EPA policy outline acceptable
             procedures. Although we had previously identified contract management
             problems, OCFO continued to use contract practices that gave the appearance of
             an improper personal service relationship with the contractor.  This close working
             relationship with the contractor does not provide acceptable contract management
             controls to protect the integrity of IFMS system software or data. A personal
             services relationship was clearly demonstrated when OCFO Financial Systems
             Staff orally instructed the contractor to bypass documented channels and correct
             erroneous transactions totaling over $222 million by entering negative debits and
             positive credits "directly" into IFMS.

CMS Contractually Required

             CMS is a Lotus Notes application developed by EPA and required by the contract
             for managing IFMS change activities. OCFO's Financial Systems Staff are
             required to use CMS to provide the contractor with technical direction for the
             tasks outlined in the Statement of Work. As such, an IFMS module expert should
             generate a work request - the primary means of prioritizing, identifying, and
             assigning work - within CMS to request contractor action.  Subsequently, the
             contractor would use CMS to receive direction and provide deliverables for
             IFMS's requirements and specifications. The contractor is only to accept work
             requests found in CMS or otherwise specifically approved by the Delivery Order
             Project Officer or Alternate Delivery Order Project Officer.

             FAR Part 37.104 and EPA Order 1901.1A address personal services. FAR
             indicates an employer-employee relationship under a service contract occurs
             when, as  a result of the contract's terms or the manner of its administration during
             performance, contractor personnel are subject to the relatively continuous
             supervision and control of a Government officer or employee. Agencies are not
             to award  personal services contracts unless specifically authorized by statute.
             EPA Order 1901.1A, "Use of Contractor Services to Avoid Improper Contracting
             Relationships," states that technical direction shall be issued in writing from the
             authorized designee or, if provided orally, the technical direction must be
             confirmed in writing within 5 calendar days.

-------
CMS Not Used to Manage Change Activities
             EPA did not use CMS to ensure the proper authorization, acceptance, and
             approval of all new and revised IFMS software, as required by the contract.  For
             example, the OCFO Financial Systems Staff did not use CMS to provide technical
             direction to the contractor staff and to document acceptance and approval of
             deliverables. Acceptance should signify that management has reviewed the
             deliverable and determined it meets contractual requirements; approval should
             denote the formal, contractual approval by the Delivery Order Project Officer.
             That Project Officer should then use the CMS  approval as a basis for concurring
             with the contractor's requests for interim and final payments for the work. These
             controls ensure the contractor's work meets contractual expectations and is of a
             reasonable quality to warrant additional resources and proceeding to the next step.

             We reviewed the CMS work requests for the seven software modifications
             implemented in August 2003,  as the IFMS 5.1 el0 Sub-Release, at a cost of
             $235,308.  As of October 2003, for the 28 deliverables marked "required" in
             CMS, we found that:

             •  Fourteen (50%) had been marked received.
             •  Eight (29%) had been marked accepted by the module expert.
             •  Six (21%) had been marked approved by the Delivery Order Project Officer.

             A breakdown by percentage for each of the modifications follows in the table:
             [Table: for each of the seven modifications, the percentage of required
             deliverables marked received, accepted, and approved in CMS; the
             individual values are not recoverable from the scanned page.]

             For 7 of the 28 deliverables, those initially marked as "required" in the CMS work
             request were later determined not to be necessary as a result of verbal discussions
             between the OCFO Financial Systems Staff and the contractor. Agreeing to
             decisions verbally without changing requirements in CMS treats contractors as
             employees and gives the appearance of personal services. In addition, because
             some required deliverables were not marked delivered, from a contractual
             standpoint it appeared that the Delivery Order Project Officer had concurred on
             payments for work not performed. Because other deliverables were never
             formally accepted or approved, it also appeared that the Delivery Order Project

-------
             Officer had concurred on payments for work that may not have met contractual
             requirements.

Position Descriptions Not Reflective of Employee Duties

             We believe the above condition occurred, in part, because the current position
             descriptions for Financial Systems Staff personnel are outdated and not reflective
             of assigned Delivery Order Project Officer contracting responsibilities. OCFO
             employees' formal performance agreements and annual performance appraisals
             do not hold them accountable for satisfactory performance of contract
             management responsibilities. As such, OCFO management has not assessed how
             well these duties were carried out or whether they were performed in accordance
             with pertinent regulations, policies, and procedures.  OCFO has acknowledged
             that existing Financial Systems Staff position descriptions are generic and lack
             details identifying employees' actual responsibilities, and are taking steps to
             revise them.

OCFO Did Not Address the Previously  Noted Inadequacies

             OCFO management did not address contract management problems previously
             noted in the OIG's 1998 report, but rather continued to use contract practices that
             give the appearance of an improper personal service relationship with the
             contractor. The 1998 report had recommended that management use CMS to
             document technical direction to contractor staff and provide an audit trail of all
             contract activity and contract deliverables.  However, due to staff turnover,
             Financial Systems Staff management could not provide an explanation as to why
             corrective actions had not been taken.

Management Relationship Inadequate to Protect Integrity

             OCFO Financial Systems Staff's close working relationship with the contractor
             for software development does not provide acceptable contract management
             controls to protect the integrity of IFMS system software or data. For example,
             the staff orally instructed the contractor to correct erroneous transactions totaling
             over $222 million by entering negative debits and positive credits "directly" into
             IFMS. Encouraging a contractor with  application programming authority to
             process accounting  entries is an inadequate segregation of duties and substantially
             increases IFMS's vulnerability to fraud, manipulation, and abuse. Specifically,
             the circumvention of internal controls increases the possibility that other
             unauthorized system software changes or modifications of accounting information
             could be made directly to the production version of IFMS.

-------
Recommendations

             We recommend that the Chief Financial Officer:

             3.1     Continue Financial Systems Staff efforts to develop position descriptions
                    that more accurately reflect the actual contracting roles and
                    responsibilities for Financial Systems Staff employees, and explicitly
                    incorporate contract management responsibilities in applicable
                    performance agreements.

             3.2     Instruct Financial Systems Staff to:

                  (a)     Discontinue the practice of providing verbal technical direction to
                         contractor staff (i.e., personal services activities).

                  (b)     Document all meetings and other verbal directions to the contractor.

                  (c)     Use CMS to document acceptance and approval of deliverables
                         received from the contractor.

Agency Comments and OIG Evaluation

             In responding to our draft report, the Chief Financial Officer concurred with both
             recommendations. In particular, management agreed to continue reviewing
             Financial Systems Staff employees' position descriptions to ensure they include
             appropriate contracting roles and responsibilities. This action, in conjunction with
             incorporating contract management responsibilities in applicable performance
             agreements, should fully satisfy the intent of the recommendation.

-------
                              Chapter 4

         Change Control Process Does Not Ensure

        Proper Authorization, Testing, and Approval

            OCFO management has not instituted a formal, structured change control process
            for IFMS to ensure software program modifications are properly authorized,
            tested, and approved. EPA's security plan, which requires strong internal controls
            over the change control process to reduce the risk of unauthorized programs or
            modifications being implemented into the production environment, also serves as
            a basis for system security certification and accreditation. However, OCFO
            management did not implement formal change controls, as agreed to in a 1998
            OIG report. Inadequate change controls over IFMS software modifications place
            the Agency at risk that the availability, confidentiality, and integrity of EPA's
            accounting and financial reporting functions  could be compromised.

Testing of Modifications Involves Various Stages

            Testing of modifications or replacement software moves through a series of test
            stages.  This includes:

            •  Unit Testing: Testing individual modules of program code.
            •  Integration Testing: Testing groups of modules that must work together.
            •  System Testing: Testing the entire system.

            The contractor performs the unit testing by developing a unit test plan,
            documenting the results, and delivering them both to OCFO. Unit testing
            determines whether individual program modules perform to user specifications.
            OCFO module experts subsequently conduct the integration and system tests, to
            ensure that related system components and the system as a whole perform to
            specifications. At the completion of the testing phase, the system owner, who has
            developmental and execution authority for the system, recommends
            implementation; the sponsor, who is authorized by the system owner to initiate
            system development, approves the implementation of the modified or replacement
            software.

            GAO, OMB, and NIST provide criteria and best practices for formal internal
            control procedures.  In December 2003, EPA issued an Interim Agency System
            Life Cycle Management Policy (Interim EPA Order 2100.4), which, along with
            the rescinded directive (EPA Directive 2100, Chapter 17), assigns system
            managers the responsibility for managing their system's life cycle process and
            products in compliance with Agency and Federal policy. The Interim Order
            requires EPA management to review and document its approval or disapproval in
            a decision document at each of the five system life cycle phases before the system
            may advance to the next phase. Further, the IFMS Security Plan, dated

-------
             September 2002, states that a formal change control process should be in place,
             and that all changes to the application software should be tested and approved
             prior to being placed into production. All changes are to be documented.  Further
             details on criteria are in Appendix A.

Change Control  Process Inadequate

             OCFO Not Following Agency Process for Authorizing Projects

             OCFO management did not adhere to the Agency's process, as established by
             EPA's new Interim EPA Order 2100.4 as well as the directive it replaced, for a
             decision paper to authorize and establish the project for the IFMS sub-release.
             The new interim order also requires a decision paper to authorize the start of a
             project, and expands upon this requirement to include a formal authorization at
             the end of each system life cycle phase.  Audit work  disclosed that EPA's
             Financial Systems Staff formally notified OCFO management once it had
             determined which enhancements should be included  in a planned system sub-
             release. However,  we could not find any formal OCFO concurrence for the 2003
             sub-release information provided by the staff to the Comptroller.  Based on
             available evidence, it appears that OCFO management did not formally authorize
             the proposed software modifications prior to development, testing, and
             implementation.

             Inadequate Control Process for Testing and Approval

             OCFO management has not instituted a formal change control process for testing
             changes made to IFMS system software.  Further, the existing informal process is
             not adequate to ensure all new and revised software is properly tested and
             approved. While Financial Systems Staff had conducted systems testing for all
             seven software modifications implemented as part of the August 2003 IFMS sub-
             release, the staff had only done the integration testing for 43 percent of the
             modifications (three of seven). Both tests play important roles to ensure the
             modified software will operate as intended without negatively impacting the other
             system operations or degrading system performance. However, a module expert
             stated that the Financial Systems Staff considers system testing to be more
             important than integration testing; hence, they maintain detailed documentation
             for system testing but not integration testing results.  This module expert also
             indicated the staff has plans to eliminate integration testing and only perform
             system testing in the future, but we believe that would be inappropriate.

             IFMS's Security Plan recognizes the importance of both integrated and system
             testing, and requires that they be performed and documented as part of the change
             management process because the system is mission-critical. OCFO is required to
             develop and document a test plan to ensure the right combination of functions are
             being tested. The results of the test must also be documented, because they serve
             as a means for comparing actual test results and those anticipated in the test  plan.

-------
These documents provide the basis for management to certify that controls are
adequate for operational purposes.  The following table shows the lack of
integration and system test plans and corresponding documented results for each
of the 2003 sub-release software modifications.
                 Integration Test   Integration Test   System Test   System Test
  Modification   Plan               Results            Plan          Results
       1         Yes                Yes                Yes           Yes
       2         No                 No                 Yes           Yes
       3         Yes                Yes                Yes           Yes
       4         No                 No                 Yes           Yes
       5         Yes                Yes                Yes           Yes
       6         No                 No                 No            Yes
       7         No                 No                 Yes           Yes

Furthermore, in those instances where the Financial Systems Staff conducted
integration and system tests, it did not maintain an evidentiary trail to support
satisfactory supervisory reviews and management approvals of the test plans and
corresponding test results. Financial Systems Staff personnel indicated that
testing results are discussed verbally with their team leader and acceptance is
verbally communicated by the team leader to the module expert; no formal,
written approval is provided.

Based on our review of testing documentation, we believe the Chief for Financial
Systems did not have an adequate basis for recommending implementation of the
2003 August IFMS sub-release. Relying on the informal, verbal acceptance and
approval processes for system and integration testing, the Financial Systems Staff
sent a formal memorandum to the Director for Financial Management to request
concurrence on implementation of the sub-release.  The Director formally
responded with an approval to proceed with installation. In our opinion,  the Chief
for Financial Systems did not have adequate evidence to support the decision.
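As an added illustration, not part of the OIG report or of any EPA system, the following Python script encodes the evidence the report says must be on file before a modification reaches production (authorizing decision document, CMS work request, unit, integration and system test plans and results, written test approval, system owner recommendation, sponsor approval) and runs that gate over constructed records modelled on the seven August 2003 modifications. The artifact names and the sample data are this example's own assumptions.

```python
"""Evidence gate for a change control process like the one the report describes.

Added example, not part of the OIG report or of any EPA system. It lists the
artifacts the report says must exist before a modification is promoted to
production and evaluates constructed records against that list.
"""
from dataclasses import dataclass

# Evidence required per modification, in life-cycle order. The names are
# this example's own (assumed), chosen to match the report's wording.
REQUIRED_EVIDENCE = (
    "decision_document",            # management authorization to start the project
    "cms_work_request",             # technical direction issued through CMS, not verbally
    "unit_test_plan",               # developed and delivered by the contractor
    "unit_test_results",
    "integration_test_plan",        # performed by OCFO module experts
    "integration_test_results",
    "system_test_plan",
    "system_test_results",
    "written_test_approval",        # supervisory approval in writing, not verbal
    "system_owner_recommendation",  # system owner recommends implementation
    "sponsor_approval",             # sponsor approves implementation
)


@dataclass
class ChangeRecord:
    mod_id: int
    evidence: dict  # artifact name -> True when the artifact is on file

    def missing(self):
        """Artifacts the record lacks, in the order the gate checks them."""
        return [name for name in REQUIRED_EVIDENCE
                if not self.evidence.get(name, False)]

    def promotable(self):
        return not self.missing()


def evaluate(records):
    """Map each modification id to its missing artifacts ([] means promotable)."""
    return {r.mod_id: r.missing() for r in records}


def coverage(records, artifact):
    """Percentage (rounded) of records holding a given artifact."""
    if not records:
        return 0
    have = sum(1 for r in records if r.evidence.get(artifact, False))
    return round(100 * have / len(records))


def build_sample_release():
    """Constructed records modelled on the report's August 2003 sub-release:
    integration testing for 3 of 7 modifications, system testing for all 7,
    no written test approvals and no authorizing decision document."""
    integration_done = {1, 3, 5}
    system_plan_missing = {6}
    records = []
    for mod_id in range(1, 8):
        records.append(ChangeRecord(mod_id, {
            "decision_document": False,
            "cms_work_request": True,
            "unit_test_plan": True,
            "unit_test_results": True,
            "integration_test_plan": mod_id in integration_done,
            "integration_test_results": mod_id in integration_done,
            "system_test_plan": mod_id not in system_plan_missing,
            "system_test_results": True,
            "written_test_approval": False,
            "system_owner_recommendation": True,
            "sponsor_approval": True,
        }))
    return records


def gate_report(records):
    """Human-readable lines: one verdict per modification plus test coverage."""
    lines = []
    for mod_id, gaps in evaluate(records).items():
        status = "PROMOTE" if not gaps else "HOLD"
        detail = f" (missing: {', '.join(gaps)})" if gaps else ""
        lines.append(f"mod {mod_id}: {status}{detail}")
    for artifact in ("integration_test_results", "system_test_results"):
        lines.append(f"{artifact}: {coverage(records, artifact)}% of modifications")
    return lines


if __name__ == "__main__":
    print("\n".join(gate_report(build_sample_release())))
```

Every constructed record is held because the written approval and the authorizing decision document are absent, which is the gap the report describes; a record with all artifacts on file passes.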

IFMS Certification and Accreditation Not Based on a
Structured and Disciplined Control Process

IFMS was authorized to operate in 2002, based on a security risk assessment and
security plan process that did not strongly emphasize the importance of a
structured, disciplined approach to managing, controlling, and documenting
system changes. Subsequent to the 2002 authorization, NIST published new
guidelines for Security Certification and Accreditation of Federal information

-------
             systems, formally recognizing configuration and management control as an
             essential element for maintaining a system's security accreditation (i.e., formal
             authorization to operate). Although this newer requirement did not exist when
             IFMS was formally authorized to operate, it is a current and compelling reason for
             management to establish and enforce a structured process for documenting
             information system changes and assessing the impact of those changes on the
             security of the system.


OCFO Did Not Address Previously  Identified Control Weaknesses

             OCFO management did not implement formal change controls, as recommended
             in the prior 1998 OIG report. In response to previously noted weaknesses, OCFO
             had agreed to establish internal software change control policies and procedures
             that would provide management oversight and approval of core system software
             development and enhancement projects. Due to staff turnover, Financial Systems
             Staff management could not provide an explanation as to why actions had not
             been taken to correct continuing contract management problems.

             According to Interim EPA Order 2100.4, it is EPA's goal that all major
             application systems will be developed using a methodology equivalent to at least
             the Software Engineering Institute's Capability Maturity Model Level 3.  For
             IFMS to meet that goal, the change control process for IFMS system software
             would need  to be reengineered so that it is documented, standardized, and
             integrated into a standard software management control process for OCFO.

Uncontrolled System Software Changes Could Compromise
Availability, Confidentiality, and Integrity of IFMS Data

             Inadequate controls over IFMS software modifications place the
             Agency at risk that the availability, confidentiality, and integrity of EPA's
             accounting and financial reporting functions could be compromised. System
             software changes should be carefully controlled and approved since relatively
             minor program changes, if done incorrectly, can compromise or have a significant
             negative impact on overall data reliability. Moreover, a structured and disciplined
             process for managing, controlling, and documenting changes is an essential
             element for  maintaining system accreditation. The absence of such a vital control
             process could negatively impact the Authorizing Official's decision to continue
             system operations, because this lapse of controls could pose an unacceptable level
             of risk to Agency operations, assets, or individuals.

             If management does not develop and implement structured controls to ensure
             software modifications are properly authorized, tested, and approved, program
             changes could result in erroneous processing, weakened access controls, or
             weakened system edits. Furthermore, without an orderly, disciplined process for
             testing and approving new and modified programs prior to their implementation,
             management cannot ensure that (1) IFMS programs will operate as intended,

-------
             (2) no unauthorized software changes have been incorporated into pending
             releases, or (3) an adequate basis exists for providing required system security
             certification and accreditation.

Recommendations

             We recommend that the Chief Financial Officer:

             4.1    Identify an OMB-reportable Plan of Action and Milestones to establish
                   and implement a new, structured change control process over IFMS using
                   a methodology that meets the specifications published in EPA's interim
                   system life cycle management policy and procedures.

             4.2    Within 90 days, reauthorize and accredit IFMS in accordance with NIST
                   800-37, assessing the security risks in place at that point of time. If the
                   risk to Agency operations, assets, or individuals cannot be addressed
                   within this timeframe, then consider issuing an Interim Authorization to
                   Operate, in accordance with NIST guidance, until such time as the new
                   policy and procedures are fully implemented.

Agency Comments and  OIG  Evaluation

             In responding to our draft report, the Chief Financial Officer concurred with both
             recommendations. The CFO noted that a new CMS system is currently under
             development and that management is studying NIST guidance to determine what
             action is required for re-authorizing and re-accrediting IFMS. We are concerned
             with the focus of the CFO's response, because replacing CMS alone will not fully
             address the intent of our recommendations. CMS is only used to manage the
             "contract" for IFMS's change management activities. This is only a portion of the
             IFMS change control process, which also includes management's initial
             authorization of projects, integrated and systems testing, the system owner's
             formal recommendation for implementation, and the final approval to implement
             the modified or replacement software into the production environment. As such,
             to fully address the intent of our recommendations, the CFO will also need to
             develop, document, and implement a structured change control process for IFMS
             that complies with EPA's interim system life cycle management policy and
             procedures, and incorporates the new CMS.
                                                                         Appendix A

                                  Applicable Criteria

Numerous Federal regulations, industry best practices, and Agency policies and procedures
establish the baseline for evaluating OCFO's practices in securing and processing changes to
IFMS.  Details follow.

•  Appendix III to OMB Circular A-130, Security of Federal Automated Information
   Resources, dated November 2000.  This defines adequate security as "security
   commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or
   unauthorized access to or modification of information." This includes assuring that systems
   and applications used by the agency operate effectively and provide appropriate
   confidentiality, integrity, and availability.  Appendix III also indicates that agencies should
   assure that each system appropriately uses effective security products and techniques,
   consistent with standards and guidance from NIST. Also, Appendix III discusses the need
   for a security plan and a risk assessment for Federal agencies' general support systems.

•  OMB Circular A-123, Management Accountability and Control, dated June 1995. The
   Circular establishes specific management control standards requiring separation of duties and
   supervision, and access to and accountability of resources.

•  The Chief Financial Officers Act of 1990. This Act requires financial management systems
   to comply with internal control standards.

•  Federal Financial Management Improvement Act, dated September 1996. This Act
   identifies internal controls as an integral part of improving financial management systems.

•  Federal Information System Controls Audit Manual (FISCAM), dated January 1999.
   This GAO manual states that a formal change control process includes instituting policies,
   written procedures, and techniques that help ensure all programs and program modifications
   are properly authorized, tested, and approved. Also, this manual represents government-wide
   information technology best practices, such as for logical access controls and segregation of
   duties issues for software change controls.

•  NIST. NIST represents Federal guidance covering security controls over general support
   systems and applications.  Several NIST Special Publications (SPs) apply:

          NIST SP 800-37, Guide for the Security Certification and Accreditation of
          Federal Information Systems, dated May 2004.  This stresses the importance of
          adequate configuration management and control, recognizing it as an essential
          element for maintaining a system's security accreditation. Security certification and
          accreditation is part of a dynamic, ongoing risk management process, which
          culminates in a formal authorization to operate an information system based on the
          state of security at a specific point in time. NIST emphasizes that the inevitable
          changes to an information system (including software), and the potential impact those
          changes may have on agency operations, agency assets, or individuals, require an
          orderly and disciplined approach to managing, controlling, and documenting changes
          so as to ensure an ongoing assessment of their impact on system security.

       NIST SP 800-14, Generally Accepted Principles and Practices for Securing
       Information Technology Systems, dated September 1996. This gives
       recommendations on how proper segregation of duties should be established, and on
       how appropriate logical access controls should be implemented.

       NIST SP 800-64, Security Considerations in the Information Development Life
       Cycle, dated October 2003. This discusses issues and gives recommendations for
       personnel security screenings.

       NIST SP 800-18, Guide for Developing Security Plans for Information
       Technology Systems, dated December 1998. This provides detailed guidance on
       creating security plans for general support systems.

•  GAO's Standards for Internal Control in the Federal Government, dated November
   1999. The Standards require management to document, test, and approve modifications to
   software before placing them into production.

•  EPA Order 2100.4, Interim Agency System Life Cycle Management Policy, dated
   December 2003. EPA issued this Interim Order and rescinded Chapter 17 of EPA Directive
   2100, which nevertheless was in effect during the 2003 IFMS sub-release process. The new
   policy applies to all information systems developed, enhanced, or maintained by or for EPA,
   including applications and general support systems. OCFO's change control procedures and
   practices are based on the Agency's system development life cycle concepts. EPA's System
   Life Cycle Management Policy consists of five phases. One of the phases is the Operation
   and Maintenance phase, which requires OCFO to operate and maintain IFMS software using
   a configuration management process.  Periodic risk assessments, testing, certification, and
   reauthorization must be conducted during this phase.  The new policy states that systems
   must be developed in a rigorous manner that lessens and manages risk.

   The Interim Order further establishes important roles and responsibilities for controlling
   changes to system software during the operation and maintenance phase.  This policy, as well
   as the rescinded Chapter 17, assigns system managers the responsibility for managing their
   system's life cycle process and products in compliance with Agency and Federal policy.
   While Chapter 17 assigned responsibility for formally approving system enhancements to the
   system sponsor, the Interim Order assigns this responsibility to the system owner. In
   particular, it notes that the System Owner is responsible for ensuring (1) adherence to the
   System Life Cycle Management Policy, and (2) that all management and security controls are
   in place and operational. In addition, it defines the IFMS System Owner's responsibilities,
   which include recommending the implementation of changes to system software. The
   Interim Order also states that the IFMS System Manager controls daily operations. Further, the
   System Sponsor must concur with advancement of the software modifications, replacements,
   or enhancements to each life cycle phase.  In addition, the Senior Information Resources
   Management Official is the Authorizing Official who approves the security plan authorizing
   operations.

   Further, the Interim Order requires EPA management to review and document its approval or
   disapproval in a decision document at each of the five system life cycle phases before the
   system may advance to the next phase.  The accompanying Interim Agency System Life
   Cycle Procedures further define the Implementation Phase, which requires testing and a
   written authorization to process prior to beginning operations. Testing the system ensures
   that it works as specified in the requirements and design specifications, and that it meets
   applicable standards of performance, reliability, integrity, and security.

•  EPA's Information Security Manual (ISM), dated December 1999. The Manual sets
   forth requirements and provides guidance for securing Agency information resources in
   accordance with EPA and Federal security policies and mandates. Specifically, the Manual
   lists requirements for personnel security screenings, logical access controls, and establishing
   proper segregation of duties.

•  OCFO Policy Announcement 98-08, Amendment 1, Procedures for On-line Access to
   EPA's Integrated Financial Management System (IFMS), dated March 2002. This
   identifies requirements for personnel security screenings. Specifically, it requires that
   background screenings include, at least, a successful National Agency Check with Inquiries
   and Credit before giving contractor personnel access to IFMS.

•  IFMS Security Plan, dated September 2002. The IFMS Security Plan states that a formal
   change control process should be in place and that all changes to the application software
   should be tested and approved prior to being placed into production.  The Plan also states that
   the process for testing revisions to the software should include EPA performing testing first
   in an integrated test environment and then in a more comprehensive system test environment.
   Further, the Plan states that all changes to the application software should be documented,
   including integrated test plans, system test plans, and test results. Finally, the IFMS
   Security Plan identifies local and Agency provisions for the IFMS Security Administrator to
   use for maintaining proper segregation of duties, and establishing appropriate logical access
   controls.

•  EPA's Application RACF Security Administrator's Guide, dated February 1996.  The
   Guide provides procedural guidance required for EPA program offices to perform RACF
   administration.  The Guide outlines requirements for RACF User-ID administration.  For
   instance, the Guide prohibits the sharing of User-IDs and individuals from owning more than
   one User-ID, unless the National Technology Services Division receives a justification from
   the system owner and approves the exception.

•  The Implementation Report for IFMS 5.1, Release 1 Using Endevor V3.6, dated
   February 1995. The Report identifies EPA's responsibility and procedures for maintaining
   RACF groups associated with Endevor.

                                                                                         Appendix B
                   Office of the Chief Financial Officer
                            Response to Draft Report

MEMORANDUM

DATE:      July 23, 2004

SUBJECT:   OIG Audit Report: EPA Needs to Improve Change Controls for
           Integrated Financial Management System
           2003-000909

FROM:      Charles E. Johnson, Chief Financial Officer
           Office of the Chief Financial Officer

TO:        Patricia H. Hill, Director
           Business Systems Audits

        Thank you for the opportunity to respond to the findings and recommendations made in the draft report entitled, "EPA
Needs to Improve Change Controls for Integrated Financial Management System." Attached is our response to the specific audit
findings and recommendations made in the report. Comments from the Office of Administration and Resources Management
were provided under separate cover.

        We agree with the OIG emphasis on the importance of change controls. However, we disagree with the OIG assertion
that there is a general breakdown of security controls that could undermine the integrity of our financial system and data. Our
office exerts significant effort to ensure that security controls provide reasonable assurance, limit access to authorized
individuals, and properly integrate software modifications. To this end, we continually initiate actions that will enhance our
existing controls. For example, a recently developed automated annual security recertification system, grounded in the concepts
of least privilege and proper separation of duties, is being used to update access rights, privileges, and roles for Integrated Financial
Management System and the Financial Data Warehouse users. Actions are also underway to replace the antiquated Change
Management System. Additionally, key change control roles and responsibilities are clearly defined and employed by our trained
systems experts.

        We acknowledge that there is always room for improvement in any process and welcome your continued evaluation of
our efforts.

        If you have any questions concerning this response, please contact Lorna McAllister, Acting Director, Office of
Financial Management at 202-564-4905 or Juanita Galbreath, Staff Director, Financial Systems Staff at 202-564-1560.

Attachment

cc:      Mike Ryan

                 RESPONSE to DRAFT AUDIT of EPA's CHANGE CONTROL for
                    THE INTEGRATED FINANCIAL MANAGEMENT SYSTEM

                            FINDINGS AND RECOMMENDATIONS

2 - Security Controls Inadequate to Protect Integrity of IFMS Software Libraries

We recommend that the Chief Financial Officer (OCFO):

2.1    Perform a risk assessment of the Endevor system and, subsequently, develop a security
       plan for Endevor in accordance with NIST guidance, such as NIST Special Publication 800-
       18.

       FSS Response: Concur

       Endevor is not a system. Rather, it is a software tool used to automate, control and monitor
       application development and maintenance.  It maintains complete source code audit trails and
       provides source code library management functions.  Access to Endevor menus and options is
       controlled by Resource Access Control Facility (RACF).

       Endevor does not meet the NIST 800-18 definition of a "major application" or "general support
       system" that requires a security plan. Endevor:
           •   is not mission critical;
           •   is not reviewed under the Agency's annual IT Investment review process as a Major
               Application "Full CPIC";
           •   does not have high confidentiality requirements, i.e., contain confidential business
               information, trade secrets, privacy information or any other highly confidential information;
           •   does not have high availability requirements;
           •   does have high integrity requirements.

       However, to further ensure financial systems integrity, we will include Endevor in the IFMS
       security plan and risk assessment.

2.2    Update the Endevor Statement of Work to comply with current policies.

       FSS Response: Concur

       We have reviewed the Statement of Work (SOW) for the IAG and found that it does have a
       requirement for a National Agency Check (NAC). We will request that GSA update the SOW to
       require at a minimum a National Agency Check with Inquiries and Credit (NACIC).

       Note:  Our contractor currently has a security clearance through another Federal agency for which
       she performs additional work.

2.3    Remove access for all contractor personnel without a pending personnel security screening
       request or a final acceptable clearance.

       FSS Response: Concur

       We have reviewed the personnel security information of each contractor and in accordance with
       EPA Information Security Manual (ISM), Directive 2195, A-1, section 10, taken the appropriate
       action.

2.4    Establish a systematic process that will:

       (1) Clearly identify key responsibilities of roles related to IFMS security and Endevor
       contract administration; (2) ensure employees are adequately trained to perform assigned
       duties; and (3) hold employees accountable for successful performance of their roles.

       FSS Response: Concur

       Current OCFO, FSS guidance, policies, assignment matrices and employee performance plans
       clearly identify key roles and responsibilities and enforce accountability. Additionally, FSS
       employees receive continual training to better prepare them to successfully fulfill their
       responsibilities:
           •   The IFMS Security Features Users Guide (SFUG) clearly identifies roles and
               responsibilities and provides the information that a user needs to enter IFMS and start
               working within its security constraints, and it explains the user's role in maintaining the
               security of the system.
           •   The IFMS Procedures for Online Access provides procedures for controlling on-line
               access.
           •   The entire Financial Systems Staff received 8 hours of IFMS Security Training in October
               2003, and 16 hours of IFMS refresher training in December of 2003. In addition, internal
               ongoing training is provided by each staff subject matter expert to other staff members.
       Additional applicable documentation available to FSS and IFMS end-users is:
           •   PA 98-08, FSS Policies and Procedures for On-line Access to the EPA's Integrated
               Financial Management System (IFMS), September 1998, available at
               http://intranet.epa.gov/ocfo/policies/policy/pa98-08a.pdf
           •   IFMS Computer Based Instruction (CBT) available at
               http://intranet.epa.gov/ocfo/systems/fsb/tfms.htmScbt

2.5    Finalize the existing Interim Procedures for Conducting Background Investigations in a
       formal Agency-Level policy. Addressed by OARM

2.6    Provide interim guidance on duties and responsibilities of coordinators for background
       investigations. Addressed by OARM

2.7    Provide training for Agency Delivery Order Project Officers and security clearance
       coordinators for requesting background investigations of non-Federal personnel.
       Addressed by OARM
3 - Contracting Practices Over IFMS Software Modifications Need Improvement

3.1    Continue Financial Systems Staff efforts to develop Position Descriptions that more
       accurately reflect the actual contracting roles and responsibilities for Financial System
       Staff employees, and explicitly incorporate contract management responsibilities in
       applicable performance agreements.

       FSS Response: Concur

       The FSS Director will continue to review staff position descriptions to include the appropriate
       contracting roles and responsibilities.

3.2    Instruct Financial Systems Staff to:
       (a) Discontinue the practice of providing verbal technical direction to contractor staff (i.e.,
       personal services activities), (b) Document all meetings and other verbal directions to the
       contractor, (c) Use CMS to document acceptance and approval of deliverables received
       from the contractor.

       FSS Response: Concur

       The Director of FSS has instructed the responsible parties to (1) document all meetings with and
       directions provided to the contractor and (2) use CMS to document acceptance and approval of all
       deliverables from the contractor. The contractor has been notified in writing to not accept any
       verbal instructions from Financial Systems Staff.

4 - Contracting Practices Over IFMS Software Modifications Need Improvement

4.1    Identify an OMB-reportable Plan of Action and Milestones (POAM) to establish and
       implement a new, structured change control process over IFMS using a methodology that
       meets the specifications published in EPA's interim system life cycle management policy
       and procedures.

       FSS Response: Concur

       A new Change Management System is currently under development. The POAM will include
       Policies and Standard Operating Procedures.

4.2    Reauthorize and accredit IFMS in accordance with NIST 800-37 if the new change control
       process cannot be implemented within the next 90 days.

       FSS Response: Concur

       Due to fiscal year-end close-out and IFMS sub-release requirements, we do not expect to
       implement the new CMS in the next 90 days.  We are currently studying the new
       NIST guidance to determine what action is required.

                                                                     Appendix C

 Office of Administration and Resources Management

                      Response to Draft Report

                                     July 21, 2004
MEMORANDUM

SUBJECT:   Response to Draft Audit Report: EPA Needs to Improve Change Controls for
            Integrated Financial Management System

FROM:      David J. O'Connor, Acting Assistant Administrator /S/

TO:         Patricia H. Hill, Director
            Business System Audits

      I appreciate the opportunity to review the subject audit report and to provide this response
to your recommendations directed to OARM.  Our Security Management Division is very
supportive of Agency efforts to improve security of its financial management systems and has
endeavored to assist OCFO in their background investigations of contractor employees.

      I believe the use of the term "security clearance" in connection with your audit is
inappropriate because clearances are required only when access to national security information
is needed, which is not applicable for the tasks identified in your audit cases. Furthermore, even
if such clearances were needed, the Department of Defense, not EPA, has the authority to grant
them.

      The substantive issue in your draft report that is relevant to OARM is "suitability"
background investigations which are currently mandated only for federal employees to determine
if they are "fit for service." No federal or EPA-wide policy currently requires suitability
screening of contractors.  A few offices, including OCFO, have elected to establish such a policy
and we provide support for the processing and adjudication of these investigations. However,
because of the limited nature of these, we do not believe that our interim procedures need to be
formalized or expanded Agency-wide at this time.

      Attached is a detailed response to your audit recommendations from Rich Lemley,
Director of the Office of Administrative Services. Please direct any further inquiries regarding
this response to Rich at 564-8400.

cc:    Rich Lemley
      Wes Carpenter
      Sandy Womack-Butler

Attachment
                                        July 14, 2004
MEMORANDUM

SUBJECT:   Response to Draft Audit Recommendations Regarding Interim Procedures for
             Conducting Background Investigations on Non-Federal EPA Workers

FROM:      Rich Lemley, Director /S/
             Office of Administrative Services

TO:          Patricia H. Hill, Director
             Business System Audits

       I am pleased to provide this response to the recommendations contained in the subject
report pertaining to our Security Management Division. I hope you will find this information
useful and request that you direct any further questions to me at 564-8400.

       As you know, background suitability screening of federal contractors is not required by
any federal or Agency-wide policy. However, because a few EPA program offices have elected
to screen some contractors, in early 2004, our Security Management Division issued an internal
memo regarding "Interim Procedures for Conducting Background Investigations on Non-Federal
EPA Employees." This document states that it applies only to those programs and regions with
internal policies in place requiring background investigations and it clarifies the process for
initiating them through the Office of Personnel Management (OPM). Because the Agency has
not established a mandatory EPA-wide formal policy regarding these investigations, we do not
believe that the interim procedures should be finalized into such a document as you recommend
in 2.5 below.

2.5    Finalize  the existing Interim Procedures for Conducting Background Investigations in a
       formal Agency-level policy.

Response:    No federal or Agency-wide policy exists for suitability screening of contractors so
             the interim procedures should remain limited to those EPA programs and regions
             that voluntarily have elected to conduct such investigations.

2.6    Provide interim guidance on duties and responsibilities of coordinators for background
investigations.

Response:    The Security Management Division has already provided guidance on procedures
             to follow for initiating suitability background investigations  of contractors
             through OPM. The duties and responsibilities of program and regional
             coordinators should be established by their respective offices, if needed.
2.7    Provide training for Agency Delivery Order Project Officers and security clearance
       coordinators for requesting background investigations of non-Federal personnel.

Response:     Currently, very few EPA personnel are involved in requesting background
              investigations of non-federal personnel and the Security Management Division
              has worked with them on an individual basis to explain the procedures.  We do
              not believe that formal training is required at this time.

APR 26 2004

MEMORANDUM

SUBJECT:  Interim Procedures for Conducting Background
          Investigations on Non-Federal EPA Workers

FROM:      Wesley J. Carpenter,  Chief /s/
           Security Management Division

TO:        All Program and Regional Security Representatives
          These procedures are directed at those EPA Programs and
Regions with internal policies in place requiring background
investigations for non-federal workers performed through the Office of
Personnel Management (OPM).   For those Programs and Regions without
existing internal policies, these procedures are not mandatory.

          The process for non-federal background investigations at EPA
is set forth in a six step process.  Of those six steps, only step one
and step six require involvement of the Program or Regional Office.
All steps require participation and collaboration with OARM's Security
Management Division  (SMD), Personnel Security Branch.  The six step
process outlined below will improve communications and the overall
awareness of personnel security within the Agency.

NOTE: A new standard is currently being developed to establish minimum
personnel security suitability requirements for non federal employees
supporting EPA.  Once finalized, it will supplement the SMD's existing
procedures.  In the interim, based on previous SMD guidance, Programs
and Regions should use the formal process set out below.

Step 1: The Programs and Regions must complete and submit the required
paperwork to the Personnel Security Branch.

•     The Program or Regional Contracting Officer Representative (COR)
must complete and submit a cover memo and contractor security
documents to the Personnel Security Branch to initiate the process.

      *     Cover memorandum, including:

            -     Name and telephone number of COR;

            -     Name and telephone number of points of contact for
                  obtaining additional information and notification of
                  adjudication determination, if different from the COR;

            -     Contract number;

            -     Name of contractor(s) for whom security paperwork is
                  provided;

            -     Identification of type of background investigation
                  requested; and

            -     Funding information.

      *     Non-federal security documents, including:

            -     SF-85P, Questionnaire for Public Trust Positions; or

            -     SF-85, Questionnaire for Non-Sensitive Positions;

            -     Two FD-258, Federal Bureau of Investigation
                  fingerprint charts;

            -     SF-86A, Continuation Sheet for Questionnaires, when
                  applicable; and

            -     Credit Release Authorization Form (for investigations
                  requiring a credit check: MBI, LBI or NACI with
                  Credit).

      NOTE: The SF-85 PS Questionnaire is not required and should not
            be used.  In addition, Part I of the SF-85P or SF-85 form
            will be completed by the Personnel Security Branch; the
            Programs and Regions should not complete it.

•    The cover memorandum and contractor security documents should be
hand-delivered or mailed to the Personnel Security Branch at:

            US EPA
            Attention: Personnel Security Branch
            1200 Pennsylvania Ave., NW
            Mail Code 3206M, East Building - Room B414
            Washington, DC 20460

Step 2: The Personnel Security Branch will enter the information into
its database, file copies of the information, and review the contents
of the case papers.

Step 3: The Personnel Security Branch will initiate the investigation
through OPM.

Step 4: OPM will conduct the investigation and forward the completed
investigation to the Personnel Security Branch for adjudication.   On
average, this process takes 2 to 8 months to complete.
Step 5: The Personnel Security Branch will favorably or unfavorably
adjudicate the case and provide the results to the  Program or Regional
COR.

Step 6: The Program or Regional COR will review the adjudicative
results and take action based on the findings and recommendations. OPM
is notified of final adjudicative action.

   Questions  regarding these procedures should  be directed to
Kelly  Glazier, Chief, Personnel Security  Branch at 202-564-0351.
                                                                      Appendix D
                                Distribution
Chief Financial Officer (2710A)
Acting Assistant Administrator for Administration and Resources Management (3101A)
Acting Director, Office of Financial Management (2733R)
Director, Office of Administrative Services (3201A)
Director, Technical Information Security Staff (2831T)
Audit Coordinator, OCFO (2710A)
Audit Coordinator, OARM (3102A)
Audit Coordinator, OEI (2812T)
Agency Follow-up Official (2710A)
Agency Follow-up Coordinator (2724A)
Associate Administrator for Congressional and Intergovernmental Relations (1301A)
Associate Administrator for Public Affairs (1701A)
Inspector General (2410T)