United States Environmental Protection Agency
Office of Information Resources Management
Washington, D.C. 20460
EPA 2100
Information Resources Management Policy Manual
-------
EPA
Classification No.:
Approval Date:
P
7/19/96
INFORMATION RESOURCES MANAGEMENT POLICY MANUAL
1. PURPOSE. This Transmittal issues revised material for the IRM Policy Manual.
2. EXPLANATION. The revised Chapter 10, Records Management, integrates Agency
records management principles and organization with Federal records management requirements,
and includes electronic records.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the Checklist in front of
the manual.
Remove Pages
Chapter 10, dtd 7/21/87
Insert Pages
Chapter 10, dtd 7/19/96
I Mei Chan, Central Directives Officer
Organization and Management Consulting Services
SPECIAL NOTICE
We need your help in keeping our Directives System mailing list current. Please send
corrections of your mailing address (including mail code, street address, addressee's name, etc.)
to e-mail address CHAN-I-MEI or call 202-260-6654. Your help is greatly appreciated.
Originator
EPA Form 1315-12(5-86)
Organization and Management Consulting Services
Office of Administration and Resources Management
-------
ROUTING AND TRANSMITTAL SLIP
9/22/87
TO: John Hart
SW 259-
REMARKS
SUBJECT: EPA IRM POLICY MANUAL
ATTACHED IS A COPY OF THE AGENCY'S IRM POLICY
MANUAL. WE HAVE PROVIDED [illegible]
SO THAT YOU CAN MAINTAIN IRM POLICY GUIDELINES
WITH THE POLICY MANUAL.
Jean Sannon/IMSD
Room No.: [illegible]
Phone No.: 479-8673
-------
EPA
Classification No.: 2100 CHG 10
Approval Date: 10/23/95
IRM POLICY MANUAL
1. PURPOSE. This Transmittal issues revised material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 8, Information Security, establishes EPA's
Agencywide Information Security Program and assigns roles and
responsibilities for information security within EPA.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Chapter 8, dtd 7/21/87
Insert Pages
Chapter 8, dtd 10/23/95
David R. Alexander, Director
Organization and Management Consulting Services
Originator
EPA Form 1315-12(5-86)
Organization and Management Consulting Services
Office of Human Resources and Organizational Services
-------
EPA
Classification No.: 2100 CHG 9
Approval Date: 7/17/95
IRM POLICY MANUAL
1. PURPOSE. This Transmittal issues new material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 19 establishes an agency-wide Information
and Data Management Program.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd 5/1/95
Insert Pages
Table of Contents, dtd 7/17/95
Chapter 19, dtd 7/17/95
Judith M. King, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12(5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
EPA
Classification No.: 2100 CHG 6
Approval Date: 9/28/94
Addressee
INFORMATION RESOURCES MANAGEMENT POLICY MANUAL
1. PURPOSE. This Transmittal provides new material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 17, System Life Cycle Management,
establishes the life cycle requirements of EPA's automated
information applications systems.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd 6/1/93
Insert Pages
Table of Contents, dtd 9/28/94
Chapter 17, 9/28/94
Robert A. English, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12(5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
INTRODUCTION
-------
EPA
Classification No.: 2100 CHG 8
Approval Date: 5/1/95
IRM POLICY MANUAL
1. PURPOSE. This Transmittal issues new material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 18 establishes principles and requirements
that govern the acquisition of Agency Federal Information Processing
(FIP) resources.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd 12/21/94
Insert Pages
Table of Contents, dtd 5/1/95
Chapter 18, dtd 5/1/95
Judith M. King, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12 (5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
EPA
Classification No.: 2100 CHG 7
Approval Date: 12/21/94
IRM POLICY MANUAL
1. PURPOSE. This Transmittal issues revised material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 7 covers the principles that govern the
realm of Agency telecommunications including voice, video and all
data communications. It defines the roles and responsibilities of
organizations involved in the planning, design, development,
delivery, operation and maintenance of voice, video and data
communications.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd 9/28/94
Chapter 7, dtd 6/6/88
Insert Pages
Table of Contents, dtd 12/21/94
Chapter 7, dtd 12/21/94
Judith M. King, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12 (5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
EPA
Classification No.: 2100 CHG 5
Approval Date: 5/25/1993, 6/1/1993
Addressee
INFORMATION RESOURCES MANAGEMENT POLICY MANUAL
1. PURPOSE. This Transmittal provides new material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 15, Electronic Office Equipment Access
for the Disabled, assigns responsibilities and requirements to
ensure that disabled employees have access to electronic office
equipment. Chapter 16, EPA Internal Electronic Signature Policy,
defines the roles and responsibilities that govern the use of
electronic signatures.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd 4/20/1993
Insert Pages
Table of Contents, dtd 6/1/1993
Chapter 15, dtd 5/25/1993
Chapter 16, dtd 6/1/1993
Robert A. English, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12(5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
EPA
Classification No.: 2100 CHG
Approval Date: 4/20/1993
Addressee
IRM POLICY MANUAL
1. PURPOSE. This Transmittal provides new material for the IRM
Policy Manual.
2. EXPLANATION. Chapter 14, EPA Rulemaking Docket Policy,
establishes the principles and defines the roles and
responsibilities governing the management of EPA rulemaking
dockets.
3. FILING INSTRUCTIONS. Post receipt of this Transmittal on the
Checklist in front of the Manual.
Remove Pages
Table of Contents, dtd
Insert Pages
Table of Contents, dtd 4/20/93
Chapter 14, dtd 4/20/93
Robert A. English, Chief
Agency Management Analysis Branch
Originator
EPA Form 1315-12(5-86)
Management and Organization Division
Office of Administration and Resources Management
-------
EPA
Classification No.: 2100
Approval Date: 7/21/87
Addressee
INFORMATION RESOURCES MANAGEMENT
POLICY MANUAL - 1987 Edition
1. PURPOSE. This Transmittal provides the new Information
Resources Management Policy Manual.
2. EXPLANATION. The IRM Policy Manual establishes a policy
framework for the Information Resources Management Program in
EPA.
3. SUPERSESSION. The ADP Manual and all its changes.
4. FILING INSTRUCTIONS. Post receipt of date of this
Transmittal on the Checklist in front of the Manual. File
the attached material in a three ring binder.
Kathy Petruccelli, Director
Management and Organization Division
Originator
EPA Form 1315-12 (5-86)
Information Management and Services Division/OIFM
-------
CHECKLIST OF EPA TRANSMITTALS
TITLE: INFORMATION RESOURCES MANAGEMENT POLICY MANUAL
When kept current, this checklist permits the user to see at a glance which transmittals have been filed.
SERIES NUMBER    DATE
2100             7/21/87
EPA Form 1315-4 (Rev. 7-73)
PREVIOUS EDITIONS ARE OBSOLETE.
-------
IRM POLICY MANUAL 2100 CHG 9
7/17/95
TABLE OF CONTENTS
Introduction 1
IRM Management Controls/Review and Approval 2
Mission-Based Planning 3
State/EPA Data Management 4
Software Management 5
ADP Resources Management 6
Telecommunications 7
Information Security 8
Information Collection 9
Records Management 10
Privacy 11
Library Services 12
Locational Data 13
EPA Rulemaking Docket Policy 14
Electronic Office Equipment Access
for the Disabled 15
EPA Internal Electronic Signature Policy 16
System Life Cycle Management 17
Acquisition of Federal Information Processing Resources 18
Information and Data Management 19
APPENDICES
Glossary
Primary IRM Laws and Regulations
-------
IRM POLICY MANUAL 2100
7/21/87
INTRODUCTION
1. PURPOSE. This manual establishes a policy framework for the
Information Resources Management (IRM) Program in the U.S.
Environmental Protection Agency (EPA) (also referred to as
the Agency). Information Resources Management means planning,
budgeting, organizing, directing, training and controlling
information. It encompasses both information itself and
related resources such as personnel, equipment, funds and
technology. This document is intended to provide EPA with a
structure for the implementation of the Brooks Act of 1965,
the Paperwork Reduction Act of 1980, the Privacy Act of 1974,
the Freedom of Information Act of 1966, as amended in 1974
and 1986, the Federal Records Management Amendments of 1976
and policies and regulations issued by the Office of Manage-
ment and Budget (OMB) and the General Services Administration
(GSA), the two primary oversight agencies for Federal IRM
programs.
In addition, this manual establishes the authorities and
responsibilities under which the IRM Program will function at
EPA. The manual is limited to the IRM policy domain in order
to provide the primary documents in a concise and consolidated
manner. Detailed procedures and operating guidelines such as
the EPA Freedom of Information Act, Privacy Act and Records
Management Manuals are issued separately.
2. SCOPE AND APPLICABILITY. This manual applies to all EPA
organizations and their employees. It also applies to the
facilities and personnel of agents (including State agencies,
contractors and grantees) of the EPA who are involved in IRM
related activities.
3. BACKGROUND. The Paperwork Reduction Act of 1980 (P.L. 96-511),
herein referred to as the "Act," introduced Information
Resources Management to the Federal Government, emphasizing
information as a resource with associated costs and values.
The Act established a broad mandate for agencies to perform
their information activities in an efficient, effective
manner. Concepts advanced by the Act through the IRM approach
include the life cycle management of information activities
(i.e., creation, collection, and use); information functions
(i.e., automatic data processing, records management, reports
management, and telecommunications); the integrated approach
to managing information resources (i.e., total systems concept)
and the promotion and use of new technologies to improve the
effective use and dissemination of information.
-------
The objectives of this Act are to reduce costs, improve the
efficiency and effectiveness of information systems and
information technology in the Federal Government and to
provide specific mechanisms to control and reduce the paperwork
burden on the public.
The Act requires each agency head to designate a senior
official to carry out the agency's information management
activities in an effective and efficient manner and in full
compliance with the information policies and guidelines
prescribed by the Director of OMB.
Among other things, the Act requires each agency to:
o Develop and maintain an inventory of its information
systems and review periodically its information management
activities
o Ensure its information systems do not overlap with each
other or duplicate the systems of other agencies
o Assign to the designated senior official the responsibility
for the conduct of and accountability for any acquisitions
made pursuant to delegations of authority from GSA.
The Act also states that the Director of OMB, with the advice
and assistance of the Administrator of GSA, shall selectively
review, at least once every three years, the information
management activities of each Federal agency.
4. FEDERAL AUTHORITIES. A number of Federal laws, regulations
and policies prescribe, recommend or suggest policies, proce-
dures and reporting requirements for managing information
resources in all Federal agencies. Specific references will
be made in the subsequent chapters of this manual. A compen-
dium of key legislation, directives and regulations is found
in Appendix B of this manual. The exhibit on the following
page presents a structural framework for Information Resources
Management in EPA.
5. EPA IRM AUTHORITIES AND ORGANIZATION. The primary
responsibility for managing EPA's IRM Program is shared by
the Office of Policy, Planning and Evaluation (OPPE) and the
Office of Administration and Resources Management's Office
of Information Resources Management (OIRM). Other Offices
listed on pages iv-vi are also involved with supporting the
Agency's IRM Program.
ii
-------
FRAMEWORK FOR EPA INFORMATION RESOURCES
MANAGEMENT MANAGEMENT POLICIES
[Exhibit: diagram with tiers labeled Primary Legislation, Primary Federal Policy, Secondary Federal Policy, EPA IRM Policy, and Examples of EPA IRM Policy Guidelines and Procedures. Legible boxes include the Brooks Act of 1965, the Paperwork Reduction Act of 1980, the Freedom of Information Act of 1966, the Federal Records Act of 1950, Federal Information Resource Mgmt. Reg. (GSA) and Acquisition Regulations (GSA); the remaining box labels are not recoverable from the scan.]
-------
a. Office of Policy, Planning and Evaluation. The Assistant
Administrator for Policy, Planning and Evaluation (OPPE)
is the Senior Official responsible for directing and
overseeing the Agency's activities administered under the
Paperwork Reduction Act of 1980. The Assistant Adminis-
trator of OPPE has delegated much of the Act's authority
to the Director, Office of Information Resources
Management (OIRM). However, the Assistant Administrator
of OPPE has retained authority for managing and developing
policy for EPA's IRM Program in regulatory situations,
reviewing all Agency rules, regulations and other data
collection instruments to ensure that the Agency does
not impose an unnecessary paperwork burden on the public.
This Assistant Administrator also retains authority for
managing the clearing process for data collection instru-
ments. The vehicle for this activity is the Information
Collection Request (ICR) clearance process. OPPE is
also responsible for collecting, preparing and submitting
the Agency's Information Collection Budget (ICB) to the
Office of Management and Budget (OMB).
b. Office of Information Resources Management. The Director,
OIRM, has the primary functional responsibility for IRM
policy development and overall management of the Agency's
IRM Program. This includes the planning, development
and operation of information systems and services in
support of the Agency's administrative, programmatic and
research functions. It also includes administering
Agency programs for library systems and services, records
management, information security as well as implementing
the requirements of the Privacy Act. OIRM is also
responsible for:
o Acquisition management of office automation hardware
and software
o Review and approval of technical specifications for
software requested by OARM, ORD and the program
offices
o Management of Agency-wide ADP support contracts.
iv
-------
c. Office of Administration and Resources Management, RTP
(OARM-RTP) and the National Data Processing Division
(NDPD-RTP). The Director, OIRM, has delegated to the
Director, Office of Administration and Resources
Management-RTP (OARM-RTP), functional responsibility for the
acquisition, management and operation of ADP resources
including telecommunications resources as defined in
Chapters 6 and 7 of this Manual. The Director, OIRM has
delegated to the Director, OARM-RTP, authority to
approve requisitions for ADP equipment, computer services
and telecommunications. The Director, National Data
Processing Division (NDPD), is responsible for implementing
these functions. In particular, this includes:
o Acquisition management of hardware not delegated to
the Senior IRM Officials
o Acquisition of general purpose, non-application
specific software such as operating systems, data
base management systems, etc.
o Approval of system-oriented proprietary software.
d. Office of General Counsel. The Office of General Counsel
provides legal opinions, legal counsel and litigation
support for the Agency's implementation of the requirements
of the Privacy Act and the Freedom of Information Act.
e. Office of the Administrator. In coordination with the
Office of General Counsel, the Office of the Administrator
manages the implementation of the requirements of the
Freedom of Information Act.
f. Office of External Affairs. The Office of External
Affairs (OEA) manages EPA's press services, serves as
congressional liaison and coordinates communications with
State and local governments. OEA also has responsibility
for the review and clearance of proposed legislation and
reports on current and pending legislation.
g. Assistant Administrators, Associate Administrators,
Regional Administrators, Heads of Headquarters staff
Offices, the General Counsel and the Inspector General.
These senior managers are responsible for ensuring that
activities carried out by their respective organizations
-------
comply with Federal and EPA IRM policies and regulations.
To assist them in meeting their IRM responsibilities, the
General Counsel and the Inspector General and each Assis-
tant Administrator, Associate Administrator and Regional
Administrator have designated a Senior Information Resources
Management Official (SIRMO), whose responsibilities are
described in the following section. It should be noted
that the SIRMO in the Office of Executive Support for
the Office of the Administrator serves the two Associate
Administrators as well as all of the Staff Offices in
the Office of the Administrator.
h. Senior Information Resources Management Official. Senior
Information Resources Management Officials (SIRMOs) are
responsible for directing and managing office-wide
information resources planning and budgeting and for
assuring that the information systems and information
technology acquisitions within their organizations comply
with Federal and EPA policies and regulations.
i. IRM Steering Committee. The IRM Steering Committee is
chaired by the Director, OIRM, and has members representing
EPA national and Regional programs, the EPA research
community and the States. The Committee is responsible
for advising OIRM concerning IRM policies, resources and
priorities and assisting OIRM in communicating and
implementing these policies and priorities within EPA.
The Committee assists OIRM in conducting periodic reviews
of the Agency's information resources and the policies
and programs for managing these resources and in designing
improvements where needed.
6. OBJECTIVES. The objectives of EPA's IRM Program are to:
a. Support program and administrative components in the
fulfillment of their responsibilities by providing them
with high-quality information services in the most
efficient and cost-effective manner.
b. Use effectively the capabilities afforded through rapidly
evolving information related resources and technologies
in support of the Agency's mission and implementation of
EPA's basic programs, with a focus on achieving environ-
mental results.
vi
-------
c. Ensure that EPA information, goals, policies, plans and
strategies comply with Federal IRM laws and regulations
and that they support Agency missions.
d. Facilitate the integration and coordination of information
systems across media, functional and program lines.
e. Provide adequate security for proprietary or privileged
information maintained in EPA information systems.
f. Minimize unnecessary duplication of information systems
and data bases.
g. Reduce the Federal information collection burden on
members of the public and on State and local governments.
h. Promote data sharing with states and other Federal
agencies to achieve environmental results.
i. Provide effective automated data processing systems,
computing and telecommunications resources and facilities.
j. Promote productive utilization of EPA's human resources
in support of the Agency's mission.
vii
-------
CHAPTER 1
-------
CHAPTER 1 - IRM MANAGEMENT CONTROLS/REVIEW AND APPROVAL
1. PURPOSE. This policy establishes the principles and
requirements that govern the management controls over EPA's
IRM Program. This policy also defines the general delegations
of authority which reflect the decentralized management
structure of the IRM program. The framework of this policy
draws from the basic management functions of planning,
budgeting, acquisition, data management and evaluation to
present a comprehensive management overview of EPA's IRM
Program.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizations and their employees. It also applies to the
facilities and personnel of agents (including State agencies,
contractors and grantees) of EPA who are involved in IRM
activities.
3. BACKGROUND.
a. As noted in Section 5-c of this chapter, the Office of
Information Resources Management (OIRM) has been delegated
primary responsibility for managing EPA's IRM Program.
However, the decentralized nature of this program requires
the involvement and cooperation of all organizational
units on an Agencywide basis.
b. The delegations of authority in EPA's IRM Program reflect
the decentralized management structure of the Agency.
c. Management controls involved with EPA's IRM Program
reflect a combination of internal Agency organizational
requirements as well as those imposed on all Federal
agencies by Congress and oversight agencies.
4. AUTHORITIES. (See Appendix B for further detail.)
a. OMB Circulars A-130, A-11, A-76, A-127, A-123, OMB
Bulletins 86-12 and 86-19.
b. Federal Information Processing Standards Publications
(FIPS PUBS).
c. Federal Information Resources Management Regulations
(FIRMRs).
1-1
-------
d. The Brooks Act (P.L. 89-306).
e. The Paperwork Reduction Act of 1980 (P.L. 96-511).
f. GSA Bulletins.
5. DELEGATIONS OF AUTHORITY.
a. As noted in the introduction of this manual, the EPA
Administrator has designated the Assistant Administrator
for Policy, Planning and Evaluation (OPPE) as the Senior
Official responsible for directing and overseeing EPA's
activities administered under the Paperwork Reduction Act
of 1980.
b. While the Assistant Administrator for OPPE has delegated
much of the authority under the Act, he retained authority
for managing and developing policy for EPA's IRM Program
in regulatory situations, reviewing all Agency rules and
regulations and other data collection instruments to
ensure that the Agency does not impose an unnecessary
paperwork burden on the public. The Assistant Adminis-
trator for OPPE also retains authority for managing the
clearance process for data collection instruments. The
vehicle for this activity is the Information Collection
Request (ICR) clearance process. OPPE is also responsible
for collecting, preparing and submitting the Agency's
Information Collection Budget (ICB) to OMB. The Assistant
Administrator for OPPE has delegated authority to
manage other functions related to EPA's IRM Program to
the Assistant Administrator for Administration and
Resources Management (OARM) who in turn has redelegated
the authority in this area to the Director, OIRM.
c. The Director, OIRM, has primary functional responsibility
for IRM policy development and overall management of the
Agency's IRM Program. This includes the planning, develop-
ment and operation of information systems and services
in support of the Agency's administrative, programmatic
and research functions. It also includes administering
Agency programs for library systems and services, records
management, information security and implementation of
the requirements of the Privacy Act.
1-2
-------
d. EPA's Delegations Manual (Delegation 1-10) on automatic
data processing (ADP), a copy of which is found in
Exhibit 1-A of this chapter, cites the authorities which
were originally delegated to the Assistant Administrator
for Administration and Resources Management (OARM) and
which have been subsequently redelegated to the Director,
OIRM. This includes the authority to approve requisitions
for ADP equipment, telecommunications, studies and services,
including the authority to determine and approve:
(1) The ADP technical content of solicitation packages.
(2) The evaluation criteria to be used for evaluation of
ADP components of proposals.
(3) Preaward procedures for ADP components of proposals,
including nominations for membership on the evaluation
panel, contractor demonstrations and benchmarks and
facility reviews as required.
(4) Postaward procedures for ADP components of procurements
including acceptance testing and site inspection.
ADP supplies (i.e., diskettes, tape, paper, cables) are
considered as normal office supplies. They are exempt
from the management controls applied to EPA's IRM program.
The authority to approve requisitions for ADP equipment,
computer services and telecommunications was redelegated
by the Director, OIRM, to the Director, OARM-RTP. A
further delegation has been made to the Director, NDPD.
e. Subject to certain conditions, the authority to approve
acquisitions for microcomputer equipment, software and
support services that conform to Agency standards has
been delegated by the Director, OIRM, to:
(1) Assistant Administrators
(2) Associate Administrators
(3) Inspector General
(4) General Counsel
(5) Regional Administrators
1-3
-------
As noted in this delegation, which is found in Exhibit 1-B of
this chapter, the officials specified above may further
redelegate their authority in this area to their Senior
Information Resources Management Officials (SIRMOs), provided
that formal notification is provided to the Director, OIRM.
6. CONTROLS RELATED TO BASIC MANAGEMENT FUNCTIONS. The following
sections describe management controls for IRM planning,
budgeting, acquisition, data management and evaluation of
IRM activities and requirements.
a. IRM Planning.
(1) Mission-based Planning. EPA is highly dependent on
its information resources to carry out program and
administrative functions in a timely, efficient and
accountable manner. Because of the expensive and
capital intensive nature of information and informa-
tion technology, it is Federal policy that all
managers plan effectively for the acquisition and
management of information and information technology
through the annual preparation of mission-based IRM
plans. (Reference Chapter 2 of this manual). In
EPA, all national program managers and Regional
offices submit their plans to the Director, OIRM,
who is responsible for reporting the contents of
the plans to the Administrator and other senior EPA
management officials. Mission-based IRM plans are
tied to the budget process and are used to support
investment decisions made during the budget
preparation process.
(2) Planning Requirements for Acquiring and Managing
Personal Computers (PCs). The basic purpose of the
PC Plan is to ensure that appropriate provisions
are made to provide effective management and support
of this technology. All Headquarters and Regional
offices must submit a PC Plan and qualify for a
delegation of PC approval authority in order to
acquire personal computer hardware or software.
Delegations will be made to those offices that have
(1) designated a SIRMO to exercise the delegation
on behalf of the Assistant or Regional Administrator,
(2) received OIRM approval for their PC Plan and
(3) designated and arranged appropriate training
for a PC Site Coordinator(s) to manage PC ordering,
1-4
-------
processing and user support and develop security
provisions for safeguarding these resources. Plans
must be approved by the SIRMO in order to receive
consideration by OIRM. Delegated officials, including
PC Site Coordinators, will review PC procurement
requests in light of approved plans and may then
submit approved procurement requests to PCMD for
placement/issuance of PC orders under the contract.
(3) Information Collection. The principles governing
the information collection planning process are
described in greater detail in Chapter 9 of this
manual. From a management control perspective, it
is important that Agency managers determine, before
the information collection is initiated, that data
are not already available elsewhere in the program,
Agency or external sources. It is also necessary in
the planning stage to design statistically valid
sampling and collecting efforts and to determine
that the cost of collecting the data does not exceed
the value of the data to the program and EPA mission
accomplishment.
(4) OMB Bulletin for Federal Information Systems and
Technology Planning - OMB issues a bulletin on an
annual basis which requires all Federal agencies to
submit their strategic plans for information systems
and technology. This plan contains the following
kinds of information: a description of the agency's
program priorities and a discussion of how informa-
tion technology is being used to meet those priorities;
a list of the agency's major information systems;
and a description of significant information technology
initiatives.
(5) OMB Bulletin for Management Review/Management
Improvement Planning - The Office of the Comptroller
is responsible for coordinating and reporting EPA's
management improvement plan to OMB. OIRM contributes
to the Agency's plan by reporting milestones for
initiatives which will improve the overall management
of the Agency from an IRM perspective.
1-5
-------
b. Budgeting.
(1) Section 43 of OMB Circular A-11, "Preparation and
Submission of Budget Estimates" - In EPA, this
reporting requirement is referred to as "Short-Term
ADP Planning." This report identifies and documents
the Agency's information technology activities, the
cost of those activities and the program initiatives
that the technology supports. OIRM is responsible
for coordinating the collection and reporting of
this information for the Agency.
(2) Timeshare Budget - OARM-RTP with the assistance of
OIRM, and in consultation with Agency components,
prepares and submits the Agency timeshare budget.
Timeshare requests are represented as a program
element (PE) in the Agency's budget which is submitted
to OMB. Once the budget is approved by Congress,
OIRM administers the timeshare budget throughout
the Agency in accordance with the needs and requests
of Agency components and OARM-RTP guidance.
(3) Environmental Monitoring Budget Special Analysis -
The purpose of this periodic analysis is to evaluate
the investments supporting the Agency's environmental
monitoring strategies. All major program offices
are required to provide their individual monitoring
analysis with their budget submissions. OPPE is
responsible for assessing these reviews. The final
product evaluates the resource requirements and
priorities for monitoring activities across the
Agency.
(4) Information Collection Budget - During the third
quarter of each fiscal year, OMB issues a bulletin
which requires that agencies submit their projected
reporting burden on the public for the forthcoming
fiscal year. OPPE is responsible for coordinating
and reporting the information collection budget for
EPA.
c. Procurement/Acquisition.
(1) Acquisitions are evaluated to meet GSA and other
applicable regulations. Policies on EPA's IRM
acquisitions are enforceable by OIRM, the Grants
Administration Division (GAD) and the Procurement
and Contracts Management Division (PCMD).
(2) From a management control perspective, PCMD inserts
language into contracts to ensure that the contractors
adhere to certain standards. Some of these standards
are mandated by the Federal Information Resources
Management Regulations (FIRMRs), Federal Standards
and the Federal Information Processing Standards
(FIPS). Other standards are developed by OIRM and
NDPD. They are responsible for determining what
standards apply to a particular procurement.
(3) OIRM provides ADP support services through centrally
managed and administered contracts; program offices
may submit procurement requests for such services to
OIRM. OIRM provides guidance on effective utiliza-
tion of these contracts and prepares the required
delivery orders which are issued by PCMD.
d. Data Management. In the operation of any of EPA's
automated systems there are a number of controls which
are imposed in order to maintain efficiency and effective-
ness. The following is a brief list of principal controls
that program and system managers need to observe in the
development, operation and maintenance of their systems:
(1) Data Standards - Organizations responsible for
system management are responsible for conforming
with established Agency data standards. OIRM is
responsible for establishing the data standards for
the Agency and ensuring that those standards meet
the Agency objective of promoting data sharing.
Chapter 5 of the EPA Policy Manual provides further
information on this subject.
(2) Systems Documentation - It is Agency policy that
adequate documentation must be developed for all EPA
automated systems. This is important to ensure
management control and continuity of service. Without
adequate documentation, full utilization of a system
cannot be realized.
(3) Acceptance Testing - Prior to implementing a system,
appropriate acceptance testing must be conducted.
Such activity serves to determine the reliability of
functions as well as identify problems, both in the
documentation and in the actual operation of the
system. Acceptance testing must include proper
documentation of test results.
(4) Systems Security - As stated in Chapter 8 of this
manual, "It is EPA policy to protect adequately
sensitive information and sensitive applications
from improper use, alteration or disclosure, whether
accidental or deliberate. Information and applica-
tions will be protected to the extent required by
applicable law and regulations in accordance with
the degree of their sensitivity in order to ensure
the cost-effectiveness of the security program."
(5) User Support and Training - To ensure optimally
efficient operation of Agency information systems,
it is critical that EPA managers provide their
staff adequate user support and training.
e. IRM Evaluations. The following evaluations and reviews
are conducted to help the Agency assess the adequacy of
its information systems and resources:
(1) Special Studies and Management Reviews - A variety
of special studies and reviews are conducted by
OIRM alone or in concert with Agency program offices.
The scope of such reviews may vary depending on the
subject matter and the goals and objectives
established for the review or study.
(2) ADP Reviews - These reviews are conducted by OIRM
as well as program managers. All ADP review activity
must be coordinated with the Office of the Inspector
General which has the lead responsibility to perform
independent reviews of EPA's activities. An ADP
review is an evaluation of an information system,
ADP equipment, operations or an ADP organization,
to determine if the intended or expected functions
are being accomplished. The general purpose of
such a review is to improve management of information
resources by ensuring that ADP systems and services
are being managed in compliance with standards,
operating procedures and policies. (Specific guidance
on conducting this type of review is found in the
Agency's Directives System - EPA 2115 Guide for ADP
Review).
(3) Contract Performance Reviews - OIRM, in concert with
PCMD, conducts regular (three times per year) reviews
of contractor performance through meetings with
delivery order project officers and the contractor
under the ADP support contracts managed by OIRM.
These meetings provide a forum to share information
about experiences during delivery order performance
that relate to key performance and contract
administration issues.
(4) Risk Analyses - OMB Circular A-130 requires that all
automated installations undergo a periodic risk
analysis to ensure that appropriate, cost-effective
safeguards are in place. This risk analysis will
be conducted on new installations, on existing
installations undergoing significant change and on
existing installations at least every 5 years.
(5) GSA Triennial Review - This review is a government-
wide three-year planning and reporting cycle set
forth to meet the requirements established by the
Paperwork Reduction Act of 1980. Agencies are
required to perform reviews of their information
resources management activities and prepare synopses
and updates of these reviews to GSA on a yearly
basis for a three-year duration. The objective of
the Triennial Review Program is to ensure that
agencies are carrying out their information manage-
ment activities in an efficient, effective and
economical manner. OIRM is responsible for managing
the review process with input from the program
offices.
f. IRM Reporting Requirements.
(1) External - The following is a list of external
reporting requirements related to EPA's IRM program:
(a) OMB Bulletin for Federal Information Systems and
Technology Planning
(b) OMB Bulletin for Management Review/Management
Improvement Planning
(c) Section 43 of OMB Circular A-11
(d) GAO Systems Inventory
(e) ADP Equipment Data Systems to GSA
(f) Information Collection Budget
(g) Information Security Program Data to GSA
(h) Privacy Act Annual Report to OMB
(2) Internal - The following is a list of internal
reporting requirements relating to EPA's IRM program:
(a) Mission-Based Plans
(b) PC Plans
(c) Information System Inventory Updates
(d) Timeshare Budget
(e) Special IRM Budget Analysis (Addendum)
(f) Environmental Monitoring Budget Special Analysis
EXHIBIT 1-A
DELEGATIONS 1200 TN95
3/26/84
GENERAL, ADMINISTRATIVE AND MISCELLANEOUS
1-10. ADP
1. AUTHORITY. To approve requisitions for ADP equipment,
telecommunications, studies, and services, including the
authority to determine and approve:
a. The ADP technical content of solicitation packages
b. The evaluation criteria to be used for evaluation of ADP
components of proposals
c. Preaward procedures for ADP components of proposals,
including membership on the evaluation panel, contractor
demonstrations and benchmarks, and facility reviews as
required
d. Postaward procedures for ADP components of procurements
including acceptance testing and site inspection.
2. TO WHOM DELEGATED. The Assistant Administrator for
Administration and Resources Management.
3. REDELEGATION AUTHORITY. These authorities are redelegated
to the Director, Office of Information Resources Management.
The authority to approve requisitions for ADP equipment,
computer services, and telecommunications is further
redelegated to the Director, Office of Administration and
Resources Management, RTP. All of the above authorities may
be redelegated further.
CHAPTER 2 - MISSION-BASED PLANNING
1. PURPOSE. This policy establishes the principles that govern
Agencywide planning for EPA's investments in and management
of information resources and technology. This policy also
defines roles and responsibilities for implementing these
principles.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
national program managers and Regional offices.
3. BACKGROUND.
a. Information is an Agency asset, just as property, funds
and personnel are Agency assets. EPA is highly dependent
upon its information resources to carry out program and
administrative functions in a timely, efficient and
accountable manner.
b. Information and information technology represent an
expensive and capital intensive investment of EPA's
human and other operational resources. It is essential,
therefore, that EPA plan for its investment and manage-
ment of information resources.
c. As a result, an Agencywide Information Resources Management
(IRM) planning process must be established. Furthermore,
as required by OMB Circular A-130, planning must be based
in programs and missions to ensure that the acquisition
and use of information resources support the requirements
of EPA's program and administrative functions.
d. Investment decisions on the acquisition and use of
information resources can be made only through the budget
process. Planning must be tied to the budget so that
budget decisions are derived from plans and, conversely,
so that budgetary constraints are reflected in the plans.
e. The management, control and responsibility for information
resources within EPA is decentralized. Consequently,
planning for information investments and management is
also decentralized. The value of a decentralized process
is that it engages the active participation of EPA managers
in the decision-making process and allows them to respond
to environmental as well as administrative priorities
as they change over time.
4. AUTHORITIES.
a. OMB Circular A-130, Management of Federal Information
Resources.
5. POLICY. It is EPA policy to plan effectively for the
acquisition and management of information and information
technology through the annual preparation of mission-based
information resource management (IRM) plans.
a. Mission-based IRM plans are strategic in nature covering
a three-to-five year period and updated annually to
reflect real-time changes in each major national program
office.
b. Mission-based IRM plans are linked to the Agency's Priority
List which defines the Agency's mission and to the Agency's
Operating Guidance which specifies IRM priorities and
actions over a one-to-two year period.
c. The plans will be tied to the budget process and will be
completed in time to support investment decisions made
during the budget preparation process.
d. Mission-based IRM planning explicitly evaluates information
requirements necessary to achieve EPA and program missions
and priorities. These requirements are assessed in the
context of existing and planned resources and Agencywide
policies and standards governing the effective management
of information and information technology.
e. Planning for significant investments in and management of
information must be supported by analyses of the life
cycle of the information requirement from the initial
stages of information system design through operational
stages of system start-up and maintenance. Consideration
must be given to the full range of information support
needs from data collection and entry to ongoing training,
user support, quality control and system administration.
e. Mission-based IRM plans must be evaluated periodically to
ensure that EPA and program missions and priorities are
fully supported. In particular, any planning for signifi-
cant investments must be evaluated through such analyses
as information requirements studies, benefit-cost
assessments and life cycle planning studies.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management is
responsible for:
(1) Developing and issuing guidance for the development
of mission-based information resources management
plans in accordance with OMB Circular A-130.
(2) Determining, in consultation with the IRM Steering
Committee and Senior IRM Officials, which major
national programs are responsible for preparing and
updating mission-based IRM plans.
(3) Developing and issuing guidance for an Agencywide
review of information investments.
(4) Providing guidance to the Administrator and EPA's
senior management on EPA's investment in and manage-
ment of information resources and technology.
(5) Responding to OMB and other external requests on
EPA's plans and budgets for the acquisition and use
of information technology.
b. The Assistant Administrators, Associate Administrators,
General Counsel, Inspector General and Regional Adminis-
trators are responsible for:
(1) Appointing a Senior IRM Official who is responsible
for management and oversight of the information
resource management program in his/her respective
organization. The Senior IRM Official in the Office
of Executive Support for the Office of the Adminis-
trator serves the two Associate Administrators as
well as all of the Staff Offices in the Office of
the Administrator.
c. Senior IRM Officials for major national programs are
responsible for:
(1) Ensuring the development of mission-based resource
management plans responsive to EPA and program
information requirements.
(2) Ensuring that these plans are integrated into budgets
for information investments which are reflected in
formal planning and budgeting submissions.
(3) Establishing an information resource management
program consistent with the organizational mission,
organizational information plans and Agency policy.
c. The National Data Processing Division is responsible
for:
(1) Translating the mission-based plan into specific
ADP resources requirements.
(2) Developing the actual Timeshare Budget required to
provide the ADP resource requirements identified by
(1).
7. DEFINITIONS.
a. "Mission-based Planning" refers to the planning for an
agency's investments and management of information
resources and technology that are required to achieve
the agency's missions and priorities. These plans are
tied to the budget process and are used to support invest-
ment decisions made during the budget preparation process.
These plans are strategic in scope but are updated annually
to reflect progress in implementation, program changes,
changes that affect information requirements and advances
in technology.
b. "Life Cycle Costs" means the sum total of all the direct,
indirect, recurring, nonrecurring and other related costs
incurred or predicted to be incurred in the formulation
of requirements and feasibility studies, and in the
design, development, production, operation, maintenance
and support of an information system throughout its
useful life.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines for the
Agency's Mission-based Planning Program will be issued on an
annual basis under separate cover.
CHAPTER 3 - STATE/EPA DATA MANAGEMENT
1. PURPOSE. This policy establishes the principles that govern
the management and sharing of data between EPA and State
environmental agencies and the information systems that
handle these data. This policy also defines roles and
responsibilities for implementing and ensuring adherence to
these principles.
2. SCOPE AND APPLICABILITY. This policy is applicable to all
EPA programs and Regional offices that develop and operate
information systems that are used by the States or that
contain data reported to EPA by States.
3. BACKGROUND.
a. The underlying rationale for EPA's policy on State
delegation includes a recognition that more effective
environmental protection results when Federal goals and
regulations are implemented in a fashion that is respon-
sive to the diversity of local conditions. EPA's policies
on information management must reflect this same balance
of compliance with Federal statutes and priorities and
responsiveness to local diversity.
b. Federal policy, as most recently set forth in OMB Circular
A-130, specifies that Federal agencies may "not require
Federal information systems that unduly restrict the
prerogatives of heads of State and local government
units..."
c. EPA remains responsible and accountable to the President,
the Congress and the public for progress toward meeting
national goals and for ensuring that Federal statutes
are adequately enforced. In accordance with "EPA Policy
on Oversight of Delegated Environmental Programs," April
4, 1984, the Agency has the responsibility to oversee
the conduct of delegated inter-governmental programs, to
enhance State capabilities to administer environmental
protection programs and to analyze the status of State,
regional and national environmental quality through
ongoing monitoring and data collection efforts.
d. EPA's policy of delegating program implementation
responsibility to States means that the ultimate
effectiveness of the Agency depends, to a very large
extent, on the effectiveness of State program managers.
Among the several factors that determine the success of
State program managers is their capacity to obtain and
use management and environmental information.
e. EPA's ability to oversee and support State performance
of delegated programs, and to report on these programs
to the President, the Congress and the public, is also
heavily dependent upon accurate and timely State
information resources and systems.
f. EPA seeks to improve environmental decisions by more
consistent and reliable estimation of health risk based
on sound data and analysis methods and by integrating
permitting, regulatory and compliance efforts across
program lines. Improvement in the information management
systems will result in more timely, quality assured data,
a more integrated risk assessment and overall better
State/EPA program management.
g. Although each has requirements that differ in detail and
emphasis, there are substantial benefits to EPA and to
State agencies if both have timely, reliable access to
the same basic management and environmental information.
h. Most EPA programs have developed data systems to receive
State reports and to provide the reports and analysis
required by national program managers. There are substan-
tial benefits to EPA when States agree to meet Agency
reporting requirements by entering data directly into
these systems. In at least some cases, States also
benefit by gaining access to data and information systems
capabilities that they cannot develop on their own.
However, the benefits to States from using EPA information
systems to report or to process data depend on several
factors:
(1) The existing State investment in its own information
systems
(2) The accessibility and reliability of the EPA systems
for both entering and retrieving data
(3) The reliability and quality of EPA user support
(4) The extent to which EPA systems contribute to State
management objectives as the integration of environ-
mental and management data, both across programs
delegated from EPA and other State programs
(5) The costs in using such systems both in actual
dollars and resources necessary for use.
4. AUTHORITIES.
a. OMB Circular A-130, Management of Federal Information
Resources.
5. POLICY. It is EPA policy that Agency reporting requirements
and information systems will be responsive to the information
needs of State environmental agencies and will take into
account the diversity among States in terms of organization,
resources and program responsibilities. EPA systems that
process and store data obtained from States will adhere to
data management policies that avoid duplication of data and
effort and promote integrated environmental program planning
and management, both within States and between States and
EPA. EPA will assure timely and reliable State access to
any Agency information system that contains data obtained
from States in response to EPA reporting requirements.
a. As required by OMB Circular A-130, EPA will adhere to
reporting and information systems policies that do not
unduly restrict State prerogatives to plan and manage
information resources in response to State policy and
management priorities.
b. EPA information systems that process and store data
provided by States in response to EPA reporting require-
ments will, insofar as practical, be developed and operated
to accommodate State management needs. More specifically:
(1) EPA will ensure that States are afforded an active
role in developing, improving and modifying informa-
tion systems through the establishment of user
groups, policy groups and other mechanisms which
promote continuing State/Federal interaction.
(2) EPA will, insofar as practical, design such systems
with the flexibility to accommodate State needs for
related data standards that facilitate State informa-
tion systems planning and the integration of data
across EPA and State program lines.
(3) EPA will develop such systems in adherence to
technology and data standards that facilitate State
information systems planning and the integration
of data across EPA and State program lines.
(4) EPA will design such systems to accept direct,
electronic transmission of data from States that
operate their own information systems.
(5) EPA will design such systems to support direct,
electronic transmission of data to States from EPA
systems to support local data analysis.
(6) EPA will strive to achieve consistency in design
and access methods consistent with current industry
technology.
c. New EPA systems and data bases developed to process and
store data obtained from State environmental agencies
shall be designed to support timely and reliable State
access to these data. Existing EPA systems that contain
State data should allow for timely and reliable State
access. Timely and reliable State access will vary
according to the nature of the data and the system;
however, for EPA's major national systems and data bases,
it means:
(1) Direct, on-line State access to current data files
(2) The use of software and data communications techno-
logies that adhere to Agency standards and that
support efficient State access for reporting and
retrieval of data
(3) The provision of documentation and user assistance
to State users on a consistent and current basis.
d. For those States which agree to meet EPA reporting
requirements by directly entering data into EPA systems,
the Agency will regard such data as the official State
record of the delegated program. EPA will not unilaterally
change these data, since doing so would force the State
to maintain a separate system of records.
e. EPA will allow the States at their option to enter data
regarding non-delegated programs into the EPA systems.
However, States are not mandated to meet the same
requirements in the non-delegated programs that they are
obliged to meet for the delegated ones.
f. EPA will support the use of State grant funds to develop
State information resources and technology to the extent
that doing so is consistent with the purposes for which
these funds were appropriated. EPA will seek State
proposals which assign funds from one or more EPA grants
for information resources and technology that:
(1) Promote the integration of environmental planning
and management across State and EPA program lines
(2) Foster improved data sharing between EPA and the
State.
g. EPA will design and manage its computing and data
communications network to support timely and reliable
State access to EPA systems and data bases. EPA's pursuit
of this goal will be based on the following assumptions:
(1) The achievement of this goal is dependent on the
constraints of available resources.
(2) EPA does not seek to be the primary or the "first
choice" computing resource for any State environmental
agency.
(3) EPA does not seek to provide computing and
telecommunications services to States in lieu of
or in competition with either State or commercial
sources.
h. EPA recognizes one of the advantages of sharing data is
reduced reporting by the States. Therefore, if a State
is entering data directly into the EPA system, EPA will,
insofar as practicable, adhere to data management policies
that avoid duplication of data and effort and not require
that the State report this information in additional
formats.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management shall:
(1) Develop guidelines and programs to ensure that
Agency reporting requirements and information systems
are defined and implemented in accord with this
policy.
(2) Provide guidance and assistance to Assistant
Administrators, Associate Administrators and Regional
Administrators in implementing the requirements
of this policy.
(3) Plan and oversee the acquisition, deployment and
use of information technology within EPA to ensure
support for effective management and sharing of
data by EPA and State environmental agencies.
(4) Ensure EPA compliance with Federal statutes and
regulations governing the acquisition, operation
and use of information technology employed to share
data between EPA and State agencies.
(5) Evaluate and report on the effectiveness of Agency
activities in achieving the goals of this policy.
b. National Data Processing Division shall:
(1) Design and manage the acquisition and operation of
data processing and telecommunications resources to
support effective management and exchange of data
between EPA and State environmental agencies.
(2) Develop standards for EPA data processing and
telecommunications technology services that support
the goals of this policy.
(3) Provide technical advice and assistance to EPA and,
upon request, to State environmental agencies
concerning the acquisition and implementation of
information technology to achieve the goals of this
policy.
c. Assistant Administrators and Associate Administrators
shall assure:
(1) That State agency requirements for information and
information technology are addressed in the design
and implementation of EPA programs.
(2) That the information systems and data management
practices of programs and activities under their
direction are in accord with this policy.
(3) Effective State participation in the design and
operation of national information systems and data
bases that contain data reported by States and
provide timely and reliable access by States to
such data bases.
d. Regional Administrators shall assure that:
(1) State requirements for information and information
technology are effectively addressed in State delega-
tion agreements, State grants and other agreements
between EPA and States.
(2) Regional procedures for handling and validating
State-reported data guarantee the integrity and
accessibility of such data as required by this
policy.
(3) The Regional Office has an effective program to
foster and support State/EPA data management and
sharing that meets at a minimum EPA Federal reporting
requirements.
e. The Office of Administration shall:
(1) Develop and implement policies and procedures to
assure that information collection and processing
activities performed by EPA contractors and grantees
comply with this policy.
7. DEFINITIONS.
a. "Data" refers to a collection of unorganized facts that
have not yet been processed into information.
b. "Data Base" is a collection of integrated data that can
be used for a variety of applications.
c. "Data Communications" refers to computer-to-computer,
computer-to-device, device-to-computer communications
and other communications such as a record, tele-processing
and telemetry.
d. "Information Technology" refers to the hardware and
software used in connection with government information,
regardless of the technology involved, whether computers,
telecommunications, micrographics or others.
e. "Software" refers to computer programs, procedures,
rules and associated documentation pertaining to the
operation of a computer system.
f. "Telecommunications" is the transmission and/or reception
of information by telephone, telephone lines, telegraph,
radio or other methods of communication over a distance.
The information may be in the form of voice, pictures,
text and/or encoded data.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines will
be issued under separate cover.
CHAPTER 4 - SOFTWARE MANAGEMENT
1. PURPOSE. This policy establishes the principles and
requirements that govern the planning, acquisition, develop-
ment, maintenance and use of Agency software resources.
This policy also defines the roles and responsibilities for
implementing these principles and requirements.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizations and their employees. It also applies to the
personnel of agents (including State agencies, contractors
and grantees) of EPA who are involved in the design, develop-
ment, acquisition, operation and maintenance of Agency
software, data and information systems. The requirements of
this policy apply to existing as well as new or modified/
enhanced software systems.
3. BACKGROUND.
a. Directly or indirectly, most EPA managers are involved
with automated information systems or the information
resources management process. This involvement can be
with the information itself and related resources, e.g.,
personnel, equipment, funds, systems and technology
(hardware and software). As agencies become increasingly
dependent on information technology to accomplish their
basic missions, it is essential that these technologies
be acquired and used in a rational way.
b. The EPA software management program is needed to manage
and protect EPA information as a valuable national resource;
promote cross-media analysis and information interchange
for environmental results; reduce costs while maximizing
benefits for program management and improve the quality,
uniformity and maintenance of software products.
c. The objectives of EPA's software management program
include the following:
(1) Secure EPA's investment in information collection,
processing, dissemination, use, storage and
disposition.
(a) Much of EPA's software investment is "custom"
software (i.e., developed by in-house or
contractor staff), as opposed to software
commercially marketed or developed by other
government agencies.
(b) It is important that systems development,
operation and maintenance be managed to ensure
that this investment yields software products
which are sound, maintainable and not subject
to disruption.
(2) Improve the quality, uniformity and maintenance of
software systems.
(a) Decisions regarding the selection of such
items as computer environment, programming
languages, processing techniques, ergonomic
screen design, terminal key functions and
documentation products have been left up to the
individual project officer, contractor or
in-house developers.
(b) This has resulted in some successful systems,
while others have been hampered by maintenance
difficulties attributed to the lack of an
effective software management program.
(3) Improve the cost-effective acquisition, development,
maintenance and ongoing operation of software systems.
(a) EPA spends a significant amount of its information
resource dollars on custom software development,
maintenance and ongoing operation of information
systems.
(b) Improving the cost-effectiveness of these efforts
can be achieved by standardizing techniques,
methods, products and tools for systems
engineering for all phases of the information
systems life cycle and by the acquisition and
use of commercial software where appropriate.
(4) Promote inter-agency cooperation and sharing of
software and data.
(5) Improve the end-user computing environment and
access to EPA's information resources.
(a) EPA is increasingly relying on end-user
computing. The key to end-user computing is
the availability of easy-to-use software tools
and "ready-to-go" applications software.
(b) This can be achieved through several measures,
including standardizing and supporting software
tools for the end-user computing environment;
providing training, software revisions and user
support; expanding the "information center"
approach to support the end-user computing
environment; promoting access by Agency staff
to information systems and resources; and
developing and disseminating systems engineering
standards and guidelines for all software life
cycle phases of end-user developed applications.
(6) Develop plans for future software investments in
areas with high payoff for the Agency's mission.
(a) While tools such as fourth generation languages
have measurable benefits and significant
productivity gains, there are future areas of
software investment which promise even greater
benefits and gains.
(b) These include greater reliance on generic,
off-the-shelf software applications, as opposed
to developing custom software; office automation
software with greater levels of integration of
functions, features and capabilities; expert
systems or artificial intelligence applications
for EPA mission and program goals; geographic
information systems for environmental analysis;
and the development and enforcement of software
engineering standards to gain a greater degree
of discipline and rigor in the software process.
d. The policies described in the remainder of this chapter
provide a framework for establishing this software management
program.
4. AUTHORITIES.
a. OMB Circular No. A-130, Management of Federal Information
Resources, December 12, 1985.
b. NBS FIPS PUB 38, Guidelines for the Documentation of
Computer Programs and Automated Data Systems, February 15,
1976.
c. NBS FIPS PUB 64, Guidelines for Documentation of Computer
Programs and Automated Data Systems for the Initiation
Phase, August 1, 1979.
d. NBS FIPS PUB 105, Guidelines for Software Documentation
Management, June 6, 1984.
e. NBS FIPS PUB 106, Guidelines on Software Maintenance.
f. NBS FIPS PUB 101, Guidelines for Lifecycle Validation,
Verification and Testing of Computer Software.
g. EPA Office Systems Feasibility Study, Implementation and
Operational Guidelines, January 1985 (OIRM).
h. EPA ADABAS Application Development Procedures Manual,
October 17, 1984 (revised December 2, 1985), NDPD.
5. POLICY. It is EPA policy to enhance the management of software
throughout its life cycle. It is also EPA policy that software
developed by or acquired for the Agency will use EPA standard
software tools and adhere to EPA standards and guidelines.
a. The use of existing government and commercially available
and tested software application packages is required
wherever technically and economically feasible.
b. Whenever custom programming is required, maximum use of
automated tools for software design, development, testing
and maintenance will be made.
c. EPA offices and staff will jointly acquire and share
software resources wherever possible. This applies to
the acquisition of proprietary software products and
development of software under contract or with in-house
resources. Software that has the potential for being
shared will be developed or acquired after an evaluation
of the general requirements of interested offices.
d. Copyright laws and other measures designed to protect
legitimate proprietary interests in software and data
must be rigidly enforced. Classified and unclassified
data and software must be protected from improper access,
use, alteration, manipulation or unauthorized disclosure
as a result of criminal, fraudulent or other improper
actions.
e. In the absence of overriding efficiency considerations,
all software resources must: satisfy functional requirements;
provide interfaces consistent with users' needs
and skill levels; meet users' availability needs; provide
data integrity; provide response times acceptable to
users under routine and unusual conditions (i.e., peak
workloads, equipment failure); and meet users' security
requirements.
f. EPA program officials will adhere to Federal Information
Processing Standards (FIPS) and guidelines as published
or adapted for the Agency in developing, documenting,
maintaining and using software applications.
g. EPA program officials managing the development or ongoing
operation of software applications are responsible for
the management of life cycle costs, conformance to software
standards and data base administration procedures,
training, operations maintenance and user support and
evaluation.
h. The development of all application systems will conform
to the Agency's system development life cycle methodology.
i. The use of fourth generation or other non-procedural
languages and tools is recommended in lieu of third
generation, procedural language-based custom development
efforts. Customized third generation or procedural
languages and tools may be required to meet functional
requirements for reasons of security, portability and
efficiency. The use of assembler languages is restricted
to exceptional situations, such as when modifying an
existing program written in assembler language, writing
a program for an operating system and an application
requiring the use of assembler language.
j. All EPA applications systems development efforts must
use the Agency's standard application programming
languages.
k. Applications should be designed to require the least
possible amount of computer operator and programmer
support for execution.
l. EPA program officials will periodically review all
software resources to determine and prevent obsolescence
of software. Indicators of obsolescence include:
dependence on obsolete peripherals; running in an emulation
mode; inadequate operating system or documentation and
more than 5 years since the last substantial redesign.
m. Information technology provided to EPA employees and
their agents is to be used for official business only.
EPA managers and supervisors are responsible for ensuring
appropriate use of this technology by their employees.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management (OIRM) is
responsible for:
(1) Managing information resources, functions and
activities within EPA, in accordance with the Paperwork
Reduction Act of 1980 (P.L. 96-511), Federal
Information Processing Standards (FIPS), OMB Circular
No. A-130 (Management of Federal Information Resources)
and other Federal regulations.
(2) Defining EPA software management/engineering policies,
standards and guidelines in the interests of
standardization, productivity and effective management
of software and information resources.
(3) Review and approval of technical specifications for
software requested by OARM, ORD and the program
offices.
(4) Publishing plans and guidance for administrative,
program and research/laboratory systems.
(5) Conducting compliance reviews.
b. The Assistant Administrators, Associate Administrators,
Regional Administrators, Laboratory Directors, Headquarters
Staff Directors, General Counsel and Inspector General
are responsible for:
(1) Ensuring compliance with software management policies,
standards and guidelines.
(2) Managing the software life cycle, process and products
within their program(s).
c. The Senior IRM Officials are responsible for:
(1) Approving microcomputer proprietary software.
(2) Initially approving requisitions for acquisitions
of information technology prior to their review by
NDPD and/or OIRM.
d. The Director, National Data Processing Division, is
responsible for:
(1) Acquiring all general purpose, non-application
specific software such as operating systems, data
base management systems, etc.
(2) Approving system-oriented proprietary software.
e. The Procurement and Contracts Management Division and
the Grants Administration Division are responsible for:
(1) Ensuring that all policy, standards and guidelines
specified by OIRM are incorporated in Requests for
Proposals (RFPs), Interagency Agreements (IAGs),
Cooperative Agreements, Grants, Contracts and
Sub-Contracts.
f. Each EPA Manager, Supervisor, or Project Officer engaged
in information resources management activities is
responsible for:
(1) Conforming to the software management/engineering
program policies, methods, standards, guidelines
and techniques contained in this and related
documents.
g. Each EPA employee, contractor and grantee engaged in
information resources management activities is responsible
for:
(1) Conforming to Agency software management/engineering
program policies, methods, standards, guidelines
and techniques.
7. DEFINITIONS
a. "Application Software" means software specifically produced
for the functional use of a computer system, e.g., payroll,
inventory control, environmental monitoring and scientific
modeling.
b. "Artificial Intelligence, Expert, or Knowledge-based
Systems" refers to a class of systems that employ decision
rules developed through human experience and from human
knowledge to solve problems that require a high degree
of human expertise.
c. "Data Base Management System (DBMS)" is the software
product that provides data structure containing unrelated
data stored, so as to optimize accessibility, control
redundancy and offer multiple views of the data to multiple
application programs.
d. "Documentation" refers to information to support the
effective design, management, operation, maintenance and
transferability of ADP resources, and to facilitate
the interchange of information. Documentation includes
analysis, technical documents and specifications which
are produced in the software life cycle (e.g., project
request, feasibility study, cost/benefit, functional
requirements, data requirements, system/subsystem
specifications, program specifications, data base specifications,
test plan, user's manual, operations manual,
test reports and maintenance procedures).
e. "Fourth Generation (4GL) Programming Language" refers to
modern programming languages (e.g., INFO, FOCUS) designed
for end-users or to increase programmer productivity,
which have a number of tools such as English language
syntax, dictionaries, screen builders and reference to
data by name. These languages tend to be dependent on
specific computer architectures and are not usually
transportable. They usually imply a proprietary Data
Base Management System (DBMS) or Data Management System
(DMS).
f. "Geographic Information System (GIS)" is a system that
combines geographic and/or cartographic analysis capabilities
with a computer data base system that can support
data entry, data management, data manipulation and data
display.
g. "Non-procedural Language" see definition for Fourth
Generation (4GL) Programming Language under "e".
h. "Procedural or High Order Language" see definition for
Third Generation Language (3GL) under "o".
i. "Software" means computer programs, procedures, rules
and possibly associated documentation and data pertaining
to the operation of a computer system.
j. "Software Engineering" refers to the discipline of applying
software tools, techniques and methodologies to promote
software quality and productivity.
k. "Software Life Cycle" is the period of time beginning
when a software product is conceived and ending when
the product no longer performs the functions for
which it was designed. The software life cycle is
typically broken into phases, such as requirements,
design, programming and testing, installation and
operation and maintenance.
l. "Software Maintenance" means the performance of those
activities required to keep a software system operational
and responsive after it is accepted and placed into
operation. It is the set of activities which result
in changes to the originally accepted (baseline)
product. These changes consist of modifications
required to: (1) insert, delete, extend and enhance
the baseline system (perfective maintenance); (2)
adapt the system to changes in the processing environment
(adaptive maintenance) and (3) fix errors (corrective
maintenance).
m. "Software Tools" refers to packaged, often commercial,
computer program(s) used to help develop, test, analyze
or maintain computer programs, data and information
systems. Examples include statistical software such
as SAS, SPSS, sort systems, etc.
n. "Testing" refers to examining the behavior of a program
by executing the program on sample data sets.
o. "Third Generation (3GL) Programming Language" is a
programming language that usually includes features such
as nested expressions and parameter passing, that can
run on a variety of different computer systems and are
independent of machine architecture (e.g., COBOL, BASIC,
FORTRAN, PL/I). It is a problem oriented language
that facilitates the expression of a procedure as an
explicit algorithm. In contrast to fourth generation
programming language, third generation programming
language is usually independent of a data base
management system and is transportable between different
computer architectures.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines for
the Agency's software management program will be issued
under separate cover.
IRM POLICY MANUAL 2100
7/23/87
CHAPTER 5 - DATA STANDARDS
1. PURPOSE. This policy establishes the EPA Data Standards
Program. The purpose of this program is to provide consistent
definition of data and to facilitate cross-media use of data.
This policy sets forth Agency principles on data standards
and assigns organizational responsibilities for implementing
and administering common data standards.
2. SCOPE AND APPLICABILITY. This policy applies to all
Environmental Protection Agency (EPA) organizations and
their employees. It also applies to the facilities and
personnel of agents (including contractors and grantees) of
EPA who design, develop, operate or maintain Agency information
and information systems. This policy applies to automated
and manual systems developed for programs or administrative
purposes. The requirements of this policy apply to existing
data elements as well as new data elements.
3. BACKGROUND.
a. Integration of information and data bases is difficult
because program offices use disparate formats and names
for similar data elements.
b. There is a need to make and support decisions based on
standard information and data collected that cuts across
the Agency's programs.
c. Specific programs, such as the Ground-water program,
have an increasing need to share data from other programs,
other agencies, States and local governments. This adds
credence to the need for acceptable data standards to
facilitate exchange of information.
d. Information technology has reached a point at which the
sharing of data among automated systems is technically
feasible.
e. The Agency has implemented standards for hardware and
software that facilitate the sharing of data among programs.
f. To support effectively the use of common definitions of
environmental data with State programs, EPA must have
common definitions for data elements and an intra-agency
capability to share data.
g. Organizations outside EPA have been establishing data
standards which are accepted nationally or internationally.
These pre-existing standards, such as Chemical Abstract
Service (CAS) registry numbers, may serve as the best
data standard for certain data elements.
h. There is a growing need for agreement on the definition
of Agencywide parametric data entities such as "site"
and "facility."
i. The Agency has a facilities inventory system that lists
facilities regulated by the various programs in EPA.
The inventory includes the different names and addresses
for a single facility. This system will be a critical
part of the Agency data standards effort.
j. At a minimum, there are six major areas which would
benefit from the use of data standards: data used in
more than one program, facilities and site data, geographic
data, measurement data, health and environmental effects
data and core office systems data.
4. AUTHORITIES.
a. 15 CFR, Part 6 Subtitle A, Standardization of Data Elements
and Representations.
b. OMB Circular A-130, Management of Federal Information
Resources.
5. POLICY. It is EPA policy to create and maintain consistency
in the form of data elements that have more than one application
within the Agency. This consistency will permit the
cross media approach necessary to achieve environmental
results. The data standards will reflect the Agency's program
priorities.
a. As required by OMB Circular A-130, EPA will adhere to
Federal Information Processing Standards (FIPS), except
where it can be demonstrated that the costs of using a
standard exceed the benefits of the standard or will
impede the Agency in accomplishing its mission.
b. All organizational components of EPA, their contractors
or grantees will promote the full utilization of Federal
and Agency data standards and representations in the
design and development of information systems.
c. Data elements, codes and representations already in use
by the Agency will be evaluated and adopted as Agency
standards wherever practicable.
d. Data elements, codes and representations may be recommended
for standardization by any program office within EPA.
e. Geographical information systems developed by the Agency
must conform to an established set of appropriate data
standards which permit the use of the system by all
relevant programs and state agencies.
f. All relevant facilities or sites data must be stored in
the Agency's facility or site inventory systems.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management (OIRM)
shall:
(1) Provide effective leadership in developing,
promulgating and enforcing the policies of the
Agency data standards program.
(2) Coordinate the evaluation and approval process of
all data standards with the Assistant Administrators,
Regional Administrators, Office Directors and Senior
Information Resources Management Officers.
(3) Exercise final approval authority for the adoption
of data standards. Grant waivers to the implementation
of approved Agency data standards.
(4) Support other EPA data administration efforts, e.g.,
encourage cross reference files for non-standard
information. Encourage the use of data element
dictionaries.
(5) Propose and apply effectively data elements or
representations for use by more than one organizational
component of EPA as Agency standards.
(6) Publish and promulgate approved Agency standards in
an EPA Data Standards Catalog.
b. Assistant Administrators, Associate Administrators,
Regional Administrators, Laboratory Directors, Headquarters
Staff Office Directors, General Counsel, Inspector General,
and SIRMOs shall:
(1) Implement approved Agency data standards that are
published under the provisions of this policy.
(2) Establish an organization-wide data standards work
group which reviews and provides information and
comments on proposed data standards.
(3) Propose the adoption of data standards for Agency
use within the environmental community.
(4) Submit requests for waivers or deferments to the use
of Agency data standards to OIRM.
7. DEFINITIONS.
a. "Data Element" is a unit of information used to describe
data characteristics and attributes, e.g., eyes - blue or
BL.
b. "Data Standards" are standards used generally, but not
exclusively, for automated systems to ensure that one
type of data is defined the same way in all systems. A
similar definition means having the same name, the same
number of maximum characters and the same type and content
of data in all systems where a specific data item appears.
c. "Information Technology" refers to the hardware and
software used in connection with government information,
regardless of the technology involved, whether computers,
telecommunications, micrographics or others.
d. "Media" means Water, Air, Hazardous Waste and Pesticides
and Toxic Substances program offices.
e. "System" is the organized set of procedures used to
collect, transmit and disseminate information whether
automated or manual.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines for the
Agency data standards program will be issued under separate
cover.
IRM POLICY MANUAL 2100
7/21/87
CHAPTER 6 - ADP RESOURCES MANAGEMENT
1. PURPOSE. To establish policies pertaining to the acquisition,
management and operation of Agency automated data processing
(ADP) resources.
2. SCOPE AND APPLICABILITY. This policy applies to all Agency
national programs and Regional offices. Within this policy,
ADP resources are defined as the following:
a. Large-scale, mainframe computers located at the National
Computer Center, RTP.
b. Distributed processors located anywhere in the Agency.
c. Microcomputers used as desktop computing resources located
anywhere in the Agency.
d. Data communications equipment including switching,
concentration and front-end processors located anywhere
in the Agency.
e. Data facilities used as intra-office, inter-office or
wide-band network circuits.
f. Operating system software, telecommunications software,
multi-user, third party application software.
3. BACKGROUND. The OMB and GSA require that each Federal Agency
establish internal policies and procedures for the efficient
management of ADP resources. The National Data Processing
Division, OARM-RTP, within the authority of the Office of
Information Resources Management, provides the following:
a. Computing and telecommunications services to Agency
allowance holders at a pre-determined level as defined in
general or specific Service Level Agreements.
b. Planning, oversight, management, operation and acquisition
of all automated data processing resources in the Agency.
c. Assessment and introduction of new computing and
telecommunications resources as appropriate to maintain
effective and efficient delivery of automated data
processing services.
4. AUTHORITIES.
a. Public Law 89-306, The Brooks Act, which provides for
the economic and efficient purchase, lease, maintenance,
operation and utilization of ADP resources by Federal
departments and agencies.
b. Public Law 98-369, Competition in Contracting Act, which
requires, among other things, that full and open
competition be utilized in the acquisition of supplies
and services and that specifications not be unnecessarily
restrictive of competition.
c. OMB Circular A-130, Management of Federal Information
Resources, which establishes policy for the management
of Federal information resources.
d. FIRMR, 41 CFR, Chapter 201, which provides Government-wide
policies, procedures and guidelines pertaining to the
procurement and management of ADP resources.
5. POLICY.
a. EPA will plan, budget, acquire, maintain and operate all
ADP resources in a cost-effective manner consistent with
applicable Federal standards and regulations and which meet
the documented mission needs of the various programs within
the Agency.
b. EPA will operate the National Computer Center as a
computing and telecommunications facility designed to
provide large mainframe computing services to EPA
employees and contractors.
c. EPA will operate the National Data Communications
System which will provide terminal access and host-to-host
communications between and among all computing resources
in the Agency.
d. EPA will provide management oversight, including procedures,
operating policy and change control for minicomputers
and microcomputers located anywhere in the Agency.
e. Information technology provided to EPA employees and their
agents is to be used for official business only. EPA
managers and supervisors are responsible for ensuring
appropriate use of this technology by their employees.
6. RESPONSIBILITIES.
a. Office of Information Resources Management is responsible
for:
(1) Providing management guidelines and planning oversight
for all Agency ADP resources.
(2) Managing a planning process which identifies the ADP
requirements of the various programs in the Agency.
(3) Acquisition management of office automation.
(4) Acquisition of information technology supporting
scientific and technical applications.
b. The National Data Processing Division is responsible
for:
(1) Planning and acquisition management of hardware
not delegated to the Senior IRM Officials.
(2) The operation and maintenance of all centralized,
mainframe ADP resources.
(3) Delegation, where appropriate, for the operation
and maintenance of Agency ADP resources (distributed
processors and microcomputers) to other programs
within the Agency.
(4) Compliance with all applicable Federal regulations
addressing acquisition, operation and
accounting (including full-costing and chargeback)
of ADP resources.
(5) Preparing procedures and guidance for the operation,
maintenance and use of Agency ADP resources.
(6) Administering the Agency's timeshare accounting
and billing systems and procedures.
(7) Developing and managing the Agency's ADP security
and facility disaster recovery procedures.
(8) Providing ADP training and user support.
c. The Assistant Administrators, Associate Administrators,
Regional Administrators, Headquarters Staff Office
Directors, Laboratory Directors, General Counsel, and
Inspector General are responsible for:
(1) Ensuring compliance with the policies, standards
and guidance for the use of Agency ADP resources.
(2) Developing mission-based requirements for ADP
resources e.g., computer capacity planning.
(3) Operating and maintaining, as defined by NDPD, all
delegated resources.
(4) Administering the Agency's timeshare accounting for
their organization.
(5) Providing ADP training and user support for their
organization.
d. The Senior Information Resources Management Officials
(SIRMOs) are responsible for:
(1) Initial approval of requisitions for acquisition
of information technology prior to their review by
NDPD and/or OIRM.
7. DEFINITIONS.
a. "Automated Data Processing" (ADP) refers to the production,
conversion, reduction, destruction, storage, transfer or
communication of data by electronic digital computers
and related peripheral devices. The term "electronic
data processing" (EDP) and ADP are frequently used interchangeably
with no significant distinction. Automated
data processing may be performed by a stand-alone
unit or by several connected units.
b. "Automated Data Processing Equipment" refers to electronic
components and equipment regardless of use, size, capacity
or price that are designed to be applied to the solution
or processing of a variety of problems or applications.
c. "Central Processing Unit (CPU)" is that part of a computer
that interprets and executes program instructions and
communicates with the input, output and storage devices.
It consists of the control unit and the arithmetic/logic
unit.
d. "Data Communications" refers to computer-to-computer,
computer-to-device and device-to-computer communications
and other communications such as a record, tele-processing
and telemetry.
e. "Distributed Processing" involves the use of computers
or intelligent terminals at a number of sites that share
the control, storage and/or computing functions of the
central computing system, thus giving the end user data
processing capabilities. The various stations, or network
nodes, are connected by telecommunications lines.
f. "Hardware" refers to physical equipment such as the
computer and its related peripheral devices, tape drives,
disk drives, printers, etc.
g. "Mainframe" connotes a large computer.
h. "Microcomputer" is one of a large variety of general
purpose computers manufactured utilizing one or more
micro-processors. Microcomputers can range from computers
with relatively small amounts of memory to computers
with large amounts of random access memory and several
peripheral devices. Typically, an end user microcomputer
is of desktop size and requires no special environmental
site preparation.
i. "Minicomputer" refers to a computer somewhere in size
between a microcomputer and a mainframe. These units
are characterized by higher performance than microcomputers,
richer instruction sets, higher price and a proliferation
of high-level languages, operating systems and networking
methodologies.
j. "Network" is a computer system using data communications
equipment to connect two or more computers.
k. "Operating System" refers to software that controls and
supports the execution of computer programs and contributes
to optimal use of the computing system. An operating
system may provide services such as resource allocation,
scheduling, input/output control, error recovery and
data management. Although operating systems are
predominantly software, partial or complete firmware
implementations are possible.
l. "Service Level Agreement" refers to a documented contract
between the National Data Processing Division (NDPD) and
any client organization which describes the services
which will be provided by NDPD to the client. There are
two basic types of Service Level Agreements. One is a
generic documented service description which applies to
all client organizations and the other is a specific
agreement with an individual client organization. The
latter is developed primarily where the level of service
requested is beyond the normal service levels contained
in the generic service agreement. Service Level Agreements
generally contain a description of availability, capacity,
workload, performance, reliability and cost.
m. "Telecommunications" refers to the transmission and/or
reception of information by telephone, telephone lines,
telegraph, radio or other methods of communications over
a distance. The information may be in the form of voice,
pictures, text and/or encoded data.
n. "Timeshare" is a procedure that allows many users to
simultaneously access and use the resources of a central
computer through remote terminals.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines regarding
the management of the Agency's ADP resources will be issued
under separate cover.
IRM POLICY MANUAL 2100
12/21/94
CHAPTER 7 - TELECOMMUNICATIONS
1. PURPOSE. This policy establishes the principles that govern
the electronic transfer of information between and among
Agency sites and organizational components, and also between
and among the Agency and the larger environmental protection
community (e.g., State and local government, grantees, and
contractors). It also defines the roles and responsibilities
of organizations involved with the planning, design,
development, delivery, operation, and maintenance of Agency
telecommunications services.
2. SCOPE AND APPLICABILITY. Agency telecommunications
includes all voice, video, and data communications (e.g.,
communication via telephone, electronic mail and bulletin
board services, voice processing, video/audio conference,
satellite, radio frequency, and facsimile equipment),
including directory, locator, and operator services. This
policy affects all employees of the Agency and the larger
EPA community, e.g., its contractors, grantees, and
participants in cooperative agreements. The EPA-State data
exchange is also an important part of the Agency
telecommunications plan and program.
3. BACKGROUND. The EPA is an information-intensive
organization, both in terms of production and consumption.
Agency telecommunications provide the infrastructure through
which Agency business is conducted. The stringent
timeframes associated with much of this business demand
maintenance of an efficient, effective, and reliable
telecommunications environment. The design, development,
and maintenance of such an environment requires compatible
equipment, procedures, and close coordination between the
central service organization and its clients.
4. AUTHORITIES.
a. Public Law 89-306, Brooks Act of 1965.
b. Public Law 98-369, Competition in Contracting Act of
1984.
c. Public Law 96-511, Paperwork Reduction Act of 1980, as
amended.
d. Public Law 100-235, Computer Security Act of 1987.
e. Public Law 93-579, Privacy Act of 1974.
f. Federal IRM Regulation (FIRMR), Part 210-21.6, Use of
Government Telephone Systems.
g. FIRMR Part 201-39, Acquisition of Federal Information
Processing Resources by Contracting.
h. FIRMR Part 201-20.305.1, Regulatory Delegations.
i. FIRMR Part 201-20.305.2, Special Agency Delegations.
j. FIRMR Part 201-20.306, Delegation of Authority for
Telecommunications Resources.
k. FIRMR Part 201-21.601, Authorized Use of Long Distance
Telecommunications Services.
l. FIRMR Part 201-21.603, Listening-in to or Recording
Telephone Conversations.
m. FIRMR Part 201-24.102, Consolidated Local
Telecommunications Services.
n. FIRMR Part 201-24.203, Telecommunications Assistance
Programs and Services.
o. FIRMR Bulletins:
(1) C-3, Federal ADP and Telecommunications Standards
Index.
(2) C-9, Nonmandatory GSA Services and Assistance
Programs.
(3) C-10, Telecommunications Accessibility for Hearing
and Speech Impaired Individuals.
(4) C-15, Mandatory Local Telecommunications Services.
(5) C-16, Emergency Telecommunications.
(6) C-18, Federal Telecommunications System (FTS2000).
(7) C-19, Information System Security (INFOSEC).
(8) C-20, National Security and Emergency Preparedness
(NSEP) Telecommunications.
p. Code of Federal Regulations (CFR) Title 5, Part 735 and
Title 41, Part 201.
q. Manual of Regulations and Procedures for Federal Radio
Frequency Management, National Telecommunications and
Information Administration (NTIA), U.S. Department of
Commerce.
r. OMB Circular A-130, Management of Federal Information
Resources.
s. Federal Information Processing Standards.
5. POLICY.
a. The Agency's telecommunications network is planned,
acquired, and managed as a corporate resource.
b. All Agency telecommunications activities and operations
shall be in conformance with prevailing Federal law and
regulations, and with pertinent General Services
Administration (GSA) and National Telecommunications
and Information Administration (NTIA) policies and
procedures for Federal agencies.
c. Since consistency and compatibility are essential to
reliable, accurate communications within EPA and its
larger community, any project or program involving
connection to the Agency network system or use of
telecommunications, including provisions for the
maintenance of current systems, is subject to Agency
policy and review and approval by central Agency
network systems management.
d. Agency access to the Internet is provided by the
central Agency network systems management. Individual
Headquarters or Regional Offices, laboratories or field
sites shall not procure commercial subscription
services for use within any EPA facility or install
analog modems within any EPA facility for the purpose
of Internet access without approval of the central
Agency network systems management.
e. All requirements for use of radio frequencies,
including purchase of radio equipment that emits radio
frequencies and inauguration of change in the use of
any frequency and radio call signs will be submitted to
the central Agency network systems management for
review and coordination with the National
Telecommunications and Information Administration's
Frequency Assignment Sub-Committee.
f. Since telecommunications is a rapidly-changing
technology, operational standards and procedures are
developed and modified, as appropriate, by the central
Agency network systems management to assure the
integrity and currency of the Agency telecommunications
capability.
g. In accordance with the Agency's systems life cycle
management policy, all Agency application development
efforts, including those supported by contractors, shall
include an evaluation for overall system architecture
needs, including telecommunications implications. This
evaluation shall be made available for central Agency
network systems management review prior to application
development. The initial description of system network
and capacity and security needs shall be included in
the System Management Plan. All application
development collaboratively undertaken by EPA within
the larger EPA community (e.g., grantees, multinational
organizations, State agencies) shall be similarly
reviewed.
h. In planning for any relocation or facility
modification, telecommunications requirements shall be
specifically addressed, and appropriate funding
obtained.
i. Provision of all Agency telecommunications services,
including planning, acquisition, installation,
management, and operations, shall be accomplished
through the Telecommunications Service Request (TSR)
system and approval procedures established in Agency
operational directives.
j. Direct connection from a non-EPA Local Area Network
(LAN) (e.g., State LAN) to the EPA network is
specifically prohibited, owing to the potential instability
this would introduce.
k. Telecommunication services provided to EPA employees,
contractors, and grantees are to be used for official
business only. Official business may include personal
emergency calls and calls determined by a supervisor to
be necessary in the interest of the government.
l. All long distance telephone charges to EPA are subject
to supervisory review. Where possible, employees will
be asked to review records of calls placed from their
assigned lines or extensions, to verify that calls were
placed for official business.
m. Making unauthorized calls at government expense, even
if the caller intends to reimburse the government, is
prohibited by Federal law (31 U.S.C. 1348(b)).
Employees who place unauthorized calls at Government
expense will be required to pay for the cost of the
calls and will be subject to disciplinary action
according to the EPA Order No. 3120.1A, "Conduct and
Discipline." Repeated abuse may result in suspension
or dismissal.
n. Call detail reports as maintained by EPA are subject to
the requirements of the Privacy Act. All EPA locations
and programs operating a system to generate call detail
reports must comply with the provisions of the Privacy
Act, including publication, disclosure, and record
security provisions.
o. Listening to and recording telephone conversations
without specific legal authorization is prohibited. No
unannounced telephone recording devices of any kind
shall be installed or used in EPA without formal
approval from the General Services Administration.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management is
responsible for providing central Agency network
systems management services including:
(1) telecommunications design, acquisition, planning,
installation, management and operation;
(2) developing and promulgating policy, procedures,
standards and guidance governing the operation of
the Agency's telecommunications network and
services (this includes development and
acquisition of Agency applications requiring
telecommunications support and guidance on the
security of telecommunications systems);
(3) providing technical assistance and guidance for
the Agency in implementing the requirements of
Federal and Agency telecommunications law,
regulation and policy;
(4) providing the Designated Agency Representative to
act for the Agency in transactions with the
General Services Administration (GSA) to obtain
FTS2000 services;
(5) maintaining the Agency central personnel locator
database suitable for electronic distribution and
for directory publication;
(6) coordinating with the General Services
Administration all Agency requests for installing
devices to listen-in to or record telephone
conversations; and
(7) reviewing and approving Agency telecommunication
system and service procurements and changes that
require GSA approval under the FIRMR.
b. The Office of Acquisition Management is responsible for
reviewing all contracts to ensure compliance with
acquisition-related Federal and Agency
telecommunications law, regulations, and policy, such
as the Brooks Act and the FIRMR.
c. The Assistant Administrators, Associate Administrators,
Staff Offices within the Office of the Administrator,
the General Counsel, the Inspector General, and
Regional Administrators are responsible for ensuring
that:
(1) systems and applications designed and developed
for their respective Offices comply with
applicable Federal telecommunications law,
regulations, and Agency policy;
(2) any necessary funding for telecommunications
relocation or facility modification is obtained
for their respective Support Accounts as described
in section 5.h above; and
(3) Agency locator information is authenticated and
updated for each organizational component and
location for their respective organizations as
personnel join or leave the organization.
d. Regional Administrators and Laboratory Directors are
responsible for telephone operations in Regional
Offices and laboratories, respectively, not otherwise
assigned to the central Agency systems network
management.
e. The Senior Information Resources Management Officials
(SIRMOs) are responsible for assisting their Assistant
Administrators and Regional Administrators in:
(1) maintaining current awareness of Agency
telecommunications policy and directives for
applicability and implementation in their
respective organizations; and
(2) assuring that relevant Agency information on
telecommunications is appropriately distributed.
f. EPA Managers and supervisors are responsible for making
sure their employees are knowledgeable of and adhere to
the Agency's telecommunications policy.
g. Each EPA employee, contractor, and grantee is
responsible for complying with the Agency's
telecommunications policy.
7. DEFINITIONS.
a. "Central Agency network system management" refers
specifically to the organization within the Office of
Information Resources Management responsible for the
telecommunications function. The Agency's major
system managers in program offices are key clients and
advisors to the central network management group.
b. The Agency telecommunications network includes the Wide
Area Network (WAN), the Metropolitan Area Network
(MAN), Local Area Networks (LANs), connectivity to the
Internet, FTS2000, and to the States.
(1) "Local Area Network" (LAN) is a communications
system that connects a number of personal
computers/workstations and their peripheral
components within a small geographical area,
usually a single building or a single floor in a
building.
(2) "Metropolitan Area Network" (MAN) is a
communications system that connects computers
and/or LANs over a metropolitan area or campus.
Typically MANs provide connectivity for
organizational components in the same geographic
area that are not co-located in a building.
(3) "Wide Area Network" (WAN) is a communication system
that connects computers and/or LANs over a very
large area, e.g. nationwide.
(4) "Internet," or "the Internet," is a
collaboratively managed network of networks which
provides access to thousands of domestic and
foreign networks for file and message transfer and
for remote login capability.
c. "EPA-State data exchange" refers to the sharing of data
between EPA and State environmental agencies through
telecommunications technologies.
d. "FTS2000" is the term applied to the mandatory-use
contracts for national networks/telecommunications
services and X.400 message transfer to Federal
agencies, managed by the General Services
Administration (GSA).
e. "Telecommunications facilities" means equipment used
for such modes of transmission as telephone, data,
facsimile, video, radio, audio, and such corollary
items as switches, wire, cable, access arrangements,
and communications security facilities.
f. "Telecommunications resources" means telecommunications
equipment, facilities, software and services.
g. "Telecommunications services" means the transmission,
emission, or reception of signals, signs, writing,
images, sounds, or intelligence of any nature, by wire,
cable, satellite, fiber optics, laser, radio, or any
other electronic, electromagnetic, or acoustically
coupled means. The term includes the
telecommunications facilities necessary to provide such
services.
h. "Telecommunications Service Request" (EPA Form 5020-1)
is the single Agency form approved for requesting
telecommunications technical assistance and/or
services, and for documenting approvals required by
Agency telecommunications directives.
i. "Locator" is the centralized Agency database containing
all employee names, mailing addresses, and telephone
numbers. It is made available in electronic form and
published in hard copy.
j. "Protocol" refers to a specific set of rules,
procedures, standards, or conventions applying to
format and timing of data transmission between two
devices. It is a standard procedure that two data devices
must accept and use to be able to understand each
other.
k. "Wireless" refers to communication techniques that utilize
methods of transmission other than electrical signals
through wires. These methods usually rely on some form
of atmospheric wave propagation, such as radio
frequency, microwave or infrared.
8. PROCEDURES, STANDARDS AND GUIDANCE.
a. National Data Processing Division Operational
Directives contain procedural information relating to
the operation of and obtaining services from the
central Agency network systems management.
b. The Federal Information Processing Standards (FIPS)
address a variety of topics dealing with
telecommunications, including standards and computer
network protocols.
c. The Federal Information Resources Management Regulation
(FIRMR) and FIRMR Bulletins also address a variety of
telecommunications issues, including the acquisition,
management and use of this FIP resource.
IRM POLICY MANUAL 2100 CHG 10
10/23/95
CHAPTER 8 - INFORMATION SECURITY
1. PURPOSE. This document establishes a comprehensive,
Agencywide security program to safeguard Agency
information resources. This document sets forth the
Agency's information security policy for both manual
and automated systems and assigns individual and
organizational responsibilities for implementing and
administering the program.
2. SCOPE AND APPLICABILITY. This document applies to all
EPA organizations and their employees. It also applies
to the facilities and personnel of agents (including
contractors) of the EPA who are involved in designing,
developing, operating, maintaining, or accessing Agency
information and information systems.
3. BACKGROUND.
a. Information is an Agency asset, just as property,
funds, and personnel are Agency assets. The EPA
is highly dependent upon its information resources
to carry out program and administrative functions
in a timely, efficient and accountable manner.
b. The EPA relies on its information collection
authority under various enabling statutes to
effectively fulfill its environmental missions.
The willingness of the regulated community and
State and local agencies to supply requested
information in a cooperative and timely fashion
depends on their confidence that the information
will be adequately protected.
c. The Agency's information resources are exposed to
potential loss and misuse from a variety of
accidental and deliberate causes. This potential
loss and misuse can take the form of destruction,
disclosure, alteration, delay or undesired
manipulation. Moreover, the Agency can be subject
to acute embarrassment and litigation if certain
business or personal information is inadvertently
or maliciously disclosed.
d. As a result, it is essential that an overall
program be established to preserve and adequately
protect the Agency's information resources. At
the same time, it is equally essential that the
program not unnecessarily restrict information
sharing with other Federal agencies, universities,
the public, and State and local environmental
authorities. Such information sharing has
historically played a vital role in the overall
fulfillment of the Agency's environmental mission.
e. The management, control, and responsibility for
information resources within EPA are
decentralized. Consequently, the management and
responsibility for information security are also
decentralized. An important example of this is
the expanding use of personal computers,
networking, distributed data bases and
telecommunications. These trends place new
responsibilities on office managers, research
personnel and others not previously considered
information processing professionals. The
"computer center" cannot be relied upon to
protect Agency operations. Controls must be
implemented and maintained where they are most
effective.
f. In determining responsibilities for information
security, it is useful to define a framework of
owner/custodian/user. Owners are those who create
or maintain information. Custodians are typically
suppliers of information services who possess,
store, process, and transmit the information.
These roles are often not discrete: the owner is
often the principal custodian and user of the
information.
g. All Federal information and information systems
are sensitive for at least one of three reasons:
the need for availability, the need for integrity,
and/or the need for protection from
disclosure (confidentiality). Compromising any of
these three security goals (i.e., availability,
integrity, or confidentiality) may have a
significant impact on Agency programs or
operations.
4. AUTHORITIES.
a. Computer Security Act of 1987
b. Office of Management and Budget (OMB) Circular
A-130, Management of Federal Information Resources
c. Privacy Act of 1974, as amended
d. Paperwork Reduction Act of 1995 (P.L. 104-13)
e. Trade Secrets Act, 18 U.S.C. Section 1905
f. The Freedom of Information Act of 1974 (5 U.S.C.
Section 552)
5. POLICY. It is EPA policy to adequately protect
sensitive information and sensitive applications,
maintained in any medium (e.g., paper, computerized
data bases, etc.), from improper use, alteration, or
disclosure, whether accidental or deliberate. EPA
declares all of the Agency's information to be
sensitive. In order to ensure the cost-effectiveness
of the security program, information and applications
will be protected to the extent required by applicable
law and regulation in accordance with the degree of
their sensitivity.
a. Sensitivity levels for information and information
systems (i.e., low, medium, high) shall be
determined by the responsible information managers
within each organization, as described in Section
3 of the EPA Information Security Manual.
b. Information security measures will be applied
judiciously to ensure that automated systems
operate effectively and accurately and to ensure
the continuity of operation of automated
information systems and facilities that support
critical agency functions.
c. As required by OMB Circular No. A-130, all
automated installations will undergo a periodic
risk analysis to ensure that appropriate,
cost-effective safeguards, commensurate with the
installation's level of sensitivity, are in place.
This risk analysis will be conducted on new
installations, on existing installations
undergoing significant change, and on existing
installations at least every five years.
d. Within an installation risk analysis, an
organization may choose to define the security
safeguards which serve as general protection
standards for application and manual systems at
the installation. These comprehensive
installation-wide risk analyses can eliminate the
need for performing individual risk analyses and
security plans for systems not warranting
individual analyses and plans (e.g., low-sensitive
systems). The EPA Information Security Manual,
the EPA Risk Analysis Guideline, and FIPS PUB 65,
Guideline for Automatic Data Processing Risk
Analysis, contain guidance for performing risk
analyses.
e. Appropriate administrative, physical, and
technical safeguards shall be incorporated into
all new automated data processing (ADP)
application systems (including personal
computer-based applications) and major
modifications to existing systems.
f. As required by OMB Circular A-130, all new
applications will undergo a control review leading
to formal certification. Existing sensitive
applications will be recertified every three
years. In instances where application safeguards
are adequately defined within an installation's
risk analysis, as described in 5c, separate
application control reviews and
certification/recertifications are not necessary.
g. Appropriate ADP security requirements will be
incorporated into specifications for the
acquisition of ADP-related services and products.
h. An information security awareness and training
program will be established so that all Agency and
contractor personnel are aware of their
information security responsibilities.
i. Microcomputers which store or process moderately
or highly sensitive information must incorporate
the safeguards necessary to ensure the protection
of the information. If adequate information
security cannot be maintained, an alternative
system configuration must be used.
j. Information security violations will be promptly
reported to appropriate officials, and the
Inspector General when warranted.
k. Federal and contractor personnel participating in
the design, development, operation, or maintenance
of sensitive applications, or accessing sensitive
information, shall have an appropriate level of
background screening (ranging from minimal
background checks to full background
investigations) depending on the sensitivity of
the information to be handled, and the risk and
magnitude of loss or harm that could be caused by
the individual.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management is
responsible for:
(1) Developing and defining an information
security program in accordance with all
applicable Federal laws, regulations, and
executive orders.
(2) Ensuring that all Agency organizational units
are in compliance with the information
security program.
(3) Establishing training criteria and
coordinating the development of an
information security awareness training
program.
(4) Providing guidance on selecting and
implementing safeguards.
(5) Participating, as it deems appropriate, in
management and internal control reviews
conducted by the Office of the Comptroller to
ensure compliance with the information
security program.
(6) Establishing the minimum information security
control environment required by the Agency to
protect both its ADP resources and its
information from theft, damage, and
unauthorized use.
b. Each "Primary Organization Head" (defined by EPA
Order 1000.24 as the Deputy Administrator,
Assistant Administrators, Regional Administrators,
the Inspector General and the General Counsel) is
responsible for:
(1) Ensuring that sensitive information and
applications within the organization are
adequately protected.
(2) Establishing an organization-wide program for
information security consistent with
organizational mission and Agency policy,
including assigning responsibility for the
security of each installation to a management
official(s) knowledgeable in information
technology and security. Each Primary
Organization Head must ensure that their
organization's information security program
provides security-awareness training based on
the security awareness training criteria
established by OIRM.
(3) Providing annual assurance to the Assistant
Administrator for Administration and
Resources Management that organizational
information resources are adequately
protected. This will be done as part of the
internal control review process required
under OMB Circular No. A-123 (revised) and
implemented under EPA Order 1000.24.
(4) Ensuring that all automated installations
within the organization undergo a periodic
"risk analysis" to ensure that appropriate,
cost-effective safeguards, commensurate with
the installation's level of sensitivity, are
in place.
(5) Ensuring the continuity of operations of
automated information systems and facilities
that support critical functions.
(6) Ensuring that appropriate safeguards are
incorporated into all new organizational
information systems and major modifications
to existing systems; that all new
organizational information systems undergo an
information security review leading to formal
certification; and that existing sensitive
information systems are recertified every
three years.
(7) Ensuring that Federal employees and
contractor personnel understand their
security responsibilities and that
organizational security regulations are
properly distributed.
(8) Ensuring that all organizational procurements
of ADP equipment, software, and services
incorporate adequate security provisions.
c. The Director, Facilities Management and Services
Division (FMSD), is responsible for:
(1) Establishing and implementing physical
security standards, guidelines, controls, and
procedures in accordance with EPA information
security policy.
(2) Establishing and implementing standards and
procedures for National Security Information
in accordance with EPA information security
policy and all applicable Federal laws,
regulations, and executive orders, including
the Atomic Energy Act of 1954, as amended,
and regulations issued under that Act.
d. Office of Grants and Debarment is responsible for:
(1) Ensuring that Agency interagency agreement
policies, solicitations, and award documents
contain provisions (as promulgated by OIRM)
concerning the information security
responsibilities of interagency contractors.
This also applies to grantees that access EPA
information or information systems.
(2) Establishing procedures to ensure that
interagency contractors (and grantees
accessing EPA information or information
systems) are in compliance with their
information security responsibilities.
Violations shall be reported as appropriate
to the Project Officer, OIRM official, and/or
Inspector General. Specific violations
involving National Security Information shall
be reported to the Director, FMSD, the
Inspector General, and the Contracting
Officer.
e. The Office of Acquisition Management is
responsible for:
(1) Ensuring that Agency contract policies,
solicitations, and award documents contain
provisions (as promulgated by OIRM)
concerning the information security
responsibilities of contractors.
(2) Establishing procedures to monitor contractor
compliance with information security
responsibilities as specified in contracts
let by the Agency.
f. Each Project Officer (PO), Delivery Order Project
Officer (DOPO), and Work Assignment Manager (WAM)
is responsible for:
(1) Ensuring contractor compliance with
information security requirements on
individual contracts, delivery orders, or
work assignments, respectively. Violations
shall be reported as appropriate to the
Contracting Officer, OIRM official, and/or
Inspector General. Specific violations
involving National Security Information shall
be reported to the Director, FMSD, the
Inspector General, and the Contracting
Officer.
(2) Ensuring that contractors have the
appropriate level of background screening
when accessing EPA information or information
systems under a contract (PO responsibility),
delivery order (DOPO responsibility), or work
assignments (WAM responsibility).
g. The Office of Inspector General is responsible
for:
(1) Establishing and implementing personnel
security procedures for the screening of all
individuals (both Federal and contractor
personnel) participating in the design,
development, operation, or maintenance of
sensitive applications as well as those
having access to sensitive data.
(2) Reviewing allegations of waste, abuse,
mismanagement, or criminal activity involving
information security.
h. The Office of the Comptroller is responsible for:
(1) Allowing OIRM to review written internal
control reports so that OIRM is aware of the
status of information security weaknesses.
i. Senior Information Resource Management Officials
(SIRMOs) are responsible for approving information
security plans and certifying sensitive systems
within their primary organizations.
j. Information Security Officers (ISOs) are
responsible for ensuring that comprehensive
information security programs are in place for
installations within their organizations.
k. EPA Information Managers are responsible for
designating sensitivity levels for information,
conducting the appropriate security planning and
testing activities (including risk analyses), and
ensuring that only authorized individuals (Federal
personnel and contractors) access Agency
information and information systems.
l. Each EPA Manager and Supervisor is responsible
for:
(1) Ensuring his/her employees are knowledgeable
of their information security
responsibilities.
(2) Ensuring that his/her employees adhere to the
organizational information security program
established by the applicable Primary
Organization Head.
m. Each EPA Employee, Contractor, and Grantee is
responsible for:
(1) Complying fully with his/her information
security responsibilities.
(2) Limiting his/her access only to information
and systems he/she is authorized to see and
use.
(3) Adhering to all Agency and organizational
information security policies, standards, and
procedures.
(4) Reporting information security violations to
the responsible Information Security Officer
and the Information Manager. Violations
involving National Security Information shall
also be reported to the Director, FMSD, the
Inspector General, and the Contracting
Officer.
7. DEFINITIONS.
a. "Application" means an application of information
technology which is software used in connection
with Government information, regardless of the
technology involved. The technology could be
computers, telecommunications, etc.
b. "Applications Security" means the set of controls
that makes an information system perform
accurately, reliably, and only those functions it
was designed to perform. The set of controls
typically includes the following: programming,
access, source document, input data, processing,
storage, output, and audit trail.
c. "Confidential Business Information" (CBI) includes
trade secrets, proprietary, commercial, financial,
and other information that is afforded protection
from disclosure under certain circumstances as
described in statutes administered by the Agency.
Business information is entitled to confidential
treatment if: (1) business asserts a
confidentiality claim; (2) business shows it has
taken its own measures to protect the information;
(3) the information is not publicly available; or
(4) disclosure is not required by statute and the
disclosure would either cause competitive harm or
impair the Agency's ability to obtain necessary
information in the future. Examples include TSCA
and FIFRA information and information from the
Contracts Payment System.
d. "Confidential Agency Information" (CAI) includes
information used within the Agency that, if not
afforded protection from disclosure, could result
in unfair contracting practices, or in some way
may adversely affect Agency personnel or property.
Examples include internal budget information that
reveals funds available for various contracting
services. Disclosure of this information prior to
negotiations could result in inflated contract
estimates. Information about an upcoming
procurement is confidential and of great value to
potential bidders. Also included is information
regarding projections or recommendations for
personnel changes, whether Federal or contractor,
that may cause an individual to become disgruntled
and act adversely.
e. "Confidentially-sensitive Information" is
information that requires protection from
unauthorized disclosure under Federal statutes.
Specific types of confidentially-sensitive
information include:
Confidential Business Information (CBI),
Confidential Agency Information (CAI),
Privacy Act Information,
Some Freedom of Information Act-exempt
information,
Enforcement confidential information, and
Budgetary information prior to OMB release.
f. "Information" is any communication or
representation of knowledge such as facts, data,
or opinions in any medium or form, including
automated, textual, numerical, graphic,
cartographic, narrative, or audiovisual forms.
g. "Information Security" encompasses three different
types of security: application security,
installation security, and personnel security. In
total, information security involves the
precautions taken to protect the confidentiality,
integrity, and availability of information.
h. "Information System" means the organized
collection, processing, transmission and
dissemination of information in accordance with
defined procedures, whether automated or manual.
i. "Installation" means the physical location of one
or more computer or office automation systems,
whether automated or manual. An automated
installation consists of one or more computer or
office automation systems including related
peripheral and storage units, central processing
units, telecommunications, and operating and
support system software.
j. "Installation Security" includes the use of locks,
badges, and similar measures to control access to
the installation and the measures required for the
protection of the structure housing the
installation from accident, fire, and
environmental hazards. In addition to the above
physical security measures, installation security
also involves ensuring continuity of operations
through disaster planning.
k. "National Security Information" (NSI) means
information that is classified as Top Secret,
Secret, or Confidential under Executive Order
12958 or predecessor orders, and includes
"Restricted Data" and "Formerly Restricted Data"
protected under the provisions of the Atomic
Energy Act of 1954, as amended, and regulations
issued under that Act. The specific techniques
and responsibilities for NSI are beyond the scope
of this policy.
l. "Personnel Security" involves the use of various
techniques, including investigations, to screen
both Federal and contractor personnel
participating in the design, development,
operation, or maintenance of sensitive
applications as well as those having access to
sensitive data. The level of screening required
under OMB Circular A-130 varies from minimal
checks to full background investigations depending
on the sensitivity of the information to be
handled, and the risk and magnitude of loss or
harm that could be caused by an individual.
m. "Physical Security" means the procedures and
controls to provide for the protection of
personnel, facilities, materials, equipment, and
documents against any threat other than overt
military action.
n. "Privacy" is the right of an individual to control
the collection, storage, and dissemination of
information about himself/herself to avoid the
potential for substantial harm, embarrassment,
inconvenience, or unfairness.
o. "Risk Analysis" is a means of measuring and
assessing the relative vulnerabilities and threats
to a collection of sensitive data and the people,
systems, and installations involved in storing and
processing that data. Its purpose is to determine
how protective techniques can be effectively
applied to minimize potential loss. Risk analyses
may vary from an informal, quantitative review of
a microcomputer installation to a formal, fully
quantified review of a major computer center.
p. "Security Violation" means any waste, fraud,
abuse, or mismanagement of information resources.
q. "Sensitive Information" All EPA information is
sensitive for at least one of three reasons: the
need for availability, the need for integrity,
and/or confidentiality--the need for protection
from disclosure. (This last category includes
confidentially-sensitive information; see
definition.) The level of sensitivity for EPA's
information is rated as low, medium, or high as
determined by the responsible information manager.
While EPA does maintain National Security
Information (see definition), the specific
techniques and responsibilities for NSI are beyond
the scope of this chapter.
r. "Sensitive Application" - An application that
processes sensitive information or an application
that requires protection because of the loss or
harm that could result from the improper operation
or deliberate manipulation of the application
itself. Automated decision-making applications
are highly sensitive if the wrong automated
decision could cause serious loss.
8. PROCEDURES AND GUIDELINES. Standards, procedures, and
guidelines for the Agency's Information Security
Program are identified and issued under separate cover
in the Information Security Manual. This manual
identifies and references, as appropriate, existing
procedures in the information security area, such as
the Freedom of Information Act Manual, Privacy Act
Manual, the Records Management Manual, Confidential
Business Information manuals (e.g., the TSCA Security
Manual) and Agency Public Information and
Confidentiality Regulations at 40 CFR part 2.
Additional information regarding security of the
Agency's ADP resources can be found in the National
Data Processing Division's Operational Directives.
9. PENALTIES FOR UNAUTHORIZED DISCLOSURE OF INFORMATION.
a. EPA employees are subject to appropriate penalties
if they knowingly, willfully, or negligently
disclose confidential information (including CBI,
CAI, and National Security Information) to
unauthorized persons. EPA has legal and
regulatory requirements to protect confidential
information such as the requirements for
protecting CBI at 40 CFR § 2.221. Penalties may
include, but are not limited to, a letter of
warning, a letter of reprimand, suspension without
pay, dismissal, loss or denial of access to
confidential information (including National
Security Information), or other penalties in
accordance with applicable law and Agency rules
and regulations, which can include criminal or
civil penalties. Each case will be handled on an
individual basis with a full review of all the
pertinent facts. The severity of the security
violation or the pattern of violation will
determine the action taken.
b. Non-EPA personnel who knowingly, willfully, or
negligently disclose confidential information to
unauthorized persons may be subject to appropriate
laws and sanctions.
-------
IRM POLICY MANUAL 2100
7/21/87
CHAPTER 9 - INFORMATION COLLECTION
1. PURPOSE. This policy establishes objectives, responsibilities
and procedures for preparation, review and clearance of
Agency efforts to collect or obtain information from the
public in support of Agency missions.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizational units and their employees. It also applies
to agents of EPA (including State agencies, contractors and
grantees) who are involved in information collection activities.
3. BACKGROUND.
a. The Paperwork Reduction Act of 1980 (P.L. 96-511) was
formulated to remedy deficiencies Congress perceived in
Federal information related activities, particularly
related to the paperwork burden imposed by Government on
the public. The Act and resultant OMB and GSA policy
intend for the creation or collection of information to
be carried out within the context of efficient and
economical management.
b. EPA can be characterized as an 'information-based' agency
in the sense that in developing and implementing its
programs, it constantly requires the collection or generation
of data. Indeed, in many cases, this information
component plays the decisive role determining both the
resources that the Agency will need and the substantive
direction that its programs will take. Given its
importance to the organization, therefore, the decision
to collect information ought to reflect the policy
interests of the Agency.
c. This chapter presents those policy interests with respect
to information so that decisions to collect or generate
and maintain data can be made in a principled and
coordinated manner on an Agencywide basis.
d. The Agency's information policy rests on the following
two general premises:
(1) That justification for an information collection
must derive from the role that this information
plays in supporting a program mission of the Agency.
(2) That, given a number of acceptable options for
using information to support a program mission, an
information collection ought to represent the
most economical alternative in terms of both cost
to the Agency and burden on the public.
Sections 5-a through 5-c of this chapter expand on this
first premise. Sections 5-d through 5-f expand on the
second.
4. AUTHORITIES.
a. Paperwork Reduction Act of 1980 (Public Law 96-511).
b. OMB Regulation 5 CFR 1320, Controlling Paperwork and
Burden on the Public.
c. OMB Circular A-130, Management of Federal Information
Resources.
5. POLICY.
a. The data requirements of the information collection must
be clearly dictated by the need to support decisions
that serve an identifiable program mission. Data
requirements here include:
(1) The data elements being collected. Each data element
must be clearly relevant to the decisions to be
supported.
(2) The number of individuals about whom (and from
whom) these data elements are being collected.
This "quantity" of information must be appropriate
to what the decisions at hand require.
(3) The requirements for quantifiable levels of precision
in survey estimates. The level of precision chosen
must reflect the survey's intended role in a
decision-making process.
(4) The choice of individuals about whom (and from
whom) data elements are being collected in case
studies. The analysis plan for such a study must
explain why this approach is being taken and why
study of the individuals in question is relevant
to the decisions to be made.
b. The provisions for collecting, storing and managing the
data must be appropriate to the decisions the information
will be used to support, taking into account:
(1) The data requirements themselves
(2) Who will be providing the data
(3) Who will be using the data
(4) The time frame within which that use will occur.
c. The cost of the information collection (in terms both of
resources expended by the Agency and of burden imposed
on the public) must be commensurate with both the
importance of the program mission in question and the
contribution that the information makes to decisions
that serve this mission. Specifically:
(1) Taking into account both the use of information
and the cost, the information collection should
result in a net social benefit—that is, whether or
not this can be quantified, in some clear sense the
information should be worth more than it costs to
collect.
(2) The proportion of the Agency's resources (including
the amount of burden placed on the public) devoted
to the collection and use of the information should
reflect the relative priority of the program mission
being served.
d. The information collection must reflect the choice of
the least costly alternative that will satisfy the
decision-making needs to the given program mission. In
this context, "cost" represents the total of Agency and
public resources devoted to supplying, collecting,
processing, storing and using the information.
e. The information collection must not generate a body of
data that duplicates information already available to
the Federal government—bearing in mind that what counts
as "duplicate data" will be relative to the decision-making
needs which the data will be used to satisfy.
f. The information collection should be designed to maximize
its usefulness by ensuring that, so long as costs do not
rise disproportionately and program priority needs are
not compromised:
(1) The collection takes advantage of the opportunities
to serve multiple needs, both within and outside the
Agency
(2) The data are collected and maintained in a form that
is compatible with the broadest range of information
systems to which they are likely to be relevant.
6. RESPONSIBILITIES.
a. The Office of Policy, Planning and Evaluation is
responsible for:
(1) Overseeing Agency compliance with Federal information
collection policies and guidelines.
(2) Promulgating and maintaining Agency guidance for
compliance with Federal information collection
requirements under the Paperwork Reduction Act.
(3) Reviewing proposed legislation or regulations which
involve information collection requirements to
assess the costs to the Agency and the paperwork
burden imposed on the public.
(4) Providing training and technical assistance to
Agency personnel in the development and clearance
of information collection requests.
(5) Reviewing each information collection request to
ensure consistency with Federal policy and criteria
specified in Section 1320.4(b) of the Paperwork
Reduction Act that the collection of information:
(a) Is the least burdensome necessary for the
proper performance of the Agency functions to
comply with legal requirements and achieve
program objectives
(b) Is not duplicative of information otherwise
accessible to the Agency
(c) Has utility and good quality. The agency must
seek to minimize the cost to itself of collection,
processing, and using the information, but
shall not do so by means of shifting disproportionate
costs or other burdens onto the public.
(6) Coordinating OMB clearance of EPA information
collection requests including responding to inquiries
from OMB, maintaining records of transmittals and
clearances and notifying program offices of OMB
action.
(7) Coordinating the annual submission of an Information
Collection Budget for the Agency.
b. The Assistant Administrators, Associate Administrators,
General Counsel, Inspector General and Regional
Administrators are responsible for:
(1) Implementing the guidelines required by the Office
of Management and Budget under the Paperwork Reduction
Act of 1980 within their offices.
(2) Ensuring that their information collection activities
within their offices shall have received prior OMB
clearance and the appropriate OMB control number.
(3) Reviewing and approving their offices' information
collection requests for submission to OMB.
(4) Ensuring that their information collections are not
duplicative, require as little burden from respondents
as possible and have practical utility.
7. DEFINITIONS.
a. "Burden" - refers to the total time, effort, or financial
resources expended by persons to provide information to
the Agency. This includes the time to read or hear,
develop, modify, construct or assemble; to conduct tests,
inspections, polls, observations necessary to obtain the
information; to organize, review, maintain, disclose, or
report the information; and to store, file or maintain
the information.
b. "Information Collection" - refers to obtaining or
soliciting facts or information by the Agency through
the use of written report forms, application forms,
schedules, questionnaires, reporting or recordkeeping
requirements, or other similar methods calling for either
answers to:
(1) Identical questions posed to, or identical reporting
or recordkeeping requirements imposed on, ten or
more persons, other than agencies, instrumentalities,
or employees of the United States
(2) Questions posed to agencies, instrumentalities, or
employees of the United States which are to be used
for general statistical purposes.
c. "Information Collection Request" - refers to the method
by which the Agency communicates the specifications for
a collection of information to potential respondents,
including a written report form, application form,
schedule, questionnaire, oral communication, reporting
or recordkeeping requirement or other similar method.
d. "Information Collection Budget" - refers to a limit
imposed annually by OMB allowing the Agency to conduct
information collection activities. The figure is expressed
in hours of burden on the public.
e. "Practical utility" - refers to the ability of the Agency
to use the information it collects, particularly the
capability to process such information in a timely and
useful fashion.
f. "Recordkeeping Requirement" - is a requirement imposed
by the Agency on persons or businesses to maintain
specified records that are not customarily kept as
ordinary business records. These records are not
necessarily provided to the Agency.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines will
be issued under separate cover.
-------
IRM POLICY MANUAL 2100 CHG 12
7/19/96
CHAPTER 10 - RECORDS MANAGEMENT
1. PURPOSE. This policy defines the mission and
principles of the Agency's records management program,
incorporates applicable Federal requirements into
standard Agency practices, enumerates basic records
management program requirements, and sets forth
responsibilities for records management. Since all
Agency staff are involved in creating, maintaining, and
using Agency records, it is imperative that everyone
understand their records management responsibilities.
This Agency-wide policy provides the framework for
specific guidance and detailed operating procedures
governing records management organization,
responsibilities, and implementation.
2. SCOPE AND APPLICABILITY. This policy applies to all
records of the Environmental Protection Agency (EPA),
as defined under the Federal Records Act (44 U.S.C.
3101), regardless of medium (including paper,
microform, electronic, audiovisual, and record copies
of Agency publications), which are created, collected,
processed, used, stored, and/or disposed of by EPA
organizations, employees, and facilities, as well as
those acting as its agents, such as States, Indian
tribes, contractors, or grantees.
3. BACKGROUND.
a. The Federal Records Act of 1950, as amended,
requires all Federal agencies to make and preserve
records containing adequate and proper
documentation of their organization, function,
policies, decisions, procedures, and essential
transactions. These records are public property
and must be managed according to applicable laws
and regulations.
b. Records are broadly defined by statute and
regulation to include all recorded information,
regardless of medium or format, made or received
by EPA and its agents under Federal law or in
connection with the transaction of public
business, and either preserved or appropriate for
preservation because of their administrative,
legal, fiscal, or informational value.
c. Records are a valuable information resource whose
uses go beyond facilitating immediate operational
needs. Records serve a number of broader purposes
including: longer-term administrative and program
planning needs, evidence of Agency activity, use
by other Programs in the Agency, protection of the
legal and financial rights of the Government and
its citizens, effective oversight by Congress and
other authorized agencies, and the retention of an
official record for historical purposes. Records
serve as the Agency's memory; they are of critical
importance in ensuring that the organization
continues to function effectively and efficiently.
d. Not all documentary materials used by EPA and its
agents are records. Examples of documentary
materials that are not records include library and
reference materials, stocks of publications and
processed documents maintained for distribution,
extra copies of documents made or acquired only
for convenience of reference (often called
technical reference materials), and personal
papers.
e. Records should be managed as an Agency asset
throughout their life cycle, which consists of
three basic stages: creation, active maintenance
and use, and disposition. The records life cycle
is initiated by the creation, collection or
receipt of records in the form of data or
documents in the course of carrying out EPA's
administrative and programmatic responsibilities.
The life cycle continues through the processing
and active use of the information in the record,
until the record is determined to be inactive.
The final step in the life cycle is disposition
which frequently includes transfer to inactive
storage, followed by transfer to the National
Archives or destruction.
f. As records move through the information life
cycle, they require management by: "sponsors" who
create them, or cause them to be created, and who
are responsible for their continued maintenance
and disposition; users who have a need for the
information in the records; and custodians who
have physical custody of the record at various
stages in the life cycle.
g. EPA organizations, staff, and their agents who
create, utilize, and acquire custody or possession
of Agency records do not thereby retain a
proprietary interest in such records. Official
Agency records are public assets and belong to the
Government, not to Programs by virtue of their
possession or to individuals by virtue of their
position as Agency officials. Penalties for the
willful and unlawful destruction, removal from
files and private uses of official records are
found in 18 U.S.C. 2071.
h. Records management is defined as planning,
controlling, directing, organizing, training,
promoting, and other managerial activities
involved with respect to records creation, records
maintenance and use, and records disposition in
order to achieve adequate and proper documentation
of the policies and transactions of the Federal
Government and effective and economical management
of agency operations.
i. EPA is required under Federal statute (44 U.S.C.
31) to establish a records management program,
defined as a planned, coordinated set of policies,
procedures, and activities needed to manage an
agency's recorded information. Essential elements
include issuing up-to-date records management
program directives, properly training those
responsible for implementation, and carefully
evaluating the results to ensure adequacy,
effectiveness, and efficiency. Chapter 36 of the
Code of Federal Regulations (36 CFR 1222.20) and
OMB Circular A-130, Management of Federal
Information Resources, require that agencies
integrate records management into the overall
information resources management (IRM) program.
This policy is intended to be read in the context
of the entire IRM Policy Manual and the Records
Management Manual (Directive 2160). It is not
comprehensive in covering all information
resources management (IRM) requirements affecting
records management, and it is not intended to be
considered in isolation from other EPA IRM
policies articulated in this manual. Program
Offices wishing to manage their records
electronically should carefully review all
pertinent Federal IRM regulations and Agency
policies to ensure that the records they create
will meet all requirements. This is especially
true for areas such as electronic signatures,
which have legal and audit implications.
4. AUTHORITIES.
a. 5 U.S.C. 552 (The Freedom of Information Act as
amended).
b. 5 U.S.C. 552a (The Privacy Act of 1974).
c. 5 U.S.C. 553 (Administrative Procedures Act).
d. 5 CFR 1320.16 (Collection of information
prescribed by another agency).
e. 5 CFR 1320.17 (Interagency reporting).
f. 18 U.S.C. 2071 (Destruction of Records).
g. 18 U.S.C. 2701-2707 (The Electronic Communications
Privacy Act of 1986).
h. 31 U.S.C. 1101 et seq. (Budget and Accounting
Procedures Act of 1921).
i. 44 U.S.C. 29 (Records Management by the Archivist
of the United States and the Administrator of
General Services).
j. 44 U.S.C. 31 (Records Management by Federal
Agencies).
k. 44 U.S.C. 33 (Disposal of Records).
l. 44 U.S.C. 35 (Paperwork Reduction Act of 1980, as
amended).
m. 44 U.S.C. 3504(e) (Paperwork Reduction
Reauthorization Act of 1995).
n. 36 CFR 1220 to 1238 (Records Management).
o. 41 CFR 201-6 to 201-11 (Records Management).
p. OMB Circular A-130, Management of Federal
Information Resources.
q. Applicable Federal Information Processing
Standards (FIPS) publications.
5. POLICY. It is EPA policy to manage Agency records
effectively and efficiently throughout their life cycle
in order to facilitate accomplishment of the Agency's
programmatic and administrative missions, to preserve
official Agency records in accordance with applicable
statutory and regulatory requirements, and to promote
access to information by EPA staff, Agency partners,
and the public as appropriate. This is to be
accomplished through adequate and proper documentation
of all EPA organizations, their functions, policy
decisions, procedures, and essential transactions in a
manner that promotes accountability, establishes a
historical record, and protects the legal and financial
rights of the Government and the privacy of
individuals.
a. EPA shall plan and establish a framework for
managing and overseeing a comprehensive
Agency-wide records management program.
b. This framework shall be integrated into the EPA's
information resources management program to
promote effective management, communication,
sharing, and transfer of information regardless of
the medium or format in which it exists.
c. EPA shall inform its employees and agents of their
responsibilities to manage the Agency's records,
and ensure that records management staff receive
adequate training to carry out their
responsibilities.
d. EPA shall manage records throughout their life
cycle which includes the following components:
(1) Records creation/collection - An official
record shall be created to appropriately
document all Agency functions, policies,
decisions, procedures and essential
transactions. Programs shall develop
recordkeeping requirements for all official
Agency records for which they are
responsible.
(2) Records maintenance and use - Record filing,
indexing and storage systems shall be
designed and documented to the extent
appropriate and necessary, to maximize the
usefulness of the records and allow retrieval
throughout their life cycle.
(3) Records disposition - Records disposition
schedules for all Agency records shall be
submitted to and approved by the Archivist of
the United States. No records may be
destroyed without an approved disposition.
Once dispositions are approved, they must be
carried out in a timely manner.
e. EPA shall create, maintain, and store records only
in media and formats that adhere to Federal
standards (e.g., National Archives and Records
Administration (NARA) standards for magnetic tape
storage). Within those parameters, Program
Offices should select a medium (e.g., paper,
microform, or optical) based on whether it is
technically feasible and cost-effective, responds
to Agency requirements, and allows for efficient
information integration and dissemination where
necessary.
f. Program Offices are encouraged to develop
technology applications (such as electronic
document filing, data base applications, or
conversion to microfilm or optical disk) to
improve the management of Agency records. When
planning all technology applications, EPA shall
include records management requirements in the
mission needs and requirements analyses in order
to determine what impact, if any, the application
will have on the Agency's ability to document its
activities. To the extent that the system or
application impacts the Agency's recordkeeping,
the following requirements shall be incorporated:
(1) Records creation - Applications shall allow
for the creation and maintenance of records
sufficient to meet the documentation needs of
the Agency.
(2) Records storage - Records shall be physically
located and maintained in an economical
manner which allows for easy retrieval,
access, and dissemination if appropriate.
(3) Records disposition - The records within the
information system shall be scheduled and the
system shall be capable of deleting records
or transferring them to NARA as required by
their disposition schedule.
g. All official records created or collected by EPA
shall be inventoried at least triennially in order
to provide a complete and comprehensive accounting
of the Agency's holdings. Records that are not
needed on-site for current business should be
retired to a Federal records center for storage.
h. Records collected, created, or maintained by the
Agency shall be safeguarded commensurate with the
risk and magnitude of the harm that would result
from the loss, misuse, unauthorized access to or
modification of information. Appropriate
safeguards shall be adopted to ensure
confidentiality and overall security as specified
in the Privacy Act and the Computer Security Act.
(Also see Chapters 8 and 11 of this Manual, EPA
Manual 7700, and applicable program-specific
legislation and manuals.)
i. Standardized filing systems/structures shall be
developed where appropriate to provide an
effective mechanism which facilitates ease of use,
access, and disposition. Records shall be
organized and indexed in such a manner as to be
easily accessible to Agency employees and the
public, as defined in Federal regulations, and to
allow for integration across programs and
information systems.
j. Program Offices must be able to provide the
National Archives with a copy of all electronic
records scheduled for permanent retention in a
format that conforms to standards found in 36 CFR
1228.188.
k. The Agency shall establish a program for vital
records. The program shall be responsible for
identifying and appropriately safeguarding records
defined as crucial to continuing operation of
essential Agency functions during an emergency,
and those that are essential to protecting the
rights and interests of the Agency and the
individuals directly affected by its activities.
6. RESPONSIBILITIES.
a. The Administrator is responsible for creating and
preserving records that adequately and properly
document the organization, functions, policies,
decisions, procedures, and essential transactions
of EPA. This responsibility is delegated to the
Assistant Administrator for Administration and
Resources Management (who also serves as the
Designated Senior Official for IRM), and
redelegated to the Office of Information Resources
Management.
b. The Office of Information Resources Management
(OIRM) is responsible for leadership, planning,
overall policy, and general oversight of the
records management in the Agency, and its
incorporation into the broader information
resources management framework. OIRM shall:
(1) Incorporate records management requirements
and policies into the Agency's overall IRM
policy and planning.
(2) Designate an Agency Records Officer
responsible for:
Leading and managing the Agency-wide
national records management program.
Advising OIRM on records management
issues and developing Agency-wide
records management policies, procedures,
guidance and training materials.
Coordinating the approval of the
Agency's records disposition schedules
and the transfer of records to the
National Archives.
Coordinating records management issues
with other Federal agencies, including
Federal oversight agencies, such as the
Office of Management and Budget (OMB),
National Archives and Records
Administration (NARA), and the General
Services Administration (GSA).
Providing technical advice and training
to all Agency organizations on
establishing and maintaining effective
records management programs.
Serving as the Agency Vital Records
Officer and coordinating with the
Agency's emergency management program.
(3) Promulgate and communicate Agency-wide
policies and guidance that reflect records
management missions and goals, and
incorporate Federal requirements.
(4) Designate a vital records officer and other
records management contact points required by
regulations.
(5) Assign overall responsibility for the records
management aspects of centrally provided
information technology infrastructure,
including national local area network
applications.
(6) Ensure that senior Agency staff are aware
of their records management responsibilities.
(7) Conduct periodic evaluations of records
management programs within the Agency as part
of the Agency's IRM review and oversight
program.
c. Assistant Administrators, Associate
Administrators, Regional Administrators,
Laboratory Directors, the General Counsel, the
Inspector General, and Heads of Headquarters Staff
Offices shall:
(1) Designate a Records Liaison Officer (RLO)
accountable to the Senior Information
Resources Management Official (SIRMO) or
other official designated to oversee the
program. The RLO serves as a point of
contact for the Agency Records Officer and is
responsible for managing and ensuring the
implementation of an appropriate records
management program tailored to the
organization's requirements.
(2) Implement a records management program within
their area of responsibility to accomplish
the objectives identified in Federal
regulations and Agency policies and
procedures. Program components include
responsibilities for:
Identifying recordkeeping requirements
for major programmatic and
administrative records series in all
media.
Evaluating the value of records within
their span of responsibility to serve as
a basis for assigning records retention
and disposition instructions and
implementing the most responsive and
cost-effective means for managing them.
Developing standardized file plans and
indexing approaches where appropriate to
simplify the use of, access to, and
integration of information within the
organization.
Inventorying and scheduling records
created and maintained by the
organization.
Implementing approved records
dispositions, while ensuring that no
records are destroyed without proper
authorization as specified in the
Federal Records Act.
Systematically reviewing records
disposition schedules, file plans, and
procedures on a triennial basis to
ensure that they are current and
updating them as necessary.
Conducting a program of regular internal
records management reviews to assist
programs in implementing appropriate
records management procedures.
Assisting in planning and implementing
information management technology and
reviewing and approving the purchase of
records management equipment and
services.
Implementing a vital records program.
Providing oversight for contractors
managing official Agency records.
Providing records management briefings
for all managers within their
organizations.
(3) Develop records management oversight roles
and communication networks with all program
units including field offices and other
facilities to ensure that the records
management program is implemented at all
sites under their program jurisdiction.
(4) Develop and disseminate directives and
operating procedures, as needed, to
supplement Agency-wide policy to meet the
unique records management needs of their
organizations and to support a records
management program within the organization.
d. The General Counsel shall assist in determining
what records are needed to provide adequate and
proper documentation of Agency activities and in
specifying appropriate retentions for Agency
records.
e. The Inspector General shall assist in determining
the retention of Agency records that may be needed
for internal audit purposes.
f. Agency managers are responsible for ensuring that
their programs are properly documented and that
records created by their programs are managed
according to relevant regulations and policies.
g. Information system managers (program managers) are
responsible for overseeing the creation and use of
electronic records in keeping with federal
regulations and Agency policy. This includes
coordination with the records officer to establish
recordkeeping requirements including a retention
period and to implement authorized disposition
instructions for system information and
documentation. Systems managers also coordinate
with records officers to develop specific
information resource management plans to meet
future system information needs.
h. ADP or Information Technology Managers are
responsible for managing ADP resources, as well as
notifying the systems managers and records
officers of technology changes that would affect
access, retention, or disposition of system
records.
i. All Agency staff and agents of EPA shall:
(1) Conduct work in accordance with Federal
records management regulations and the Agency's
records management policy and procedures.
(2) Create and manage the records necessary to
document their official activities. This includes
creating appropriate records documenting meetings,
conversations, electronic mail messages, telephone
calls and other forms of communication that affect
the conduct of official Agency business.
(3) Only destroy records in accordance with
approved records disposition schedules and never
remove records from the Agency without
authorization.
(4) File personal papers and nonrecord materials
separately from official Agency records.
7. DEFINITIONS.
Definitions are taken from A Federal Records Management
Glossary (1993), published by the National Archives and
Records Administration.
a. "Adequacy of Documentation" is a standard of
sufficiently and properly recording actions and/or
decisions.
b. "Administrative Records," as used in this
directive, are the records which reflect routine,
transitory, and internal housekeeping activities
relating to subjects and functions common to all
offices. Examples include training, personnel,
and travel reimbursement files.
c. "Disposition Schedules" are documents that provide
continuous authority to dispose of recurring
series or systems of records, or to transfer them
to the National Archives and its national network
of Federal Records Centers.
d. "File" is an arrangement of records. The term is
used to denote papers, photographs, photographic
copies, maps, machine-readable information, or
other recorded information regardless of physical
form or characteristics, accumulated or maintained
in filing equipment, boxes, or machine-readable,
or on shelves, and occupying office or storage
space.
e. "File Plan" is (1) a plan designating the physical
location(s) at which an Agency's files are to be
maintained, the specific types of files to be
maintained there, and the organizational
element(s) having custodial responsibility; or (2)
a document containing the identifying number,
title or description, and disposition of files
held in an office.
f. "Filing System" is a set of policies and
procedures for organizing and identifying files or
documents to speed their retrieval, use and
disposition. May be either manual or automated.
Sometimes called a recordkeeping system.
g. "Inventory" is a survey of Agency records and
nonrecord materials conducted primarily to develop
records schedules and also to identify various
records management problems, such as improper
applications of recordkeeping technology.
h. "National Archives and Records Administration"
(NARA) establishes policies and procedures for
managing U.S. Government records. NARA assists
Federal agencies in documenting their activities,
administering records management programs,
scheduling records, and retiring noncurrent
records to Federal records centers, and conducts
periodic evaluations of Agency programs for
compliance.
i. "Nonrecord Materials" are U.S. Government-owned
informational materials excluded from the legal
definition of records. Includes extra copies of
documents kept only for convenience of reference,
stocks of publications and of processed documents,
and library or museum materials intended solely
for reference or exhibition. Also called
nonrecords.
j. "Official Agency Records" are the documentation,
including all background materials, resulting from
specific transactions, operations or processes
which are accumulated and maintained in filing
equipment. Official Agency records include
information recorded on any medium including
paper, microform, cards, film, audio tape, optical
disk, or magnetic media.
k. "Personal Papers" are nonofficial, or private,
papers relating solely to an individual's own
affairs. Must be clearly designated as such and
kept separate from the agency's records. Also
called personal files or personal records.
l. "Programmatic Record" refers to records created,
received, and maintained by EPA in the conduct of
its mission functions for which the Agency is
accountable. The term is used in contrast to
administrative, housekeeping, or facilitative
records.
m. "Recordkeeping Requirements" are statements in
statutes, regulations, or directives that provide
general and specific information on particular
records to be created and maintained by the
Agency.
n. "Records" means all books, papers, maps,
photographs, machine-readable materials, or other
documentary materials, regardless of physical form
or characteristics, made or received by an agency
of the U.S. Government under Federal law or in
connection with the transaction of public business
and preserved or appropriate for preservation by
that agency or its legitimate successor as
evidence of the organization, functions, policies,
decisions, procedures, operations, or other
activities of the Government or because of the
informational value of the data in them. (44
U.S.C. 3101, Definition of Records)
o. "Records Management" means the planning,
controlling, directing, organizing, training,
promoting, and other managerial activities
involved with respect to records creation, records
maintenance and use, and records disposition in
order to achieve adequate and proper documentation
of the policies and transactions of the Federal
Government and effective and economical management
of agency operations.
p. "Records Management Program" refers to the
planned, coordinated set of policies, procedures,
and activities needed to manage an agency's
recorded information. Encompasses the creation,
maintenance and use, and disposition of records,
regardless of media. Essential elements include
issuing up-to-date program directives, properly
training those responsible for implementation, and
carefully evaluating the results to ensure
adequacy, effectiveness, and efficiency.
q. "Records Series" are file units or documents
arranged according to a filing system or kept
together because they relate to a particular
subject or function, result from the same
activity, document a specific kind of transaction,
take a particular form, or have some other
relationship arising out of their creation,
receipt, or use, such as restrictions on access
and use. Also called a record series.
r. "Vital Records" mean essential Agency records that
are needed to meet operational responsibilities
under national security emergencies or other
emergency or disaster conditions (emergency
operating records) or to protect the legal and
financial rights of the Government and those
affected by Government activities (legal and
financial rights records).
s. "Vital Records Program" means the policies, plans,
and procedures developed and implemented and the
resources needed to identify, use, and protect the
essential records needed to meet operational
responsibilities under national security
emergencies or other emergency or disaster
conditions or to protect the Government's rights
or those of its citizens. This is a program
element of the Agency's emergency management
program.
8. PROCEDURES AND GUIDELINES. In order to translate the
Agency policy requirements into standard practices,
OIRM has issued detailed policies in EPA Directive 2160
and the Agency Records Disposition Schedules. In
addition, OIRM has developed numerous guidance and
procedural documents to communicate best practices for
managing and administering EPA's records management
program. A current listing of those documents, as well
as a listing of records management guidance issued by
other Federal agencies such as the Office of Management
and Budget and the National Archives and Records
Administration is available from the Agency Records
Officer.
10-17
-------
CHAPTER 11
-------
IRM POLICY MANUAL 2100
7/21/87
CHAPTER 11 - PRIVACY
1. PURPOSE. This policy establishes Agency principles for
protecting the privacy of individuals who are identified in
the Environmental Protection Agency's information systems and
informs Agency employees and officials of their rights and
responsibilities under the Privacy Act (5 U.S.C. 552a). It
supplements the EPA regulations in Part 16, Title 40, Code of
Federal Regulations (CFR) and the Agency's Privacy Act Manual.
2. SCOPE AND APPLICABILITY. This policy applies to any records
under the control of the Agency from which information on a
subject individual is retrieved by a personal identifier
assigned to the individual. The identifier may be the name
of the individual, a number, a symbol or any other specific
retriever assigned to such individual. This policy applies
to such records maintained by the Agency in-house or maintained
by a contractor or grantee on behalf of the Agency to accomplish
an Agency function.
3. BACKGROUND. In order to protect individual privacy, Congress
passed the Privacy Act of 1974 (5 U.S.C. 552a) which sets
forth requirements for Federal agencies when they collect,
maintain or disseminate information about individuals. The
Act requires that Federal agencies respect the privacy of
individuals by (a) collecting a minimum of information
necessary on individuals, (b) safeguarding the information and
(c) allowing individuals to inspect and correct any erroneous
information. The EPA has developed this policy and the
Privacy Act Manual to implement these requirements.
4. AUTHORITIES.
a. The Privacy Act of 1974, 5 U.S.C. 552a, as amended.
b. OMB Circular No. A-130, Management of Federal Information
Resources.
c. OMB's Privacy Act Implementing Guidelines published at 40
Federal Register 28948.
d. 40 CFR Part 16, EPA's Privacy Act Regulations.
5. POLICY.
a. The Agency will safeguard personal privacy in its
collection, maintenance, use and dissemination of
information about individuals and make such information available
to the individual in accordance with the requirements of
the Privacy Act.
b. To the greatest extent practicable, information about an
individual shall be collected directly from the individual
if the information may be used to make decisions with
respect to the individual's rights, benefits and privileges
under Federal programs.
c. Information that the Agency collects and maintains about
individuals shall be relevant and necessary to the
accomplishment of the Agency's purpose as required by
statute or Executive Order. The office concerned shall
establish the relevancy of and need for the information,
as well as the authority to collect it.
d. The information that is maintained in a System of Records
shall be kept as accurate, relevant, current and complete
as possible to ensure fairness to the individual.
e. At least sixty days prior to creation of a new System of
Records or significant alteration to an existing System,
the Agency shall submit documentation to OMB and the
Congress and publish a notice of the System in the Federal
Register.
f. When EPA creates a new Privacy Act system of records, it
must prepare a written Privacy Act Statement. Each time
the Agency requests that an individual provide information,
including a social security number, to be maintained in
the Privacy Act system of records, the Privacy Act
Statement shall be made available to the individual. The
Statement will inform the individual of the legal authority
for collecting the information, whether disclosure of
the information by the individual is mandatory or voluntary,
the purpose for which the information is being collected,
the routine uses which may be made of the information,
and the effects on the individual if the individual does
not provide the information. When EPA asks an individual
to provide his or her social security number and that
number is not to be incorporated into a Privacy Act
system of records, the Agency must, nevertheless, inform
the individual of the authority for collecting the social
security number, the uses to be made of the number, and
whether disclosure of the number by the individual is
voluntary or mandatory.
g. The Agency, upon written request from a subject individual,
shall notify the individual that it is maintaining a
record on him/her and must grant the individual access to
the record, unless the Agency has published a rule exempting
the System of Records from this requirement. In addition,
the Agency shall amend such record upon request, unless
the Agency has published a rule exempting the System from
this requirement, whenever the subject individual proves
that the record is not accurate, relevant, current or
complete. If the Agency does not grant access to or
amend an individual's record upon request, it shall
inform the individual of its refusal to grant access to
or amend such record and advise him/her of his/her appeal
rights.
h. The Agency must not disclose information from records
maintained in a System of Records to any person or agency,
except with the written consent of the individual to whom
the record pertains. There are, however, twelve exceptions
which permit disclosures without consent of the individual.
Any other disclosure of the records (other than to the
subject individual) is unauthorized. See the Privacy Act
Manual for further discussion of these exceptions.
i. Except for disclosures to EPA officials and employees
with an official need to know and disclosures required
to be made under the Freedom of Information Act, an
accounting of the disclosures that are made from a System
of Records must be maintained by the System Manager.
Each accounting must include the date, nature and purpose
of disclosure and the name and address of the person or
agency to whom the disclosure was made. The accounting
must be retained for the life of the record or for five
years after disclosure, whichever is longer.
6. RESPONSIBILITIES.
a. The Assistant Administrators, Inspector General, General
Counsel, Associate Administrators, Regional Administrators,
Laboratory Directors and Headquarters Staff Office
Directors are responsible for:
(1) implementing the Privacy Act and the requirements
specified in this policy and the Privacy Act Manual
within their respective areas. They are responsible
for designating an appropriate EPA employee to serve
as System Manager for an existing or proposed System
of Records.
b. Director, Information Management and Services Division,
(IMSD), Office of Information Resources Management is
responsible for providing overall management and policy
guidance.
c. The Chief, Information Management Branch, IMSD, is the
Privacy Policy Officer and is responsible for policy,
procedures and oversight of the Act. He/she administers
activities related to establishment, alteration or
termination of Systems.
d. The General Counsel serves as the EPA Privacy Appeals
Officer and is responsible for interpreting the Act,
reviewing Privacy Act notices, regulations, policy
statements and related documents for legal form and substance
and deciding all written appeals of negative determinations.
e. The Director, Personnel Management Division is responsible
for reviewing proposed or altered systems for personnel
management implications.
f. Each Manager and Supervisor is responsible for implementing
the provisions of this Manual and the Privacy Act Manual
within their respective areas.
g. The System Manager is responsible for:
(1) Applying approved Privacy Act policies and procedures
relating to an existing or proposed System of Records
and, when appropriate, implementing additional practices
and procedures to cover special conditions or
situations that may arise within the System of Records.
In addition, the System Manager is responsible for:
(a) Preparing documentation required by the Privacy
Act, including notices of new, altered or
terminated System of Records for publication in the
Federal Register.
(b) Making initial decisions whether to grant an
individual access to his/her records or amend
such records and whether to extend the date of
initial determination concerning requests for
access to or amendment of records under the
Act.
(c) Safeguarding the System under his/her
jurisdiction.
(d) Informing employees having access to a System
of Records of the penalties under the Privacy
Act.
7. DEFINITIONS.
a. "Access" means availability of a record to a subject
individual.
b. "Disclosure" means the availability or release of a record
to anyone other than the subject individual.
c. "Individual" means a citizen of the U.S. or an alien
lawfully admitted for permanent residence. It does not
include businesses or corporations and, in certain
circumstances, may not include sole proprietorships,
partnerships or persons acting in a business capacity
identified by the name of one or more persons.
d. "Maintain" means to collect, use or disseminate when
used in connection with the term "record"; and, to have
control over or responsibility for a System of Records
when used in connection with the term, "System of Records."
e. "Personal identifier" is any individual number, symbol
or other identifying designation assigned to an individual,
but not a name, number, symbol or other identifying
designation that identifies a product, establishment or
action.
f. "Record" means any collection or grouping of information
about an individual that is maintained by the agency,
including but not limited to the individual's education,
financial transactions, medical history and criminal or
employment history and that contains his/her name or an
identifying number, symbol or other identifier assigned
to the individual, such as a finger or voice print or
photograph.
g. "Routine use" means, with respect to the disclosure of a
record to a person or agency other than EPA, the use of
a record for a purpose which is compatible with the
purpose for which the record was collected. It includes
disclosures required to be made by statute other than
the Freedom of Information Act, 5 U.S.C. 552. It does
not include other disclosures which are permitted to be
made without the consent of the subject individual pursuant
to Section 552a(b) of the Privacy Act, such as disclosures
to EPA employees who have official need for the record,
to the Bureau of the Census, to the General Accounting
Office or to the Congress.
h. "Subject individual" is the individual to whom a record
pertains.
i. "System Manager" is the EPA employee designated as the
responsible manager of a System of Records.
j. "System of Records" within the meaning of the Privacy Act
is a group of any records under the control of the Agency
from which information is retrieved by an individual's
name or some personal identifier, such as a social security
number assigned to the individual.
8. PROCEDURES AND GUIDELINES. Procedures for carrying out the
provisions of this Chapter are found in the Privacy Act
Manual. Other guidance is found in:
a. Forms Management Manual, Chapter 1, for forms developed
in connection with the Privacy Act.
b. Federal Acquisition Regulations Subpart 24.1 and EPA
Acquisition Regulations Subpart 15-24.1 for contracts
involving collection and maintenance of information on
individuals.
c. Delegations Manual 1-33 for authority to make
determinations on appeals from the initial denial and
to make determinations on correction or amendment.
d. Reports Management Manual, Chapter 4, for policy on
collecting information from the public.
e. Records Management Manual, Chapters 1 and 3, for
management and disposal of records.
f. Freedom of Information Act Manual for Freedom of
Information procedures.
g. Federal Register Document Drafting Handbook for
preparation of Federal Register documents.
h. Facilities and Support Services Manual, Security Volume,
Part III, Chapter 13, for security requirements for
Privacy Act data.
9. PENALTIES. The Privacy Act imposes criminal penalties directly
on individuals if they violate certain provisions of the
Act. Any Federal employee, for instance, is subject to a
misdemeanor charge and a fine of not more than $5,000 whenever
such employee:
a. Knowing that disclosure is prohibited, willfully discloses
in any manner records in a System of Records to any person
or agency not entitled to access to such records.
b. Willfully maintains a System of Records without publishing
the prescribed public notice on the System in the Federal
Register.
c. Knowingly and willfully requests or obtains any record
from any System of Records under false pretenses. (The
penalty for violation of this provision is not limited
to Federal employees).
(The System Manager is responsible for making employees
working with a System of Records fully aware of these
provisions and the corresponding penalties.)
11-7
-------
CHAPTER 12
-------
IRM POLICY MANUAL 2100
7/21/87
CHAPTER 12 - LIBRARY SERVICES
1. PURPOSE. This policy establishes principles that govern the
operation of the EPA library network.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
employees and contractors responsible for providing
information/library services. It also applies to officials who
contribute to the Headquarters library official collection
of EPA reports.
3. BACKGROUND. Efficient and cost-effective access to information
and data about the environment and related scientific,
technical, management, and policy information is critical to
the ability of the U.S. Environmental Protection Agency
(EPA) to carry out its mission. EPA recognized this when it
established a library network in the early 1970's to support
staff in EPA Headquarters, the 10 Regional Offices, and in
the 13 research laboratories and field sites across the
country. This approach is consistent with OMB Circular A-130,
"Management of Federal Information Resources", which states
that the collection of information by Federal agencies be
carried out within the context of efficient, effective, and
economical management.
4. AUTHORITIES. OMB Circular A-130, Management of Federal
Information Resources.
5. POLICY. It is EPA policy that the library network provide
EPA staff with access to high quality, cost-effective
information and data about environmental and related issues critical
to carrying out the Agency's mission. The librarians, as
information brokers, shall promote the available information
resources through outreach to EPA staff. The EPA libraries
shall provide State agencies and the general public with
access to the library collection. EPA program managers
shall provide the EPA library network with copies of final
technical reports and guidance. Copies of these documents
shall also be sent to the National Technical Information
Service (NTIS).
6. RESPONSIBILITIES. The Information Services Branch which is
part of the Information Management and Services Division,
Office of Information Resources Management, serves as the
"National Program Manager" and is responsible for
coordinating the major activities of the EPA library network. In
the Regional Offices, responsibility for managing the library
function is generally placed in the Regional Management
Divisions, although in a few Regions the libraries are the
responsibility of the Office of Public Affairs. In the
laboratories, responsibility for managing the libraries may
vary from site to site. The role of the National Program
Manager is to work with the library network and its managers
to provide the following services:
a. Assessment of EPA program staff needs for information and
provision of services to meet those needs.
b. Online searches of commercial databases and, as appropriate,
EPA databases, to supply EPA staff with needed information.
Where possible, provision of State environmental agencies
with relevant information services.
c. Access to the EPA library network collection of books,
journals, maps, and materials produced in microform.
d. Access to information resources of other federal, academic
and special libraries through interlibrary loan.
e. Development of specialized services, e.g., Hazardous
Waste Collection, guides to information resources,
including documents, databases, and directory information
and selective dissemination assistance.
f. Coordination with other related EPA functions.
g. Provision of translation services to EPA staff.
-------
IRM POLICY MANUAL 2100 CHG 4
4/20/93
CHAPTER 14 - EPA RULEMAKING DOCKET POLICY
1. PURPOSE. This policy establishes the principles and
defines the roles and responsibilities that govern the
management of EPA rulemaking dockets.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizations and their employees and to EPA contract
personnel who are involved in the collection,
processing, dissemination, use, storage and/or
disposition of EPA rulemaking docket information. It
applies to automated and manual rulemaking docket data
in all subject areas, except data restricted by national
security, Confidential Business Information privileges
or Privacy Act considerations.
3. BACKGROUND.
a. EPA is an information intensive agency. The
Agency's extensive reliance on data as a basis for
decision making stems directly from its mission and
the requirements of its regulatory and monitoring
activities.
b. Under 44 U.S.C. 3101 the head of each Federal
agency "shall make and preserve records containing
adequate and proper documentation of the
organization, functions, policies, decisions,
procedures, and essential transactions of the
Agency..."
c. For substantive rulemaking, agencies are required
to develop a "rulemaking record" or "administrative
record" that both reflects public participation in
the rulemaking procedures and supports the factual
conclusions upon which the rule is based (5 U.S.C.
553, Administrative Procedures Act and Executive
Order 12,291 on Federal Regulation).
d. The information that supports a proposed or final
rule must be made available to the public
concurrently with the publication of that rule.
e. Several EPA programs are required to maintain a
rulemaking record by statute, such as the Clean Air
Act, or by regulation. Within EPA such a record is
commonly called a rulemaking docket.
Specific authorities for major dockets are provided
in Access EPA Major EPA Dockets.
f. EPA strives to provide the public with information
necessary to make comments for consideration in the
EPA rulemaking process. EPA programs involved in
regulatory development may find that establishing a
rulemaking docket is an effective way to fulfill
requirements for developing an administrative
record and providing public access, even if the
creation of a rulemaking docket is not required by
a specific statute or regulation.
g. A rulemaking docket is a set of documents collected
and maintained specifically to provide EPA
regulations development staff and the public with
ready access to copies of the Agency records that
support the basis for EPA rulemaking actions. EPA
Program and Regional offices contribute to the
development and operation of EPA dockets.
h. EPA has major docket facilities in Headquarters.
In addition to these major dockets, there are a
number of smaller dockets located in Headquarters
and Regional offices.
i. A well-managed system of dockets is essential to
the success of the Agency's mission. Operation of
the dockets should be consistent to the extent
possible throughout the Docket Network to
facilitate ease of access for the public.
j. Dockets represent an important information
repository, the integrity of which must be
protected and maintained. File integrity is
particularly important since incompleteness
could cause delays in promulgating a final
rule and possibly result in legal action
against the Agency.
k. Each rulemaking docket generally includes, but is
not limited to:
(1) A copy of each proposed rule, final rule or
other rulemaking notice (e.g., Advance Notice
of Proposed Rulemaking) for a regulatory
action signed by the Administrator (or
Assistant Administrator or his/her designee in
the case of a supplemental notice).
(2) All documents cited in Federal Register
notices of rulemaking activities.
(3) Information considered by the Agency in
drafting a proposed or final rule. This
includes data, analyses, reports, and minutes;
summaries and transcripts of public meetings
and hearings; records of ex parte
communications including telephone calls,
memoranda and letters; and public statements
made by EPA employees in their official
capacities.
(4) Public comments received by the Agency
in response to Federal Register notices of
proposed rulemaking in which the Agency has
requested written comments.
(5) Comments from government agencies.
(6) Written comments received by the Office of
Management and Budget (OMB) from outside
parties on Agency rulemaking actions.
Procedures have been established with OMB
to ensure that such comments are provided
to EPA through the Office of General Counsel
and forwarded to the Program Office for
inclusion in the rulemaking dockets.
(7) Written summaries of communications between
EPA staff and OMB or other persons outside EPA
regarding significant new factual data or
information affecting a rulemaking (including
meetings with interest groups).
4. AUTHORITIES.
a. Executive Order 12,291
b. The Paperwork Reduction Act of 1980 (P.L. 96-511),
as amended.
c. 5 U.S.C. 552, Freedom of Information Act as
amended.
d. 5 U.S.C. 553, Rulemaking
e. 44 U.S.C. 3101, Records management by agency heads;
general duties
f. 40 CFR 2, Public Information
5. POLICY. It is EPA policy that:
a. Rulemaking dockets shall provide complete and
accurate documentation of rulemaking activity.
This is most important since the information in the
docket is used by the public to comment on proposed
rules.
b. Rulemaking dockets shall contain duplicate copies
of the original files. The original files are
retained and managed by the responsible Program
Office.
c. Docket materials shall be safeguarded and
adequately protected to ensure file integrity.
d. Information contained in EPA dockets shall be
organized and indexed in a manner that
facilitates ready access and retrieval.
e. Information protected by Confidential Business
Information (CBI) considerations, national security
or the Privacy Act cannot be physically placed in
the rulemaking docket but should be incorporated by
reference within the docket files.
f. Docket records shall be managed in the most
efficient and cost-effective manner, utilizing
sound records management principles and practices.
g. Requests for information shall be handled in a
responsive, timely manner.
h. The docket should not be made available to the
public earlier than on the date the Administrator
signs the proposed rule.
i. Agency docket facilities shall operate during
normal business hours and shall be situated in
locations that are easily accessible to the public.
j. Agency docket facilities shall follow a uniform fee
schedule as is prescribed in 40 CFR Part 2.120,
Fees; Payment; Waiver.
6. RESPONSIBILITIES.
a. The Office of Information Resources Management
shall:
(1) Provide effective leadership in developing and
promoting docket management policies and
coordinating activities of the EPA Docket
Network, (e.g., produce annually docket
directory, ACCESS EPA Major EPA Dockets).
(2) Develop standards and provide advice, guidance
and technical assistance for managing the
Agency's rulemaking dockets.
(3) Evaluate the effectiveness of the Agency's
dockets by conducting periodic surveys and
studies as needed.
(4) Issue records management policy, directives
and instructional materials governing the
organization, maintenance and disposition of
all records in Agency dockets.
(5) Develop standards and provide technical
assistance for conversion of manual, paper-
based docket systems to microform or
electronic media.
(6) Provide advice in developing a uniform
indexing system for Agency dockets and
maintaining docket integrity.
(7) Coordinate issues relating to the location of
Agency rulemaking dockets.
(8) Establish uniform procedures to guide the
operation of Agency rulemaking dockets.
b. The Office of General Counsel shall provide legal
guidance for all Agency regulatory activities and
ensure that the legal requirements for Agency
rulemaking dockets are met.
c. Assistant, Associate and Regional Administrators;
the General Counsel; the Inspector General; and
Heads of Staff Offices to the Administrator shall:
(1) Ensure that the rulemaking dockets within
their organizations conform to Agency
standards and policy.
(2) Furnish the docket program managed by their
organizations with complete and accurate
rulemaking information on a timely basis.
(3) Ensure that each docket program within their
organization has a Rulemaking Docket Manager
who has overall responsibility for:
(a) Ensuring the information in their docket
is organized in accordance with EPA's
Uniform Rulemaking Docket Manual.
(b) Ensuring that the information in their
dockets is complete, legible, well-
organized and readily available for
access and dissemination.
(c) Ensuring that docket materials are stored
in a secure manner and that adequate
measures are taken to maintain and verify
the integrity and completeness of the
file.
(d) Coordinating with Program or Regional
staff to ensure the docket is current,
accurate, and complete and that all
inactive material is removed in
accordance with the Agency's records
management disposition schedules.
(e) Ensuring that clients are able to obtain
copies of materials.
7. DEFINITIONS.
a. The "Rulemaking Docket" is a collection of
documents that is the basis for EPA rulemaking
actions. Some statutes refer to a "rulemaking
record or a docket," and others refer to the
"record." Those same terms are often used to
describe the collection of documents available to
the public which reflect the Agency's consideration
and promulgation of a rule, or "public docket."
Since an "administrative record" is not usually
formally identified until a challenge to an Agency
rule, the "public docket" and the "record" will not
necessarily be the same.
b. The "Administrative Record" is a set of documents
that is the basis for any Federal agency
administrative action, including, but not limited
to, rulemaking.
Under the Administrative Procedures Act (APA), any
judicial review of a final agency action is based
on the administrative record. Administrative
actions that are not rules may include denials of
citizens' petitions, individual permit decisions,
and exemption decisions. These actions are
typically based on an administrative record.
8. PROCEDURES and GUIDELINES.
a. Guidelines for docket management are found in
EPA's "Uniform Rulemaking Docket Manual."
Copies are available from the EPA Distribution
Center, PM-215.
b. Procedures for processing Freedom of
Information Act (FOIA) requests are found in
the EPA's "Freedom of Information Manual."
Copies are available through the EPA
Distribution Center, PM-215.
c. Procedures governing records management are
found in the "EPA Records Management Manual."
Copies of this manual are available from the
Agency's Distribution Center, PM-215. Agency
Record Control Schedules are available from
the Office of Information Resources
Management's Information Management and
Services Division, PM-211D.
d. Procedures for informal and formal rulemaking
can be found in the "Administrative Procedure
Act".
-------
Chapter 15
-------
SECTION II-L
-------
IRM POLICY MANUAL
2100 CHG 5
5/25/93
1. PURPOSE. This policy outlines objectives and assigns
organizational responsibilities, in compliance with Federal
laws and regulations, so that EPA may provide disabled
employees access to electronic office equipment and
telecommunications devices equivalent to that which is
provided for non-disabled employees.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizations and their employees.
3. BACKGROUND.
a. The Federal Information Resources Management Regulation
(FIRMR) includes an accessibility policy implementing
Section 508 of the Rehabilitation Act Amendments of
1986. Federal agencies have a responsibility to
establish information environments that are accessible
to individuals with disabilities. These
responsibilities include assessing, planning for, and
meeting accessibility requirements of individuals with
disabilities when procuring electronic office
equipment.
b. Computer accommodation has become an integral aspect of
information resources management within the Federal
Government. Computer accommodation is the acquisition
and modification of end user computing equipment to
minimize the functional limitations of employees to
promote productivity and ensure access to electronic
office equipment.
c. The goal of accessibility is to provide equivalent
access to information resources by non-disabled and
disabled individuals. This includes access to data
bases, applications programs, and communications
capabilities.
d. Technological advances for non-disabled individuals
also offer great long-term improvements in
telecommunications accessibility for individuals with
hearing and speech impairments. Such advances include
electronic mail; facsimile; teleconferencing; LAN-based
video imaging; text-based information services and
messaging; digital speaker phone; telecommunication
device for the deaf (TDD); special modified computer
keyboards; messaging beepers with full LCD display; and
remote, real-time transcription/translation
capabilities. Many of these services are available to
agencies through FTS2000, GSA's long-distance
telecommunications service. The flexibility inherent
in these new telecommunications capabilities makes it
possible to accommodate the special requirements of
speech and hearing impaired individuals.
e. GSA is the lead Federal oversight agency providing
advisory services and technical assistance to help
Federal managers and employees with problems related to
extending office automation technologies for productive
use by individuals with disabilities. The GSA has
established a Clearinghouse on Computer Accommodation
(COCA) in the Office of GSA Information Resources
Management to provide this type of assistance to
agencies.
f. EPA's Washington Information Center (WIC) and its
Regional counterparts work closely with Agency managers
and the Office of Human Resources Management to ensure
that disabled employees in need of specialized computer
or telecommunications equipment are accommodated. The
WIC and its Regional counterparts have also been
instrumental in helping client organizations obtain and
install appropriate computer accommodation products to
assist persons with disabilities.
4. AUTHORITIES.
a. Section 508 of the Rehabilitation Act Amendments of
1986.
b. FIRMR, Section 201.20.103-7 "Accessibility Requirements
for Individuals with Disabilities."
c. FIRMR, Section 201-18 "Planning and Budgeting."
d. FIRMR Bulletin - C-8 "Information Accessibility for
Employees with Disabilities," January 30, 1991.
e. FIRMR Bulletin - C-10 "Telecommunications Accessibility
for Hearing and Speech Impaired Individuals," January
30, 1991.
f. 40 CFR Part 12 "Enforcement of Non-Discrimination on
the Basis of Handicap in the Environmental Protection
Agency," August 16, 1987.
g. 29 CFR 1614.203(c) "Reasonable Accommodation."
h. Public Law 100-542, The Telecommunications
Accessibility Enhancement Act of 1988.
i. FIRMR Amendment on Electronic Office Equipment
Accessibility for Handicapped Employees (P.L. 99-506,
Section 508).
5. POLICY.
a. No EPA employee shall, on the basis of disability, be
excluded from participation in, be denied the benefits
of, or otherwise be subjected to discrimination under
any program or activity conducted by the Agency.
b. EPA shall provide disabled and non-disabled employees
equivalent access to electronic office and
telecommunications equipment to the extent such needs
are determined by the Agency in accordance with Federal
regulations and to the extent the required
accessibility can be provided by industry. In
providing equivalent access, EPA shall make reasonable
accommodation to provide:
(1) access to and use of the same data bases and
application programs by disabled and non-disabled
employees;
(2) enhancement capabilities for manipulating data
(i.e., special peripherals) to attain equivalent
end-results by disabled and non-disabled
employees; and
(3) access to and use of equivalent telecommunications
equipment by disabled and non-disabled employees.
c. EPA shall consider electronic office equipment and
telecommunications accessibility for disabled employees
when conducting determinations of need and requirements
analyses for FIP resources.
d. EPA management and technical personnel shall work
closely with contracting officials when contracting for
new or additional FIP resources to ensure accessibility
to FIP resources by individuals with disabilities.
e. In accordance with FIRMR 201-17.001, EPA shall acquire
FIP resources for individuals with disabilities that
result in the most advantageous alternative to the
Government after consideration of sharing and reuse of
existing FIP resources and use of GSA services when
appropriate.
f. EPA shall provide training and education on electronic
office equipment and telecommunication devices for
disabled individuals, including services and features
of the GSA relay service.
g. EPA shall publish access numbers for Telecommunication
Device for the Deaf (TDD) and TDD-related devices in
Agency telephone directories and provide such numbers
to GSA for inclusion in the Federal TDD Directory.
h. EPA shall display in its facilities the standard logo
specified by GSA for indicating the presence of TDD or
TDD-related equipment.
6. RESPONSIBILITIES.
a. The Assistant Administrator for Administration and
Resources Management is the Designated Senior Official
(DSO) for IRM and is responsible for:
(1) Ensuring EPA compliance with Federal regulations
governing accessibility of electronic office
equipment and telecommunication devices to
disabled employees.
(2) Ensuring that all disabled employees are provided
reasonable accommodation for access to electronic
office equipment and telecommunication technology.
(3) Ensuring that all Agency officials and employees
are informed of their responsibilities and rights
addressed in EPA's policy on accessibility to
electronic office equipment.
(4) Ensuring that contracts for new and additional FIP
resources provide provisions to facilitate access
to FIP resources by disabled individuals.
(5) Monitoring Agency progress toward achieving
accessibility goals.
b. The Director, Office of Human Resources Management is
responsible for:
(1) Consulting with disabled employees on an
individual basis to identify their needs and
inform them of Agency and Federal resources.
(2) Referring disabled employees to the WIC, its
Regional counterparts, or National Data Processing
Division for technical services when necessary.
(3) Incorporating awareness training on the technology
needs of disabled employees into EPA's general
management training curriculum.
c. The Director, Office of Information Resources
Management is responsible for:
(1) Developing Agency policy which reflects Federal
requirements governing accessibility to
information technology by disabled employees.
(2) Reviewing progress made toward achieving
information technology accessibility for EPA
disabled end-users.
(3) Incorporating accessibility issues into the Agency
Five Year Information Technology Plan.
d. The Director, National Data Processing Division is
responsible for:
(1) Appointing a representative to serve as EPA's
liaison with GSA's COCA and as the Agency's lead
technical advisor on accessibility issues.
(2) Obtaining information on successful EPA
applications of computer and telecommunications
support for disabled EPA employees, and providing
that information to the GSA COCA for sharing
government-wide.
(3) Providing technical advice to Agency managers and
disabled employees on the use of computers and
telecommunication devices to support the job
performance of disabled employees.
(4) Reviewing and approving all telecommunication
changes and procurements subject to FIRMR review.
(5) Providing telecommunications assistance to all
field locations.
(6) Ensuring that TDD and TDD-related device telephone
numbers are included in EPA telephone directories
and ensuring that these numbers are provided to
GSA for inclusion in the Federal TDD Directory.
e. The Director, Office of Civil Rights is responsible
for:
(1) Coordinating the development and implementation of
civil rights policies and supporting program
offices to ensure that no qualified EPA employee
shall, on the basis of a disability that is
subject to reasonable accommodation, be excluded
from participation in, be denied the benefits of,
or otherwise be subjected to discrimination under,
any program or activity conducted by the Agency.
f. The Director, Office of Acquisition and Management is
responsible for:
(1) Ensuring that Agency solicitation documents and
contracts address the needs of disabled employees
by incorporating functional specifications
addressing input, output and documentation issues.
(2) Ensuring that prospective vendors can demonstrate
the ability to provide EPA with equivalent or
better access to proposed replacement FIP
resources than to accommodation hardware or
software currently in place.
(3) Specifying in Agency solicitations and contracts
that the Agency be permitted to install additional
accommodation devices, peripherals, or software
that may be acquired from a third party, without
voiding the maintenance and warranty agreements of
the contract, provided such devices or peripherals
conform to the electrical specifications of the
system and can be connected through standard
expansion slots or peripheral ports.
g. The Director, Facilities Management and Services
Division is responsible for:
(1) Ensuring that signs are displayed in EPA
facilities using the standard logo specified by
GSA for indicating the presence of TDD or TDD-
related equipment.
h. Assistant Administrators, Associate Administrators,
Regional Administrators, Laboratory Directors,
Headquarters Staff Directors, General Counsel and the
Inspector General are responsible for:
(1) Ensuring that employees within their organizations
comply with the Federal and Agency regulations and
policies governing accessibility to electronic
office equipment and telecommunication devices by
disabled employees.
(2) Providing information as requested by GSA or OARM
on the computer and telecommunication
accommodations of disabled employees in their
organization.
i. Senior IRM Officials are responsible for:
(1) Providing contracting officials, for inclusion in
the solicitation, an inventory and description of
any current accommodation hardware or software
within the organization they represent along with
the resources scheduled for replacement or
modification.
(2) Ensuring that the accessibility needs of their
current and future employees are addressed in
their organization's component of the Agency's
Five Year Information Technology Plan.
j. Personal Computer Site Coordinators (PCSCs) are
responsible for:
(1) Providing basic technical assistance at the
workstation to persons with disabilities, and
obtaining further guidance and assistance from the
National Data Processing Division, the WIC and/or
its Regional counterparts as needed.
k. Each EPA Manager or Supervisor is responsible for:
(1) Identifying requirements of disabled employees.
(2) Referring disabled employees to the Agency's
National Data Processing Division, the WIC, and/or
its Regional counterparts for technical services
when necessary.
(3) Ensuring that no current or prospective EPA
employee within their organizational unit shall,
on the basis of disability, be denied reasonable
accommodation or access to electronic office
equipment and telecommunication devices.
(4) Working with the Office of Human Resources
Management, NDPD, WIC, and/or its Regional
counterpart's personnel to ensure the electronic
office equipment and telecommunication device
needs of disabled employees are met.
7. DEFINITIONS.
a. "Disabled" refers to any person who has a physical or
mental impairment, including a hearing or speech
impairment, that substantially limits a major life
activity, has a record of such impairment, or is
regarded as having such an impairment.
b. "Major life activity" includes functions such as caring
for oneself, walking, seeing, hearing, speaking,
breathing, learning, and working.
c. "Reasonable Accommodation," per 29 CFR 1614.203(c), may
include, but shall not be limited to:
• making facilities readily accessible to and usable
by handicapped persons, and
• job restructuring, part-time or modified work
schedules, acquisition or modification of
equipment or devices, appropriate adjustment or
modification of examinations, the provision of
readers and interpreters, and other similar
actions.
In determining reasonable accommodation, factors to
consider may include:
• the overall size of the EPA organization with
respect to the number of employees, number and
type of facilities and size of budget;
• the type of Agency operation, including the
composition and structure of the Agency's work
force; and
• the nature and the cost of the accommodations.
d. "Special peripheral" is defined in Section 508 of
Public Law 99-506 as a special needs aid that provides
access to electronic equipment that is otherwise
inaccessible to a disabled individual.
e. "Telecommunications Device for the Deaf" (TDD) is a
device that permits people with hearing and/or speech
impairments to communicate over a standard telephone
with another TDD user or through a relay operator to
reach a non-TDD user.
f. "Senior Information Resources Management Officials
(SIRMOs)" are EPA officials responsible for directing
and managing office-wide information resources planning
and budgeting and for assuring that the information
systems and information technology acquisitions within
their organizations comply with Federal and EPA
policies and regulations.
8. FEDERAL GUIDANCE.
a. 40 CFR Chapter 1 §12.150 (a)(2) stipulates that an
Agency must seek to accommodate persons with
disabilities for use of electronic office equipment,
but that it is not required to take any action that it
can demonstrate would result in a fundamental
alteration in the nature of a program or activity, or
in an undue financial and administrative burden.
b. FIRMR Bulletin C-8, "Information Accessibility for
Employees with Disabilities," (Attachment A) contains a
detailed explanation of the major areas that need to be
considered in developing specifications, in conjunction
with requirements determination, to ensure electronic
equipment accessibility for disabled employees (i.e.,
input alternatives, output alternatives and
documentation).
c. FIRMR Bulletin C-10 "Telecommunications Accessibility
for Hearing and Speech Impaired Individuals" includes
three attachments. Attachment A addresses the Federal
Information Relay Service (FIRS). Attachment B
includes the Federal Telecommunications Devices for the
Deaf (TDD) Directory, and Attachment C provides
guidance on Agency Telecommunications Accessibility
Planning.
d. "Managing End User Computing for Users with
Disabilities" (GSA KGD-91-1-I) provides guidance to
agency managers determining accommodation strategies
for FIP resource accessibility. This handbook stresses
the importance of consulting with individual users as a
first step to assessing technology requirements. It is
available from COCA at the address noted below.
9. SERVICES OF GSA'S CLEARINGHOUSE ON COMPUTER ACCOMMODATION
(COCA).
a. Responds to requests for general information on
frequently used hardware/software and workstation
furnishings to accommodate individuals with
disabilities.
b. Assists agencies with researching specific hardware,
software, and communications problems associated with
an employee's electronic office equipment and
telecommunication device accommodation requirements.
c. Provides on-going consultative/technical assistance to
agencies during planning, acquisition, and installation
of individual and agency-wide office automation
systems.
d. Conducts workshops on computer accommodation
procedures.
e. The address and phone number are:
General Services Administration
Clearinghouse on Computer Accommodations
Room 2022
KGDO
18th and F Sts., N.W.
Washington, DC 20405
(202) 523-1906 (TDD)
(202) 501-4906 (voice)
-------
IRM POLICY MANUAL 2100 CHG 5
6/1/93
CHAPTER 16 - EPA INTERNAL ELECTRONIC SIGNATURES POLICY
1. PURPOSE.
This policy establishes the criteria for the use and
validity of electronic signatures associated with internal
electronic transactions within the Environmental Protection
Agency. They are intended to ensure that, as Agency
programs implement this technology, they do so in a manner
that is both consistent across the Agency and compatible
with the practices of other government agencies and members
of the regulated community. A uniform approach encourages
cost effectiveness and potential for future connectivity and
integration of enterprise-wide electronic processing
applications.
2. SCOPE AND APPLICABILITY.
This policy applies to any electronic transaction originated
by any employee, contractor, or grantee working for any EPA
organizational unit that involves providing approval,
authorization, or certification, via the use of electronic
signature, for actions or data.
a. This policy specifically applies to any such electronic
transaction that:
(1) Is being implemented as a replacement for (or
complement to) a paper form or document originated
by an employee, contractor, or grantee of an EPA
organizational unit;
(2) Involves the use of Agency enterprise-wide data
processing, data storage and data communications
facilities;
(3) Replaces (or complements) documents or forms that
require originator signature certification; or
(4) Involves, or implies, procurements, financial
commitments, obligations, certification of time
and attendance, or disbursements.
b. An electronic signature solution should not be
considered when a requirements analysis indicates
there is no clearly defined cost or productivity
advantage to be gained from the application. If the
requirements analysis demonstrates a clear need for
encrypted signatures, then the application will conform
to standards cited in applicable Federal Information
Processing Standards (FIPS) and Agency policies.
3. BACKGROUND.
a. General
(1) Innovations in computer technology now allow the
creation, processing and maintenance of documents
in electronic form — without requiring creation
of corresponding paper media.
(2) Automated information processing is rapidly
becoming the preferred mode for management and
transfer of information in business and
government. Automation of administrative
procedures has demonstrated that:
(a) Information can be processed more quickly;
(b) Costs of rekeying data are mitigated;
(c) Data accuracy is increased.
(3) Many forms and documents used in EPA mission and
administrative activities require signatures of
the responsible officials. The uses of electronic
signatures may include, but are not limited to:
(a) Certification of the transmission, receipt,
and authorization of data;
(b) Authorization or approval of an official
action.
(c) Certification and validation of the accuracy
of Agency databases.
(4) Procedures for the use of electronic signatures in
creating and processing documents must provide
adequate safeguards for the application,
transmission, verification, and security of a
signature and any accompanying data or
information. If security profiles are modified,
the system should be equipped with an audit trail
capability to provide the User ID, time and date
of the last person who made the modifications.
(5) Pursuant to Par. 4, AUTHORITIES, of this policy,
as such information migrates into an electronic
environment, it is essential to ensure that all
official documents are developed, processed, and
maintained consistent with applicable Federal and
Agency policies regarding electronic
recordkeeping.
b. Existing Technology Areas As Management Controls for
Electronic Signatures
The following technology areas used individually or in
concert as controls can provide effective electronic
signature systems:
(1) Signature authentication allows users to verify
the approval authority of a transmission. It is
usually used in combination with other
technologies to provide a complete electronic
signature system. Signature authentication
methods include:
(a) Personal identification numbers (PINs)
(b) passwords
(c) facsimile signatures
(d) token card readers
(e) message authentication coding (MAC)
(f) MAC incorporating encryption techniques, e.g.
through the use of public or private keys.
(2) Message authentication provides the ability to
confirm that the message received is exactly the
same as the message that was sent. A major
concern associated with electronic forms and
signatures is an unauthorized user's ability to
change an electronic form after it has been
signed.
(a) Message authentication systems use varying
procedures to calculate a message
authentication code (MAC) based on the
contents of the message. Some of these
processes may involve cryptographic
techniques. For example, message
authentication systems may use private key
encryption to calculate the MAC, requiring
that both the sender and receiver know the
key.
(b) If the message changes, the MAC code
calculated on the receiver's side will be
different from the attached MAC code
calculated on the sender's side.
(c) Message authentication may provide two forms
of security. It:
(1) Verifies the information has not been
altered from the moment the MAC was
generated to the time it was checked.
(2) May also assure the receiver of the
sender's identity, e.g. through shared
knowledge of the secret key used to
calculate the MAC.
(3) Data encryption systems conceal message meaning by
changing intelligible messages into unintelligible
ones to everyone except the transmitter and
receiver. Data encryption:
(a) Can be used to safeguard signatures and
signature authentication codes from
disclosure during transmission and when data
files containing signatures are stored.
(b) Requires the use of keys to encrypt and
decrypt data.
(c) Can use public key, private key, or secret
key encryption algorithms.
(4) Access control systems are designed to limit
access to computer systems, including operating
system files, and applications, including
application programs and data files. Limiting
access to systems and applications limits the
population of users that can actually append a
signature code to a message. Access control
systems, at a minimum, should provide user
identification, login control, access
authorization, and auditing capabilities.
For a more detailed discussion of the above
technologies, please refer to the report entitled,
"Existing Technology Solutions for Electronic
Signatures."1
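The sender/receiver MAC check of 3.b(2), together with the audit-trail record called for in 3.a(4), as an added illustration that is not part of the EPA manual. It substitutes HMAC-SHA-256 for the DES-era MACs the policy had in view; the user IDs, keys, form fields and function names are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed per-user secret keys (hypothetical user IDs). Sender and
# receiver both hold the key, as the text describes for secret-key MACs.
DEMO_KEYS = {
    "jdoe": b"constructed-demo-key-jdoe-0001",
    "asmith": b"constructed-demo-key-asmith-02",
}
# Constructed form content, modelled on a procurement request form.
DEMO_FIELDS = {"form": "procurement-request", "payee": "ACME", "amount": "950.00"}


def canonical_bytes(signer_id, signed_at, fields):
    """Serialize signer, signing time and form fields unambiguously.

    Every item gets a 4-byte length prefix and field names are sorted, so
    two different forms can never serialize to the same byte string
    (plain concatenation would let "10"+"0ACME" equal "100"+"ACME").
    """
    parts = [signer_id, signed_at]
    for name in sorted(fields):
        parts.extend([name, fields[name]])
    out = bytearray()
    for part in parts:
        raw = part.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return bytes(out)


def compute_mac(key, signer_id, signed_at, fields):
    """MAC over the whole signed message, keyed with the signer's secret."""
    data = canonical_bytes(signer_id, signed_at, fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_form(key, signer_id, signed_at, fields):
    """Sender side: attach the MAC to the form before transmission."""
    return {
        "signer_id": signer_id,
        "signed_at": signed_at,
        "fields": dict(fields),
        "mac": compute_mac(key, signer_id, signed_at, fields),
    }


def verify_form(keys, message, audit_log, checked_at):
    """Receiver side: recompute the MAC and compare it with the attached one.

    Every check, pass or fail, is appended to audit_log with the claimed
    user ID and the time of the check.
    """
    key = keys.get(message["signer_id"])
    if key is None:
        result = "unknown-signer"
    else:
        expected = compute_mac(
            key, message["signer_id"], message["signed_at"], message["fields"]
        )
        # compare_digest avoids leaking how many leading characters matched.
        matches = hmac.compare_digest(expected, message["mac"])
        result = "valid" if matches else "mac-mismatch"
    audit_log.append(
        {"user_id": message["signer_id"], "checked_at": checked_at, "result": result}
    )
    return result == "valid"


if __name__ == "__main__":
    log = []
    msg = sign_form(DEMO_KEYS["jdoe"], "jdoe", "1993-06-01T09:00:00Z", DEMO_FIELDS)
    print("original accepted:", verify_form(DEMO_KEYS, msg, log, "1993-06-01T09:05:00Z"))

    # Form altered after signing: the recomputed MAC no longer matches.
    altered = dict(msg, fields=dict(msg["fields"], amount="9500.00"))
    print("altered accepted:", verify_form(DEMO_KEYS, altered, log, "1993-06-01T09:06:00Z"))

    # Signature relabelled as another user's: that user's key gives a different MAC.
    relabelled = dict(msg, signer_id="asmith")
    print("relabelled accepted:", verify_form(DEMO_KEYS, relabelled, log, "1993-06-01T09:07:00Z"))

    for entry in log:
        print(entry)
```

Because the signer ID and signing time are inside the MAC input, changing either one invalidates the code just as changing a form field does.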
4. AUTHORITIES.
a. Internal Control Systems. OMB Circular A-123, August
16, 1983
b. The Paperwork Reduction Act of 1980 (P.L. 96-511)
c. United States Code 31-USC-1501
d. The Federal Managers Financial Integrity Act of 1982
(PL 97-225, approved 9/8/1992)
e. Federal Records Management. National Archives and
Records Administration (NARA) 36 CFR 1220
f. Review and Evaluation. NARA 41 CFR 201-22
g. The Computer Matching and Privacy Act of 1987,
5-USC-522a (as amended)
h. Management of Federal Information Resources. OMB
Circular A-130
i. Computer Security Act of 1987
j. FIPS PUB 46-1 — Data Encryption Standard; Jan. 22, 1988
1 EPA, OIRM/IMSD, April 1992.
k. FIPS PUB 14QA — General Security Requirements for
Equipment Using the Data Encryption Standard; April 14,
1982
l. EPA 2100 Information Resources Management Policy Manual -
1987
m. EPA Directive 2182: EPA System Design and
Development Guidance, Volumes A&B, plus the supplement:
Development of Image Processing Systems in the EPA;
1989/1990
n. EPA Directive 2195: EPA Information Security Manual;
5. POLICY.
EPA is committed to support the implementation of integrated
electronic processing applications which expedite the
workload and reduce duplicative activities, consistent with
applicable Federal and agency policies regarding electronic
recordkeeping and security.
a. For all EPA internal administrative applications
involving the use of electronic approval, signature and
distribution procedures, an electronic signature will
be deemed as legally binding as a paper signature,
provided each application is developed, implemented,
and monitored in accordance with this policy.
b. When a determination has been made to fully automate a
paper-based system that employs written signatures, all
affected Agency offices shall use electronic
signatures.
c. Any application involving the use of enterprise-wide
data processing, storage and communications systems
will be considered an Agency wide application and will
conform to the use of electronic signature solutions
promulgated by the National Data Processing Division
(NDPD).
d. For applications not involving the use of enterprise-
wide data processing, storage, or communications
systems, no specific electronic signature technical
solutions are mandated as policy. However, all
electronic signature applications must provide for
signature and message authentication with the specific
authentication techniques appropriate for the level of
financial and legal risk inherent in the application.
In addition, each solution must conform to applicable
Federal Information Processing Standards (FIPS), as
well as all standards and procedures for the
maintenance of electronic records promulgated by the
National Archives and Records Administration (NARA). A
list of commercially available security packages is
provided in the document entitled "Existing Technology
Solutions for Electronic Signatures" (see Section 9).
e. When an electronic message containing a signature is
signed, transmitted, and received, the following
requirements must be met:
(1) Signature Authentication:
(a) The electronic signature must establish
sender/user authenticity;
(b) It must be possible to assure with a
reasonable degree of certainty that the
sender's signature has not been forged;
(c) Sufficient audit trails must be provided to
resolve disputes, with a reasonable degree of
certainty, involving cases where an
individual disavows sending a message.
(2) Message Authentication:
(a) It must be possible to assure, with a
reasonable degree of certainty, that a
document and its signature have not been
changed after it is signed.
f. Electronic information and forms processing
applications involving the use of electronic signatures
must incorporate signature and message authentication,
as above, and may incorporate the following additional
considerations:
(1) The need for the signature on a document to be
obscured from disclosure during transmission
(i.e., data encryption);
(2) The need for only a few individuals to have access
to signing, processing, or viewing capabilities
(i.e., access control).
g. Consistent with the goal of enterprise-wide
compatibility, only digital signature applications are
addressed by this policy. Analog, or facsimile
signatures are not necessarily electronic, may be
forged, and will not be considered valid for
determining signature authenticity.
h. Any application involving the use of electronic
signatures on enterprise-wide data processing, storage
and communications systems will be considered a
"sensitive system" from the perspective of EPA's
Information Security Program.
6. RESPONSIBILITIES.
a. The Assistant Administrators, Associate Administrators,
all Heads of Headquarters Staff Offices reporting to
the Administrator, General Counsel, Inspector General,
and Regional Administrators are responsible for:
(1) Reviewing all currently automated systems within
their respective organizations to determine
applicability to this policy and establishing
procedures to ensure current and future systems
comply with the requirements of this policy.
Reviews may be performed by EPA staff or
contractor resources; they must be completed in a
timely manner, formally documented, and results
submitted to OIRM.
(2) For all relevant systems, conducting a risk
analysis and vulnerability assessment every three
years to ensure the security of electronic records
systems, consistent with oversight responsibilities
specified in FMFIA obligations. Consult the
EPA Information Security Manual and Risk Analysis
Guidelines for assistance.
(3) Identifying a specific technical approach for all
required technology areas that cost-effectively
addresses the risks of the application.
(4) Determining the level of security required for any
proposed application of electronic signature and
developing, or modifying, the System Security Plan
to incorporate electronic signature issues.
(5) Meeting EPA's requirements under the Federal
Managers' Financial Integrity Act so that controls
are in place, evaluated regularly, and practiced
to ensure that this policy is carried out in their
respective programs, activities, and operations
using electronic signature.
b. The Office of Information Resources Management (OIRM)
is responsible for:
(1) Providing training and awareness about the policy;
(2) Providing guidance and assistance in implementing
this policy;
(3) Ensuring that information security and Privacy Act
issues have been met;
(4) Receiving and responding to waiver requests;
(5) Periodically reviewing electronic signature
applications to ensure that electronic records are
being maintained in accordance with applicable
Federal and Agency policies and procedures.
(6) Re-evaluating/revalidating the policy within 5
years of approval;
c. The Assistant Administrator, Office of Administration
and Resources Management (OARM), is responsible for
addressing any appeals to waiver decisions made by
OIRM.
d. The National Data Processing Division (OARM/RTP) is
responsible for developing and maintaining policies
and procedures for the acceptable use of specific
commercially available electronic signature hardware
components and software packages as requested by OIRM.
Funding will be required for product testing,
documentation and policy development/implementation.
e. The Office of General Counsel is responsible for
advising Agency staff on legal issues pertaining to the
use of electronic signatures, including, but not
limited to:
(1) Admissibility of electronic signature information
in civil or criminal litigation;
(2) Internal Agency disputes when signature audit
trails are questioned;
(3) Appeals for waiver decisions;
(4) Information law issues pertaining to the Freedom
of Information Act, the Privacy Act, and
confidential business information.
f. Senior Information Resources Management Officials
(SIRMOs) are responsible for:
(1) Assuring compliance with this policy and its
procedures on distributed systems operated by
their staff members;
(2) Signing and submitting any waiver requests.
h. Owners of electronic signature applications are
responsible for compliance with the provisions of this
policy.
7. DEFINITIONS.
Access Control - A method of providing security designed to
limit access to computer systems and applications. Types of
access control include:
o User Identification Codes
o Login Control
o Auditing.
Auditing - The practice of recording specific security-
relevant events. By recording these events, it is possible
to detect intrusion attempts by unauthorized users, monitor
undesirable activity at a site, or perform general auditing of
various aspects of systems usage. For example, events that
should be audited include:
o Selected uses of files and hardware devices
o Logins, logouts, and break-in attempts
o Activities of specific users
o Changes to passwords
o Changes to security profiles.
Automated Information Processing - The electronic creation,
processing, and exchange of information without the creation
of corresponding paper media.
Data Decryption - The process of converting ciphertext (an
encrypted message) into readable form.
Data Encryption - A security method which conceals message
meaning by changing intelligible messages to unintelligible
ones. Encryption is the process in which plaintext messages
are converted into apparently random nonsense, called
ciphertext, using an encryption algorithm and a data
encryption "key".
Data Encryption Key - A bit string that controls a data
encryption algorithm. The data encryption algorithm will
produce a different output depending on the specific key
used.
Electronic Record - Any information that is recorded in a
form that only a computer can process and that satisfies the
definition of a Federal record in 44 USC 3301 (see "Records"
below).
Electronic Reporting - The computer-to-computer exchange of
information in a standard format via either an electronic
(e.g., dial-up telecommunications links, dedicated computer-
to-computer links) or magnetic (e.g., diskettes, tapes)
medium.
Electronic Signature - A data element, entered into a
computer by an authorized person, that is used for noting
the ownership, approval, acceptance, or certification of
another object (e.g., a document or message). Electronic
signatures provide the same validation and authentication
capabilities as hand written signatures.
Encryption Key Management - The generation, distribution,
entry, and destruction of encryption keys. While data
encryption algorithms are publicly known, depending on the
specific key used, a unique output will be produced.
Therefore, it is the encryption key that provides the
desired security. Two key management systems exist:
o Private key management
o Public key management.
Form - For the purpose of this policy, any paper or
electronic document with blanks for the insertion of data or
information, circulated within EPA, that requires approval
involving signature certification (e.g., travel
authorization, travel voucher, procurement request/purchase
order, etc.).
Internal Reporting - For the purpose of this policy, the
distribution or exchange of information within the EPA and
between EPA and any entities with which the Agency has a
contractual relationship.
Login Control - Specifies the conditions users and programs
must meet for gaining access to a system. For example, a
user usually requires a valid user ID and password before
access to a system is provided. Additional methods used to
control login include:
o Type of computer login (e.g., local, dial-up, remote,
network, batch)
o Type of terminal or remote computer
o Time of day/day of week.
Message Authentication - A method of detecting changes to a
message after it has been signed electronically. After
signing a message, the sender calculates a Message
Authentication Code (MAC) based on the contents of the
message. This code is appended to the message and
transmitted. The message recipient performs the same
calculations on the received message. If the calculated MAC
and the received MAC are the same, the message was not
altered after the message was signed.
Message Authentication Code (MAC) - The code used by message
authentication systems to validate transmitted messages.
This code is calculated by performing a series of
mathematical calculations on a signed message.
Private Key - A cryptographic key used with a public key
cryptographic algorithm, uniquely associated with an entity,
and not made public.
Public Key - A cryptographic key used with a public key
cryptographic algorithm, uniquely associated with an entity,
and possibly made public.
Public Key (Asymmetric) Cryptographic Algorithm - A
cryptographic algorithm that uses two related keys, a public
key and a private key; at least one of the two keys is the
cryptographic inverse of the other such that data encrypted
by the one key can be decrypted by the other; further, the
two keys have the property that given the public key it is
computationally infeasible to derive the private key.
Records - (From 44 USC 3301) In records management parlance,
this term refers to recorded information of continuing
administrative, fiscal, legal, historical or informational
value, including published materials, papers, maps,
photographs, microfilm, audiovisual, machine-readable
materials (ADP tapes/disks) or other documentary material,
regardless of physical form or characteristics, made or
received by the agency that evidences organization,
functions, policies, decisions, procedures, operations or
other activities of the Government.
Risk Analysis - The process of methodically and
comprehensively examining a system to identify the areas
that pose a threat of failure to the system.
Secret Key - A cryptographic key used with a secret key
cryptographic algorithm, uniquely associated with one or
more entities, and not made public.
Secret Key (Symmetric) Cryptographic Algorithm - A
cryptographic algorithm that uses a single, secret key for
both encryption and decryption.
Signature Authentication - A code, used to identify the
sender, appended to a message before transmission. This
code is validated by the message recipient. A variety of
user authentication techniques exist, including:
o Personal identification numbers (PINs)
o Passwords
o Facsimile signatures.
User Identification Codes (User ID) - A code used to
identify system users to applications, data, devices, or
services. If an invalid user ID is used, then access to the
system or application is denied.
8. WAIVERS.
Requests for waivers from specified provisions of the policy
may be submitted to the Director of the Office of
Information Resources Management. Waiver requests must be
signed by the relevant Senior IRM Official prior to
submission to the Director, OIRM.
a. Waiver Procedures:
(1) Agency offices must submit any waiver requests to
the Director, OIRM.
(2) The Director, OIRM has sole authority to grant a
waiver. Decisions may be appealed to the
Assistant Administrator, OARM.
9. GUIDELINES.
a. Existing Technology Solutions for Electronic
Signatures. EPA
b. Electronic Forms and Authentication Practices. General
Services Administration.
c. Federal Records Management. National Archives and
Records Administration (NARA) 36 CFR 1220
d. LAN System Manager Guidance. EPA
e. LAN Security Documents. EPA
f. EPA Information Security Manual.
g. EPA Information Security Manual for Personal Computers.
h. EPA Risk Analysis Guidelines. OIRM. [Draft]
i. Data Encryption Standard - FIPS Publication 46-1,
National Institute of Standards and Technology,
January, 1988
j. Public Key Cryptography. Special Publication 800-2,
National Institute of Standards and Technology,
April, 1991
10. EFFECTIVE DATE.
a. All existing Agency systems utilizing electronic
signatures must be reported to the Director, OIRM,
within 120 days of the effective date of this policy.
b. Existing systems already employing electronic
signatures will have 3 years from the effective date to
comply with the policy.
IRM POLICY MANUAL 2100 CHG 6
9/28/94
CHAPTER 17 - SYSTEM LIFE CYCLE MANAGEMENT
1. PURPOSE. This policy establishes the life cycle
requirements of EPA's automated information application
systems. Roles and responsibilities for implementing these
requirements are also delineated. Observance of these
requirements will ensure full value is obtained from Agency
investments in data and information systems.
2. SCOPE AND APPLICABILITY. All automated information
application systems that are developed, produced or
maintained by or for the EPA are subject to this policy.
Formal review requirements vary according to system category
(see Exhibit 17-A). This policy applies to all EPA
organizational units and their employees. It also applies
to agents of the EPA who support the initiation, analysis,
design, development, operation and retirement of Agency
information systems.
3. BACKGROUND.
a. The Agency depends on information to accomplish its
mission; EPA's data and information systems are among
its most valuable assets and are critical to the
Agency's ability to provide the public with access to
environmental information.
b. Development of information systems is difficult, and
often complex and expensive. Agency system life cycle
management requirements are designed to meet applicable
Federal requirements, ensure management involvement at
key decision points, obtain and sustain corporate
commitment for information systems, and coordinate
information systems-related activities.
c. System life cycle management promotes involvement by
users, program managers and information resource
managers in system development and enhancement efforts.
It establishes a process by which Agency managers are
directly accountable for making key decisions about how
resources are expended for system development and
enhancement efforts.
d. EPA relies frequently upon contractors and other agents
for assistance in building and operating its
information systems. System life cycle management
establishes practices and periodic review requirements
that mitigate the uncertainties involved in using
extramural support.
e. EPA is committed to managing its information systems in
a cost effective manner and ensuring its systems meet
mission needs. Using guidance provided by oversight
agencies including the Office of Management and Budget
(OMB), the General Services Administration (GSA), and
the General Accounting Office (GAO), the Agency
conducts periodic reviews to assess how well its
systems are meeting these key objectives.
4. AUTHORITIES.
a. 44 U.S.C. Chapter 35, Paperwork Reduction Act of 1986.
b. EPA Hardware and Software Standards.
c. Federal Records Act of 1950, as amended (44 U.S.C.
Chapter 3101-3107, Records Management by Federal
Agencies).
d. OMB Circular No. A-11, Exhibit 43, Data on Acquisition,
Operation, and Use of Information Technology Systems,
May 28, 1986.
e. OMB Circular No. A-130, Management of Federal
Information Resources, June 25, 1993.
f. FIRMR 201-2, Designated Senior Officials.
g. FIRMR Subchapter B, Management and Use of Information
and Records, Part 201-6, Predominant Considerations.
h. FIRMR Subchapter C, Management and Use of FIP
Resources, 201-17, Predominant Considerations.
i. FIRMR 201-22, Review and Evaluation.
5. POLICY.
a. All information systems shall support the mission of
the Agency. Plans for information systems shall be
included in Agency and organizational budget and
planning processes as appropriate (see Chapter 2 on
Mission-Based Planning).
b. System life cycle management at EPA is based on a set
of generic stages in a typical system development or
enhancement project. EPA does not require use of a
specific system life cycle methodology, as this would
be unduly restrictive when uniformly applied across the
wide range of EPA's varied information systems
development and enhancement projects.
c. The generic information system life cycle at EPA
consists of eight major stages:
(1) Initiation - a request for the development of a
system to meet a need for information or to solve
a problem for the individual making the request.
(2) Requirements analysis - determination of what is
required to automate the function(s) identified by
the organization.
(3) Design - the stage that specifies the automated
and manual functions and procedures, the computer
programs, and data storage techniques that meet
the requirements identified and the security and
control techniques that assure the integrity of
the system.
(4) Programming - coding of the program modules that
implement the design.
(5) Testing and quality assurance - ensuring that the
system works as intended and that it meets
applicable organization standards of performance,
reliability, integrity and security.
(6) Installation and Operation - incorporation and
continuing use of the new system by the
organization.
(7) Maintenance/enhancement - Resolving problems not
detected during testing, improving the performance
of the product and modifying the system to meet
changing requirements. (Full-scale enhancements
require full life cycle analysis.)
(8) Retirement - the stage which ends use of the
system.
New systems development and enhancement/replacement
projects must go through these eight major stages noted
above. Systems may cycle through various stages
multiple times. Developers of EPA information systems
shall consult with the intended user community
throughout the systems' life cycle to ensure the system
is meeting mission needs.
d. The way a specific methodology is applied to the
generic life cycle must be documented (see section 5.e).
e. Appropriate levels of management shall review and
approve or disapprove system development or
enhancement/replacement projects. These reviews by
management shall occur, at a minimum, at the end of
each stage of the generic life cycle as implemented for
the chosen methodology. These management decisions
shall be documented by means of signatures on formal
decision papers. For new system development or
enhancement projects, the first two decision papers
have special characteristics.
(1) The System Charter decision paper, which is
developed during the initiation stage of a new
system development or enhancement project, shall
document:
a) the information management and mission
need(s) to be met;
b) the intended user community;
c) the sponsoring organization(s);
d) the projected time frame for the project;
e) the likely system category, based on expected
scope and cost (see Exhibit 17-A);
f) a preliminary estimate of the range of
potential life cycle costs;
g) the appropriate management levels for review
and approval of decision papers; and
h) the manager of the system.
(2) The System Management Plan (SMP) decision paper
shall be produced at the conclusion of the
analysis stage and shall be updated as the project
progresses. Exhibit 17-A sets forth required
Agency management review levels for SMPs. The SMP
shall subsume the System Charter and shall include
at a minimum:
a) the system's purpose, mission need, and
goals;
b) the system's scope, including the system's
funding organization(s), intended primary and
secondary user community and any known or
intended interactions with other systems;
c) assumptions and constraints influencing the
system;
d) the life cycle methodology to be used in
managing the system's life cycle and its key
decision points;
e) the appropriate levels of management review
and approval;
f) the projected date to begin operation and an
estimate of total system life from initiation
to retirement;
g) an estimate of total life cycle costs, broken
out by stages;
h) an acquisition strategy and alternatives;
i) a cost-benefit analysis including an analysis
of technical alternatives;
j) a description of the system's architectural
context, technical requirements, anticipated
security issues, platform and network
capacity needs; and
k) the system's data architecture, in
compliance with Agency and Federal data
standards.
(3) Following are the minimum contents required for
formal decision papers other than those produced
for the Charter and the System Management Plan:
a) the current status of the system;
b) an estimate of the cost of the next stage(s)
for which approval is sought in the decision
paper and an assessment of projected vs.
actual costs to date;
c) a description of the work to be accomplished
in the next stage(s) of the system
development or enhancement project;
d) identification of any programmatic policy or
procedural decisions needed to address
constraints influencing the success of the
next stage(s); and
e) an analysis of appropriate alternatives.
(4) System Management Plans shall link appropriately
with Agency and Organizational IRM Strategic and
Multi-Year Implementation Plans.
(5) No more than 15% of the estimated cost of the next
stage or $250,000, whichever is less, may be
expended prior to approval of the formal decision
paper.
(6) The SMP shall be updated to reflect actual and
planned changes as new system decision papers are
approved and a baseline version of the SMP shall
be retained for reference.
(7) Throughout the life cycle of the system,
management of the system shall be conducted in
accordance with the SMP, as updated.
f. EPA personnel shall develop all decision papers to
ensure government control over system decisions. EPA
staff may use any and all available source material,
including contractor-generated material, in the
development of formal decision papers.
g. The EPA Executive Steering Committee for Information
Resources Management (IRM) and all other EPA managers
involved in reviewing system decision papers shall
provide decisions within 30 days of receipt of the
decision paper.
h. All systems shall be categorized in one of the
following four types:
(1) Major Agency Systems,
(2) Major AAship/Regional Systems,
(3) Significant Program Office Systems, and
(4) Local Office or Individual Use Systems.
Each category reflects a combination of factors such as
the system's cost and organizational scope. See
Exhibit 17-A for the specific thresholds which
determine a system's category.
i. The level of detail for decision papers shall be
appropriate to the category of the system. The
approving managers may establish more extensive
decision point requirements for individual systems than
required by this policy.
j. All information systems shall comply with appropriate
Federal and Agency IRM policies, standards, and
procedures throughout their life cycles. Recognizing
that legacy systems may not conform completely with
current Agency architectures and standards, system
enhancement projects shall move into conformance with
these architectures and standards, as appropriate, as
projects proceed.
k. To maximize the return on the Agency's investment in
its information systems, sufficient documentation is
needed at each stage of the life cycle to support
effective management of Agency resources and to
facilitate the interchange of information among
managers, developers, programmers, operators and users.
The following are key documents (in addition to the
system charter, system management plan, and decision
papers) produced at different stages of the system life
cycle:
(1) needs statement and initiation request
(2) feasibility study
(3) risk analysis
(4) cost/benefit analysis
(5) functional requirements analysis
(6) functional security and internal control
requirements analysis
(7) data requirements analysis
(8) data management plan
(9) quality assurance plan
(10) system/subsystem, program and database
specifications
(11) validation, verification and testing plan and
specifications
(12) system acceptance plan
(13) schedules for each phase and records of schedule
changes
(14) user manual
(15) operations/maintenance manual
(16) installation conversion plan
(17) test analysis and security evaluation report
(18) software maintenance plan
(19) post implementation review plan
(20) evaluation and assessment of information system
obsolescence
(21) change control memos or forms
(22) system security plan
(23) disaster recovery plan
6. RESPONSIBILITIES.
a. The Designated Senior Official (DSO) for IRM is
responsible for establishing policies and procedures to
implement all Federal IRM mandates including, but not
limited to, the Paperwork Reduction Act of 1980 and its
amendments (P.L. 96-511), Federal Information
Processing Standards (FIPS), Federal IRM Regulations
(FIRMR), OMB Circular No. A-130 (Management of Federal
Information Resources), OMB Circular No. A-11 (Data on
Acquisition, Operation, and Use of Information
Technology Systems) and other Federal regulations.
b. EPA's Executive Steering Committee for IRM is
responsible for review and approval/disapproval of
System Management Plans for systems which meet any of
the following criteria:
(1) Mission critical for multiple AAships;
(2) Mission critical for multiple Regions;
(3) Agency core financial system;
(4) Estimated costs exceed $25 million over the life
of the system;
(5) Estimated costs exceed $5 million in one year.
c. The Assistant Administrators, Associate Administrators,
Regional Administrators, Laboratory Directors,
Headquarters Staff Directors, General Counsel, and the
Inspector General are responsible for:
(1) Ensuring compliance with system life cycle
management policies, procedures and standards.
(2) Managing the system life cycle, process and
products within their organizations in compliance
with Agency and Federal policy.
(3) Reviewing and approving/disapproving System
Management Plans for systems sponsored by their
organization which meet any of the following
criteria:
a) Mission critical for their AAship or a joint
mission critical project with another AAship
or Region;
b) Agency core financial system;
c) Estimated to exceed $10 million throughout
the lifecycle or $1 million in annual costs.
d. The Senior IRM Officials (SIRMOs) for the
organization(s) funding the project(s) are responsible
for:
(1) Reviewing and approving/disapproving System
Management Plans for systems sponsored by their
AAship or Region;
(2) Coordinating all reviews and approvals outside the
Office Directorship, such as the Executive
Steering Committee for IRM, Assistant or Regional
Administrator, and Director of the Office of
Information Resources Management (OIRM).
e. The Director, OIRM is responsible for:
(1) Reviewing and approving/disapproving System
Management Plans for projects meeting any of the
following criteria before they go to the
Executive Steering Committee for IRM:
(a) Mission critical for one or more AAships or
Regions;
(b) Agency core financial system;
(c) Estimated to exceed $25 million over the
life of the system or $5 million in annual
costs.
(2) Conducting, at his/her discretion, additional
system life cycle management reviews to complement
the reviews required to be conducted periodically
by system sponsors.
f. The Director, National Data Processing Division is
responsible for providing technical consultation to
reviewers of System Management Plans concerning the
description of the system's architectural context,
technical requirements, anticipated security issues,
platform and network capacity needs to ensure
conformance with the Agency's technology architecture.
g. System Sponsors are responsible for:
(1) Reviewing and approving/disapproving system
decision papers.
(2) Conducting periodic system life cycle management
reviews to evaluate costs and efficiency of
operation, and ensure the system is continuing to
meet mission needs.
h. System Managers are responsible for:
(1) Managing the system's life cycle process and
products within their program(s) in compliance
with Agency and Federal policy.
(2) Preparing System Management Plans and other
decision papers.
(3) Obtaining review and approval of all decision
papers.
i. The Office of Acquisition Management and the Office of
Grants and Debarment are responsible for ensuring that
this policy is incorporated, as appropriate, in
Requests for Proposals, contracts, interagency
agreements, cooperative agreements, and grants.
j. Each EPA employee engaged in system life cycle
management activities is responsible for conforming to
this policy, and related procedures and standards.
7. DEFINITIONS.
a. "Agents of EPA" refers to anyone who is directed to use
EPA resources.
b. "Applications system" refers to an information system
composed of one or more units of software supported by
automated data processing equipment (ADPE) and
automating the work methods and procedures to collect,
store, process and disseminate information to support
specific agency missions.
c. "Application systems life cycle management" is the
process of administering an application system over its
entire life cycle, from the time span between the
establishment of a need for a system to the end of its
operational use. The life cycle is divided into
discrete phases with formal milestones established as
points of management controls.
d. "Appropriate level of management" is the first level of
management whose scope of responsibility includes the
Agency major user and funding organization(s). For
example, if a system is used or funded by multiple
AAships and/or Regions, those AAs and RAs sponsoring
the project and the Executive Steering Committee for
IRM are the appropriate level of management. If its
use and funding is restricted to one organization, that
organization's manager is the appropriate level of
management.
e. "Decision papers" describe system activities which
require management approval. The complexity and
formality of the decision papers should be appropriate
to the system's category.
f. "Decision points" refer to specific points in a
system's life cycle. The generic decision points in a
life cycle are at the junctures between each of the six
stages identified in the generic life cycle.
g. "Decision Threshold" refers to the level of system
review and approval authority required for system
decisions as determined by the category of information
system.
h. "Guidance" refers to a recommended approach that
promotes compliance with policies and procedures. It
includes hints, examples, and lessons-learned.
i. "Information" refers to any communication or reception
of knowledge (e.g., facts, data or opinions) in any
medium or form, including textual, numerical, graphic,
cartographic, narrative or audiovisual forms.
j. "Information Application System" refers to the
organized collection, processing, maintenance,
transmission, and dissemination of information in
accordance with defined procedures. Models are
included in this definition.
k. "Information resources management activities" refers to
planning, budgeting, organizing, directing, training,
and administrative control associated with government
information resources. The term encompasses both
information itself and the related resources, such as
personnel, equipment, funds, and information
technology.
l. "Information system category" refers to the manner in
which systems are classified according to a combination
of factors including the system's type, cost, and
organizational scope in terms of use and funding. All
systems are categorized in one of the following four
categories:
(1) Major Agency Systems;
(2) Major AAship/Regional Systems;
(3) Significant Program Office Systems;
(4) Local Office or Individual Use Systems.
See Exhibit 17-A for the specific thresholds which
determine a system's category.
m. "Major information system" refers to a system that
requires special continuing management attention
because of its importance to an agency mission; its
high development, operating or maintenance costs; or
its significant impact on the administration of agency
programs, finances, property, or other resources.
n. "Mission critical" refers to a system whose operation
is essential to the organization's mission.
o. "Procedures" refer to instructions on how to perform
work in order to meet the established standards. They
should explain in detail the method to complete a task
or job. Forms and work flows are considered
procedures.
p. "Standards" refer to the measures by which
implementation of policy can be determined. They
provide a basis of comparison, and are objective,
clear, concise, technical descriptions. They are
usually determined externally (e.g., Federal
Information Processing Standards).
q. "System" refers to an organized set of functions, data,
procedures, hardware, software, communications and/or
documentation which enables an organization to solve a
specific information management problem. A system need
not be automated, but most instances of life cycle
management apply to automated systems.
r. "System Charter" documents the information management
problem to be resolved, the scope of the problem in
terms of the user, sponsoring and funding
organization(s), the time frame, the likely system
category, the appropriate level of management for
review and approval, and manager of the system.
s. "System development or enhancement project" refers to
the creation of new systems, enhancement of an existing
system, or perfective, adaptive, corrective maintenance
of an existing system, for which the estimated cost
would exceed $100,000. A system development or
enhancement project typically encompasses all eight
stages of the generic information system life cycle.
t. "System life cycle" refers to the complete time span of
a system from the origin of the idea that leads to the
creation of the system to the end of its useful life.
The stages of the life cycle are as defined in section
5.c. of this policy. There is obviously variance in
life cycle periods among systems. To calculate total
life cycle costs, a defined life cycle period needs to
be established for each system development/modification
project. Twelve years is cited in a number of
references as an average system life cycle period.
u. "System life cycle costs" refers to sum total of the
direct, indirect, recurring, nonrecurring, and other
related costs incurred, or estimated to be incurred, in
the design, development, production, operation,
maintenance, and support of a system over its
anticipated useful life span. Costs include but are
not limited to equipment, software, personnel (both
Agency and contractor), timeshare, and
telecommunications.
v. "System life cycle methodology" refers to the formal
documentation of the phases of an information system,
beginning with the initiation through to the retirement
phase. The methodology describes the precise
objectives for each phase and the results required for
each phase before the next one can commence. It may
provide specialized forms for the presentation of the
documentation throughout each phase.
w. "System Management Plan" (SMP) is the key document
which provides the overall framework for the management
of the system. Basic components of the SMP are
addressed in Section 5.f(2) of this policy.
x. "System sponsor" refers to the manager of any EPA
organizational unit which funds an information system.
Generally, the system sponsor will be the same as the
appropriate level of management for decision paper
approval.
8. PROCEDURES, STANDARDS AND GUIDANCE. The Office of
Information Resources Management will issue procedures,
standards and guidance for Agency system life cycle
management under separate cover. Other relevant Federal and
Agency guidance documents which should be followed are noted
below:
a. FIPS PUB 38, Guidelines for the Documentation of
Computer Programs and Automated Data Systems,
February 15, 1976.
b. FIPS PUB 64, Guidelines for Documentation of Computer
Programs and Automated Data Systems for the Initiation
Phase, August 1, 1979.
c. FIPS PUB 65, Guideline for ADP Risk Analysis, August 1,
1979.
d. FIPS PUB 73, Guidelines for Security of Computer
Applications, June 30, 1980.
e. FIPS PUB 101, Guidelines for Life Cycle Validation,
Verification and Testing of Computer Software, June 6,
1983.
f. FIPS PUB 102, Guideline for Computer Security
Certification and Accreditation, Sept. 27, 1983.
g. FIPS PUB 105, Guidelines for Software Documentation
Management, June 6, 1974.
h. FIPS PUB 106, Guidelines on Software Maintenance, June
15, 1984.
i. FIPS PUB 124, Guideline on Functional Specifications
for Database Management Systems, Sept. 30, 1986.
j. OMB Circular 94, Guidelines and Discount Rates for
Benefit-Cost Analysis of Federal Programs; October 29,
1992.
k. OMB Circular 109, Major Systems Acquisitions, April 5,
1976.
l. EPA Information Technology Architecture Road Map.
Exhibit 17-A

THRESHOLD CRITERIA
(System category is determined by the highest threshold reached
under either the scope OR cost criteria.)

SYSTEM CATEGORY 1. Major Agency System
Scope: Mission Critical for Multiple AAships or Regions; or
Agency Core Financial System
Cost: >$25 million throughout the lifecycle or $5 million
annually
SYSTEM MANAGEMENT PLAN (SMP) MUST BE REVIEWED BY: Funding Org.
AA/RA, Dir. OIRM, Exec. Steering Comm. for IRM.

SYSTEM CATEGORY 2. Major AAship or Regional System
Scope: Mission Critical for 1 AAship or Regional Office
Cost: >$10 million throughout the lifecycle or >$1 million
annually
SYSTEM MANAGEMENT PLAN (SMP) MUST BE REVIEWED BY: Funding Org.
SIRMO(s) & AA/RA

SYSTEM CATEGORY 3. Significant Program Office System
Scope: Mission Critical in Program Office
Cost: >$2 million throughout the lifecycle or >$100,000
annually
SYSTEM MANAGEMENT PLAN (SMP) MUST BE REVIEWED BY: Funding Org.
SIRMO(s)

SYSTEM CATEGORY 4. Local Office or Individual Use System
Scope: Systems Below Category 3 Thresholds
Cost: <$100,000 annually for one project
SYSTEM MANAGEMENT PLAN (SMP) MUST BE REVIEWED BY: SIRMO or
official designee
IRM POLICY MANUAL 2100 CHG 8
5/1/95
CHAPTER 18 - ACQUISITION OF FEDERAL INFORMATION PROCESSING
RESOURCES
1. PURPOSE. This policy establishes principles and
requirements that govern the acquisition of Agency Federal
Information Processing (FIP) resources. It also defines the
roles and responsibilities for implementing these principles
and requirements to ensure appropriate management
accountability.
2. SCOPE AND APPLICABILITY. This policy applies to all EPA
organizations and their employees. It also applies to
personnel who are involved in the acquisition of FIP
resources for the Agency.
3. BACKGROUND.
a. The Federal Information Resources Management Regulation
(FIRMR) is the principal regulation governing the
acquisition of FIP resources.
b. FIP resources include the following major categories:
equipment, software, services, support services
(including maintenance), and related supplies and
systems.
c. Acquisition, as defined in FIRMR Part 201-20, consists
of a series of steps beginning with a requirements
analysis and ending with the implementation of the most
advantageous alternative to satisfy the requirement.
This cyclical set of activities is designed to provide
the Government with efficient and effective technology
and services to support information needs.
d. Acquisition, as defined in FIRMR Part 201-20, also
includes obtaining FIP resources from sources external
to the Agency (e.g., through contracts issued by other
Federal agencies), and through in-house sources (e.g.,
using in-house Agency employees or existing Agency
contracts) or development (e.g., re-engineering
existing software).
e. The General Services Administration (GSA), the Federal
oversight agency which issues the FIRMR, has primary
authority to contract for FIP resources. GSA
redelegates this authority to individual agencies
through a Delegation of Procurement Authority (DPA) to
each agency's Designated Senior Official (DSO) for
Information Resources Management (IRM). An agency's
ability to retain its DPA from GSA depends on how well
it manages this delegation. GSA makes this
determination through its IRM Review Program.
4. AUTHORITIES.
a. Public Law 89-306, Brooks Act, vests in the
Administrator of the GSA the authority and
responsibility to provide for the economic and
efficient purchase, lease, maintenance, operation and
utilization of automated data processing (ADP)
resources by Federal departments and agencies.
b. Public Law 98-369, Competition in Contracting Act,
requires, among other things, that full and open
competition be utilized in the acquisition of supplies
and services, and that specifications not be
unnecessarily restrictive of competition.
c. The Office of Federal Procurement Policy Act contains
provisions regarding inherently governmental functions
and procurement integrity that apply to contractors and
government officials involved with Federal
procurements.
d. 44 U.S.C. Chapter 35, Paperwork Reduction Act of 1986,
significantly expands the Brooks Act definition of
automatic data processing equipment (ADPE) to reflect
the merging of ADP, communications, and related
technologies.
e. The Administrator of GSA redelegates the authority to
contract for FIP resources to agency heads through
Delegations of Procurement Authority (DPA).
f. 41 CFR, Chapter 201.20 and 201.39, FIRMR, provides
Government-wide policies, procedures and guidelines
pertaining to the acquisition and management of FIP
resources. Chapter 201-18 addresses the requirement
for FIP acquisitions to be consistent with agency IRM
plans.
g. 48 CFR, Chapter 15, EPA Acquisition Regulation (EPAAR),
codifies the policies and procedures of EPA which
implement and supplement the FAR.
h. Executive Order 12845, issued April 1993, requires
agencies to purchase energy-efficient computer
equipment.
i. Office of Management and Budget (OMB) Circular A-11,
Section 43, includes a requirement for agencies to
submit information on acquisition plans for information
technology, including telecommunication systems.
j. OMB Circular A-76, Policies for Acquiring Commercial or
Industrial Products and Services Needed by the
Government, contains policies and procedures for
determining whether functions should be performed by
outside sources (such as contractors) or by Government
personnel. The Circular also includes requirements for
performance-based statements of work.
k. OMB Circular A-109, issued August 1976, in part
describes the cycle for the ADP Systems Acquisition
Process.
l. OMB Circular A-130, Management of Federal Information
Resources, establishes policy for the management of
Federal information resources. Among other
requirements, it addresses the need for agencies to
conduct IRM planning, with special focus on the
information lifecycle.
5. POLICY.
a. EPA shall plan, budget and acquire all FIP resources in
a cost-effective manner consistent with the FAR, FIRMR,
and EPAAR, as well as applicable Executive Orders, and
other Federal and EPA IRM-related regulations and
policies. FIP resources shall meet and support the
documented mission-related needs of EPA Program and
Regional Offices, and Laboratories, and shall be
consistent with the Agency's IRM Plans, and technology
and information architectures.
b. Delegations of Procurement Authority are redelegated to
Program and Regional Offices and Laboratories based on
those organizations' demonstrated competence in IRM.
Some factors demonstrating competence include an
organization's compliance with Federal and Agency IRM
and procurement policies, procedures, standards, and
conformance with approved IRM Plans. Other factors
include effective organizational structure, adequate
resources, well-trained staff, and effective
performance in IRM functional areas as well as
procurement management.
c. EPA organizations shall ensure that, when applicable,
acquisition of FIP resources complies with the FIRMR
requirements for Requirements Analysis, Analysis of
Alternatives, and development of an Implementation
Plan. These analyses and the planning documents must
be commensurate with the size and complexity of the FIP
resources needed.
d. EPA organizations shall acquire FIP resources in a
manner that minimizes total lifecycle costs and avoids
duplication of effort and resources.
e. EPA organizations shall ensure that acquisition of
their computer equipment is compliant with energy
efficient requirements as stipulated by Executive Order
12845.
f. EPA organizations shall consider the needs of persons
with disabilities in the acquisition of FIP resources.
These persons may include employees, contractor
personnel and members of the public who may use,
develop, maintain or operate a proposed system.
g. Appropriate information security requirements will be
incorporated into specifications for the acquisition of
FIP resources.
h. EPA organizations shall track FIP resource estimates
and actual costs according to Federal and Agency
planning, budgeting and procurement requirements. In
addition, EPA organizations shall ensure that all
FIRMR-applicable FIP resource-related contract costs
are tracked against the specific ceiling established by
the contract.
6. RESPONSIBILITIES.
a. The Assistant Administrator for Administration and
Resources Management (OARM) is the Designated Senior
Official (DSO) responsible for the conduct of and
accountability for acquisition of FIP resources made
under a DPA from GSA. The DSO may redelegate GSA's
exclusive authorities for FIP resources to qualified
Agency officials. However, such redelegation does not
relieve the DSO from responsibility and accountability
for acquiring FIP resources.
b. The Director, Office of Information Resources
Management (OIRM) is responsible for:
(1) Organizing and managing an Agency-wide IRM
planning process which integrates FIP resources
acquisition activities with IRM planning and
budgeting.
(2) Providing guidance and direction to client
organizations involved in procurement of FIP
resources.
(3) Negotiating and managing the redelegation process
of FIP acquisition authority to client
organizations.
(4) Reviewing and approving procurement packages for
FIP equipment, software, services and/or support
services where this authority for review and
approval has not been further redelegated.
(5) Resolving FIRMR applicability issues in
procurement actions.
(6) Recommending, when appropriate, alternative
acquisition methods or sources, and promoting
coordination with other research, programmatic
and/or Regional IRM efforts.
(7) Developing, in consultation with the client
organization, Implementation Plans for
acquisitions of FIP resources to ensure
conformance and compatibility with the Agency's
technology architecture.
(8) Reviewing and approving, if appropriate, waiver
requests to purchase non-energy efficient computer
equipment and/or non-standard hardware and
software.
(9) Approving and forwarding FIP resource acquisition
Agency Procurement Requests (APRs) to GSA for
approval when a DPA is required.
(10) Coordinating and forwarding progress reports to
GSA, as required in DPAs.
c. The Office of the Administrator, Assistant
Administrators, Associate Administrators, Regional
Administrators, General Counsel, and Inspector General
are responsible for providing effective implementation
of this policy within their respective organizations.
d. Senior IRM Officials are responsible for consulting
with their Senior Resource Officials and other key
management and technical personnel to review and
approve all applicable FIP resource acquisitions and
associated documents to:
(1) Ensure compliance with Federal, EPA and
Program/Regional Office policies, standards,
directives, regulations, approved IRM plans, and
planning and budgeting requirements and processes.
(2) Ensure that FIP resource requirements are not
fragmented into separate procurements in an
attempt to circumvent the delegated thresholds.
(3) Identify, resolve or justify potentially
duplicative procurement activities, as well as
opportunities to "share" FIP resources, within
their organizations and/or with other Agency
organizations.
e. Client organization managers and staff who originate
requirements for acquisition of FIP resources (System
Managers, Project Officers, etc.) are responsible for:
(1) Adhering to the Federal and Agency policies and
procedures governing the acquisition of FIP
resources.
(2) Documenting the initial determination of FIRMR
applicability.
(3) Determining if a DPA is required for their
procurement action and developing an APR, if
needed.
(4) Developing the Requirements Analysis, the Analysis
of Alternatives, and Implementation Plan (if
appropriate) to ensure that the acquisition is
cost effective and fully meets their mission
needs.
(5) Verifying the adequacy and soundness of technical
content, and accuracy and completeness of
documentation.
(6) Obtaining appropriate review and approval from
their organization's Senior IRM Official and other
key officials noted in this policy.
(7) Categorizing and tracking FIP resource estimates
and actual costs according to Federal and Agency
planning, budgeting and procurement requirements.
(8) Tracking FIRMR-applicable FIP resource costs in
contracts to ensure the DPA is not exceeded and to
allow appropriate budgetary reporting.
(9) Submitting progress reports to OIRM, as required
by the DPA.
f. The Office of Acquisition Management (OAM) is
responsible for:
(1) The acquisition of the Agency's central
information processing resources, including
telecommunications (voice, video and data).
(2) Providing client organizations with technical
assistance on Federal and Agency procurement laws,
regulations, and policies.
(3) Performing final quality assurance, review, and
approval of all Agency FIP resource acquisitions.
(4) Ensuring that the procurement of FIP resources
includes a well-documented audit trail.
(5) Ensuring that all procurements of FIP resources
comply with Federal and Agency procurement laws,
regulations and policies.
7. DEFINITIONS.
a. Acquisition, as defined in FIRMR Part 201-20, consists
of a series of steps beginning with a requirements
analysis and ending with the implementation of the most
advantageous alternative to satisfy the requirement
(e.g., actual award of the contract). Acquisition also
includes obtaining FIP resources from sources external
to the Agency, and through in-house sources or
development.
b. Acquisition Lifecycle is the period covering all
acquisition-related activities. The lifecycle begins
when Agency needs are established and ends with the
disposal of the FIP resources.
c. Agency Procurement Request (APR) is a request to GSA by
an agency for contracting authority above their
regulatory or specific agency delegation.
d. Analysis of Alternatives is the process of identifying,
analyzing and documenting feasible alternatives that
satisfy requirements for FIP resources.
e. Automated Data Processing (ADP) refers to the
production, conversion, reduction, destruction,
storage, transfer or communication of data by
electronic digital computers and related peripheral
devices. The term "electronic data processing" (EDP)
and ADP are frequently used interchangeably with no
significant distinction. Automated data processing may
be performed by a stand-alone unit or by several
connected units.
f. Delegation of Procurement Authority (DPA) is the
authority provided by the GSA to Federal agencies which
allows them to contract for FIP resources above the
dollar ceilings found in regulatory or specific agency
delegations.
g. Federal Information Processing (FIP) Equipment is any
equipment or interconnected system or subsystem of
equipment used in the automatic acquisition, storage,
manipulation, management, movement, control, display,
switching, interchange, transmission, or reception of
data or information.
h. Federal Information Processing (FIP) Resources include
equipment, software, services, support services
(including maintenance), and related supplies and
systems.
i. Federal Information Processing (FIP) Software is any
software, including firmware, specifically designed to
make use of and extend the capabilities of FIP
equipment.
j. Federal Information Processing (FIP) Supplies are any
consumable item designed specifically for use with FIP
equipment, software, services, or support services.
k. Federal Information Processing (FIP) Support Services
are any commercial, non-personal services, including
FIP maintenance, used in support of FIP equipment,
software, or services.
l. Implementation Plan describes the tasks,
responsibilities, resources and schedules necessary to
ensure successful implementation of the FIP
acquisition.
m. Information architecture refers to the technologies,
interfaces, and geographical locations of functions
involved within an agency's information activities.
n. Life Cycle Costs refers to the sum total of the direct,
indirect, recurring, nonrecurring, and other related
costs incurred, or estimated to be incurred, in the
design, development, production, operation,
maintenance, and support of a system over its
anticipated useful life span. Costs include, but are
not limited to, equipment, software, personnel (both
agency and contractor), timeshare and
telecommunications.
o. Requirements Analysis is the process of determining and
documenting an agency's requirements for FIP resources.
p. Technology architecture refers to the configuration of
the Agency's hardware platforms, software tools and
data communications that together form the
infrastructure within which the Agency's information
systems operate.
8. PROCEDURES AND GUIDELINES. Procedures and guidelines
regarding EPA acquisition of FIP resources will be issued
under separate cover. The GSA publishes an Acquisition
Guide Series to help promote effective and efficient
acquisition of FIP resources. These Guides are available
from the GSA IRM Reference Center, 18th and F Streets, NW,
Washington, DC 20405; telephone (202) 501-4860. See Chapter
17 of the EPA IRM Policy Manual for the Agency's policy on
system life cycle management.
-------
IRM POLICY MANUAL 2100 CHG 9
7/17/95
Chapter 19 - INFORMATION AND DATA MANAGEMENT
1. PURPOSE. The purpose of this chapter of the Environmental
Protection Agency's (EPA's) IRM Policy Manual is to:
a. Assure the utility of EPA's information and data in
meeting legislative and mission requirements.
b. Establish principles for EPA's management of
information and data.
c. Implement those components of Federal information
management policy relating to information and data
management as articulated in OMB Circular A-130,
Management of Federal Information Resources.
d. Assign organizational responsibilities for EPA's
management of information and data.
e. Establish the EPA Information and Data Management
Program to implement this policy and to enable
integration of information and data across
environmental programs.
2. SCOPE AND APPLICABILITY.
a. This policy applies to all EPA employees and their
agents involved in EPA's information and data
management activities. These activities include
management of information and data from planning,
through creation, processing, dissemination, use, and
storage to disposition. They also include all
activities related to sharing and integration of
information and data.
b. This policy explicitly applies to the implementation of
any information or data management related requirement
in any EPA enabling legislation or regulation.
c. This policy explicitly applies to all information or
data management related activities encountered in the
preparation of proposed legislation and regulations by
EPA officials and staff.
d. AUTHORITIES.
e. The Paperwork Reduction Act of 1980 (44 U.S.C. Chapter
35) as amended.
f. Office of Management and Budget Circular A-130,
Management of Federal Information Resources.
3. BACKGROUND.
a. The Environmental Protection Agency, like other
governmental agencies and private organizations working
to protect the environment worldwide, relies upon the
availability of accurate information in fulfilling its
mission. Some information used by EPA is created by
the Agency itself. Other information, equally critical
to EPA's mission, is created by State and local
governments or private industry and submitted to or
shared with EPA according to agreements.
Fulfillment of EPA's environmental mission requires the
active, coordinated efforts of partners within
government, private industry and the public. Sharing
of information and data with all organizations and
individuals working for protection of the environment
enhances the effectiveness of EPA and its partners in
fulfilling that mission. EPA information once
considered of interest to only one media area (such as
water or air) is now understood to be of importance
Agencywide. Identification and documentation of Agency
information requirements will help make integration and
sharing of information and data feasible, effective and
efficient.
b. The Paperwork Reduction Act established a broad mandate
for agencies to perform their information management
activities in an efficient, effective, and economical
manner. It also assigned the Director of the Office of
Management and Budget responsibility for maintaining a
comprehensive set of information resources management
policies, and for promoting the application of
information technology to improve the use and
dissemination of information in the operation of
Federal programs. To fulfill these responsibilities,
OMB issued and maintains Circular No. A-130, Management
of Federal Information Resources.
Circular A-130 requires agency heads to develop and
implement internal agency information policies that
conform to the policies set forth in the Circular.
These Circular A-130 policies address the twofold
definition of information resources management as
stated in the Circular (i.e., information itself and
the resources associated with information). These
policies are further titled "Information Management" -
the management of Federal information; and "Information
Systems and Information Technology Management" - the
planning, acquisition, operation, and management of
Federal information systems and technology.
Further, Circular A-130 assigns to the Department of
Commerce responsibility for the development and
issuance of Federal Information Processing Standards
and guidelines necessary to ensure the efficient and
effective management and use of information technology.
Those standards and guidelines are published by the
National Institute of Standards and Technology.
This chapter of the IRM Policy Manual addresses
information and data management aspects of EPA's
internal management practices for information,
information activities, information systems, and
information technology as specified in Circular A-130.
It is responsive to the following broad objectives:
(1) managing information as a valuable strategic
resource, as important as financial and personnel
resources;
(2) enhancing the value of data by assuring its
accuracy, integrity and availability;
(3) performing information and data management
activities in an integrated, efficient, effective,
and economical manner;
(4) maximizing the usefulness of information and data,
improving service delivery to the public, reducing
information collection burden on the public, and
lowering the cost of program administration; and
(5) recognizing changes in the technical, legal and
operational environment EPA faces when managing
information technology.
c. This policy is intended to be read in the context of
the entire IRM Policy Manual. It is not comprehensive
in covering the requirements of Circular A-130, and it
is not intended to be considered in isolation from
other EPA IRM policies articulated in this manual.
4. POLICY.
a. EPA information and data resources will support Agency
missions and programs as agreed upon in Agency
strategic plans. EPA shall collect or create only that
information and data necessary for the proper
performance of agency functions and which has practical
utility. Practical utility is understood to include
such qualities of information as accuracy, adequacy,
and reliability.
b. EPA information and data resources will be treated as
Agency resources and managed in a reasonable,
efficient, effective, and economical manner. EPA will
plan in an integrated manner for managing information
and data throughout its life cycle. Agency information
and data management plans will consider the creation,
collection, processing, dissemination, use, storage,
and disposition of information and data resources.
c. EPA information and data requirements will be
identified, defined, and documented. Agency
information and data requirements, including
appropriate security requirements, will be identified
and defined in the routine course of system
development, re-engineering, or enhancement. The
information requirements that each information system
is intended to meet will be documented.
d. Information and data collected and stored by EPA will
be identified, defined and documented. EPA will
maintain an inventory of the information and data in
Agency information systems.
e. Documentation of EPA information and data requirements
and collections will be shared. To the extent
permitted by the confidentiality requirements of
Federal law, regulation, and policy, EPA will share
Agency metadata in order to improve the compatibility
and efficiency of Agency information systems and
improve access to Agency information and data resources
for all potential users, including the public.
f. Documentation of EPA information and data requirements
and collections will address the quality of the data.
To enable the fullest use of EPA information and data
resources, all necessary steps will be taken to ensure
that data are of known and specified quality. Quality
is understood to include such characteristics as
accuracy, adequacy, and reliability.
g. EPA will promote information and data exchange and
sharing. To the extent permitted by the
confidentiality requirements of Federal law,
regulation, and policy, the Agency will support
efficient use and effective stewardship of information
and data resources by exchanging and sharing
information and data both within and outside the
Agency.
h. EPA will use Agency-wide standards to establish
essential information and data resources management
controls. The Agency will adopt applicable
international, national and Federal Information
Processing Standards for data where appropriate or
required. When needed, Agency-specific standards will
be developed. All preparation of legislation and
regulations as well as information system designs,
developments, redesigns, modernizations,
implementations, and life cycle management will comply
or ensure compliance with Agency data standards.
i. EPA employees will be adequately trained to effectively
manage and use information and data resources.
Decentralization of information technology has placed
the management of information and information
technology directly in the hands of nearly all EPA
personnel. The Agency will ensure that EPA employees
who work with EPA information and data resources have
appropriate knowledge of how to manage and use
information and data.
5. RESPONSIBILITIES.
a. The EPA Designated Senior Official for IRM shall:
(1) Ensure that the Agency Strategic Plan addresses
information management, including information and
data sharing, and includes high-level information
requirements.
(2) Organize and lead the ongoing development of an
Agencywide information architecture identifying
the information and data required to support
Agency missions.
(3) Lead the compilation and ensure the availability
of an inventory of information and data in Agency
information systems.
(4) Lead the development and promulgation of Agency-
wide standards to establish essential management
controls for information and data.
(5) Implement this policy by establishing and
supporting an EPA Information and Data Management
Program and appoint an Information and Data
Management Officer for EPA who shall be
responsible for administration of the Program.
(6) Ensure the coordination required for development
of training responsive to the specific needs of
the EPA Information and Data Management Program.
b. The Information and Data Management Officer shall:
(1) Administer the Information and Data Management
Program.
(2) Participate in the IRM strategic planning and
budgeting process and work to see that sufficient
funds are allocated for information and data
management activities through the budget process.
(3) Develop and promulgate Agencywide standards and
management controls for data resources, working
with the National Institute of Standards and
Technology, other Federal agencies, and non-
Federal organizations, as appropriate, in the
development of data standards.
(4) Direct efforts to develop those components of an
information architecture focusing on data.
(5) Develop and oversee centralized coordination of
mission-related data standardization efforts
Agencywide.
(6) Create a repository to manage and control
essential Agency metadata resources and make these
resources easily accessible within and outside the
Agency.
c. Each EPA Primary Organization Head (see definition)
shall:
(1) Ensure active and appropriate participation of the
Primary Organization in development of the Agency
IRM Strategic Plan.
(2) Ensure that the Primary Organization Strategic
Plan addresses information management, including
information and data sharing, and includes high-level
Primary Organization information
requirements.
(3) Sponsor and support the ongoing development of a
Primary Organization information architecture
identifying the information and data required to
support Primary Organization missions.
(4) Implement the EPA Information and Data Management
Program within the Primary Organization and ensure
that information and data management activities
performed for the Primary Organization by
contractors adhere to Agency information and data
management policy and program requirements.
(5) Contribute to the development of standards by
directing appropriate Primary Organization
management and staff to actively participate in
such development efforts.
(6) Share documentation of information and data
requirements and collections of the Primary
Organization with other EPA Primary Organizations.
(7) Ensure that documentation of EPA information and
data requirements and collections addresses the
quality of the data.
(8) Ensure that Primary Organization employees are
appropriately trained to effectively manage and
use information and data resources.
6. DEFINITIONS. All definitions are taken from Office of
Management and Budget's Circular A-130 or the National
Institute of Standards and Technology's Special Publication
500-208 (March 1993) unless otherwise noted.
a. Data. Facts or figures from which a conclusion can be
drawn. Representation of facts, concepts, or
instructions in a formalized manner suitable for
communication, interpretation, or processing by humans
or by automatic means. Any representations such as
characters or analog quantities to which meaning is, or
might be, assigned.
b. Data (Resources) Management. The responsibilities for
planning and controlling the data resources and
functions of an organization which relate to
collecting, cataloging, processing, storing,
communicating, and disposing of data consistent with
the overall goals and objectives of an enterprise.
c. Data Requirement. A documented need, determined
through analysis, for data resources to meet an
agency's information requirements. (Adapted from "A
Guide for Requirements Analysis and Analysis of
Alternatives," Information Resources Management
Service, U.S. General Services Administration, January
1990)
d. Data Resources. All data created manually or by
automated means that an enterprise treats as a resource
for information used in decision making and problem
solving. (Adapted)
e. Designated Senior Official for IRM. An agency official
with broad responsibility and accountability for
information resources management as defined by the
Office of Management and Budget in Circular A-130.
Within EPA, that official is the Assistant
Administrator for Administration and Resources
Management. (EPA Delegations Manual, Chapter 1-84.
Information Resources Management, 1200 TN 343,
11/29/93.)
f. Information. Any communication or representation of
knowledge such as facts, data, or opinions in any
medium or form, including textual, numerical, graphic,
cartographic, narrative, or audiovisual forms.
g. Information Architecture. A collection of logical
constructs used to define and control the integration
of information systems.
h. Information Life Cycle. The stages through which
information passes, typically characterized as creation
or collection, processing, dissemination, use, storage,
and disposition.
i. Information Management. The application of general
management principles including planning, budgeting,
directing, and controlling the processing, the
handling, and the uses of an organization's
information.
j. Information Requirement. A documented need, determined
through analysis, for information resources to perform
an agency's mission. (Adapted from "A Guide for
Requirements Analysis and Analysis of Alternatives,"
Information Resources Management Service, U.S. General
Services Administration, January 1990)
k. Information Resources. All information created
manually or by automated means that an enterprise
treats as a resource for decision making and problem
solving.
l. Information System. The organized collection,
processing, maintenance, transmission, and
dissemination of information in accordance with defined
procedures, whether automated or manual.
m. Metadata. Information about an organization's
information and data activities. This includes the
characteristics, resources, usage, activities, systems,
and holdings of data.
n. Primary Organization. A component of EPA managed by a
Primary Organization Head (namely, the EPA Deputy
Administrator, Assistant Administrator, Regional
Administrator, the Inspector General and the General
Counsel.) (Derived from EPA Order 1000.24)
o. Primary Organization Head. The EPA Deputy
Administrator, Assistant Administrators, Regional
Administrators, the Inspector General and the General
Counsel. (Derived from EPA Order 1000.24)
8. STANDARDS AND PROCEDURES. EPA data standards and procedures
implementing this policy will be issued under separate
cover.
-------
IRM POLICY MANUAL 2100
7/21/87
APPENDIX A - GLOSSARY
1. Administrative Records - The records which reflect routine,
transitory, internal housekeeping activities relating to
subjects and functions common to all offices.
2. Agency Records Management Officer - The title of the designated
staff official whose responsibility is to plan, develop and
coordinate the agency records management program.
3. Application Security - The set of controls that makes an
information system perform, in an accurate and reliable
manner, only those functions it was designed to perform.
The set of controls includes the following: programming,
access, source document, input data, processing, storage,
output and audit trail.
4. Application Software - Software specifically produced for
the functional use of a computer system, e.g., payroll,
inventory control, environmental monitoring and scientific
modeling.
5. Artificial Intelligence, Expert, or Knowledge-based Systems -
A class of systems that employs decision rules developed
through human experience and from human knowledge to solve
problems that require a high degree of human expertise.
6. Automatic Data Processing - The production, conversion,
reduction, destruction, storage, transfer or communication
of data by electronic digital computers and related
peripheral devices. The term "electronic data processing"
(EDP) and "automatic data processing" (ADP) are frequently
used interchangeably with no significant distinction.
Automatic data processing may be performed by a stand alone
unit or by several connected units.
7. Automatic Data Processing Equipment - Electronic components
and equipment regardless of use, size, capacity or price
that are designed to be applied to the solution or processing
of a variety of problems or applications.
8. Central Processing Unit (CPU) - That part of a computer that
interprets and executes program instruction and communicates
with the input, output and storage devices. It consists of
the control unit and the arithmetic/logic unit.
9. Classified Records - Records which are restricted to
processing or use by cleared individuals, and require special
protection, e.g., "top secret," "secret" or "confidential."
10. Commercially Available Software - Software that is available
through lease or purchase in the commercial market from a
concern representing itself to have ownership or marketing
rights in the software. Software that is furnished as part
of the ADP system but that is separately priced is included.
11. Confidential Business Information - This type of information
includes trade secrets, proprietary and commercial/financial
information. Business information is entitled to confidential
treatment if: (1) business asserts a confidential claim,
(2) business shows it has taken its own measures to protect
the information, (3) the information is not publicly available
or (4) disclosure is not required by statute and the disclosure
would either cause competitive harm or impair the Agency's
ability to obtain necessary information in the future.
12. Core Systems Standards - The EPA term for a set of standards
for end-user interface, software engineering, data interchange
and documentation for general purpose computer software to
perform functions which are common to many different offices
(e.g., project tracking or correspondence control). Core
systems are targeted for the personal computer (PC) and
office automation computer systems.
13. Current Records - Records or files presently in the physical
custody of organizational units, the maintenance of which is
required in the conduct of current work.
14. Data - Collection of unorganized facts that have not yet
been processed into information.
15. Data Base - Collection of integrated data that can be used
for a variety of applications.
16. Data Base Management - A systematic approach to storing,
updating and retrieval of information stored as data items,
usually in the form of records in a file.
17. Data Base Management System (DBMS) - The software product
that provides a data structure containing unrelated data
stored so as to optimize accessibility, control redundancy
and offer multiple views of the data to multiple application
programs.
18. Data Communications - Computer-to-computer, computer-to-
device and device-to-computer communications and other
communications such as a record, tele-processing and telemetry.
19. Data Element - A unit of information used to describe data,
data characteristics and attributes, e.g., eyes - blue or
BL.
20. Data Standards - Standards used generally, but not
exclusively, for automated systems to ensure that one type
of data is defined the same way in all systems.
21. Designated Senior Official - The individual appointed by the
head of an agency who has responsibility for directing the
agency's activities administered under the Paperwork Reduction
Act of 1980.
22. Distributed Processing - Involves the use of computers or
intelligent terminals at a number of sites that share the
control, storage and/or computing functions of the central
computing system, thus giving the end-user data processing
capabilities. The various stations, or network nodes, are
connected by telecommunications lines.
23. Distributed Network - This term refers to a network
architecture in which nodes, or communications processors,
are connected directly or indirectly to each other and share
the communications processing functions.
24. Documentation - Information to support the effective design,
management, operation, maintenance and transferability of
ADP resources, and to facilitate the interchange of information.
Documentation includes analysis, technical documents
and specifications which are produced in the software life
cycle (e.g., project request, feasibility study, benefit/cost
analysis, functional requirements, data requirements, system/
subsystem specifications, test plan, users' manual, operations
manual, test reports and maintenance procedures).
25. Electronic Digital image Storage and Retrieval Systems - The
technology that converts and stores images and information
in digital form.
26. Electronic Mail - A generic term describing the use of
digital computer and other technologies (e.g., facsimile) in
the generation and transmission or distribution of messages.
27. End-Users - The ultimate customers or recipients of computer
services.
28. Essential Elements of Information (EEIs) - This term is
modeled after the Department of Defense and National
Aeronautics and Space Administration Data Item Descriptions
(DIDs). The EEIs represent the set of information for a
given system's life cycle products (e.g., software management
plan, software design document) that are required for a
specific systems development project or for an existing
system's operation. EEIs are required for the successful
management of a project.
29. Federal Records Centers - The depositories established by
the National Archives and Records Administration for the
housing of non-current, inactive or permanent records pending
ultimate disposition in accordance with the Agency Record
Retention and Control Schedules.
30. Filing Equipment - Any equipment used to provide storage for
information, e.g., lateral, vertical, mechanized and ADP.
31. Filing Supplies - Items such as folders, guides, cross-
reference sheets and charge-out cards.
32. Fourth Generation (4GL) Programming Language - The term
refers to modern programming languages (e.g., INFO, FOCUS)
designed for end-users or to increase programmer productivity,
which have a number of tools such as English language syntax,
dictionaries, screen builders and reference to data by name.
These languages tend to be dependent on specific computer
architectures and are not usually transportable. They
usually imply a proprietary database management system
(DBMS) or data management system (DMS).
33. Geographic Information System (GIS) - A computer-based
system that combines geographic and/or cartographic analysis
capabilities with a computer data base system that can
support data entry, data management, data manipulation and
data display capabilities.
34. Hardware - Physical equipment such as the computer and its
related peripheral devices, tape drives, disk drives, printers,
etc.
35. Highly Sensitive Information - Information whose loss would
seriously affect the agency's ability to function, threaten
the national security or jeopardize human life and welfare.
Specifically, information of this type includes National
Security Information, information critical to the performance
of a primary agency mission, information that is life critical
and financial information related to check issuance, funds
transfer and similar asset accounting/control functions.
36. Host Computer - Central computer to which computers or
other input/output devices are connected in a distributed
data processing environment.
37. Information - Any communication or reception of knowledge
such as facts, data or opinions, including numerical, graphic
or narrative forms, whether oral or maintained in any medium,
including computerized data bases, paper, microform or
magnetic tape.
38. Information Collection Budget (ICB) - An annual submission
to the Office of Management and Budget (OMB) of burden on
the public related to information that Federal agencies
propose to collect from non-Federal sources during a fiscal
year. ("Burden" includes, but is not limited to, the estimated
time required to read instructions and generate, review,
report and keep records on information in response to Federal
requests or requirements.) The ICB is similar to EPA's
fiscal budget except that it deals in burden hours rather
than dollars and is not submitted to Congress.
39. Information Management - The processes necessary for the
creation, use and disposal of information regardless of the
media on which it is recorded.
40. Information Processing - To copy, exchange, read, combine
mathematically or logically, record, store, transmit or write
information from one medium or format to another.
41. Information Resources Management (IRM) - The planning,
budgeting, organizing, directing, training and controls
associated with information. The term encompasses both
information itself and related resources such as personnel,
equipment, funds and technology.
42. IRM Steering Committee - At EPA this group is chaired by the
Director, Office of Information Resources Management (OIRM)
and has members representing EPA national and Regional
programs, the EPA research community and the States. The
Committee is responsible for advising OIRM concerning IRM
policies, resources and priorities and assisting OIRM in
communicating and implementing these policies and priorities
within EPA. The Committee assists OIRM in conducting periodic
reviews of the Agency's information resources and the policies
and programs for managing these resources and in designing
improvements where needed.
43. Information Security - This term encompasses three different
types of security: applications security, installation
security and personnel security. In total, information
security involves the precautions taken to protect the
confidentiality, integrity and availability of information.
44. Information System - The organized collection, processing,
transmission and dissemination of information in accordance
with defined procedures, whether automated or manual.
45. Information Systems Inventory (ISI) - A collection of
descriptive data regarding the Agency's automated and manual
information systems. The data base for EPA's ISI resides on
an IBM PC/AT and provides for the retrieval of over 500
manual and automated information systems and applications
which have been identified by administrative and program
offices.
46. Information Technology - The hardware and software used in
connection with government information, regardless of the
technology involved, whether computers, telecommunications,
micrographics or others.
47. Installation - The physical location of one or more information
systems, whether automated or manual. An automated installa-
tion consists of one or more computer or office automation
systems, including related peripheral and storage units,
central processing units, telecommunications and operating
and support system software. Automated installations may
range in size from large centralized computer centers to
stand-alone personal computers.
48. Installation Security - The use of locks, badges and similar
measures to control access to the installation and the
measures required for the protection of the structure housing
the installation from accident, fire and environmental
hazards. In addition to the above physical security measures,
installation security also involves ensuring continuity of
operations through disaster planning.
49. Life Cycle - The complete time span of a system from the
origin of the idea that leads to the creation of the system
to the end of its useful life.
50. Life Cycle Costs - The sum total of all the direct, indirect,
recurring, nonrecurring and other related costs incurred or
predicted to be incurred in the formulation of requirements
and feasibility studies, and in the design, development,
production, operation, maintenance and support of an
information system throughout its useful life.
51. Mainframe - This term connotes a large computer.
52. Maintenance of Records - This term refers to the grouping,
filing, storing and safeguarding of business records.
53. Major Information System - An information system that requires
special continuing management attention because of its
importance to an agency mission; its high development,
operating or maintenance costs; or its significant impact on
administration of agency programs, finances, property or
other resources. In this context, high development, operating
or maintenance cost means either (1) the cost of initial
development from conception through implementation exceeds
one million dollars or (2) the cost of operating and maintaining
the system in any fiscal year exceeds 500 thousand
dollars.
54. Management Information System (MIS) - A computer-based or
manual information system having applications in support of
management activities.
55. Microcomputer - One of a large variety of general purpose
computers manufactured utilizing one or more microprocessors.
Microcomputers can range from computers with relatively small
amounts of memory to computers with large amounts of random
access memory and several peripheral devices. Typically, an
end-user microcomputer is of desktop size and requires no
special environmental site preparation.
56. Microfilm - High resolution film containing an image or
images greatly reduced in size from the original that is
recorded on the film.
57. Microfiche - A sheet of film containing multiple microimages
in a grid pattern. It usually contains a heading or title
which can be read without magnification.
58. Microform - Any form containing microimages.
59. Micrographics - The science and technology of document and
information microfilming and associated microform systems
including microfilm, microfiche and microimages.
60. Minicomputer - A computer somewhere in size between a
microcomputer and a mainframe. These units are characterized
by higher performance than microcomputers, richer instruction
sets, higher price and a proliferation of high-level languages,
operating systems and networking methodologies.
61. Mission-based Planning - The process of planning for an
agency's investments in and management of information
resources and technology that are required to achieve the
agency's missions and priorities. At EPA all national
program managers and Regional offices are responsible for
developing mission-based plans for their respective organizations.
Mission-based plans are tied to the budget process
and are used to support investment decisions made during
the budget preparation process. These plans are strategic
or long range in scope but are updated annually to reflect
progress in implementation, program changes, changes that
affect information requirements and advancements in technology.
62. National Security Information - Information that is classified
as "Top Secret," "Secret" or "Confidential" under Executive
Order 12356 or predecessor orders.
63. Network - Computer system using data communications equipment
to connect two or more computers.
64. Non-procedural Language - See definition for Fourth Generation
(4GL) Language.
65. Official Record File - Used in the context of records
management, this term refers to documentation including all
background material resulting from specific transactions,
operations or processes which are accumulated and maintained
in files equipment. They may include any media such as
film, microfilm, cards, papers and magnetic tapes and disks.
66. Operating System - Software that controls and supports the
execution of computer programs and contributes to optimal
use of the computing system. An operating system may provide
services such as resource allocation, scheduling, input/
output control, error recovery and data management. Although
operating systems are predominantly software, partial or
complete firmware implementations are possible.
67. Permanent Records - Records of continuing value which are
considered to be so important or unique in documenting the
history of the Agency or for informational content that
they should be preserved "forever" as part of the National
Archives of the United States.
68. Personal Computer - Microcomputer used by individuals for
various personal uses in the home or office.
69. Procedural or High Order Language - See definition for
Third Generation Language (3GL).
70. Program - Step-by-step set of instructions that directs the
computer to perform certain operations.
71. Program Records - Records created, received and maintained
by an agency in the conduct of the mission functions for
which it is responsible. The term is used in contrast with
administrative or facilitative records.
72. Proprietary - Any item, usually commercial software or a
specialized data base, for which the Government or public
does not have unlimited rights.
73. Privacy - The right of an individual to control the
collection, storage and dissemination of information about
himself/herself to avoid the potential for substantial
harm, embarrassment, inconvenience or unfairness.
74. Records - In records management parlance, this term refers
to recorded information of continuing administrative, fiscal,
legal, historical or informational value, including published
materials, papers, maps, photographs, microfilm, audiovisual,
machine-readable materials (ADP tapes/disks) or other
documentary material, regardless of physical form or characteristics,
made or received by the agency that evidences
organization, functions, policies, decisions, procedures,
operations or other activities of the Government.
75. Records Control Schedules - This term refers to the list of
scheduled reviews of agency records to determine their
disposition.
76. Records Management - This term describes the management of
the media on which information is recorded and the control
of all the agency's program and administrative records.
77. Records Management Officer - The title of the designated
staff officials whose responsibilities are to assist the
operating Agency Records Management Officer by carrying out
the policies of the records management program in their
respective organizational units.
78. Risk Analysis - A means of measuring and assessing the
relative vulnerabilities and threats to a collection of
sensitive data and the people, systems and installations
involved in storing and processing that data. Its purpose
is to determine how security measures can be effectively
applied to minimize potential loss. Risk analyses may vary
from an informal, quantitative review of a microcomputer
installation to a formal review of a major computer center.
79. Semi-active Records - This term refers to records worthy of
preservation, that have long term permanent value and will
be retired from expensive office space and equipment to the
area Federal Records Center for storing, servicing and
ultimate disposition in accordance with Agency Records
Control Schedules.
80. Senior Information Management Official (SIRMO) - At EPA this
term has been used to designate those individuals who are
responsible for directing and managing information resources
planning and budgeting and for assuring that the information
systems and information technology acquisitions within their
organizations comply with Federal and EPA policies and
regulations.
81. Sensitive Application Systems - Systems that process sensitive
information and require protection because of the loss or
harm which could result from the improper operation or
deliberate manipulation of the application itself. Automated
decision-making application systems are highly sensitive if
the wrong decision could cause serious loss.
82. Sensitive Information - Information that requires protection
due to the risk and magnitude of loss or harm that could
result from inadvertent or deliberate disclosure, alteration
or destruction of the information.
83. Service Level Agreement - A Service Level Agreement is a
documented contract between the National Data Processing
Division (NDPD) and any client organization which describes
the services which will be provided by NDPD to the client.
There are two types of Service Level Agreements. One is a
generic documented service description which applies to all
client organizations and the other is a specific agreement
with an individual client organization. The latter is
developed primarily where the level of service requested is
beyond the normal service levels contained in the generic
service agreement. Service Level Agreements generally
contain a description of availability, capacity, workload,
performance, reliability and cost.
84. Software - Computer programs, procedures, rules and associated
documentation pertaining to the operation of a computer
system.
85. Software Engineering - This term refers to the discipline
of applying software tools, techniques and methodologies to
promote software quality and productivity.
86. Software Life Cycle - The period of time beginning when a
software product is conceived and ending when the product
no longer performs the function for which it was designed.
The software life cycle is typically broken into phases
such as requirements, design, programming and testing,
installation and operation and maintenance.
87. Software Maintenance - The performance of those activities
required to keep a software system operational and responsive
after it is accepted and placed into operation. It is the
set of activities which result in changes to the originally
accepted (baseline) product. These changes consist of
modifications required to: (1) insert, delete, extend and
enhance the baseline system (performance maintenance); (2)
adapt the system to changes in the processing environment
(adaptive maintenance); and (3) fix errors (corrective
maintenance).
88. Software Tools - This term refers to packaged, often
commercial computer program(s) used to help develop, test,
analyze or maintain computer programs, data and information
systems. Examples include statistical software such as SAS,
SPSS, sort systems, etc.
89. System - The organized set of procedures used to collect,
process and array information whether automated or manual.
90. Telecommunications - The transmission and/or reception of
information by telephone, telephone lines, telegraph, radio
or other methods of communication over a distance. The
information may be in the form of voice, pictures, text
and/or encoded data.
91. Telecommunications Network - An interconnected set of locations
or devices linked by communications facilities, including
telephone lines and microwave and satellite connections.
92. Temporary Records - Records created incidental to performance
of the mission of the agency and considered to be of short
term value.
93. Testing - This term refers to the examination of the behavior
of a program by executing the program on sample data sets.
94. Third Generation (3GL) Programming Language - A programming
language that usually includes features such as nested
expressions and parameter passing, that can run on a variety
of different computer systems and is independent of machine
architecture (e.g., COBOL, BASIC, FORTRAN, PL/1). It is a
problem oriented language that facilitates the expression
of a procedure as an explicit algorithm. In contrast to
fourth generation programming language, third generation
programming language is normally independent of a data base
management system and is transportable between different
computer architectures.
95. Threshold - A point, usually expressed in dollars, above
which specific actions are required. For instance, a sole-
source procurement of data processing equipment having an
estimated value below the $250,000 threshold does not require
a delegation of procurement authority from the General
Services Administration, while a procurement above that
threshold does require a delegation.
96. Timeshare - This procedure allows many users to access and
use simultaneously the resources of a central computer
through remote terminals. Access privileges are usually
purchased by (or charged back to) the user, based on a
formula of various unit prices. The chargeback formula may
include charges for use of the computer's central processing
unit, adding or altering data on a computer storage disk,
computer tape handling and storage and the amount of time a
user has interacted with the computer (connect time). Other
items may be included in the chargeback formula which are
inherent in delivering the computer services to the user.
97. Triennial Review - This review is a government-wide three-
year planning and reporting cycle set forth to meet the
requirements established by the Paperwork Reduction Act of
1980. Agencies are required to perform reviews of their
information resources management activities and prepare
synopses and updates of these reviews to GSA on a yearly
basis for a three-year duration. The objective of the
Triennial Review Program is to ensure that agencies are
carrying out their information management activities in an
efficient manner. In EPA OIRM is responsible for managing
the review process with input from the program offices.
98. Vital Records - Records essential to the continued operation
of the Agency and to the preservation of the legal rights
and interests of employees and individual citizens, in
wartime and disaster.
99. Voice Communications - The transmission and switching of
voice traffic by public and private facilities. The public-
switched network is an example of a public facility; private
branch exchanges (PBX) and private voice lines exemplify
private facilities.
100. Word Processing - A computer-based system for inputting,
editing, storing and printing of documents.
-------
APPENDIX B - PRIMARY FEDERAL IRM STATUTES AND REGULATIONS
1. Brooks Act, Oct. 30, 1965, Public Law 89-306
This Act is the primary law governing the overall Federal
acquisition and management of automatic data processing
equipment. Passed in 1965, the Act requires Federal agencies
to purchase, lease, maintain, operate and utilize ADP equipment
in an economical and efficient manner. The Act also provides
for coordinated government-wide ADP management with specific
roles for the General Services Administration, the Department
of Commerce and the Office of Management and Budget.
2. Paperwork Reduction Act of 1980, Public Law 96-511
The primary objective of this Act is to reduce paperwork and
enhance the economy and efficiency of the government and
private sector by improving Federal information policy development
and implementation. It established a new management
structure for the government's information activities. The
structure is composed of (1) an OMB Office of Information
and Regulatory Affairs to develop and implement consistent
information policy and (2) senior officials appointed within
each agency to ensure effective and efficient management of
the agency's information resources. The following broad
objectives for improving the management of Federal information
resources were established:
a. Coordinating, integrating and, to the extent practicable
and appropriate, making uniform, Federal information
policies and practices.
b. Minimizing the Federal paperwork burden for individuals,
State and local governments and others.
c. Minimizing the cost to the Federal government of collecting,
maintaining, using and disseminating information.
d. Making maximum use of information collected by the Federal
government.
e. Ensuring that automatic data processing and
telecommunications technologies are acquired and used by
the Federal government in a manner that improves service
delivery and program management, increases productivity,
reduces waste and fraud and reduces the information
processing burden for the Federal government and for
persons who provide information to the Federal government.
f. Ensuring that the collection, maintenance, use and
dissemination of information by the Federal government
is consistent with applicable laws relating to
confidentiality and privacy.
3. Privacy Act of 1974, Public Law 93-579
The Act provides certain safeguards for individuals against
an invasion of personal privacy by requiring agencies to
identify what records are being collected, maintained, used
or disseminated on an individual; provide access and copies
of such records; ensure the lawful purpose and prevent misuse
of such records. The Act imposes criminal penalties directly
on individuals if they violate certain provisions of the
Act.
4. Freedom of Information Act of 1966, Public Law 89-487, as
amended by Public Law 93-502, Nov. 21, 1974, amended Nov/Dec.
1986
The Act allows the public to inspect and copy certain general
agency information, agency rules, opinions, orders and
proceedings. The 1974 amendments established: (1) time
limits for agency determinations, (2) index publications,
(3) uniform fees for search and duplication and (4) requirements
for an annual report.
5. Federal Records Management Amendments of 1976, Public Law
94-575
The amendments required the establishment of standards and
procedures to ensure efficient and effective Federal records
management practices. Specific goals are (1) accurate and
complete documentation of the policies and transactions of
the Federal government; (2) control of the quantity and
quality of records produced; (3) establishment and maintenance
of control mechanisms to prevent the creation of unnecessary
records and to prevent ineffective and uneconomical agency
operations; (4) simplified activities, systems and procedures
for records creation, maintenance and use; (5) judicious
preservation and disposal of records; and (6) continuous
attention to records—from creation to disposition—with
emphasis on the prevention of paperwork.
6. Competition in Contracting Act of 1984, Public Law 98-369
The Competition in Contracting Act considerably strengthened
the regulations governing all procurements. It requires each
agency to designate a "competition advocate" and requires
full and open competition in as many procurements as possible.
Significantly, the Act considers both "competitive negotiation"
and purchases from negotiated schedule contracts as full and
open competition. The Act prescribes the following exceptions
that justify noncompetitive procurements:
a. The property or services are available from only one
responsible source.
b. There is "unusual and compelling urgency."
c. It is desirable to award the contract to a particular
source in order to maintain the existence of a supplier
or to meet the terms of an international agreement.
d. Noncompetitive procurement is specifically authorized by
statute.
e. The disclosure of the agency's needs would compromise
national security.
f. The head of the agency determines that it is "necessary
in the public interest" to use noncompetitive procedures
and notifies Congress in writing 30 days before award of
the contract.
In addition, the Act established a special procedure to
resolve disputes between agencies and vendors of ADP equipment.
Under this procedure, the Board of Contract Appeals at GSA
is given authority to suspend procurement authority if necessary,
and to issue a decision on the protest within 45 working
days after the protest is filed.
7. OMB Circular A-130, Management of Federal Information Resources
Issued by OMB to implement the Paperwork Reduction Act, OMB
Circular A-130 supersedes several other circulars and provides
guidance for Federal agencies in adopting and implementing
the Information Resources Management (IRM) approach mandated
by the Act. Under Circular A-130, Federal agencies shall:
a. Establish multi-year strategic planning processes for
acquiring and operating information technology that meet
program and mission needs, reflect budget constraints
and form the basis for their budget requests.
b. Establish systems of management control that document
the requirements that each major information system is
intended to serve and provide for periodic review of
those requirements over the life of the system in order
to determine whether the requirements continue to exist
and whether the system continues to meet the purposes
for which it was developed.
c. Make the official whose program the information system
supports responsible and accountable for the products of
that system.
d. Meet information processing needs through interagency
sharing and from commercial sources, when it is cost-
effective, before acquiring new information processing
capacity.
e. Share available information processing capacity with
other agencies to the extent practicable and legally
permissible.
f. Acquire information technology in a competitive manner
that minimizes total life cycle costs.
g. Ensure that existing and planned major information systems
do not unnecessarily duplicate information systems
available from other agencies or from the private sector.
h. Acquire off-the-shelf software from commercial sources,
unless the cost-effectiveness of developing custom software
is clear and has been documented.
i. Acquire or develop information systems in a manner that
facilitates compatibility.
j. Assure that information systems operate effectively and
accurately.
k. Establish a level of security for all agency information
systems commensurate with the sensitivity of the information
and the risk and magnitude of loss or harm that
could result from improper operation of the information
systems.
l. Assure that only authorized personnel have access to
information systems.
m. Plan to provide information systems with reasonable
continuity of support, should their normal operations be
disrupted in an emergency.
n. Use Federal Information Processing and Telecommunications
Standards except where it can be demonstrated that the
costs of using a standard exceed the benefit or the
standard will impede the agency in accomplishing its
mission.
o. Not require program managers to use specific information
technology facilities or services unless it is clear
and is convincingly documented, subject to periodic
review, that such use is the most cost-effective method
for meeting program requirements.
p. Account for the full costs of operating information
technology facilities and recover such costs from
government users.
q. Not prescribe Federal Information system requirements
that unduly restrict the prerogatives of heads of State
and local government units.
r. Seek opportunities to improve the operation of government
programs or to realize savings for the government and
the public through the application of up-to-date information
technology to government information activities.
8. OMB Circular A-11, Transmittal Memorandum No. 54, Preparation
and Submission of Budget Estimates, July 19, 1983
Circular No. A-11 provides instructions relating to the
annual budget process. It includes information on reviewing
estimates for new or expanding programs that reflect
determinations made pursuant to Executive Order No. 12291,
the Paperwork Reduction Act of 1980 and the "information
collection budget" process.
9. OMB Circular A-76, Policies for Acquiring Commercial or
Industrial Services Needed by Government, March 29, 1979
This Circular establishes the general policy that "the
government's business is not to be in business" and that
government agencies should rely on the private sector to
obtain commercial or industrial goods and services. Government
commercial or industrial activities are allowed only on a
very limited exception basis, which recognizes that certain
activities are inherently governmental and should be performed
by Federal employees. A Cost Comparison Handbook implements
the principles contained in the Circular. The handbook
provides detailed instructions for developing a comprehensive
and valid comparison of the estimated cost to the government
of acquiring a product or service by contract versus providing
it with in-house, government resources. The handbook attempts
to establish consistency, ensure that all substantive factors
are considered in making cost comparisons and achieve a
desirable level of uniformity among agencies in comparative
cost analyses.
10. OMB Circular A-121, Cost Accounting, Cost Recovery, and
Inter-agency Sharing of Data Processing Facilities,
Sept. 16, 1980
This Circular establishes policies to promote effective and
efficient management and use of certain data processing
facilities. The policies prescribe business-like procedures
which require agencies to:
a. Account for the full cost of operating data processing
facilities.
b. Allocate all costs to users according to the service
they receive.
c. Share excess data processing capacity with other agencies.
d. Recover the cost of interagency sharing.
e. Evaluate interagency sharing as a means of supporting
major new data processing applications.
11. OMB Circular A-123, Internal Control Systems, Aug. 16, 1983
This Circular prescribes policies and standards to be followed
by executive departments and agencies in establishing,
maintaining, evaluating, improving and reporting on internal
controls in their program and administrative activities.
Agencies must maintain effective systems of accounting and
administrative control. All levels of management must
involve themselves in assuring the adequacy of controls.
New programs must be designed so as to incorporate effective
systems of internal control. All systems must be evaluated
on an ongoing basis and weaknesses, when detected, must be
promptly corrected. Reports are to be issued, as required
by the Federal Managers' Financial Integrity Act, on internal
control activities and the results of evaluations.
12. OMB Circular A-127, Financial Management Systems
This Circular prescribes policies and procedures to be
followed by executive departments and agencies in developing,
operating, evaluating and reporting on financial management
systems. The Circular establishes objectives for financial
management and accounting systems which all agencies are
required to meet. The objectives are concerned with ensuring
that financial management data are recorded, stored and
reported in a manner to facilitate systems operations (i.e.,
ensuring financial management data meet the criteria of
usefulness, timeliness, reliability, completeness, comparability,
consistency, efficiency and economy); systems
integrity; support for management and full financial
disclosure.
The Circular also requires agencies to establish and maintain
a single, integrated financial management system, which may
be supplemented by subsidiary systems. The intent of this
requirement is to ensure that data entered into the agency's
financial management system is entered only once and transferred
automatically to appropriate accounts or other parts
of the system or systems. New or substantially revised
systems must be developed on an interagency basis and must
be designed to meet the needs of all participating agencies.
Agencies are allowed to expend funds only for financial
management systems that meet the requirements of Circular
A-127.
13. Federal Information Processing Standards (FIPS) (Dept. of
Commerce)
A series of documents issued by the National Bureau of
Standards (DOC) in accordance with the Brooks Act of 1965,
Public Law 89-306. The FIPS contain standards and guidelines
concerned with the standardization of computer hardware,
software (data representations, operative systems, programming
languages) and systems. FIPS are mandatory for each Federal
agency.
14. Federal Information Resource Management Regulations (FIRMR)
(GSA), 41 CFR Chapter 201
Regulations published by the General Services Administration
to provide guidance for the procurement, utilization and
disposition of ADP resources and equipment by each Federal
agency.
15. National Archives and Records Administration Regulation
36 CFR 1220 and 41 CFR 201-22
Regulations issued by the National Archives and Records
Administration to establish standard records management
practices throughout the Federal government.