U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
FY 2017
EPA Management
Challenges
17-N-0219
May 18, 2017

-------
Abbreviations
DWSRF   Drinking Water State Revolving Fund
EPA     U.S. Environmental Protection Agency
FTE     Full-Time Equivalent
FY      Fiscal Year
GAO     U.S. Government Accountability Office
MATS    Management Audit Tracking System
OIG     Office of Inspector General
SDWA    Safe Drinking Water Act
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

-------
U.S. Environmental Protection Agency                                17-N-0219
Office of Inspector General                                       May 18, 2017

At a Glance

EPA's Fiscal Year 2017 Management Challenges

What Are Management Challenges?

According to the Government Performance and Results Act Modernization Act of 2010, major management challenges are programs or management functions, within or across agencies, that have greater vulnerability to waste, fraud, abuse and mismanagement, where a failure to perform well could seriously affect the ability of an agency or the federal government to achieve its mission or goals.

As required by the Reports Consolidation Act of 2000, we are providing issues we consider as the U.S. Environmental Protection Agency's (EPA's) major management challenges for fiscal year 2017.

This report addresses all of the EPA's strategic goals and cross-agency strategies.

Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.

Listing of OIG reports.

What We Found

Attention to agency management challenges could result in stronger results and protection for the public, and increased confidence in management integrity and accountability.

The EPA Needs to Improve Oversight of States, Territories and Tribes Authorized to Accomplish Environmental Goals:
• The EPA has made important progress, but our work continues to identify challenges throughout agency programs and locations, and many of our recommendations are still not fully implemented.

The EPA Needs to Improve Its Workload Analysis to Accomplish Its Mission Efficiently and Effectively:
• The EPA needs to identify its workload needs so that it can more effectively prioritize and allocate limited resources to accomplish its work.

The EPA Needs to Enhance Information Technology Security to Combat Cyber Threats:
• Though the EPA continues to initiate actions to further strengthen or improve its information security program, the agency lacks a holistic approach to managing accountability over its contractors, and lacks follow-up on corrective actions taken.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
May 18, 2017
MEMORANDUM
SUBJECT: EPA's Fiscal Year 2017 Management Challenges
Report No. 17-N-0219
FROM: Arthur A. Elkins Jr.
TO:	Scott Pruitt, Administrator
We are providing you with a list of areas that the Office of Inspector General (OIG) considers as major
management challenges confronting the U.S. Environmental Protection Agency (EPA). The project
number for this report was OPE-FY17-0003. According to the Government Performance and Results
Act Modernization Act of 2010, major management challenges are programs or management functions,
within or across agencies, that have greater vulnerability to waste, fraud, abuse and mismanagement,
where a failure to perform well could seriously affect the ability of an agency or the federal government
to achieve its mission or goals.
The Inspector General Act of 1978, as amended, directs Inspectors General to provide leadership to the
agency through audits, evaluations and investigations, as well as additional analysis of agency
operations. The enclosed management challenges reflect findings and themes resulting from many such
efforts. Drawing high-level agency attention to these key issues is an essential component of the OIG's
mission.
The Reports Consolidation Act of 2000 requires our office to annually report what we consider the most
serious management and performance challenges facing the agency. Additional challenges may exist in
areas that we have not yet reviewed, and other significant findings could result from additional work.
The attachment summarizes what we consider to be the most serious management and performance
challenges facing the agency, and assesses the agency's progress in addressing those challenges.
Challenges                                                                          Page
The EPA Needs to Improve Oversight of States, Territories and Tribes Authorized to
Accomplish Environmental Goals                                                         1
The EPA Needs to Improve Its Workload Analysis to Accomplish Its Mission Efficiently
and Effectively                                                                        7
The EPA Needs to Enhance Information Technology Security to Combat Cyber Threats      11

-------
Like the U.S. Government Accountability Office does with its High-Risk List, each year we assess the
agency's efforts against the following five criteria required to justify removal of management challenges
from the prior year's list:
1. Demonstrated top leadership commitment.
2. Agency capacity - people and resources to reduce risks, and processes for reporting and
accountability.
3. Corrective action plan - analysis identifying root causes, targeted plans to address root causes,
and solutions.
4. Monitoring efforts - established performance measures and data collection/analysis.
5. Demonstrated progress - evidence of implemented corrective actions and appropriate
adjustments to action plans based on data.
The U.S. Government Accountability Office's 2017 High-Risk Series report describes these five criteria
as a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the
criteria leads to progress, while satisfying all of the criteria is central to removal from the list.
This year, we retained three management challenges from last year's list due to persistent issues, and
dropped one issue (management oversight to combat waste, fraud and abuse). The management
challenge was removed due to agency efforts in addressing issues we identified.
We will post this report to our website at www.epa.gov/oig. We welcome the opportunity to discuss our
list of challenges and any comments you or your staff might have.
Attachment

-------
CHALLENGE: The EPA Needs to Improve Oversight of States, Territories
and Tribes Authorized to Accomplish Environmental Goals
CHALLENGE FOR THE AGENCY
In recent years, our work has identified the absence of
robust oversight by the U.S. Environmental Protection
Agency (EPA) of states, territories and tribes
authorized to implement environmental programs
under several statutes. The EPA has made important
progress, but recent and ongoing EPA Office of
Inspector General (OIG) and U.S. Government
Accountability Office (GAO) work continues to support
this as an agency management challenge.
BACKGROUND
To accomplish its mission, the EPA develops regulations and establishes programs that implement
environmental laws. Many federal environmental laws establish state, territorial and tribal
regulatory programs that give states, territories and tribes the opportunity to enact and enforce
laws. The EPA may authorize states, territories and tribes to implement environmental laws when
they request authorization and the EPA determines a state, territory or tribe capable of operating
the program consistent with federal standards. The EPA performs oversight of state, territorial and
tribal programs to provide reasonable assurance that they achieve national goals to protect human
health and the environment. Oversight of state, territorial and tribal activities requires that the EPA
establish and maintain consistent national baselines that state, territorial and tribal programs must
meet; monitor state, territorial and tribal programs to determine whether they meet federal
standards; and ensure that federal dollars expended help achieve oversight objectives.
The EPA relies heavily on authorized states, territories and tribes to obtain environmental program
performance data and implement compliance and enforcement programs. For example:
• Forty-nine states, five territories (American Samoa, Guam, Commonwealth of the Northern
Mariana Islands, Puerto Rico and the U.S. Virgin Islands) and one tribe administer the
Public Water Supply Supervision program under the Safe Drinking Water Act.
• Forty-eight states, one territory (Guam), and the District of Columbia are authorized to
administer the Resource Conservation and Recovery Act hazardous waste program.
• Forty-six states fully and one territory (U.S. Virgin Islands) partially administer point
source programs (National Pollutant Discharge Elimination System) under the Clean
Water Act.
• Every state and territory, as well as one tribe, administers Title V of the Clean Air Act,
designed to regulate the largest sources of air pollution.
These states, territories and tribes perform a critical role in supporting the EPA's duty to execute
and enforce environmental laws. However, the EPA has the authority and responsibility to enforce
17-N-0219
1

-------
environmental laws when states, territories and tribes do not. Many EPA programs implement a
variety of formal and informal oversight processes that are not always consistent across EPA
regions and the states, territories and tribes.
THE AGENCY'S PROGRESS
We have identified EPA oversight of authorized state, territorial and tribal programs as an agency
management challenge since fiscal year (FY) 2008. The EPA has made progress in reviewing and
measuring inconsistencies in its oversight of state, territorial and tribal programs; using EPA
authority when states, territories and tribes have failed to use their delegated authority; and
revising EPA policies to improve consistency in oversight.
Since 2008, the EPA has made state oversight an agency priority. The EPA included oversight in the
EPA's FYs 2012-2015 Action Plans for Strengthening State, Tribal, and International Partnerships. The
EPA formed a senior-level workgroup that noted additional recommendations on state oversight,
including improving consistency for identifying regional and state roles during EPA program review,
and developing an initial set of common principles. In 2013, the EPA developed the new key
performance indicator, referred to as Oversight of State Delegations Key Performance Indicator.
The EPA also adopted a cross-agency strategy on "Launching a New Era of State, Tribal, Local, and
International Partnerships" in its FYs 2014-2018 Strategic Plan, and revised its planning and
commitment-setting process beginning in FY 2017 to provide "earlier and more meaningful
engagement with states and tribes."
In 2016, the EPA released "Promoting Environmental Program Health and Integrity: Principles and
Best Practices for Oversight of State Permitting Programs," for the agency and states to use to
enhance the efficiency and effectiveness of the oversight system. The agency developed this
document to "deliver on a commitment in the EPA's cross-agency strategy to launch a new era of
state, tribal, local and international partnerships and to help respond to recommendations for
strengthening oversight from the EPA's Office of Inspector General." According to the agency, it
continues to improve its state oversight practices to ensure consistency by, for example, establishing
the State Program Health and Integrity Workgroup. This interagency workgroup is composed of the
EPA's national program offices for air, enforcement and water, as well as states and media
associations; it gathers and analyzes information on oversight of state practices, identifies gaps, and
develops solutions. In August 2016, as a result of the efforts from the workgroup, the agency released
a set of principles and best practices for EPA and state collaboration in promoting environmental
program health and integrity.
The EPA has made additional changes in response to recommendations in our reports. For example:
• In 2016, the EPA completed all corrective actions to address recommendations from a
September 2014 report where we found that the EPA was not adequately overseeing
significant portions of most states' Clean Water Act pretreatment and permit programs. We
recommended that the EPA improve sharing of Toxic Release Inventory data, develop a list of
chemicals beyond the priority pollutants for inclusion among the chemicals subject to
discharge permits, confirm compliance with hazardous waste notification requirements, and
track required submittals of toxicity tests and violations. Because of the completed corrective
actions, there is greater assurance that states are using permits to minimize potentially
harmful contamination of water resources.
• In response to a February 2015 report, the EPA completed all corrective actions to address
findings that EPA Region 8 was not conducting inspections at establishments in North
Dakota that produce pesticides or inspections of pesticides imported into the state. In
response to our recommendations, the EPA initiated inspections, developed a multi-year
plan for future inspections, compiled a list of the inspections conducted annually for
Region 8's North Dakota end-of-year report, and reviewed the end-of-year report to confirm
that inspections have been initiated. It is expected that these corrective actions will help
address the risk that pesticides are not in compliance with federal law, toxics are going
undetected, and adverse human health and environmental impacts are occurring.
• The EPA completed all corrective actions to address recommendations from a July 2014
report. That report found that while the EPA and the states we reviewed took many actions
to reduce Drinking Water State Revolving Fund (DWSRF) unliquidated balances, those
actions had not reduced DWSRF unliquidated balances to below 13 percent of the
cumulative federal capitalization grants awarded, which the Office of Water stated was the
focus of its efforts. As a result, $231 million of capitalization grant funds remained idle, loans
were not issued, and communities did not implement needed drinking water improvements.
We also noted that states' fundable lists did not reflect projects that would be funded in the
current year, and overestimated the number of projects that will receive funding. The
completed corrective actions—such as requiring states with unliquidated obligations that
exceed the Office of Water's 13-percent-cutoff goal to project future cash flows to ensure
funds are expended as efficiently as possible—should help address the issues reported.
• In our September 2015 early warning report, we recommended that EPA Region 9 exercise
fiduciary responsibility and withhold FY 2015 funds of $8,787,000 for the Hawaii DWSRF
capitalization grant until the region is satisfied with corrective action plan implementation
progress. After being briefed on our report, EPA Region 9 initiated an enforcement action
against the Hawaii Department of Health for not meeting its loan commitment and
disbursement targets. EPA Region 9 advised Hawaii that the FY 2015 DWSRF capitalization
grant would be withheld and the region may withhold further awards.
• In 2009, we found that High Priority Violations under the Clean Air Act were not being
addressed in a timely manner because regions and states did not follow policy, EPA
headquarters did not oversee regional and state High Priority Violations performance, and
EPA regions did not oversee state High Priority Violations performance. We recommended
that the EPA revise the High Priority Violations policy to improve the EPA's ability to oversee
High Priority Violation cases and clarify the roles and responsibilities of EPA headquarters
and regions, the states, and local agencies. The EPA issued its revised policy in August 2014.

-------
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required to
justify removal: (1) an action plan, (2) monitoring efforts, and (3) demonstrated progress. EPA
leadership needs to demonstrate an organizational commitment to correcting problems with the
agency's oversight of key state programs designed to protect human health and the environment. To
demonstrate this commitment, the agency should show it has the capacity and has developed a
framework for addressing oversight issues. The agency also needs to develop a system for monitoring
state, tribal and territory oversight effectiveness so that it can work toward demonstrating its progress
in correcting this management challenge. As such, we are maintaining this issue as a management
challenge for FY 2017, and we continue to conduct reviews of the EPA's oversight of authorized
programs:
• In an October 2016 report, we found that EPA Region 5 had the authority and sufficient
information to issue a Safe Drinking Water Act (SDWA) Section 1431 emergency order to
protect residents in Flint, Michigan, from lead-contaminated water as early as June 2015.
EPA Region 5 had information that systems designed to protect Flint drinking water from lead
contamination were not in place, Flint residents had reported multiple abnormalities in the
water, and test results from some homes showed lead levels above the federal action level.
However, EPA Region 5 did not issue an emergency order until January 21, 2016, because the
region concluded the state's actions were a jurisdictional bar preventing the EPA from issuing a
SDWA Section 1431 emergency order. This occurred despite the EPA's 1991 guidance on SDWA
Section 1431 orders clarifying that if state actions are deemed insufficient the EPA can and
should proceed with a SDWA Section 1431 order. EPA Region 5 did not intervene under SDWA
Section 1431, the conditions in Flint persisted, and the state continued to delay taking action to
require corrosion control or provide alternative drinking water supplies. Corrective actions are
pending.
• In a June 2016 report on the EPA's financial oversight of Superfund state contracts, we found
that the EPA incurred total obligations and expenditures in excess of the authorized cost
ceiling for 51 of the 504 active and closed contracts; did not perform timely, complete and
accurate financial closings for 20 such contracts to ensure that both the EPA and the state
had satisfied their cost share requirement; and did not have all the up-to-date information
needed for an accurate Superfund state contract accrual calculation. The agency agreed with
the recommendations, and corrective actions are pending.
• In a May 2016 report, we found that EPA Region 9 needed improved internal controls for
oversight of Guam's consolidated cooperative agreements. We noted that EPA Region 9 project
files were not readily available to third parties, and EPA Region 9 did not ensure reliability of
Guam Environmental Protection Agency Safe Drinking Water Information System data. Without
adequate internal controls and oversight, more than $67 million in consolidated cooperative
agreement funds may not be administered efficiently and effectively, thus reducing the impact
those funds could have on protecting human health and the environment. The agency agreed
with our recommendations, and corrective actions are pending.
• In March 2016, we reported that EPA efforts to bring small drinking water systems into
compliance through enforcement and compliance assistance resulted in some improvement
over time. However, across EPA Regions 2, 6 and 7, we found inconsistencies in adherence to
the EPA's Enforcement Response Policy. Within our sample, 10 of the systems never received
a formal enforcement order, only three of 20 enforcement orders met the timeliness
standard in the Enforcement Response Policy, and few cases were escalated by the EPA or
state when noncompliance persisted. The agency agreed with our recommendations and
proposed adequate corrective actions, which are pending.
• In a July 2015 report, we found that the EPA needs to improve oversight of permit issuance
for hydraulic fracturing using diesel fuels, and address any related compliance issues.
Evidence shows that companies have used diesel fuels during hydraulic fracturing without
EPA or primacy state underground injection control Class II permits. The EPA has also not
determined whether primacy states and tribes are following the agency's interpretive
memorandum for issuing permits for hydraulic fracturing using diesel fuels. Enhanced EPA
oversight can increase assurance that risks associated with diesel fuel hydraulic fracturing are
being adequately addressed. The agency agreed with our recommendations or proposed
actions that met the intent of our recommendations. The corrective actions are pending.
• In an April 2015 report, we found that the U.S. Virgin Islands did not meet program
requirements for numerous activities related to implementing Clean Air Act, Clean Water
Act, SDWA and Underground Storage Tank/Leaking Underground Storage Tank programs.
EPA Region 2 oversight had not identified program deficiencies uncovered by our review, or
implemented procedures to ensure that deficiencies identified by EPA Region 2 were
corrected. Moreover, we found that deficiencies continued in the U.S. Virgin Islands despite
EPA Region 2 oversight uncovering them in prior years. Since the EPA retains responsibility
for programs implemented on its behalf—such as those in the U.S. Virgin Islands—we
concluded that the agency needs to act to ensure that the public and environment are
protected. We made 19 recommendations, ranging from withdrawing the U.S. Virgin
Islands' authority to implement EPA programs, to providing additional EPA oversight. The
EPA agreed, and has committed to taking appropriate corrective actions. Two
recommendations with agreed-to corrective actions remain pending.
• In October 2014, we reported weaknesses in EPA oversight of state and local Title V
programs' fee revenue practices. Title V permitting requirements are designed to reduce
violations and improve enforcement of air pollution laws for the largest sources of air
pollution, such as petroleum refineries and chemical production plants. We found that Title V
program expenses often exceeded revenue, even though the Clean Air Act requires these
programs to be solely funded by permit fees. We recommended that the EPA assess, update
and re-issue its 1993 Title V fee guidance as appropriate; establish a fee oversight strategy to
ensure consistent and timely actions to identify and address violations; emphasize and
require periodic reviews of Title V fee revenue and accounting practices; address shortfalls in
staff expertise as regions update their workforce plans; and pursue corrective actions as
necessary. The EPA has committed to taking appropriate corrective actions, and completion
of actions is pending.

-------
GAO has also conducted reviews of the EPA's oversight of states, territories and tribes, and made
recommendations to address identified deficiencies. For example, in 2016, GAO reported that the
EPA had not collected necessary information or conducted oversight activities to determine
whether state and EPA-managed Underground Injection Control class II programs are protecting
underground sources of drinking water. Some of the recommendations from GAO were that the
EPA require programs to report well-specific inspections data, clarify guidance on enforcement data
reporting, and analyze the resources needed to oversee programs. In 2015, GAO found that
financial indicators collected by the EPA as part of its oversight responsibilities do not show states'
abilities to sustain their Clean Water and Drinking Water State Revolving Funds. GAO recommended
that the EPA update its financial indicator guidance to include measures for identifying the growth
of the states' funds. GAO also recommended that, during the reviews, the EPA develop projections
of state programs by predicting the future lending capacity.
While important progress has been made, our work continues to identify challenges throughout
agency programs and locations, and many of our recommendations remain to be fully implemented.
We continue to perform work in this area and will continue to monitor the agency's progress in
addressing this challenge.

-------
CHALLENGE: The EPA Needs to Improve Its Workload Analysis to
Accomplish Its Mission Efficiently and Effectively
CHALLENGE FOR THE AGENCY
The EPA has not fully implemented controls and
a methodology to determine workforce levels
based upon analysis of the agency's workload.
The EPA's program and regional offices have not
conducted a systematic workload analysis or
identified workforce needs for budget
justification purposes. The EPA's ability to assess
its workload—and subsequently estimate workforce levels necessary to carry out that workload—
is critically important to mission accomplishment. Due to the broad implications for accomplishing
the EPA's mission, we have included this as an agency management challenge since 2012.
BACKGROUND
In 2010, we reported that the EPA did not have policies and procedures requiring that workforce
levels be determined based upon workload analysis. In 2011, we reported that the EPA does not
require program offices to collect and maintain workload data. Without such data, program offices
are limited in their ability to analyze their workload and justify resource needs. The GAO also
reported in October 2011 that the EPA's process for budgeting and allocating resources does not
fully consider the agency's current workload. In March 2010, the GAO reported that it had brought
this issue to the attention of EPA officials through reports in 2001, 2005, 2008 and 2009.
Since 2005, EPA offices have studied workload issues at least six different times, spending nearly
$3 million for various contractors to study the issues. However, for the most part, the EPA has not used
the findings resulting from these studies. According to the EPA, the results and recommendations from
the completed studies were generally not feasible to implement.
Over the past decade, the EPA's workforce levels have declined, with significant reductions in
FYs 2012 through 2015, when levels declined by over 2,100 positions (including losses due to early-
outs and buyouts in 2014). Without a clear understanding of its workload, it is unclear whether this
decline jeopardizes the EPA's ability to meet its statutory requirements and overall mission to
protect human health and the environment, or if the decline represents a natural and justifiable
progression, because the EPA has completed major regulations implementing environmental
statutes and states have assumed primacy over most media programs.
THE AGENCY'S PROGRESS
The agency has not yet adopted an overall plan to address workforce analysis, but has initiated
some limited pilots and surveys to address the issue.

-------
In 2013, we conducted a follow-up review of actions the EPA has taken to address previous OIG
recommendations. We found that the EPA:
• Initiated pilot projects in Regions 1 and 6 to analyze the workload for air State
Implementation Plans and permits, as well as water grants and permits.
• Surveyed numerous front-line agency managers on the functions performed, thereby
creating an inventory of common functions among program offices.
• Through the Office of the Chief Financial Officer, consulted with 23 other federal agencies
about their workload methodologies. As a result of that analysis, the EPA selected an approach
referred to as the "Table Top" method used by the U.S. Coast Guard, designed to use subject
matter experts and actual data to provide estimates of workload. The Table Top approach
provides flexibility in implementation, which allows for differences in organizational functions
and workloads rather than attempting to fit all regions and programs into a one-size-fits-all
approach. The EPA has conducted limited testing on this approach within two program areas:
grants and Superfund Cost Recovery. According to EPA officials, while the methodology
appears promising for grants, it became overly complicated for Superfund Cost Recovery.
The EPA did not report a workable agencywide workforce analysis plan from these limited 2013
actions.
During 2014, the EPA continued to test the workload model in other areas, including:
• Working with Grant Project Officers to evaluate and try to balance uneven workloads.
• Developing a Project Officer Estimator Tool for organizations to examine Project Officer
workloads.
• Working with Grants Specialists to refine the Interagency & Grants Estimator Tool.
• Submitting a Draft Funds Control Manual to the Office of Management and Budget, and
receiving and incorporating the Office of Management and Budget's comments.
The EPA did not report a workable agencywide workforce analysis plan from these 2014 actions.
In January 2016, the EPA issued a draft Funds Control Manual. The manual is intended to fulfill the
EPA's corrective actions for several unimplemented recommendations from prior OIG reports on
workload analysis. The manual highlights several tools the EPA has developed to help programs
examine and understand connections between hours of work (or full-time equivalents (FTEs)) and
specific tasks, products, results or outcomes. The EPA says that the tools are designed to
complement existing financial, budget and program information that organizations already track
and use.
The manual highlights four major types of workload analysis tools that the EPA has used: surveys,
benchmarking, existing data, and analytical tools (such as the U.S. Coast Guard's Table Top analytical
framework). In response to many stakeholders' requests (including OIG's) to explain how the EPA's
work hours tie to specific results produced, the manual says it is important to stress that it is
extremely difficult to demonstrate this tie for many agency activities (such as research or regulatory
development), so workload analyses generally should be targeted at task-driven areas, such as
grants or contract awards.
The EPA has yet to implement and report the results of the funds management manual.
In the latest response to this management challenge, the EPA stated that rather than trying to create
detailed FTE models, the agency focused its workload analysis on current operations. The agency
found that detailed FTE models created a sense of false precision; quickly became out of date due to
changing regulations, requirements and systems; and were overly sensitive to relatively small
changes in the inputs.
In the FY 2016 Agency Financial Report, the agency responded:
As acknowledged by the OIG, the inherent difficulties in applying workload analysis to
the highly variable, multi-year, and non-linear activities that comprise the majority of
the EPA's work, limit the utility of detailed FTE-based workload analyses for broader
agency program estimates. The agency has found greater value in using trend and
macro-level workload reviews to estimate program needs. For example, as part of the
FY 2016 budget process, the agency examined broad workload trends as a basis to move
resources to address major challenges identified. As a result, the agency provided 65
additional FTEs for air program work and 40 FTEs for the Office of General Counsel legal
support. In each of these areas, the agency's senior management considered longer-
term trends and overall staffing rather than individual tasks and portions of FTEs. For
legal work, the agency considered statistics showing increased litigation and legal review
requirements. It is important to note that the "current flexibility to move resources"
granted by Congress remains extremely limited and the increased resources requested
in the President's Budget were not appropriated. Nonetheless, the agency maximized
the available flexibilities and provided the full FTE increments to those programs in
FY 2016.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria
required to justify removal: (1) agency capacity, (2) an action plan, and (3) monitoring efforts. The
EPA has not developed and implemented a definitive workload analysis system. The EPA needs to
more broadly quantify what its full workload entails so that it can more effectively prioritize and
allocate available resources to accomplish agency work. The EPA's ability to assess its workload and
estimate workforce levels necessary to carry out that workload is critical to mission
accomplishment. As such, we are maintaining workload analysis as a management challenge for
FY 2017. In February 2016, we announced the start of preliminary research on the EPA's Superfund
workload allocation. The evaluation objective is to determine whether the EPA's distribution of
Superfund resources among EPA regions supports the current regional workload.
The agency also needs to complete its workforce planning tool. The agency is piloting a workforce
planning tool during the first quarter of FY 2017. The tool compares needed skills with the current
supply of skills so that competency gaps can be identified and addressed through strategic hiring and
training/development. The EPA states that the use of the tool will (1) allow the agency to assess the
workforce regularly at all organization levels, ensuring agency employees possess the skills and
abilities necessary to meet current and future mission goals and objectives; and (2) align workforce
planning with agency and organizational strategic plans, corresponding action plans and budget.
According to the agency, the pilot will allow insight and emphasis on workforce flexibility and
development to facilitate faster adjustment to change and improved workplace performance,
supporting maximum responsiveness as job functions, roles and technology evolve. It is expected that
the workforce planning tool will be available agencywide by the end of FY 2017. We will continue to
monitor agency progress through this and other ongoing work.
CHALLENGE: The EPA Needs to Enhance Information Technology Security
to Combat Cyber Threats
CHALLENGE FOR THE AGENCY
Information security, and specifically implementing a robust cybersecurity capability able to combat the ever-increasing threat to the agency's data and network, remains a management challenge at the EPA. Despite progress made by the agency to strengthen cybersecurity, recent audit work continues to highlight that fully implementing information security throughout the EPA requires continued senior level emphasis to address long-standing weaknesses within the information security program. Most notably, the EPA has yet to implement practices for its information security program to be considered effective for the five Cybersecurity Framework Security Functions defined by the National Institute of Standards and Technology. Likewise, our audits note the need for management to take further action to resolve audit findings designed to improve the effectiveness and efficiency of the agency's computer network operations, and address emerging challenges the agency faces in managing contractors that provide critical support for agency systems.

[Figure: Cybersecurity Framework Security Functions and the FISMA metric domains mapped to each. Identify: Risk Management; Contractor Systems. Protect: Configuration Management; Identity and Access Management; Security and Privacy Training. Detect: Information Security Continuous Monitoring. Respond: Incident Response. Recover: Contingency Planning.]
BACKGROUND
We first reported information security as a management challenge in FY 2001, and the growing
reliance on interconnected networks and systems—as well as more sophisticated and financially
supported adversaries—makes this area equally important today. The EPA's Office of Environmental
Information is primarily responsible for information technology management. Over the years, the
agency made strides to strengthen its policy framework and processes, and made marked
improvements in securing the EPA's network infrastructure and systems. However, during this same
period, cyber threats have become increasingly sophisticated, which continues to underscore the need
to proactively manage and bolster the agency's cybersecurity capabilities.
Cyber attacks could have a devastating impact on the EPA's computer systems and network, thereby
potentially disrupting agency operations, as well as the lives and operations of employees and
businesses who entrust the agency with their most sensitive personal or confidential business
information. GAO has recognized information security as a governmentwide high-risk area since 1997.
In September 2016, GAO reported that:
•	Cyber incidents reported by federal agencies grew about 1,300 percent from FY 2006 to FY 2015.
•	Federal agencies reported 77,183 incidents in FY 2015—over 10,000 more than the previous
year.
•	Federal agencies inconsistently implemented key laws and policies designed to establish a
framework for overseeing federal information security.
GAO notes that federal systems are "inherently at risk," and that this poses challenges because the
information technology environment is complex, diverse and often geographically dispersed. Like other
agencies, the EPA has a similarly complex information technology environment that is widely dispersed
throughout 24 headquarters and regional offices across the nation. As such, the increased presence of
cyber threats to systems that support EPA operations calls on management vigilance and commitment
to protect the agency's network. If the EPA is to realize a fully implemented information security
program or have effective processes to identify, respond to and correct security vulnerabilities that
place agency data and systems at risk, more effort is needed to increase the agency's capabilities to
achieve effective practices for the five Cybersecurity Framework Security Functions.
THE AGENCY'S PROGRESS
In response to our FY 2016 management challenges, the EPA indicated that it "understands the threat
and pervasiveness of cyber-attacks and is aware of the potential impact to the Agency's mission if
information assets are compromised." The EPA cited that it has published 5-year Information Security
and Continuous Monitoring and Risk Management strategic plans. The EPA explained that these plans
identify where the agency will provide risk-based protection for the agency's network. The EPA also
noted the following plans or actions taken to address our growing concerns:
•	Establish a 30-day maximum period that an account can remain inactive before the system
automatically disables the account.
•	Develop a process to manage annual security assessments, which includes oversight by the
Senior Agency Information Security Official.
•	Coordinate with the U.S. Department of Homeland Security and U.S. General Services
Administration to implement capabilities under the Continuous Diagnostics and Mitigation
Program, which includes vulnerability management.
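The 30-day inactivity control listed above is simple to state but has edges that an automated check must handle: accounts that have never logged in, accounts that are already disabled, and the boundary day itself. The following Python is an added example, not code from the EPA or the OIG, showing how such a check over a directory export might be written. The `Account` records, the `accounts_to_disable` and `disable` functions, and the sample data are all hypothetical and constructed for illustration; only the 30-day limit comes from the text.

```python
"""Inactive-account check (added example; hypothetical data, not EPA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Policy value from the text: disable after 30 days of inactivity.
INACTIVITY_LIMIT = timedelta(days=30)


@dataclass(frozen=True)
class Account:
    name: str
    created: datetime                 # when the account was provisioned
    last_login: Optional[datetime]    # None means the account has never logged in
    enabled: bool = True


def accounts_to_disable(accounts: Iterable[Account], now: datetime,
                        limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """Return the names of enabled accounts whose inactivity exceeds `limit`.

    An account that has never logged in is measured from its creation date,
    so a provisioned-but-unused account cannot stay enabled indefinitely.
    Inactivity of exactly `limit` is still allowed; day 31 trips the check.
    """
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already disabled, nothing to do
        last_activity = acct.last_login or acct.created
        if now - last_activity > limit:
            stale.append(acct.name)
    return sorted(stale)


def disable(accounts: Iterable[Account], names: Iterable[str]) -> List[Account]:
    """Return a new account list with the named accounts marked disabled."""
    targets = set(names)
    return [Account(a.name, a.created, a.last_login, enabled=False)
            if a.name in targets else a for a in accounts]


def _utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed directory snapshot evaluated on 2017-03-01 (hypothetical data).
NOW = _utc(2017, 3, 1)
SAMPLE = [
    Account("alice", _utc(2015, 1, 1), _utc(2017, 2, 28)),        # logged in yesterday: keep
    Account("bob",   _utc(2015, 1, 1), _utc(2017, 1, 15)),        # 45 days idle: disable
    Account("carol", _utc(2016, 12, 1), None),                    # never logged in, 90 days old: disable
    Account("dave",  _utc(2017, 2, 20), None),                    # never logged in, 9 days old: keep
    Account("erin",  _utc(2015, 1, 1), _utc(2016, 6, 1), False),  # already disabled: skip
    Account("frank", _utc(2015, 1, 1), _utc(2017, 1, 30)),        # exactly 30 days: keep until day 31
]

if __name__ == "__main__":
    for name in accounts_to_disable(SAMPLE, NOW):
        print(f"disable {name}")
```

Running the block against the constructed snapshot flags `bob` and `carol`; re-running it the next day also flags `frank`. Measuring never-used accounts from their creation date is the detail most scripted versions of this control miss.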
We acknowledge that the EPA continues to initiate actions to further strengthen or improve its
information security program. However, our audit work from the past 6 years continues to highlight
that the EPA faces challenges in addressing outstanding weaknesses within its information security
program, and in managing contractors that provide key support in operating or managing systems on
behalf of the agency.
Addressing Outstanding Weaknesses
Our FY 2016 report on the agency's progress in completing corrective actions associated with
information technology security recommendations made in FYs 2010-2012 found that the agency did
not ensure that agreed-to corrective actions were:
•	Fully implemented or carried out timely.
•	Recorded accurately or managed effectively in the Management Audit Tracking System (MATS).
•	Verified to have actually fixed the identified weakness.
Despite steps taken to correct many of the recommendations highlighted in this report, our current
audit work disclosed that further management emphasis is needed to address the overarching concern
with how the EPA manages the weaknesses within the agency's information security program. For
example, the program office responsible for overseeing the EPA's information security program lacks a
permanent or full-time employee to serve as its Audit Follow-Up Coordinator—a critical position for
monitoring the completion of audit recommendations that impact the agencywide information
security program. Furthermore, as noted in the EPA's December 2016 Enterprise Information Security
Metric Report, several offices made little to no progress in completing plans of actions and milestones
that address weaknesses in the EPA's information security program. Our audit determined that
management emphasis is needed to ensure that corrective actions for the agreed-to weaknesses are completed.
Analysis of the EPA's actions taken to address information security audit recommendations

Elements reviewed:
(1) Agency completed agreed-to corrective action(s)?
(2) Corrective action(s) timely completed as agreed-to?
(3) Completion date accurately recorded in MATS?
(4) Documentation maintained to support actions taken readily available?
(5) Agency verified action(s) taken actually fixed the deficiency?
(6) Agency continued to implement the action(s)?

OIG report and recommendation reviewed        (1)   (2)   (3)   (4)   (5)   (6)
Report 10-P-0058, Recommendation 2-1          No    No    No    No    No    No
Report 11-P-0159, Recommendation 2            No    No    No    No    No    No
Report 11-P-0277, Recommendation 2            No    No    No    No    No    No
Report 12-P-0836, Recommendation 12           No    No    No    No    No    No
Report 12-P-0899, Recommendation 8            No    No    No    No    No    No
Report 13-P-0257, Recommendation 5            Yes   Yes   No    No    Yes   Yes
Compliance percentage by element reviewed     17%   17%   0%    0%    17%   17%
Source: OIG analysis.
Our FY 2016 annual audit of the EPA's information security program disclosed that more work is
needed by the agency to achieve managed and measurable information security functions to manage
cybersecurity risks. In this regard, the EPA's information security program was not graded as effective
for any of the Cybersecurity Framework Security Functions defined by the National Institute of
Standards and Technology. The table below summarizes the four areas where the EPA did not receive a
positive rating and significant management emphasis is needed.
Results of testing assessed as "Not Met"

Cybersecurity Framework Security Function: Identify
FISMA metric domain: Risk Management
•	EPA did not implement an insider threat detection and prevention program, including the development of comprehensive policies, procedures, guidance and governance structures, in accordance with Executive Order 13587 and the National Insider Threat Policy.
FISMA metric domain: Contractor Systems
•	EPA did not establish or implement a process to ensure that contracts/statements of work/solicitations for systems and services include appropriate information security and privacy requirements and material disclosures; Federal Acquisition Regulation clauses; and clauses on protection, detection and reporting of information.
•	EPA did not obtain sufficient assurance that the security controls of systems operated on the organization's behalf by contractors or other entities and services provided on the organization's behalf meet Federal Information Security Modernization Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.

Cybersecurity Framework Security Function: Protect
FISMA metric domain: Identity and Access Management
•	EPA did not ensure that all users are only granted access based on least privilege and separation-of-duties principles.
•	EPA did not ensure that accounts are terminated or deactivated once access is no longer required or after a period of inactivity, according to organizational policy.
FISMA metric domain: Security and Privacy Training
•	EPA did not identify and track status of specialized security and privacy training for all personnel (including employees, contractors and other organization users) with significant information security and privacy responsibilities requiring specialized training.

Cybersecurity Framework Security Function: Respond
FISMA metric domain: Incident Response
•	EPA did not integrate incident response activities with organizational risk management, continuous monitoring, continuity of operations, and other mission/business areas, as appropriate.
•	EPA did not capture qualitative and quantitative performance metrics on the performance of its incident response program. The organization did not ensure that the data supporting the metrics was obtained accurately and in a reproducible format, or that data is analyzed and correlated in ways that are effective for risk management.
•	EPA did not implement its defined incident response technologies. Also, the tools are not interoperable to the extent practicable; do not cover all components of the organization's network; and have not been configured to collect and retain relevant and meaningful data consistent with the organization's incident response policy, procedures and plans.
•	EPA incident response stakeholders did not implement, monitor and analyze qualitative and quantitative performance measures across the organization and did not collect, analyze and report data on the effectiveness of the organization's incident response program.
•	EPA did not implement processes for consistently implementing, monitoring and analyzing qualitative and quantitative performance measures across the organization; and is not collecting, analyzing and reporting data on the effectiveness of its processes for performing incident response.
•	EPA data supporting incident response measures and metrics are not obtained accurately, consistently and in a reproducible format.
•	EPA uses technologies for consistently implementing, monitoring and analyzing qualitative and quantitative performance across the organization; however, the data are not consistently collected, analyzed and reported on the effectiveness of its technologies for performing incident response activities.
•	EPA has not defined or implemented incident response performance measures that include data on the implementation of its incident response program for all sections of the network.

Cybersecurity Framework Security Function: Recover
FISMA metric domain: Contingency Planning
•	EPA did not test its Business Continuity Plan and Disaster Recovery Plan for effectiveness and update plans as necessary.
•	EPA did not determine alternate processing and storage sites based upon risk assessments that ensure that the potential disruption of the organization's ability to initiate and sustain operations is minimized, and are not subject to the same physical and/or cybersecurity risks as the primary sites.

Source: OIG analysis.
FISMA: Federal Information Security Modernization Act
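Several of the Respond findings come down to one engineering gap: incident response performance data that is captured accurately, consistently and in a reproducible format. The following Python is an added example, not EPA or OIG code, of the minimum a reproducible metric pipeline needs: a fixed record format, strict timestamp parsing, validation that rejects incomplete or out-of-order records instead of letting them skew the averages, and the detection and containment times computed from what survives. The incident register, the `load_incidents` and `ir_metrics` functions, and the column names are all constructed for illustration.

```python
"""Incident response metrics from an incident register (added example; constructed data)."""
import csv
import io
from datetime import datetime, timezone
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed incident register (hypothetical, not EPA data). Timestamps are ISO 8601 UTC;
# an empty field means the value was never recorded.
INCIDENT_CSV = """\
id,category,occurred,detected,contained
INC-1,phishing,2017-01-03T09:00:00Z,2017-01-03T10:30:00Z,2017-01-03T14:30:00Z
INC-2,malware,2017-01-10T22:00:00Z,2017-01-12T08:00:00Z,2017-01-12T20:00:00Z
INC-3,unauthorized_access,2017-01-15T01:00:00Z,2017-01-15T03:00:00Z,
INC-4,phishing,2017-01-20T12:00:00Z,2017-01-20T12:15:00Z,2017-01-20T13:15:00Z
INC-5,malware,2017-01-25T07:00:00Z,,2017-01-26T07:00:00Z
INC-6,phishing,2017-01-28T08:00:00Z,2017-01-28T10:00:00Z,2017-01-28T09:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # one accepted format: anything else is a parse error, not a guess


def parse_ts(value: str) -> Optional[datetime]:
    """Strictly parse a UTC timestamp; an empty field is a missing value."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def load_incidents(text: str) -> List[Dict]:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["id"],
            "category": row["category"],
            "occurred": parse_ts(row["occurred"]),
            "detected": parse_ts(row["detected"]),
            "contained": parse_ts(row["contained"]),
        })
    return rows


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def ir_metrics(incidents: List[Dict]) -> Dict:
    """Time to detect (occurred -> detected) and time to contain (detected -> contained).

    A record with a missing timestamp is reported as incomplete and a record whose
    timestamps are out of order as inconsistent. Both are excluded from the averages,
    so bad data is surfaced as a finding rather than silently distorting the metric.
    """
    ttd, ttc, incomplete, inconsistent = [], [], [], []
    for inc in incidents:
        fields = (inc["occurred"], inc["detected"], inc["contained"])
        if any(f is None for f in fields):
            incomplete.append(inc["id"])
            continue
        if not (fields[0] <= fields[1] <= fields[2]):
            inconsistent.append(inc["id"])
            continue
        ttd.append(hours_between(inc["occurred"], inc["detected"]))
        ttc.append(hours_between(inc["detected"], inc["contained"]))
    return {
        "incidents": len(incidents),
        "measured": len(ttd),
        "mttd_hours": mean(ttd) if ttd else None,
        "median_ttd_hours": median(ttd) if ttd else None,
        "mttc_hours": mean(ttc) if ttc else None,
        "median_ttc_hours": median(ttc) if ttc else None,
        "incomplete": incomplete,
        "inconsistent": inconsistent,
    }


if __name__ == "__main__":
    for key, value in ir_metrics(load_incidents(INCIDENT_CSV)).items():
        print(f"{key}: {value}")
```

On the constructed register only three of six records are measurable: two are missing a timestamp and one records containment before detection. Reporting those identifiers alongside the averages is what makes the number defensible to an auditor; the same script run on the same export yields the same result.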
In addition, our FY 2016 audit of the EPA's financial statements disclosed that information technology
processes need to be improved to protect the integrity of EPA data used for decision-making, and that
the EPA lags behind in taking steps to remediate long-standing information system controls needed to
protect financial data. In particular, our audit noted that the EPA lacks (1) documentation to identify the
equipment needed to restore operations and network connectivity for the financial and mixed-financial
applications housed at its data center, (2) controls to monitor the actions of contractors with direct
access to data within the agency's core financial application, and (3) offsite data storage plans for key
financial applications. Additionally, the EPA has yet to remediate a FY 2009 weakness to implement
controls within its financial systems to ensure personnel with incompatible duties cannot process
financial transactions. Also, the agency has yet to address multiple long-standing weaknesses with regard
to how the EPA manages user accounts for its financial applications.
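The unremediated FY 2009 weakness above, that personnel with incompatible duties can still process financial transactions, and the Identity and Access Management finding that access is not granted on least-privilege and separation-of-duties principles are the same control seen from two sides. The following Python is an added example, not EPA or OIG code, of how that control is usually built: a conflict matrix of duties that one person must not hold together, a detective review of current role assignments, and a preventive check run before a new role is granted. The duties, roles, conflict rules and user assignments are all hypothetical and constructed for illustration; the `sod_violations` and `can_grant` functions are the example's own.

```python
"""Separation-of-duties check over role assignments (added example; hypothetical roles and rules)."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed duty pairs that one person must never hold together (hypothetical policy).
INCOMPATIBLE_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_transaction", "approve_transaction"}),
    frozenset({"approve_payment", "reconcile_ledger"}),
}

# Constructed mapping of application roles to the duties they confer (hypothetical).
ROLE_DUTIES: Dict[str, Set[str]] = {
    "ap_clerk": {"enter_transaction", "create_vendor"},
    "ap_supervisor": {"approve_transaction", "approve_payment"},
    "accountant": {"reconcile_ledger"},
    "auditor_readonly": {"view_reports"},
}


def effective_duties(roles: Iterable[str], role_duties=ROLE_DUTIES) -> Set[str]:
    """Union of duties conferred by a user's roles; an unknown role is an error, not silently empty."""
    duties: Set[str] = set()
    for role in roles:
        if role not in role_duties:
            raise ValueError(f"unknown role: {role}")
        duties |= role_duties[role]
    return duties


def conflicts_for(duties: Set[str], rules=INCOMPATIBLE_DUTIES) -> List[Tuple[str, str]]:
    """Every incompatible pair fully contained in `duties`, sorted for stable reporting."""
    return sorted(tuple(sorted(pair)) for pair in rules if pair <= duties)


def sod_violations(assignments: Dict[str, List[str]], role_duties=ROLE_DUTIES,
                   rules=INCOMPATIBLE_DUTIES) -> Dict[str, List[Tuple[str, str]]]:
    """Detective control: review current assignments and report users holding incompatible duties."""
    findings = {}
    for user, roles in assignments.items():
        found = conflicts_for(effective_duties(roles, role_duties), rules)
        if found:
            findings[user] = found
    return findings


def can_grant(current_roles: List[str], new_role: str, role_duties=ROLE_DUTIES,
              rules=INCOMPATIBLE_DUTIES) -> bool:
    """Preventive control: refuse a role that would introduce a conflict the user does not already have."""
    before = conflicts_for(effective_duties(current_roles, role_duties), rules)
    after = conflicts_for(effective_duties(list(current_roles) + [new_role], role_duties), rules)
    return after == before


# Constructed user-to-role assignments (hypothetical).
ASSIGNMENTS = {
    "hsmith": ["ap_clerk"],
    "jdoe": ["ap_clerk", "ap_supervisor"],      # enters and approves the same transactions
    "mlee": ["ap_supervisor", "accountant"],    # approves payments and reconciles the ledger
    "ctr_auditor": ["auditor_readonly"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(user, pairs)
```

Evaluating conflicts over effective duties rather than over role names is deliberate: a user who accumulates conflicting duties through two individually harmless roles is exactly the case a name-based rule misses. Running the review periodically, with the output retained, is the kind of evidence the MATS verification column above asks for.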
Managing Contractors
Increased management oversight is needed to ensure agency contractors comply with mandated
information system security requirements.
•	In our FY 2015 report on EPA contract systems, we noted that personnel with oversight
responsibilities for contractor systems were not aware of the requirements outlined in
EPA information security procedures. As a result, EPA contractors did not conduct the
required annual security assessments, did not provide security assessment results to the
agency for review, and did not establish the required incident response capability. Had
the systems included in our review been compromised, the resulting data breaches could
have cost from $1.4 million to over $12 million.
•	Our FY 2015 audit of the EPA's administration of cloud services disclosed that the EPA is not
fully aware of the extent of its use of cloud services, and thereby is missing an opportunity
to help make the most efficient use of its limited resources regarding cloud-based
acquisitions. We found that inadequate oversight of a cloud service provider resulted in the
agency placing an EPA system within the vendor's network that (1) did not comply with
federal security requirements, and (2) contained vendor terms of service that were not
compliant with the Federal Risk and Authorization Management Program.
•	Our FY 2015 annual audit of the EPA's information security program disclosed that agency
management of contractor systems requires significant management attention to correct
deficiencies noted in this area. We found that significant improvements are needed to (1) ensure
contractors comply with required security controls, (2) maintain an accurate inventory of
contractor systems, and (3) identify contractor systems that interface with EPA systems.
The EPA took steps to address some of the recommendations noted in the above reports.
Nonetheless, current audit work continues to note that the EPA lacks a holistic approach to managing
accountability over its contractors and ensuring personnel responsible for overseeing contractors are
aware of their responsibilities.
•	Our FY 2016 annual audit of the EPA's information security program disclosed that the agency
did not identify and track the status of specialized security training for contractors with
significant information security responsibilities.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria
required to justify removal: (1) agency capacity, (2) an action plan, (3) monitoring efforts, and
(4) demonstrated progress. The EPA has taken steps to address many of our audit
recommendations. However, the following actions remain to address cybersecurity challenges:
1.	Verify that the Audit Follow-Up Coordinator function in the Office of Environmental Information
has sufficient staffing to be effective, and ensure managers and staff understand the process
for this function and report concerns with workload.
2.	Develop and implement a process that:
a)	Strengthens internal controls for monitoring and completing corrective actions on all
open audits.
b)	Maintains appropriate documentation to support completion of corrective actions; if
delegated to sub-offices, the process should include regular inspections by the Office
of Environmental Information's Audit Follow-Up Coordinator.
c)	Specifies when sub-offices must report corrective actions as completed.
d)	Requires verification that corrective actions fixed the issue(s) that led to the
recommendation.
e)	Requires sub-offices to continue to use the improved processes.
f)	Requires Office of Environmental Information managers to update the office's
Audit Follow-Up Coordinator on the status of upcoming corrective actions.
3.	Take steps to remediate weaknesses identified during the FY 2016 annual audit of the EPA's
information security program.
4.	Develop a process to train EPA Contract Officer Representatives on their responsibilities for
monitoring the contractors to ensure they meet specified EPA information security
responsibilities. This includes (a) monitoring that contractors that operate information
systems on behalf of the EPA perform the mandated information security assessments, and
(b) ensuring that contractors with significant information security responsibilities complete
required role-based training.
5.	Implement plans to review all EPA contracts and task orders, and place the EPA-developed
contract clause requiring contractors to complete role-based training into all EPA contracts
and task orders.
6.	Implement a process to create a listing of agency contractor personnel with significant
information security responsibilities who require role-based training; validate that the
identified contractor personnel complete the annual role-based training requirement, and
report the information as required by the Federal Information Security Modernization Act.