U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Improved Internal Controls Needed in the Gulf of Mexico Program Office

Report No. 13-P-0271
May 30, 2013

Report Contributors: Patrick Gilbride, Randy Holthaus, Raul Adrian, Lisa Bergman

Abbreviations
ANSP  Agency Network Security Policy
CIO   Chief Information Officer
COTR  Contracting Officer's Technical Representative
EPA   U.S. Environmental Protection Agency
FISMA Federal Information Security Management Act
FMFIA Federal Managers' Financial Integrity Act
FTE   Full Time Equivalent
FY    Fiscal Year
GAO   U.S. Government Accountability Office
GMPO  Gulf of Mexico Program Office
GPRA  Government Performance and Results Act
IMO   Information Management Officer
ISO   Information Security Officer
ISP   Information Security Policy
IT    Information Technology
LAN   Local Area Network
NCCR  National Coastal Condition Report
NIST  National Institute of Standards and Technology
OEAEE Office of External Affairs and Environmental Education
OEI   Office of Environmental Information
OIG   Office of Inspector General
OMB   Office of Management and Budget
OW    Office of Water
SIO   Senior Information Officer

Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
email: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline, 1200 Pennsylvania Avenue, NW, Mailcode 2431T, Washington, DC 20460

At a Glance
U.S. Environmental Protection Agency, Office of Inspector General
Report No. 13-P-0271, May 30, 2013

Why We Did This Review
The Gulf of Mexico is one of the U.S. Environmental Protection Agency's (EPA's) Large Aquatic Ecosystem programs. Due to its size and rich biodiversity, the Gulf is critically important for the nation's environmental and economic well-being.
Recent environmental disasters, such as Hurricane Katrina and the BP Deepwater Horizon oil spill, have focused national attention on the Gulf region. Consequently, our objective was to determine whether the Gulf of Mexico Program Office (GMPO) had established effective internal controls over program operations.

This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Protecting America's waters.

Improved Internal Controls Needed in the Gulf of Mexico Program Office

For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391. The full report is at: www.epa.gov/oig/reports/2013/20130530-13-P-0271.pdf

What We Found
Two of GMPO's performance measures are unrealistic in that they do not reflect what the office was set up to achieve. The two unrealistic measures involve the size of the hypoxic zone and the National Coastal Condition Report Index. Further, one strategic objective (environmental education) is not being measured. This occurred because GMPO had not performed an assessment of its strategic objectives and performance measures, as required by governmentwide internal control standards. As a result, some of the functions that GMPO performs are not being properly measured and, thus, GMPO's resources might not be used in the most efficient or effective way.

GMPO management did not ensure that its Local Area Network (LAN) was secure, did not have primary information security controls in place, and did not ensure the contractor met the security requirements in the LAN contract. This occurred because the GMPO's former Acting Director was not trained on and therefore not technically knowledgeable of federal and agency IT security requirements. As a result, GMPO's LAN is vulnerable to individuals and groups with malicious intentions, and EPA has not received the full benefit of the $749,755 paid over 4 years for LAN security services.

The GMPO Web page displayed inaccurate data for over 18 months.
GMPO did not perform a review of the content before posting, use a Content Manager to review the content, or follow EPA's Web governance policies or content review procedures. This occurred because GMPO personnel were not aware of the EPA Web governance policies or content review procedures. Because information posted on EPA's Web pages is accessed by the public, inaccurate data can negatively impact EPA's credibility.

Recommendations and Planned Agency Corrective Actions
We recommend that GMPO conduct a risk assessment of its strategic objectives and measures, and work with the Office of Water to adjust those measures as needed to accurately reflect GMPO's mission. We recommend that GMPO and Region 4 officials correct the LAN security controls deficiencies. We also recommend that GMPO complete actions to establish an office Web content review process. Further, we recommend that the Office of Environmental Information address LAN deficiencies and, along with the Office of External Affairs and Environmental Education, monitor GMPO Web actions. EPA agreed with 12 of our 13 recommendations and proposed a satisfactory alternative corrective action for the remaining recommendation.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

May 30, 2013

MEMORANDUM

SUBJECT: Improved Internal Controls Needed in the Gulf of Mexico Program Office
         Report No. 13-P-0271
FROM: Arthur A. Elkins Jr.
TO: See Below

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determination on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.
Action Required
The agency concurred with recommendations 1 through 12, and proposed a satisfactory alternative corrective action for recommendation 13. Therefore, we accept EPA's response and planned corrective actions for all 13 recommendations and no further response is needed. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Richard Eyermann, Acting Assistant Inspector General for Audit, at (202) 566-0565 or Eyermann.Richard@epa.gov; or Patrick Gilbride, Product Line Director, at (303) 312-6969 or Gilbride.Patrick@epa.gov.

Addressees:
Nancy Stoner, Acting Assistant Administrator, Office of Water
Malcolm D. Jackson, Assistant Administrator and Chief Information Officer, Office of Environmental Information
Ben Scaggs, Director, Gulf of Mexico Program Office
A. Stanley Meiburg, Acting Regional Administrator, Region 4
Tom Reynolds, Associate Administrator, Office of External Affairs and Environmental Education

Improved Internal Controls Needed in the Gulf of Mexico Program Office (13-P-0271)

Table of Contents

Chapters
1 Introduction
  Purpose
  Background
  Scope and Methodology
  Prior Audit Reports
2 GMPO's Performance Measures Need Improvement
  Federal Laws, Standards, and Policies Require Risk Assessment
  Two GMPO Performance Measures Are Unrealistic
  One Key GMPO Activity Not Measured
  GMPO Did Not Perform a Programmatic Risk Assessment
  GMPO's Performance Not Properly Assessed and Resources May Not Be Used in the Most Efficient Manner
  Conclusions
  Recommendations
  Agency Comments and OIG Evaluation
3 GMPO's Local Area Network Not Secured
  Requirements for Information Security Controls
  GMPO Management Did Not Secure Its LAN and Received No Oversight From OW IT Managers
  GMPO Manager Was Not Trained on IT Security and OW IT Managers Were Not Aware of LAN
  GMPO LAN Is Vulnerable and EPA Paid for Security Not Received
  EPA Management Actions Taken During Our Audit
  Conclusions
  Recommendations
  Agency Comments and OIG Evaluation
4 GMPO Needs a Process to Review Data Prior to Posting on the EPA Public Access Website
  Requirements for Web Management and Content Review
  GMPO Posted Inaccurate Data on the EPA Public Access Website
  GMPO Personnel Were Not Aware of Web Content Review Requirements and EPA Management Did Not Monitor for Compliance
  Inaccurate Data Can Impact EPA's Credibility
  EPA Management Actions Taken During Our Audit
  Recommendations
  Agency Comments and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits
Appendices
A Details on Scope and Methodology
B Agency Response
C Distribution

Chapter 1
Introduction

Purpose
The purpose of this audit was to determine whether the U.S. Environmental Protection Agency's (EPA's) Gulf of Mexico Program Office (GMPO) had established effective internal controls over program operations. According to the U.S. Government Accountability Office (GAO), there are five standards of internal control:

Table 1: GAO Five Standards of Internal Control
1. Control Environment: Management and employees should establish and maintain an environment throughout the organization that sets a positive and supporting attitude toward internal control and conscientious management.
2. Risk Assessment: Internal control should provide for an assessment of the risks the agency faces from both external and internal sources.
3. Control Activities: Internal control activities help ensure that management's directives are carried out. Control activities should be effective and efficient in accomplishing the agency's control objectives.
4. Information and Communications: Information should be recorded and communicated to management and others within the entity who need it, and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.
5. Monitoring: Internal control monitoring should assess the quality of performance over time and ensure that audit and other review findings are promptly resolved.
Source: Office of Inspector General (OIG) summary of GAO's Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, November 1999.

Background
The Gulf of Mexico is a critical body of water from an economic, recreational, and ecological standpoint. With about 60 percent of the continental United States waterways draining into the Gulf, it provides a vast array of economic benefits to the nation, including oil and gas production, fisheries, and leisure income. Recent high profile disasters that occurred in the Gulf have focused public and political attention on the region.

EPA's GMPO was created in 1988 to protect, maintain, and restore the health and productivity of the Gulf of Mexico while maintaining the economic well-being of the Gulf region. GMPO's mission is non-regulatory in nature, relying on a collaborative approach to work with other government and community organizations in the region.

EPA established GMPO as a semi-autonomous program. As such, it draws input from state and federal partners in the Gulf region. Its strategic and budgetary direction comes from the Office of Water (OW), while it receives administrative support and oversight from EPA Region 4. GMPO's offices are located at Stennis Space Center, Mississippi.
GMPO's strategic partners in the Gulf include the Gulf of Mexico Alliance, which represents the five adjacent state governments (Florida, Alabama, Mississippi, Texas and Louisiana); the Gulf of Mexico Business Coalition; the Gulf Coast Ecosystem Restoration Task Force;1 and various other federal agencies, such as the National Oceanic and Atmospheric Administration, U.S. Fish and Wildlife Service, and U.S. Geological Survey.

From fiscal years (FYs) 2009 to 2012, GMPO provided $11.8 million for various environmental and community projects through cooperative agreements, interagency agreements, and contracts (table 2). During that period, GMPO's budget and full time equivalent (FTE) resources remained relatively constant.

Table 2: GMPO Yearly Budget Figures, 2009-2012
FY      Budget ($ millions)   Project funding ($ millions)   FTEs
2009    $4.6                  $2.5                           14.0
2010    6.0                   3.9                            14.0
2011    4.5                   2.8                            13.0
2012    5.5                   2.6                            12.9
Totals  $20.6                 $11.8
Source: OW budget reports as of July 18, 2012.

GMPO is supported by a local area network (LAN) for information technology (IT) applications. The LAN consists of a network switch, file server, approximately 20 workstations, and connections to the EPA-wide area network. A contractor manages the GMPO LAN under an EPA IT service contract. The GMPO's Deputy Director served as the security manager and contracting officer's technical representative for the LAN.

GMPO maintains Web pages on EPA's public access website2 where it posts information about its mission, activities, and accomplishments. GMPO staff manage Web page content with oversight provided by the GMPO Director and Deputy Director.

1 Per the RESTORE Act, the Gulf Coast Ecosystem Restoration Task Force has now transitioned to the Gulf Coast Ecosystem Restoration Council.
2 The EPA public access website address is http://www.epa.gov/gmpo/index.html.
Scope and Methodology
We conducted our audit from May 2012 to March 2013 in accordance with generally accepted government auditing standards. Those standards require that we obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our evaluation objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our objectives.

We based our review on GAO's Standards for Internal Control in the Federal Government issued in 1999, GAO's Internal Control Management and Evaluation Tool issued in 2001, and other federal criteria and EPA policies pertaining to internal controls. We also reviewed federal criteria and EPA policies and procedures for information security, such as the Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB) Circular A-130, the National Institute of Standards and Technology (NIST) Special Publication 800-53, and the EPA Agency Network Security Policy (ANSP).

We conducted a site visit at GMPO's headquarters at the Stennis Space Center, Mississippi; interviewed staff and management; and reviewed controls in place. We also conducted interviews with officials from Regions 4 and 6, OW, and other GMPO stakeholders. Appendix A provides further details on our scope and methodology.

Prior Audit Reports
GAO issued a report in July 2012, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses, GAO-12-696. The report stated that security control weaknesses pervaded EPA's systems and networks, thereby jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity, and availability of its information and systems.
The report also found that EPA did not always update system security plans to reflect current agency security control requirements; did not assess management, operational, and technical controls for agency systems based on risk at least annually; and did not implement a corrective action process to track and manage all weaknesses when remedial actions were necessary.

Chapter 2
GMPO's Performance Measures Need Improvement

Two of GMPO's performance measures do not reflect what GMPO was designed to achieve and can legitimately influence. Further, one key GMPO activity is not being measured. Applicable federal criteria, such as GAO's Internal Control Management and Evaluation Tool issued in 2001 and the Government Performance and Results Act (GPRA) Modernization Act issued in 2010, stress the importance of continually assessing the relevance and validity of performance measures through risk assessment. GMPO officials acknowledged that they have not performed a risk assessment of GMPO's strategic objectives and corresponding performance measures. As a result, the functions that GMPO performs are not being properly measured and GMPO's resources may not be used in the most efficient or effective way.

Federal Laws, Standards, and Policies Require Risk Assessment
The GPRA Modernization Act of 2010 (Public Law 111-352) states that an agency's strategic plans shall contain an identification of key factors external to the agency that could significantly affect the achievement of the general goals and objectives. The law also states that the head of each agency shall make available on its public website and to OMB an update on agency performance which shall explain where a performance goal has not been met, if the performance goal is impractical or infeasible, why that is the case, and what action is recommended.
GAO's Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), November 1999, states that risk assessment is the identification and analysis of relevant risks associated with achieving the strategic objectives, and forming a basis for determining how risks should be managed.

The GAO Internal Control Management and Evaluation Tool (GAO-01-1008G), August 2001, states that assumptions made in strategic plans and budgets should be consistent with the agency's historical experience and current circumstances. It further states that activity-level (i.e., program- or mission-level) objectives flow from, and are linked with, the agency's entitywide objectives and strategic plans, and are reviewed periodically to assure that they have continued relevance.

EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control, July 18, 2008, states, in accordance with GAO's Standards for Internal Control in the Federal Government, that risk assessment is the identification and analysis of relevant risk associated with achieving the agency's mission. It further states that program managers should identify internal and external risks that may prevent the organization from efficiently and effectively meeting its objectives.

Two GMPO Performance Measures Are Unrealistic
During our review we found that two of GMPO's core performance measures required GMPO to achieve targets over which it has no direct control. The first of these measures is the hypoxia measure (SP-40),3 which is a measure that calls for reductions in nutrient releases into the Mississippi River. As mentioned in Chapter 1, GMPO was created with a non-regulatory mission and has no authority to regulate or enforce the amount of nutrients released upstream into the Mississippi River. As a result, GMPO does not have the ability to directly influence this issue. The second measure is the National Coastal Condition Report (NCCR) 3-year index measure (GM-435).
EPA publishes the NCCR in collaboration with other federal agencies (National Oceanic and Atmospheric Administration, U.S. Fish and Wildlife Service, and U.S. Geological Survey). The report covers all the coastal regions of the country; however, measure GM-435 only refers to the results pertaining to the Gulf of Mexico region. The overall index for the Gulf is a compilation of five individual indices measuring a broad range of environmental conditions: water quality, sediment quality, benthic zone conditions, condition of coastal habitats, and fish tissue contaminants. This index is expressed in terms of a 5-point scale which rates the condition of the Gulf as good, fair, or poor. We spoke to subject matter experts within OW and GMPO and, based on their opinions, it is not fair to expect that a small program like GMPO, with a non-regulatory mission and a $5.5 million budget and 13 FTEs, could legitimately affect this comprehensive rating. OW reported in 2011 that GMPO failed to meet its targets under this measure four separate times during the period 2007 to 2011.4

One Key GMPO Activity Not Measured
An important aspect of GMPO's work, namely environmental education for underserved and underrepresented communities, is not captured by any of GMPO's current performance measures. Based on our interviews with GMPO management and staff, we estimated that about 1.8 of its 12.9 FTEs were devoted to environmental justice-related tasks in FY 2012, yet GMPO did not measure this activity. Environmental education was one of the strategic objectives for FY 2012, but progress achieved in this area is currently not being gauged by any of the performance indicators set for GMPO by OW (as shown in table 3).

3 EPA assigns codes to all programmatic performance measures. These codes are used for tracking each program's annual commitments in an internal performance tracking database system. For the measures discussed in this chapter, the acronyms "GM" and "SP" stand for "Gulf of Mexico" and "Strategic Plan," respectively.
4 National Water Program Best Practices and End of Year Performance Report, FY 2011.

Table 3: GMPO FY 2012 Strategic Objectives/Performance Measures
Objectives (per OW National Program Manager's Guidance & FY 2012 President's Budget), each followed by its corresponding performance measure(s):

Healthy/resilient coastal habitats
• Restore/enhance/protect cumulative number of acres of coastal marine habitats.
• National Coastal Condition Report 3-year index.

Sustainable coastal barriers
• Restore/enhance/protect cumulative number of acres of coastal marine habitats.

Wise management of sediments/nutrient levels
• Reduce releases of nutrients throughout the Mississippi River to reduce size of the hypoxia zone (5-year average).
• National Coastal Condition Report 3-year index.
• Bi-national early detection system for harmful algal blooms.

Improved science monitoring/management efforts for water quality/seafood safety
• Restore water and habitat quality standards in impaired segments in 13 priority areas.
• National Coastal Condition Report 3-year index.

Environmental education for underserved/underrepresented communities
• None

Source: OIG analysis of information obtained from OW's website and GMPO's Chief Scientist.

GMPO Did Not Perform a Programmatic Risk Assessment
GMPO did not conduct a risk assessment of its programmatic performance measures. GMPO officials stated that they did not perform a risk assessment of their programmatic performance measures because, due to its unique nature as a semi-independent program, its strategic objectives were set in consultation with external stakeholders. GMPO officials stated, however, that they had recently begun the process of formally assessing GMPO's goals and objectives in a manner consistent with its non-regulatory mission, in the context of OW's strategic plan.
As a result of this process, GMPO officials developed a new set of performance measures that they believe will more accurately convey the work GMPO performs. GMPO submitted its proposed measures to OW for consideration on January 11, 2013.

GMPO's Performance Not Properly Assessed and Resources May Not Be Used in the Most Efficient Manner
By not having performance measures in place that reflect what GMPO was designed to achieve and that capture all of the program's key activities, GMPO's performance is not being assessed in a comprehensive manner. Consequently, OW cannot report an accurate assessment of the program results to OMB. Further, some of GMPO's limited resources are being spent on activities associated with the two unrealistic performance measures and, as a result, those resources may not be spent in the most efficient manner.

Conclusions
By not conducting a risk assessment of its programmatic performance measures, GMPO was unable to determine that there was a high risk of not achieving the results required by two of the measures, as described in this chapter. Further, environmental education was a strategic goal for GMPO in FY 2012 yet no performance measure was assigned for this activity. As a result, GMPO is being held accountable for measures it cannot realistically achieve, and is also not being held accountable for one key mission-related activity it performs.

Recommendations
We recommend that the Director, Gulf of Mexico Program Office:
1. Conduct a risk assessment of GMPO strategic control objectives and programmatic performance measures.

We recommend that the Assistant Administrator for Water:
2. Evaluate the results of GMPO's risk assessment and work with GMPO management to make the necessary changes to its objectives and measures, so GMPO can accurately measure performance.
Agency Comments and OIG Evaluation
OW and GMPO concurred with recommendations 1 and 2, but requested guidance to better understand how to conduct a risk assessment. In subsequent discussions, we provided additional information on the subject from the Office of the Chief Financial Officer's website and also encouraged OW and GMPO to speak with the Office of the Chief Financial Officer for more guidance. Based on those discussions, OW agreed to complete corrective actions for recommendation 1 by December 31, 2013, and for recommendation 2 by June 30, 2014. EPA also requested in its response to our draft report that we delete remarks by one of the members of OW's Accountability Staff. We made that deletion from this report as it does not affect the message conveyed. Appendix B contains EPA's official response.

Chapter 3
GMPO's Local Area Network Not Secured

GMPO management did not secure the GMPO LAN and did not ensure the contractor met the security requirements in the LAN contract. OW IT managers did not provide oversight for the GMPO LAN. Federal laws, directives, and standards for information security and EPA policies require EPA to provide information security protection. GMPO's former Acting Director, serving as the GMPO security manager and LAN contracting officer's technical representative (COTR), was not trained on, and therefore not technically knowledgeable of, federal and agency IT security requirements. Further, one OW IT manager was not aware that the GMPO LAN existed and another OW IT manager believed that GMPO received IT support from Region 4. Without adequate security controls, the GMPO LAN is vulnerable to individuals and groups with malicious intentions who may launch attacks against the LAN or use it to launch attacks against other computer systems and networks, such as the EPA-wide area network.
In addition, EPA has not received the full benefit of the $749,755 paid over 4 years for the LAN services because the contractor did not fulfill the mandated security requirements contained in the contract.

Requirements for Information Security Controls
Federal guidance provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets. EPA information security policies establish and define the principles to meet the security controls requirements in FISMA, OMB circulars, and other federal and agency standards. EPA contracts for the GMPO LAN services include references to the federal and agency information security requirements that the contractor must meet to properly protect IT resources.

Federal Information Security Laws, Directives, and Standards
FISMA requires each federal agency to develop, document, and implement an agencywide information security program. The program should provide security for the information and information systems that support the operations and assets of the agency, including those that other agencies, contractors, or other sources provide or manage. According to FISMA, each agency is responsible for providing information security protections, commensurate with risk, for information collected or maintained by, or on behalf of, the agency, and information systems used or operated by the agency or on its behalf. FISMA requires that a chief information officer or a comparable official of the agency be responsible for developing and maintaining an agencywide information security program. FISMA also requires agencies to maintain and update annually an inventory of major information systems, including those provided or managed by another agency, contractor, or other source. FISMA requires that agencies comply with security control standards issued by NIST.

OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources, issued November 28, 2000, sets forth four security controls: (1) assignment of responsibility for security, (2) security planning, (3) periodic review of security controls, and (4) management authorization (currently called security authorization). This Circular also states that if one of these basic controls is missing, an agency should consider identifying a deficiency in accordance with OMB and the Federal Managers' Financial Integrity Act (FMFIA) reporting requirements.

NIST Special Publication 800-53, Revision 3,5 provides detailed information on the security control standards, their function, and purpose. Security controls are safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are three general classes of security controls: management, operational, and technical. Security training is an operational security control that requires the organization to provide role-based security-related training to information system managers before authorizing access to the system or performing assigned duties.

EPA Information Security Policies
EPA's Office of Environmental Information (OEI) manages and issues information technology/information management-related policies. During our audit, we reviewed EPA's operations for the period 2009 through 2012. During this period, four IT security policies applicable to EPA networks were in effect for various amounts of time. The first was the ANSP, Chief Information Officer (CIO) 2150.0, November 2007, which was in effect until it was superseded in August 2011 by the Interim ANSP, CIO 2150.1. This policy was then superseded by the Interim Agency Information Security Policy (ISP), CIO 2150.2 of April 2012. The Interim ISP was then replaced in August 2012 by the policy that is currently in effect, the ISP, CIO 2150.3.
The ANSP of 2007 was in effect for the greatest amount of time during our review period. The ANSP of 2007 was the security policy for the EPA network and associated IT resources. This policy established and defined the principles needed to meet the security controls requirements in FISMA, OMB circulars, and other federal and agency standards. Listed below are some of the IT managers' responsibilities for information security. 5 NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, was issued in August 2009 and updated May 1, 2010. 13-P-0271 9 ------- Senior Information Officers (SIOs) are responsible for the following for their respective offices: • Ensuring effective processes and procedures are established and implemented for compliance with agency information and IT policies, procedures, operations, and standards. • Ensuring IT personnel manage operating systems effectively, including use of an internal monitoring program to evaluate policy effectiveness that is consistent with federal and agency security standards and requirements. • Ensuring that personnel are sufficiently trained to comply with federal and agency security standards and requirements. The Information Management Officer (IMO) is responsible for: • Implementing and administering network security policy within their organization. • Conducting comprehensive assessments of management, operational, and technical security controls in an information system. • Determining and certifying the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. • Making accreditation recommendations to the SIO serving as the Authorizing Official. Information Security Officer (ISO) responsibilities include: • Ensuring that periodic testing of security controls is conducted and those controls are operating effectively. 
• Assisting general support system and major application managers in planning for and establishing adequate security for the general support system or major application, as appropriate.[6]
• Providing ongoing user security awareness and training.

Another ANSP requirement was that the agency must monitor contractor compliance with the information security responsibilities specified in agency contracts.

[6] OMB Circular No. A-130, Appendix III, defines "general support system" as an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a LAN including smart terminals that supports a branch office, an agencywide backbone, or a communications network.

EPA Contracts for LAN Services

GMPO obtained LAN services through two IT support contracts covering the period 2004 through 2016.[7] The first contract ended in October 2011. The period of performance for the second contract began in October 2011 and contained option years through 2016. The statement of work or performance work statement for each contract contained the requirement to implement EPA's security policies. The second contract also stated that the contractor shall comply with FISMA. The total amount GMPO paid for the LAN services contracts from 2009 through 2012 was $749,755: $540,382 for the first contract from 2009 through 2011 and $209,373 for the second contract from 2011 through 2012.

GMPO Management Did Not Secure Its LAN and Received No Oversight From OW IT Managers

GMPO management did not provide security controls, and OW IT managers did not provide oversight for the GMPO LAN. Specifically, GMPO and OW IT managers did not establish security controls for assigning responsibility for security, security planning, or periodic review of security controls for 2009 through 2012.
The OW and GMPO IT managers also did not obtain authorization to operate the GMPO LAN and did not include it in the EPA system inventory. In addition, the former Acting Director certified several statements in the GMPO 2011 FMFIA assurance letter and supporting documents that were not factual. These statements were:

1. GMPO's Information Security Plan and LAN Contingency Plan were developed in accordance with FISMA and EPA requirements.
2. Periodic security reviews and updates are conducted to ensure that the GMPO Information Security Plan is effectively implemented.
3. GMPO's Security Plan has been certified by a third-party vendor to test security controls.
4. OW had conducted semiannual IT security reviews that resulted in no issues being identified.

The GMPO LAN security planning did not comply with FISMA and EPA requirements; GMPO could provide no evidence that periodic security reviews or third-party vendor security certification had been performed; and the OW ISO verified that OW conducted no IT security reviews of the GMPO LAN. While the 2011 FMFIA assurance letter cited the former Acting Director as the GMPO security manager, the OW SIO never assigned that person the position or the associated responsibilities.

[7] The first contract was 68-W-04-005, awarded January 8, 2004; the second contract was HHSN263999900033I, awarded August 25, 2011.

GMPO Manager Was Not Trained on IT Security and OW IT Managers Were Not Aware of LAN

GMPO's former Acting Director, serving as the GMPO security manager, was not trained on and therefore not technically knowledgeable of federal and agency IT security requirements. The GMPO Chief of Staff had no knowledge that the former Acting Director had taken any specialized security training and was unable to provide any support showing that the Acting Director took such courses.
The former Acting Director also served as the COTR and did not ensure the contractor met the LAN contract requirements to comply with FISMA and EPA's security policies. Because the same person served as both the COTR and the GMPO security manager, there was no separation of duties to ensure proper management and oversight. In addition, one OW IT manager was not aware that the GMPO LAN existed, and another OW IT manager believed that GMPO received IT support from Region 4.

GMPO LAN Is Vulnerable and EPA Paid for Security Not Received

Without adequate security controls, the GMPO LAN is vulnerable to individuals and groups with malicious intentions who may obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks, such as the EPA-wide area network. According to the GAO, "Federal agencies have experienced a significant rise in security incidents in recent years, with data from the U.S. Computer Emergency Readiness Team showing an increase in security incidents and events from 29,999 in 2009 to 42,887 in 2011."[8] In addition, EPA has not received the full benefit of the $749,755 paid over 4 years for LAN services because the contractor did not fulfill the FISMA and EPA security requirements contained in the contract. Statements in the FMFIA assurance letter about LAN security were misleading; as a result, OW managers did not have reliable information with which to detect and correct LAN security problems. Additionally, agency management should assess the GMPO LAN deficiencies to determine whether they are reportable under FMFIA.

EPA Management Actions Taken During Our Audit

During the course of our review, we informed GMPO and OW IT management of the information security deficiencies identified for the LAN. GMPO and OW IT management took two corrective actions.
In December 2012, the GMPO Acting Chief of Staff informed us that the GMPO Director and the Regional Administrator for Region 4 had agreed that Region 4 would assume IT support for the GMPO LAN and associated computer equipment. Region 4 assumed IT support for the GMPO LAN in April 2013. The OW ISO coordinated with GMPO management in October 2012 and added the LAN to the EPA information system inventory.

[8] GAO Report, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses, GAO-12-696, July 19, 2012.

Conclusions

GMPO management should take immediate action to secure the LAN in accordance with federal and agency information security requirements and complete the corrective actions initiated during our audit. Properly protecting the GMPO LAN also helps protect other interconnected IT resources, such as the EPA-wide area network. In addition, converting the LAN support to Region 4 IT managers and discontinuing the LAN services contract could result in reduced costs and potential savings for EPA.

Recommendations

We recommend that the Regional Administrator, Region 4:

3. Require the Region 4 SIO to assign a technically knowledgeable person to be the security manager of the GMPO LAN.
4. Require the Region 4 SIO to provide necessary role-based security-related training to information system managers and staff before authorizing them access to the system or before they perform assigned duties.
5. Require the Region 4 ISO and IMO to work with the LAN security manager to plan and implement IT security controls—including system security planning, periodic review of security controls, and authorization to operate the LAN—that comply with FISMA, OMB, and NIST requirements and guidance.
6. Require the Region 4 ISO and IMO to work with the LAN security manager to establish a plan of action and milestones to correct the LAN deficiencies as required by NIST Special Publication 800-53.[9]

We recommend that the Director, Gulf of Mexico Program Office:

7. Establish internal controls to prevent the LAN security manager duties and the LAN COTR duties from being assigned to the same individual.
8. Require the COTR to enforce the contract and make sure the LAN contractor meets the system security requirements in the contract.
9. Provide OW with notice of the erroneous statements and claims made in prior years' FMFIA assurance letters regarding IT system security.

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer:

10. Assess the LAN deficiencies identified in this report to determine whether they should be reported under FMFIA, and act accordingly.

[9] NIST Special Publication 800-53, Revision 3, defines a plan of action and milestones as a document that identifies tasks needing to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

Agency Comments and OIG Evaluation

EPA concurred with all of the recommendations in this chapter. We reviewed EPA's proposed corrective actions and agree that they adequately address our recommendations. Subsequent to our receipt of EPA's official response to the draft report, we contacted personnel from GMPO and Region 4 to clarify some of the completion dates for the proposed corrective actions. Those dates are shown in the Status of Recommendations chart in this report. Appendix B contains EPA's official response.

Chapter 4
GMPO Needs a Process to Review Data Prior to Posting on the EPA Public Access Website

The GMPO Web page, on the EPA public access website, displayed inaccurate data for over 18 months.
GMPO did not review the content before posting, did not use a Content Manager to review the content, and did not follow EPA's Web governance policies or content review procedures. GMPO personnel were not aware of the EPA Web governance policies or content review procedures. Also, the CIO and the Associate Administrator for the Office of External Affairs and Environmental Education (OEAEE) did not ensure that GMPO complied with the EPA Web governance policy and content review procedures. Inaccurate data can negatively impact EPA's credibility with the public.

Requirements for Web Management and Content Review

OEI issues the policies and procedures that govern EPA's public access website. The Web Governance and Management[10] policy established that EPA will operate and maintain a public access website to assist in fulfilling the agency's mission to protect the environment and public health. The Web Content Types and Review Procedure[11] established the steps for keeping content on the EPA website current. The procedure also states that EPA's website is a fundamental communication tool for every agency program and region and that effective management of information is essential.

EPA's Policy for Web Governance and Management

EPA's Web Governance and Management policy[12] states that OEI and OEAEE share responsibility for governance of EPA's public access website. The Web Council provides representative advice on content and infrastructure to the National Web Content and Infrastructure Managers and, through them, to the Associate Administrator for OEAEE and the Assistant Administrator for OEI. The Web Council also disseminates information from agency leadership to the Web community. Regional and program offices provide quality content and appropriate infrastructure to communicate the agency's work and mission, adhering to the Web governance and management policy.
The policy states that ultimate accountability for these regional and program areas rests at the most senior level, typically the assistant administrator or regional administrator, who must provide sufficient resources and ensure that Web resource allocation is aligned with agency and program priorities.

[10] Web Governance and Management, CIO 2180.0, September 7, 2006.
[11] Web Content Types and Review Procedure, CIO-2180-P-06.0, March 16, 2011.
[12] This policy refers to the Office of Public Affairs, which was subsequently replaced by OEAEE.

EPA's Web Content Types and Review Procedure

The Web Content Types and Review Procedure established procedures for determining the content type and review schedule for all content posted on the EPA website. The procedure identifies roles and responsibilities, defines terms, and provides steps for reviewing Web content. It states that EPA's website is a fundamental communication tool for every agency program and region and that effective management of information is essential. Distinguishing content types and identifying appropriate review schedules are critical to keeping the website current and up to date; otherwise, Web visitors may have difficulty locating information or determining what information accurately describes current EPA policy decisions and activities. The CIO and the Associate Administrator for OEAEE are jointly responsible for monitoring compliance with this procedure.

GMPO Posted Inaccurate Data on the EPA Public Access Website

The GMPO Web page, on the EPA public access website, contained inaccurate data for over 18 months. Specifically, the Web page contained inaccurate funding figures in a chart titled The Gulf of Mexico Program at Work, 1988-2010, which showed the amount that each of the five Gulf states spent on projects over that period.
The notice on the Web page stated that it was last updated December 14, 2010, about 18 months before we identified the issue in June 2012. There was no evidence of any oversight or monitoring of GMPO's Web page content or posting by other offices, and the inaccurate data went undetected.

GMPO Personnel Were Not Aware of Web Content Review Requirements and EPA Management Did Not Monitor for Compliance

GMPO did not review the content before posting, did not use a Content Manager to review the content, and did not follow the Web Governance and Management policy or the Web Content Types and Review Procedure. GMPO personnel were not aware of the EPA Web guidance or the content review procedures. Also, the CIO and the Associate Administrator for OEAEE did not ensure that GMPO complied with the EPA Web governance policy and content review procedures.

Inaccurate Data Can Impact EPA's Credibility

Inaccurate data can negatively impact EPA's credibility. The information posted on EPA Web pages is accessed by the public and must be accurate to maintain the public trust and best represent the Administrator and the agency.

EPA Management Actions Taken During Our Audit

In June 2012, we identified this issue to GMPO management. GMPO took immediate action and removed the Web page in question. The GMPO Director initiated the development of a Web content review process within the office. In addition, GMPO management coordinated with and agreed that the Region 4 Office of External Affairs would provide GMPO with Web content review and oversight. These corrective actions address part of the causes of this issue.

Recommendations

We recommend that the Director, Gulf of Mexico Program Office:

11. Complete development of and implement a Web content review process within GMPO to validate the accuracy of data and review the quality of content to comply with the Web Governance and Management policy and the Web Content Types and Review Procedure.
12. Complete and implement the agreement with the Region 4 Office of External Affairs for Web content review and oversight.

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer, and the Associate Administrator for External Affairs and Environmental Education:

13. Establish a schedule for monitoring GMPO's enforcement of the Web Content Types and Review Procedure.

Agency Comments and OIG Evaluation

EPA concurred with recommendations 11 and 12. We reviewed EPA's proposed corrective actions and agree that they adequately address our recommendations. Regarding recommendation 13, EPA initially expressed nonconcurrence because of a misunderstanding of what it thought the OIG wanted the agency to do. We discussed this matter with personnel from OEI and OEAEE on April 29, 2013. Based on that discussion, we clarified with them that the agency's proposed alternative corrective action would satisfy the intent of our recommendation. EPA personnel provided a planned completion date of September 30, 2014, for the proposed corrective action for recommendation 13. Appendix B contains EPA's official response.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. 1 (page 7): Conduct a risk assessment of GMPO strategic control objectives and programmatic performance measures.
  Status: O. Action official: Director, Gulf of Mexico Program Office. Planned completion date: 12/31/2013.

Rec. 2: Evaluate the results of GMPO's risk assessment and work with GMPO management to make the necessary changes to its objectives and measures, so GMPO can accurately measure performance.
  Status: O. Action official: Assistant Administrator for Water. Planned completion date: 06/30/2014.

Rec. 3 (page 13): Require the Region 4 SIO to assign a technically knowledgeable person to be the security manager of the GMPO LAN.
  Action official: Regional Administrator, Region 4. Planned completion date: 04/05/2013.

Rec. 4 (page 13): Require the Region 4 SIO to provide necessary role-based security-related training to information system managers and staff before authorizing them access to the system or before performing assigned duties.
  Action official: Regional Administrator, Region 4. Planned completion date: 09/30/2013.

Rec. 5 (page 13): Require the Region 4 ISO and IMO to work with the LAN security manager to plan and implement IT security controls—including system security planning, periodic review of security controls, and authorization to operate the LAN—that comply with FISMA, OMB, and NIST requirements and guidance.
  Status: O. Action official: Regional Administrator, Region 4. Planned completion date: 09/30/2013.

Rec. 6 (page 13): Require the Region 4 ISO and IMO to work with the LAN security manager to establish a plan of action and milestones to correct the LAN deficiencies as required by NIST SP 800-53.
  Status: O. Action official: Regional Administrator, Region 4. Planned completion date: 09/30/2014.

Rec. 7 (page 13): Establish internal controls to prevent the LAN security manager duties and the LAN COTR duties from being assigned to the same individual.
  Status: C. Action official: Director, Gulf of Mexico Program Office. Planned completion date: 04/05/2013.

Rec. 8 (page 13): Require the COTR to enforce the contract and make sure the LAN contractor meets system security requirements in the contract.
  Status: C. Action official: Director, Gulf of Mexico Program Office. Planned completion date: 04/05/2013.

Rec. 9 (page 14): Provide OW with notice of the erroneous statements and claims made in prior years' FMFIA assurance letters regarding IT system security.
  Status: C. Action official: Director, Gulf of Mexico Program Office. Planned completion date: 05/13/2013.

Rec. 10 (page 14): Assess the LAN deficiencies identified in this report to determine whether they should be reported under FMFIA, and act accordingly.
  Status: O. Action official: Assistant Administrator for Environmental Information and Chief Information Officer. Planned completion date: 09/30/2013.

Rec. 11 (page 17): Complete development of and implement a Web content review process within the GMPO to validate the accuracy of data and review the quality of content to comply with the Web Governance and Management, and Web Content Types and Review Procedure.
  Status: C. Action official: Director, Gulf of Mexico Program Office. Planned completion date: 02/28/2013.

Rec. 12 (page 17): Complete and implement the agreement with the Region 4 Office of External Affairs for Web content review and oversight.
  Action official: Director, Gulf of Mexico Program Office. Planned completion date: 02/28/2013.

Rec. 13 (page 17): Establish a schedule for monitoring the GMPO in their enforcement of EPA's Web Content Types and Review Procedure.
  Action official: Assistant Administrator for Environmental Information and Chief Information Officer, and Associate Administrator for External Affairs and Environmental Education. Planned completion date: 09/30/2014.

POTENTIAL MONETARY BENEFITS (In $000s): Claimed Amount: none listed. Agreed To Amount: none listed.

Status key: O = recommendation is open with agreed-to corrective actions pending; C = recommendation is closed with all agreed-to actions completed; U = recommendation is unresolved with resolution efforts in progress.

Appendix A
Details on Scope and Methodology

We conducted our audit from May 2012 to March 2013 in accordance with generally accepted government auditing standards. The information we reviewed covered the period 2009 through 2012. Our scope was limited to assessing whether GMPO had established effective internal controls over its operations. As such, our tests and audit procedures were designed to provide us with enough evidence to make such determinations.

During our audit, we reviewed federal criteria, including:
• GPRA Modernization Act of 2010 (Public Law 111-352).
• Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. 3541).
• Federal Managers' Financial Integrity Act of 1982 (FMFIA, Public Law 97-255).
• OMB Circular A-130, Management of Federal Information Resources, November 28, 2000.
• GAO Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1), November 1999.
• GAO Internal Control Management and Evaluation Tool (GAO-01-1008G), August 2001.
• NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems.

We reviewed EPA plans and policies, including:
• EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control, July 18, 2008.
• EPA's 2011-2015 Strategic Plan.
• Agency Network Security Policy (ANSP), CIO 2150.0, approved November 27, 2007.
• Interim Agency Network Security Policy (ANSP), CIO 2150.1, approved August 22, 2011.
• Interim Agency Information Security Policy (AISP), CIO 2150.2, April 9, 2012.
• Interim Security Policy (ISP), CIO 2150.3, August 6, 2012.
• Web Governance and Management, CIO 2180.0, September 7, 2006.
• Web Content Types and Review Procedure, CIO 2180-P-06.0, March 16, 2011.

We also reviewed GMPO documentation, including:
• Selected contracts, grants, and cooperative agreements.
• FMFIA Letters of Assurance and supporting schedules for 2011 and 2012.
• 2011 Work Plan and Accomplishments.
• Memorandum of Understanding between GMPO, Region 4, Region 6, and OW (1999 amendment).
• Physical inventory reports as of May 2012.

During our audit, we interviewed:
• GMPO management and staff.
• The following OW officials: Director of the Office of Wetlands, Oceans and Watersheds; representatives from the Resource Management Staff, including the Associate Director; the ISO; and the IMO.
• The following Region 4 officials: Director and staff from the Water Protection Division; Deputy Assistant Regional Administrator and staff from the Office of Policy and Management (including the Comptroller and the Branch Chief for Grants Finance and Cost Recovery); ISO; LAN Administrator; and Director of External Affairs.
• The following OEI officials: the Senior Agency Information Security Officer, and staff from the Policy and Program Management Branch.
• Officials from the Gulf Coast Ecosystem Restoration Task Force, including the Executive Director and the Communications and Engagement Coordinator.

Appendix B
Agency Response

April 19, 2013

MEMORANDUM

SUBJECT: Response to Office of Inspector General Draft Report/Project No. OA-FY12-0480, "Improved Internal Controls Needed in the Gulf of Mexico Program Office," dated March 6, 2013

FROM: Nancy K. Stoner, Acting Assistant Administrator

TO: Arthur A. Elkins, Jr., Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject audit report. Following is a summary of the U.S. Environmental Protection Agency's overall position, along with its position on each of the report recommendations. For those report recommendations with which the agency agrees, we have provided high-level intended corrective actions and estimated completion dates. For those report recommendations with which the agency does not agree, we have explained our position and proposed alternatives to the recommendations. For your consideration, we have included a Technical Comments Attachment to supplement this response.

AGENCY'S OVERALL POSITION

The agency concurs with twelve of the thirteen recommendations detailed in the report. We do not concur with the remaining one recommendation, and have provided explanations, as required by EPA Manual 2750 - Audit Management Procedures.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

Agreements

1. Recommendation: The Director, Gulf of Mexico Program Office, conduct a risk assessment of GMPO strategic control objectives and programmatic performance measures.
   High-level intended corrective action(s): The Director of the Gulf of Mexico Program requests further information from the OIG on the official procedure for conducting a risk assessment on developing programmatic performance measures.
   Estimated completion by FY: Completion date unknown until guidance is provided.

2. Recommendation: The Assistant Administrator, Office of Water, evaluate the results of GMPO's risk assessment and work with GMPO management to make the necessary changes to its objectives and measures, so GMPO can accurately measure performance.
   High-level intended corrective action(s): The Assistant Administrator, Office of Water, requests further information from the OIG on the official procedure for conducting a risk assessment on developing programmatic performance measures.
   Estimated completion by FY: Completion date unknown until guidance is provided.

3. Recommendation: The Regional Administrator, require the Region 4 SIO to assign a technically knowledgeable person to be the security manager of the GMPO LAN.
   High-level intended corrective action(s): Region 4 has taken GMPO servers from their network and placed them within the Region 4 office in Atlanta. The LAN Administrators and Information Security Officer (ISO) will manage the GMPO LAN.
   Estimated completion by FY: Completed.

4. Recommendation: The Regional Administrator, require the Region 4 SIO to provide necessary role-based security-related training to information system managers and staff before authorizing them access to the system or before performing assigned duties.
   High-level intended corrective action(s): All Regional/Agency employees are required to take annual security training. GMPO staff will also be required to take this training as an Agency annual requirement.
   Estimated completion by FY: To be completed by end of FY13.

5. Recommendation: The Regional Administrator, require the Region 4 ISO and IMO to work with the LAN security manager to plan and implement IT security controls, including system security planning, periodic review of security controls, and authorization to operate for the LAN, that comply with FISMA, OMB, and NIST requirements and guidance.
   High-level intended corrective action(s): The GMPO will be included in the Region 4 Security Plan and Certification & Accreditation process, which will ensure compliance with FISMA, OMB, and NIST requirements.
   Estimated completion by FY: To be completed by end of FY13.

6. Recommendation: The Regional Administrator, require the Region 4 ISO and IMO to work with the LAN security manager to establish a plan of action and milestones to correct the LAN deficiencies as required by NIST SP 800-53.
   High-level intended corrective action(s): Plan of Action & Milestones (POAMs) will be generated from the annual Certification & Accreditation reviews, and these findings will be addressed by the Region 4 ISO, IMO, and LAN Administrators.
   Estimated completion by FY: To be completed by end of FY14.

7. Recommendation: The Gulf of Mexico Program, Director, establish internal controls to prevent the LAN security manager duties and the LAN COTR duties from being assigned to the same individual.
   High-level intended corrective action(s): The Gulf of Mexico Program Office has completed the transition from our local LAN server to the Region 4 server. Our LAN Security Manager is located in Region 4 and our LAN COTR is also in Region 4, and they are two separate individuals.
   Estimated completion by FY: Completed April 2013.

8. Recommendation: The Gulf of Mexico Program, Director, require the COTR to enforce the contract and make sure the LAN contractor meets system security requirements in the contract.
   High-level intended corrective action(s): The Gulf of Mexico Program Office LAN IT support is now under a new contract with Region 4. Region 4 is responsible for making sure the system security requirements are met under the new contract. The LAN contractor in Region 4 meets the system security requirements.
   Estimated completion by FY: Completed April 2013.

9. Recommendation: The Gulf of Mexico Program Office, Director, provide OW with notice of the erroneous statements and claims made in prior years' FMFIA assurance letters regarding IT system security.
   High-level intended corrective action(s): The Gulf of Mexico Program Office Director and/or Chief of Staff will discuss past submittals of our FMFIA assurance letters regarding IT system security with OW staff.
   Estimated completion by FY: To be completed by end of April.

10. Recommendation: The Assistant Administrator for Environmental Information and Chief Information Officer, assess the LAN deficiencies identified in this report to determine whether they should be reported under FMFIA, and act accordingly.
    High-level intended corrective action(s): OEI concurs with the recommendation.
    Estimated completion by FY: QTR4 FY13.

11. Recommendation: Gulf of Mexico Program Office, Director, complete development of and implement a Web content review process within the GMPO to validate the accuracy of data and review the quality of content to comply with the Web Governance and Management, and Web Content Types and Review Procedure.
    High-level intended corrective action(s): The Gulf of Mexico Program Office has developed a Web Content Review Standard Operating Procedures document which they follow internally to validate the accuracy of the data and comply with all EPA Web procedures. GMPO is now under the administrative structure of Region 4 Office of Information and External Affairs for our Web content and review, and they are following EPA's official Web review and revision processes.
    Estimated completion by FY: Completed February 2013.

12. Recommendation: Complete and implement the agreement with Region 4 Office of External Affairs for Web content review and oversight.
    High-level intended corrective action(s): The Gulf of Mexico Program Office has an official agreement with Region 4 Office of External Affairs and is under their review and oversight.
    Estimated completion by FY: Completed February 2013.

Disagreements

13. Recommendation: The Assistant Administrator for Environmental Information and Chief Information Officer, and the Associate Administrator for External Affairs and Environmental Education, establish a schedule for monitoring the GMPO in their enforcement of EPA's Web Content Types and Review Procedure.
    Agency explanation/response: The Office of Environmental Information and the Office of External Affairs and Environmental Education concur with the goal of recommendation 13, and are taking steps to solve the issue. We are building a new Web publishing system that will allow for automatic and timely enforcement of the Web Content Types and Review Procedure. Content owners will receive multiple notices directing them to review their content. If they still fail to review their content on time, the content will automatically be removed from EPA's website. All EPA pages, including those owned by GMPO, will be in this system by the end of FY 2014.
    Per the EPA Web Governance and Management Policy (http://www.epa.gov/irmpoli8/policies/21800.pdf), OEAEE (previously named OPA) and OEI oversee governance of epa.gov. We establish policy, procedures, and standards, working with each office and region through the Web Council. The Web Content Types and Review Procedure is one of many such governing documents. Web Council members, in turn, work with their colleagues to ensure compliance with requirements.
    Until the new Web publishing system is fully operational at the end of FY 2014, OEI and OEAEE will remind the Web Executive Board, Web Council, and the EPA Web community of the importance of following EPA Web policies, procedures, and standards. We will specifically highlight the importance of the Web Content Types and Review Procedure.
    However, it is important to note that OEI and OEAEE do not concur with the idea of a special monitoring schedule for GMPO. Our offices lack the resources to create schedules for monitoring specific programs' compliance with requirements. Ultimate accountability for content rests with each office and region.
    Proposed alternative: See agency response.

CONTACT INFORMATION

If you have any questions regarding this response, please contact Michael Mason at 202-564-0572 or at mason.michael@epa.gov.
Attachment

cc: Malcolm Jackson
    Ben Scaggs
    Gwendolyn Keyes Fleming
    James O'Hara
    Mike Shapiro
    Diane Altsman
    Dorothy Rayfield
    Larry Lincoln
    Michael Mason
    Marilyn Ramos
    Scott Dockum
    Patrick Gilbride
    Melissa Heist
    Randy Holthaus
    Lisa Bergman
    Raul Adrian

Appendix C
Distribution

Office of the Administrator
Assistant Administrator for Water
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Gulf of Mexico Program Office
Regional Administrator, Region 4
Associate Administrator for External Affairs and Environmental Education
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Principal Deputy Assistant Administrator for Water
Principal Deputy Assistant Administrator for Environmental Information
Deputy Administrator, Region 4
Associate Administrator for Congressional and Intergovernmental Relations
Audit Follow-Up Coordinator, Office of Water
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Region 4