U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Improved Internal Controls
Needed in the
Gulf of Mexico Program Office
Report No. 13-P-0271
May 30, 2013

Report Contributors: Patrick Gilbride, Randy Holthaus, Raul Adrian, Lisa Bergman
Abbreviations
ANSP    Agency Network Security Policy
CIO     Chief Information Officer
COTR    Contracting Officer's Technical Representative
EPA     U.S. Environmental Protection Agency
FISMA   Federal Information Security Management Act
FMFIA   Federal Managers' Financial Integrity Act
FTE     Full Time Equivalent
FY      Fiscal Year
GAO     U.S. Government Accountability Office
GMPO    Gulf of Mexico Program Office
GPRA    Government Performance and Results Act
IMO     Information Management Officer
ISO     Information Security Officer
ISP     Information Security Policy
IT      Information Technology
LAN     Local Area Network
NCCR    National Coastal Condition Report
NIST    National Institute of Standards and Technology
OEAEE   Office of External Affairs and Environmental Education
OEI     Office of Environmental Information
OIG     Office of Inspector General
OMB     Office of Management and Budget
OW      Office of Water
SIO     Senior Information Officer
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
email:  OIG_Hotline@epa.gov
phone:  1-888-546-8740
fax:    202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write:  EPA Inspector General Hotline, 1200 Pennsylvania Avenue, NW, Mailcode 2431T,
        Washington, DC 20460

U.S. Environmental Protection Agency
Office of Inspector General
13-P-0271
May 30, 2013
At a Glance
Improved Internal Controls Needed in the Gulf of Mexico Program Office

Why We Did This Review
The Gulf of Mexico is one of the U.S. Environmental Protection Agency's (EPA's)
Large Aquatic Ecosystem programs. Due to its size and rich biodiversity, the Gulf
is critically important for the nation's environmental and economic well-being.
Recent environmental disasters, such as Hurricane Katrina and the BP Deepwater
Horizon oil spill, have focused national attention on the Gulf region.
Consequently, our objective was to determine whether the Gulf of Mexico Program
Office (GMPO) had established effective internal controls over program
operations.

This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Protecting America's waters.

For further information, contact our Office of Congressional and Public Affairs
at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2013/20130530-13-P-0271.pdf
What We Found
Two of GMPO's performance measures are unrealistic in that they do not reflect
what the office was set up to achieve. The two unrealistic measures involve the
size of the hypoxic zone and the National Coastal Condition Report Index.
Further, one strategic objective (environmental education) is not being measured.
This occurred because GMPO had not performed an assessment of its strategic
objectives and performance measures, as required by governmentwide internal
control standards. As a result, some of the functions that GMPO performs are not
being properly measured and, thus, GMPO's resources might not be used in the
most efficient or effective way.
GMPO management did not ensure that its Local Area Network (LAN) was
secure, did not have primary information security controls in place, and did not
ensure the contractor met the security requirements in the LAN contract. This
occurred because the GMPO's former Acting Director was not trained on and
therefore not technically knowledgeable of federal and agency IT security
requirements. As a result, GMPO's LAN is vulnerable to individuals and groups
with malicious intentions, and EPA has not received the full benefit of the
$749,755 paid over 4 years for LAN security services.
The GMPO Web page displayed inaccurate data for over 18 months. GMPO did
not perform a review of the content before posting, use a Content Manager to
review the content, or follow EPA's Web governance policies or content review
procedures. This occurred because GMPO personnel were not aware of the EPA
Web governance policies or content review procedures. Because information
posted on EPA's Web pages is accessed by the public, inaccurate data can
negatively impact EPA's credibility.
Recommendations and Planned Agency Corrective Actions
We recommend that GMPO conduct a risk assessment of its strategic objectives
and measures, and work with the Office of Water to adjust those measures as
needed to accurately reflect GMPO's mission. We recommend that GMPO and
Region 4 officials correct the LAN security controls deficiencies. We also
recommend that GMPO complete actions to establish an office Web content
review process. Further, we recommend that the Office of Environmental
Information address LAN deficiencies and, along with the Office of External
Affairs and Environmental Education, monitor GMPO Web actions. EPA agreed
with 12 of our 13 recommendations and proposed a satisfactory alternative
corrective action for the remaining recommendation.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
May 30, 2013
MEMORANDUM
SUBJECT: Improved Internal Controls Needed in the Gulf of Mexico Program Office
Report No. 13-P-0271
FROM: Arthur A. Elkins Jr.
TO: See Below
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems
the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of
the OIG and does not necessarily represent the final EPA position. Final determination on matters in this
report will be made by EPA managers in accordance with established audit resolution procedures.
Action Required
The agency concurred with recommendations 1 through 12, and proposed a satisfactory alternative
corrective action for recommendation 13. Therefore, we accept EPA's response and planned
corrective actions for all 13 recommendations and no further response is needed. We have no objections
to the further release of this report to the public. We will post this report to our website at
http://www.epa.gov/oig.
If you or your staff have any questions regarding this report, please contact Richard Eyermann,
Acting Assistant Inspector General for Audit, at (202) 566-0565 or Eyermann.Richard@epa.gov;
or Patrick Gilbride, Product Line Director, at (303) 312-6969 or Gilbride.Patrick@epa.gov.
Addressees:
Nancy Stoner, Acting Assistant Administrator, Office of Water
Malcolm D. Jackson, Assistant Administrator and Chief Information Officer,
Office of Environmental Information
Ben Scaggs, Director, Gulf of Mexico Program Office
A. Stanley Meiburg, Acting Regional Administrator, Region 4
Tom Reynolds, Associate Administrator, Office of External Affairs and
Environmental Education

Improved Internal Controls Needed in the
Gulf of Mexico Program Office
13-P-0271
Table of Contents
Chapters
1	Introduction		1
Purpose		1
Background		1
Scope and Methodology		3
Prior Audit Reports		3
2	GMPO's Performance Measures Need Improvement		4
Federal Laws, Standards, and Policies Require Risk Assessment		4
Two GMPO Performance Measures Are Unrealistic		5
One Key GMPO Activity Not Measured		5
GMPO Did Not Perform a Programmatic Risk Assessment		6
GMPO's Performance Not Properly Assessed and Resources
May Not Be Used in the Most Efficient Manner		6
Conclusions		7
Recommendations		7
Agency Comments and OIG Evaluation		7
3	GMPO's Local Area Network Not Secured		8
Requirements for Information Security Controls		8
GMPO Management Did Not Secure Its LAN and Received
No Oversight From OW IT Managers		11
GMPO Manager Was Not Trained on IT Security and OW IT
Managers Were Not Aware of LAN		12
GMPO LAN Is Vulnerable and EPA Paid for Security Not Received	12
EPA Management Actions Taken During Our Audit		12
Conclusions		13
Recommendations		13
Agency Comments and OIG Evaluation		14
4	GMPO Needs a Process to Review Data Prior to
Posting on the EPA Public Access Website		15
Requirements for Web Management and Content Review		15
GMPO Posted Inaccurate Data on the EPA Public Access Website		16
GMPO Personnel Were Not Aware of Web Content Review Requirements
and EPA Management Did Not Monitor for Compliance		16
Inaccurate Data Can Impact EPA's Credibility		16
EPA Management Actions Taken During Our Audit		17
Recommendations		17
Agency Comments and OIG Evaluation		17
Status of Recommendations and Potential Monetary Benefits		18
Appendices
A Details on Scope and Methodology		20
B Agency Response 		22
C Distribution 		27

Chapter 1
Introduction
Purpose
The purpose of this audit was to determine whether the U.S. Environmental
Protection Agency's (EPA's) Gulf of Mexico Program Office (GMPO) had
established effective internal controls over program operations. According to the
U.S. Government Accountability Office (GAO), there are five standards of internal
control:
Table 1: GAO Five Standards of Internal Control
1. Control Environment: Management and employees should establish and maintain
   an environment throughout the organization that sets a positive and
   supporting attitude toward internal control and conscientious management.
2. Risk Assessment: Internal control should provide for an assessment of the
   risks the agency faces from both external and internal sources.
3. Control Activities: Internal control activities help ensure that management's
   directives are carried out. Control activities should be effective and
   efficient in accomplishing the agency's control objectives.
4. Information and Communications: Information should be recorded and
   communicated to management and others within the entity who need it, and in
   a form and within a time frame that enables them to carry out their internal
   control and other responsibilities.
5. Monitoring: Internal control monitoring should assess the quality of
   performance over time and ensure that audit and other review findings are
   promptly resolved.
Source: Office of Inspector General (OIG) summary of GAO's Standards for Internal Control in the
Federal Government, GAO/AIMD-00-21.3.1, November 1999.
Background
The Gulf of Mexico is a critical body of water from an economic, recreational, and
ecological standpoint. With about 60 percent of the continental United States
waterways draining into the Gulf, it provides a vast array of economic benefits to the
nation, including oil and gas production, fisheries, and leisure income. Recent high
profile disasters that occurred in the Gulf have focused public and political
attention on the region.
EPA's GMPO was created in 1988 to protect, maintain, and restore the health and
productivity of the Gulf of Mexico while maintaining the economic well-being of the
Gulf region. GMPO's mission is non-regulatory in nature, relying on a collaborative
approach to work with other government and community organizations in the region.
13-P-0271
1

EPA established GMPO as a semi-autonomous program. As such, it draws input
from state and federal partners in the Gulf region. Its strategic and budgetary
direction comes from the Office of Water (OW), while it receives administrative
support and oversight from EPA Region 4. GMPO's offices are located at Stennis
Space Center, Mississippi.
GMPO's strategic partners in the Gulf include the Gulf of Mexico Alliance,
which represents the five adjacent state governments (Florida, Alabama,
Mississippi, Texas and Louisiana); the Gulf of Mexico Business Coalition; the
Gulf Coast Ecosystem Restoration Task Force;1 and various other federal
agencies, such as the National Oceanic and Atmospheric Administration,
U.S. Fish and Wildlife Service, and U.S. Geological Survey.
From fiscal years (FYs) 2009 to 2012, GMPO provided $11.8 million for various
environmental and community projects through cooperative agreements,
interagency agreements, and contracts (table 2). During that period, GMPO's
budget and full time equivalent (FTE) resources remained relatively constant.
Table 2: GMPO Yearly Budget Figures, 2009-2012
FY       Budget ($ millions)   Project funding ($ millions)   FTEs
2009     $4.6                  $2.5                           14.0
2010     6.0                   3.9                            14.0
2011     4.5                   2.8                            13.0
2012     5.5                   2.6                            12.9
Totals   $20.6                 $11.8
Source: OW budget reports as of July 18, 2012.
GMPO is supported by a local area network (LAN) for information technology
(IT) applications. The LAN consists of a network switch, file server,
approximately 20 workstations, and connections to the EPA-wide area network.
A contractor manages the GMPO LAN under an EPA IT service contract. The
GMPO's Deputy Director served as the security manager and contracting officer's
technical representative for the LAN.
GMPO maintains Web pages on EPA's public access website2 where it posts
information about its mission, activities, and accomplishments. GMPO staff
manage Web page content with oversight provided by the GMPO Director and
Deputy Director.
1	Per the RESTORE Act, the Gulf Coast Ecosystem Restoration Task Force has now transitioned to the Gulf Coast
Ecosystem Restoration Council.
2	The EPA public access website address is http://www.epa.gov/gmpo/index.html.
Scope and Methodology
We conducted our audit from May 2012 to March 2013 in accordance with
generally accepted government auditing standards. Those standards require that
we obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our evaluation objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our objectives.
We based our review on GAO's Standards for Internal Control in the Federal
Government issued in 1999, GAO's Internal Control Management and
Evaluation Tool issued in 2001, and other federal criteria and EPA policies
pertaining to internal controls. We also reviewed federal criteria and EPA policies
and procedures for information security, such as the Federal Information Security
Management Act (FISMA), Office of Management and Budget (OMB) Circular
A-130, the National Institute of Standards and Technology (NIST) Special
Publication 800-53, and the EPA Agency Network Security Policy (ANSP).
We conducted a site visit at GMPO's headquarters at the Stennis Space Center,
Mississippi; interviewed staff and management; and reviewed controls in place.
We also conducted interviews with officials from Regions 4 and 6, OW, and other
GMPO stakeholders. Appendix A provides further details on our scope and
methodology.
Prior Audit Reports
GAO issued a report in July 2012, Information Security: Environmental
Protection Agency Needs to Resolve Weaknesses, GAO-12-696. The report stated
that security control weaknesses pervaded EPA's systems and networks, thereby
jeopardizing the agency's ability to sufficiently protect the confidentiality,
integrity, and availability of its information and systems. The report also found
that EPA did not always update system security plans to reflect current agency
security control requirements; did not assess management, operational, and
technical controls for agency systems based on risk at least annually; and did not
implement a corrective action process to track and manage all weaknesses when
remedial actions were necessary.
Chapter 2
GMPO's Performance Measures Need Improvement
Two of GMPO's performance measures do not reflect what GMPO was designed
to achieve and can legitimately influence. Further, one key GMPO activity is not
being measured. Applicable federal criteria, such as GAO's Internal Control
Management and Evaluation Tool issued in 2001 and the Government
Performance and Results Act (GPRA) Modernization Act issued in 2010, stress
the importance of continually assessing the relevance and validity of performance
measures through risk assessment. GMPO officials acknowledged that they have
not performed a risk assessment of GMPO's strategic objectives and
corresponding performance measures. As a result, the functions that GMPO
performs are not being properly measured and GMPO's resources may not be
used in the most efficient or effective way.
Federal Laws, Standards, and Policies Require Risk Assessment
The GPRA Modernization Act of 2010 (Public Law 111-352) states that an
agency's strategic plans shall contain an identification of key factors external to
the agency that could significantly affect the achievement of the general goals and
objectives. The law also states that the head of each agency shall make available
on its public website and to OMB an update on agency performance which shall
explain where a performance goal has not been met, if the performance goal is
impractical or infeasible, why that is the case, and what action is recommended.
GAO's Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1), November 1999, states that risk assessment is the
identification and analysis of relevant risks associated with achieving the
strategic objectives, and forming a basis for determining how risks should be
managed.
The GAO Internal Control Management and Evaluation Tool (GAO-01-1008G),
August 2001, states that assumptions made in strategic plans and budgets should
be consistent with the agency's historical experience and current circumstances.
It further states that activity-level (i.e., program- or mission-level) objectives flow
from, and are linked with, the agency's entitywide objectives and strategic plans,
and are reviewed periodically to assure that they have continued relevance.
EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control,
July 18, 2008, states, in accordance with GAO's Standards for Internal Control in
the Federal Government, that risk assessment is the identification and analysis of
relevant risk associated with achieving the agency's mission. It further states that
program managers should identify internal and external risks that may prevent the
organization from efficiently and effectively meeting its objectives.
Two GMPO Performance Measures Are Unrealistic
During our review we found that two of GMPO's core performance measures
required GMPO to achieve targets over which it had no direct control. The
first of these measures is the hypoxia measure (SP-40),3 which calls for
reductions in nutrient releases into the Mississippi River. As mentioned in
Chapter 1, GMPO was created with a non-regulatory mission and has no authority
to regulate or enforce the amount of nutrients released upstream into the
Mississippi River. As a result, GMPO cannot directly influence this issue.
The second measure is the National Coastal Condition Report (NCCR) 3-year
index measure (GM-435). EPA publishes the NCCR in collaboration with other
federal agencies (National Oceanic and Atmospheric Administration, U.S. Fish
and Wildlife Service, and U.S. Geological Survey). The report covers all the
coastal regions of the country; however, measure GM-435 only refers to the
results pertaining to the Gulf of Mexico region. The overall index for the Gulf is a
compilation of five individual indices measuring a broad range of environmental
conditions: water quality, sediment quality, benthic zone conditions, condition of
coastal habitats, and fish tissue contaminants. This index is expressed in terms of
a 5-point scale which rates the condition of the Gulf as good, fair, or poor. We
spoke to subject matter experts within OW and GMPO and, based on their
opinions, it is not fair to expect that a small program like GMPO, with a non-
regulatory mission and a $5.5 million budget and 13 FTEs, could legitimately
affect this comprehensive rating. OW reported in 2011 that GMPO failed to meet
its targets under this measure four separate times during the period 2007 to 2011.4
One Key GMPO Activity Not Measured
An important aspect of GMPO's work—namely, environmental education for
underserved and underrepresented communities—is not captured by any of
GMPO's current performance measures. Based on our interviews with GMPO
management and staff, we estimated that about 1.8 of its 12.9 FTEs were devoted
to environmental justice-related tasks in FY 2012, yet GMPO did not measure this
activity. Environmental education was one of the strategic objectives for
FY 2012, but progress achieved in this area is currently not being gauged by any
of the performance indicators set for GMPO by OW (as shown in table 3).
3	EPA assigns codes to all programmatic performance measures. These codes are used for tracking each program's
annual commitments in an internal performance tracking database system. For the measures discussed in this
chapter, the acronyms "GM" and "SP" stand for "Gulf of Mexico" and "Strategic Plan," respectively.
4	National Water Program Best Practices and End of Year Performance Report, FY 2011.
Table 3: GMPO FY 2012 Strategic Objectives/Performance Measures
Objectives (per OW National Program Manager's Guidance & FY 2012 President's
Budget) and their corresponding performance measures:

Healthy/resilient coastal habitats
• Restore/enhance/protect cumulative number of acres of coastal marine habitats.
• National Coastal Condition Report 3-year index.

Sustainable coastal barriers
• Restore/enhance/protect cumulative number of acres of coastal marine habitats.

Wise management of sediments/nutrient levels
• Reduce releases of nutrients throughout the Mississippi River to reduce size
  of the hypoxia zone (5-year average).
• National Coastal Condition Report 3-year index.
• Bi-national early detection system for harmful algal blooms.

Improved science monitoring/management efforts for water quality/seafood safety
• Restore water and habitat quality standards in impaired segments in 13
  priority areas.
• National Coastal Condition Report 3-year index.

Environmental education for underserved/underrepresented communities
• None

Source: OIG analysis of information obtained from OW's website and GMPO's Chief Scientist.
GMPO Did Not Perform a Programmatic Risk Assessment
GMPO did not conduct a risk assessment of its programmatic performance
measures. GMPO officials stated that they did not perform a risk assessment of
their programmatic performance measures because, due to its unique nature as a
semi-independent program, its strategic objectives were set in consultation with
external stakeholders. GMPO officials stated, however, that they had recently
begun the process of formally assessing GMPO's goals and objectives in a
manner consistent with its non-regulatory mission, in the context of OW's
strategic plan. As a result of this process, GMPO officials developed a new set of
performance measures that they believe will more accurately convey the work
GMPO performs. GMPO submitted its proposed measures to OW for
consideration on January 11, 2013.
GMPO's Performance Not Properly Assessed and Resources
May Not Be Used in the Most Efficient Manner
By not having performance measures in place that reflect what GMPO was
designed to achieve, or that capture all of the program's key activities,
GMPO's performance is not being assessed in a comprehensive manner.
Consequently, OW cannot report an accurate assessment of the program results to
OMB. Further, some of GMPO's limited resources are being spent on activities
associated with the two unrealistic performance measures and, as a result, those
resources may not be spent in the most efficient manner.
Conclusions
By not conducting a risk assessment of its programmatic performance measures,
GMPO was unable to determine that there was a high risk of not achieving the
results required by two of the measures, as described in this chapter. Further,
environmental education was a strategic goal for GMPO in FY 2012 yet no
performance measure was assigned for this activity. As a result, GMPO is being
held accountable for measures it cannot realistically achieve, and is also not being
held accountable for one key mission-related activity it performs.
Recommendations
We recommend that the Director, Gulf of Mexico Program Office:
1.	Conduct a risk assessment of GMPO strategic control objectives and
programmatic performance measures.
We recommend that the Assistant Administrator for Water:
2.	Evaluate the results of GMPO's risk assessment and work with GMPO
management to make the necessary changes to its objectives and
measures, so GMPO can accurately measure performance.
Agency Comments and OIG Evaluation
OW and GMPO concurred with recommendations 1 and 2, but requested guidance
to better understand how to conduct a risk assessment. In subsequent discussions,
we provided additional information on the subject from the Office of the Chief
Financial Officer's website and also encouraged OW and GMPO to speak with the
Office of the Chief Financial Officer for more guidance. Based on those
discussions, OW agreed to complete corrective actions for recommendation 1 by
December 31, 2013, and for recommendation 2 by June 30, 2014.
EPA also requested in its response to our draft report that we delete remarks by one
of the members of OW's Accountability Staff. We made that deletion from this
report as it does not affect the message conveyed.
Appendix B contains EPA's official response.
Chapter 3
GMPO's Local Area Network Not Secured
GMPO management did not secure the GMPO LAN and did not ensure the
contractor met the security requirements in the LAN contract. OW IT managers did
not provide oversight for the GMPO LAN. Federal laws, directives, and standards
for information security and EPA policies require EPA to provide information
security protection. GMPO's former Acting Director, serving as the GMPO
security manager and LAN contracting officer's technical representative (COTR),
was not trained on, and therefore not technically knowledgeable of, federal and
agency IT security requirements. Further, one OW IT manager was not aware that
the GMPO LAN existed and another OW IT manager believed that GMPO
received IT support from Region 4. Without adequate security controls, the GMPO
LAN is vulnerable to individuals and groups with malicious intentions who may
launch attacks against the LAN or use it to launch attacks against other computer
systems and networks, such as the EPA-wide area network. In addition, EPA has
not received the full benefit of the $749,755 paid over 4 years for the LAN services
because the contractor did not fulfill the mandated security requirements contained
in the contract.
Requirements for Information Security Controls
Federal guidance provides a comprehensive framework for ensuring the
effectiveness of information security controls over information resources that
support federal operations and assets. EPA information security policies establish
and define the principles to meet the security controls requirements in FISMA,
OMB circulars, and other federal and agency standards. EPA contracts for the
GMPO LAN services include references to the federal and agency information
security requirements that the contractor must meet to properly protect IT
resources.
Federal Information Security Laws, Directives, and Standards
FISMA requires each federal agency to develop, document, and implement an
agencywide information security program. The program should provide security
for the information and information systems that support the operations and assets
of the agency, including those that other agencies, contractors, or other sources
provide or manage. According to FISMA, each agency is responsible for
providing information security protections, commensurate with risk, for
information collected or maintained by, or on behalf of, the agency, and
information systems used or operated by the agency or on its behalf. FISMA
requires that a chief information officer or a comparable official of the agency be
responsible for developing and maintaining an agencywide information security
program. FISMA also requires agencies to maintain and update annually an
inventory of major information systems, including those provided or managed by
another agency, contractor, or other source. FISMA requires that agencies comply
with security control standards issued by NIST.
OMB Circular No. A-130, Appendix III, Security of Federal Automated
Information Resources, issued November 28, 2000, sets forth four security
controls: (1) assignment of responsibility for security, (2) security planning,
(3) periodic review of security controls, and (4) management authorization
(currently called security authorization). This Circular also states that if one of
these basic controls is missing, an agency should consider identifying a deficiency
in accordance with OMB and the Federal Managers' Financial Integrity Act
(FMFIA) reporting requirements.
NIST Special Publication 800-53, Revision 3,5 provides detailed information on
the security control standards, their function, and purpose. Security controls are
safeguards or countermeasures employed within an organizational information
system to protect the confidentiality, integrity, and availability of the system and
its information. There are three general classes of security controls: management,
operational, and technical. Security training is an operational security control that
requires the organization to provide role-based security-related training to
information system managers before authorizing access to the system or
performing assigned duties.
EPA Information Security Policies
EPA's Office of Environmental Information (OEI) manages and issues
information technology/information management-related policies. During our
audit, we reviewed EPA's operations for the period 2009 through 2012. During
this period, four IT security policies applicable to EPA networks were in effect for
various amounts of time. The first was the ANSP, Chief Information Officer
(CIO) 2150.0, November 2007, which was in effect until it was superseded in
August 2011 by the Interim ANSP, CIO 2150.1. This policy was then superseded
by the Interim Agency Information Security Policy (ISP), CIO 2150.2 of April
2012. The Interim ISP was then replaced in August 2012 by the policy that is
currently in effect, the ISP, CIO 2150.3. The ANSP of 2007 was in effect for the
greatest amount of time during our review period.
The ANSP of 2007 was the security policy for the EPA network and associated
IT resources. This policy established and defined the principles needed to meet
the security controls requirements in FISMA, OMB circulars, and other federal
and agency standards. Listed below are some of the IT managers' responsibilities
for information security.
5 NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems
and Organizations, was issued in August 2009 and updated May 1, 2010.
Senior Information Officers (SIOs) are responsible for the following for their
respective offices:
•	Ensuring effective processes and procedures are established and
implemented for compliance with agency information and IT policies,
procedures, operations, and standards.
•	Ensuring IT personnel manage operating systems effectively, including
use of an internal monitoring program to evaluate policy effectiveness that
is consistent with federal and agency security standards and requirements.
•	Ensuring that personnel are sufficiently trained to comply with federal and
agency security standards and requirements.
The Information Management Officer (IMO) is responsible for:
•	Implementing and administering network security policy within their
organization.
•	Conducting comprehensive assessments of management, operational, and
technical security controls in an information system.
•	Determining and certifying the extent to which the controls are
implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the system.
•	Making accreditation recommendations to the SIO serving as the
Authorizing Official.
Information Security Officer (ISO) responsibilities include:
•	Ensuring that periodic testing of security controls is conducted and those
controls are operating effectively.
•	Assisting general support system and major application managers in
planning for and establishing adequate security for the general support
system or major application as appropriate.6
•	Providing ongoing user security awareness and training.
The ANSP also required the agency to monitor contractor compliance with the
information security responsibilities specified in agency contracts.
6 OMB Circular No. A-130, Appendix III. defines "general support system" as an interconnected set of information
resources under the same direct management control which shares common functionality. A system normally
includes hardware, software, information, data, applications, communications, and people. A system can be, for
example, a LAN including smart terminals that supports a branch office, an agencywide backbone, or a
communications network.
EPA Contracts for LAN Services
GMPO obtained LAN services through two IT support contracts for the period
covering 2004 through 2016.7 The first contract ended in October 2011. The
period of performance for the second contract began in October 2011 and
contained option years through 2016. The statement of work or performance work
statement for each of the contracts contained the requirement to implement EPA's
security policies. The second contract also stated that the contractor shall comply
with FISMA. The total amount GMPO paid for the LAN services contracts from
2009 through 2012 was $749,755. GMPO paid $540,382 for the first contract
from 2009-2011 and $209,373 for the second contract from 2011-2012.
GMPO Management Did Not Secure Its LAN and Received
No Oversight From OW IT Managers
GMPO management did not provide security controls, and OW IT managers did
not provide oversight for the GMPO LAN. Specifically, GMPO and OW IT
managers did not establish security controls for assigning responsibility for
security, security planning, or periodic review of security controls for 2009 through
2012. The OW and GMPO IT managers also did not obtain authorization to operate
the GMPO LAN and did not include it in the EPA system inventory.
In addition, the former Acting Director certified several statements in the GMPO
2011 FMFIA assurance letter and supporting documents that were not factual.
These statements were:
1.	GMPO's Information Security Plan and LAN Contingency Plan were
developed in accordance with FISMA and EPA requirements.
2.	Periodic security reviews and updates are conducted to ensure that the
GMPO Information Security Plan is effectively implemented.
3.	GMPO's Security Plan has been certified by a third party vendor to test
security controls.
4.	OW had conducted semiannual IT security reviews that resulted in no
issues being identified.
GMPO's LAN security planning did not comply with FISMA and EPA requirements.
GMPO provided no evidence that periodic security reviews or third-party vendor
security certification had been performed, and the OW ISO verified that OW had
conducted no IT security reviews of the GMPO LAN. Further, although the 2011
FMFIA assurance letter cited the former Acting Director as the GMPO security
manager, the OW SIO never assigned that person the position or its associated
responsibilities.
7 The first contract was 68-W-04-005, awarded January 8, 2004; the second contract was HHSN263999900033I,
awarded August 25, 2011.
GMPO Manager Was Not Trained on IT Security and OW IT Managers
Were Not Aware of LAN
GMPO's former Acting Director, serving as the GMPO security manager, was not
trained on and therefore not technically knowledgeable of federal and agency IT
security requirements. The GMPO Chief of Staff did not have any knowledge that
the former Acting Director had taken any specialized security training, and was
unable to provide any support showing that the Acting Director took such courses.
The former Acting Director also served as the COTR for the LAN services contract
and did not ensure that the contractor met the contract requirements to comply
with FISMA and EPA's security policies. Because the same person served as both
the COTR and the GMPO security manager, there was no separation of duties: the
official responsible for enforcing the contract's security requirements was also
the official responsible for overseeing the security of the system. In addition,
one OW IT manager was not aware that the GMPO LAN existed, and another OW IT
manager believed that GMPO received IT support from Region 4.
GMPO LAN Is Vulnerable and EPA Paid for Security Not Received
Without adequate security controls, the GMPO LAN is vulnerable to individuals
and groups with malicious intentions who may obtain sensitive information,
commit fraud, disrupt operations, or launch attacks against other computer
systems and networks such as the EPA-wide area network. According to the
GAO, "Federal agencies have experienced a significant rise in security incidents
in recent years, with data from the U.S. Computer Emergency Readiness Team
showing an increase in security incidents and events from 29,999 in 2009 to
42,887 in 2011."8 In addition, EPA has not received the full benefit of the
$749,755 paid over 4 years for LAN services because the contractor did not fulfill
the FISMA and EPA security requirements contained in the contract.
Statements in the FMFIA assurance letter about LAN security were misleading.
As a result, OW managers did not have reliable information to detect and correct
LAN security problems. Additionally, the GMPO LAN deficiencies should be
assessed by agency management to determine whether they are reportable under
FMFIA.
EPA Management Actions Taken During Our Audit
During the course of our review, we informed GMPO and OW IT management of
the information security deficiencies identified for the LAN. GMPO and OW IT
management took two corrective actions. In December 2012, the GMPO
Acting Chief of Staff informed us that the GMPO Director and the Regional
Administrator for Region 4 had agreed that Region 4 would assume IT support for
the GMPO LAN and associated computer equipment. Region 4 assumed
8 GAO Report, Information Security: Environmental Protection Agency Needs to Resolve Weaknesses, GAO-12-696,
July 19, 2012.
IT support for the GMPO LAN in April 2013. The OW ISO coordinated with
GMPO management in October 2012 and added the LAN to the EPA information
system inventory.
Conclusions
GMPO management should take immediate action to secure the LAN in
accordance with federal and agency information security requirements and
complete the corrective actions initiated during our audit. Properly protecting the
GMPO LAN also helps protect other interconnected IT resources such as the
EPA-wide area network. In addition, converting the LAN support to Region 4
IT managers and discontinuing the LAN services contract could result in reduced
costs and potential savings for EPA.
Recommendations
We recommend that the Regional Administrator, Region 4:
3.	Require the Region 4 SIO to assign a technically knowledgeable person to
be the security manager of the GMPO LAN.
4.	Require the Region 4 SIO to provide necessary role-based security-related
training to information system managers and staff before authorizing them
access to the system or before performing assigned duties.
5.	Require the Region 4 ISO and IMO to work with the LAN security
manager to plan and implement IT security controls—including system
security planning, periodic review of security controls, and authorization
to operate the LAN—that comply with FISMA, OMB, and NIST
requirements and guidance.
6.	Require the Region 4 ISO and IMO to work with the LAN security
manager to establish a plan of action and milestones to correct the LAN
deficiencies as required by NIST Special Publication 800-53.9
We recommend that the Director, Gulf of Mexico Program Office:
7.	Establish internal controls to prevent the LAN security manager duties and
the LAN COTR duties from being assigned to the same individual.
8.	Require the COTR to enforce the contract and make sure the LAN
contractor meets system security requirements in the contract.
9 NIST Special Publication 800-53, Revision 3, defines a plan of action and milestones as a document that identifies
tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any
milestones in meeting the tasks, and scheduled completion dates for milestones.
9.	Provide OW with notice of the erroneous statements and claims made in
prior years' FMFIA assurance letters regarding IT system security.
We recommend that the Assistant Administrator for Environmental Information
and Chief Information Officer:
10.	Assess the LAN deficiencies identified in this report to determine whether
they should be reported under FMFIA, and act accordingly.
Agency Comments and OIG Evaluation
EPA concurred with all of the recommendations in this chapter. We reviewed
EPA's proposed corrective actions and agree that they adequately address our
recommendations. Subsequent to our receipt of EPA's official response to the draft
report, we contacted personnel from GMPO and Region 4 to clarify some of the
completion dates for the proposed corrective actions. Those dates are shown in the
Status of Recommendations chart on page 18 of this report.
Appendix B contains EPA's official response.
Chapter 4
GMPO Needs a Process to Review Data Prior to
Posting on the EPA Public Access Website
The GMPO Web page, on the EPA public access website, displayed inaccurate
data for over 18 months. GMPO did not perform a review of the content before
posting, use a Content Manager to review the content, or follow EPA's Web
governance policies or content review procedures. The GMPO personnel were not
aware of the EPA Web governance policies or content review procedures. Also,
the CIO and the Associate Administrator for the Office of External Affairs and
Environmental Education (OEAEE) did not ensure that the GMPO complied with
the EPA Web governance policy and content review procedures. Inaccurate data
can negatively impact EPA's credibility with the public.
Requirements for Web Management and Content Review
OEI issues policies and procedures that govern EPA's public access website.
The Web Governance and Management10 policy established that the EPA will
operate and maintain a public access website to assist in fulfilling the agency's
mission—to protect the environment and public health. The Web Content Types
and Review Procedure11 established the steps for keeping content on the EPA
website current. The procedure also states that EPA's website is a fundamental
communication tool for every agency program and region and that effective
management of information is essential.
EPA's Policy for Web Governance and Management
EPA's Web Governance and Management policy12 states that OEI and the
OEAEE share responsibility for governance of EPA's public access website. The
Web Council provides representative advice for content and infrastructure to the
National Web Content and Infrastructure Managers and, through them, to the
Associate Administrator for OEAEE and Assistant Administrator for OEI.
The Web Council disseminates information from agency leadership to the Web
community. Regional and program offices provide quality content and appropriate
infrastructure to communicate the agency's work and mission, adhering to the
Web governance and management policy. The policy states that ultimate
accountability for these regional and program areas is at the most senior level,
typically at the assistant administrator or regional administrator level, who must
10	Web Governance and Management, CIO 2180.0, September 7, 2006.
11	Web Content Types and Review Procedure, CIO-2180-P-06.0, March 16, 2011.
12	This policy refers to the Office of Public Affairs, which was subsequently replaced by OEAEE.
provide sufficient resources and ensure that Web resource allocation is aligned
with agency and program priorities.
EPA's Web Content Types and Review Procedure
The Web Content Types and Review Procedure established procedures for
determining the content type and review schedules for all content posted on the
EPA website. The procedure identifies roles and responsibilities, defines terms,
and provides steps to review Web content. The procedure states that EPA's
website is a fundamental communication tool for every agency program and
region and that effective management of information is essential. Distinguishing
content types and identifying appropriate review schedules are critical to keeping
the website current and up to date. Otherwise, Web visitors may have difficulty
locating information or determining what information accurately describes current
EPA policy decisions and activities. The CIO and the Associate Administrator for
OEAEE are jointly responsible for monitoring compliance with this procedure.
GMPO Posted Inaccurate Data on the EPA Public Access Website
The GMPO Web page, on the EPA public access website, contained inaccurate
data for over 18 months. Specifically, the Web page contained inaccurate funding
figures in a chart titled The Gulf of Mexico Program at Work, 1988-2010, which
showed the amount that each of the five Gulf states spent on projects over that
period. The notice on the Web page stated that it was last updated December 14,
2010, or about 18 months prior to our identifying the issue in June 2012. There
was no evidence of any oversight or monitoring of GMPO's Web page content or
posting by other offices and the inaccurate data went undetected.
GMPO Personnel Were Not Aware of Web Content Review
Requirements and EPA Management Did Not Monitor for Compliance
GMPO did not perform a review of the content before posting, use a Content
Manager to review the content, or follow the Web Governance and Management
or the Web Content Types and Review Procedures. The GMPO personnel were
not aware of the EPA Web guidance or the content review procedures. Also, the
CIO and the Associate Administrator for OEAEE did not ensure that GMPO
complied with the EPA Web governance policy and content review procedures.
Inaccurate Data Can Impact EPA's Credibility
Inaccurate data can negatively impact EPA's credibility. The information posted
on EPA Web pages is accessed by the public and must be accurate to maintain the
public trust and best represent the Administrator and the agency.
EPA Management Actions Taken During Our Audit
In June 2012, we identified this issue to GMPO management. GMPO took
immediate action and removed the previously identified Web page. The GMPO
Director initiated the development of a Web content review process within the
office. In addition, GMPO management coordinated with and agreed that the
Region 4 Office of External Affairs would provide the GMPO with Web content
review and oversight. These corrective actions address part of the causes of this
issue.
Recommendations
We recommend that the Director, Gulf of Mexico Program Office:
11.	Complete development of and implement a Web content review process
within the GMPO to validate the accuracy of data and review the quality
of content to comply with the Web Governance and Management, and the
Web Content Types and Review Procedure.
12.	Complete and implement the agreement with the Region 4 Office of
External Affairs for Web content review and oversight.
We recommend that the Assistant Administrator for Environmental Information
and Chief Information Officer, and the Associate Administrator for External
Affairs and Environmental Education:
13.	Establish a schedule for monitoring the GMPO in their enforcement of
Web Content Types and Review Procedure.
Agency Comments and OIG Evaluation
EPA concurred with recommendations 11 and 12. We reviewed EPA's proposed
corrective actions and agree that they adequately address our recommendations.
Regarding recommendation 13, EPA initially expressed nonconcurrence due to a
misunderstanding of what they thought the OIG wanted the agency to do. We
discussed this matter with personnel from OEI and OEAEE on April 29, 2013.
Based on that discussion, we clarified with them that the agency's proposed
alternative corrective action would satisfy the intent of our recommendation.
EPA personnel provided a planned completion date of September 30, 2014, for
the proposed corrective action for recommendation 13.
Appendix B contains EPA's official response.
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec. 1 (page 7): Conduct a risk assessment of GMPO strategic control
objectives and programmatic performance measures.
	Status(1): O. Action official: Director, Gulf of Mexico Program Office.
	Planned completion date: 12/31/2013.
Rec. 2: Evaluate the results of GMPO's risk assessment and work with GMPO
management to make the necessary changes to its objectives and measures, so
GMPO can accurately measure performance.
	Status: O. Action official: Assistant Administrator for Water.
	Planned completion date: 06/30/2014.
Rec. 3 (page 13): Require the Region 4 SIO to assign a technically
knowledgeable person to be the security manager of the GMPO LAN.
	Status: not legible in source. Action official: Regional Administrator,
	Region 4. Planned completion date: 04/05/2013.
Rec. 4 (page 13): Require the Region 4 SIO to provide necessary role-based
security-related training to information system managers and staff before
authorizing them access to the system or before performing assigned duties.
	Status: not legible in source. Action official: Regional Administrator,
	Region 4. Planned completion date: 09/30/2013.
Rec. 5 (page 13): Require the Region 4 ISO and IMO to work with the LAN
security manager to plan and implement IT security controls, including system
security planning, periodic review of security controls, and authorization to
operate the LAN, that comply with FISMA, OMB, and NIST requirements and
guidance.
	Status: O. Action official: Regional Administrator, Region 4.
	Planned completion date: 09/30/2013.
Rec. 6 (page 13): Require the Region 4 ISO and IMO to work with the LAN
security manager to establish a plan of action and milestones to correct the
LAN deficiencies as required by NIST SP 800-53.
	Status: O. Action official: Regional Administrator, Region 4.
	Planned completion date: 09/30/2014.
Rec. 7 (page 13): Establish internal controls to prevent the LAN security
manager duties and the LAN COTR duties from being assigned to the same
individual.
	Status: C. Action official: Director, Gulf of Mexico Program Office.
	Planned completion date: 04/05/2013.
Rec. 8 (page 13): Require the COTR to enforce the contract and make sure the
LAN contractor meets system security requirements in the contract.
	Status: C. Action official: Director, Gulf of Mexico Program Office.
	Planned completion date: 04/05/2013.
Rec. 9 (page 14): Provide OW with notice of the erroneous statements and
claims made in prior years' FMFIA assurance letters regarding IT system
security.
	Status: C. Action official: Director, Gulf of Mexico Program Office.
	Planned completion date: 05/13/2013.
Rec. 10 (page 14): Assess the LAN deficiencies identified in this report to
determine whether they should be reported under FMFIA, and act accordingly.
	Status: O. Action official: Assistant Administrator for Environmental
	Information and Chief Information Officer. Planned completion date:
	09/30/2013.
Rec. 11 (page 17): Complete development of and implement a Web content review
process within the GMPO to validate the accuracy of data and review the
quality of content to comply with the Web Governance and Management, and Web
Content Types and Review Procedure.
	Status: C. Action official: Director, Gulf of Mexico Program Office.
	Planned completion date: 02/28/2013.
Rec. 12 (page 17): Complete and implement the agreement with the Region 4
Office of External Affairs for Web content review and oversight.
	Status: not legible in source. Action official: Director, Gulf of Mexico
	Program Office. Planned completion date: 02/28/2013.
Rec. 13 (page 17): Establish a schedule for monitoring the GMPO in their
enforcement of EPA's Web Content Types and Review Procedure.
	Status: not legible in source. Action officials: Assistant Administrator
	for Environmental Information and Chief Information Officer, and
	Associate Administrator for External Affairs and Environmental Education.
	Planned completion date: 09/30/2014.
POTENTIAL MONETARY BENEFITS (In $000s)
No claimed or agreed-to amounts are listed for any recommendation.
(1) Status codes:
O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
Appendix A
Details on Scope and Methodology
We conducted our audit from May 2012 to March 2013 in accordance with generally accepted
government auditing standards. The information we reviewed covered the period 2009 through
2012. Our scope was limited to assessing whether GMPO had established effective internal
controls over its operations. As such, our tests and audit procedures were designed to provide us
with enough evidence to make such determinations.
During our audit, we reviewed federal criteria, including:
•	GPRA Modernization Act of 2010 (Public Law 111-352).
•	Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. 3541).
•	Federal Managers' Financial Integrity Act of 1982 (FMFIA, Public Law 97-255).
•	OMB Circular A-130, Management of Federal Information Resources,
November 28, 2000.
•	GAO Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1), November 1999.
•	GAO Internal Control Management and Evaluation Tool (GAO-01-1008G),
August 2001.
•	NIST Special Publication 800-53, Revision 3, Recommended Security Controls for
Federal Information Systems and Organizations.
We reviewed EPA plans and policies, including:
•	EPA Order 1000.24 CHG 2, Management's Responsibility for Internal Control,
July 18, 2008.
•	EPA's 2011-2015 Strategic Plan.
•	Agency Network Security Policy (ANSP), CIO 2150.0, approved November 27, 2007.
•	Interim Agency Network Security Policy (ANSP), CIO 2150.1, approved August 22, 2011.
•	Interim Agency Information Security Policy (AISP), CIO 2150.2, April 9, 2012.
•	Interim Security Policy (ISP), CIO 2150.3, August 6, 2012.
•	Web Governance and Management, CIO 2180.0, September 7, 2006.
•	Web Content Types and Review Procedure, CIO 2180-P-06.0, March 16, 2011.
We also reviewed GMPO documentation, including:
•	Selected contracts, grants, and cooperative agreements.
•	FMFIA Letters of Assurance and supporting schedules for 2011 and 2012.
•	2011 Work Plan and Accomplishments.
•	Memorandum of Understanding between GMPO, Region 4, Region 6, and OW
(1999 amendment).
•	Physical inventory reports as of May 2012.
During our audit, we interviewed:
•	GMPO management and staff.
•	The following OW officials: Director of the Office of Wetlands, Oceans and Watersheds;
representatives from the Resource Management Staff, including the Associate Director;
the ISO; and the IMO.
•	The following Region 4 officials: Director and staff from the Water Protection Division;
Deputy Assistant Regional Administrator and staff from the Office of Policy and
Management (including the Comptroller and the Branch Chief for Grants Finance and
Cost Recovery); ISO; LAN Administrator; and Director of External Affairs.
•	The following OEI officials: the Senior Agency Information Security Officer, and staff
from the Policy and Program Management Branch.
•	Officials from the Gulf Coast Ecosystem Restoration Task Force, including the Executive
Director and the Communications and Engagement Coordinator.
Appendix B
Agency Response
April 19, 2013
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Report/Project No. OA-FY12-
0480, "Improved Internal Controls Needed in the Gulf of Mexico Program
Office," dated March 6, 2013
FROM: Nancy K. Stoner
Acting Assistant Administrator
TO:	Arthur A. Elkins, Jr.
Inspector General
Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report. Following is a summary of the U.S. Environmental Protection Agency's overall position,
along with its position on each of the report recommendations. For those report
recommendations with which the agency agrees, we have provided high-level intended
corrective actions and estimated completion dates. For those report recommendations with which
the agency does not agree, we have explained our position and proposed alternatives to the
recommendations. For your consideration, we have included a Technical Comments Attachment
to supplement this response.
AGENCY'S OVERALL POSITION
The agency concurs with twelve of the thirteen recommendations detailed in the report. We do
not concur with the remaining one recommendation, and have provided explanations, as required
by EPA Manual 2750 - Audit Management Procedures.
AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS
Agreements
No. 1
Recommendation: The Director, Gulf of Mexico Program Office, conduct a risk
assessment of GMPO strategic control objectives and programmatic performance
measures.
High-Level Intended Corrective Action(s): The Director of the Gulf of Mexico
Program requests further information from the OIG on the official procedure for
conducting a Risk Assessment on developing programmatic performance measures.
Estimated Completion by FY: Completion Date unknown until guidance is provided.
No. 2
Recommendation: The Assistant Administrator, Office of Water, evaluate the
results of GMPO's risk assessment and work with GMPO management to make the
necessary changes to its objectives and measures, so GMPO can accurately
measure performance.
High-Level Intended Corrective Action(s): The Assistant Administrator, Office
of Water, requests further information from the OIG on the official procedure
for conducting a Risk Assessment on developing programmatic performance
measures.
Estimated Completion by FY: Completion Date unknown until guidance is provided.
No. 3
Recommendation: The Regional Administrator, require the Region 4 SIO to assign
a technically knowledgeable person to be the security manager of the GMPO LAN.
High-Level Intended Corrective Action(s): Region 4 has taken GMPO servers from
their network and placed them within the Region 4 office in Atlanta. The LAN
Administrators and Information Security Officer (ISO) will manage the GMPO LAN.
Estimated Completion by FY: Completed.
No. 4
Recommendation: The Regional Administrator, require the Region 4 SIO to provide
necessary role-based security-related training to information system managers
and staff before authorizing them access to the system or before performing
assigned duties.
High-Level Intended Corrective Action(s): All Regional/Agency employees are
required to take annual security training. GMPO staff will also be required to
take this training as an Agency annual requirement.
Estimated Completion by FY: To be completed by end of FY13.
No. 5
Recommendation: The Regional Administrator, require the Region 4 ISO and IMO to
work with the LAN security manager to plan and implement IT security controls,
including system security planning, periodic review of security controls, and
authorization to operate for the LAN, that comply with FISMA, OMB, and NIST
requirements and guidance.
High-Level Intended Corrective Action(s): The GMPO will be included in the
Region 4 Security Plan and Certification & Accreditation process, which will
ensure compliance with FISMA, OMB, and NIST requirements.
Estimated Completion by FY: To be completed by end of FY13.
No. 6
Recommendation: The Regional Administrator, require the Region 4 ISO and IMO to
work with the LAN security manager to establish a plan of action and milestones
to correct the LAN deficiencies as required by NIST SP 800-53.
High-Level Intended Corrective Action(s): The Regional Administrator Plan of
Action & Milestones (POAMs) will be generated from the annual Certification &
Accreditation reviews and these findings will be addressed by the Region 4 ISO,
IMO, and LAN Administrators.
Estimated Completion by FY: To be completed by end of FY14.
No. 7
Recommendation: The Gulf of Mexico Program, Director, establish internal
controls to prevent the LAN security manager duties and the LAN COTR duties
from being assigned to the same individual.
High-Level Intended Corrective Action(s): The Gulf of Mexico Program Office has
completed the transition from our Local LAN Server to the Region 4 Server. Our
LAN Security Manager is located in Region 4 and our LAN COTR is also in
Region 4, and they are two separate individuals.
Estimated Completion by FY: Completed April 2013.
No. 8
Recommendation: The Gulf of Mexico Program, Director, require the COTR to
enforce the contract and make sure the LAN contractor meets system security
requirements in the contract.
High-Level Intended Corrective Action(s): The Gulf of Mexico Program Office LAN
IT Support is now under a new contract with Region 4. Region 4 is responsible
for making sure the system security requirements are met under the new
contract. The LAN Contractor in Region 4 meets the system security requirements.
Estimated Completion by FY: Completed April 2013.
No. 9
Recommendation: The Gulf of Mexico Program Office, Director, provide OW with
notice of the erroneous statements and claims made in prior years' FMFIA
assurance letters regarding IT system security.
High-Level Intended Corrective Action(s): The Gulf of Mexico Program Office
Director and/or Chief of Staff will discuss past submittals of our FMFIA
Assurance letters regarding IT system security with OW staff.
Estimated Completion by FY: To be completed by end of April.
No. 10
Recommendation: The Assistant Administrator for Environmental Information and
Chief Information Officer, assess the LAN deficiencies identified in this
report to determine whether they should be reported under FMFIA, and act
accordingly.
High-Level Intended Corrective Action(s): OEI concurs with the recommendation.
Estimated Completion by FY: QTR4 FY13.
No. 11
Recommendation: Gulf of Mexico Program Office, Director, complete development
of and implement a Web content review process within the GMPO to validate the
accuracy of data and review the quality of content to comply with the Web
Governance and Management, and Web Content Types and Review Procedure.
High-Level Intended Corrective Action(s): The Gulf of Mexico Program Office has
developed a Web Content Review Standard Operating Procedures document which
they follow internally to validate the accuracy of the data and comply with all
EPA Web procedures. GMPO is now under the administrative structure of Region 4
Office of Information and External Affairs for our Web Content and review, and
they are following the EPA's official Web review and revision processes.
Estimated Completion by FY: Completed February 2013.
No. 12
Recommendation: Complete and implement the agreement with Region 4 Office of
External Affairs for Web content review and oversight.
High-Level Intended Corrective Action(s): The Gulf of Mexico Program Office has
an official agreement with Region 4 Office of External Affairs and is under
their review and oversight.
Estimated Completion by FY: Completed February 2013.
Disagreements
No. 13
Recommendation: The Assistant Administrator for Environmental Information and
Chief Information Officer, and the Associate Administrator for External Affairs
and Environmental Education, establish a schedule for monitoring the GMPO in
their enforcement of EPA's Web Content Types and Review Procedure.
Agency Explanation/Response: The Office of Environmental Information and the
Office of External Affairs and Environmental Education concur with the goal of
recommendation 13, and are taking steps to solve the issue.
We are building a new Web publishing system that will allow for automatic and
timely enforcement of the Web Content Types and Review Procedure. Content
owners will receive multiple notices directing them to review their content. If
they still fail to review their content on time, the content will automatically
be removed from EPA's website.
All EPA pages, including those owned by GMPO, will be in this system by the end
of FY 2014.
Per the EPA Web Governance and Management Policy
(http://www.epa.gov/irmpoli8/policies/21800.pdf), OEAEE (previously named OPA)
and OEI oversee governance of epa.gov. We establish policy, procedures, and
standards, working with each office and region through the Web Council. The
Web Content Types and Review procedure is one of many such governing documents.
Web Council members, in turn, work with their colleagues to ensure compliance
with requirements.
Until the new Web publishing system is fully operational at the end of FY 2014,
OEI and OEAEE will remind the Web Executive Board, Web Council, and the EPA Web
community of the importance of following EPA Web policies, procedures, and
standards. We will specifically highlight the importance of the Web Content
Types and Review Procedure.
However, it is important to note that OEI and OEAEE do not concur with the idea
of a special monitoring schedule for GMPO. Our offices lack the resources to
create schedules for monitoring specific programs' compliance with
requirements. Ultimate accountability for content rests with each office and
region.
Proposed Alternative: See Agency Response.
CONTACT INFORMATION
If you have any questions regarding this response, please contact, Michael Mason at 202 564-
0572 or at mason.michael@epa.gov.
Attachment
cc: Malcolm Jackson
Ben Scaggs
Gwendolyn Keyes Fleming
James O'Hara
Mike Shapiro
Diane Altsman
Dorothy Rayfield
Larry Lincoln
Michael Mason
Marilyn Ramos
Scott Dockum
Patrick Gilbride
Melissa Heist
Randy Holthaus
Lisa Bergman
Raul Adrian
Appendix C
Distribution
Office of the Administrator
Assistant Administrator for Water
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Gulf of Mexico Program Office
Regional Administrator, Region 4
Associate Administrator for External Affairs and Environmental Education
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Principal Deputy Assistant Administrator for Water
Principal Deputy Assistant Administrator for Environmental Information
Deputy Administrator, Region 4
Associate Administrator for Congressional and Intergovernmental Relations
Audit Follow-Up Coordinator, Office of Water
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Region 4