U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Congressionally Requested
Inquiry Into the EPA's Use of
Private and Alias Email Accounts
Report No. 13-P-0433
September 26, 2013

-------
Report Contributors:
Rudolph M. Brevard
Michael Goode
Eric K. Jackson Jr.
Teresa Richardson
Gina Ross
Sabrena Stewart
Abbreviations
CFR	Code of Federal Regulations
EPA	U.S. Environmental Protection Agency
GAO	U.S. Government Accountability Office
NARA	National Archives and Records Administration
NRMP	National Records Management Program
OIG	Office of Inspector General
OMB	Office of Management and Budget
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
email:	OIG_Hotline@epa.gov
phone:	1-888-546-8740
fax:	202-566-2599
online:	http://www.epa.gov/oig/hotline.htm
write:	EPA Inspector General Hotline
	1200 Pennsylvania Avenue, NW
	Mailcode 2431T
	Washington, DC 20460

-------

At a Glance
Why We Did This Review
We conducted this audit in response to a request by the U.S. House of
Representatives Committee on Science, Space, and Technology for information
about the U.S. Environmental Protection Agency's (EPA's) practices when using
private and alias email accounts to conduct official business.
The EPA's records management program is managed through the agency's National
Records Management Program. The agency's records officer, located within the
Office of Environmental Information, is responsible for leading the program in
accordance with EPA policy, procedures, and federal statutes and regulations.
This report addresses the following EPA theme:
•	Embracing EPA as a high performing organization.
For further information, contact our public affairs office at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2013/20130926-13-P-0433.pdf
What We Found
We found no evidence that the EPA used, promoted or encouraged the use of private
"non-governmental" email accounts to circumvent records management
responsibilities or reprimanded, counseled or took administrative actions against
personnel for using private email or alias accounts for conducting official government
business. EPA senior officials said they were aware of the agency records
management policies and, based only on discussions with these senior officials, the
OIG found no evidence that these individuals had used private email to circumvent
federal recordkeeping responsibilities.
The previous EPA Administrator and the then Acting EPA Administrator who followed
were issued two EPA email accounts. One account was made available to the public
to communicate with the EPA Administrator and the other was used to communicate
internally with EPA personnel. This was the common practice for previous
Administrators. The practice is widely used within the agency and is not limited to
senior EPA officials. These secondary EPA email accounts present risks to records
management efforts if they are not searched to preserve federal records.
The agency recognizes it is not practical to completely eliminate the use of private
email accounts. However, the agency had not provided guidance on preserving
records from private email accounts. The EPA has not implemented oversight
processes to ensure locations provide consistent and regular training on records
management responsibilities, and employees complete available training on their
delegated National Records Management Program duties. Inconsistencies in
employee out-processing procedures pose risks that federal records are not identified
and preserved before an employee departs the agency. EPA also lacks an automated
tool to create federal records from its new email system.
Recommendations and Planned Agency Corrective Actions
We recommend that the assistant administrator for the Office of Environmental
Information develop and implement oversight processes to update agency guidance
on the use of private email accounts, train employees and contractors on records
management responsibilities, strengthen relationships between federal records
preservation and employee out-processing, and deliver a system to create federal
records from the new system. The EPA concurred with many of our
recommendations but did ask that we clarify aspects of two findings. The agency has
either completed recommended actions or plans to take corrective actions to address
our findings.
Noteworthy Achievements
EPA created a records policy to provide guidance to personnel regarding roles and
responsibilities for records management. In fiscal year 2009, the EPA declared
electronic content management an agency-level weakness. In its fiscal year 2012
Agency Financial Report, the EPA cited as part of its corrective action plan that it
launched two pilot projects to evaluate tools for eDiscovery and the management of
email records. Over the past 4 years, the EPA has taken various actions to close out
this agency-level weakness.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
September 26, 2013
MEMORANDUM
SUBJECT: Congressionally Requested Inquiry Into the EPA's Use of
Private and Alias Email Accounts
Report No. 13-P-0433
FROM: Arthur A. Elkins Jr.
TO: Renee Wynn, Acting Assistant Administrator and Chief Information Officer
Office of Environmental Information
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems
the OIG identified and the corrective actions the OIG recommends. This report represents the opinion of
the OIG and does not necessarily represent the final EPA position.
Action Required
The EPA agreed with all five of our recommendations. The agency completed agreed-upon corrective
actions associated with recommendations 1 and 2 and the OIG considers these recommendations closed.
Recommendations 3 through 5 are considered open with agreed-upon corrective actions pending.
We accept EPA's response and planned corrective actions and no further response is needed.
If you or your staff have any questions regarding this report, please contact Richard Eyermann, the acting
assistant inspector general for the Office of Audit, at (202) 566-0565 or eyermann.richard@epa.gov; or
Rudolph Brevard, director for Information Resources Management Audits, at (202) 566-0893 or
brevard.rudy@epa.gov.

-------
Table of Contents
Chapters
1	Introduction
	Purpose
	Background
	Noteworthy Achievements
	Scope and Methodology
2	The EPA's Use of Private and Alias Email Accounts
	Results of Review
	The EPA Lacks Records Management Policies and Procedures Regarding Private Email Account Usage
	The EPA Lacks Records Management Training for Private and Alias Email Usage
	The EPA Lacks Practices for Collecting and Preserving Records for Employees Separating From Regional Offices
	The EPA Lacks Tool to Place Email in Its Electronic Content Management System for Its New Email System
	Agency Actions Prior to Issuance of Final Report
	Recommendations
	Agency Response and OIG Evaluation
	Status of Recommendations and Potential Monetary Benefits
Appendices
A	Agency Response to Draft Report
B	Distribution

-------
Chapter 1
Introduction
Purpose
We conducted this audit in response to a U.S. House of Representatives
Committee on Science, Space, and Technology request for information about
whether the U.S. Environmental Protection Agency (EPA) follows applicable
laws and regulations when using private and alias email accounts to conduct
official business. Specifically, in response to the committee's request, the Office
of the Inspector General (OIG) sought to determine whether the EPA:
•	Promoted or encouraged the use of private or alias email accounts to
conduct official government business.
•	Reprimanded, counseled, or took administrative actions against any
employees using private or alias email accounts.
•	Established and implemented email records management policies and
procedures for collecting, maintaining and accessing records created from
any private or alias email accounts.
•	Provided adequate training to employees concerning the use of private or
alias email accounts to conduct official government business.
•	Established and implemented oversight processes to ensure employees
comply with federal records management requirements pertaining to
electronic records from private or alias email accounts.
Background
National Archives and Records Administration
The National Archives and Records Administration (NARA) is responsible for
overseeing agencies' adequacy of documentation and records disposition
programs and practices. NARA issues regulations and provides guidance and
assistance to federal agencies on ensuring adequate and proper documentation of
the organization, functions, policies, decisions, procedures and essential
transactions of the federal government; and ensuring proper records disposition,
including standards for improving the management of records.
Private and Alias Email
Private email accounts for the purposes of this review are defined as any
non-".gov" email addresses used to conduct EPA business. Alias email is defined
as a secondary "epa.gov" account used to conduct EPA business. EPA stated that
alias email accounts have been used by prior EPA Administrators given the large
volume of emails sent to their public EPA accounts.
Agency Record Management
The EPA manages its official records through its National Records Management
Program (NRMP). The Office of Information Collection within the EPA's Office
of Environmental Information oversees the NRMP. The agency records officer is
responsible for leading the NRMP in accordance with the EPA policy,
procedures, and federal statutes and regulations. The agency records management
program lists the following as the agency records officer's responsibilities:
•	Developing an overall records management strategy.
•	Producing and updating EPA records management policies, procedures,
standards and guidance.
•	Cooperating with other units in developing policies and guidance on the
application of technology to records management.
•	Conducting specialized briefings on records management.
•	Assisting records programs across the agency with advice and technical
expertise.
Noteworthy Achievements
The EPA took steps to improve its records management practices. For example,
the EPA created a records policy to provide guidance to personnel on the roles
and responsibilities pertaining to records management. In addition, in fiscal year
2009, the EPA declared electronic content management an agency-level
weakness. In its fiscal year 2012 Agency Financial Report, the EPA stated that it
has either completed or initiated the following corrective actions to address this
agency-level weakness:
•	Established a new Quality Information Council Electronic Content
Subcommittee.
•	Developed a charter for the subcommittee.
•	Established two enterprise-wide workgroups under the subcommittee.
•	Developed interim procedures to address the storage and preservation of
electronically stored information.
•	Launched two pilot projects to evaluate tools for eDiscovery and the
management of email records. The results of the pilot projects will be used to
inform the subcommittee's decisions on future policy or tool implementation.
The agency has also stated that it will develop a validation strategy to assess the
effectiveness of various activities undertaken to redress the identified weakness.
The validation strategy will consist of processes that allow the agency to review
and determine whether policies and tools are being implemented and utilized.
Scope and Methodology
We conducted this audit from December 2012 to June 2013. We performed this
audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient
and appropriate evidence to provide a reasonable basis for our findings and
conclusions based on the audit objectives.
To obtain a broad understanding of EPA officials' records management
responsibilities, we reviewed agency records management policies and procedures;
the Code of Federal Regulations (CFR) in 36 CFR Chapter XII - National Archives
and Records Administration; Office of Management and Budget (OMB) Circular
A-123, Management's Responsibilities for Internal Control; and OMB Circular
A-130, Management of Federal Information Resources.
We met with the then Acting EPA Administrator (currently the Deputy
Administrator), staff and officials from the Office of the Administrator, officials
from the Office of General Counsel, and appointed or acting assistant and
regional administrators from the following program and regional offices, to gather
an understanding of their background and experience with federal records
requirements:
•	Office of Environmental Information
•	Office of Air and Radiation
•	Office of International and Tribal Affairs
•	Office of Research and Development
•	Office of Chemical Safety and Pollution Prevention
•	Region 2, New York, New York
•	Region 3, Philadelphia, Pennsylvania
•	Region 6, Dallas, Texas
•	Region 8, Denver, Colorado
•	Region 9, San Francisco, California
We met with offices' information management officers, senior information
officials, regional records officers, records liaison officers, email administrators,
human resource directors, and Freedom of Information Act officers responsible
for implementing and complying with the EPA federal records guidance. We also
met with the EPA representative responsible for the direct oversight of the
agency's NRMP regarding that oversight and to obtain an understanding of the
implemented internal controls around EPA's ability to maintain electronic records
and other records management practices.
We also met with the former Region 8 regional administrator to gain his
perspective on what EPA could do to strengthen its electronic records
management practices. We requested interviews with the most recent former
EPA Administrator and general counsel to gain their perspective on the agency's
records management practices. We did not receive a response from these two
former employees on our requests for interviews.
We followed up on the status of recommendations made by the U.S. Government
Accountability Office (GAO) in its report National Archives and Selected
Agencies Need to Strengthen Email Management (GAO-08-742), issued
June 2008. The report recommended that the EPA:
•	Revise the agency's policies to ensure that they appropriately reflect
NARA's requirement on instructing staff on the management and
preservation of email messages sent or received from nongovernmental
email systems.
•	Develop and apply oversight practices, such as reviews and monitoring of
records management training and practices, that are adequate to ensure
that policies are effective and staff are adequately trained and
implementing policies appropriately.
The GAO noted that the EPA was in the process of improving the implementation
of its electronic content management system in order to collect federal records
within the agency's email system.

-------
Chapter 2
The EPA's Use of Private and Alias Email Accounts
The EPA lacks internal controls to ensure the identification and preservation of
records when using private and alias email accounts for conducting government
business. The agency lacks controls to ensure agency employees and contractors
are trained on the records management responsibilities and a process to create
records from its new email system. Federal guidance issued by NARA requires
agencies to appropriately identify and preserve records for their decisions. Federal
guidance also specifies records management training requirements as well as the
requirements when using automated systems to preserve email records. The
weaknesses noted occurred because the EPA had not created records management
policies and procedures for private email account usage, and had not conducted
oversight to ensure employees and contractors were provided consistent and
regular training on records management responsibilities. Further, the EPA lacks
controls to ensure out-processing procedures identify potential records, and lacks
an automated process to create federal records from its new email system. If these
critical issues are not corrected, the agency faces the risk that records needed to
document the EPA's decisions would not be available. This could potentially
undermine the public's confidence in the transparency of the EPA's operations
and ultimately erode the public's trust in the agency's stewardship of the nation's
environmental programs.
Results of Review
We found no evidence to support that the EPA used, promoted, or encouraged the
use of private email accounts to circumvent records management responsibilities.
Furthermore, EPA senior officials indicated that they were aware of the agency
records management policies and, based only on discussions with these senior
officials, the OIG found no evidence that these individuals had used private or alias
email to circumvent federal recordkeeping responsibilities. We noted that the
previous EPA Administrator and the subsequent Acting EPA Administrator
(the Deputy Administrator) each had two EPA email accounts, one intended for
messages from the public and one for communicating with select senior EPA
officials. Interviews with selected assistant and regional administrators and records
management officials disclosed that the practice of assigning personnel access to
multiple email accounts is widely practiced within the agency. We found no
evidence to support that the EPA reprimanded, counseled or took administrative
actions against personnel for using private and alias email accounts.
Personnel have access to multiple EPA email accounts for various purposes.
These include sending out mass email notifications, transmitting or receiving
documents in support of special projects, or linking the email account to an
agency publicly available website to provide the public with a method to
correspond with the EPA. Each of these additionally assigned email accounts
could potentially contain federal records or other documents subject to Freedom
of Information Act requests or litigation holds. Our audit disclosed that these
secondary email accounts present risks to the agency's records management
efforts if they are not searched to preserve federal records.
In addition to needed improvements over internal controls surrounding secondary
email accounts, more oversight is needed to strengthen policies and procedures
regarding the use of private email accounts, processes for training employees and
contractors on their records management responsibilities, and practices for
preserving records when employees depart the agency. The EPA should also ensure
that it implements a tool to create records directly from its new email system.
The EPA Lacks Records Management Policies and Procedures
Regarding Private Email Account Usage
The EPA lacks consistent practices regarding what steps employees should take to
preserve federal records when they use private email accounts for conducting
government business. Instead, in October 2012, in response to increased attention
brought on the agency due to media articles and inquiries into the EPA records
retention practices, EPA officials placed an alert on its Intranet advising employees
of the following:
"Do not to use any outside mail systems to conduct official Agency
business. If, during in an emergency, you use a non-EPA email
system, you are responsible for ensuring that any email records and
attachments are saved in your offices' recordkeeping system."
Title 36 CFR Chapter XII - National Archives and Records Administration,
Part 1236, states that agencies that allow employees to send and receive official
electronic mail messages using a system not operated by the agency must ensure
that federal records sent or received on such systems are preserved in the
appropriate agency recordkeeping system.
The EPA had not developed or implemented policies or procedures regarding the
preservation of email messages sent or received from private email systems.
While the EPA alert advises employees not to use outside email systems to
conduct official business, the alert does not instruct employees on the
management and preservation of email messages sent from outside email systems
if it were to occur. Senior agency officials and office representatives cited reasons
why the complete nonuse of personal electronic equipment (which includes
computers, mobile devices and email accounts) when the employee is not within
the office is not practical.
Senior agency officials and office representatives noted as one reason the
proliferation of personal mobile devices that are not allowed access to the agency's
network. The officials also cited as another reason the increased use of unscheduled
telework, during which employees unexpectedly worked off site when they did not
have their assigned government equipment with them. However, given these
growing concerns, the EPA had not taken steps to provide employees guidance as
to when they may use private electronic equipment—including computers, mobile
devices and email accounts—to conduct government business.
Without effective records management policies and procedures that address
collecting, maintaining and accessing records created from private email
accounts, the EPA risks the possibility that agency personnel are not conducting
government business in a manner consistent with management's desires. The EPA
also risks the possibility that agency personnel are not capturing potential records
needed to document agency decisions.
The EPA Lacks Records Management Training for Private and Alias
Email Usage
The EPA lacks internal controls to ensure that personnel are trained on their
responsibilities for preserving records from private and alias accounts used to
conduct official government business. As noted, the EPA does not have formal
guidance on the use of private email accounts and subsequently has not provided
training in this area. Further, the agency has not conducted training on its existing
records management policies and procedures, which govern government records,
since 2009. Our discussion with agency representatives raises doubt as to whether
the EPA will meet the latest requirement to inform all personnel of their records
management responsibilities.
Federal guidance requires training of personnel on their records management
responsibilities. Specifically:
•	NARA states that federal agencies must provide guidance and training to
all agency personnel on their records management responsibilities,
including identification of federal records, in all formats and media.
•	OMB Circular A-123 reiterates management's responsibility for
establishing internal control to train personnel to possess the proper
knowledge and skills to perform their assigned duties. OMB Circular
A-130 requires agencies to train all employees and contractors on their
federal records management responsibilities.
•	OMB Memorandum M-12-18, Managing Government Records, requires
agencies to inform employees of their records management responsibilities
by December 31, 2014.
The EPA had not provided records management training to employees and
contractors in over 3 years. The agency last provided agencywide records
management training in fiscal years 2007 and 2009. While the training discussed
creating records within government email systems, neither of these two training
courses addressed the usage of private email accounts to conduct official
government business. The training also has not been updated to place emphasis on
creating records when employees are assigned secondary email accounts. The
agency plans to incorporate the use of private or secondary email accounts in
future training courses to fulfill the OMB training requirement to inform
employees of their records management responsibilities. However, the agency has
not established a firm date for when it would develop or offer the training course.
The EPA's NRMP did not establish controls to ensure consistent training of
records management responsibilities within the regional and program offices or
ensure employees with specific NRMP responsibilities took available training.
We noted that the EPA created an organizational structure for its records
management program with clearly defined roles and responsibilities. The EPA
also has training available for agency records officers, liaisons and coordinators.
However, the agency lacked processes to ensure the structure functioned as
intended and specialized training was taken when needed.
According to a program office records liaison officer, the officers rely upon the
headquarters NRMP official to provide training for them to use to train their
personnel. Records liaison officers could not provide records to show how many
personnel within their offices were trained on records management
responsibilities in general or specifically trained on the office's policy on using
personal email accounts when conducting official government business. Our
interviews also disclosed that the agency relies upon the records liaison officers to
take additional training to carry out their delegated duties and the agency does not
monitor whether the records liaison officers took training.
The lack of consistent records management training increases the risk that agency
employees neither understand nor fully comply with federal records management
requirements. This also has led to records management training, when given,
being delivered in an ad hoc and informal manner with no measure to ensure the
information reached the specified target audience. As such, we believe the agency
has limited assurance that all applicable personnel are trained on records
management responsibilities, and this raises questions as to whether any provided
training was delivered in sufficient frequency to ensure personnel could
appropriately carry out their responsibilities.
The EPA Lacks Practices for Collecting and Preserving Records for
Employees Separating From Regional Offices
The EPA lacks internal controls to ensure that regional offices consistently collect
and preserve electronic records for separating employees. Our audit disclosed that
regional offices lacked processes for notifying individuals with records
management responsibilities about employee separation from the agency, to
ensure that all records were identified before the employee's departure.
Management at regional offices did not consistently validate that separating
employees turned over electronic records. This included collecting and preserving
electronic records in alias email accounts known as "mail-in accounts," as well as
files on flash drives and external hard drives.
EPA Order 3110.5A and Employee Separation Checklist Form 3110-1 outline the
agency's employee separation procedures. The procedures state that management
is responsible for certifying receipt of items listed on Form 3110-1, which
includes the identification and transfer of agency records. The procedure assigns
departing employees with responsibility to identify and transfer agency records.
The procedure also assigns the employee's supervisor and program office records
manager responsibility to validate the receipt of records through signature.
Weaknesses within regional separation procedures exist due to the NRMP
manager not conducting oversight to ensure that federal records procedures were
fully integrated. Our review disclosed that regional notification procedures for
departing employees did not allow time to identify and preserve official records.
We also found that managers with records responsibilities did not consistently
take steps to validate collection and preservation of records before employee
departure. For example:
•	Regions lacked internal controls to ensure employee separation checklists
reached individuals with records management responsibilities in order for
them to preserve federal records. This included taking steps to have
employees search for potential records residing within alias email
accounts the employee manages or on other electronic media devices
within the employee's control.
•	Some employees bypass their supervisor or administrative officer and go
directly to the regional human resource office to start the separation
process. As such, individuals tasked with records management
responsibilities do not know that an employee is departing until the
employee arrives with the separation checklist for clearance signature.
•	Regional separation checklists did not include an area where regional office
managers tasked with records management responsibilities could sign off on
employee separation forms. Some regional separation checklist forms did
not include an agency requirement to identify and transfer records.
•	Regional office managers not tasked with records management
responsibilities were signing off on employee separation forms without
conducting steps to ensure that collection and preservation of the separating
employees' electronic records had occurred. One regional human resource
staff member also stated that they typically have to sign off on employee
clearance forms for employees who depart at the end of the year, when most
supervisors are taking leave (use or lose) at holiday time.
Without effective employee separation processes that ensure identification and
collection of agency records from all electronic media used for collection and
storage, the EPA risks losing historical records that support its decisions. EPA
human resource offices are signing off that agency records were preserved even
though they were not in a position to know this information. The weaknesses have
also left regional counsels with insufficient time to have employees search to
ensure that all records are preserved for litigation holds, and with the information to
prompt employees to search for records that may be contained within alias email
accounts, flash drives and external hard drives.
The EPA Lacks Tool to Place Email in Its Electronic Content
Management System for Its New Email System
The EPA deployed its new email system without the capability to place new email
system records in its electronic content management system. During its audit, the
GAO noted that email records retention in the EPA was primarily a print-and-file
system and noted that the EPA developed an oversight plan and pilot-tested a
records management survey tool.
Subsequent to the GAO report, in fiscal year 2009, the EPA declared electronic
content management an agency-level weakness. In its fiscal year 2012 Agency
Financial Report, the EPA noted that inconsistencies in how electronic content is
maintained and stored have started to impact critical processes related to
electronic records management. The EPA cited as part of its corrective action plan
that it would launch two pilot projects to evaluate tools for eDiscovery and the
management of email records.
The EPA implemented its new email system without providing a means for agency
employees to create federal records in the agency's electronic content management
system. During the past 4 fiscal years, the EPA has been taking steps to complete
corrective actions to close out the electronic content management agency-level
weakness by the projected completion date of fiscal year 2013. Based on
information on the agency's electronic content management website, employees are
directed to print and file email records until an electronic content management
system is in place to store records. However, the website provides no information
as to when the EPA would provide a solution for creating federal records from its
new email system. We believe that the EPA will not be in a position to close out
the agency-level weakness by its projected fiscal year 2013 completion date.
Agency Actions Prior to Issuance of Final Report
On June 28, 2013, the EPA issued Interim Records Management Policy
CIO 2155.2. This policy states that official agency business should first and
foremost be done on official EPA information systems (e.g., email, instant
messaging, computer work stations, and shared service solutions). The policy
specifies that the record creator must ensure that any use of a non-governmental
system does not affect the preservation of federal records for Federal Records Act
purposes, or the ability to identify and process those records, if requested, under
the Freedom of Information Act or for other official business (e.g., litigation or
congressional oversight requests).
Also, on July 31, 2013, the agency deployed its new mandatory records
management training for all agency staff, contractors and grantees that have
access to EPA information systems. The EPA indicated that over 30 percent of
agency employees have already taken the training.
Recommendations
We recommend that the assistant administrator and chief information officer,
Office of Environmental Information:
1.	Develop and implement records management policies and procedures
regarding the use of private email accounts when conducting official
government business.
2.	Develop internal controls to ensure that all EPA employees and contractors
complete training on their records management responsibilities.
3.	Develop and implement internal controls to monitor and track completion
of training for personnel with specific delegated duties and
responsibilities outlined in the NRMP guidance.
4.	Conduct outreach with all EPA offices to ensure that locally developed
separation policies and procedures, as well as the associated employee
separation checklist, include records management retention practices
consistent with agency guidance. This should include ensuring that:
a.	Locations' out-processing procedures contain practices where
notifications are sent to individuals with records management
responsibilities in a timely manner to aid in capturing electronic
records from separating employees.
b.	Locations include steps to have employees search for potential
records residing within alias email accounts that the employee
manages or on other electronic media devices within the
employee's control.
c.	Locations have special out-processing procedures that contain a
method for collecting records from departing employees during
the holiday season or times of limited staffing.
d. Locations update their locally developed out-processing checklist
to ensure an area exists for where records managers can note their
records management certifications as required by agency policy.
5. Establish a revised date for when the EPA will implement an
electronic content management tool to capture email records within the
agency's new email system.
Agency Response and OIG Evaluation
The agency provided a corrective action plan with milestones to address all the
report recommendations. The agency completed corrective actions associated with
recommendations 1 and 2 and the OIG considers these recommendations closed.
Recommendations 3, 4 and 5 are considered open with corrective actions pending.
Although the EPA agreed to perform corrective actions for our recommendations,
the agency believed the report did not:
•	Recognize the distinction between secondary accounts used by EPA
Administrators for a specific purpose and secondary email accounts used
for purposes such as sending out mass email notifications, transmitting or
receiving documents in support of special projects, or linking the email
account to an agency publicly available website to provide the public with a
method to correspond with the EPA.
•	Reflect the issuance of the EPA Interim Records Management Policy
CIO 2155.2 on June 28, 2013, which strongly discourages the use of private
non-EPA email accounts.
Our audit disclosed that the agency uses secondary email accounts similarly
throughout the EPA. These secondary email accounts can send and receive email
messages as well as create records that could be subject to Freedom of Information
Act or litigation requests. The agency also had not implemented policies that make
distinctions between secondary email accounts used by senior agency officials and
secondary email accounts used for other purposes. As such, we made no
differentiation between these accounts during our audit. Our audit disclosed that
secondary email accounts pose risks to the agency and the EPA should take steps to
strengthen the management control structure surrounding these accounts.
We updated the final report to recognize that the EPA issued its interim records
management procedure subsequent to the OIG issuing its discussion draft report.
Status of Recommendations and Potential Monetary Benefits
RECOMMENDATIONS
Columns: Rec. No.; Page No.; Subject; Status (see key below); Action Official; Planned Completion Date; Potential Monetary Benefits (in $000s): Claimed Amount, Agreed-To Amount
1.	Subject: Develop and implement records management policies and procedures regarding the use of private email accounts when conducting official government business.
Action Official: Assistant Administrator and Chief Information Officer, Office of Environmental Information
Planned Completion Date: 6/28/13
2.	Subject: Develop internal controls to ensure that all EPA employees and contractors complete training on their records management responsibilities.
Action Official: Assistant Administrator and Chief Information Officer, Office of Environmental Information
Planned Completion Date: 7/31/13
3.	Subject: Develop and implement internal controls to monitor and track completion of training for personnel with specific delegated duties and responsibilities outlined in the NRMP guidance.
Action Official: Assistant Administrator and Chief Information Officer, Office of Environmental Information
Planned Completion Date: 12/31/13
4.	Subject: Conduct outreach with all EPA offices to ensure that locally developed separation policies and procedures, as well as the associated employee separation checklist, include records management retention practices consistent with agency guidance. This should include ensuring that:
a.	Locations' out-processing procedures contain practices where notifications are sent to individuals with records management responsibilities in a timely manner to aid in capturing electronic records from separating employees.
b.	Locations include steps to have employees search for potential records residing within alias email accounts that the employee manages or on other electronic media devices within the employee's control.
c.	Locations have special out-processing procedures that contain a method for collecting records from departing employees during the holiday season or times of limited staffing.
d.	Locations update their locally developed out-processing checklist to ensure an area exists for where records managers can note their records management certifications as required by agency policy.
Action Official: Assistant Administrator and Chief Information Officer, Office of Environmental Information
Planned Completion Date: 12/31/13
5.	Subject: Establish a revised date for when the EPA will implement an electronic content management tool to capture email records within the agency's new email system.
Action Official: Assistant Administrator and Chief Information Officer, Office of Environmental Information
Planned Completion Date: 12/31/13
Status key:
O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
Appendix A
Agency Response to Draft Report
August 27, 2013
MEMORANDUM
SUBJECT: Response to the Office of Inspector General Draft Report No. OA-FY13-0113
Congressionally Requested Inquiry into the EPA's Use of Private and Alias Email
Accounts, dated July 19, 2013
FROM: Renee P. Wynn
Acting Assistant Administrator and Chief Information Officer
TO:	Arthur A. Elkins, Jr.
Inspector General
Thank you for the opportunity to respond to the issues and recommendations described in Draft
Report No. OA-FY13-0113.
Over the last several months, the agency has undertaken many important actions designed to
improve the agency's records management and preservation program. Because of the connection
between these efforts and some of the issues discussed in your draft report, and because we
believe the report should be evaluated with an understanding of these efforts, I detail the efforts
below.
Improved Training on Information Management Responsibilities
The EPA has launched a multi-faceted training effort to ensure every employee at the agency
understands his or her records management responsibilities. First and foremost in the agency's
training program is mandatory training for all employees of the EPA on records management. On
July 31, 2013, Deputy Administrator Robert Perciasepe announced the availability of this new
training, reminding employees that "records management is the daily responsibility of every EPA
employee." The training focuses on the foundations of records management, providing guidance
on how to identify and preserve Federal records. Less than three weeks after the training was
announced - and more than a month before the training must be completed on September 30,
2013 - over 30% of agency employees have already taken the training.
In addition to training for all employees, the EPA is working with the Department of Justice's
Office of Information Policy on in-depth training for the agency's Freedom of Information Act
(FOIA) professionals. The Office of Information Policy is the office within the Department of
Justice that develops guidance for Executive Branch agencies on our responsibilities under
FOIA, and is understood by government and non-government organizations alike as the
government's foremost FOIA experts. The EPA is excited to welcome DOJ for this training,
which the agency expects to conduct in September 2013.
Following up on 2013's Records Management training, the EPA will conduct mandatory training
for all of our employees on their individual and collective responsibilities under FOIA in 2014.
This training is expected to focus on the requirements of FOIA; the importance of timely,
accurate responses; and the role every employee plays in the agency's efforts to comply with the
Act. In addition to these training modules, the EPA has completely overhauled our Records
intranet site. This site, at http://intranet.epa.gov/records, serves as an agency-wide records
management resource, and provides guidance to employees as well as links to a variety of
information law resources.
Updated Policies For Employee Conduct
In addition to a renewed focus on training for employees, the EPA has begun the process of
reviewing, updating, and reissuing agency policies for the effective management of agency
information resources. First among that effort was a review of the agency's Records Policy, with
the specific intent of addressing the use of personal email and consolidating our records retention
schedules to make them easier for staff to use and more adaptable to electronic records
management tools.
In June 2013, the EPA issued its Interim Records Management Policy CIO-2155.2, which
strongly discourages the use of private non-EPA email accounts, stating that "Official Agency
business should first and foremost be done on official EPA information systems." Further, the
Interim Policy goes on to instruct employees on how to manage and preserve email messages
sent from outside email systems if use of a non-EPA email system were to occur. The Interim
Policy instructs employees that once the electronic files have been captured in an approved EPA
records management system, they should be removed from non-EPA information systems, unless
subject to an obligation to preserve the files in their original location. The EPA initiated the
process to finalize this policy shortly after issuing in interim form.
On September 30th, the EPA will issue its first agency-wide Interim FOIA Procedures. The EPA
expects these procedures will increase consistency and predictability in the processing of FOIA
requests across the agency's programs and regions. The procedures define key roles and
responsibilities in the processing of FOIA requests, and detail the basic steps of processing a
request from receipt to document collection to production.
Advanced Technology for Managing Agency Information
The EPA has also embarked on an ambitious effort to improve the technology available to
employees for managing, preserving, and producing agency information. In 2010, the EPA
established the Electronic Content Subcommittee of the Quality and Information Council. (The
Council was established in 1999, to address enterprise-wide information management issues and
to develop agency policies to guide the EPA in the areas of information technology and
information management.) The Electronic Content Subcommittee was established to focus
particularly on the challenge of creating, preserving, maintaining, and retrieving the range of
electronic information at the agency. Under the auspices of that Committee, the agency's
eDiscovery Workgroup led the way in launching an enterprise-wide litigation hold solution
in October of 2012. For the first time, the EPA now issues, maintains, tracks, and monitors all
litigation holds issued to agency employees in a single system. This consolidation helps the
agency ensure it is preserving all information subject to a litigation-based preservation
obligation, and increases consistency and efficiency at the same time. The Workgroup has also
made significant progress towards the full launch of electronic search and review tools that will
be used for more comprehensive and efficient information requests and document productions.
The agency is also poised to release an "EZ Records" tool to assist employees with their records
management obligations. The EZ Records tool will allow employees to designate emails as
records with just one click of a mouse, increasing the likelihood that employees will preserve
email records as soon as they are created. To help encourage use of the tool, in October 2013, the
EPA will launch an Agency-wide, mandatory training on how to capture email records using the
new EPA-developed tools for records preservation.
Response to the Draft Report
The agency has welcomed this evaluation by the Office of Inspector General. The "Agency's
Response to Report Recommendations" attachment details EPA's response to each
recommendation and provides an estimated date of completion. In addition to the responses to
the Report's specific recommendations, the agency would also like to respond to certain aspects
of the narrative portions of the report as well.
Specifically on the use of private, non-EPA email accounts, the report correctly finds that the
agency has not "promoted or encouraged the use of private 'non-governmental' email accounts to
conduct official government business." In fact, the agency has taken many steps to discourage
the use of non-EPA email accounts unless necessitated by special circumstances. Since 2009, the
agency has stated both in its records training for senior officials and on its records intranet site
Frequently Asked Questions that EPA staff generally should not use non-government email
accounts to conduct official agency business. EPA's records officer provides this information as
part of the on-boarding process for political appointees and senior officials in Headquarters, as
well as consults with Records Liaison Officers to provide this information to officials located in
the agency's regional office. We believe that the report should more clearly recognize these
previous efforts to provide guidance on this issue. In addition, the report does not reflect that all
employees at headquarters receive basic records management training as part of the onboarding
process, and are provided information about the extensive self-help section of the Records
Program intranet site.
The agency believes that the report could be more helpful for our efforts to improve our records
management program by making a clearer distinction among the types of email accounts
addressed in the report. The report uses both "private" and "personal" to describe email accounts
that are not maintained on an EPA system. We encourage the OIG to use consistent
nomenclature in the final report, to ensure all recipients of the report understand the guidance
provided.
We also strongly encourage the OIG to more clearly distinguish between non-EPA email
accounts and "secondary" official epa.gov email accounts. Secondary epa.gov accounts are
official government accounts that are assigned to an employee or to a program within the EPA as
part of that employee's or program's official government duties. Emails sent to or from these
accounts are sent to or from the EPA email system in the same manner and form as an email to
or from a "primary" account is sent to or from the EPA email system. These accounts are
different from non-EPA email accounts, and, as such, the two may require different actions to
ensure compliance with an employee's information management responsibilities.
Additionally, the report also seems to conflate various types of secondary official epa.gov email
accounts. There are a variety of uses for secondary accounts that are different from a regular, day
to day email account of a single employee. Currently, the agency has only identified a need for
the Administrator or Deputy Administrator to have a secondary account that is specific to her or
him and that is used as her or his day to day official government email account. These secondary,
official government accounts permit the Administrator and Deputy Administrator to conduct
agency business by maintaining a manageable, working email account for daily correspondence
with staff and other officials, and the EPA's practice of issuing such accounts has been reported
and documented to the National Archives and Records Administration (NARA) since 2008. This
practice is appropriate and commonplace within the federal government. The Administrator's
primary account, which is provided to the public, is rendered impractical because of the large
volume (over 1 million emails annually) of mail it receives from outside the agency. The EPA
actively monitors both the primary and secondary accounts, and ensures that all emails to either
type of account are properly reviewed for preservation under the Federal Records Act and
produced under the FOIA or other production obligation. The agency strongly believes that the
final report should more clearly reflect the very limited existence and use of this type of
secondary official email account.
The other types of "secondary" accounts discussed in the report are generally not accounts
assigned to or used by an individual employee for her day to day email communications. These
accounts are also used for practical purposes, such as sending out mass email notifications,
transmitting or receiving documents in support of special projects, or linking the email account
to a publicly available website of the agency to provide the public with a method to correspond
with the EPA. An example of this type of secondary account is the "contact us" email account for
the EPA's SunWise program. This account is used to answer questions from the public about the
SunWise program and is designated as SunWise Staff (sunwise@epa.gov). This type of
secondary account might be more clearly identified as a "group" account or "special purpose"
account. We strongly believe that the final report should make this distinction, and clarify the
draft report's conclusion that: "This practice is widely used within the agency and not limited to
senior officials." My office has no information that indicates the use of "secondary" day to day
government email accounts, such as the one used by the Administrator and which was the
subject of the Congressional inquiry, is widely used within the agency, and the draft report does
not include information to the contrary.
The use of both types of secondary accounts is authorized and appropriate, therefore, the agency
has not reprimanded, counseled, or taken administrative actions against personnel using the
accounts for conducting official government business. Use of secondary accounts does not alter
or interfere with the preservation requirements under the Federal Records Act or disclosure
requirements under the Freedom of Information Act and Congressional document requests.
Further, all agency-issued email accounts, including primary accounts and any type of secondary
accounts, are subject to the same current agency records policies and procedures for managing
records, both created and received on these accounts and are subject to the current agency
disclosure policies for responding to information requests. In addition, the report does not
indicate in the Scope and Methodology section that staff members who manage the
secondary official government account assigned to the Administrator were consulted during this
audit. I believe that these individuals may provide valuable additional information about existing
practices and procedures for capturing and producing records from these accounts to ensure the
agency complies with preservation and disclosure requirements.
Finally, while the agency agrees with many of the recommendations in the report, some of the
recommendations (specifically 3 and 4) go beyond the issue of "Private and Alias" email account
usage. As you can see from the information detailed above, these recommendations relate to
issues already identified and actively being addressed by the EPA's Office of Environmental
Information (OEI).
Our response to your recommendations is attached.
We look forward to discussing this report with you and to working with your office to improve
EPA's records management program. If you have any questions regarding this response, please
contact John Ellis, Agency Records Officer, of the Office of Information Collection/Collection
Strategies Division/Records and Content Management Branch on (202) 566-1643.
Attachment
cc: Vaughn Noga
Andrew Battin
Jeff Wells
John Moses
Erin Collard
John Ellis
Scott Dockum
Brenda Young
AGENCY'S RESPONSE TO RECOMMENDATIONS: OIG Report OA-FY13-113
Columns: No.; Draft Report Recommendation; Agency Response; Estimated Completion by Quarter and FY
1.	Draft Report Recommendation: Develop and implement records management policies and procedures regarding the use of private email accounts when conducting official government business. (page 11)
Agency Response: EPA issued an Interim Records Management Policy CIO-2155.2, on June 28, 2013 which strongly discourages the use of private non-EPA email accounts and instructs employees on the management and preservation of email messages sent from outside email systems if it were to occur. EPA has initiated a process to finalize Records Management Policy CIO-2155.2
Estimated Completion by Quarter and FY: Completed Q3 FY2013; In progress Q3 FY2014
2.	Draft Report Recommendation: Develop internal controls to ensure that all EPA employees and contractors complete training on their records management responsibilities. (page 11)
Agency Response: EPA developed mandatory records management training for all EPA staff, contractors and grantees. The training was deployed agencywide July 31, 2013 and is to be completed by September 30, 2013.
Estimated Completion by Quarter and FY: In progress - Q4 FY2013
3.	Draft Report Recommendation: Develop and implement internal controls to monitor and track completion of training for personnel with specific delegated duties and responsibilities outlined in the National Records Management Program (NRMP) guidance. (page 11)
Agency Response: Records Liaison Officers are required to obtain the NARA Certification in Federal Records Management. This training is tracked by NARA and periodically reported to the Agency Records Officers. Although this recommendation does not appear to specifically relate to private or secondary email accounts, the NRMP will request an updated report from NARA and follow-up with any RLO that has not received the certification. Non compliance will be reported to the management for appropriate action.
Estimated Completion by Quarter and FY: Q1 FY2014
4.	Draft Report Recommendation: Conduct outreach with all EPA offices to ensure that locally developed separation policies and procedures, as well as the associated employee separation checklist, include records management retention practices consistent with agency guidance. This should include ensuring that: a. Locations' out-processing procedures contain practices where notifications are sent to individuals with records management responsibilities in a timely manner to aid in capturing electronic records from separating employees. (page 11)
Agency Response: EPA's National Records Management Program, via the Quality and Information Council's agency-wide Records Workgroup, has been working with OARM to develop a consolidated employee separation and transfer procedure. Although this recommendation does not appear to specifically relate to private or secondary email accounts, the procedure will include a requirement that Records Liaison Officers, Records Contacts and Document Control Staff are notified 2 weeks in advance of an employee's separation, when possible. This will alert the staff with specific records management responsibilities to aid separating staff in capturing their records.
Estimated Completion by Quarter and FY: Q1 FY 2014
4.	Draft Report Recommendation: b. Locations include steps to have employees search for potential records residing within alias email accounts that the employee manages or on other electronic media devices within the employee's control. (page 11)
Agency Response: EPA's National Records Management Program, via the Quality and Information Council's agency-wide Records Workgroup, and OARM will include in the separation process and procedures, steps to have employees search for potential records residing within the secondary or group email accounts that the employee manages. A checklist will also be provided which will include all possible locations where records (paper and electronic) might be found.
Estimated Completion by Quarter and FY: Q1 FY 2014
4.	Draft Report Recommendation: c. Locations have special out-processing procedures that contain a method for collecting records from departing employees during the holiday season or times of limited staffing. (page 11)
Agency Response: Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA's National Records Management Program, via the Quality and Information Council's agency-wide Records Workgroup, and OARM will include in the separation procedure safeguards to ensure that separating employee information is captured during the holiday season and other times of limited staffing.
Estimated Completion by Quarter and FY: Q1 FY 2014
4.	Draft Report Recommendation: d. Locations update their locally developed out-processing checklist to ensure an area exists for where records managers can note their records management certifications as required by agency policy. (page 12)
Agency Response: Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA's National Records Management Program and OARM will include in the separation process and procedures an out-processing checklist to ensure an area exists for records managers to certify as required by policy.
Estimated Completion by Quarter and FY: Q1 FY2014
5.	Draft Report Recommendation: Establish a revised date for when the EPA will implement an electronic content management tool to capture email records within the agency's new email system. (page 12)
Agency Response: In addition to the Lotus Notes email records solution, which is already developed, an email records solution for MS Office 365 is under development. Although this recommendation does not appear to specifically relate to private or secondary email accounts, the EPA will deploy agency-wide the email records solution for both Lotus Notes and MS Office 365.
Estimated Completion by Quarter and FY: Q4 FY2013; Q1 FY2014

Columns: No.; Findings; Agency Explanation/Response; Proposed Alternative
1.	Findings: The report states that, "the previous EPA Administrator and current Acting EPA Administrator each had two EPA email accounts, one intended for messages from the public and one for communicating with select senior officials." (page 5) Further the report notes, "that the practice of assigning personnel access to multiple email accounts is widely practiced within the agency." (page 5)
Agency Explanation/Response: This statement does not recognize the distinction between secondary accounts used by EPA Administrators for a specific purpose, and secondary email accounts used for purposes such as sending out mass email notifications, transmitting or receiving documents in support of special projects, or linking the email account to an agency publicly available website to provide the public with a method to correspond with the EPA.
Proposed Alternative: Revise the report to recognize this distinction.
2.	Findings: The report states that "EPA had not developed or implemented policies or procedures regarding the preservation of email messages sent or received from private email systems." (page 6) Further, the report notes that [EPA], "...does not instruct employees on the management and preservation of email messages sent from outside email systems if it were to occur." (page 6)
Agency Explanation/Response: Please modify the statement to reflect the issuance of the EPA Interim Records Management Policy CIO-2155.2, on June 28, 2013 which strongly discourages the use of private non-EPA email accounts and instructs employees on the management and preservation of email messages sent from outside email systems if it were to occur. EPA has initiated the process to finalize EPA Records Management Policy CIO-2155.2
Proposed Alternative: Revise the report to indicate that EPA put in place policy and procedures and training regarding the proper management of email records sent from private accounts. In progress Q3 FY2014
Appendix B
Distribution
Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Principal Deputy Assistant Administrator for Environmental Information
Director, Office of Information Collection, Office of Environmental Information
Deputy Director, Office of Information Collection, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Environmental Information