^EDSr^
* A x>
\Wl
V pro^
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Information Technology
EPA Lacks Processes
to Validate Whether
Contractors Receive
Specialized Role-Based
Training for Network
and Data Protection
Report No. 17-P-0344
July 31, 2017

-------
Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Eric K. Jackson, Jr.
Scott Sammons
Abbreviations
CIO
Chief Information Officer
COR
Contracting Officer's Representative
COTR
Contracting Officer Technical Representative
EPA
U.S. Environmental Protection Agency
FISMA
Federal Information Security Modernization Act
FY
Fiscal Year
IT
Information Technology
OAM
Office of Acquisition Management
OARM
Office of Administration and Resources Management
OEI
Office of Environmental Information
OIG
Office of Inspector General
OMB
Office of Management and Budget
Cover photos: OIG-created photo collage compiled from EPA photos.
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

-------
July 31, 2017
x^fcD S?/w
• U.S. Environmental Protection Agency	17-P-0344
	 % Office of Inspector General
® I
At a Glance
Why We Did This Review
The U.S. Environmental
Protection Agency (EPA),
Office of Inspector General
(OIG), conducted this audit to
determine what processes the
EPA uses to verify that agency
contractors with significant
information system security
responsibilities meet
established specialized
training duties.
Role-based training is
continuous education that
improves current knowledge,
skills and abilities for particular
job functions. Under the Chief
Information Officer's Federal
Information Security
Modernization Act (FISMA)
Metrics, agencies are
responsible for identifying and
reporting specialized security
training, such as role-based
training, for all personnel
(including contractors) with
significant information security
responsibilities.
This report addresses the
following EPA goal or
cross-agency strategy:
• Embracing EPA as a high-
performing organization.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oia.
Listing of OIG reports.
EPA Lacks Processes to Validate Whether
Contractors Receive Specialized Role-Based
Training for Network and Data Protection
What We Found
The EPA is unaware of the number of agency
contractors who have significant information security
responsibilities and require role-based training. This
is attributed to the following factors:
•	EPA personnel overseeing contractors are not
aware of contractor role-based training
requirements.
•	The agency has not included role-based training
requirements in all awarded contracts.
The EPA is unaware
whether information
security contractors
possess the skills and
training needed to
protect the agency's
information, data and
network from security
breaches.
• The EPA lacks a process to track and report contractors' role-based training.
In addition, the EPA did not report contractor training status in its fiscal years
2015 and 2016 Chief Information Officer's Annual FISMA reports submitted to
the Office of Management and Budget. FISMA guidance requires agencies to
train and oversee personnel (including contractors) who have significant
responsibilities for information security, and report on the effectiveness of the
information security program.
Insufficient awareness, contract requirements, and oversight of role-based
training increase the risk that EPA contractors may lack the knowledge or skills
necessary to protect the agency from cyberattacks. The agency also has
insufficient information to manage risks to its data and network.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Administration and
Resources Management update the EPA Acquisition Guide to include the newly
developed cybersecurity contract clauses that agency personnel must include in
all EPA contracts, and include the cybersecurity contract clauses in all existing
and future information technology contracts. We also recommend that the Office
of Environmental Information implement a process for agency personnel to
maintain a listing of contractor personnel required to take role-based training and
report this information in the Chief Information Officer's Annual FISMA reports.
The agency concurred with our recommendations and provided planned
corrective actions with estimated completion dates. One recommendation has
been resolved with corrective action completed. All remaining recommendations
are resolved with corrective actions pending.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
July 31, 2017
MEMORANDUM
SUBJECT: EPA Lacks Processes to Validate Whether Contractors Receive Specialized
Role-Based Training for Network and Data Protection
Report No. 17-P-034"
FROM: Arthur A. Elkins Jr.
TO:
Steven Fine, Acting Assistant Administrator and Chief Information Officer
Office of Environmental Information
Donna J. Vizian, Acting Assistant Administrator
Office of Administration and Resources Management
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S.
Environmental Protection Agency (EPA). The project number for this audit was OA-FY16-0104. This
report contains findings that describe the problems the OIG has identified and corrective actions the OIG
recommends. This report represents the opinion of the OIG and does not necessarily represent the final
EPA position.
Action Required
You are not required to provide a written response to this final report. We consider all recommendations
resolved. Should you choose to provide a final response, we will post your response on the OIG's public
website, along with our memorandum commenting on your response. Your response should be provided
as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the
Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want
to be released to the public; if your response contains such data, you should identify the data for
redaction or removal along with corresponding justification.
We will post this report to our website at www.epa.gov/oig.

-------
EPA Lacks Processes to Validate Whether	17-P-0344
Contractors Receive Specialized Role-Based
Training for Network and Data Protection
		Table of C	
Purpose		1
Background		1
Responsible Offices		1
Federal and EPA Guidance		2
Scope and Methodology		2
Results of Audit		4
EPA Does Not Monitor Contract Personnel Who Have Significant
Information Security Responsibilities		5
EPA Has Not Consistently Included Requirements for Contract
Personnel to Complete Role-Based Training		6
EPA Has Not Implemented an Oversight Process to Track and Report
Contractor Compliance With Role-Based Training		7
Conclusion		7
Recommendations		8
Agency's Response and OIG Evaluation		9
Status of Recommendations and Potential Monetary Benefits		11
Appendices
A OARM's Response to Draft Report Recommendations		12
B OARM's Updated High-Level Corrective Action Plan		16
C OEI's Response to Draft Report Recommendations		24
D OEI's Updated High-Level Corrective Action Plan		26
E Distribution		28

-------
Purpose
The Office of Inspector General (OIG) for the U.S. Environmental Protection
Agency (EPA) conducted this audit to determine what processes the EPA uses to
verify that agency contractors with significant information system security
responsibilities meet established specialized training requirements.
Background
Under the Chief Information Officer's Federal
Information Security Modernization Act (FISMA)
Metrics, agencies are responsible for identifying
and reporting specialized security training, such as
role-based training, for all personnel (including
contractors) with significant information security
responsibilities.
System administrators and network engineers are examples of positions that
require an individual to perform significant information security responsibilities.
Role-based training for a system administrator may include tutorials on
performing configuration changes on an application or system, or reviewing
system logs to detect suspicious activity. Role-based training for a network
engineer may include tutorials on establishing firewall rules, or that highlight the
consequences of not implementing security controls.
On March 10, 2016, the EPA had obligated $546,470,844 for 688 information
technology (IT) contract task orders. These IT contracts include various
operational IT and telecommunication services, as well as IT equipment.
Many of the positions included in these contracts require contractors to
perform duties requiring specialized training.
Responsible Offices
The Office of Information Security and Privacy, within the Office of
Environmental Information, is responsible for managing the EPA's information
security training program. This office is also responsible for tracking and
reporting the training status of personnel (including contract employees) who
have significant information security responsibilities and are required to take
role-based training. The Office of Acquisition Management, within the Office of
Administration and Resources Management, is responsible for planning and
administering contracts for the agency. Contracting Officer's Representatives
(CORs) and Contracting Officer Technical Representatives (COTRs) from all
EPA offices are responsible for monitoring contracts to verify that all
requirements are being met.
Role-based training is
role-specific training
for an individual based
on their functional job
and responsibilities.
17-P-0344
1

-------
Federal and EPA Guidance
Office of Management and Budget (OMB) Circular No. A-130, Managing
Information as a Strategic Resource, Appendix I, requires agencies to provide
role-based training to employees and contractors who perform assigned security
duties.
The U.S. Department of Homeland Security's Chief Information Officer's
FISMA Metrics require federal agencies to annually report the number of network
users and other staff who have significant information security responsibilities
and successfully completed role-based training.
The EPA's guidance is outlined in Chief Information Officer (CIO) 2150-P-02.2,
Information Security-Awareness and Training Procedures, which was approved
February 16, 2016. Provisions pertaining to role-based security training include
the following requirements:
•	EPA personnel, contractors or others working on behalf of the
EPA, and who have significant security responsibilities shall
receive initial specialized training and annual refresher training
specific to their security responsibilities.
•	Service managers, in coordination with EPA officers and officials, shall
verify that service providers develop and maintain role-based training,
education and credentialing requirements to confirm that "contractors
designated as having significant information security responsibilities
receive adequate training with respect to such responsibilities."
•	EPA Information Security Officers shall "identify all individuals
requiring role-based security-related training within their
respective program offices or regions."
•	"Training or instruction for contractors should be identified or
described" in the statement of work or the performance work
statement.
Scope and Methodology
We performed our audit from March 2016 through April 2017. We conducted this
performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our findings and conclusions based on our audit
objectives.
17-P-0344
2

-------
We reviewed federal and EPA criteria related
to our objective. We assessed a judgmentally
selected sample of five IT contracts from the
EPA's 688 IT contracts valued at approximately
$546.5 million on March 10, 2016. Table 1
shows the five IT contracts we reviewed, which
are valued at $165.6 million.
Table 1: EPA contracts reviewed
Contract
number
Responsible
office
Purpose
Amount
1
Office of
Environmental
Information
Custom application management
contract at the EPA's National
Computer Center
$71,148,530
2
Office of
Environmental
Information
IT hosting services at the EPA's
National Computer Center
$45,917,563
3
Office of
Environmental
Information
General IT contract for active
directory services, desktop
applications, security partitioning,
remote access and other
services
$36,284,637
4
Office of
Administration
and Resources
Management
Operation and maintenance
support for the EPA Acquisition
System
$8,054,699
5
EPA Region 6
IT service and support for
EPA Region 6
$4,207,700
Value of contract task orders reviewed
$165.6 million
Source: EPA-compiled data.
We also performed the following activities:
•	Determined whether the contract language requires contractors with
significant information system security responsibilities to complete
specialized role-based training on a periodic basis.
•	Interviewed CORs and a COTR to obtain additional information on the
requirement for roles and duties of the contractors, and whether those
contractors should have completed specialized role-based training for
individuals with significant information security responsibilities.
•	Interviewed EPA management responsible for tracking and reporting the
training status of EPA employees and contractors who have significant
information security responsibilities, and are required to complete
specialized role-based training.
There were no prior audit recommendations for the OIG to do follow-up.
Sixty-nine (10 percent) of the
EPA's 688 IT contract task
orders are each greater than
$1 million. The 69 contracts
also make up 92 percent
($500.5 million) of all monies
obligated for IT contracts.
17-P-0344
3

-------
Results of Audit
The EPA is unaware of the number of contractors who have significant
information security responsibilities and require role-based training. As noted in
Figure 1, our analysis of the five reviewed IT contracts valued at $165.6 million
disclosed that four of the five reviewed contracts had contractor personnel who
performed duties with significant information security responsibilities and were
required to complete role-based training.
Only one of the four
contracts with contractor
personnel who had
significant information
security responsibilities
contained language
requiring those individuals
to complete role-based
training. That contract was
valued at $4.2 million. The
remaining three contracts
(valued at $153.4 million)
did not contain such
language.
Furthermore, the EPA
did not report contractor
training status in its fiscal
year (FY) 2015 CIO
Annual FISMA Report
submitted to OMB. During
our FY 2016 FISMA audit,
we confirmed the agency
still had not collected or
reported data for FY 2016.
Federal law and EPA guidance require employees and contractors to complete
role-based training. FISMA requires agencies to train and oversee personnel
(including contractors) with significant responsibilities for information security,
and to report to the agency head on the effectiveness of the information security
program. FY 2015 and FY 2016 CIO FISMA Metrics issued by the U.S.
Department of Homeland Security required federal agencies to report to OMB the
number of network users and other staff who have significant information security
responsibilities. Agencies were also required to report the number of users who
have successfully completed role-based training.
Figure 1: Analysis of five IT contracts reviewed
for role-based training requirements
Contract values in millions
$4.2
¦	No training required
¦	Did not contain training requirements
~ Contained training requirements
Source: Information compiled by the EPAOIG.
17-P-0344
4

-------
The EPA lacks internal controls to know how many contractors require role-based
training. In part, this is attributed to the following:
•	EPA personnel overseeing contractors are not aware of contractor role-
based training requirements.
•	The agency has not included role-based training requirements in all
awarded contracts.
•	The EPA has not implemented an oversight process to track and report
contractor compliance with role-based training.
As a result, EPA management lacks the necessary data to make risk-based
decisions about the capabilities of its contractor workforce charged with
protecting the confidentiality, integrity and availability of the agency's network
and data.
EPA Does Not Monitor Contract Personnel Who Have Significant
Information Security Responsibilities
The agency's CORs are responsible for managing four of the five sampled IT
contracts, but they could not accurately identify the number of contractor
employees associated with the contracts and task orders, or individuals who have
significant information security responsibilities. Three CORs stated that to their
knowledge, contractors performing significant information security duties on
those contracts are not completing the required annual role-based training. One
of these CORs was unaware that role-based training was required for contractors
who have significant information security responsibilities. This COR believed the
training was only required for federal employees. Only one COTR ensured that
contract personnel completed role-based training.
The EPA Acquisition Guide provides the agency with guidance for acquiring
goods and services. Our review of this guidance found that it lacks requirements
related to tracking, monitoring and reporting on the status of contractors with
significant information security responsibilities who have completed required
specialized training.
We also contacted Information Security Officers from two EPA program offices.
Information Security Officers are responsible for identifying contract personnel
required to take role-based training, and we asked the officers what steps EPA
program offices took to verify contractors completed the required training.
Information Security Officers indicated that role-based training is targeted to
federal employees. According to the officers, they do not track contractors, even
though officers are required to identify all individuals requiring role-based
security-related training within their respective program offices or regions as
prescribed in CIO 2150-P-02.2, Information Security-Awareness and Training
Procedures.
17-P-0344
5

-------
After the release of our draft report, Office of Acquisition Management (OAM)
officials indicated that they developed Interim Policy Notice # 17-01, Use of 22
Cybersecurity Tasks, which identifies 22 cybersecurity tasks that are to be
included in existing and new performance work statements and statements of
work. One cybersecurity task requires the contractor to ensure that contractor
personnel with significant information security responsibilities complete
specialized information security training based on the requirements defined in the
EPA's role-based training program.
EPA Has Not Consistently Included Requirements for Contract
Personnel to Complete Role-Based Training
We learned from an EPA official that, as of the beginning of FY 2017, the agency
has developed standard information security contract clauses to require
contractors to comply with federal and EPA information security requirements,
including requirements to complete role-based training. The EPA official stated
that the agency is in the process of reviewing all new FY 2017 contracts to verify
that new contracts contain the clauses. However, the official said no milestone
dates have been established to review existing contracts for the inclusion of the
clauses.
Our analysis revealed that four of the five IT contracts in our sample included
positions requiring an individual to perform significant information security
responsibilities, such as system administrators and privileged users. As noted in
Figure 1, only one of the four contracts contained language requiring contractors
to complete role-based training.
In December 2016, OAM officials indicated that they developed Interim Policy
Notice # 17-01. The policy states that the EPA's Office of Environmental
Information (OEI) is responsible for including any of the 22 subject tasks as
necessary in its new statements of work and performance work statements.
OEI must also coordinate with OAM to process any necessary resultant
contract/solicitation modifications or amendments that OAM makes. The policy
further states that CORs who do not work in OEI should seek assistance from OEI
when choosing which, if any, of the 22 subject tasks must be added or included in
the COR's performance work statement or statement of work.
In June 2017, OEI notified EPA program and regional offices that any offices
requesting IT products or services would have to complete a checklist that
includes the 22 cybersecurity tasks when submitting procurement requests.
OEI further indicated that after June 30, 2017, OAM will no longer accept any
procurement requests that do not include this checklist.
17-P-0344
6

-------
EPA Has Not Implemented an Oversight Process to Track and Report
Contractor Compliance With Role-Based Training
OEI is responsible for overseeing the agency's information security program, but
the office is not aware of the status of contractors who have completed role-based
training because the office has not established a process to track and report this
data. CIO 2150-P-02.2, Information Security-Awareness and Training
Procedures requires the CIO to ensure that role-based security training is
completed by agency personnel, and that effective tracking and reporting
mechanisms are in place.
An EPA official indicated that currently the agency only tracks and reports
information on whether EPA federal employees with significant information
security responsibilities have completed role-based training. The EPA official
stated that there were no plans to track and report the status of role-based training
for contractors because the agency was unaware of any requirement to report this
as part of its CIO FISMA data submission to OMB.
The agency official indicated that CIO FISMA Metrics did not specifically
require reporting this data for contract employees. However, our review of the
FY 2016 CIO FISMA Metrics revealed that personnel with significant
information security responsibilities is defined in the following manner: "Those
with significant security responsibilities include administrators and users with
privileged network accounts and those that affect security."
The FY 2016 CIO FISMA Metrics contain the following definition of a privileged
network:
A network account with elevated privileges, which is typically
allocated to system administrators, network administrators, and
others who are responsible for system/application control,
monitoring, or administration functions.
Our analysis revealed that four of the five sampled IT contracts contained
positions that require an individual to perform significant information security
responsibilities, such as system administrators and privileged users. Given that
these contractors have system access that would enable them to bypass security
controls designed to detect malicious or suspicious activities on EPA systems, the
agency should have included contractors with privilege accounts in its FISMA
data reported to OMB.
Conclusion
Periodic role-based training provides the EPA with a mechanism to enhance the
technical knowledge and skills of its workforce, who perform significant
information security duties. These duties help to protect the EPA's security
17-P-0344
7

-------
infrastructure for environmental applications, including those applications
developed and managed by contractors. Without consistently developing
contractor employees' specialized skills in positions to combat ever-increasing
cyberattacks, EPA applications are more likely to be compromised by a security
breach where personally identifiable and other information could be lost or
altered. This could lead to compromised identities, or the potential for
environmental data used to protect and improve human health and the
environment being altered or erased.
By not tracking and reporting the training status of contractors with significant
information security responsibilities, the EPA does not have an accurate
assessment of its information security workforce, and cannot accurately plan and
budget for remediating security risks.
Recommendations
We recommend that the Assistant Administrator for Administration and
Resources Management:
1.	Update the EPA Acquisition Guide to include cybersecurity tasks
contained in Interim Policy Notice # 17-01, Use of 22 Cybersecurity Tasks
(December 2016).
2.	Develop and implement a strategy to include the information security
contract clause requiring contractors to complete role-based training into
all existing and future information technology contracts and task orders.
We recommend that the Assistant Administrator for Environmental Information
and Chief Information Officer:
3.	Work with the Assistant Administrator for Administration and
Resources Management to implement a process that requires appropriate
agency personnel to maintain a listing of contractor personnel who have
significant information security responsibilities and are required to take
role-based training. This process should require appropriate agency
personnel to validate and report to the Chief Information Security Officer
that all relevant contractor personnel have completed role-based training.
4.	Include the number of contractors who have significant information
security responsibilities and have completed the required role-based
training in the Chief Information Officer's Annual Federal Information
Security Modernization Act reports submitted to the Office of
Management and Budget.
17-P-0344
8

-------
Agency's Response and OIG Evaluation
The EPA's Office of Administration and Resources Management disagreed that
it should implement Recommendation 1, and indicated that OEI should be
responsible for implementing the recommendation. However, EPA policy places
responsibility for the acquisition process with OAM. We noted that after the
release of our draft report, OAM developed a new interim policy that identified
22 cybersecurity tasks that agency personnel must be aware of and include in all
agency contracts. As such, we revised Recommendation 1 to request that the
Office of Administration and Resources Management update the EPA Acquisition
Guide to include the interim policy. OAM concurred with the revised
Recommendation 1 and provided a planned corrective action with a milestone
date of October 31, 2019. Recommendation 1 is resolved pending completion of
the corrective plan.
OAM agreed with Recommendation 2 and further indicated that it has developed
an interim policy that contains tasks for the contractor to complete to ensure that
contractor personnel with significant information security responsibilities
complete specialized information security training based on the requirements
defined in the EPA role-based training program. OEI further distributed these
cybersecurity tasks to agency officials. OEI provided a planned corrective action
with a milestone date of June 30, 2017 for Recommendation 2. The
recommendation is resolved and closed with corrective action completed.
OEI disagreed, in part, with Recommendation 3. The agency indicated that
additional personnel outside of OEI have responsibility for tracking and validating
whether contractors with significant information security have completed role-
based training. OEI agreed that it should develop a process to confirm all required
training has been performed. We noted that EPA policy holds the CIO responsible
for ensuring the completion of role-based security training, and for ensuring that
tracking and reporting mechanisms are in place. While the CIO may collaborate
with other EPA offices, the CIO remains ultimately responsible for executing
these functions. We revised Recommendation 3 to include language that states
appropriate agency personnel should maintain a listing of contractor personnel
who have significant information security responsibilities required to take role-
based training, and to validate and report this information to the Senior Agency
Information Security Officer.
The agency requested that we further revise Recommendation 3 to include
working with the Office of Administration and Resources Management
to develop this process, and that the information derived from this new process
should be reported directly to the Chief Information Security Officer. As such, we
revised Recommendation 3 to incorporate the suggested language. OEI provided a
planned corrective action with a milestone date of December 31, 2018.
Recommendation 3 is resolved pending completion of the corrective plan.
17-P-0344
9

-------
OEI agreed with Recommendation 4 and provided a planned corrective action
with a milestone date of September 30, 2017. Recommendation 4 is resolved
pending completion of the corrective plan.
17-P-0344
10

-------
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS






Potential





Planned
Monetary
Rec.
Page



Completion
Benefits
No.
No.
Subject
Status1
Action Official
Date
(in $000s)
Update the EPA Acquisition Guide to include cybersecurity
tasks contained in Interim Policy Notice # 17-01, Use of 22
Cybersecurity Tasks (December 2016).
Assistant Administrator for
Administration and
Resources Management
10/31/19
Develop and implement a strategy to include the information
security contract clause requiring contractors to complete
role-based training into all existing and future information
technology contracts and task orders.
Assistant Administrator for
Administration and
Resources Management
6/30/17
Work with the Assistant Administrator for Administration
and Resources Management to implement a process that
requires appropriate agency personnel to maintain a listing of
contractor personnel who have significant information security
responsibilities and are required to take role-based training. This
process should require appropriate agency personnel to validate
and report to the Chief Information Security Officer that all
relevant contractor personnel have completed role-based
training.
Include the number of contractors who have significant
information security responsibilities and have completed the
required role-based training in the Chief Information Officer's
Annual Federal Information Security Modernization Act reports
submitted to the Office of Management and Budget.
Assistant Administrator
for Environmental
Information and Chief
Information Officer
12/31/18
Assistant Administrator
for Environmental
Information and Chief
Information Officer
9/30/17
C = Corrective action completed.
R = Recommendation resolved with corrective actions pending.
U = Recommendation unresolved with resolution efforts in progress.
17-P-0344
11

-------
Appendix A
I £ \
i2B/
V ^
PR0^°
man,
[May 18, 2017]
OARM's Response to Draft Report Recommendations
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Report No. OA-FY16-0104, "EPA
Does Not Track Contractors Required to Take Role-Based Trainingdated April
19, 2017
FROM: Donna Vizian, Acting Assistant Administrator
TO:	Arthur A. Elkins, Jr., Inspector General
Office of Inspector General
Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report. Following is a summary of the Office of Administration and Resources Management's
overall position, along with its position on each of the report recommendations to the OARM.
OARM'S OVERALL POSITION:
Overall, the agency concurs with the findings and recommendations of this report.
O ARM's RESPONSE TO REPORT RECOMMENDATIONS #1 AND #2:
Agreements
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20480
OFFICE OF
No.
Recommendation
Agency Explanation/Response
Completion Date
1
Require contracting
officer's representatives and
contracting officer technical
The EPA's Chief Information
Officer 2150-P-02.2,
Information Security-
12/31/2017
17-P-0344
12

-------
No.
Recommendation
Agency Explanation/Response
Completion Date

representatives to confirm
that contractors who have
significant information
security responsibilities
have completed the required
role-based training in
accordance with federal and
EPA policy and procedures.
Awareness and Training
Procedures, in addressing role-
based security training for all
information systems state:
" The SAISO, in coordination with
SOs, ISOs, IMOs, IOs, Managers
and Supervisors, for EPA-operated
systems, shall; and SMs, in
coordination with the SAISO, IOs,
ISOs and IMOs, for systems
operated on behalf of the EPA,
shall ensure service providers:
Develop and maintain role based
training, education and
credentialing requirements to
ensure EPA employees and
contractors designated as having
significant information security
responsibilities receive adequate
training with respect to such
responsibilities. "
It appears that the Office of
Environmental Information
would have the primary role in
the implementing this
recommendation.
To the extent it is determined
that the EPA, under any given
contract and as identified by the
program or technical
requisitioner, requires that
contractor personnel with
elevated access must be
provided specialized security
training, such as role-based
training, and that such
requirement is identified or
described in the contract
statement of work or
performance work statement,
the Office of Administration and
Resources Management/Office
of Acquisition Management will
require the contracting officer's
representative (which include

17-P-0344
13

-------
No.
Recommendation
Agency Explanation/Response
Completion Date


contracting officer's technical
representative) to confirm that
contractor personnel who have
significant information security
responsibilities have completed
the required role-based training
in accordance with federal and
EPA policy and procedures.
It is contemplated that this
confirmation will be obtained
from the COR periodically, and
no less than annually.
The OARM/OAM will also
ensure that the CORs
appointment memorandum for
contract CORs where such a
requirement is present in the
contract, explicitly include the
responsibility to monitor and
report on the required
completion of role-based
training by contractor personnel.

2
Develop a strategy to
include the information
security contract clause
requiring contractors to
complete role-based training
into all existing and future
information technology
contracts and task orders.
The OARM/OAM concurs with
the development of a strategy to
include the proper clause(s) in
existing and future contracts,
not just IT contracts, but all
contracts to which this would
apply. For example, a mission
support contract under which
some IT services are provided
may need to have the clauses
also.
The OARM/OAM will
collaborate with the OEI and
other agency personnel with IT
expertise in the development of
this strategy.
12/31/2017
17-P-0344
14

-------
No.
Recommendation
Agency Explanation/Response | Completion Date
CONTACT INFORMATION. If you have any questions regarding this response, please contact
Celia Vaughn, Chief of Staff, Office of Acquisition Management, at 202-564-1047.
17-P-0344
15

-------
Appendix B
^tDSrx
/ £ \
i2B/
V	ro°
^ PR0^°
MAN,
[June 19, 2017]
OARM's Updated High-Level Corrective Action Plan
High-Level Corrective Action Plan as of June 19, 2017:
OARM's RESPONSE TO REPORT RECOMMENDATIONS #1 AND #2:
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C, 20480
OFFICE OF
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date
1
Require contracting
The EPA's Chief
Update the EPA's
OAM does not feel
October 31,

officer's
Information Officer 2150-
Acquisition Guide,
comfortable setting
2019

representatives and
P-02.2, Information
to include the
any date for this


contracting officer
Security-Awareness and
Interim Policy
Interim Policy


technical
Training Procedures, in
Notice #17-01
Notice (IPN) # 17-


representatives to
addressing role-based
Use of 22
01-Use of22


confirm that
security training for all
Cybersecurity Tasks
Cybersecurity Tasks


contractors who have
information systems state:
(December 2016)
(December 2016),


significant
" The SAISO, in

because this is really


information security
coordination with SOs,

an OMB


responsibilities have
ISOs, IMOs, IOs,

initiative. EPA, in


completed the
Managers and

being proactive,


required role-based
Supervisors, for EPA-

developed/prepared


training in
operated systems, shall;

the IPN as official


accordance with
and SMs, in coordination

agency acquisition


federal and EPA
with the SAISO, IOs, ISOs

policy to be


policy and
and IMOs, for systems

followed. With that


procedures.
operated on behalf of the
EPA, shall ensure service
providers: Develop and
maintain role based
training, education and

said, an estimated
milestone date
would be October
31,2019. This is
contingent upon the:

17-P-0344
16

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date


credentialing requirements
to ensure EPA employees
and contractors
designated as having
significant information
security responsibilities
receive adequate training
with respect to such
responsibilities."
It appears that the Office
of Environmental
Information would have
the primary role in the
implementing this
recommendation.
To the extent it is
determined that the EPA,
under any given contract
and as identified by the
program or technical
requisitioner, requires that
contractor personnel with
elevated access must be
provided specialized
security training, such as
role-based training, and
that such requirement is
identified or described in
the contract statement of
work or performance work
statement, the Office of
Administration and
Resources
Management/Office of
Acquisition Management
will require the contracting
officer's representative
(which include
contracting officer's
technical representative) to
confirm that contractor
personnel who have
significant information
security responsibilities
have completed the

1)	use of the tasks in
solicitations and the
receipt of
comments/feedback
from the vendor
communities; and/or
2)	OMB's release of
cybersecurity
clauses via FAR
(FAC-xx).

17-P-0344
17

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date


required role-based
training in accordance
with federal and EPA
policy and procedures.
It is contemplated that this
confirmation will be
obtained from the COR
periodically, and no less
than annually.
The OARM/OAM will
also ensure that the CORs
appointment memorandum
for contract CORs where
such a requirement is
present in the contract,
explicitly include the
responsibility to monitor
and report on the required
completion of role-based
training by contractor
personnel.



2
Develop a strategy to
include the
information security
contract clause
requiring contractors
to complete role-
based training into
all existing and
future information
technology contracts
and task orders
The OARM/OAM concurs
with the development of a
strategy to include the
proper clause(s) in existing
and future contracts, not
just IT contracts, but all
contracts to which this
would apply. For example,
a mission support contract
under which some IT
services are provided may
need to have the clauses
also.
The OARM/OAM will
collaborate with the OEI
and other agency
personnel with IT
expertise in the
development of this
strategy.
Develop and
implement a
strategy to include
the information
security contract
clause requiring
contractors to
complete role-based
training into all
existing and future
information
technology contracts
and task orders
It is noted that OAM
issued Interim
Policy Notice (IPN)
# 17-01 - Use of 22
Cybersecurity Tasks
(December 2016) &
addressed
specialized
information security
training for staff
with significant
security
responsibilities,
https: //oamintra. era.
ao v/node/8 ? q =node/
158
The IPN 17-01
established policy
regarding the use of
cybersecurity tasks
and states:
06/30/2017
17-P-0344
18

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date




"(a) In accordance
with Deputy
Director Cobert's
guidance, the
Offices of
Environmental
Information (OEI)
and Acquisition
Management
(OAM) must
collaborate to
provide expertise for
recommending any
contract changes or
solicitation changes
for new
procurements, or
any changes to
existing PWSs or
SOWs to
incorporate the 22
subject
cybersecurity tasks
as necessary.
(b)	OEI, as the
Agency's
cybersecurity
technical experts, is
responsible for
including any of the
22 subject tasks as
necessary in its new
SOWs and PWSs,
and coordinating
with OAM in
processing any
necessary resultant
contract/solicitation
modifications or
amendments that
OAM makes.
(c)	Contracting
Officer's
Representatives
(CORs) who do not
work in OEI should
seek assistance

17-P-0344
19

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date




from OEIwhen
choosing which if
any of the subject
22 tasks must be
added or included
in the COR's PWS
or SOW. A COR
may want to include
an OEI
representative as a
cybersecurity
consultant on the
advanced
procurement plan
(APP) team for new
requirements for
information
systems."
Task H -
Specialized
Information Security
Training for Staff
with Significant
Security
Responsibilities
addresses
contractor
requirements when
tasked with such
responsibilities as
follows:
"(a) The Contractor
must ensure that
Contractor
personnel with
significant
information security
responsibilities
complete specialized
information security
training based on
the requirements
defined in the EPA
role-based training
program (program
provided after
Contract award).

17-P-0344
20

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date




The objective of the
information security
role-based training
is to develop an EPA
information security
workforce with a
common
understanding of the
concepts, principles,
and applications of
information security
to ensure the
confidentiality,
integrity and
availability of EPA's
information and
information systems.
The Contractor is
required to report
training completed
to ensure
competencies are
addressed. The
Contractor must
ensure employee
training hours are
satisfied in
accordance with
EPA Security and
Privacy Training
Standards (provided
after Contract
award). The
Contracting
Officer's
Representative
(COR) will provide
additional
information for
specialized
information security
training based on
the requirements in
paragraph (b).
(b) The following
role-based

17-P-0344
21

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date




requirements are
provided:
[Program office
adds role-based
requirements;
otherwise write
"none " or "not
applicable "]
(c)	The Contractor
must ensure that all
IT and Information
Security personnel
receive the
necessary technical
(for example,
operating system,
network, security
management, and
system
administration) and
security training to
carry out their
duties and maintain
certifications.
(d)	The Contractor
agrees to insert in
each subcontract or
consultant
agreement placed
hereunder,
provisions which
shall conform
substantially to the
language of this
requirement,
including this
paragraph, unless
otherwise authorized
by the Contracting
Officer. "
As confirmed by the
OIG, corrective
action is satisfied by
the collaborative
actions already
taken by OAM and

17-P-0344
22

-------
No.
Recommendation
Agency Response
Revised
Recommendation
Agency Response
Planned
Milestone
Date




OEI in developing,
distributing and
requiring the 22
Cybersecurity
Tasks. Any contract
changes or
solicitation changes
for new
procurements, or
any changes to
existing PWSs or
SOWs must
incorporate the 22
subject
cybersecurity tasks,
if any when
applicable, and as
necessary, for
procurement
requests initiated
after June 30, 2017.

17-P-0344
23

-------
Appendix C
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20480
OFFICE OF
ENVIRONMENTAL
INFORMATION
[May 19, 2017]
OEI's Response to Draft Report Recommendations
MEMORANDUM
SUBJECT: Revised Response to Office of Inspector General Draft Report No. OA-FY16-
0104 "EPA Does Not Track Contractors Required to Take Role-Based Training
Dated April 19, 2017
FROM: Steven Fine,
Acting Chief Information Officer
TO:	Arthur A. Elkins, Jr.
Inspector General
Thank you for the opportunity to respond to the issues and recommendations in the subject audit
report. Following is a summary of the Office of Environmental Information's (OEI) overall
position, along with its position on each of the report recommendations to OEI.
OEI'S OVERALL POSITION:
The agency agrees with the recommendations, with some points of clarification.
OEI'S RESPONSE TO REPORT RECOMMENDATIONS #3 AND #4:
No.
Recommendation
Agency Explanation/Response
Completion Date
3
Implement a process that
requires appropriate Agency
personnel to maintain a
OEI agrees with the revised
recommendation, with a few
clarifications. First, we would
12/31/2018
17-P-0344
24

-------
No.
Recommendation
Agency Explanation/Response
Completion Date

listing of contractor
personnel who have
significant information
security responsibilities
required to take role-based
training. This process
should require appropriate
Agency personnel to
validate and report to the
Senior Agency Information
Security Officer that all
relevant contractor
personnel have completed
role-based training.
ask that the recommendation be
changed from "Implement a
process" to state that "OEI will
work with the Assistant
Administrator for
Administration and Resources
Management to implement a
process." This may require
actions from Contracting
Officer Representatives and
would necessitate coordination
with OARM. Second, OEI
would attest that Agency
personnel should respond to the
Chief Information Security
Officer, not the SAISO, that all
relevant contractor personnel
have completed role-based
training.

4
Include the number of
contractors who have
significant information
security responsibilities and
have completed the required
role-based training in the
EPA's Federal Information
Security Modernization Act
reports submitted to the
Office of Management and
Budget.
OEI agrees in part that based
upon a recent change in A-130,
Appendix I, this requirement
can be met by the end of FY 17.
9/30/2017
CONTACT INFORMATION. If you have any questions regarding this response, please contact
Carrie Hallum, OEI's Audit Follow Up Coordinator, at 202-566-1274.
cc: Carrie Hallum
Robert McKinney
Sean Kelly
Ken Schifter
Renee Gutshall
Karen Maher
17-P-0344
25

-------
Appendix D
^	\	UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
I	o
% V\l/y *	WASHINGTON, D.C. 20460
PRO^°
OFFICE OF
ENVIRONMENTAL
INFORMATION
[June 19, 2017]
OE/'s Updated High-Level Corrective Action Plan
High-Level Corrective Action Plan as of June 19, 2017:
OEI's RESPONSE TO REPORT RECOMMENDATIONS #3 AND #4:
Recommendation
Agency
Revised
Agency Response
Planned

Response
Recommendation

Milestone
Date
3 .Implement a
We disagree to
Implement a
OEI agrees with the
12/31/2018
process to maintain a
some extent. It is
process that
revised

listing of agency
the responsibility
requires
recommendation,

contractor personnel
of the COR to
appropriate
with a few

who have significant
inform the ISO of
Agency personnel
clarifications. First,

information security
the contractor
to maintain a
we would ask that the

responsibilities that
personnel that
listing of
recommendation be

require role based
require privilege
contractor
changed from

training, and validate
access, that
personnel who
"Implement a

that all relevant
person also
have significant
process" to state that

contractor personnel
initiates the
information
"OEI will work with

have completed the
documentation
security
the Assistant

required role-based
for the person to
responsibilities
Administrator for

training.
have privilege
required to take
Administration and


access. The IMO
role-based
Resources


also validates the
training. This
Management to


documentation to
process should
implement a


ensure that the
require appropriate
process." This may


person has
Agency personnel
require actions from

17-P-0344
26

-------
Recommendation
Agency
Revised
Agency Response
Planned

Response
Recommendation

Milestone
Date

completed the
to validate and
Contracting Officer


training and signs
report to the
Representatives and


the RoB. The ISO
Senior Agency
would necessitate


and System
Information
coordination with


Owner have
Security Officer
OARM. Second, OEI


"Line of Sight"
that all relevant
would attest that


on their IT
contractor
Agency personnel


Personnel, it
personnel have
should respond to the


should not fall
completed role-
Chief Information


upon OEI to
based training.
Security Officer, not


maintain a

the SAISO, that all


dynamic list of

relevant contractor


the Agency's

personnel have


contractors.

completed role-based


However, OEI

training.


agrees that it




should confirm




(e.g., through




communication




from the CO,




COR, IMO, or




ISO—process to




be determined)




that all required




training has been




performed.



4. Include the
OEI agrees in


09/30/2017
number of
part that based



contractors who have
upon a recent



significant
change in A-130,



information security
Appendix I, this



responsibilities and
requirement can



have completed the
be met by the end



required role-based
of FY 17.



training in the EPA's




Federal Information




Security




Modernization Act




reports submitted to




the Office of




Management and




Budget




17-P-0344
27

-------
Appendix E
Distribution
The Administrator
Chief of Staff
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator and Deputy Chief Information Officer,
Office of Environmental Information
Deputy Assistant Administrator, Office of Administration and Resources Management
Director, Office of Information Security and Privacy, Office of Environmental Information
Director, Office of Acquisition Management, Office of Administration and Resources
Management
Director, Office of Resources, Operations and Management, Office of Administration
and Resources Management
Deputy Director, Office of Resources, Operations and Management, Office of Administration
and Resources Management
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Acquisition Management, Office of Administration
and Resources Management
17-P-0344
28

-------