U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
EPA Can Better Address
Risks to the Security of the
Nation's Drinking Water
Through New Authorities,
Plans, and Information
Report No. 13-P-0349 August 21, 2013
n
-------�
Report Contributors: Dan Engelberg
Anne Declerck
Stacey Banks
Allison Dutton
Andre von Hoyer II
Abbreviations
CIPAC
Critical Infrastructure Partnership Advisory Council
DHS
U.S. Department of Homeland Security
EPA
U.S. Environmental Protection Agency
ERP
Emergency Response Plan
FMFIA
Federal Managers' Financial Integrity Act of 1982
FY
Fiscal Year
GAO
U.S. Government Accountability Office
GPRA
Government Performance and Results Act of 1993
HSPD
Homeland Security Presidential Directive
ICR
Information Collection Request
NHSRC
National Homeland Security Research Center
OHS
Office of Homeland Security
OIG
Office of Inspector General
OMB
U.S. Office of Management and Budget
ORD
Office of Research and Development
OW
Office of Water
SAR
Sector Annual Report
SSP
Sector Specific Plan
VA
Vulnerability Assessment
WARN
Water/Wastewater Agency Response Network
WLA
Water Laboratory Alliance
WSD
Water Security Division
WSI
Water Security Initiative
Cover photo: A drinking water facility in Washington, D.C. (EPA photo)
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
email: OIG Hotline@epa.gov write: EPA Inspector General Hotline
phone: 1-888-546-8740 1200 Pennsylvania Avenue, NW
fax: 202-566-2599 Mailcode 2431T
online:
http://www.epa.gov/oiq/hotline.htm
Washington, DC 20460
-------�
x^ED ST/ff.
* - U.S. Environmental Protection Agency 13-P-0349
i \ Office of Inspector General August 21,2013
s
"V—'—J"
% V|// "
At a Glance
Why We Did This Review
We conducted this review to
determine how the
U.S. Environmental Protection
Agency (EPA): (1) ensures that
its efforts and initiatives are
safeguarding the nation's
drinking water supply from
attacks and natural disasters;
and (2) addressed
recommendations and
suggestions from prior
evaluations of the water
security program.
Over 297 million people in the
United States were served by
51,460 community water
systems as of September 2010.
The September 11, 2001,
attacks prompted a national
effort to secure critical
infrastructure and resources,
including drinking water. Since
the 2001 attacks, there have
also been a number of natural
disasters, such as Hurricanes
Katrina and Irene. These
events have threatened
individual drinking water
systems, resulting in unsafe
drinking water and shortages.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Protecting America's waters.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
EPA Can Better Address Risks to the Security
of the Nation's Drinking Water Through
New Authorities, Pians, and information
What We Found
EPA has implemented a number of activities to promote the security of drinking
water systems. However, strategic planning and internal controls for the water
security program need to be strengthened to allow the Agency to measure the
program's performance and progress in drinking water systems' preparedness,
prevention, response, and recovery capabilities. EPA's strategic planning in this
area is hampered by its limited authority over water security, the voluntary nature
of its water security activities, and concerns related to protecting information.
These impediments could be overcome by the water security program utilizing
available data; using alternative methods to gather data; and seeking additional
authority from Congress to collect, protect, and utilize information from water
systems. EPA should also expand its internal controls to meet Federal Managers'
Financial Integrity Act requirements.
EPA has made progress improving water security by taking corrective actions
based on the recommendations and suggestions from prior evaluations.
However, the Agency has not fully addressed three Office of Inspector General
(OIG) suggestions to establish a baseline and measure improvements, despite
agreeing with OIG's assessment. Additional work remains for EPA, as the lead
federal agency for the water sector, to enhance its efforts to manage the water
security program and help reduce risks to drinking water systems and the public.
Recommendations and Planned Agency Corrective Actions
We recommend that EPA develop a comprehensive strategic plan, assess water
security by gathering available data and incorporating measures into national
guidance, and improve internal controls by developing a program review strategy
and a multi-year review plan. We also recommend that EPA seek additional
authority from Congress and utilize the authority, if granted, to develop a baseline
and outcome measures. EPA initially agreed with four recommendations in the
draft report. After further discussions with the Agency, the OIG modified the three
remaining recommendations to seek additional authority and develop a baseline
and outcome measures. As a result of these discussions and modifications, the
Agency has also concurred with the remaining recommendations. The
recommendations are resolved with corrective actions underway.
Noteworthy Achievements
The full report is at:
www.epa.aov/oia/reports/2013/
20130821-13-P-0349.pdf
EPA developed the Water Security Initiative and Water Laboratory Alliance.
The Agency also supported the establishment of many intrastate mutual aid and
assistance agreements called Water/Waste water Agency Response Networks.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
August 21, 2013
MEMORANDUM
SUBJECT: EPA Can Better Address Risks to the Security of the Nation's Drinking Water
Through New Authorities, Plans, and Information
Report No. 13-P-0349
FROM: Arthur A. Elkins Jr.
TO:
Nancy Stoner, Acting Assistant Administrator
Office of Water
This is our report on the subject evaluation conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems
the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of
the OIG and does not necessarily represent the final EPA position. Final determinations on matters in
this report will be made by managers in accordance with established audit resolution procedures.
Action Required
You are not required to provide a written response to this report because you agreed to all
recommendations and provided corrective actions and planned completion dates that meet the intent of
our recommendations. All recommendations are resolved and open with corrective actions underway.
Please update the EPA's Management Audit Tracking System as you complete the planned corrective
actions for the OIG's recommendations. The OIG may make periodic inquiries on your progress in
implementing these corrective actions. Please notify my staff if there is a significant change in agreed-to
corrective actions. We will post this report to our website at http://www.epa.gov/oig.
If you or staff have any questions regarding this report, please contact Carolyn Copper,
Assistant Inspector General for Program Evaluation, at (202) 566-0829 or copper.carolyn@epa.gov;
or Dan Engelberg, Director for Water, at (202) 566-0830 or engelberg.dan@epa.gov.
-------�
EPA Can Better Address Risks to the Security of the Nation's
Drinking Water Through New Authorities, Plans, and Information
13-P-0349
Table of C
Chapters
1 Introduction 1
Purpose 1
Background 1
Noteworthy Achievements 4
Scope and Methodology 5
2 Strengthening Strategic Planning and Internal Controls
Will Enhance EPA's Drinking Water Security Program 7
EPA Assists Drinking Water Systems 7
EPA Needs Improved Strategic Planning for Water Security 8
Information Challenges Hinder Strategic Planning 11
EPA Needs Additional Internal Controls for Water Security 13
Prior Recommendations Implemented but Some Suggestions Remain 15
Conclusion 15
Recommendations 16
Agency Comments and OIG Evaluation 17
Status of Recommendations and Potential Monetary Benefits 18
Appendices
A Prior Drinking Water Security Reports 19
B Agency Response to the Draft Report and OIG Comments 20
C Distribution 24
-------�
Chapter 1
Introduction
Purpose
The purpose of this evaluation was to determine how effectively the
U.S. Environmental Protection Agency (EPA) water security program is
assisting drinking water systems protect against potential attacks and natural
disasters. Our specific objectives were to determine:
• How EPA ensures its efforts and initiatives are safeguarding the nation's
drinking water supply from attacks and natural disasters.
• How EPA addressed recommendations and suggestions from prior
evaluations of the water security program.
Background
Drinking water is one of the nation's most vital resources. Over 297 million
people in the United States were served by 51,460 community water systems as of
September 2010. Potential threats to this resource include biological, chemical,
and radiological contamination, and destruction of water infrastructure. The
September 11, 2001, terrorist attacks prompted a national effort to secure critical
infrastructure and resources, including drinking water. Since the 2001 attacks
there have also been a number of natural disasters, such as Hurricanes Katrina and
Irene. These events have threatened individual drinking water systems, resulting
in unsafe drinking water and shortages.
The Bioterrorism Act and Homeland Security Presidential Directives
EPA's authority to assist drinking water systems with protecting the drinking
water supply against threats is primarily based on the Bioterrorism Act of 2002,
and is further reinforced through two Homeland Security Presidential Directives
(HSPDs). The Bioterrorism Act contained a one-time requirement for most
drinking water systems1 to submit a vulnerability assessment (VA)2 and
emergency response plan (ERP)3 certification to EPA by the end of 2004.
1 Community water systems serving a population greater than 3,300 persons had to comply with the Bioterrorism
Act of 2002.
2 A VA is a review of a drinking water system and its components to determine the likelihood that a terrorist attack
or other intentional acts could substantially disrupt the ability of the system to provide a safe and reliable supply of
drinking water.
3 An ERP addresses the threats identified in the VA and includes the water system's plans, procedures, and
identification of equipment that can be used in the event of a terrorist attack or other intentional act.
13-P-0349
1
-------�
HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, and
HSPD-9, Defense of United States Agriculture and Food, describe EPA's general
responsibilities when dealing with terrorist attacks and natural disasters. These
HSPDs have led to a range of water security activities, as discussed in chapter 2.
The HSPDs do not provide EPA authority to require specific security measures at
drinking water systems.
HSPD-7 was issued in 2003. It established a national policy for the federal
government to identify, prioritize, and protect critical infrastructure from terrorist
attacks and natural disasters. It also designated EPA as the lead federal agency for
ensuring the protection of the water sector. This involves assisting drinking water
systems with protecting against terrorism and natural disasters. EPA does this by
encouraging the use of risk management strategies. EPA supports the water sector
by offering tools, training, and technical assistance. EPA is the sector-specific
agency for the water sector and develops the Water Sector Specific Plan (Water
SSP). The Water SSP is part of the overall National Infrastructure Protection Plan
developed by the Department of Homeland Security (DHS) 4 The Water SSP
details risk-based protection strategies. The Water SSP describes the processes
and activities that enable protection and increased resilience of water sector
infrastructure. EPA is required to submit a Water Sector Annual Report (SAR) to
DHS as part of its sector responsibilities. The SAR details EPA's water security
activities. These activities are designed to mitigate risks, outline annual progress,
and provide updates on water sector activities that are conducted or planned for
the year.
HSPD-9 was issued in 2004. It requires EPA to develop a robust and
comprehensive surveillance and monitoring program. This program provides
early detection of contaminants in water systems. HSPD-9 also directs EPA to
develop a network of water quality laboratories to support the surveillance
program. EPA has pursued these responsibilities through its Water Security
Initiative (WSI) and Water Laboratory Alliance (WLA).
Organizational Structure of EPA's Water Security Program
EPA's Water Security Division (WSD) is the lead office for the water security
program. WSD is located within the Office of Water (OW) and is supported by
three other EPA offices: the Office of Homeland Security (OHS) in the
Administrator's Office, the Office of Research and Development's (ORD's)
National Homeland Security Research Center (NHSRC), and the Office of Solid
Waste and Emergency Response's Office of Emergency Management.
Coordination and collaboration efforts are needed because there are multiple
offices involved in water security. An organizational chart of the water security
program is in figure 1.
4 The National Infrastructure Protection Plan provides the framework for integrating the nation's critical
infrastructure and key resource protection efforts across all sectors to achieve the goal of a safer, more secure nation.
13-P-0349
2
-------�
Figure 1: EPA water security organizational chart
i U.S. Environmental Protection Agency
Office of Homeland
Security In the
Administrator's
Office
Offte. of Solid VMol
and Emerging
v,.
...y
Office of Research
and Development
national HomoUrtd
Security Rtwwrch
Center
Office of Water
Offl.ee of
Groundwater and
|-k
security uivtston
( Offlca of
&>> tiSfo. m t &utfsa +.t4 *
• Wd'Slti Wi^ vv3 ~
Source: EPA, Water SSP: An Annex to the National Infrastructure Protection Plan (2010).
EPA Water Security Funding
Current funding levels have declined from about $175.6 million in fiscal year (FY)
2002 when EPA received the authority to oversee the VAs. According to budget
data provided by EPA personnel, EPA's water security program was funded at
approximately $22 million across the four water security program offices for
FY 2012. WSD received the largest portion of this funding—$12.4 million—
of which $7.3 million was allotted to the WSI and WLA programs.
Strategic Planning and Internal Controls
Congress has made strategic planning and internal controls cornerstones for
managing federal agency operations. Strategic planning is an essential business
practice for ensuring that programs efficiently achieve desired goals. Internal
controls provide a mechanism for managing program performance. They also
protect against program risk. The Government Performance and Results Act of
1993 (GPRA) and the Federal Managers' Financial Integrity Act of 1982
(FMFIA) set the principles and processes that underlie accomplishing federal
agencies' missions, goals, and objectives. These acts support results-oriented
management which, in the case of the water security program, would be ensuring
effective water security efforts and initiatives.
13-P-0349
-------�
GPRA requires agencies to develop strategic plans, set performance goals, and
report annually on performance. Performance is assessed using outcome
performance measures that are compared to a baseline to gauge progress. EPA
supplements this agency-level reporting with program-level guidance. National
Program Manager Guidance is issued annually by EPA program offices to
provide direction on programmatic priorities and implementation strategies.
FMFIA establishes specific requirements regarding internal controls. These
requirements include an annual evaluation and report about the internal control
systems that are used to protect the integrity of programs. Internal controls
include policies, procedures, performance measures, reviews, and other activities.
Effective internal controls provide assurance for the timely detection or
prevention of risks to the design or operation of a program. FMFIA requires
federal agencies to establish internal controls in accordance with U.S. Office of
Management and Budget (OMB) Circular A-123 and U.S. Government
Accountability Office (GAO) standards.
EPA Order 1000.24 is the Agency's strategy and framework for implementing
FMFIA. Agencies must submit annual statements concerning their internal
controls' effectiveness at meeting FMFIA requirements and GAO standards.
This is done through an annual assurance letter process. Each EPA program office
submits an assurance letter to the EPA Administrator. These letters provide the
basis for an annual statement of assurance to the President and Congress. EPA is
required to identify key programs and develop program review strategies (referred
to hererafter as "strategies") as part of this process. The strategies must identify
and rank the risks of not achieving program objectives. The strategies must also
outline the internal controls used to mitigate those risks. Each EPA office must
also assess the effectiveness of its programs' internal controls using a multi-year
internal control review plan (referred to hereafter as "multi-year plan"). This plan
establishes priorities for assessing the internal controls based on risk levels
assigned to programs in the strategy. The multi-year plan determines which
programs and specific controls will be reviewed and in what order for each EPA
office.
Noteworthy Achievements
EPA has conducted a number of activities to assist drinking water systems in
addressing water security threats. These activities include:
• The Water Security Initiative: EPA developed and piloted a drinking
water contamination warning system in five major cities. EPA also
published interim guidance for other systems based on lessons learned
from the pilots.
13-P-0349
4
-------�
• The Water Laboratory Alliance: EPA has worked to establish a national
network of laboratories to analyze water samples in the event of a terrorist
attack or natural disaster. Notably, EPA has developed a WLA national
response plan and has conducted exercises to test and obtain feedback on
the feasibility of the plan.
• Water/Wastewater Agency Response Networks (WARNs):
EPA supported establishing intrastate mutual aid and assistance agreements
among water systems. These agreements outline how water systems assist
each other with responding to and recovering from emergencies.
Agreements exist in 47 states and the National Capital Region.
Scope and Methodology
We conducted this evaluation from February 2012 to February 2013 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the evaluation to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our evaluation objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on
our evaluation objectives. The scope of this evaluation was focused on drinking
water security. Our scope excluded chemical security, cyber security, and
wastewater facilities.
We reviewed the Bioterrorism Act and HSPDs 7 through 10. We also reviewed
the 2010 Water SSP Annex; the Water SAR; EPA's water security strategic
planning documents; and relevant prior reports by GAO, Congressional Research
Service, and EPA OIG. We also reviewed OW's National Program Manager
Guidance.
We conducted interviews at EPA headquarters with personnel from WSD, OHS,
NHSRC, and Office of Emergency Management. We distributed an information
request to these offices. The request asked to identify budgets and staffing, water
security efforts and initiatives (activities) and performance measures.
We collected information updates on EPA corrective actions taken due to prior
EPA OIG and GAO water security report recommendations and suggestions.5
Further, we interviewed water security staff from EPA Regions 3 and 5.
We interviewed staff from the DHS Office of Infrastructure Protection.
Additional staff interviews were held with the Association of State Drinking
Water Administrators, American Water Works Association, and National Rural
Water Association. We followed up with GAO staff on past GAO water security-
related reports and prior recommendations.
5 OIG suggestions were offered to EPA when not all elements needed for a recommendation were present;
e.g., when the evaluation process was abbreviated.
13-P-0349
5
-------�
We analyzed EPA's strategic planning elements. We also analyzed the FMFIA
management integrity process for internal controls in place for the water security
program. We focused our analysis of FMFIA management integrity processes for
internal controls on EPA OW. We did this because WSD plays the lead role in
EPA's water security efforts.
Prior Audit Coverage
We collected information on the status of EPA's corrective actions for
recommendations and suggestions from past evaluations as part of answering our
second evaluation objective. We identified nine drinking water security-related
reports between 2003 and 2008. Six reports were issued by EPA OIG and three by
GAO (appendix A). The prior reports are discussed in chapter 2. The OIG also
issued reports about the effectiveness of EPA's strategic planning efforts and on
applying FMFIA. These reports relate to improving programmatic operations,
internal controls, and the management integrity process. They also highlight the
importance strategic planning and internal controls play in achieving
programmatic success.
13-P-0349
6
-------�
Chapter 2
Strengthening Strategic Planning and
Internal Controls Will Enhance
EPA's Drinking Water Security Program
EPA has implemented a number of activities to promote the security of drinking
water systems. However, strategic planning and internal controls for the water
security program need to be strengthened to allow the Agency to measure the
program's performance and progress in drinking water systems' preparedness,
prevention, response, and recovery capabilities. EPA's strategic planning is
hampered by its limited authority over water security, the voluntary nature of its
water security activities, and concerns related to protecting information. These
impediments could be overcome by the water security program utilizing available
data, using alternative methods to gather data, and seeking additional authority
from Congress to collect, protect, and utilize information from water systems.
Additionally, EPA's water security program has not fully met FMFIA
requirements for internal controls. EPA has made progress in improving water
security by taking corrective actions based on the recommendations and several
suggestions from prior evaluations. However, the Agency has not fully addressed
three OIG suggestions from earlier reports, despite agreeing with the OIG's
assessment. EPA, as the lead federal agency for the water sector, needs additional
strategic planning and internal controls in order to ensure it effectively assists
drinking water systems in the protection of the nation's drinking water, has
current information on the state of drinking water security, and helps reduce risks
to drinking water systems and the public.
EPA Assists Drinking Water Systems
EPA administers a number of activities to promote water security and assist
drinking water systems to protect against terrorist attacks and natural disasters.
These activities include providing training, tools, technical assistance, and
guidance. They also include conducting water security-related research and
working with the water sector on water security activities. The water sector
consists of EPA, other federal agencies, states, local agencies, water systems, and
water associations. EPA serves as chair of the Water Government Coordinating
Council, which, along with its private sector counterpart, forms the water sector
component of DHS's Critical Infrastructure Partnership Advisory Council
(CIPAC). CIPAC supports critical infrastructure protection, including the water
sector. Below are some examples of EPA's water security activities.
13-P-0349
7
-------�
Prevention and Preparedness
• WSI is an ongoing pilot program featuring a contamination warning and
detection system EPA started in five cities.
• EPA's water security program provides access to the Water Information
Sharing and Analysis Center for EPA staff and state drinking water
officials. The Water Information Sharing and Analysis Center is a
subscription service that shares threat information with drinking water
systems.
• NHSRC shares various tools and technical assistance based on its water
security research. This research is related to VAs; emergency response
planning; and contaminant sampling, analytical, and mitigation
methodologies.
• WSD provides training and hosts webinars on water security-related tools.
WSD also works with states to design water sector exercises.
Response and Recovery
• EPA supports WARNs, an intrastate mutual aid network for water systems
developed, through outreach, technical assistance, tabletop exercises, and
development of operational plans.
• The WLA provides water sample analysis support during a terrorist attack
or natural disaster.
• NHSRC conducts research and develops strategies to address
decontamination challenges such as treatment protocols, disposal of
decontamination waste, and the persistence of contaminants in water
infrastructure.
As a result of EPA's activities, water systems now have access to resources
which were not previously available. Information gathered from the WSI pilot
programs is used to improve current tools for contamination monitoring systems.
Water security training and exercises allow water systems to develop
relationships with other systems; local, state, and federal entities; and responders.
Exercises also enable water systems to test their ERPs.
EPA Needs Improved Strategic Planning for Water Security
The water security program needs to adopt a more thorough strategic planning
process in order to assess its performance and guide future actions. Effective
strategic planning involves five essential elements and should be framed by a
comprehensive plan. The five essential strategic planning elements are outcome
goal(s), long-term and annual outcome performance measure(s), output
performance measure(s), and baseline(s).6 EPA has carried out significant
6 The five essential elements of strategic planning are identified in the GPRA Modernization Act of 2010,
OMB Circular A-l 1, and prior OIG reports.
13-P-0349
8
-------�
strategic planning efforts within the water security program. However, the
Agency would benefit from a comprehensive strategic plan to guide its efforts
across the four program offices that contribute to water security. A coordinated
and collaborative planning approach is necessary to connect each office's
activities to EPA's water security goals. EPA is also missing three of the five
essential strategic planning elements that would allow it to better manage the
water security program. The lack of these elements impacts EPA's ability to
determine whether its activities are effective in assisting water systems to identify
vulnerabilities.
Strategic Planning Efforts Are Not Comprehensive
EPA does not have a comprehensive water security strategic plan containing the
five essential strategic planning elements. Such a plan would link the activities of
the four program offices involved to EPA's overall water security goals. EPA's
water security program has instituted multiple strategic planning initiatives since
the implementation of the Bioterrorism Act of 2002 and periodically reviews its
current activities. These initiatives do not collectively or individually address all
five of the essential strategic planning elements.
Examples of existing water security planning documents include: (1) the Water
SSP that serves as EPA's water security strategic plan, (2) WSD's Business Plans
used to make the Water SSP operational, (3) ORD's Homeland Security Strategic
Research Action Plan which identifies the water sector's research needs, and
(4) OW's SAR which details annual progress and updates on water sector activities
being conducted or planned. A comprehensive strategic plan would allow EPA to
organize the collective efforts of the four program offices toward water security.
OHS recently collaborated with EPA program offices on a homeland security
strategic review to identify future areas of work. The review covered eight areas
and included water security. OHS completed a work plan to address these areas in
May 2013. OHS's strategic review does not contain all five essential strategic
planning elements.
Strategic Planning Elements Are Needed
EPA also does not have all of the necessary strategic planning elements for the
water security program in place. EPA's water security program has two of the five
elements (see table 1). However, EPA has not established a water security
baseline, or annual and long-term outcome performance measures. These
elements would allow EPA to understand how effective its activities are in
assisting water systems and better manage the program. The documents listed
below identify the water security program's outcome goals and output
performance measures. The documents also allow the agency to set output targets
and keep track of activities.
13-P-0349
9
-------�
Table 1: Essential strategic planning elements—water security program
Strategic planning elements
EPA's water
security
program
Strategic planning documents
Outcome Goal'
Yes
Water SSP
Water SAR
ORD's Strategic Research Action Plan
Long-Term Outcome Performance
Measures
No
None Identified
Annual Outcome Performance Measures
No
None Identified
Output Performance Measures"
Yes
Water SAR
WSD's Annual Business Plans
Baseline for Program Measurement
No
None Identified
Source: OIG Analysis of water security program documents provided by EPA.
Water Security Baseline
None of the water security planning documents we reviewed contains a
baseline from which to measure the current status of water security. A
baseline is an essential strategic planning component and is a reference
point against which progress can be measured. A baseline is necessary to
set and achieve water security goals. The effectiveness of any strategic
planning effort is weakened if performance cannot be measured against a
baseline. To establish a water security baseline, EPA needs to gather
security information about a water system's preventative measures,
preparedness, response capability, and resiliency. A general example of
baseline data for water security could include the percentage of
community water systems that have an ERP, conduct ERP training and
exercises, and review and update their ERP on a periodic basis. Once a
water security baseline is established the Agency should be able to
develop outcome performance measures to measure progress.
Annual and Long-Term Outcome Performance Measures
EPA does not identify annual or long-term outcome performance measures
in any of the water security planning documents although it identifies output
measures. While performance measures should distinguish between
outcomes and outputs, there should be a logical connection between them,
with outputs supporting outcomes. Annual and long-term outcome
performance measures indicate progress toward overall water security
7 An outcome goal is the result or achievement toward which effort is directed. An outcome goal can be long- or
short-term and may be expressed specifically or broadly. Progress against goals should be monitored using a suite of
supporting targets, measures, and timeframes.
8 An output measure is the tabulation, calculation, or recording of an activity or effort and can be expressed in a
quantitative or qualitative manner.
13-P-0349
10
-------�
goals, over the course of a year and several years, respectively. These
outcome measures indicate what is being accomplished, whether results are
being achieved, and indicate changes in conditions the program is trying to
influence. Examples of performance measures could include the following:
• Annual: By the end of a specified annual date, a specific
percentage of large community water systems will have an ERP,
conduct ERP training and exercises, and review and update their
ERP on a periodic basis.
• Long-Term: By the end of a specified long-term date, a specific
percentage of large community water systems will have an ERP,
conduct training on their ERP, carry out exercises on their ERP, and
review and update their ERP on a periodic basis.
OW's National Program Manager Guidance for FY 2012 does not have
any performance measures for the water security program. This is despite
water security being identified as one of the 26 key programs through the
FMFIA process and a national water program priority for the fiscal year.
A foundation for water security performance measures in the National
Program Manager Guidance could be provided by a comprehensive
strategic plan.
Information Challenges Hinder Strategic Planning
Many of the problems with EPA's strategic planning stem from the lack of
information about water security. EPA lacks information about water systems,
such as VAs, ERPs, and other data necessary to accurately evaluate the program's
status and progress. While the water security program is voluntary and lacks
regulatory provisions to collect and protect information beyond the Bioterrorism
Act requirements, the Agency has not used existing sources or alternative
methods to collect information from water utilities. The lack of information
impacts EPA's ability to understand how its water security activities are assisting
the water sector to protect against terrorism and natural disasters.
Limitations of EPA's Water Security Program
EPA does not have specific knowledge of water systems' security levels. This is
because of the Agency's limited authority, the voluntary nature of its program, and
concerns associated with protecting information from public disclosure under the
Freedom of Information Act. According to EPA, drinking water systems decide if
and how they will use EPA's water security program. EPA does not have authority
to require water systems to submit security information; utilize training, tools,
technical assistance, or guidance; or implement security enhancements or update
their VAs and ERPs. Since EPA lacks the authority, the Agency has not requested
any updates on VAs or ERPs since the Bioterrorism Act statutory deadline in 2004.
13-P-0349
11
-------�
Currently, EPA may not be able to protect from disclosure information gathered
outside of the Bioterrorism Act under the Freedom of Information Act.
WSD advised OIG that the program attempts to develop meaningful metrics.
However, a means to collect information directly from water systems for outcome
measures does not currently exist. WSD depends on its working relationships with
water systems and attendance at conferences to gather anecdotal water security
information.
Approaches for Collecting Water Security Data
OW currently collects various output measures that provide an idea of how
prepared and resilient water systems are if an event occurs. These data focus on
outputs but could be helpful for the establishment of a baseline and measurement
of water security progress. EPA, however, does not use these output measures to
manage the program. Examples of pertinent output measures include: the number
of trainings conducted; the number of water systems participating in WARNs;
lessons learned from actual incidents, drills and exercises; and the 18 measures
suggested by the CIPAC. OW also collects data in response to metrics in the
Water SAR.
OW has also not used alternative information collection methods, such as an
Information Collection Request (ICR), to gather more information about system
preparedness and responsiveness. This information could include system data on
preparedness and resiliency, such as security features and enhancements, staff
security training, and the number of drills and exercises participated in. It could
also include whether any EPA-based security tools are used by systems, and if
VAs and ERPs are updated. OW has cited a number of reasons why an ICR may
be impractical, including the cost of conducting an ICR, the lack of a statutory
basis for obtaining OMB approval, and the unwillingness of water systems to
provide such information.
Currently, OW does not have any statutory authority to collect, protect, and utilize
new information from the water sector. As such, EPA is limited in knowing how
effective its efforts are in assisting the water sector to protect against terrorism
and natural disasters. In 2009, EPA's Assistant Administrator for Water testified
before the Subcommittee on Energy and the Environment Committee on Energy
and Commerce, U.S. House of Representatives, about the proposed Drinking
Water Security Act of 2009, which primarily addressed chemical security at
drinking water systems. The proposed act also considered risks in general and
would have extended drinking water security requirements for drinking water
systems as well as authority for the Agency. However, it did not pass both
chambers of Congress. In January 2013, the Secure Water Facilities Act was
referred to the Senate Committee on Environment and Public Works and would
expand the requirements for vulnerability assessments, site security plans, and
emergency response plans for both the Agency and drinking water systems.
13-P-0349
12
-------�
This bill also proposes performance standards and provides protection for water
security information within vulnerability assessments and site security plans.
The bill currently remains with the committee. Additional authority could
improve EPA's effectiveness in carrying out its water security duties and
may further enable the Agency to establish a baseline and outcome
performance measures.
EPA Needs Additional Internal Controls for Water Security
In its FY 2010 FMFIA Assurance Letter, OW identified the water security
program as one of 26 key programs. OW established a strategy and multi-year
plan for the WSD and its water security activities. We determined that, overall,
the strategy and multi-year plan lack several elements required by FMFIA, as
implemented by OMB and EPA guidance.
Program Review Strategy
OW's water security strategy does not fully comply with the internal control
standards in OMB Circular A-123, which are based upon the GAO Standards for
Internal Control. Therefore it also does not fulfill FMFIA requirements.9 There
are five required GAO standards for internal controls: control environment, risk
assessment, control activities, information and communications, and monitoring.
OW must address and comply with each of these standards in its water security
strategy. Also, the purpose of the strategy is to identify the risk associated with
the program and the internal controls to mitigate the risk. EPA Order 1000.24
directs that strategies meet the program's needs. The strategy should be evaluated
regularly because it serves as the basis for the FMFIA assurance letters.
According to OMB Circular A-123, internal controls do not guarantee the success
of an agency's programs or the absence of waste, fraud, and mismanagement.
Rather, internal controls are an essential means of managing the risks associated
with the operations of the water security program, such as ineffective tools,
insufficient training, waste of taxpayers' dollars, and natural disasters. A strategy
with inadequate internal controls will often fail to identify program risks and
result in unaddressed vulnerabilities pertaining to preparedness, prevention,
response, and recovery. Therefore, the application of additional internal controls
in the water security strategy will lead to improvements in program operations,
FMFIA compliance, and reduced programmatic risk. Examples of some of the
shortcomings in the water security strategy are discussed below.
9 EPA OIG's 2009 report, EPA Should Use FMFIA to Improve Programmatic Operations (Report No. 09-P-0203),
found that EPA had not used FMFIA to improve program operations as intended. Further, the report stated that EPA
offices were not developing strategies that systematically and annually assess the effectiveness of internal controls
or include elements such as GPRA. These conclusions are aligned with observations noted from the water security
program during this evaluation.
13-P-0349
13
-------�
Control Activities
OW identified VAs, ERPs, tools, and technical assistance as water security
strategy control activities. Control activities are policies, procedures,
mechanisms, and performance measures. They mitigate the program's risk
and fulfill the program's objective of helping water systems enhance their
security and response capability. However, VAs and ERPs are insufficient
control activities. They are handled by drinking water systems and not by
WSD. In fact, there is no requirement for water systems to update VAs or
ERPs, or submit updates to EPA. Further, OW does not currently use the
information contained within VAs or ERPs that was originally submitted by
the end of 2004. OW only has immediate control over its tools and technical
assistance, which are appropriately identified as control activities.
Monitoring
The strategy also does not incorporate an adequate process for monitoring.
According to the GAO standards and EPA Order 1000.24, the monitoring
aspect of the strategy should assess the quality of a program's
performance over time. Monitoring can include periodic reviews, self-
assessments, audits, comparisons of detective and preventative data,
reconciliations, and separate external evaluations. Monitoring should be
performed continually as part of the agency's operations. OW identified
conference calls, meetings, and conferences for the monitoring activities
in the water security strategy. However, while these may be acceptable
means for monitoring, our review of recent meeting minutes did not reveal
any substantive discussions about internal controls. Therefore, we do not
have evidence to suggest that the use of meetings, conferences, and calls
for monitoring are effective to evaluate how well the program's internal
controls are performing.
Multi-Year Internal Control Review Plan
OW's multi-year plan does not have an adequate process for evaluating the water
security program's internal controls. Along with the program review strategy, the
multi-year plan is an Agency requirement, for FY 2010 and beyond, intended to
establish more systematic and rigorous reviews of internal controls over
programmatic operations. A multi-year plan evaluates implemented internal
controls identified in the strategy for effectiveness at assessing the program's
operations. The multi-year plan is designed so any weaknesses or deficiencies can
be identified and corrected. Examples of sources of information EPA could use
for the multi-year plan are provided in OMB Circular A-123, EPA Order 1000.24,
and EPA's Management Integrity Program-FY 2011 Annual Guidance for
Assessing Internal Control over Programmatic Operations. Internal control
reviews for the multi-year plan can be done with audits, questionnaires, site visits,
external evaluations, and internal self-assessments. Similar to the water security
13-P-0349
14
-------�
strategy previously discussed, conference calls, meetings, and conferences were
identified as what the internal control evaluation process would include. Although
they may serve as ways to review a program's internal controls, we determined
that there were no significant discussions on the program's internal controls or
potential deficiencies during the minutes we reviewed. Without improvement in
the multi-year plan, water security program operations cannot be properly
assessed. Any weaknesses that would hinder the program from reaching its goals
may be overlooked and program management subsequently would not improve.
Prior Recommendations Implemented but Some Suggestions Remain
EPA has addressed OIG and GAO recommendations pertaining to EPA's drinking
water security program. EPA has also addressed six of the 11 OIG suggestions.
However, three pertinent suggestions have not been fully addressed. Although
OIG does not formally track EPA adherence to or implementation of suggestions,
these past suggestions offered meaningful information on how to make
improvements. Nonetheless, the priority is that the Agency address agreed-to
recommendations, which was accomplished.
EPA has implemented both OIG recommendations to evaluate VAs for
completeness and prioritization of its research activities. However, EPA has not
established a baseline or outcome-focused performance indicators (measures),
which were outlined in three prior OIG suggestions. In 2003, EPA had agreed
with OIG's assessment for needed performance measures and baseline. EPA has
made a significant effort to enlist the assistance of the CIPAC workgroup to be
responsive to these OIG suggestions. Thus far, this effort has not resulted in the
development of any of the missing performance measure elements: outcome
performance measures and a baseline. As a result of this evaluation, OIG found
that the missing performance elements continued to limit EPA's ability to
measure the water security program effectiveness and progress. For these reasons,
we have elevated these prior suggestions to recommendations.
Additionally, GAO made two drinking water security recommendations which
EPA has implemented. GAO directed EPA to assess the need for public policy
tools to encourage the Water ISAC to continue its protection activities and
increase information sharing. GAO also directed EPA to consider how to best
allocate security-related funds to drinking water systems and how security-
enhancing activities should be supported. Both of these recommendations have
been implemented and closed out by GAO.
Conclusion
EPA has taken a number of steps to assist drinking water systems to protect the
nation's drinking water against terrorist threats and natural disasters. However,
EPA's strategic planning and internal control processes for water security must be
13-P-0349
15
-------�
improved to enhance programmatic operations and minimize risks to critical
infrastructure. We acknowledge that EPA's strategic planning process in this area
has been hampered by a number of impediments, namely, its lack of statutory
authority, the voluntary nature of the water security program, and concerns
pertaining to protecting security information. However, the Agency has not sought
additional authority from Congress recently or utilized all available approaches to
establish a water security baseline and outcome performance measures. Without
additional authority, the water security program will be unable to fully gauge its
effectiveness in assisting drinking water systems to protect the nation's drinking
water supply against attacks and natural disasters. The Agency needs authority that
is commensurate with its responsibility as the lead federal agency for the water
sector, and which allows it to properly address this national issue. EPA must
strengthen management of the water security program, assess water security
progress, and support resources expended in order to help water systems protect
drinking water accessed by 297 million people in the United States.
Recommendations
We recommend that the Assistant Administrator for Water:
1. Develop a comprehensive strategic plan across all program offices that are
involved in EPA's water security program.
2. Utilize information currently available to assess the state of water security
across the nation, specifically, by:
a. Gathering water security data, and
b. Incorporating water security-related performance measures,
targets, and annual commitments into OW's National Program
Manager Guidance.
3. Seek additional authority from Congress to better manage the security of
drinking water systems and their water supply. Additional authorities
should include the ability to collect, protect, and utilize water system-
specific security information
4. If additional authority is granted, further assess the state of water security
across the nation, specifically, by:
a. Developing and utilizing a drinking water security baseline and
conducting periodic reassessments, and
b. Developing and utilizing annual and long-term outcome measures.
13-P-0349
16
-------�
5. Develop and implement a program review strategy and a multi-year internal
control review plan for water security in accordance with requirements set
by FMFIA, as implemented by OMB Circular A-123 and EPA Order
1000.24, which enables the Agency to address risks, assess effectiveness,
reveal any weaknesses, and monitor actions to address those weaknesses.
Agency Comments and OIG Evaluation
OW provided a written response to a draft of this report and expanded on and
clarified that response in subsequent meetings with the OIG. OW's response to
the draft report, along with the OIG's evaluation, is in appendix B. The Agency
also provided technical comments. Where appropriate, we made changes to the
report based on these comments.
In its written response and in follow-up meetings, OW agreed to address all
recommendations. EPA initially agreed with four recommendations in the draft
report (currently recommendations 1, 2a, 2b, and 5). After further discussions
with the Agency, the OIG modified the three remaining recommendations
(currently recommendations 3, 4a, and 4b) to seek additional authority and
develop a baseline and outcome measures. As a result of these discussions and
modifications, the Agency has also concurred with the current recommendations
3, 4a, and 4b. The OW provided corrective actions and estimated completion
dates for the recommendations that it develop an agencywide work plan with
enhanced metrics; include water security measures, targets, and commitments into
the OW's National Program Manager Guidance; seek additional authority; and
develop and implement a program review strategy and multi-year internal control
plan. If additional authority is granted, EPA has agreed to obtain the necessary
information needed to establish a baseline and outcome measures. All
recommendations are resolved and open with corrective actions underway.
13-P-0349
17
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Rec.
No.
Page
No.
Subject
Status1
Planned
Completion
Action Official Date
Claimed
Amount
Ag reed-To
Amount
16 Develop a comprehensive strategic plan across all
program offices that are involved in EPA's water
security program.
16 Utilize information currently available to assess the
state of water security across the nation,
specifically, by:
a. Gathering water security data, and
b. Incorporating water security-related
performance measures, targets, and annual
commitments into OW's National Program
Manager Guidance.
16 Seek additional authority from Congress to better
manage the security of drinking water systems and
their water supply. Additional authorities should
include the ability to collect, protect, and utilize
water system-specific security information.
16 If additional authority is granted, further assess the
state of water security across the nation,
specifically, by:
a. Developing and utilizing a drinking water
security baseline and conducting periodic
reassessments, and
b. Developing and utilizing annual and long-term
outcome measures
Assistant Administrator
for Water
Assistant Administrator
for Water
6/30/14
6/30/14
9/30/14
Assistant Administrator 3/31/14
for Water
Assistant Administrator
for Water
3/31/16
3/31/16
17 Develop and implement a program review strategy
and a multi-year internal control review plan for
water security in accordance with requirements set
by FMFIA, as implemented by OMB Circular A-123
and EPA Order 1000.24, which enables the
Agency to address risks, assess effectiveness,
reveal any weaknesses, and monitor actions to
address those weaknesses.
Assistant Administrator 12/31/14
for Water
O = Recommendation is open with agreed-to corrective actions pending.
C = Recommendation is closed with all agreed-to actions completed.
U = Recommendation is unresolved with resolution efforts in progress.
13-P-0349 18
-------�
Appendix A
Prior Drinking Water Security Reports
EPA OIG
Report Title
Report No.
Publication Date
EPA Needs a Better Strategy to Measure Changes in the
Security of the Nation's Water Infrastructure
2003-M-00016
September 11, 2003
EPA Needs to Assess the Quality of Vulnerability
Assessments Related to the Security of the Nation's Water
Supply
2003-M-00013
September 24, 2003
Survey Results on Information Used by Water Utilities to
Conduct Vulnerability Assessments
2004-M-0001
January 20, 2004
EPA's Final Water Security Research and Technical
Support Action Plan May Be Strengthened Through Access
to Vulnerability Assessments
2004-P-00023
July 1, 2004
EPA Needs to Determine What Barriers Prevent Water
Systems from Securing Known Supervisory Control and
Data Acquisition (SCADA) Vulnerabilities
2005-P-00002
January 6, 2005
Summary of Recent Developments in EPA's Drinking Water
Program and Areas for Additional Focus
08-P-0120
March 31, 2008
GAO
Report Title
Report No.
Publication Date
Critical Infrastructure Protection: Challenges for Selected
Agencies and Industry Sectors
GAO-03-233
February 2003
Drinking Water: Experts' Views on How Future Federal
Funding Can Best Be Spent to Improve Security
GAO-04-29
October 2003
Protection of Chemical and Water Infrastructure: Federal
Requirements, Actions of Selected Facilities, and
Remaining Challenges
GAO 05-327
March 2005
Source: EPA OIG analysis.
13-P-0349
19
-------�
Appendix B
Agency Response to the Draft Report
and OIG Comments
(Received April 24, 2013)
MEMORANDUM
SUBJECT: Response to the Office of Inspector General Draft Project No. OPE-FY12-006,
"EPA Needs Additional Strategic Planning and Internal Controls to Enhance
Drinking Water Security," dated February 21, 2013
FROM: Nancy K. Stoner /s/
Acting Assistant Administrator
TO: Arthur A. Elkins, Jr.
Inspector General
Thank you for the opportunity to respond to the issues and recommendations in the subject
audit report. Following is a summary of the agency's overall position, along with its position
on each of the report recommendations. For those report recommendations with which the
agency agrees, we have provided either high-level intended corrective actions and estimated
completion dates to the extent we can or reasons why we are unable to provide high-level
intended corrective actions and estimated completion dates at this time. For those report
recommendations with which the agency does not agree, we have explained our position. For
your consideration, we have included a Technical Comments Attachment to supplement this
response.
AGENCY'S OVERALL POSITION
The EPA takes the responsibility of promoting risk reduction in the water sector with respect
to all hazards, whether extreme weather events or intentionally malevolent acts very seriously.
We welcome the IG's recommendations on potential improvements to this program in an
effort to enhance the EPA's water security program. The EPA would like to acknowledge that
the water security program is a non-regulatory program. This might pose a programmatic
challenge when determining how the EPA can adopt some of the corrective actions cited in
the IG's report.
OIG Overall Response:
The OIG understands that the agency currently is implementing a non-regulatory, voluntary program and
has limited statutory authority. The OIG also recognizes the constraints identified by OW and has
discussed them in the report, and we believe we have proposed a recommendation to provide EPA with
the authorization it needs. The intent of the report recommendations was to provide the OW with ways to
mitigate these limitations. Until the OW addresses these limitations, the water security program will
continue to operate with inadequate performance measures and internal controls.
13-P-0349
20
-------�
AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS
No.
Recommendation
High-Level Intended Corrective
Actions
Estimated
Completion
by Quarter
nriH FY
OIG Response
1
Develop a comprehensive
strategic plan across all
program offices involved in
EPA's water security
program
The OW will meet on an annual basis
with each office to describe the
program outcomes and priorities that
it intends to achieve and to determine
how the other offices can contribute
to these outcomes and priorities as
their resources permit.
1QFY14
Based upon OW's response and subsequent
discussions, the OIG believes the proposed
corrective action will address the intent of
the recommendations. The meetings will
foster improved coordination and
collaboration with the end-product being a
more complete work plan than what the
water security program is currently
operating from. In subsequent discussions,
the OW estimated the work plan, enhanced
with more outcome-type metrics, will be
completed by 3QFY14 (lune 2014).
2(a)
Gather water security data
by utilizing existing
information, and employing
alternative means to gather
data
The EPA will be limited in its ability
to fulfill this recommendation due to
statutory constraints.
NA
In subsequent discussions with the OW, it
was explained the OW is currently using
available information to get a pulse on the
state of water security. The OW also intends
to develop more outcome-type metrics to
augment the ones they currently use, as part
of the work plan being developed to address
Recommendation 1. The OW estimates the
work plan will be completed by 3QFY14
(lune 2014). The OIG accepts the corrective
actions proposed by the OW as meeting the
intent of this recommendation.
13-P-0349
21
-------�
2(b)
Develop and utilize a
drinking water security
baseline and conduct
periodic reassessments
The EPA will be limited in its ability
to fulfill this recommendation due to
statutory constraints.
NA
In subsequent discussions, EPA has
committed that, if additional authority is
granted (Recommendation 3), it will work
with OMB and water sector partners in order
to collect the necessary information and
develop a baseline to fulfill this
recommendation by second quarter FY 2016
(March 2016). The OIG accepts the OW's
plans to address the recommendation. This
is Recommendation 4a in the final report.
2(c)
Develop and utilize annual
and long-term outcome
measure(s) to assess overall
water security progress
The EPA will be limited in its ability
to fulfill this recommendation due to
statutory constraints.
NA
In subsequent discussions, EPA has
committed that, if additional authority is
granted (Recommendation 3), it will work
with OMB and water sector partners in order
to collect the necessary information and
develop outcome measures to fulfill this
recommendation by second quarter FY 2016
(March 2016). The OIG accepts the OW's
plans to address the recommendation. This
is Recommendation 4b in the final report.
2(d)
Incorporate water security
related performance
measures, targets and
annual commitments into
Office of Water's National
Program Manager
Guidance
In future iterations of this guidance,
EPA will include key water security
metrics.
4QFY14
The OIG accepts the OWs plans to address
the recommendation. This is
Recommendation 2b in the final report.
13-P-0349
22
-------�
3
Seek additional authority
from Congress to better
manage the security of
drinking water systems
The EPA expects that it will need to
operate the program under the current
constraints.
NA
Based upon subsequent discussions with
OW about this recommendation, the OIG
believes the corrective action proposed by
the OW will address the intent of the
recommendation. The OW has committed
to meeting with Administration officials
outside of EPA about obtaining additional
authority for the water security program by
second quarter FY 2014. The OIG accepts
the OWs plans to address the
recommendation.
4
Develop and implement a
program review strategy
and a multi-year internal
control review plan for
water security in
accordance with FMFIA
The EPA can commit to undertaking
this recommendation with the caveat
that the performance and outcome-
based metrics required of these tasks
will of necessity be limited to the
output and limited outcome-based
metrics that OW currently collects in
assessing its water security program.
1QFY14
The OIG agrees with the proposed
corrective action to develop a strategy and
plan within the limitations and constraints of
the program, fliis is Recommendation 5 in
the final report.
Attachments
Technical Comments
cc: Mike Shapiro
Peter Grevatt
David Travers
Michael Mason
Marilyn Ramos
13-P-0349
23
-------�
Appendix C
Distribution
Office of the Administrator
Assistant Administrator for Water
Assistant Administrator for Solid Waste and Emergency Response
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Homeland Security
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Regional Administrator, Region 3
Regional Administrator, Region 5
Principal Deputy Assistant Administrator for Water
Principal Deputy Assistant Administrator for Research and Development
Director, Office of Regional Operations
Audit Follow-Up Coordinator, Office of Water
Audit Follow-Up Coordinator, Office of Research and Development
Audit Follow-Up Coordinator, Office of Solid Waste and Emergency Response
Audit Follow-Up Coordinator, Region 3
Audit Follow-Up Coordinator, Region 5
13-P-0349
24
-------� |