U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Improvements Needed in
EPA's Smartcard Program
to Ensure Consistent
Physical Access Procedures
and Cost Reasonableness
Report No. 13-P-0200
March 27, 2013
-------�
Report Contributors: Patrick Gilbride
Randy Holthaus
Raul Adrian
Lawrence Gunn
Kevin Lawrence
Abbreviations
CID
Criminal Investigation Division
DHS
U.S. Department of Homeland Security
EPA
U.S. Environmental Protection Agency
EPASS
Environmental Protection Agency Personnel Access and Security System
FAR
Federal Acquisition Regulation
FICAM
Federal Identity, Credential, and Access Management
FIPS
Federal Information Processing Standards
GAO
U.S. Government Accountability Office
GSA
U.S. General Services Administration
HSPD-12
Homeland Security Presidential Directive-12
IGCE
Independent Government Cost Estimate
OAM
Office of Acquisition Management
OARM
Office of Administration and Resources Management
OEI
Office of Environmental Information
OIG
Office of Inspector General
OMB
Office of Management and Budget
PACS
Physical Access Control System
PIN
Personal Identification Number
PIV
Personal Identity Verification
SMD
Security Management Division
SOP
Standard Operating Procedures
Cover photos: From left: a smartcard reader in the EPA Region 6 office in Dallas, Texas;
EPA West, which is part of EPA headquarters. (EPA OIG photos)
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
e-mail: OIG Hotline@epa.gov write: EPA Inspector General Hotline
phone: 1-888-546-8740 1200 Pennsylvania Avenue, NW
fax: 202-566-2599 Mailcode 2431T
online:
http://www.epa.gov/oiq/hotline.htm
Washington, DC 20460
-------�
^{.D sT/ff.
* ' U.S. Environmental Protection Agency 13-P-0200
| O \ Office of Inspector General March 27 2013
SB 1
1 w/ °
At a Glance
Why We Did This Review
Homeland Security Presidential
Directive-12 (HSPD-12) and
subsequent requirements state
that inconsistent approaches to
physical access are inefficient
and costly, and increase risk to
the federal government.
We conducted this audit to
determine whether the U.S.
Environmental Protection
Agency (EPA) upgraded
physical access control
systems consistent with the
goals of HSPD-12 and
subsequent requirements. We
also evaluated whether EPA
acquired and deployed
smartcard technology in an
efficient and effective manner.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Strengthening EPA's
workforce and capabilities.
Improvements Needed in EPA's Smartcard
Program to Ensure Consistent Physicai
Access Procedures and Cost Reasonableness
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
What We Found
Contrary to its plans, EPA upgraded some less critical facilities prior to its most
important facilities (including EPA headquarters). EPA stated it was more efficient
to upgrade facilities based on geographic location rather than importance, but
provided no quantitative data to support that position. In addition, EPA indicated it
did not want to make mistakes upgrading headquarters buildings so it upgraded
others first. As a result, some lower valued facilities required a higher level of
authentication for access than EPA headquarters facilities.
The processes used to gain access are inconsistent and not yet inter-operable
(can be used by all federal employees including those outside EPA) or
intra-operable (can be used by any EPA employee). This occurred because EPA
had not developed national physical access procedures to foster consistency. As
a result, EPA is not realizing potential benefits associated with a standardized
process.
EPA did not document assurance of cost reasonableness for some of the
physical access control system contracts. EPA had spent over $12.8 million
upgrading physical access control systems and could not assure that $3.8 million
of that amount (30 percent) was spent in the most efficient and effective manner.
EPA planned to award an additional $10.6 million to upgrade its systems.
Recommendations and Planned Agency Corrective Actions
We recommend that EPA re-prioritize the remaining facility upgrades by security
level, from highest to lowest, and develop national policies and procedures that
foster consistent inter-operable physical access. We also recommend that EPA
establish an entity for overseeing EPA's smartcard program, conduct cost
analysis of smartcard upgrades, and enforce guidelines for independent
government cost estimates. EPA agreed with two of our five recommendations.
For the other three recommendations, EPA proposed alternative corrective
actions that we believe address our findings.
The full report is at:
www.epa.qov/oiq/reports/2013/
20130327-13-P-0200.pdf
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
March 27, 2013
MEMORANDUM
SUBJECT: Improvements Needed in EPA's Smartcard Program to Ensure Consistent
Physical Access Procedures and Cost Reasonableness
Report No. 13-P-0200
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). This report contains findings that describe the
problems the OIG has identified and corrective actions the OIG recommends. This report
represents the opinion of the OIG and does not necessarily represent the final EPA position.
Final determination on matters in this report will be made by EPA managers in accordance with
established audit resolution procedures.
Action Required
The Agency did not concur with recommendations 1 and 2 and proposed acceptable alternative
corrective actions. The Agency concurred with recommendations 3 and 4 and partially concurred
with recommendation 5. On recommendation 5, parts c and d, the Agency provided acceptable
proposed alternative corrective actions. We accept EPA's response and planned corrective
actions for all five recommendations and no further response is needed. We have no objections to
the further release of this report to the public. We will post this report to our website at
http://www.epa.gov/oig.
We request that EPA provide the OIG with: (1) copies of the upgraded physical access control
system planning documents submitted to the Office of Management and Budget in 2012;
(2) its updated EPA Personnel Access and Security System project management plan; (3) the
update to EPA Order 3200, EPA Personal Identity Verification and Smartcard Program when
finalized; (4) a copy of its policy titled Use of the PIV Cardfor Facility Access when finalized;
FROM: Arthur A. Elkins Jr.
TO:
Bob Perciasepe
Deputy Administrator
Craig E. Hooks
Assistant Administrator
Office of Administration and Resources Management
-------�
(5) documents that demonstrate EPA's final decision on which office will oversee its smartcard
program; and (6) a copy of any new guidance or policy issued that further details how and when
independent government cost estimates should be prepared.
If you or your staff have any questions regarding this report, please contact Melissa Heist,
Assistant Inspector General for Audit, at (202) 566-0899 or Heist.Melissa@epa.gov; or Patrick
Gilbride, Product Line Director, at (303) 312-6969 or Gilbride.Patrick@epa.gov.
-------�
Improvements Needed in EPA's Smartcard Program to Ensure
Consistent Physical Access Procedures and Cost Reasonableness
13-P-0200
Table of Contents
Chapters
1 Introduction 1
Purpose 1
Background 1
Scope and Methodology 2
Prior Audit Reports 3
2 EPA Did Not Upgrade Most Critical Facilities First 4
Implementation Plans Not Followed 4
EPA Upgraded 29 of Its Less Important Facilities Before
Upgrading Its Most Critical Assets 5
Importance of Facilities Not a Priority for Initiating Upgrades 6
Conclusions 7
Recommendation 8
Agency Comments and OIG Evaluation 8
3 EPA's Physical Access Control Systems Not Inter-Operable
or Intra-Operable 9
Physical Access Control Systems Should Be Inter-Operable 9
EPA Uses Various Processes for Physical Access Control 10
EPA Does Not Have National Procedures for Physical Access 12
EPA Needs to Designate a Single Office to Administer Its
Smartcard Program 13
EPA Not Maximizing Efficiency and Security Within PACS 13
Conclusions 14
Recommendations 14
Agency Comments and OIG Evaluation 14
4 EPA Acquired and Deployed Smartcard Technology
Without Assuring Costs Were Reasonable 16
Cost Data and Documentation Requirements 16
EPA Did Not Maintain Sufficient Documentation to Support
PACS Decisions 18
Project and Contract Management Staff Did Not Assure
Adequate Data Were Maintained 20
Conclusions 20
Recommendations 21
Agency Comments and OIG Evaluation 21
Status of Recommendations and Potential Monetary Benefits 24
- continued-
-------�
Improvements Needed in EPA's Smartcard Program to Ensure
Consistent Physical Access Procedures and Cost Reasonableness
13-P-0200
Appendices
A Details on Scope and Methodology 25
B Prior OIG and GAO Audit Reports 26
C List of Contracts Awarded as of March 2012 for PACS Upgrades 29
D Agency Response 30
E Distribution 45
-------�
Chapter 1
Introduction
Purpose
On August 27, 2004, President George W. Bush signed Homeland Security
Presidential Directive-12 (HSPD-12). The directive states, "it is the policy of the
United States to enhance security, increase Government efficiency, reduce
identity fraud, and protect personal privacy by establishing a mandatory,
Government-wide standard for secure and reliable forms of identification issued
by the Federal Government to its employees and contractors (including contractor
employees)." Agencies are still working to implement HSPD-12 and project
milestones set by the Office of Management and Budget (OMB).
The purpose of this audit was to determine whether the U.S. Environmental
Protection Agency (EPA) upgraded physical access control systems (PACS)
consistent with the goals of HSPD-12 and subsequent requirements. We also
sought to determine whether EPA acquired and deployed smartcard technology in
an efficient and effective manner.
Background
In March 2007, in response to HSPD-12, EPA began issuing smartcards—the
required common form of federal identification—to eligible EPA employees.
EPA's physical resources include its office buildings, laboratories, storage
centers, and other physical structures. PACS are the systems that control access to
EPA's physical resources.
As of September 2011, EPA informed us it had 156 facilities nationwide. EPA
planned to upgrade 65 of those 156 facilities with PACS. By the end of 2011,
EPA had either completed or started upgrading 39 facilities. EPA plans to
upgrade an additional 26 facilities by the end of 2014, and be HSPD-12 compliant
by September 30, 2015.
EPA plans to spend a total of $55.8 million through fiscal year 2015 for its
Environmental Protection Agency Personnel Access and Security System
(EPASS) program. The EPASS program includes all components of personnel
access, from developing and issuing ID cards (smartcards) to the technology and
processes used to grant access to buildings and computers. According to data EPA
provided OMB, EPA spent $32.2 million to upgrade smartcard technology
through July 2011 (which includes upgrading computers as well as physical
locations) and plans to spend about $23.6 million over the next 4 years for its
EPASS program.
13-P-0200
1
-------�
EPA is in the process of upgrading its PACS. In addition to providing access that
is intra-operable throughout the Agency, EPA is required to upgrade PACS in a
way that allows inter-operability with other federal agencies. For purposes of this
report, intra-operability means that EPA employees can easily gain access to EPA
facilities using their smartcards and PACS technology when they have an
authorized business reason to do so.
EPA's Security Management Division (SMD) is responsible for upgrading PACS
to comply with HSPD-12. SMD is within the Office of Administration and
Resources Management's (OARM) Office of Administration (OA), which is
responsible for the acquisition of all Agency facilities, property management, and
property security. EPA's Office of Acquisition Management (OAM) is
responsible for awarding and managing contracts, including those to implement
HSPD-12. EPA's Office of Environmental Information (OEI) is responsible for
upgrades related to computer and information systems needed to comply with
HSPD-12.
Since the time President Bush signed HSPD-12 in 2004, the U.S. Department of
Commerce and OMB developed documents that detail requirements and offer
guidance for implementing the smartcard program:
• The U.S. Department of Commerce issued the Federal Information
Processing Standards (FIPS) 201 in February 2005. FIPS 201 lays out the
requirements for a common identification standard (to implement HSPD-
12) for all federal employees and contractors. In March 2006, the U.S.
Department of Commerce updated FIPS 201 by issuing FIPS 201-1.
• OMB issued M-05-24 in August 2005 to all federal departments and
agencies to transmit HSPD-12 and provide associated guidance.
• OMB issued M-06-18 in June 2006 and established a set of parameters for
acquiring products and services for implementing HSPD-12.
• OMB issued M-l 1-11 in February 2011, which included a memorandum
from the U.S. Department of Homeland Security (DHS). The memo
outlined a plan of action for agencies to expedite the full use of the
smartcard credentials for access to federal facilities and information
systems.
Scope and Methodology
We conducted our audit from June 2011 to November 2012 in accordance with
generally accepted government auditing standards. Those standards require that
we obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our evaluation objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our objectives.
13-P-0200
2
-------�
During our audit, we reviewed HSPD-12 and other supporting federal criteria as
well as EPA's policies and plans for implementing its smartcard program. We
also reviewed relevant documentation for each of the contracts EPA awarded to
upgrade physical and logical access control systems. We interviewed EPA
headquarters managers and staff from O ARM's SMD and OAM, and from OEI.
We also conducted a site visit to Region 1 in Boston, Massachusetts, and
interviewed PACS coordinators from all regions where EPA had upgraded PACS.
Appendix A provides further details on our scope and methodology.
In addition to PACS, HSPD-12 involves upgrading logical access control systems.
Logical resources include computers and information systems that EPA
employees use. EPA has had limited accomplishments to date related to the
Agency's logical access systems. EPA employees are not using smartcards to
access information systems except for a limited number of employees who are
testing their use. As a result, although logical access was originally within the
scope of our review, we did not review logical access and developed no findings
relating to that area.
Prior Audit Reports
Prior reports by the EPA Office of Inspector General (OIG), DHS OIG,
GSA OIG, and U.S. Government Accountability Office (GAO) have highlighted
various issues associated with implementing HSPD-12, including the complexity
and the importance of sound planning across government. Appendix B provides
details on the corrective actions EPA has taken to address prior audit report
findings.
13-P-0200
3
-------�
Chapter 2
EPA Did Not Upgrade Most Critical Facilities First
EPA upgraded some facilities that it classified as less critical prior to upgrading
all of its most important and critical facilities, including headquarters facilities.
On April 13, 2007, EPA issued Order 3200, EPA Personal Identity Verification
and SmarteardProgram. That order and subsequent plans stated that EPA would
upgrade facilities in an order that would protect its most critical and valued assets
first, but EPA did not do so. EPA officials said it was more efficient logistically to
upgrade facilities based on geographic location rather than importance to EPA.
However, SMD could not provide any analysis demonstrating efficiency. The
SMD Director also said that EPA did not want to make mistakes upgrading its
headquarters buildings so it has been upgrading other buildings first. As a result,
some of EPA's most critical facilities do not require as stringent an identity
verification process for access as some of its least important facilities. As of
March 2012, EPA spent over $4.5 million to upgrade facilities it determined to be
less critical to the Agency while it still has not upgraded all of its most critical
facilities.
Implementation Plans Not Followed
Policy and plans indicate that EPA would upgrade its most critical assets before
upgrading lower value assets (facilities). EPA designates the security level of its
facilities numerically on a scale from 4 down to 1, based on a federal security
standard. Level 4 facilities are EPA's most critical assets while Level 1 facilities
would be least critical. According to the federal standard used for determining the
security level of a facility, agencies should consider the following five factors when
deciding the level assigned to a facility: (1) mission criticality, (2) symbolism,
(3) facility population, (4) facility size, and (5) threat to tenant agencies.
EPA's Policy and Plans
EPA issued Order 3200 to establish the Agency's policy for providing a roadmap
to implement EPA's smartcard program. The order states, "Systems located in
facilities identified as Agency critical infrastructure assets will be replaced first,
followed by Security Level 4 facilities, Security Level 3 facilities, and Security
Level 2 facilities.. .Those EPA facilities designated at Security Level 1 will
maintain existing physical access security counter measures."
EPA issued subsequent plans dealing with PACS upgrades. In 2008, EPA
provided OEI's HSPD-12 Physical Access Controls and Logical Access Controls
Plan to OMB. In 2009, EPA issued its EPASS Project Management Plan. Both
plans laid out the priority in which EPA would upgrade PACS. They documented
13-P-0200
4
-------�
that EPA would upgrade new construction or leases first, followed by facilities
based on security level ratings. The 2008 plan stated, . EPA will mitigate its
highest risks first thus protecting our higher valued targets early on in the
implementation process." The plan also stated that EPA would complete
upgrading all of its Security Level 4 facilities by December 2011. Similar to EPA
Order 3200, the 2008 plan also stated that existing Security Level 1 facilities
would not be upgraded.
Inter-Agency Security Committee Standards
According to the Interagency Security Committee (ISC) Standard: Facility
Security Level Determinations for Federal Facilities, Level 5 facilities are unique
facilities with a high level of importance that merit the highest degree of
protection. Level 4 facilities are also of high importance and require the next
highest degree of protection, and so forth down to Level 1 facilities. EPA has
classified all of the buildings housing EPA's 10 main regional offices as well as
its headquarters facilities as Level 4.
EPA Upgraded 29 of Its Less Important Facilities Before Upgrading Its
Most Critical Assets
EPA's SMD did not follow EPA Order 3200 or the last plan it submitted to OMB
in 2008 for upgrading Agency facilities. Although EPA's stated policy was to
upgrade its most critical assets first, as of the beginning of 2012 EPA had yet to
start upgrades on six Level 4 facilities while it had completed or already started
upgrades on 29 lower-level facilities. EPA also upgraded four Level 1 facilities
and plans to upgrade another one even though its policies and plans stated that
existing Level 1 facilities would not be upgraded. These lower-level facilities
have less urgent security needs than the higher-level facilities. For example, one
of the Level 1 facilities upgraded is used to store vehicles. No EPA employees
work within that facility on a permanent basis. Conversely, EPA has not upgraded
some of its headquarters buildings that are classified as Level 4, where up to
hundreds and even thousands of EPA employees work on a full-time basis.
SMD plans to upgrade 65 facilities out of 156 EPA facilities by the end of
September 2015. It plans to upgrade all Level 4 and Level 3 facilities, and some
Level 2 and Level 1 facilities. By the end of 2011, EPA had completed or started
upgrades to 39 facilities—4 at Level 1, 14 at Level 2, 11 at Level 3, and 10 at
Level 4. EPA needs to complete upgrades for the following six Level 4 facilities
• Region 9 Main Building
• EPA East and EPA West in Headquarters
• Region 10 Main Building
• Region 7 Main Building
• Ariel Rios North and South Federal Building in Headquarters
• Ronald Reagan Building in Headquarters
13-P-0200
5
-------�
Details on upgrade actions EPA has taken since 2006 and plans to take are in
table 1.
Table 1: Number of EPA facilities to be upgraded by security level
Year started
Security levels
4
3
2
1
Total
2006
1
0
0
0
1
2007
2
2
2
0
6
2008
1
4
1
1
7
2009
0
0
1
0
1
2010
4
2
5
2
13
2011
2
3
5
1
11
2012*
3
1
2
0
6
2013*
3
5
4
0
12
2014*
0
0
7
1
8
Total to be upgraded
16
17
27
5
65
Total number of facilities
16
17
82
38
**156
Source: OIG analysis of data provided by SMD.
* Projected by EPA.
** EPA has not assessed the security level for 3 of its 156 facilities.
Importance of Facilities Not a Priority for Initiating Upgrades
A facility's security level did not appear to be SMD's top consideration for when
it should upgrade a facility. The SMD Director told us she believed it was more
efficient and logistically made more sense to upgrade facilities based on
geographic location. She said that SMD preferred to award one contract for each
location or region and have all facilities in that area upgraded simultaneously. In
other words, to install independent PACS across five facilities would require two
servers (primary and backup) per location, totaling 10 servers across the five
locations, and 5 vendor application licenses. In comparison, covering the five
locations with a single enterprise implementation requires only two servers and
one vendor application license. We requested that SMD provide data or
documented justification showing that it was more efficient to upgrade based on
location. According to the SMD Director, they did not have such data because the
increased efficiency was obvious. However, without cost analysis, EPA cannot
demonstrate that its approach was more efficient. Further, when we asked the
Director why EPA's headquarters buildings were not upgraded first, the Director
said that they did not want to make mistakes at headquarters and were therefore
upgrading other buildings first and leaving the upgrades of headquarters buildings
toward the end of the project. Although the Director said that efficiency was the
primary reason EPA upgraded facilities in the order it did, criteria that EPA
technical evaluation panel members used to review vendor proposals clearly
stated that panel members should consider price/cost as the least important factor
when evaluating which vendor should get a contract.
13-P-0200
6
-------�
We also found two cases that further indicated that facility security levels were
not the driving factor in the timing of upgrades. In one case, EPA upgraded the
PACS system at a facility in Alabama that was 3 years overdue for a security
level assessment. The facility was a Security Level 3 facility, so EPA should have
re-assessed its Security Level every 3 years. According to SMD, EPA last
assessed the facility in 2005. Therefore, EPA should have assessed the facility
again in 2008 but it did not. EPA upgraded that facility while it had not upgraded
many Level 4s. In another case, EPA upgraded a facility in Puerto Rico at the end
of 2011 even though SMD did not complete the facility level assessment until
January 2012.
We asked the SMD Director if she had considered other contracting approaches to
upgrading facilities that emphasized security level first rather than all facilities in
a given geographic area at the same time. She said that she had not thought of that
and would have to consult with OAM to determine whether EPA could have used
other contracting options. We discussed this issue with the OAM contracting
officer for some PACS contracts and she told us that awarding contracts in order
of facility security level could have been an effective alternative without resulting
in greater cost. She said that SMD could have awarded national contracts at the
beginning of this program to focus first on upgrading all Level 4s. She said that
after SMD upgraded those facilities, additional national contracts could have been
awarded to upgrade the Level 3 s and so on, thereby addressing the most critical
assets in a prioritized order.
Conclusions
Eight years after President Bush signed HSPD-12, EPA has not upgraded all of its
most critical facilities. As a result, some facilities—housing hundreds or even
thousands of employees along with other important assets—did not require the
higher level of authentication to gain access as some of its facilities of lesser value
and importance. As of March 2012, EPA had spent over $4.5 million to upgrade
facilities assessed below Level 4 before it upgraded all Level 4 facilities. EPA has
spent 69 percent more to upgrade Level 2 facilities ($2.8 million) as it has on
Level 3 facilities ($1.66 million), even though Level 2 facilities are less critical
than Level 3. As EPA stated in its formal plans, it planned to upgrade facilities
with the highest security level classification before upgrading lower level
facilities to improve security to its most critical assets first. However, EPA
decided to deviate from the plan it submitted to OMB and instead upgraded
facilities based on location. EPA should ensure it upgrades facilities based on the
criticality of the facility rather than geographic location.
13-P-0200
7
-------�
Recommendation
We recommend that the Assistant Administrator for Administration and
Resources Management:
1. Re-prioritize the remaining facility upgrades by security level from
highest to lowest, complete all remaining upgrades according to security
level, and require the SMD Director to provide written justification for
upgrading Level 1 facilities.
Agency Comments and OIG Evaluation
EPA did not concur with recommendation 1 and proposed an alternative
recommendation. We continue to believe that EPA should have placed more effort
into upgrading the Level 4 facilities earlier in this PACS upgrade project. The plan
EPA shared in its response for upgrading its remaining facilities addresses this by
planning to complete upgrades to facilities with higher security levels before
completing those with a lower security level. Therefore, we agree with EPA's
proposal to continue with its current sequencing of facility upgrades.
Regarding Level 1 facilities, we agree with EPA's proposal that the SMD Director
will provide written justification to the Assistant Administrator for OARM and
obtain approval in advance of any work. As a result, we consider recommendation
1 resolved with corrective action pending.
For EPA's detailed comments on this chapter and additional OIG responses, see
appendix D.
13-P-0200
8
-------�
Chapter 3
EPA's Physical Access Control Systems
Not Inter-Operable or Intra-Operable
EPA has upgraded more than half of the 65 facilities' PACS it plans to upgrade,
but the processes used to gain access vary considerably and the systems are not
yet inter-operable or intra-operable in practice. For purposes of this report, intra-
operability means that EPA employees can easily gain access to any EPA facility
when they have an authorized business reason to do so, while inter-operability
goes beyond EPA and applies to any federal employee that has a need for access.
HSPD-12 and OMB's M-05-24 both stress the importance of eliminating
inconsistency in physical access systems. EPA's varied and inconsistent
approaches have resulted from a lack of developed, national physical access
procedures to foster consistency or inter-operability. As a result, EPA is not
realizing the potential benefits of a standardized process, and employee access to
EPA buildings continues to be inconsistent depending on an employee's
geographic location.
Physical Access Control Systems Should Be Inter-Operable
HSPD-12 stresses the importance of eliminating inconsistency in physical access
systems, and states, "Wide variations in the quality and security of forms of
identification used to gain access to secure Federal and other facilities where there
is potential for terrorist attacks need to be eliminated." OMB M-05-24 states,
"Inconsistent agency approaches to facility security and computer security are
inefficient and costly, and increase risk to the Federal government." OMB issued
OMB M-l 1-11 in February 2011 incorporating DHS requirements that outlined a
plan for federal agencies to use for upgrading identity verification systems. The
DHS memo highlights the importance of using a consistent process for access. It
states, "Specific benefits of the standardized credentials required by HSPD-12
include secure access to federal facilities.... Additionally, standardization leads to
reduced overall costs and better ability to leverage the Federal Government's
buying power with industry." This memo also states that "Agency processes must
accept and electronically verify PIV [personal identity verification] credentials
[smartcards] issued by other federal agencies."
FIPS 201-1 laid out the requirements for a common identification process. It
addresses factors such as the ability to rapidly authenticate smartcards and to be
inter-operable from one federal facility to another. FIPS 201-1 defines inter-
operability as follows: "For the purposes of this standard, interoperability allows
any government facility or information system, regardless of the PIV Issuer, to
verify a cardholder's identity using the credentials on the PIV Card."
13-P-0200
9
-------�
OARM issued Standard Operating Procedures for EPA Personnel Access and
Security System (EPASS) Badge Post-Issuance Management, dated June 23, 2011.
While the procedures specify that EPA will have one process nationwide for
issuing smartcards, it does not foster consistency in EPA's physical access
process. Specifically, the procedures state that each location is individually
responsible for figuring out how to allow employees to use the smartcards to gain
access to EPA facilities. The EPASS standard operating procedure states:
The scope of this SOP is to provide EPA personnel serving as an
Issuer [of the smartcards] the same process and procedures across
the entire EPA. It does not apply to integration of the EPASS card
into EPA Physical Access Control Systems (PACS) or procedures
for issuance of an initial card. Each site should develop their own
PACS SOP to fulfill that requirement.
EPA Uses Various Processes for Physical Access Control
EPA is not using PACS in a consistent manner. EPA has used different processes,
including the use of key pads and temporary cards, to gain access to EPA
facilities. In addition, EPA's Criminal Investigation Division (CID) initially stated
that it was not going to upgrade its facilities because it did not agree with the
direction of the smartcard program, and SMD allowed that decision when it
should not have.
Inconsistent Use of Card Reader Key Pads
EPA's use of key pads for physical access is inconsistent. Of the locations where
PACS upgrades are complete, some use a card reader and key pad for access
while others that have key pads do not use them. Regional security staff generally
had rationale for using card readers with or without pin pads, but the reasoning
was not consistent from one region to the next. In Region 6, the main building in
Dallas, Texas, is a privately owned building, and because anyone from the general
public can access the building, EPA Region 6 employees must enter a 6-digit
personal identification number (PIN) in addition to scanning their smartcard.
Further, we found that top-level managers in Region 6 intentionally never
activated the card reader that controlled access between the Regional
Administrator's office and the region's external affairs and legal offices, so staff
who frequently go back and forth between those offices would not have to use
their smartcards.
EPA also installed card readers with key pads throughout the areas it occupies in
the Region 1 main building in Boston that several other federal agencies also
occupy. However, employees only scan their cards for access; no PIN is required.
Region 1 security staff informed us the key pads were in place in case additional
security was necessary but there are no present plans to activate the key pads.
13-P-0200
10
-------�
The more levels that an agency requires for access, the greater level of security
provided. There are three basic levels of authentication an agency could use for
access purposes - an agency could require an employee to use: (1) something they
have in their possession (like swiping a smartcard across a reader); (2) something
they know (like entering a PIN into the card reader in addition to just using the
smartcard); and (3) something they are (like a biometric, such as a fingerprint or
retinal scan, which is a feature unique to each person). If a facility or region
required only the badge to be swiped across a card reader, an unauthorized person
could use a lost or stolen card for access until it is deactivated.
In some regions, like Region 6, EPA requires employees to use something they
have (card) and something they know (PIN). In other regions, EPA employees
only use something they have (card) and do not have PINs assigned to them. In
EPA headquarters buildings, employees have only used something they have
(either their local EPA proximity card or smartcard) to present to security guards
for access to those buildings. However, PACS readers have yet to be installed in
all headquarters buildings.
Inconsistencies in Access by EPA Employees from Other Regions
The process EPA uses to grant access to visiting EPA employees also varies from
one region to the next. For example, Region 6 requires a temporary visitor card
and 8-digit PIN from EPA visitors from other regions to gain access. Region 8, on
the other hand, uses a more traditional visitor check-in
process. In Region 8, a visiting EPA employee checks in
at a reception area at the main entrance and regional staff
issue the person a visitor pass. Additionally, the visitor
must rely on an EPA employee who resides in the
building for access.
Because PACS should be intra-operable, we asked
Region 6 if it could program a visiting OIG employee's
actual smartcard to allow them access in the region.
While the Region 6 PACS coordinator informed us she
could program the card to allow for access, she also
warned that it could cause problems in the PACS identity
verification system. She explained that because locations operate differently,
changing the employee's information to allow access to Region 6 could adversely
affect access when the employee returned to their home region. The 8-digit PIN
that Region 6 requires for visiting EPA employees is a primary reason it uses the
temporary card. EPA employees visiting Region 6 may use a different number of
digits in their home region. If Region 6 were to provide access through that
employee's smartcard, it would hinder their ability to access their home office.
We also asked Region 8 if it could program a visiting OIG employee's smartcard
for use within that region. The Region 8 PACS coordinator said they were not
A temporary Region 6
visitor card. (EPA OIG
photo)
13-P-0200
11
-------�
informed that they are required to do so and therefore would not, as it could cause
problems within the PACS electronic identity verification system.
CID Not Required to Use Smartcard Readers
EPA's SMD also did not require one EPA office, CID, to use smartcard readers
and additionally allowed them to forgo the PACS upgrade. CID did not seem to
understand that it could maintain its unique security needs when upgrading its
PACS. We found that CID's office in Dallas should have had a smartcard reader
on one of its doors that the public could access. Once we brought this to the
attention of SMD and CID, and after talking to CID's National Acting Director,
CID started planning upgrades for more of its offices. CID will pilot the
installation of smartcard readers in its offices in Regions 6, 7, and 9. If the pilot is
successful, CID plans to install readers in offices in Regions 1, 2, 4, 5, and 10. In
Dallas, EPA had already upgraded the main Region 6 building (a Level 4 facility)
with card readers in 2011. Because CID's office space in Dallas was not upgraded
at the same time as the Region 6 main building, EPA planned to spend an
additional $17,927 to install the necessary equipment to CID's space. The SMD
PACS project manager told us the CID space in Dallas would be upgraded by the
end of February 2012. The additional card readers, including CID's main door
that is accessible to the general public, were installed and operational in
September 2012.
EPA Does Not Have National Procedures for Physical Access
According to its own plans, EPA knew it would take until September 2015 to
complete its smartcard program—nearly 10 years. However, EPA has not
developed national physical access procedures to foster consistency or intra-
operability. EPA has already upgraded or begun to upgrade almost 70 percent of
the facilities it plans to upgrade (45 of 65 facilities). We also determined that
there was a lack of direct coordination between SMD and some regions. We
interviewed PACS coordinators associated with each of the EPA facilities that
had completed PACS upgrades, and some informed us that SMD did not
communicate or provide guidance.
The SMD Director told us that an EPA workgroup has discussed issues related to
the smartcard program across the country. According to the Director, the
workgroup is made up of representatives from various programs and locations and
is designed to resolve issues and determine necessary Agency-wide standards. In
September 2012, the Director said that EPA would have national procedures in
place by December 31, 2012.
Another reason the PACS upgrade process has been inconsistent is that SMD did
not follow the plan submitted to OMB for carrying out the smartcard program.
According to the SMD Director, the last time SMD submitted a formal PACS
upgrade plan to OMB was in 2008. As discussed in chapter 2, EPA did not follow
13-P-0200
12
-------�
the process it laid out in that 2008 plan. If EPA's plans and approach have
changed, it should formally notify OMB of those changes so OMB can hold EPA
accountable.
EPA Needs to Designate a Single Office to Administer Its Smartcard
Program
At present, EPA does not have a clearly identified office in charge of its smartcard
program. Program accountability is dispersed among offices and management. The
Federal Identity, Credential, Access Management (FICAM) Roadmap and
Implementation Guidance—issued in December 2011 by the Federal Chief
Information Officers Council—lays out guidance for federal agencies to, among
other things, increase security and improve inter-operability with the use of
smartcards. In February 2011, OMB issued memorandum M-l 1-11 requiring
agencies to follow the FICAM guidance. In M-l 1-11, OMB, through an attached
memorandum from DHS, asked each agency to "... designate an agency lead
official..." for implementing HSPD-12. While OMB asked agencies to designate
one person, EPA designated two people as lead officials. EPA identified OARM's
Director of the Office of Administration as well as EPA's Senior Agency
Information Security Officer (within OEI) as lead officials for HSPD-12
implementation. SMD and OEI managers told us that they believe that EPA was
the only agency that provided more than one point of contact to OMB.
According to the FICAM guidance, each agency should have a formal governance
structure that creates and assigns a specific group to (a) provide oversight and
management; and (b) develop and enforce agency-specific policies, processes,
and performance measures. Oversight of the program could come from an
executive steering committee and, if so (per the guidance), the committee should
have a charter that establishes the group's authority to enforce changes to align
the program with the agency's overall mission.
SMD and OEI managers told us that the Assistant Administrators for OARM and
OEI have been discussing with EPA's Chief Financial Officer over the last year
the idea of creating one office to oversee the Agency's smartcard program. In
response to our draft audit report, EPA told us it plans to decide which entity will
implement and oversee its smartcard program by June 30, 2013.
EPA Not Maximizing Efficiency and Security Within PACS
Because EPA has not established consistent national physical access procedures,
regions have established different methods to gain access. With multiple
processes to manage, EPA is not realizing the potential benefits of a standardized
process such as lower equipment and maintenance costs and an overall greater
understanding of how the process works. Furthermore, EPA cannot assure it is
using the best approach nationally. If one physical access process is more
effective than others, EPA should use that process nationwide. However, since
13-P-0200
13
-------�
there is a lack of coordination among the different locations, good ideas used by
one region may not be benefitting other regions.
Conclusions
We recognize that EPA operates under a culture where regions often establish
their own processes for various programs. However, the inconsistency with which
EPA has upgraded PACS is impeding EPA's ability to have intra-operable
systems for EPA employees, much less inter-operability with other agencies. EPA
should follow a national process for physical access to its facilities. Inter-
operability is a primary goal associated with HSPD-12. Because the locations
where EPA completed PACS upgrades are not intra-operable, EPA might have to
spend additional funds to achieve national consistency. EPA has already spent
over $12.8 million upgrading PACS. EPA should specify a consistent process for
all regions to ensure that physical access systems can be inter-operable. EPA
should also increase accountability over its smartcard program by clearly
identifying one senior executive responsible for implementation and oversight.
Stronger leadership over the program should help address the issues related to
inconsistency that we have identified.
Recommendations
We recommend that the Assistant Administrator for Administration and
Resources Management:
2. Develop national policies and procedures for PACS that foster consistent
physical access to EPA offices around the country.
We recommend that the Deputy Administrator:
3. Establish one entity responsible for implementing and overseeing the
Agency's smartcard program, including physical and logical access.
Agency Comments and OIG Evaluation
EPA did not concur with recommendation 2 in our draft report. EPA stated it
disagreed with the word "inter-operable" in the recommendation because the
EPASS badge is inherently intra-operable across the Agency and inter-operable
with other federal agencies. EPA emphasized that the smartcard and PACS
programs fully support inter- and intra-operability in compliance with all
requirements and standards. As a result, EPA requested that the OIG remove the
words "and inter-operable" from recommendation 2.
EPA stated that it agreed with the OIG that fostering consistent facility access
procedures is important, with the understanding that procedures should be
responsive to local security conditions and the range of real estate arrangements at
13-P-0200
14
-------�
EPA facilities. EPA stated that what has been lacking is a clear understanding by
all offices of the capabilities of the smartcards and PACS, as well as an Agency-
wide policy on using smartcards for facility access. Therefore, EPA proposed in
its response to do the following two things by no later than March 31, 2013:
(1) disseminate information to regional personnel on existing capabilities of the
smartcards and PACS, and (2) submit an EPA-wide policy titled Use of the PIV
Cardfor Facility Access through the Agency's directives clearance process. The
purpose of the policy is to provide consistent application of physical access
controls; describe requirements for granting access to PIV-enabled EPA-
controlled buildings and spaces; and define the roles and responsibilities of all
parties involved in granting access to EPA facilities.
We removed the word "inter-operable" from the recommendation 2 language.
We believe that EPA's planned efforts to educate regional personnel on the
capabilities of the smartcards as well as to develop an Agency-wide policy to
foster consistent access procedures are adequate corrective actions. We fully
understand EPA's position that the EPASS badges are designed to be intra- and
inter-operable, as the smartcards comply with FIPS 201 requirements. The issue
that we presented in this chapter does not focus on any identified deficiencies
with the smartcard (badge) itself but rather on how EPA has allowed the
smartcards to be used for access in different ways across the country. EPA's
planned corrective actions, particularly to issue a national policy on access
procedures, should resolve the issues we identified during our audit. As a result,
we consider recommendation 2 resolved with corrective action pending.
EPA concurred with recommendation 3. Under the Deputy Administrator's
direction, EPA plans to determine the entity responsible for implementing and
overseeing EPA's smartcard program by no later than June 30, 2013. We are
pleased that discussions occurred over the last year between the Assistant
Administrators for OARM and OEI and the Chief Financial Officer to consider
creating one office to oversee the Agency's smartcard program. We consider
recommendation 3 resolved with corrective action pending.
For EPA's detailed comments on this chapter and additional OIG responses, see
appendix D.
13-P-0200
15
-------�
Chapter 4
EPA Acquired and Deployed Smartcard Technology
Without Assuring Costs Were Reasonable
EPA has not maintained sufficient documentation to make sound cost-related
decisions for upgrading PACS. We found numerous independent government cost
estimates (IGCEs) that were not prepared appropriately. For example:
• There was no evidence that some IGCEs were final.
• A cost estimator who was not employed at EPA was the only name on
several IGCEs.
• At least one IGCE was prepared to match the winning contractor's
proposed offer.
• For three PACS contracts, no IGCEs were prepared.
In addition, contracting officers did not certify that EPA bought only approved
products and services that complied with HSPD-12 requirements. SMD did not
have a process in place to analyze actual costs from completed upgrades for future
cost estimating purposes due to issues within the program and contract
management offices. SMD staff said they were not familiar with EPA OAM's
IGCE Manual and GAO's cost estimating guide. OAM's contracting officers did
not always ensure files contained necessary documentation of price
reasonableness. EPA plans to spend an additional $10.6 million to upgrade PACS,
and a lack of assurance that costs are fair and reasonable will remain if EPA
continues to award contracts without conducting sound cost analysis.
Cost Data and Documentation Requirements
OAM is responsible for the policies, procedures, operations and support of EPA's
procurement and contracts management program, from contract planning through
closeout. In June 2010, OAM issued its most recent update to its EPA Guide for
Preparing Independent Government Cost Estimates. This guidance states that
IGCEs are an integral tool for effective acquisition programs in both government
and private industry.
OAM's Manual for Preparing IGCEs
GAO's Cost Estimating and Assessment Guide (GAO-09-3SP) as well as OAM's
IGCE Manual (June 2010 Revision) state that:
... programs should be monitored continuously for cost control by
comparing planned and actual performance against the approved
program baseline [IGCE]... cost or schedule variances resulting
13-P-0200
16
-------�
from incorrect assumptions should always be thoroughly
documented so as not to repeat history, and all historical data should
be archived in a database for use in supporting future estimates.
OAM's manual states an IGCE is a detailed estimate of the cost to the
government to acquire services and/or supplies, typically from contractors. It also
defines estimates as a projection or forecast of the economic or financial value of
goods or services to be delivered in the future. IGCE users should be able to trace
the data, calculations, modeling assumptions, and rationale back to the source
document for verification and validation. In addition, it recommends that IGCEs
contain the name and signature of the document preparer. A successful acquisition
process requires collaboration between the program and procurement offices.
When a program office prepares a meaningful IGCE, the contracting officer can
use that document to facilitate the determination of fair and reasonable pricing in
the procurement process.
OAM Contracts Management Manual
OAM's Contracts Management Manual states that project officers shall submit
IGCEs for all contract actions, with a potential value in excess of $150,000
(the Federal Acquisition Regulation [FAR] threshold) for simplified acquisitions.
In addition, it states, that IGCEs "are an integral part of any effective acquisition
program." Section 7.3 of the manual specifies that the contracting officer will
perform the necessary analysis leading to a decision to lease or purchase
equipment considering comparative costs and other factors. It also states that the
project officer and contracting officer share responsibility for making sure the
procurement initiation package is complete. This package is required for all
procurements above the FAR threshold.
FAR Requirements for Contract Documentation
FAR Part 4.801(b) states that the documentation in files shall be sufficient to
constitute a complete history of the transaction. FAR Part 4.803(a) provides
examples of records normally contained, if applicable, in contract files. These
documents should include, but are not limited to, justifications and approvals,
determinations, findings and associated documents, government estimate of
contract price; a copy of each offer or quotation; source selection documentation;
and cost or price analysis. FAR Part 4.803 also requires that federal agencies
maintain documentation to evidence the contracting officer's determination of a
fair and reasonable price. FAR 4.1302 states that agencies must purchase only
approved personal identity verification products and services. When acquiring
personal identity verification products and services not using GSA Federal Supply
Schedule 70, agencies must ensure and certify that the applicable products and
services are approved as compliant with FIPS 201.
13-P-0200
17
-------�
EPA Did Not Maintain Sufficient Documentation to Support PACS
Decisions
We obtained IGCEs for most of the projects, although there were no IGCEs for
three. We also identified questionable IGCE preparation practices for PACS
upgrades. Contract files for some PACS upgrades were incomplete. SMD was
unable to provide us with evidence of detailed cost analysis for PACS projects.
Missing IGCEs
SMD was unable to locate IGCEs for the following three PACS upgrade projects:
Potomac Yard, Arlington, Virginia; Fort Meade, Maryland; and Montgomery,
Alabama. All of these projects exceeded the $150,000 FAR threshold, making it
mandatory that an IGCE be prepared, per OAM's Contracts Management
Manual. SMD paid contractors approximately $1.5 million for these three
upgrades but was unable to produce IGCEs documenting SMD's assessment of
what the cost should have been in each case. Specifically:
• Potomac Yard project in 2006 (Contract GS07F0142L / EP06H001120):
EPA was unable to locate much of the documentation associated with this
contract, other than a copy of the order, dated February 16, 2006, and a
copy of Amendment 1 also from February 2006 that was a $4,623
de-obligation action to close out the file. Months after our original request,
OAM was able to produce a copy of the Request for Quotes and
correspondence related to bid evaluation. There was no IGCE for this
project.
• Fort Meade project started in 2008 (Contract GS-07F-7823C / EP-08H-
000750 /EP-08H-001533 /EP-G11H-00126): The file contained no
documentation of contractor performance or IGCE.
• Montgomery, Alabama, project in 2008 (Contract GS-Q7F-7823C /
EP-10H-001546): We found no IGCE in the file. SMD informed us it was
unable to locate a copy of the IGCE for that contract.
Questionable IGCE Preparation Practices
We found that the contract file for the Region 1 main building upgrade in Boston
contained an IGCE prepared by SMD's IGCE contractor consultant for the exact
amount of the original procurement order for the primary PACS upgrade, or
$2,322,852.08. When we asked the consultant about this, he acknowledged that he
did not have support for the figures included in the IGCE and that he simply
followed instructions from a former SMD manager to prepare an IGCE for the
Boston project. The consultant told us that he "plugged" some numbers into
certain cost categories on the IGCE template to make the total equal the contract
award amount. He told us that he would not have done this on his own; someone
13-P-0200
18
-------�
at EPA instructed him to do it that way. In that instance, the IGCE that EPA
prepared was essentially meaningless as it was simply prepared to match the
award amount.
We found several IGCEs that were not signed or dated and did not show evidence
of EPA approval. Of 15 contracts we reviewed, 3 contained an IGCE prepared by
the consultant. Through the end of 2011, documentation that we were provided
showed that the consultant's estimates were considered by SMD to be the final
IGCE. We found that those IGCEs prepared by SMD's consultant had the
consultant's name at the top but neither SMD nor OAM personnel signed the
estimates. The later IGCEs that the SMD contracting officer's representative
prepared were not dated or signed by SMD or OAM staff. According to the
contracting officer's representative, he now includes his estimates in the
procurement initiation notice package. However, he did not sign them or have other
evidence demonstrating that the IGCE was considered final and approved. SMD
staff acknowledged that the consultant's estimate should not constitute the final
estimate.
Contract Files for PACS Projects Incomplete
Contracts awarded between 2006 and 2010 were very poorly documented. In
general, files did not contain evidence of contractor oversight, such as invoices,
work progress reports, or certification of work completion. While both OEI and
SMD acquired products and services from contractors that were not on GSA's
Qualified HSPD-12 Service Providers list, OAM did not always certify that all
products procured were approved and complied with all federal requirements.
OAM managers and staff said Statements of Work that they develop require
vendors to propose only approved products. In one case, SMD had scramble pad
readers installed at Region 6's Addison, Texas, Continuity of Operations facility
in 2009. According to SMD personnel, those card readers were not on GSA's
approved products list in 2009 and EPA should not have installed them. The
PACS readers installed at that facility cost more than $497,000, and do not
comply with Section 508 of the Americans with Disabilities Act. Region 6 asserts
that it never wanted them but SMD gave them no choice. Region 6 facilities
personnel told us that they are requesting that SMD replace them to match the
card readers in Region 6's main building.
SMD Did Not Analyze PACS Costs
SMD did not have a process in place to analyze actual costs from completed
upgrades for future cost estimating purposes. In one case (Boston), SMD could
not provide the actual cost of the PACS component of the installation contract.
That contract included other security items such as closed circuit television. SMD
said that the contractor quotes did not separate the price of the different
components. As a result, this cost information was not available as a basis for
comparison to evaluate subsequent procurements, as required by the criteria
13-P-0200
19
-------�
documents cited above. EPA awarded other contracts that also contained costs for
security features in addition to PACS. In some cases, regional EPA contacts
provided information to clarify PACS costs, but SMD was not able to provide us
with the appropriate documentation. SMD's contracting officer representative
had, on his own initiative, attempted a comparison of contract costs in 2011 but
was unable to include the above-cited contracts in the comparison. The
contracting officer's representative acknowledged he is not required to perform
this kind of analysis as a part of his regular duties and his supervisor—the PACS
Project Manager—was unaware that he had attempted the analysis.
Project and Contract Management Staff Did Not Assure Adequate
Data Were Maintained
Lack of cost data and incomplete contract files resulted from issues within both
the project management and contract management offices. When the PACS
upgrades started, staff and management turnover was an issue. Some employees
with responsibilities for the PACS contracts left, and neither SMD nor OAM
could locate some of the file documentation. In addition, OAM's contracting
officers did not always ensure that the files contained necessary documents for
some PACS contracts. SMD staff was not aware of the OAM IGCE Manual or the
GAO Cost Estimating and Assessment Guide. SMD officials acknowledged they
had not received training in this area. Further, SMD did not have a process in
place to conduct and document cost analysis after projects were completed (for
example, analyzing cost per reader/door, etc.) to gain assurance that future project
costs were reasonable based on experience.
In July 2012, GAO issued a report titled Information Technology Cost Estimation:
Agencies Need to Address Significant Weaknesses in Policies and Practices
(GAO-12-629). GAO reported that EPA information technology investments only
partially met requirements for complying with cost-estimating best practices, and
did not meet requirements for providing cost estimating training. EPA also did not
have a process to collect and store cost-related data. GAO concluded that until
weaknesses are addressed, it will be difficult for EPA to use cost estimates to
make informed decisions, formulate realistic budgets, or meaningfully measure
progress for information technology projects.
Conclusions
EPA needs accountability for procurement decisions relating to PACS. SMD and
OAM made procurement decisions without the benefit of required cost
information. Of the $12.8 million EPA spent on PACS projects, it did not have
the necessary documentation to show that the costs were fair and reasonable for
$3.8 million (30 percent). In addition, EPA needs to ensure that it properly
documents the cost analysis information in the future to ensure costs are
reasonable and fair. According to EPA estimates, EPA plans to spend another
13-P-0200
20
-------�
$10.6 million on PACs upgrades. EPA should conduct cost analysis on these
future upgrades to ensure fair and reasonable prices.
There was no evidence that collaboration between SMD and OAM occurred.
Furthermore, since the IGCEs were missing from some contract files, it appears
that OAM did not use them at all in some cases. In addition, during the course of
our review, SMD continually made revisions to the IGCEs that it had previously
given us or changed its analysis. As a result, we were not confident that the data
SMD was providing in the IGCEs was finalized or accurate.
Recommendations
We recommend that the Assistant Administrator for Administration and
Resources Management:
4. Hold contracting officers accountable for maintaining complete files for
PACS contracts, including documenting fair and reasonable price
determinations, progress and completion of contracted work, and
certifying that products for PACS procurements meet requirements in
FAR Part 4.1302.
5. Enforce applicable guidelines pertaining to IGCEs, including:
a. Preparing IGCEs for all procurement actions in excess of the FAR
threshold.
b. Adopting an official IGCE format that shall include the name and
signature of the preparer, the date prepared, and the signature of
the approving official.
c. Establishing a process that SMD can use to conduct and document
cost analyses of prior upgrades to ensure that future project costs
are reasonable.
d. Establishing a requirement that SMD staff involved with preparing
and reviewing IGCEs certify that they have read OAM's IGCE
Manual and understand the guidance.
Agency Comments and OIG Evaluation
EPA concurred with recommendation 4, stating that audit findings in this chapter
are consistent with similar findings that OAM reviews have found related to
internal controls and oversight systems. EPA responded that to ensure file quality,
OAM conducts multiple types of contract file reviews. In these reviews, contract
file content is a significant review element. Findings from these reviews are
13-P-0200
21
-------�
provided to contracting officers for corrective action, if necessary, and used by
OAM to identify policy gaps and possible training topics for contracting staff.
EPA stated in its response to recommendation 4 that it already completed
corrective actions before the end of December 2012 that address our
recommendation. We requested that OAM send us information related to any such
actions. According to OAM, it has implemented a Balanced Scorecard
Performance Management and Measurement Program, which contains a self-
assessment and peer review and oversight component. A primary purpose of the
Peer Review and Self Assessment Checklist, dated August 2012, is to conduct file
reviews to assess the quality of the contracting process at EPA, including
thorough file reviews. We reviewed this document and believe that, if followed,
these reviews would address our recommendation, so we consider
recommendation 4 closed upon issuance of this report.
EPA partially concurred with recommendation 5. Specifically, it agreed with
recommendations 5a and 5b. For 5a, OAM stated that it agrees with the OIG that
the IGCE policy as currently written does not distinguish between types of IGCEs
or the level of detail required in IGCEs for different types of acquisitions. OAM
agreed to review its current policy and provide more details and specific guidance
pertaining to when an IGCE is required, at what threshold, and the level of detail
required, to ensure the clarity, consistency, and significance of IGCEs prepared.
OAM stated it would revise its policy by September 30, 2013. We agree with
EPA's proposed action and consider this recommendation resolved with
corrective action pending.
Regarding 5b, EPA responded that because each program in EPA is unique there
is no "one-size-fits-all" IGCE format nor should there be. OAM agreed with the
OIG that IGCEs should be thoughtfully prepared and reviewed. OAM is in the
process of implementing EPA's Paperless Acquisition Program. This is an
initiative that allows cost estimates to be included with electronically submitted
procurement packages. This includes information on who developed and
approved the procurement information. EPA plans to have the system
implemented by September 30, 2013. We agree that this new system will address
recommendation 5b and consider the recommendation resolved with corrective
action pending.
Regarding recommendation 5c, OAM stated that the responsibility for conducting
cost analysis resides with contracting officers, according to the FAR, and not with
program offices. OAM further stated that its oversight program covers ensuring
that cost analysis is performed. Regarding recommendation 5d, OAM said that
training on IGCEs is part of the training that contracting officer representatives
get before they are certified. As a result, OAM stated that it did not believe that a
separate IGCE certification for SMD staff was necessary.
13-P-0200
22
-------�
Regarding recommendations 5c and 5d, we accept OAM's rationale that cost
analysis is to be performed by contracting officers. We also concur that OAM's
IGCE training for new contracting officer representatives should address our
recommendation. Therefore, we consider recommendations 5c and 5d closed
upon issuance of this report.
For EPA's detailed comments on this chapter and additional OIG responses, see
appendix D.
13-P-0200
23
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Rec.
No.
Page
No.
Subject
Status1
Planned
Completion
Action Official Date
Claimed
Amount
Agreed To
Amount
8 Re-prioritize the remaining facility upgrades by
security level from highest to lowest, complete all
remaining upgrades according to security level, and
require the SMD Director to provide written justification
for upgrading Level 1 facilities.
14 Develop national policies and procedures for PACS
that foster consistent physical access to EPA offices
around the country.
14 Establish one entity responsible for implementing and
overseeing the Agency's smartcard program, including
physical and logical access.
21 Hold contracting officers accountable
for maintaining complete files for PACS contracts,
including documenting fair and reasonable price
determinations, progress and completion of contracted
work, and certifying that products for PACS
procurements meet requirements in FAR Part 4.1302.
21 Enforce applicable guidelines pertaining to IGCEs,
including:
a. Preparing IGCEs for all procurement actions in
excess of the FAR threshold.
b. Adopting an official IGCE format that shall
include the name and signature of the preparer,
the date prepared, and the signature of the
approving official.
c. Establishing a process that SMD can use to
conduct and document cost analyses of prior
upgrades to ensure that future project costs are
reasonable.
d. Establishing a requirement that SMD staff
involved with preparing and reviewing IGCEs
certify that they have read OAM's IGCE Manual
and understand the guidance.
Assistant Administrator 06/30/2014
for Administration and
Resources Management
Assistant Administrator 03/31/2013
for Administration and
Resources Management
Deputy Administrator 06/30/2013
Assistant Administrator 12/31/2012
for Administration and
Resources Management
Assistant Administrator
for Administration and
Resources Management 09/30/2013
09/30/2013
12/21/2012
12/21/2012
O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
13-P-0200
24
-------�
Appendix A
Details on Scope and Methodology
During our audit, we reviewed:
• HSPD-12 and associated criteria including FIPS 201 and OMB Memos M-05-24,
M-06-18, and M-ll-11
• EPA plans and policies regarding smartcard implementation
• All contracts that were awarded to upgrade physical and logical access control systems to
comply with HSPD-12
• IGCEs and other cost-related documents for PACS contracts
During our audit, we interviewed:
• SMD's Director and Deputy Director, as well as the PACS project manager and other staff
• OEI Senior Agency Information Security Officer and staff
• EPA PACS coordinators from all regions where PACS were upgraded
• The EPA contractor who prepared PACS cost estimates for SMD
• OAM contract management staff
• DHS' Identity Management Division Chief
We issued a survey to individuals who SMD and OEI designated as primary contacts for
physical and logical access systems. We issued the survey to ensure we received widespread
input relating to EPA's progress in implementing HSPD-12.
We conducted a site visit to EPA's Region 1 located in the McCormack Building in Boston,
Massachusetts. We selected Region 1 for a site visit because, of all of the completed upgrades,
its upgrades were the most costly.
We coordinated with OMB's Assistant General Counsel on specific parts of its HSPD-12-related
memos.
13-P-0200
25
-------�
Appendix B
Prior OIG and GAO Audit Reports
EPA OIG Reports
Report
number / date
HSPD-12 issues identified
Recommendations/corrective
actions
09-P-0233,
September 2009
EPA did not properly account for all property
for implementing the issuance of smartcards
under HSPD-12. The OIG found that: (1) four
pieces of property valued at $29,538 were
missing and not recorded in fixed assets
subsystem, (2) acquisition costs in fixed assets
subsystem were incorrect for some equipment,
and (3) EPA did not accurately record required
nonfinancial information for several pieces of
property.
EPA needed to use established procedures
to resolve accountability for the missing
property, and review accuracy of HSPD-12
property information. EPA also needed to
modify the HSPD-12 contract to reflect
contractor requirements and accountability
for using government property in
government facilities.
EPA established a December 2009
milestone for resolving missing HSPD-12
property and updating the Fixed Assets
Subsystem with accurate records. The
Agency also modified the contract on July
22, 2009, to reflect contractor requirements
and accountability for the HSPD-12
property.
08-P-0271,
September 2008
EPA did not require the EPASS contractor to
follow Agency procedures for developing
smartcards. EPASS did not have a certified
Project Manager authorized to oversee the
contractor's work. EPA also paid for contractor
labor overcharges worth over $75,000.
EPA needed to (a) develop and maintain an
EPASS System Management Plan,
(b) appoint an EPASS Project Manager,
(c) outline and reinforce compliance with
EPA invoice reviewing guidance, and
(d) ensure EPA collects from the contractor
the amount EPA overpaid for billing rate
errors.
EPA agreed to address the
recommendations contained in (a), (b), and
(c) by January 2009. EPA reported it had
already addressed recommendation (d) at
the time its corrective action plan was
issued.
08-P-0267,
September 2008
An employee's ID card had the ID documents
and other identifying information of another
EPA employee. EPA procedures did not
require EPASS staff to visually inspect
employees' ID documents. EPA also lacked
procedures for handling and disposing of
defective smartcard badges.
EPA needed to (a) update card issuance
procedures (including visually inspecting ID
documents and comparing them to
applicant), (b) create incident-handling
procedures when errors occur, and (c) create
and implement procedures for disposal of
defective ID badges.
EPA agreed with all three recommendations
and planned to complete all three by
December 2008.
13-P-0200
26
-------�
DHS OIG Reports
Report
number / date
HSPD-12 issues identified
Effects/recommendations
DHS OIG-10-40,
January 2010
Resources and security issues hinder DHS'
implementation of HSPD-12. DHS does not
have a plan to implement successfully a robust
program to increase physical and logical access
security within the department. The absence of
an HSPD-12 program implementation plan
department-wide deployment strategy, and
sufficient resources are hindering progress.
Components currently have their own
individual physical access control systems,
which will need to be consolidated into DHS'
Headquarters PACS sometime in the future.
More work remains to ensure that DHS
consolidates its infrastructures to support
HSPD-12 program. In addition, DHS needs
an interface between the card issuance
system. Identity Management System, and
PACS. Necessary facility upgrades need to
be completed at component locations to
ensure personal identity verification cards
are inter-operable with DHS' physical and
logical access control systems.
DHS OIG-08-01,
October 2007
DHS has made progress but more work remains
in meeting HSPD-12 requirements.
DHS has not: (1) effectively managed the
implementation to ensure that the department
can meet all mandated milestones, (2) provided
its components with sufficient guidance for
their sites implementation of HSPD-12,
(3) complied with OMB implementation
reporting instructions, (4) identified to what
extent PIV cards will be used or required in
order to access facilities or information
systems, and (5) determined which facilities
will require PIV cards in order to gain physical
access.
DHS does not have a certified and
accredited operational system to support the
implementation of HSPD-12. Specifically,
DHS has not acquired the capability to issue
PIV cards to its headquarters employees and
contractors, and bring its system to
production readiness.
13-P-0200
27
-------�
GSA OIG Report
Report
number / date
HSPD-12 issues identified
Effects/recommendations
GSA OIG
A040111/P/R/R05002,
January 2005
GSA hindered implementation of the
smartcard credentials by a lack of a vision
for incorporating the smartcard credential as
a component of agency-wide security. As a
result, the credentialing program will have
only a limited impact on the security over
physical access to buildings and facilities
due to a variety of factors, including
inconsistent controls and a lack of
supporting infrastructure. Further, other
aspects of the smartcard initiative—such as
integrated security practices, inter-
operability, and procurement issues—
will also be problematic for an effective
implementation.
Although GSA has provided guidance and
procurement vehicles for agencies to
implement smartcards, until recently it had
made only limited progress in
implementing smartcards within the
agency.
GAO Reports
Report
number / date
HSPD-12 issues identified
Effects/recommendations
GAO-06-178,
February 2006
The federal government faces significant
challenges in implementing FIPS 201. It will be
a challenge to test and acquire compliant
commercial products—such as smartcards and
card readers—w ithin required periods, and
reconcile divergent implementation
specifications. Incomplete guidance regarding
the applicability of FIPS 201 to facilities,
people, and information systems is a potential
for substantial cost increases.
Until agencies address implementation
challenges, the federal government may not
fully realize the benefits of FIPS 201.
Specifically, agencies may not be able to
meet implementation deadlines established
by OMB, and more importantly, true inter-
operability among federal government
agencies' smartcard programs—one of the
major goals of FIPS 201—may not be
achieved.
GAO-05-84T,
October 2004
While smartcard technology offers benefits,
launching smartcard projects—whether large or
small—has proved challenging to federal
agencies and efforts to sustain successful
adoption of the technology remains difficult.
The successful adoption of smartcards
throughout the federal government has been
a challenging task, and federal agencies'
adoption of this technology continues to
evolve.
13-P-0200
28
-------�
Appendix C
List of Contracts Awarded as of March 2012
for PACS Upgrades
#
Contract # / Order
Location
Actual Cost
1
GS07F0142L / EP06H001120
HQ: Potomac Yard, Arlington, VA
$560,229
2
RWA N0043821 Amendment #4
Region 6: COOP - Addison, TX
829,584
3
RWA B0334475
Region 1: HQ - Boston, MA
3,081,709
RWA A0550220
RWA A0786418
4
GS07F0103M DO#5
Cincinnati, OH: AWBERC, Norwood, Center Hill,
Test and Evaluation; Erlanger, KY
393,374
5
GS07F0317K / EP09H001359
Region 8: HQ Denver, CO; NEIC, NETI (Lakewood,
CO); Golden, CO; Helena, MT
900,477
GS07F0317K / EP09H001605
6
GS07F0317K / EP10H000322
Research Triangle Park: Mega Labs A/B, C, D/E,
High Bay; NCC, FEELC, Page Road; Durham /
Chapel Hill, NC
1,139,396
GS07F0317K / EP10H001635
EP10H001578
7
GS07F0317K / EP 10H002003
Region 6: HQ - Dallas, TX
823,094
8
GS07F7823C /EP08H000750
Fort Meade, MD
255,763
EP10H001533
GS-07F-7823C/ EP-GIIH-0012 6
9
GS07F7823C /EP08H001546
Montgomery, AL
687,821
10
GS07F0450K / EP10H002195
Region 5: HQ, Lab; COOP - Willowbrook, IL
778,790
11
GS07F0489V / EP10H002230
Region 3: HQ - Philadelphia, PA; Boothwyn, PA;
Linwood, PA; Wheeling, WV
530,394
12
GS-07F-0317F/ EP-G11H-00204
Ann Arbor Laboratory, MI
940,644
13
GS-07F-0178W/ EPG11H000667
Guaynabo, Puerto Rico
587,669
14
EP11H000874
Region 2: HQ - New York, NY; Edison Lab, Edison
NJ
1,481,898
15
GS07F450K / EPG11H00248
Region 4: HQ - Atlanta, GA; ERD, SESD, Athens,
GA
983,985
Total
$13,974,828 1
Source: EPA's SMD
1 The dollar amounts in the table above, in some cases, are higher than the amount EPA spent specifically for PACS.
This is because several of those contracts included costs for other security upgrades such as CCTV.
13-P-0200
29
-------�
Appendix D
Agency Response
December 21, 2012
MEMORANDUM
SUBJECT: Response to Office of Inspector General Draft Report No. OA-FY11-1789,
"Improvements Needed in EPA's Smartcard Program to Ensure Consistent
Physical Access Procedures and Cost Reasonableness," dated November 8, 2012
FROM: Renee Page
Director, Office of Administration
John R. Bashista
Director, Office of Acquisitions Management
TO: Melissa Heist
Assistant Inspector General for Audit
Thank you for the opportunity to respond to the issues and recommendations in the subject draft
audit report. Following is a summary of the agency's overall position, along with its position on
each of the report recommendations. For those report recommendations with which the agency
agrees, we have provided high-level intended corrective actions and estimated completion dates
to the extent we can. For those report recommendations with which the agency does not agree,
we have explained our position and proposed alternatives to recommendations. We have also
addressed selected factual inaccuracies in the report.
AGENCY'S OVERALL POSITION
Of the three major components of the federal smart card program-the badge, physical access
control and logical access control-the Office of Administration is responsible for the first two.
Regarding the primary subject of this draft report, physical access control, EPA is compliant with
all applicable federal requirements and technical standards. We disagree with Recommendations
1 and 2 and all related text indicating we are not compliant. We agree with Recommendation 3.
The report as a whole presents an inaccurate picture of the EPASS physical access control
program. The majority of conclusions concerning physical access are not supported by sufficient
and relevant evidence and are not logical inferences about the program.
Regarding the contracts-related portions of the report, the Office of Acquisition Management
agrees with Recommendation 4; the findings in the draft report are consistent with similar
findings under the Office of Acquisition Management's previous quality assurance program,
which indicated a need to improve EPA's acquisition-related internal controls and oversight
systems. OAM partially agrees with Recommendation 5, and believes the documentation
supporting the sub-recommendations inflates the level of significance of the findings.
13-P-0200
30
-------�
AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS
Agreements
No.
Recommendation
High-Level Intended
Corrective Action(s)
Estimated
Completion by
Quarter and FY
3
Establish one entity responsible for
implementing and overseeing the
agency's smartcard program,
including physical and logical
access.
Under direction of the Deputy
Administrator, relevant
stakeholders will convene to
determine the entity responsible
for implementing and overseeing
the program.
Q3 FY 2013
4
Hold contracting officers
accountable for maintaining
complete files for PACS contracts,
including documenting fair and
reasonable price determinations,
progress and completion of
contracted work, and certifying that
products for PACS procurements
meet requirements in FAR Part
4.1302.
See discussion below
Completed
Q1 FY 2013
5a-b
Enforce applicable guidelines
pertaining to IGCE, including:
a. Preparing IGCEs for all
procurement actions in excess of
the FAR threshold.
b. Adopting an official IGCE
format that shall include the
name and signature of the
preparer, the date prepared, and
the signature of the approving
official.
See discussion below
a. Q4 FY
2013
b. Completed
Q1 FY
2013
Recommendation 4
OARM/OAM agrees with this recommendation. Acquisition Handbook Chapters 4 and 42, and
Contract Management Manual Chapters 7 and 42, contain significant policy and guidance
pertaining to contract file documentation, such as required supporting documentation, approvals,
and checklists. Findings in the Draft Report are consistent with similar findings under OAM's
previous Quality Assurance Program which indicated a need to improve EPA's acquisition-
related internal controls and oversight systems. As such, in FY 2011 OAM implemented the
Balanced Scorecard (BSC) Performance Measurement and Management Program. Under the
13-P-0200
31
-------�
BSC Program, OAM uses a combination of objective performance measures, quality assurance
plans, self-assessment reviews, peer reviews, and training, to review, ensure and facilitate
compliance with procurement statutes, regulations, policies, procedures, and other guidance.
To ensure file quality, OAM conducts multiple types of contract file reviews including: routine
peer reviews and random sampling file reviews in accordance with contracting office Quality
Assurance Plans (QAPs), and Self-Assessment Reviews under the OAM-wide Contract
Management Assessment Program (CMAP) review. In each of these reviews, contract file
content in terms of compliance and quality are meaningful review elements. Findings resulting
from these reviews are provided to the Contracting Officers of record for corrective action if
necessary, and are used by the organization to identify policy gaps, and as possible training
topics for contracting staff.
Recommendation 5
As a general comment on the OIG's review in this area, OAM believes the documentation
supporting these recommendations inflates the level of significance of these findings. Of the 22
files cited in the report, 18 were for the acquisition of supplies or services that meet the definition
of a commercial item so a detailed IGCE is not required, 16 were acquired on a firm-fixed-price
basis so a detailed IGCE is not required, 15 were for GSA Schedule orders so a detailed IGCE
was not required, and 6 were valued at less than the Simplified Acquisition Threshold so an
IGCE was not required. However, OAM continues to make efforts to ensure proper IGCEs are
developed with new procurement packages as required by CMM 7.3.5.7. In October 2012, OAM
released Interim Policy Notice 12-03 - Acquisition Planning, which puts greater emphasis on the
combined planning efforts (including the development of IGCEs) of the program and contracting
offices for each new acquisition greater than the SAT.
Sub-recommendation a: Having raised these anomalies, OAM agrees IGCE policy as currently
written fails to distinguish between different types of IGCEs or the level of detail required in an
IGCE for different types of acquisitions. As indicated above, many of the contract files reviewed
in this audit were for commercial item products acquired competitively on a firm-fixed-price
(FFP) basis through contracts managed by the General Services Administration (i.e. GSA
Schedule Contracts). Competitive orders for FFP commercial item products through GSA
Schedule Contracts do not rely on a detailed estimate of cost elements found in an IGCE as the
basis for fair and reasonable pricing. In these instances, the most appropriate type of IGCE would
be for a "Price Estimate" which the Federal Acquisition Institute (FAI) describes as "a bottom
line firm-fixed price". Accordingly, OAM will review current policy to provide more details and
specific guidance on the circumstances under which an IGCE is required, including at what
threshold, as well as the content and level of detail and documentation required, to ensure clarity
and consistency of IGCE's, and also to ensure IGCE's serve as meaningful tools in the
acquisition process.
Sub-recommendation b: The EPA Guide for Preparing Independent Government Cost
Estimates, June 2010 published on OAM's web-site contains information and guidance on the
types, methodologies, and techniques for developing IGCE's, as well as samples and approaches.
However, emphasis on the program specific nature of the IGCE is a common theme throughout
13-P-0200
32
-------�
the guide, and as such there is no way to develop a "one-size-fits-all" IGCE format. OAM does
agree that IGCE's should be thoughtfully prepared and reviewed. To that end, OAM is currently
developing a Paperless Acquisition Program to receive procurement documentation exclusively
in electronic format through the Agency's acquisition system, EAS. EAS allows program offices
with new contract requirements to attach supporting documents (including IGCEs) into an
electronic requisition and route through the program office for review and approval. OAM
believes creation of this electronic record will both increase the efficiency of the procurement
process, but also satisfy sub-recommendation b.
Disagreements
No.
Recommendation
Agency Explanation/
Response
Proposed Alternative
1
Reprioritize the remaining facility
upgrades by security level from
highest to lowest, complete all
remaining upgrades according to
security level, and require the
SMD director to provide written
justification for upgrading Level 1
facilities.
See discussion below
Continue with current
implementation sequencing,
which in large part achieves
the aim of the
recommendation: all
remaining Facility Security
Level (FSL) 4 upgrades will
have been initiated by Q2
FY13; all FSL 3s by Q3
FY13; all 2s by Q3 FY14.
The SMD Director will
provide written justification
to the OARM Assistant
Administrator for any FSL 1
upgrades.
2
Develop national policies and
procedures for PACS that foster
consistent and inter-operable
physical access to EPA offices
around the country.
See discussion below
Submit for EPA directives
clearance process a draft
EPA-wide policy, Use of the
PIV Cardfor Facility
Access, Q2 FY 2013. Create
and disseminate outreach on
existing inter-operable
capabilities to regional
personnel, Q2 FY 2013.
13-P-0200
33
-------�
No.
Recommendation
Agency Explanation/
Response
Proposed Alternative
5c-d
Enforce applicable guidelines
pertaining to IGCE, including:
c. Establishing a process that
SMD staff can use to conduct
and document cost analyses of
prior upgrades to ensure that
future project costs are
reasonable.
d. Establishing a requirement that
SMD staff involved with
preparing and reviewing
IGCEs certify that they have
read OAM's IGCE Manual
and understand the guidance.
See discussion below
N/A
Recommendation 1
OA disagrees with Recommendation 1 for the following reasons (explained in more detail
below): Facility security level is one, but not the only, criterion for prioritizing PACS projects;
the rationale for the recommendation, "...some facilities housing hundreds or even thousands of
employees along with other important assets did not require the higher level of authentication to
gain access as some facilities of lesser value and importance" (p. 7) is not supported by evidence
and confuses the role of authentication; and any reprioritizing at this advanced stage of the
overall PACS project would be costly and unnecessary, particularly since the remaining
sequencing in large part accomplishes the aim of the recommendation.
OIG Comment: At the time we completed our work, EPA had not upgraded Security
Level 4 facilities within headquarters. Access to these facilities is gained by showing a
badge to a security guard rather than using a smartcard badge and a PACS reader.
Conversely, in other locations, EPA did update some lower level facilities with PACS
readers. In one case, EPA upgraded a vehicle storage building that did not permanently
house any EPA employees. EPA's most critical assets, where more people and other
important resources reside, should be upgraded before its lower level facilities.
Security level is not the only criterion for prioritizing: EPA's PACS program is
accountable to OMB, and nowhere does OMB stipulate that PACS be upgraded
according to facility security level (FSL). The report's statement, "Eight years after
President Bush signed HSPD-12, EPA has not upgraded all of its most critical facilities,"
(p. 7), is not relevant since OMB leaves sequencing to the agencies. EPA is fully
compliant with its OMB plan, which is to install PIV-enabled PACS at 5-8 facilities per
year, with completion by the end of FY 2015.
13-P-0200
34
-------�
OIG Comment: In 2008, EPA provided OEI's HSPD-12 Physical Access Controls
and Logical Access Controls Plan to OMB. In 2009, EPA issued its EPASS Project
Management Plan. Both plans laid out the priority in which EPA would upgrade PACS.
They documented that EPA would upgrade new construction or leases first, followed by
facilities based on security level ratings. The 2008 plan stated, ".. EPA will mitigate its
highest risks first thus protecting our higher valued targets early on in the
implementation process." The plan also stated that EPA would complete upgrading all
of its Security Level 4 facilities by December 2011. Similar to EPA Order 3200, the
2008 plan also stated that existing Security Level 1 facilities would not be upgraded.
We continue to believe that EPA did not follow the plan as submitted to OMB.
Likewise, HSPD-12 and its implementing standards do not stipulate PACS sequencing or
that PACS be upgraded according to FSL. FSL is derived from an Interagency Security
Committee (ISC) 2008 standard, Facility Security Level Determinations for Federal
Facilities. That standard defines FSL as a "categorization based on the analysis of several
security-related facility factors, which then serves as the basis for the implementation of
certain protective security measures specified in other ISC standards" (p. 2), not in
HSPD-12 standards. EPA complies with the ISC's 2010 Physical Security Criteria for
Federal Facilities to mitigate vulnerabilities by FSL-appropriate means, agency wide,
including vulnerabilities related to facility access controls. The ISC standard does not
mention PIV-enabled PACS among physical access control protective measures.
OIG Comment: EPA's comments in the preceding paragraph do not include all of the
criteria for which it was accountable. EPA did not follow the process for upgrading the
PACS program that was defined in the plans it submitted to OMB in 2008 or EPA
Order 3200—the Agency's policy for implementing EPA's smartcard program. Our
report does not recommend any changes to processes and procedures where EPA is
already compliant. Instead, our recommendations target those areas where EPA has not
been compliant.
EPA's PACS sequencing has evolved since 2005, as is appropriate, to reflect new and
changing technical standards, federal priorities, enhanced technology, the ability to
network PACS, lessons learned, and opportunities to decrease waste and improve
efficiency and cost effectiveness. EPA considers FSLs in sequencing PACS upgrades, but
also considers existing PACS that are failing, new construction or leases, and facilities
housing critical infrastructure and key resources. Please note that at EPA, some critical
infrastructure and systems (such as those in COOP facilities) are housed in facilities that,
per ISC standards, are FSL 1 or 2 because of their small size, small population and lack
of symbolic importance.
On a case-by-case basis, certain facilities that are in close proximity to priority PACS
implementation sites and that would eventually be scheduled for PACS upgrades are
included with nearby, higher-priority projects to reduce cost, improve efficiency, and
align IT infrastructure. To give a dramatic example of the cost efficiencies gained:
• At an earlier phase of the PACS program, the Region 6 Addison and Dallas
facilities, with approximately 150 card readers between them, were upgraded
under separate contracts for a combined cost of $1,283,665.
13-P-0200
35
-------�
• The Region 2 New York and Edison facilities, with over 200 card readers
between them, were upgraded under a single contract at a cost of $909,290.
OA agrees with the OIG that we should have updated documents that referenced the
sequencing plans. We have revised the PACS-related section of our 2012 submission to
OMB to reflect our current sequencing considerations (although that is not required) and
we have updated our EPASS project management plan. EPA Order 3200, EPA Personal
Identity Verification and SmartcardProgram, will be updated in CY 2013 by a one-EPA
team of stakeholders, and any reference to PACS sequencing will be deleted.
OIG Comment: We are pleased that EPA agrees that they should have updated
these critical documents earlier. These official documents stated EPA's plans for
upgrading facilities in terms of the number to be upgraded and by what date. The
documents represented the official EPA plans and as such should have been
revised when SMD knew it was changing its plans.
Authentication is not a sequencing issue: The following OIG conclusions reflect a
misunderstanding of the role of identity verification and authentication:
• "...some of EPA's most critical facilities do not require as stringent an identity
verification process for access as some of its least important facilities" (p. 4).
• "...some facilities housing hundreds or even thousands of employees along with
other important assets did not require the higher level of authentication to gain
access as some facilities of lesser value and importance" (p. 7).
First, no federal mandate or standard, including the HSPD-12 implementing standard
FIPS 201-1, stipulates that identity verification or authentication determine the order of
PIV-enabled PACS implementation. Per FIPS 201-1: "PIV Cards can be used for identity
authentication in environments that are equipped with card readers as well as those that
lack card readers" (p. 46). FIPS 201-1 defines authentication as: "The process of
establishing confidence of authenticity; in this case in the validity of a person's identity
and the PIV card" (p. 70). In addition, 99% of EPA federal employees (95% of all
personnel when non-federal employees are included) have completed HSPD-12-
mandated identity verification and authentication in the form of a background
investigation, identity proofing, and PIV card/EPASS badge issuance.
OIG Comment: The comments in the preceding paragraph relate to requirements
for smartcard identification badges. The content in our report deals with EPA's
implementation and use of PACS along with the smartcard badge. The smartcard
badges are just one piece of the overall physical access process. Our report raises
issues EPA needs to address to improve its overall process for physical access.
Second, OIG conclusions are based on subjective characterizations of facilities as "most
critical (p. 4)," "less critical (At a Glance), "least important (p. 4)," "most important (At a
Glance)," "critical and most valued (p. 4)," "of lesser value and importance (p. 7)." No
physical security standard or smartcard mandate ranks buildings as most or least
13-P-0200
36
-------�
important, most or least critical, or most or least valuable. Although the report claims to
cite the ISC Facility Security Level Determinations for Federal Facilities, "Level 4
facilities are also of high importance and require the next highest degree of protection,
and so forth down to Level 1 facilities" (p. 5), the ISC standard does not state that. Per
ISC standards, protective measures are based on a risk management system that considers
FSL, identification of a baseline Level of Protection (LOP), and determination of
acceptable levels of risk. Again, PIV-enabled PACS are not among the protective
measures addressed in the ISC Physical Security Criteria for Federal Facilities.
OIG Comment: The document titled Facility Security Level Determinations for
Federal Facilities explains and defines the hierarchy of rankings that federal
agencies should use to determine the level of each facility. That document states
that the higher the designated level of a facility the more valuable and critical
that facility is to achieving an agency's mission. It also states that the degree of
protection should be commensurate with each designated security level, with
higher security levels requiring greater protection. While the standard titled
Physical Security Criteria for Federal Facilities may not specifically discuss
PIV-enabled PACS, the purpose of the smartcards and related systems are to
increase and improve security and protection.
The OIG's conclusion that the agency's PACS upgrade sequencing has somehow left
"hundreds and even thousands of EPA employees" (p. 5) at risk is not logical and not
supported by fact. The agency mitigates risk and vulnerability at all facilities per ISC
standards, in which PIV-enabled PACS figure not at all.
OIG Comment: As stated in our comment above, Security Level 4 facilities, by
definition, are higher value assets, and EPA states the same in the plan it
submitted to OMB in 2008. Further, having operational PACS in place at such
facilities provides an additional layer of security by increasing the number of
levels of authentication needed to gain access. EPA asserts that PACS systems
do not add security over what was in place. If PACS systems add no additional
security, this raises the question why EPA would plan to spend nearly $56
million on this program. EPA is complying with HSPD-12 and subsequent
requirements because the smartcard and associated systems increase security and
safety, which was the intent behind HSPD-12.
The majority of upgrades have already been initiated: Making changes to PACS
sequencing at this late stage of the program would be costly, disruptive and unnecessary,
not only for the reasons above, but because the remaining schedule largely accomplishes
the aim of the OIG recommendation. The contracts for the remaining Level 4 upgrades
will be awarded in Q2 FY 2013. All remaining Level 3 upgrades are scheduled for award
by Q3 FY 2013 and all remaining Level 2 upgrades by Q3 FY14.
13-P-0200
37
-------�
Proposed Alternative:
Continue with current implementation sequencing, which in large part achieves the aim of the
recommendation: all remaining FSL 4 upgrades will be initiated by Q2 FY 2013; all FSL 3s by
Q3 FY 2013; and all FSL 2s by Q3 FY14. The SMD Director will provide written justification to
the Assistant Administrator of OARM for any FSL 1 projects.
OIG Comment: We agree with EPA's proposed alternative to complete Security Level 4
facilities before completing upgrades to lower level facilities, and that the SMD Director
will provide written justification to the Assistant Administrator for OARM prior to
updating any Security Level 1 facilities.
Recommendation 2
Our disagreement is with the presence of the word "inter-operable" in the recommendation and
the misunderstanding it represents. The EPASS badge, per FIPS 201 requirements, is inherently
intra-operable across the agency and inter-operable with other agencies. Within EPA, any
EPASS badge can be authenticated and granted access to any PIV-enabled PACS. EPA PIV-
enabled PACS can authenticate PIV cards issued by other agencies, and our EPASS badges are
accepted at other agencies' PIV-enabled PACS. The EPASS badge and PACS programs fully
support inter- and intra-operability in compliance with all governing authorities and technical
standards; all statements in the draft audit indicating otherwise are incorrect (see additional
comments on accuracy of draft report, below).
OIG Comment: We understand that the EPASS badge is designed and produced to have
the capabilities to be both intra- and inter-operable and we do not question that in this
report. The point we make in chapter 3 is that, in practice, these security systems at EPA
facilities across the country are operated in dissimilar ways and were not fostering
consistent access to facilities by EPA employees. We believe that EPA's response is one
related to semantics rather than substance as EPA states that it has been lacking
nationwide policies and procedures that foster consistent facility access using the
smartcard (see next OIG comment).
What is lacking is not intra- and inter-operability, but rather: 1) a clear local understanding of the
intra- and inter-operable capabilities of Personal Identity Verification (PIV) cards and existing
PACS; and 2) agencywide policy on use of the PIV card for facility access. The proposed
alternative below addresses both of these issues. We agree with the OIG that fostering consistent
facility access procedures is important, with the understanding that procedures need to be
responsive to local security conditions and the wide range of real estate arrangements at EPA. One
size cannot fit all when circumstances include EPA-owned and leased, privately owned, GSA-
owned and leased, single and multi-tenant, and mixed federal and private tenant arrangements.
OIG Comment: We agree with EPA that what has been lacking is a national EPA-wide
policy and procedures for ensuring consistent access procedures for all EPA employees.
13-P-0200
38
-------�
Proposed Alternative:
OARM requests that the words "and inter-operable" be removed from Recommendation 2 so that
we can fully agree with the text. We are planning to foster consistent facility access control
procedures and improve regional understanding of intra- and inter-operable capabilities of
existing PACS. To achieve this, OARM will create and disseminate to regional personnel
outreach on existing inter-operable capabilities in Q2 FY 2013. EPA will also submit for the
directives clearance process an EPA-wide policy, Use of the PIV Cardfor Facility Access, in Q2
FY 2013. The policy is the result of a one-EPA effort and addresses the requirements for
permitting unescorted access to EPA facilities where physical access is controlled by a PIV-
enabled PACS. The purpose of the policy is to:
• Provide consistent application of physical access controls
• Describe requirements for granting access to PIV-enabled EPA-controlled buildings and
spaces
• Define the security roles and responsibilities of all parties involved in granting access to
EPA facilities
OIG Comment: We removed the words "and inter-operable" from recommendation 2 in
our draft report. As currently implemented, EPA's PACS and smartcard badges do not
allow consistent facility access to EPA and other federal employees as intended. We do
agree with EPA's proposed recommendation to develop and implement a policy that will
allow for consistent facility access control procedures and improve regional understanding
of intra- and inter-operable capabilities before March 31, 2013.
Recommendation 5c-d (see general comment under Recommendation 5, above)
Sub-recommendation c: The intent and basis for this recommendation is unclear, and as such,
OAM is unable to provide a response without further clarification/information from the OIG.
The FAR (3.501-2, 15.305, 15.402, 15.404, 15.405, 15.406, 43.204) sets forth responsibility for
conducting cost analysis with the Contracting Officer. Accordingly, the recommendation to
establish a process to ensure SMD conducts cost analysis assigns responsibility for this critical
function contrary to regulation. With regard to ensuring adequate cost analysis is performed,
OAM's oversight program is described in the response to recommendation 4 above.
OIG Comment: The intent of this recommendation is to ensure that SMD considers cost
through meaningful analysis before spending taxpayer dollars on its programs. We are not
suggesting that OARM removes responsibility from contracting officers. We believe cost
analysis is a useful and necessary process across all programs and divisions that use
contractors to carry out EPA's mission. The EPA Guide for Preparing Independent
Government Cost Estimates, prepared by OAM, states, "The FAR considers IGCE's an
integral part of the acquisition process. A successful acquisition process requires
collaboration between the program and procurement offices. When a Program Office
prepares a meaningful IGCE, the CO may use that document to facilitate the determination
of fair and reasonable pricing in the procurement process. As a result, all parties benefit from
a well prepared IGCE."
13-P-0200
39
-------�
Sub-recommendation d: OAM makes training on IGCE's available to through various OAM
sponsored and conducted training sessions. Additionally, under the new three tiered COR
training and certification program, OAM will continue to ensure the COR curriculum includes
training on IGCE's. Accordingly, completion of IGCE training is incorporated under COR
certification. As a result, OAM believes that the separate IGCE training certification
recommended by the OIG is both redundant and unnecessary.
OIG Comment: We agree with the action EPA has taken to make IGCE training
available. However, in a face-to-face interview on March 20, 2012, in Washington, DC,
the SMD PACS project manager and an SMD contracting officer representative both told
us that they: (1) were not familiar with the EPA Guide for Preparing Independent
Government Cost Estimates or the GAO Cost Estimating and Assessment Guide, and (2)
had not been offered any training on preparing IGCEs in general. Therefore, EPA should
ensure that appropriate staff are aware of available IGCE training and take the training.
Some Additional Factual Inaccuracies in the Draft Report
OA requests that the following indirect quotations attributed to SMD Director [name removed]
be removed from the report. The OIG versions of her words do not reflect what she said, create
an unwarranted and unsubstantiated negative personal portrayal and do not qualify as relevant
evidence (emphasis added):
• "The SMD Director also said that EPA did not want to make mistakes upgrading its
headquarters buildings so it has been upgrading other buildings first" (p. 4). The report
repeats this inaccurate claim in two other places: "Also, EPA indicated it did not want to
make mistakes upgrading headquarters buildings so it upgraded others first" (At a
Glance), and "The Director said that they did not want to make mistakes at headquarters
and were therefore upgrading other buildings first and leaving the upgrades of
headquarters buildings toward the end of the project" (p. 6).
OIG Comment: During a June 21, 2011 meeting with the SMD Director, we questioned
the decision not to upgrade Headquarters' buildings before other lower level facilities. We
believe the statements in the report accurately paraphrase those discussions.
13-P-0200
40
-------�
• "The SMD Director told us she believed it was more efficient and logistically made
more sense to upgrade facilities based on geographic location. She said that SMD
preferred to award one contract for each location or region and have all facilities in that
area upgraded simultaneously. SMD could not provide data or documented justification
showing that it was more efficient to upgrade based on location; the Director said SMD
did not have such data because the increased efficiency was obvious" (p. 6).
OIG Comment: On December 14, 2011, the SMD Director sent the OIG an email
that stated:
"Implementing PACS facility-by-facility requires separate and distinct systems
to be installed in each individual facility. Several criteria were considered when
comparing a facility-based approach to an enterprise approach. These criteria
included the cost of hardware and software and the increased technical
complexity caused by the volume of systems. No quantitative data was produced
because of the obvious cost advantage. For example, to install independent
PACS across five facilities would require two servers (primary and backup) per
location, totaling 10 servers across the five locations, and 5 vendor application
licenses. In comparison, covering the five locations with a single enterprise
implementation requires only two servers and one vendor application license.
The cost differential is obvious without a detailed quantitative analysis."
• "We asked the SMD Director if she had considered other contracting approaches to
upgrading facilities that emphasized security level first rather than all facilities in a given
geographic area at the same time. She said that she had not thought of that and would
have to consult with QAM to determine whether EPA could have used other contracting
options" (p. 7).
OIG Comment: We asked the SMD Director on December 21, 2011, whether SMD
had considered the possibility of awarding a national contract to first upgrade Security
Level 4 facilities that would contain the option to go back to a particular geographic
area at a later time to upgrade lower-level facilities in that same location. The SMD
Director said to us that she had never thought of that option and she would need to
consult with a contracting expert in OAM to determine whether that was feasible.
We request deletion of unsupported speculation on what might have been effective contracting in
2006 or what might have been done at that time. The OIG presents conjecture on a complex issue
by an individual who likely did not identify herself to the OIG as expert in the identification of
EPA's "most critical assets" or in what constitutes a proper "prioritized order" for PACS
sequencing. This text does not qualify as relevant evidence and does not contribute to logical
inferences based on findings (emphasis added):
• "We discussed this issue with the OAM contracting officer for some PACS contracts and
she told us that awarding contracts in order of facility security level could have been an
effective alternative without resulting in greater cost. She said that SMD could have
awarded national contracts at the beginning of this program to focus first on upgrading all
13-P-0200
41
-------�
Level 4s. She said that after SMD upgraded those facilities, additional national contracts
could have been awarded to upgrade the Level 3 s and so on, thereby addressing the most
critical assets in a prioritized order" (p. 7).
OIG Comment: We discussed possible contracting options with an EPA contracting
officer responsible for awarding PACS contracts. The contracting officer provided us with
her views on additional options mentioned in the report. We believe that this contracting
officer would have the knowledge and background to provide credible contracting options
for awarding PACS contracts.
We request deletion or correction of all statements indicating EPA has not achieved intra- and
inter-operability; EPA has achieved full intra- and inter-operability (see discussion of
Recommendation 2, above).
OIG Comment: EPA has achieved the potential for intra- and inter-operability through the
EPASS badge. However, the use of the smartcards and the physical access control systems
is not consistently applied across EPA. We agree with EPA that it needs nationwide
policies and procedures that foster consistent facility access using the smartcard and we
encourage the Agency to finalize those policies and procedures as soon as possible.
We request deletion of the following inaccurate statement: "Another reason the PACS upgrade
has been inconsistent is that SMD has not been accountable for how it is carrying out the
program" (p. 11). SMD is accountable to the agency and OMB and provides all reporting that the
agency and OMB require. Our PACS accountability includes:
• A monthly data call to OMB on earned value management, performance and risk
management, including PACS schedules and costs
• An updated EPASS implementation plan sent to OMB in July 2012
• An annual data call to OMB for EPA's PortfolioStat in June 2012
• A yearly Capital Planning and Investment Control (CPIC) report to OMB
• An annual report on EPASS, including PACS, as part of the Federal Managers Financial
Integrity Act assurance process
• A yearly Chief Information Officer CPIC investment review
OIG Comment: We deleted the statement from our draft report that SMD has not been
accountable for carrying out the program. We agree that SMD generates a number of
reports for OMB. Our position is that EPA does not have a clearly identified office in
charge of its smartcard program. Responsibility for the program is split between OARM
and OEI.
The OIG makes incorrect connections between accountability, leadership and inconsistency
(emphasis added). "EPA should also increase accountability over its smartcard program by
clearly identifying one senior executive responsible for implementation and oversight. Stronger
leadership over the program should help address the issues related to inconsistency that we have
13-P-0200
42
-------�
identified" (p. 13). The inconsistency referenced here refers to an earlier OIG statement:
"However, the inconsistency with which EPA has upgraded PACS is impeding EPA's ability to
have intra-operable systems for EPA employees, much less inter-operability with other agencies"
(p. 13). As explained in our response to Recommendation 2, the PACS program has achieved full
intra- and inter-operability; as explained in the previous paragraph, our PACS program is already
accountable to EPA and OMB. We agree that a single entity to oversee the smartcard program is
needed to make the agency compliant with OMB Memorandum M-l 1-11 and position the
program to implement EPA's Identity, Credential, and Access Management initiative.
OIG Comment: EPA implemented this program from 2008 through 2012 in a manner that
was not consistent with the plan submitted to OMB. We recognize that SMD responded to this
issue identified during our audit by submitting a revised plan to OMB in July 2012. This was a
positive step to increasing accountability. However, EPA's accountability for implementing
the PACS program is diminished without identifying a senior executive responsible for the
PACS program. Regarding the second part of the paragraph above, EPA is not implementing
the physical access control system in a consistent manner. Different locations use different
procedures for access and there has been no national standard to guide this process.
The following OIG language is unnecessary and inflammatory (emphasis added): "In addition,
EPA's Criminal Investigation Division (CID) initially stated that it was not going to upgrade its
facilities because it did not agree with the direction of the smartcard program, and SMD allowed
CID to dictate that decision when it should not have" (p. 9). CID did not interact with SMD in
this manner. The two organizations have been collaborative and collegial. We request that the
underlined text be removed.
OIG Comment: In discussions with CID and SMD, we found that CID Dallas, Texas, elected
not to participate in the program. SMD did not take action to ensure CID was included in the
program until we pointed out to them that the space was accessible to the general public. We
have adjusted the report language to this effect.
The table on p. 6 of the report, as well as information derived from the table throughout the
report, does not accurately reflect the data provided by SMD to the OIG. To give one example,
the OIG counts only one FSL 4 facility at Research Triangle Park; however, SMD upgraded
PACS at multiple FSL 4 facilities there.
OIG Comment: During this audit, EPA provided us with multiple lists of EPA facilities that
were different and some contained discrepancies. Further, in some spreadsheets SMD provided
us they counted a location as one facility and in others they counted each building at that
location as a separate facility. Therefore, to obtain a list that incorporated total facilities by
security level and the date of upgrades, we developed the best supportable list that we could
from the data SMD provided. We based table 1 on data SMD provided as of April 2012.
Because EPA's lists combined facilities into a single entry in some cases, we acknowledge that
the actual number of EPA facilities could be higher than the total included in our table. Based
on a report we received from SMD that EPA submitted to OMB, as of July 2012 EPA planned
to upgrade a total of 76 facilities (21 level 4s; 26 level 3s; 26 level 2s; and 3 level Is).
13-P-0200
43
-------�
If you have any questions about responses related to the PACS upgrade, please contact Security
Management Division Director Tami Franklin at (202) 564-9218. If you have questions about
responses related to contracting, please contact Special Assistant to the Director of OAM Lisa
Maass at (202) 564-2498.
13-P-0200
44
-------�
Appendix E
Distribution
Office of the Administrator
Deputy Administrator
Assistant Administrator for Administration and Resources Management
Principal Deputy Assistant Administrator for Administration and Resources Management
Chief Financial Officer
Deputy Chief Financial Officer
Director, Office of Budget, Office of the Chief Financial Officer
Director, Office of Human Resources, Office of Administration and Resources Management
Agency Follow-Up Coordinator
General Counsel
Deputy General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-Up Coordinator, Office of the Chief Financial Officer
Audit Follow-Up Coordinator, Office of Administration and Resources Management
13-P-0200
45
-------� |