At a Glance: Improvements Needed in EPA's Smartcard Program to Ensure Consistent Physical Access Procedures and Cost Reasonableness


^{.D sT/ff.
*	' U.S. Environmental Protection Agency	13-P-0200
| O \ Office of Inspector General	March 27 2013
SB 1
1 w/ °
At a Glance
Why We Did This Review
Homeland Security Presidential
Directive-12 (HSPD-12) and
subsequent requirements state
that inconsistent approaches to
physical access are inefficient
and costly, and increase risk to
the federal government.
We conducted this audit to
determine whether the U.S.
Environmental Protection
Agency (EPA) upgraded
physical access control
systems consistent with the
goals of HSPD-12 and
subsequent requirements. We
also evaluated whether EPA
acquired and deployed
smartcard technology in an
efficient and effective manner.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Strengthening EPA's
workforce and capabilities.
Improvements Needed in EPA's Smartcard
Program to Ensure Consistent Physicai
Access Procedures and Cost Reasonableness
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
What We Found
Contrary to its plans, EPA upgraded some less critical facilities prior to its most
important facilities (including EPA headquarters). EPA stated it was more efficient
to upgrade facilities based on geographic location rather than importance, but
provided no quantitative data to support that position. In addition, EPA indicated it
did not want to make mistakes upgrading headquarters buildings so it upgraded
others first. As a result, some lower valued facilities required a higher level of
authentication for access than EPA headquarters facilities.
The processes used to gain access are inconsistent and not yet inter-operable
(can be used by all federal employees including those outside EPA) or
intra-operable (can be used by any EPA employee). This occurred because EPA
had not developed national physical access procedures to foster consistency. As
a result, EPA is not realizing potential benefits associated with a standardized
process.
EPA did not document assurance of cost reasonableness for some of the
physical access control system contracts. EPA had spent over $12.8 million
upgrading physical access control systems and could not assure that $3.8 million
of that amount (30 percent) was spent in the most efficient and effective manner.
EPA planned to award an additional $10.6 million to upgrade its systems.
Recommendations and Planned Agency Corrective Actions
We recommend that EPA re-prioritize the remaining facility upgrades by security
level, from highest to lowest, and develop national policies and procedures that
foster consistent inter-operable physical access. We also recommend that EPA
establish an entity for overseeing EPA's smartcard program, conduct cost
analysis of smartcard upgrades, and enforce guidelines for independent
government cost estimates. EPA agreed with two of our five recommendations.
For the other three recommendations, EPA proposed alternative corrective
actions that we believe address our findings.
The full report is at:
www.epa.qov/oiq/reports/2013/
20130327-13-P-0200.pdf

-------