Report Contributors:
Chris Baughman
Hilda Canes Garduno
Eric Lewis
Abbreviations
CFR     Code of Federal Regulations
EO      Executive Order
EPA     U.S. Environmental Protection Agency
ISOO    Information Security Oversight Office
NSI     National Security Information
OARM    Office of Administration and Resources Management
OCFO    Office of the Chief Financial Officer
OIG     Office of Inspector General
OPM     U.S. Office of Personnel Management
SF      Standard Form
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
e-mail: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline
       1200 Pennsylvania Avenue NW
       Mailcode 2431T
       Washington, DC 20460
-------
U.S. Environmental Protection Agency    12-P-0543
Office of Inspector General    June 18, 2012
At a Glance
Why We Did This Review
The Office of Inspector
General (OIG) is responsible
for independently reviewing
U.S. Environmental Protection
Agency (EPA) programs
related to national security.
We evaluated EPA's classified
national security information
(NSI) infrastructure. We
performed this review as
required by the Reducing
Over-Classification Act.
Background
Executive Order 13526,
Classified National Security
Information, prescribes a
uniform system for classifying,
safeguarding, and declassifying
national security information.
According to the executive
order and the related
regulations, national security
information can be classified as
Top Secret, Secret, or
Confidential, depending on the
damage that may be caused by
its release. The Office of
Administration and Resources
Management manages EPA's
NSI program.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2012/20120618-12-P-0543.pdf
EPA's National Security Information Program
Could Be Improved
What We Found
Under its classified NSI program, EPA has assigned responsibilities and provided
guidance, training, and oversight. EPA program offices provide secure equipment
and space, following NSI program specifications. EPA has procedures in place so
employees can obtain security clearances and classify information. Annual
reports are prepared on the status of the program. Thus, EPA can create, receive,
handle, and store classified material needed to fulfill its responsibilities related to
its homeland security, emergency response, and continuity missions.
We found that EPA's NSI program needs improved internal controls to address
the following deficiencies:
• Although EPA keeps three copies of an employee's signed Classified
Information Nondisclosure Agreement, Standard Form 312, it does not
store a copy in the employee's Official Personnel Folder, as provided in
guidance from the Office of Personnel Management (OPM). OPM's
regulation requires that personnel records be maintained in accordance
with OPM guidance.
• Not all individuals with an EPA security clearance are completing the
required annual refresher training.
• EPA does not always promptly withdraw a clearance when an employee
leaves EPA, which may result in a person accessing classified NSI to
which he or she is no longer privileged.
• EPA regulation, policies, and basic guidance document for the NSI
program do not reflect the current government-wide requirements, and
the basic guidance document is currently not an Agency-wide directive
even though it impacts the entire EPA.
We did not assess the readiness of EPA's NSI program in the event of an actual
national security incident.
Recommendation/Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Administration and
Resources Management issue a directive to establish controls that address the
deficiencies identified in this report. The Agency partially agreed with our
recommendation, and provided alternate corrective actions with completion dates
that we consider acceptable. We consider the recommendation resolved.
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
June 18, 2012
MEMORANDUM
SUBJECT: EPA's National Security Information Program Could Be Improved
Report No. 12-P-0543
FROM: Arthur A. Elkins, Jr.
TO: Craig E. Hooks
Assistant Administrator for Administration and Resources Management
This is our report on the subject evaluation conducted by the Office of Inspector General (OIG)
of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe
the problems the OIG has identified and corrective actions the OIG recommends. This report
represents the opinion of the OIG and does not necessarily represent the final EPA position.
Final determinations on matters in this report will be made by EPA managers in accordance with
established audit resolution procedures.
Action Required
Although this report contains a recommendation, you are not required to respond. Your response
to the draft report and supplemental information identified corrective actions, including
milestone dates, acceptable to us. Therefore, we are closing this report upon issuance. The
corrective actions not yet completed must be monitored through EPA's Management Audit
Tracking System.
Should you respond, your response will be posted on the OIG's public website, along with our
memorandum commenting on your response. Your response should be provided as an Adobe
PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation
Act of 1973, as amended. The final response should not contain data that you do not want to be
released to the public; if your response contains such data, you should identify the data for
redaction or removal. We have no objections to the further release of this report to the public.
We will post this report to our website at http://www.epa.gov/oig.
We have redacted information on page 16 of this report to withhold the name of an individual.
If you or your staff have any questions regarding this report, please contact Eric Lewis, Director
of Special Reviews, at (202) 566-2664 or lewis.eric@epa.gov.
-------
Table of Contents
Chapters
1 Introduction
    Purpose
    Background
    Scope and Methodology
2 Internal Controls Need Improvement
    Nondisclosure Agreements Should Be in Official Personnel Folders
    Annual Training Needs Better Monitoring
    Clearances Should Be Promptly Withdrawn When Staff Leave
    EPA's Guidance Is Not Current or in the Form of a Directive
    Guidance Revision Delayed by Pending Regulation Update
    Conclusion
    Recommendation
    Agency Response and OIG Evaluation
Status of Recommendations and Potential Monetary Benefits
Appendices
A Agency Response to Draft Report and OIG Evaluation
B E-mail From U.S. Office of Personnel Management
C Distribution
-------
Chapter 1
Introduction
Purpose
The Office of Inspector General (OIG) evaluated how effectively the U.S.
Environmental Protection Agency (EPA) manages its classified national security
information (NSI) program and distributes classified information to those who
need it. This report complies with the Reducing Over-Classification Act (Public
Law 111-258), which calls for Inspectors General (1) "to assess whether
applicable classification policies, procedures, rules, and regulations have been
adopted, followed, and effectively administered" and (2) "to identify policies,
procedures, rules, regulations, or management practices that may be contributing
to persistent misclassification of material." The law requires that OIGs complete
at least two evaluations by September 30, 2016. The initial evaluation must be
completed no later than September 30, 2013. This report, along with the prior
EPA OIG report, EPA Should Prepare and Distribute Security Classification
Guides (Report No. 11-P-0722; September 29, 2011), constitutes part of the initial
evaluation. The OIG may perform additional work before September 30, 2013, to
comply with the law.
Background
EPA has had a program to safeguard classified NSI since at least 1972. Such
programs must comply with the December 2009 Executive Order (EO) 13526,
Classified National Security Information, which prescribes a uniform system for
classifying, safeguarding, and declassifying NSI. According to this EO and the
implementing regulations, NSI can be classified as Top Secret, Secret, or
Confidential, depending on the damage that may be caused by its release. EPA
also has a sensitive compartmented information program that imposes access,
storage, and handling controls beyond those normally required for access to
information classified as Confidential, Secret, or Top Secret.
EPA creates, receives, handles, and stores classified material because of its
homeland security, emergency response, and continuity missions. The EPA
Administrator has had original classification authority since May 2002 and at the
time could delegate the authority. In December 2009, the Administrator's
delegation authority was withdrawn, so the Administrator is the only person at EPA
with original classification authority. Original classification means an initial
determination that information requires, in the interest of national security,
protection against unauthorized disclosure. During fiscal years 2004 through 2010,
EPA originally classified six documents. In early 2011, the Administrator classified
a seventh document. Although EPA has classified information, as discussed in EPA
OIG Report No. 11-P-0722, it has not issued any classification guides.
Individuals may have access to classified information through EPA only if they
possess a valid and appropriate security clearance; have signed a Standard Form
(SF) 312, Classified Information Nondisclosure Agreement; and have a valid need
to know the information. EPA has procedures in place to provide employees with
a security clearance if their office decides the individual needs one. The Security
Management Division has an electronic information system to track the related
investigation and resulting clearance. EPA also has procedures to obtain a signed
SF 312 from the individual after their clearance is approved. In February 2011,
EPA had about 17,600 employees and 1,432 valid security clearances.
The Assistant Administrator for Administration and Resources Management has
been delegated overall authority for the NSI program. The Assistant
Administrator may, and has, delegated much of this authority to the Security
Management Division, Office of Administration, Office of Administration and
Resources Management (OARM). The Security Management Division created an
NSI program team to manage the program. In addition, all major EPA offices
assigned at least one employee as an NSI representative to coordinate the program
at their organization. Typically, this responsibility is assigned as an additional
duty. The NSI program team gives the NSI representatives supplemental training.
Each year OARM sends reports about EPA's NSI program to the Information
Security Oversight Office (ISOO), National Archives and Records
Administration. The ISOO is responsible for oversight of the government-wide
security classification system. EPA's annual reports are based, in part, on reports
provided by the NSI representatives.
EPA has procedures in place to approve secure areas for storing, processing,
handling, and discussing classified NSI. With one exception, all major EPA
offices have such secure areas. Except for two offices, they also have containers
(e.g., safes) to store classified material. The security level of the areas and
containers varies from Secret, to Top Secret, to Top Secret with sensitive
compartmented information. The Security Management Division inspects the
facilities on a 3-year cycle. Of the secure areas for five organizations that we
visited, two organizations (Regions 3 and 8) were not storing any classified
information. However, both were capable of protecting classified information, up
to and including Top Secret information. The other three organizations were
properly storing classified information.
With one exception, all major EPA offices have equipment for secure
communications. At a minimum, each office has at least one secure telephone.
The security level for the telephones varies from Secret, to Top Secret, to Top
Secret with sensitive compartmented information. Some offices also have secure
facsimile machines, cellular telephones, and satellite telephones. EPA also has
terminals for the secure information systems of other federal agencies.
Scope and Methodology
We performed our review from December 2010 through February 2012. We
conducted our work in accordance with generally accepted government auditing
standards issued by the Comptroller General of the United States. Those standards
require that we plan and perform the review to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on
our objectives. We believe the evidence obtained provides a reasonable basis for
our findings and conclusions based on our objectives. We assessed internal
controls over the NSI program.
To obtain an overall understanding of EPA's NSI program, we reviewed internal
guidance, documents, and reports, as well as guidance applicable throughout the
federal government. We also interviewed staff from OARM; the Office of
Homeland Security, within the Office of the Administrator; and the Office of
Solid Waste and Emergency Response, which works with the Office of Homeland
Security to provide EPA offices with secure communication equipment.
During our field work, we examined how the NSI program operates in five EPA
organizations:
• Office of Air and Radiation, Washington, DC
• Office of Research and Development's National Homeland Security
Research Center, Cincinnati, Ohio
• Office of Water, Washington, DC
• Region 3, Philadelphia, Pennsylvania
• Region 8, Denver, Colorado
The process included interviewing the organizations' NSI representatives and
some of its staff with security clearances; reviewing related documentation;
inspecting some of the organizations' secure areas and safes; verifying the
clearances of those interviewed; and verifying the annual NSI training completed
by the organizations' cleared staff.
In addition to the activities of these five organizations, we verified the annual
training of cleared staff in the Office of the Chief Financial Officer, and
withdrawal of the security clearances for 20 cleared staff members who left EPA
during the first 6 months of 2011.
We did not assess the readiness of EPA's NSI program in the event of an actual
national security incident. We noted internal control deficiencies in chapter 2 of
this report and in the previously mentioned OIG report on classification guides
(Report No. 11-P-0722).
Chapter 2
Internal Controls Need Improvement
EPA has established an infrastructure that can deliver a minimum level of
Secret NSI to major EPA offices, and at least 10 offices can handle higher-level
classified NSI. However, we found deficiencies in the following procedural
aspects of the NSI program:
• EPA does not put each employee's signed SF 312 in his or her Official
Personnel Folder. The SF 312 is the legally binding classified information
nondisclosure agreement between the employee and the U.S. government.
OPM guidance provides for it to be kept in the employee's Official
Personnel Folder.
• Annual refresher training is not being completed by everyone with an EPA
security clearance. Better monitoring is needed to ensure all those with
clearances complete the required training.
• Clearances are not being promptly withdrawn when an employee leaves
EPA. Consequently, a former employee could potentially access classified
NSI to which he or she is no longer privileged.
• EPA's regulation, policies, and basic guidance document for the NSI
program are out of date and do not reflect current government-wide
requirements for NSI programs. Additionally, the basic guidance
document does not comply with EPA requirements for directives.
As a result of these control deficiencies, EPA cannot assure that access to
classified material is restricted to those who have a clearance and are
appropriately trained.
Nondisclosure Agreements Should Be in Official Personnel Folders
EPA does not put an SF 312, Classified Information Nondisclosure Agreement,
signed by an EPA employee, in his or her Official Personnel Folder. The Official
Personnel Folder is part of the records of the U.S. Office of Personnel
Management (OPM). As stated in OPM's regulation, 5 CFR Part 293, Subpart C,
Section 293.303:
Ownership of folder.
The OPF of each employee in a position subject to civil service
rules and regulations is under the jurisdiction and control of, and is
part of the records of, the Office of Personnel Management (the
Office).
It must contain long-term records affecting the employee's status and service, as
required by OPM instructions and designated in the guidance. According to the
OPM guidance, the life of the Official Personnel Folder is usually 115 years from
the employee's date of birth.
Before being given access to classified information, an employee of the federal
government or one of its contractors, licensees, or grantees must sign an SF 312.
The SF 312 documents an employee's legally binding acceptance of obligations
in consideration of being granted access to classified information. According to
EPA's basic guidance document, the December 2006 National Security
Information Handbook (handbook), the NSI representative must obtain the
signature on the SF 312 after an individual completes the initial orientation
training. The handbook requires the NSI representative to mail the originally
signed SF 312 to the NSI program team. The Security Management Division
keeps three copies of a recently signed SF 312: an electronic version in its
electronic information system; a hard copy in the green security folder for the
employee; and a hard copy in the binder with all the other SF 312s. As required
by the implementing regulations, EPA plans to keep the SF 312s in the binder for
50 years from the date signed.
According to EPA management, it is EPA's practice to offer a copy of the SF 312
to those who sign one. Yet six individuals whom we interviewed informed us that
they did not have a copy of their SF 312. These six individuals were from three
organizations and had signed an SF 312. The signed SF 312 would be more
readily available to EPA employees if EPA placed it in their Official Personnel
Folder.
ISOO's regulation, as set forth in the Code of Federal Regulations (CFR), in
32 CFR Section 2001.80(d)(2)(vii), makes storing a copy of the SF 312 in the
Official Personnel Folder optional. The ISOO regulation, published in 2010,
states in part:
[A]n agency may store the executed copy of the SF 312 and
SF 189 in the United States Office of Personnel Management's
Official Personnel Folder as a long-term (right side) document for
that employee.
While ISOO is responsible for oversight of the government-wide security
classification system, it does not have responsibility for the Official Personnel
Folder. OPM regulation, as set forth in 5 CFR Part 293, Subpart C, requires
agencies to establish an Official Personnel Folder for each employee. The OPM
regulation, published in 2011, further states:
The [Official Personnel Folder] shall contain long-term records
affecting the employee's status and service as required by OPM's
instructions and as designated in the Guide to Personnel
Recordkeeping.
That is, the OPM regulation requires that personnel records be maintained in
accordance with OPM guidance. OPM's guidance, The Guide to Personnel
Recordkeeping: Operating Manual, specifically identifies the SF 312 and its
predecessor, SF 189, in Section 3-G, Other Personnel Documents. The related
filing instructions are to "File the Standard Form 312 and Standard Form 189 on
the right side" [of the Official Personnel Folder]. Thus, the SF 312 should be in
the employee's Official Personnel Folder. The Security Management Division
was unaware of the OPM guidance to store the SF 312 in the employee's Official
Personnel Folder.
Annual Training Needs Better Monitoring
EPA offers NSI program training on its Intranet that covers the initial security
orientation, being a courier of classified information, marking classified
documents, and accounting for Top Secret material. EPA also offers a termination
briefing when the clearance is terminated. In addition, those with a clearance must
take refresher training at least once a year. In 2010, the refresher training was
offered through a Lotus Notes application that recorded who had completed the
training.
Not all of those who hold an EPA clearance completed the annual refresher
training in 2010. The National Security Information Handbook requires that all
such individuals must participate, annually at a minimum, in refresher training
that reinforces policies and procedures of the NSI program. According to the
handbook, the NSI representative shall administer the annual refresher training.
The NSI representatives for the five organizations we reviewed had procedures in
place to monitor who completed the annual training. Despite these procedures, a
number of people from different organizations did not complete the training, as
shown in table 1 below.
Table 1: Cleared EPA staff who did not take mandatory annual refresher training
Organization                          Number of cleared staff as of February 2011    Percent of cleared staff
                                      Total      Did not take 2010 training          who did not take training
Office of Research and Development    108        5                                   4.6
Office of Water                       42         7                                   16.7
Region 3                              73         11                                  15.1
Sources: Security Management Division staff (as of February 2011) and results of OIG inquiries.
In addition, we reviewed the training records for the Office of the Chief Financial
Officer (OCFO) because, at that time, it had no NSI representative. Of the 14
people associated with the OCFO who have security clearances, 5 (or 35 percent)
did not complete the 2010 training. Four of the five said that they were not
informed about the training. Since the OCFO had no NSI representative then, the
NSI program team was responsible for monitoring its training. On September 15,
2010, the NSI program team leader sent the cleared staff in the OCFO an e-mail
informing them that the 2010 annual training was available and must be
completed by November 15, 2010. The e-mail included a hyperlink to the
training. In August 2011, after we brought the matter to its attention, the OCFO
designated an NSI representative to serve as its local advisor and point of contact
for NSI-related matters.
We believe that the annual refresher training increases the likelihood that those
with security clearances will properly protect classified information, and the
training is particularly important to remind those with little or no contact with
NSI. Once granted a clearance, individuals in some organizations were more
likely than individuals in other organizations to be exposed to classified NSI.
Cleared staff from three organizations (Office of Air and Radiation, National
Homeland Security Research Center, and Office of Water) generally had contact
with NSI. The cleared staff from the regional offices (Region 3 and Region 8) had
little or no contact with classified NSI.
Clearances Should Be Promptly Withdrawn When Staff Leave
EPA's list of those with security clearances should be promptly revised to reflect
clearances that are, or should be, withdrawn. For example, when an employee
with a clearance leaves EPA, the employee clearance should be administratively
withdrawn. If the clearance is not withdrawn, the employee's name incorrectly
remains on the list of those with clearances. As a consequence, the employee
could potentially access classified NSI, either at EPA or another agency, to which
he or she is no longer privileged. The NSI representatives consult the list before
granting access to classified information. Each month, EPA provides its clearance
list to OPM so it can be included in the Central Verification System. Based on
information in the Central Verification System, another agency might grant
someone unauthorized access to protected information.
EPA administratively withdraws a clearance when the Security Management
Division receives documentation that the person received a termination briefing.
The handbook requires the NSI representative to provide a termination briefing to
all cleared employees who leave EPA or whose security clearance is terminated or
withdrawn for other reasons. The termination briefing shall address:
• The obligation to return to the appropriate EPA official all classified
information in the employee's possession
• The continuing responsibility not to disclose any classified information to
which the employee had access
• The potential penalties for noncompliance
After completing the termination briefing, the employee must sign the security
debriefing acknowledgement section of SF 312. The NSI representative will mail
the signed SF 312 to the NSI program team.
Not all those who leave EPA receive a termination briefing; consequently, they do
not sign the SF 312. Without the signed SF 312, the Security Management
Division may not know to withdraw the person's clearance. Of the 20 cleared
staff who left EPA during the first 6 months of 2011, 8 did not receive a
termination briefing. This was due, in part, to some organizations using a
separation checklist that did not require a termination briefing for those with a
clearance. Even when the termination briefing is on the separation checklist,
employees may not properly complete it. The Security Management Division
discovered through other means that these eight individuals had left EPA, so they
processed an SF 312 without the employee's signature. This process started an
average of 28 days after the employee left. The employees' clearances were
withdrawn an average of 60 days after they left, instead of when or before they
left. Of the 12 who received a termination briefing, the clearances for 5 were
withdrawn before they left EPA.
Before starting the annual refresher training, the NSI representatives are supposed
to check the clearance list for accuracy. The NSI representatives' review was not
always effective. When reviewing those in the five organizations who had not
completed the 2010 refresher training, we found that the February 2011 clearance
list included five people from four offices who had left EPA long ago, as shown
in table 2.
Table 2: Years former employees were kept on clearance list after leaving EPA
Employee    Clearance     Left EPA         Years on list after leaving
A           Secret        January 2007     4.1
B           Secret        Unknown          At least 2 years
C           Top Secret    January 2008     3.1
D           Top Secret    July 2006        4.6
E           Top Secret    February 2002    9.0
Sources: EPA staff and OCFO Reporting and Business Intelligence Tool, or ORBIT.
EPA's Guidance Is Not Current or in the Form of a Directive
EPA has issued a regulation and policies for its NSI program, including orders
and a manual. As previously mentioned, the basic guidance document is the
National Security Information Handbook, but it needs to be updated to
incorporate recent changes in the national guidance. It cites EO 12958, as
amended, Classified National Security Information, dated April 1995. However,
EO 12958 was superseded by the December 2009 EO 13526. In June 2010, the
ISOO revised the related regulation in 32 CFR Part 2001. OARM has been in the
process of revising the handbook since at least February 2010 and expects to
complete the changes by January 31, 2012.
The handbook does not incorporate the requirements of 19 sections in the CFR.
Thirteen of the 19 differences between the regulation and the guidance were
related to the changes made in the regulation after the handbook was issued. In
general, the changes to the regulation increased the number of requirements. The
requirements addressed such things as how long information remains classified,
reviewing classification guides, and automatic declassification.
The remaining six differences between the regulation and the handbook pertained
to storing information (§2001.43), transmitting bulky items (§2001.46), having a
memorandum of agreement (§2001.49), using information standards (§2001.51),
using standard forms (§2001.80), and defining terms (§2004.5).
The handbook is currently not in the form of an Agency-wide directive, even
though it impacts the entire EPA. In chapter 1, paragraph 4.j., the EPA 1315 -
Directives Manual defines directives as ". . . written procedures and policy which
are printed as either manuals, orders or notices." It defines a manual as "A rather
lengthy directive or combination of closely related directives which usually
consists of several chapters used to prescribe or establish policies and operating
procedures in functional areas." The handbook has 11 chapters and 13
appendices. Thus, as a handbook instead of a manual, order, or notice, it does not
comply with EPA requirements for the form of an Agency-wide directive. EPA
had a manual that covered national security information, Facilities Support and
Services Manual, Security Volume 4850, but it is under revision and not available.
EPA lists the Directives Manual on the EPA Intranet homepage for manuals, but
there is no link to it as there is for other manuals. Thus, it is no longer available to
EPA staff. The current version of the Directives Manual is dated August 1987.
Portions of the Directives Manual are out of date, including the citation to the
regulations for its legal authority. However, OARM staff confirmed that the
Directives Manual has not been rescinded and still applies.
Guidance Revision Delayed by Pending Regulation Update
Before revising the handbook, OARM plans to update the related regulation in
40 CFR Part 11. EPA issued this regulation in November 1972 based on the
March 1972 EO 11652, Classification and Declassification of National Security
Information and Material, and a national security directive dated May 1972. At
that time, EPA did not have original classification authority. Three executive
orders on national security information (EO 12065 dated June 1978, EO 12356
dated April 1982, and EO 12958 dated April 1995) were issued between the 1972
EO 11652 and the 2009 EO 13526. The 1972 EPA regulation would not reflect
the changed requirements in these EOs, including those in the current EO. Despite
the EPA Administrator having had original classification authority for almost 10 years,
since May 2002, the regulation has yet to be updated.
Conclusion
EPA's NSI program needs improved internal controls to address the following
deficiencies:
• A signed SF 312, documenting an employee's acceptance of the
obligations contained in the Classified Information Nondisclosure
Agreement is not being put in employees' Official Personnel Folder, as
provided for in OPM guidance.
• Annual refresher training is not being completed by all those with an EPA
clearance, as required by the handbook.
• Clearances are not being promptly withdrawn when an employee leaves
EPA, as required by the handbook.
EPA also needs to update its regulation, policies, and basic guidance document
for the NSI program to reflect (1) current government-wide requirements and (2)
the proper EPA form for a directive.
Recommendation
We recommend that the Assistant Administrator for Administration and
Resources Management:
1. Issue a directive to establish controls that address the following
deficiencies identified in this report:
• Put the signed SF 312 in the employee's Official Personnel Folder
• Ensure that those with an EPA security clearance complete the
annual refresher training
• Promptly withdraw a clearance when a cleared employee leaves
EPA
Agency Response and OIG Evaluation
The Director of the Office of Administration, within OARM, responded to our
draft report on behalf of OARM. OARM concurred with the draft report's
findings and recommendation regarding annual refresher training, withdrawal of a
clearance when a cleared employee leaves EPA, the need to update policy
documents to reflect current federal requirements, and the need to comply with
EPA requirements for directives. However, the Agency did not agree with the
finding of a deficiency related to storing the signed SF 312 in an employee's
Official Personnel Folder. While OARM did not concur with the draft report's
finding in this matter, the Personnel Security Branch has begun mailing a copy of
the signed SF 312 for new clearance cases to the appropriate EPA human
resources service center for inclusion in the employee's Official Personnel Folder.
To support its position that it does not need to keep SF 312s in employees'
Official Personnel Folder, OARM offered an e-mail dated February 24, 2012,
from a Human Capital Officer at OPM. Per 5 CFR Part 293, Subpart C, the
Official Personnel Folder "of each employee in a position subject to civil service
rules and regulations is under the jurisdiction and control of" OPM. The OPM
officer cited OPM and ISOO regulations and made contradictory statements
regarding the storage of the SF 312. In one statement, the OPM officer affirmed
that "OPM's Guide to Personnel Recordkeeping, page 3-19, also specifies the
SF 312 is filed on the right side of the OPF [Official Personnel Folder]." This
statement is immediately followed by "If an agency chooses to file the SF 312 in
the OPF [Official Personnel Folder], it must be filed on the right side."
The OIG disagrees with the characterization of the filing of the SF 312 as
optional. As noted earlier in this report, OPM regulation, as set forth in 5 CFR
Part 293, Subpart C, states that the Official Personnel Folder "shall contain long-
term records... as required by OPM's instructions and as designated in the Guide
to Personnel Recordkeeping." The use of the word "shall" signals a command to
include long-term records in the Official Personnel Folder. The status of the
SF 312 as a long-term record is established in the Guide to Personnel
Recordkeeping. First, the guide's filing procedures call for long-term records to
be filed "on the right side of the personnel folder." Second, the guide's personnel
folder filing instructions state, "File the Standard Form 312... on the right side."
By instructing that the SF 312 be filed on the right side of the Official Personnel
Folder, OPM's Guide to Personnel Recordkeeping establishes the SF 312 as a
long-term record and, hence, a document that must be included in the personnel
folder. When OPM's regulation is read together with the personnel folder filing
instructions found in OPM's Guide to Personnel Recordkeeping, we believe that
the SF 312 must be in the employee's Official Personnel Folder.
EPA has begun to provide for newly signed SF 312s to be included in employees'
Official Personnel Folders. Following issuance of the draft report, OARM
informed us that it will document this new practice—of mailing a copy of a
signed SF 312 for a newly cleared employee to the appropriate human resources
service center for inclusion in the employee's Official Personnel Folder—in a
Standard Operating Procedure. OARM issued a Standard Operating Procedure for
"Obtaining, Retaining, and Forwarding SF 312s" on April 9, 2012. This alternate
corrective action meets the intent of our recommendation. Therefore, we consider
the recommendation resolved. Where appropriate, we have incorporated the
Agency's comments into the body of the report. The Agency's complete written
response to the draft report, and our evaluation of the response, are in appendix A.
The e-mail from OPM is in appendix B.
Status of Recommendations and
Potential Monetary Benefits

RECOMMENDATIONS

Rec. No.: 1
Page No.: 10
Subject: Issue a directive to establish controls that address
the following deficiencies identified in this report:
• Put the signed SF 312 in the employee's
Official Personnel Folder
• Ensure that those with an EPA security
clearance complete the annual refresher
training
• Promptly withdraw a clearance when a
cleared employee leaves EPA
Status (1):
Action Official: Assistant Administrator for
Administration and Resources Management
Planned Completion Date: 12/31/12

POTENTIAL MONETARY BENEFITS (in $000s)

Claimed Amount:
Agreed-To Amount:

(1) O = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
Appendix A
Agency Response to Draft Report and
OIG Evaluation
March 2, 2012
MEMORANDUM
SUBJECT: Response to Draft Report OPE-FY10-0024
FROM: Renee Page, Director
Office of Administration
TO: Elizabeth A. Grossman, Acting Assistant Inspector General for Program
Evaluation
Office of Inspector General
On behalf of the Office of Administration and Resources Management, thank you for the
opportunity to respond to the Office of Inspector General's draft report of February 3, 2012:
EPA's National Security Information Program Could Be Improved. The Office of
Administration and Resources Management concurs with the draft report's findings and
recommendation regarding annual refresher training, withdrawal of a clearance when a cleared
employee leaves EPA, the need to update policy documents to reflect current federal
requirements and the need to comply with EPA requirements for directives. We do not concur
with the finding of a deficiency related to storing Standard Form 312 in the Official Personnel
Folder. Our planned completion date, description of corrective actions already initiated or
planned and comments are below.
Draft Report's Recommendation
Issue a directive to establish controls that address the following deficiencies identified in this
report:
• Put the signed Standard Form 312 in the employee's Official Personnel Folder
• Ensure that those with an EPA security clearance complete the annual refresher training
• Promptly withdraw a clearance when a cleared employee leaves EPA
Planned Completion Date
By April 30, 2012, the Security Management Division will submit an updated version of the
National Security Information Handbook to the Office of Human Resources Program
Management and Communications Office for the EPA directives clearance review process. The
updated version will establish controls addressing annual refresher training and prompt
withdrawal of a clearance when an employee leaves EPA. The document will reflect current
government-wide requirements for NSI programs and comply with all requirements for EPA
directives.
Corrective Actions Already Initiated or Planned
• The NSI program has taken the first step in the review process by discussing the
proposed directive with the Program Management and Communications Office.
• To ensure timely compliance with the requirement to complete annual refresher training,
the Security Management Division will administratively withdraw the clearance of
employees who do not comply. This information will be included in the updated
Handbook; related outreach and education will be developed.
• The NSI program is modifying EPA Order 4850 to require clearance holders to notify the
NSI program when they are leaving the agency so they can undergo mandatory
debriefing. The Order will be submitted for the EPA directives clearance review process.
The requirement will be included in the updated Handbook; related outreach and
education will be developed.
• The Personnel Security Branch is now submitting a weekly list of employees whose
clearance status has changed to the Office of Personnel Management for inclusion in the
Central Verification System.
OIG Response: By May 1, 2012, OARM's Security Management Division had disseminated
EPA Order 4850 and the National Security Information Manual 4850 for comment through the
Agency's directives clearance process. The Security Management Division Director later
informed us that EPA anticipates issuing both the Order 4850 and the Manual 4850 by
December 31, 2012. Taken together with the actions listed above, the proposed corrective actions
and milestones meet the intent of the recommendation.
Comments Regarding Standard Form 312
OARM disagrees with the draft report's finding that the SF 312 is "required by government-wide
guidance to be kept in the employee's Official Personnel Folder." This is not a requirement, but
rather an option. Per the Information Security Oversight Office regulation set forth in 32 CFR
Section 2001.80(d)(2)(vii):
For agreements executed by civilian employees of the United States Government, an
agency may store the executed copy of the SF 312 and SF 189 in the United States Office
of Personnel Management's Official Personnel Folder as a long-term (right side)
document for that employee.
OIG Response: As noted earlier in this report, ISOO is responsible for oversight of the
government-wide security classification system. However, ISOO does not have responsibility for
the Official Personnel Folder. As stated in OPM's regulation, 5 CFR Part 293, Subpart C, Section
293.303:
Ownership of folder.
The OPF of each employee in a position subject to civil service rules and
regulations is under the jurisdiction and control of, and is part of the records of,
the Office of Personnel Management (the Office).
ISOO's regulation does not preclude the SF 312 from being stored in the Official Personnel
Folder; it simply indicates that the storage is optional. In light of OPM having jurisdiction over
employees' Official Personnel Folders, OPM's regulation supersedes ISOO's regulation with
respect to the maintenance and content of the Official Personnel Folder.
Per OPM regulations, as set forth in 5 CFR Part 293.304:
The head of each agency shall maintain in the Official Personnel Folder the reports of
selection and other personnel actions named in section 2951 of title 5, United States
Code. The folder shall contain long-term records affecting the employee's status and
service as required by OPM's instructions and as designated in the Guide to Personnel
Recordkeeping.
The SF 312 is not a report of selection or other personnel action named in section 2951 of title 5,
USC and does not affect the employee's status and service. The Guide to Personnel
Recordkeeping does not say that the SF 312 must be included in the Official Personnel Folder,
but only, "File the Standard Form 312 and Standard Form 189 on the right side."
OIG Response: As the Agency itself notes in response to the draft report, OPM's regulation, as
set forth in 5 CFR Part 293.304, states (emphasis added):
The head of each agency shall maintain in the Official Personnel Folder the
reports of selection and other personnel actions named in section 2951 of title 5,
United States Code. The folder shall contain long-term records affecting the
employee's status and service as required by OPM's instructions and as
designated in the Guide to Personnel Recordkeeping.
The word "shall" clearly imports compulsion and obligation.
The status of the SF 312 as a long-term record is established in OPM's Guide to Personnel
Recordkeeping, which states, in Chapter 3:
Long-term documents
Long-term documents are records kept for the life of the folder... filed in chronological
order on the right side of the personnel folder.
OPM's Guide to Personnel Recordkeeping states, in Section 3-G:
Personnel Folder Filing Instructions
File the Standard Form 312 and Standard Form 189 on the right side.
The imperative verb tense, "file," expresses a direct command. By instructing that the SF 312 be
filed on the right side of the Official Personnel Folder, OPM's Guide to Personnel
Recordkeeping establishes the SF 312 as a long-term record and, hence, a document that must be
included in the personnel folder. When OPM's regulation is read together with the personnel
folder filing instructions found in OPM's Guide to Personnel Recordkeeping, we believe that the
SF 312 must be in the employee's Official Personnel Folder.
An Office of Personnel Management Human Capital Officer confirmed to EPA that
there is no requirement to store the SF 312 in the Official Personnel Folder (see attached
February 24, 2012, email):
As authorized in 5 CFR 293.304, OPM provides instructions in the Guide to Personnel
Recordkeeping regarding the long-term records kept in the OPF. 32 CFR 2001.80(d)(2)(vii)
requires an agency to retain executed copies of the SF 312 in a file system, which could include
the OPF. 32 CFR specifies that if the OPF is used to file the SF 312, it would be filed as a
long-term (right side) document. OPM's Guide to Personnel Recordkeeping, page 3-19, also specifies
the SF 312 is filed on the right side of the OPF. If an agency chooses to file the SF 312 in the
OPF, it must be filed on the right side.
OIG Response: We are not aware of the details surrounding the communications between EPA
and the OPM human capital officer on this issue. However, until OPM officially changes the
CFR, these comments are unsupported. OPM's regulation, as set forth in 5 CFR Part 293.304,
states (emphasis added):
The head of each agency shall maintain in the Official Personnel Folder the
reports of selection and other personnel actions named in section 2951 of title 5,
United States Code. The folder shall contain long-term records affecting the
employee's status and service as required by OPM's instructions and as
designated in the Guide to Personnel Recordkeeping.
ISOO's regulation does not preclude the SF 312 from being stored in the Official Personnel
Folder; it simply indicates that the storage is optional. Since it is OPM, and not ISOO, that has
jurisdiction over employees' Official Personnel Folders, OPM's regulation supersedes ISOO's
regulation with respect to the maintenance and content of the Official Personnel Folder.
OARM's position is also supported by the National Archives and Records Administration
General Records Schedule 18, item 25, "Classified Information Nondisclosure Agreements,"
which says that the SF 312 may be filed on the right side of the Official Personnel Folder. It does
not say the SF 312 must be filed in the Official Personnel Folder.
OIG Response: OPM, not the National Archives and Records Administration, has jurisdiction
and ownership over employees' Official Personnel Folders. OPM's regulation dictates the
maintenance and content of the Official Personnel Folder.
While OARM does not concur with the draft report's finding in this matter, the Personnel
Security Branch has begun mailing a copy of the signed SF 312 for new clearance cases to the
appropriate Shared Services Center for inclusion in the employee's Official Personnel Folder,
making it easier for employees to access the form.
OIG Response: Since issuance of the draft report, OARM informed us that it intends to
document this new practice—of mailing a copy of a signed SF 312 for a newly cleared employee
to the appropriate human resources service center for inclusion in the employee's Official
Personnel Folder—in a Standard Operating Procedure. OARM issued a Standard Operating
Procedure for "Obtaining, Retaining, and Forwarding SF 312s" on April 9, 2012. We accept this
corrective action as an alternative to a requirement in the new directive.
Comments Regarding Description of NSI Program Functions
The opening sentence in "At a Glance" states: "Under its classified NSI program, EPA has
assigned responsibilities and provided guidance, training, facilities, equipment, and information
systems to monitor some of its activities." However, the NSI program does not provide
equipment (e.g., secure telephones) or information systems. Programs and regions provide their
own, following NSI program specifications. They also provide their own secure space, again
following NSI program specifications, unless construction costs are over a certain threshold. We
suggest that the first sentence in "At a Glance" be changed to, "Under its classified NSI program,
EPA has assigned responsibilities and provided guidance, training and oversight."
OIG Response: We agree to this revision of the opening sentence in the "At a Glance."
Again, we appreciate this opportunity to respond to the draft report.
Appendix B
E-mail From U.S. Office of Personnel Management
The following e-mail was submitted by an OPM Human Capital Officer to EPA on February 24,
2012.
Subject: Guidance on Filing SF 312
OPM has responsibility for developing regulations, practices, and procedures for the
establishment, maintenance, and transfer of the Official Personnel File (OPF), per 5 CFR
293.303. As authorized in 5 CFR 293.304, OPM provides instructions in the Guide to Personnel
Recordkeeping regarding the long-term records kept in the OPF. 32 CFR 2001.80(d)(2)(vii)
requires an agency to retain executed copies of the SF 312 in a file system, which could include
the OPF. 32 CFR specifies that if the OPF is used to file the SF 312, it would be filed as a long-
term (right side) document. OPM's Guide to Personnel Recordkeeping, page 3-19, also specifies
the SF 312 is filed on the right side of the OPF. If an agency chooses to file the SF 312 in the
OPF, it must be filed on the right side. According to 32 CFR 2001.80(d)(2)(vii), an agency must
inform ISOO of the file system it uses to store the SF 312.
Links to references:
- 5 CFR 293, Subpart C - Official Personnel Folder
- 32 CFR 2001.80(d)(2)(vii)
- Guide to Personnel Recordkeeping: http://www.opm.gov/feddata/recguide2008.pdf
Appendix C
Distribution
Office of the Administrator
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Director, Office of Administration, Office of Administration and Resources Management
Audit Follow-Up Coordinator, Office of Administration and Resources Management