U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Operating efficiently and effectively

Management Alert: EPA Has Not Initiated Required Background Investigations for Information Systems Contractor Personnel

Report No. 17-P-0409
September 27, 2017

Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Eric K. Jackson Jr.
Nancy Dao

Abbreviations
CIO    Chief Information Officer
COR    Contracting Officer's Representative
EPA    U.S. Environmental Protection Agency
EPASS  EPA Personnel Access and Security System
MBI    Moderate Risk Background Investigation
NACI   National Agency Check and Inquiries
NACLC  National Agency Check with Law and Credit
OEI    Office of Environmental Information
OIG    Office of Inspector General
PSB    Personnel Security Branch
PUC    Privilege User Card

Cover photo: Background investigations graphic. (EPA OIG image)

Are you aware of fraud, waste or abuse in an EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov
Learn more about our OIG Hotline.

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

U.S. Environmental Protection Agency
Office of Inspector General
17-P-0409
September 27, 2017

At a Glance

Why We Did This Review

The Office of Inspector General (OIG) is conducting an audit to determine whether the U.S. Environmental Protection Agency (EPA) completed required background investigations for contractor personnel with privileged access to EPA information systems. While the audit is ongoing, we are issuing this management alert to make the EPA aware of certain issues that need immediate attention.

Background investigations are required for all individuals to be employed or contracted by the federal government.
Background investigations are particularly critical for information security personnel in high-risk positions as they develop, implement and administer the system's security controls to resist and identify cybersecurity threats.

This report addresses the following:
• Operating efficiently and effectively.

Management Alert: EPA Has Not Initiated Required Background Investigations for Information Systems Contractor Personnel

What We Found

The required background investigation was not initiated for any of the nine contractor personnel we reviewed prior to their obtaining privileged access to EPA networks, systems and data. The EPA is required to initiate a background investigation prior to granting access to agency systems and data. This failure to appropriately vet personnel leaves the agency vulnerable to a cyberattack.

Not vetting contractor personnel before granting them network access exposes the EPA to risks. Contractor personnel with potentially questionable backgrounds who access sensitive agency data could cause harm. Management action is needed to correct how the EPA implements its background screening. In particular, we noted the following control weaknesses:

• The EPA was not initiating required background investigations for contractor personnel in high-risk positions.
• The EPA has not identified all high-risk information technology positions.
• The EPA has not assigned a risk determination for information security contractor personnel.
• EPA system owners, service managers and contracting officer's representatives did not verify whether contractor personnel possessed the required background investigations.
• The EPA's internal websites do not specify background investigation requirements for contractor personnel.
• The EPA does not have an accurate number for how many information security contractor personnel require high-risk background investigations.
Recommendation and Planned Agency Corrective Actions

We recommend that the agency implement controls over the EPA's personnel screening practices for initiating the required high-level background investigation for contractor personnel with privileged access to agency networks, information systems and data.

We briefed the EPA on August 21, 2017. Management agreed with our findings and recommendation. The EPA will provide planned completion dates in a formal response to this report.

Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.
Listing of OIG reports.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL

September 27, 2017

MEMORANDUM

SUBJECT: Management Alert: EPA Has Not Initiated Required Background Investigations for Information Systems Contractor Personnel
Report No. 17-P-0409

FROM: Arthur A. Elkins Jr.

TO: Steven Fine, Acting Assistant Administrator and Chief Information Officer
Office of Environmental Information

Donna J. Vizian, Acting Assistant Administrator
Office of Administration and Resources Management

During our audit of the U.S. Environmental Protection Agency's (EPA's) processes for managing background investigations of privileged users under Project Number OA-FY17-0139, we found that the EPA was not completing the required background investigations for contractor personnel with privileged access to EPA systems. We are issuing this management alert to make the agency aware of certain issues that need immediate attention. Audit work regarding background investigations for contractor personnel is ongoing.

This report represents the opinion of the Office of Inspector General (OIG) and does not represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.
Action Required

Prior to issuing this report, we met with agency officials to discuss our report, and the officials verbally agreed with our recommendation. Please provide a formal response to this report within 30 calendar days that includes planned corrective actions and project completion dates for the recommendation. Your response, along with our memorandum commenting on your response, will be posted on the OIG's public website. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

The report will be available at www.epa.gov/oig.

Management Alert: EPA Has Not Initiated Required Background Investigations for Information Systems Contractor Personnel
17-P-0409

Table of Contents
Purpose  1
Background  1
Responsible Offices  3
Scope and Methodology  3
Results of Review  4
Conclusion  6
Recommendation  7
Agency Comment and OIG Evaluation  7
Status of Recommendations and Potential Monetary Benefits  8
Appendix A: Distribution  9

Purpose

The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) is currently conducting an audit to determine whether the EPA completed the required background investigations for contractor personnel with privileged access to EPA information and systems. This report is being issued to alert the EPA regarding issues on background investigations for contractor personnel that need immediate attention. When our audit is complete, we plan to issue a final report.

Background

On August 11, 2015, the EPA's Chief Information Officer (CIO) issued a memorandum to agency officials indicating that most EPA privileged users did not have the required level of background investigations.
However, in the memorandum, the CIO indicated that disabling the accounts of privileged users who support critical infrastructure operations and cybersecurity controls would nonetheless have a detrimental effect on the agency's ability to accomplish its missions and respond timely and effectively to the cybersecurity initiatives. The CIO granted the following temporary waivers to the requirement for higher-level background checks for privileged access to information systems:

• Before August 31, 2015, EPA Privilege User Cards (PUC) may be issued to EPA federal or contractor privileged users with a current EPA Personnel Access and Security System (EPASS) badge.
• After August 31, 2015, PUC cards may not be issued to EPASS holders with a background investigation lower than a Tier 4 unless a specific written exception is granted by the EPA Senior Agency Information Security Officer.

In December 2016, the EPA's Chief Information Officer found that 50 percent of the EPA's "privileged users" did not have the proper background investigations. Privileged users have access to system control, monitoring or administration functions (such as a system administrator, network administrator or system programmer). As such, the CIO directed EPA program offices and regions to validate the information on their privileged users and background investigations, and to remove a privileged user's access to the networks by December 31, 2017, if they did not have the required background investigations. The CIO requested that EPA program offices and regions provide monthly progress updates on the number of privileged users requiring additional background investigations beginning January 26, 2017.

Tier 4 is a high-level background investigation (screening) for designated high-risk positions (i.e., a network or system administrator). This level of screening is used when a position's job duties could seriously impact an organization's ability to achieve its mission.
17-P-0409 1

As of February 23, 2017, the Office of Administration and Resources Management reported that 336 of 484 contractor personnel with a PUC still required a higher background investigation. A PUC is a special card issued to personnel who need elevated access to EPA systems to perform their duties.

Office of Management and Budget Circular A-130 Revised, Managing Information as a Strategic Resource, published July 28, 2016, states that agencies shall implement control policies that ensure the appropriate level of background investigation is conducted to protect federal information and information systems. The Office of Personnel Management established guidelines for federal agencies when conducting background investigations. The type of background investigation to be conducted should correspond with the information technology position risk level and magnitude of harm an individual could cause.

EPA CIO 2150.3-P-13.1, Information Security-Interim Personnel Security Procedures, V2.0, dated July 18, 2012, requires EPA personnel and contractor personnel to undergo similar personnel screening requirements. A risk designation must be assigned to contractor personnel in information management and information technology-related positions based upon the user's role for accessing the information system. EPA contracting officer's representatives (CORs) verify that contractor personnel timely complete the initial security screening and obtain favorable fingerprint results before an EPA badge is issued. The COR also designates the position risk level by determining a position's potential to adversely affect the agency's integrity, efficiency and mission. Risk designation is required for personnel who will be at the EPA for 6 months or longer.

Table 1 identifies the types of background investigations—Tiers 4 and 5—required for high-risk positions.
Table 1: Types of investigations

Types of investigations
• Moderate Risk Background Investigation (MBI)
• National Agency Check and Inquiries (NACI)
• National Agency Check with Law and Credit (NACLC)
• Special Agreement Check (for fingerprints only)
• Tier 1 (for low-risk, non-sensitive position)
• Tier 2 (for moderate-risk, non-sensitive position)
• Tier 3 (for moderate-risk, non-critical or critical sensitive position)
• Tier 4 (for high-risk, non-sensitive position)
• Tier 5 (for high-risk, non-critical or critical sensitive position)

Source: EPA Personnel Security Branch website.

(Image of an EPA Privilege User Card, marked "NOT FOR IDENTIFICATION OR PHYSICAL ACCESS".) A PUC provides access to system security controls and processes that are not granted to general users.

Responsible Offices

The Office of Environmental Information (OEI) oversees the EPA's information security program. This office develops agencywide information security policies and procedures, including establishing procedures that govern contractor access to the EPA's networks, systems and data. The Assistant Administrator for OEI is also the agency's CIO.

Within the Office of Administration and Resources Management, the Personnel Security Branch (PSB) is responsible for onboarding contractor personnel and investigation funding. The PSB manages the EPA's Personnel Security Program, which initiates and adjudicates background investigations. The PSB works directly with the Office of Personnel Management and the U.S. Department of Defense on personnel security matters, including fingerprinting and investigative services.

The EPA's CORs—within each program office and region—are responsible for initiating the required background investigations for contractor personnel, and monitoring the background investigation process for applicants in the EPA's Personnel Security System before they report to their duty stations.
Each EPA program office and region has a risk designation approver who is responsible for reviewing and either approving or changing the risk designations for individuals who will be employed with the EPA for more than 6 months.

Scope and Methodology

We began our audit in March 2017, and our work is ongoing. We are conducting this performance audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We obtained and reviewed federal and EPA policies and procedures on background investigation requirements for contractor personnel with privileged access to the agency systems. The PSB provided us a list of contractor personnel identified as PUC holders from the Office of Administrative Services Information System. The PSB could not provide us with a listing of personnel without PUCs who have privilege access to EPA systems. We reviewed the fiscal year 2016 security assessment report pertaining to this system and noted there were no weaknesses identified that would materially impact our use of the data. The PSB list of contractor personnel holding PUCs also indicated current background investigation levels. From that list, we selected a judgmental sample of nine personnel to review—seven contractor personnel for the OEI, one for Region 5 and one for Region 8.

Our review consisted of analyzing contracts and supporting data related to background investigations. We also interviewed agency personnel responsible for initiating and monitoring background investigations of contractor personnel. There were no previous recommendations for us to follow up on.
Results of Review

At the time of our review, the EPA had not initiated, at a minimum, a Tier 4 background investigation for any of the nine sampled contractor personnel with privileged access to agency information systems and data. The EPA is required to initiate a background investigation prior to granting access to agency systems and data. Table 2 lists the nine contractor personnel identified as privileged users with a PUC. These contractor personnel hold various information technology specialist positions with the ability to make changes to security controls in the systems they access and should have been assigned a high-risk designation (Tier 4 or 5).

Table 2: Status of background investigations for contractor personnel with a PUC

Contractor | EPA office | Date contractor assigned to contract | Type of investigation conducted | EPA office's risk designation | Position | Background investigation status since start of OIG audit
1 | OEI | 10/1/10 | Tier 1 | Not Designated | Email IT Analyst | Initiated Tier 4
2 | OEI | 10/1/12 | Tier 2 | Moderate Risk | Computer Security Analyst | Not on EPA Contract
3 | OEI | 10/1/10 | Tier 2 | Moderate Risk | Manager Email | Initiated Tier 4
4 | OEI | 10/1/10 | Tier 2 | Moderate Risk | Active Directory Engineer | Initiated Tier 4
5 | OEI | 1/1/12 | Tier 2 | Moderate Risk | Senior System Engineer | No change
6 | OEI | 10/1/10 | Tier 2 | Moderate Risk | Senior System Analyst | Initiated Tier 4
7 | OEI | 4/1/11 | Tier 1 | Not Designated | Enterprise Computer Security Information Manager | Initiated Tier 4
8 | Region 5 | 5/1/16 | Tier 2 | Moderate Risk | System Administrator | Initiated Tier 4
9 | Region 8 | 12/1/14 | Tier 2 | Moderate Risk | Technical Support Analyst I | No change

Source: EPA background investigation data from Office of Administrative Services Information System as of June 21, 2017.

The EPA has taken steps to reduce the number of contractor personnel with privileged access to agency information systems and data who do not have the required background investigation conducted.
However, EPA offices were not implementing the background screening requirements. Our analysis and interviews disclosed that many of these underlying issues could have been uncovered had EPA management conducted oversight and a timely review of these processes. Details on these problems follow.

• EPA offices were not initiating the required background investigation for high-risk positions that were specifically identified on the Position Risk Designation Checklist as such. As noted in Table 2, five of the nine positions (i.e., Email IT Analyst, Computer Security Analyst, Enterprise Computer Security Information Manager, System Administrator and Technical Support Analyst I) correspond to similar high-risk positions noted on the Position Risk Designation Checklist. However, these contractor personnel were given PUCs without the required high-risk background investigation being initiated.

• The EPA's Position Risk Designation Checklist, which lists risk levels by positions, does not identify all information technology positions that are high risk. For example, two system engineers' duties required them to have privileged access to EPA systems, but the system engineer position is not listed on the checklist. Nonetheless, the two engineers were given PUCs that required a Tier 4 background investigation, even though no background investigation had been initiated prior to the start of our audit.

• EPA offices had not made a risk determination for two of the nine samples. This omission of data is in contrast with EPA CIO-2150.3-P-13.1, Information Security—Interim Personnel Security Procedures, V2.0, dated July 18, 2012, which states "a risk designation must be assigned to all non-federal position functions (as determined according to the equivalent of a federal employee in the same function) in information management and information technology related positions." Both contractor personnel were given PUCs.
• There is a lack of oversight by responsible offices to confirm that the required background investigations for contractor personnel were initiated before the personnel were given PUCs to access EPA systems. As noted in Table 2, while none of the contractor personnel had the required background investigation initiated, five of the nine contractor personnel sampled were given sensitive access to EPA systems and have worked for the EPA for over 5 years. Additionally, the offices took no action to confirm the required background investigation was initiated. Four of the nine sampled contractor personnel came onboard after the EPA published its August 6, 2012, access control procedure, and these contractor personnel were given PUCs without the agency initiating the required background investigation.

• There is a breakdown in communication among system owners, service managers and CORs to verify that they initiate and subsequently complete the appropriate background investigation for contractor personnel. Guidance under EPA CIO-2150.3-P-01, Interim Access Control Procedures, dated August 6, 2012, requires that system owners and service managers verify that background checks are completed. These procedures further place the responsibility on the COR to initiate and follow the contractor personnel's background investigation until it is complete. We found that CORs did not review their contracts to confirm whether the office initiated the required background investigation for all assigned contractor personnel. One COR indicated that at the time of taking over a contract that had been in place for several years, all the background investigations had been completed for the assigned contractor personnel, and the COR did not believe there was an agency requirement to review the contractor personnel background investigations again.
However, EPA CIO-2150.3-P-13.1, Information Security—Interim Personnel Security Procedures, V2.0, dated July 18, 2012, requires that position sensitivity levels be reviewed annually and revised as appropriate.

• Even though the EPA has personnel screening procedures, the requirement for contractor personnel with privileged access to have a Tier 4 background investigation is not identified on the agency's background screening and information security policies web pages.

• The OEI and the Office of Administration and Resources Management did not have the same totals for the number of contractor personnel requiring Tier 4 background investigations. For example, as of February 2017, EPA program and regional offices reported to the OEI that 312 personnel (federal employees and contractor personnel) still required a higher background investigation. However, for the same timeframe, the information provided to us from the Office of Administration and Resources Management indicated there were 336 contractor personnel with PUCs that had background investigations lower than the mandated Tier 4 background investigation. As such, the EPA cannot be certain of the exact number of contractor personnel who are required to be investigated at the Tier 4 background investigation level.

Conclusion

Systemic problems in how the EPA implements its processes for initiating the required background investigations for contractor personnel expose the EPA to risks. Contractor personnel with potentially questionable backgrounds are accessing sensitive agency data and could cause harm. These initial investigations and timely reviews serve as a cornerstone for the EPA to verify whether contractor personnel are trustworthy. Contractors with potentially questionable backgrounds who access sensitive agency systems can cause the agency harm.
Recommendation

We recommend that the Assistant Administrator for Environmental Information/Chief Information Officer and the Assistant Administrator for Administration and Resources Management:

1. Implement controls over the EPA's personnel screening practices for initiating the required high-level background investigations for contractor personnel with privileged access to agency networks, information systems and data. These implemented controls should include, but not be limited to, improving:
   (a) The EPA's Position Risk Designation Checklist to include required background investigations by position and risk designations.
   (b) Communication among agency personnel on verifying and reviewing background investigations.
   (c) The accuracy of the data in the EPA's official personnel security system.

Agency Comment and OIG Evaluation

We worked closely with EPA personnel throughout the audit to keep them apprised of our findings. On August 21, 2017, we briefed EPA management regarding the findings and recommendation in this report. EPA management agreed with our findings and recommendation. The EPA stated that it implemented new processes for issuing PUCs early in 2017. Subsequent to our briefing, we provided the EPA a summary of our briefing notes and collected management's email confirmation that the notes were accurate. The EPA also provided documentation of the new process discussed during the briefing. Under the new process, a web-based tool requires all information systems contractor applicants to undergo a background investigation before receiving a PUC. The documentation further indicates that the PSB will ensure that only eligible personnel receive a PUC after a high-risk Tier 4 investigation.
However, the new process does not address all of the underlying issues identified in this report, and we believe that more management emphasis is needed to strengthen controls regarding background investigation for contractor personnel with privileged access to agency networks, information systems and data. We are issuing this management alert to encourage the EPA's prompt action in addressing the findings. The EPA will provide planned completion dates in a formal response to this report.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS

Rec. No.: 1
Page No.: 7
Subject: Implement controls over the EPA's personnel screening practices for initiating the required high-level background investigations for contractor personnel with privileged access to agency networks, information systems and data. These implemented controls should include, but not be limited to, improving:
   (a) The EPA's Position Risk Designation Checklist to include required background investigations by position and risk designations.
   (b) Communication among agency personnel on verifying and reviewing background investigations.
   (c) The accuracy of the data in the EPA's official personnel security system.
Status (1): U
Action Official: Assistant Administrator for Environmental Information/Chief Information Officer and Assistant Administrator for Administration and Resources Management
Planned Completion Date: (to be provided in the agency's formal response)
Potential Monetary Benefits (in $000s): (none identified)

(1) C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress.
Appendix A

Distribution

The Administrator
Chief of Staff
Chief of Staff for Operations
Deputy Chief of Staff for Operations
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator for Environmental Information and Deputy Chief Information Officer
Deputy Assistant Administrator for Administration and Resources Management
Director, Office of Resources, Operations and Management, Office of Administration and Resources Management
Deputy Director, Office of Resources, Operations and Management, Office of Administration and Resources Management
Director, Office of Information Security and Privacy, Office of Environmental Information
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Administration and Resources Management