£
<
33
\
^E°
4.
o
z
LLI
o
«T
% PRO^0
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Operating efficiently and effectively
Management Alert:
EPA Has Not Initiated Required
Background Investigations for
Information Systems
Contractor Personnel
Report No. 17-P-0409
September 27, 2017
M
-------�
Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Eric K. Jackson Jr.
Nancy Dao
Abbreviations
CIO
Chief Information Officer
COR
Contracting Officer's Representative
EPA
U.S. Environmental Protection Agency
EPASS
EPA Personnel Access and Security System
MBI
Moderate Risk Background Investigation
NACI
National Agency Check and Inquiries
NACLC
National Agency Check with Law and Credit
OEI
Office of Environmental Information
OIG
Office of Inspector General
PSB
Personnel Security Branch
PUC
Privilege User Card
Cover photo: Background investigations graphic. (EPA OIG image)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotiine@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.aov/oia
Subscribe to our Email Updates
Follow us on Twitter @EPAoiq
Send us your Project Suggestions
-------�
^edU.S. Environmental Protection Agency 17-P-0409
Office of Inspector General September 27,2017
? Q \
\mj
% PRO^
At a Glance
Why We Did This Review
The Office of Inspector
General (OIG) is conducting
an audit to determine
whether the U.S.
Environmental Protection
Agency (EPA) completed
required background
investigations for contractor
personnel with privileged
access to EPA information
systems. While the audit is
ongoing, we are issuing this
management alert to make
the EPA aware of certain
issues that need immediate
attention.
Background investigations
are required for all
individuals to be employed or
contracted by the federal
government. Background
investigations are particularly
critical for information
security personnel in
high-risk positions as they
develop, implement and
administer the system's
security controls to resist and
identify cybersecurity threats.
This report addresses the
following:
• Operating efficiently and
effectively.
Management Alert: EPA Has Not Initiated
Required Background Investigations for
Information Systems Contractor Personnel
What We Found
The required background investigation was
not initiated for any of the nine contractor
personnel we reviewed prior to their obtaining
privileged access to EPA networks, systems
and data. The EPA is required to initiate a
background investigation prior to granting
access to agency systems and data. This
failure to appropriately vet personnel leaves
the agency vulnerable to a cyberattack.
Not vetting contractor
personnel before granting
them network access exposes
the EPA to risks. Contractor
personnel with potentially
questionable backgrounds
who access sensitive agency
data could cause harm.
Management action is needed to correct how the EPA implements its
background screening. In particular, we noted the following control weaknesses:
• The EPA was not initiating required background investigations for
contractor personnel in high-risk positions.
• The EPA has not identified all high-risk information technology positions.
• The EPA has not assigned a risk determination for information security
contractor personnel.
• EPA system owners, service managers and contracting officer's
representatives did not verify whether contractor personnel possessed the
required background investigations.
• The EPA's internal websites do not specify background investigation
requirements for contractor personnel.
• The EPA does not have an accurate number for how many information
security contractor personnel require high-risk background investigations.
Recommendation and Planned Agency Corrective Actions
We recommend that the agency implement controls over the EPA's personnel
screening practices for initiating the required high-level background investigation
for contractor personnel with privileged access to agency networks, information
systems and data. We briefed the EPA on August 21, 2017. Management agreed
with our findings and recommendation. The EPA will provide planned completion
dates in a formal response to this report.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.aov/oia.
Listing of OIG reports.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
September 27, 2017
MEMORANDUM
SUBJECT: Management Alert: EPA Has Not Initiated Required Background Investigations
for Information Systems Contractor Persomiel
Report No. 17-P-0409
FROM: Arthur A. Elkins Jr.
TO:
Steven Fine, Acting Assistant Administrator and Chief Information Officer
Office of Environmental Information
Donna J. Vizian, Acting Assistant Administrator
Office of Administration and Resources Management
During our audit of the U.S. Environmental Protection Agency's (EPA's) processes for managing
background investigations of privileged users under Project Number OA-FY17-0139, we found that the
EPA was not completing the required background investigations for contractor personnel with privileged
access to EPA systems. We are issuing this management alert to make the agency aware of certain issues
that need immediate attention. Audit work regarding background investigations for contractor personnel
is ongoing.
This report represents the opinion of the Office of Inspector General (OIG) and does not represent the
final EPA position. Final determinations on matters in this report will be made by EPA managers in
accordance with established audit resolution procedures.
Action Required
Prior to issuing this report, we met with agency officials to discuss our report, and the officials verbally
agreed with our recommendation. Please provide a formal response to this report within 30 calendar
days that includes planned corrective actions and project completion dates for the recommendation.
Your response, along with our memorandum commenting on your response, will be posted on the OIG's
public website. Your response should be provided as an Adobe PDF file that complies with the
accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final
response should not contain data that you do not want to be released to the public; if your response
contains such data, you should identify the data for redaction or removal along with corresponding
justification.
The report will be available at www.epa. gov/oig.
-------�
Management Alert: EPA Has Not Initiated
Required Background Investigations for
Information Systems Contractor Personnel
17-P-0409
Table of Contents
Purpose 1
Background 1
Responsible Offices 3
Scope and Methodology 3
Results of Review 4
Conclusion 6
Recommendation 7
Agency Comment and OIG Evaluation 7
Status of Recommendations and Potential Monetary Benefits 8
Appendix
A Distribution 9
-------�
Purpose
The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General
(OIG) is currently conducting an audit to determine whether the EPA completed
the required background investigations for contractor personnel with privileged
access to EPA information and systems. This report is being issued to alert the EPA
regarding issues on background investigations for contractor personnel that need
immediate attention. When our audit is complete, we plan to issue a final report.
Background
On August 11, 2015, the EPA's Chief Information Officer (CIO) issued a
memorandum to agency officials indicating that most EPA privileged users did
not have the required level of background investigations. However, in the
memorandum, the CIO indicated that disabling the accounts of privileged users
who support critical infrastructure operations and cybersecurity controls would
nonetheless have a detrimental effect on the agency's ability to accomplish its
missions and respond timely and effectively to the cybersecurity initiatives. The
CIO granted the following temporary waivers to the requirement for higher-level
background checks for privileged access to information systems:
• Before August 31, 2015, EPA Privilege User Cards (PUC) may be issued
to EPA federal or contractor privileged users with a current EPA
Personnel Access and Security System (EPASS) badge.
• After August 31, 2015, PUC cards
may not be issued to EPASS holders
with a background investigation
lower than a Tier 4 unless a specific
written exception is granted by the
EPA Senior Agency Information
Security Officer.
In December 2016, the EPA's Chief Information Officer found that 50 percent of
the EPA's "privileged users" did not have the proper background investigations.
Privileged users have access to system control, and monitoring or administration
functions (such as a system administrator, network administrator or system
programmer). As such, the CIO directed EPA program offices and regions to
validate the information on their privileged users and background investigations,
and to remove a privileged user's access to the networks by December 31, 2017,
if they did not have the required background investigations. The CIO requested
that EPA program offices and regions provide monthly progress updates on the
number of privileged users requiring additional background investigations
beginning January 26, 2017.
Tier 4 is a high-level background
investigation (screening) for
designated high-risk positions
(i.e., a network or system
administrator). This level of
screening is used when a
position's job duties could
seriously impact an organization's
ability to achieve its mission.
17-P-0409
1
-------�
As of February 23, 2017, the Office of
Administration and Resources
Management reported that 336 of 484
contractor personnel with a PUC still
required a higher background
investigation. A PUC is a special card
issued to personnel who need elevated
access to EPA systems to perform their
duties.
Office of Management and Budget
Circular A-130 Revised, Managing
Information as a Strategic Resource, published July 28, 2016, states that agencies
shall implement control policies that ensure the appropriate level of background
investigation is conducted to protect federal information and information systems.
The Office of Personnel Management established guidelines for federal agencies
when conducting background investigations. The type of background
investigation to be conducted should correspond with the information technology
position risk level and magnitude of harm an individual could cause.
EPA CIO 2150.3-P-13.1, Information Security-Interim Personnel Security
Procedures, V2.0, dated July 18, 2012, requires EPA personnel and contractor
personnel to undergo similar personnel screening requirements. A risk designation
must be assigned to contractor personnel in information management and
information technology-related positions based upon the user's role for accessing
the information system.
EPA contracting officer's representatives (CORs) verify that contractor personnel
timely complete the initial security screening and obtain favorable fingerprint
results before an EPA badge is issued. The COR also designates the position risk
level by determining a position's potential to adversely affect the agency's
integrity, efficiency and mission. Risk designation is required for personnel who
will be at the EPA for 6 months or longer. Table 1 identifies the types of
background investigations—Tiers 4 and 5—required for high-risk positions.
Table 1: Types of investigations
Types of investigations
Moderate Risk Background Investigation (MBI)
National Agency Check and Inquiries (NACI)
National Agency Check with Law and Credit (NACLC)
Special Agreement Check (for fingerprints only)
Tier 1 (for low-risk, non-sensitive position)
Tier 2 (for moderate-risk, non-sensitive position)
Tier 3 (for moderate-risk, non-critical or critical sensitive position)
Tier 4 (for high-risk, non-sensitive position)
Tier 5 (for high-risk, non-critical or critical sensitive position)
Source: EPA Personnel Security Branch website.
A PUC provides access to system
security controls and processes that
are not granted to general users.
-Oso»:;\EPA
/$ Printed on:
NOT FOR IDENTIFICATION ppp}
OR PHYSICAL ACCESS d
17-P-0409
2
-------�
Responsible Offices
The Office of Environmental Information (OEI) oversees the EPA's information
security program. This office develops agencywide information security policies
and procedures, including establishing procedures that govern contractor access to
the EPA's networks, systems and data. The Assistant Administrator for OEI is
also the agency's CIO.
Within the Office of Administration and Resources Management, the Personnel
Security Branch (PSB) is responsible for onboarding contractor personnel and
investigation funding. The PSB manages the EPA's Personnel Security Program,
which initiates and adjudicates background investigations. The PSB works directly
with the Office of Personnel Management and the U.S. Department of Defense on
personnel security matters, including fingerprinting and investigative services.
The EPA's CORs—within each program office and region—are responsible for
initiating the required background investigations for contractor personnel, and
monitoring the background investigation process for applicants in the EPA's
Personnel Security System before they report to their duty stations. Each EPA
program office and region has a risk designation approver who is responsible for
reviewing and either approving or changing the risk designations for individuals
who will be employed with the EPA for more than 6 months.
Scope and Methodology
We began our audit in March 2017, and our work is ongoing. We are conducting
this performance audit in accordance with generally accepted government
auditing standards. These standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
We obtained and reviewed federal and EPA policies and procedures on
background investigation requirements for contractor personnel with privileged
access to the agency systems. The PSB provided us a list of contractor personnel
identified as PUC holders from the Office of Administrative Services Information
System. The PSB could not provide us with a listing of personnel without PUCs
who have privilege access to EPA systems. We reviewed the fiscal year 2016
security assessment report pertaining to this system and noted there were no
weaknesses identified that would materially impact our use of the data.
The PSB list of contractor personnel holding PUCs also indicated current
background investigation levels. From that list, we selected a judgmental sample
of nine personnel to review—seven contractor personnel for the OEI, one for
Region 5 and one for Region 8.
17-P-0409
3
-------�
Our review consisted of analyzing contracts and supporting data related to
background investigations. We also interviewed agency personnel responsible for
initiating and monitoring background investigations of contractor personnel.
There were no previous recommendations for us to follow up on.
Results of Review
At the time of our review, the EPA had not initiated, at a minimum, a Tier 4
background investigation for any of the nine sampled contractor personnel with
privileged access to agency information systems and data. The EPA is required to
initiate a background investigation prior to granting access to agency systems and
data.
Table 2 lists the nine contractor personnel identified as privileged users with a
PUC. These contractor personnel hold various information technology specialist
positions with the ability to make changes to security controls in the systems they
access and should have been assigned a high-risk designation (Tier 4 or 5).
Table 2: Status of background investigations for contractor personnel with a PUC
Contractor
EPA
office
Date
contractor
assigned
to contract
Type of
investigation
conducted
EPA office's
risk
designation
Position
Background
investigation
status since
start of OIG
audit
1
OEI
10/1/10
Tier 1
Not Designated
Email IT Analyst
Initiated Tier 4
2
OEI
10/1/12
Tier 2
Moderate Risk
Computer Security
Analyst
Not on EPA
Contract
3
OEI
10/1/10
Tier 2
Moderate Risk
Manager Email
Initiated Tier 4
4
OEI
10/1/10
Tier 2
Moderate Risk
Active Directory
Engineer
Initiated Tier 4
5
OEI
1/1/12
Tier 2
Moderate Risk
Senior System
Engineer
No change
6
OEI
10/1/10
Tier 2
Moderate Risk
Senior System
Analyst
Initiated Tier 4
7
OEI
4/1/11
Tier 1
Not Designated
Enterprise Computer
Security Information
Manager
Initiated Tier 4
8
Region 5
5/1/16
Tier 2
Moderate Risk
System
Administrator
Initiated Tier 4
9
Region 8
12/1/14
Tier 2
Moderate Risk
Technical Support
Analyst I
No change
Source: EPA background investigation data from Office of Administrative Services Information System as of June 21,
2017.
The EPA has taken steps to reduce the number of contractor personnel with
privileged access to agency information systems and data who do not have the
required background investigation conducted. However, EPA offices were not
implementing the background screening requirements. Our analysis and interviews
disclosed that many of these underlying issues could have been uncovered had EPA
management conducted oversight and a timely review of these processes. Details
on these problems follow.
17-P-0409
4
-------�
EPA offices were not initiating the required background investigation for
high-risk positions that were specifically identified on the Position Risk
Designation Checklist as such. As noted in Table 2, five of the nine
positions (i.e., Email IT Analyst, Computer Security Analyst, Enterprise
Computer Security Information Manager, System Administrator and
Technical Support Analyst I) correspond to similar high-risk positions
noted on the Position Risk Designation Checklist. However, these
contractor personnel were given PUCs the required high-risk background
investigation being initiated.
The EPA's Position Risk Designation Checklist, which lists risk levels by
positions, does not identify all information technology positions that are
high risk. For example, two system engineers' duties required them to
have privileged access to EPA systems, but the system engineer position is
not listed on the checklist. Nonetheless, the two engineers were given
PUCs that required Tier 4 background investigation, even though no
background investigation had been initiated prior to the start of our audit.
EPA offices had not made a risk determination for two of the nine samples.
This omission of data is in contrast with EPA CIO-2150.3-P-13.1,
Information Security —Interim Personnel Security Procedures, V2.0,
dated July 18, 2012, which states "a risk designation must be assigned to all
non-federal position functions (as determined according to the equivalent of
a federal employee in the same function) in information management and
information technology related positions." Both contractor personnel were
given PUCs.
There is a lack of oversight by responsible offices to confirm that the
required background investigations for contractor personnel were initiated
before the personnel were given PUCs to access EPA systems. As noted in
Table 2, while none of the contractor personnel had the required
background investigation initiated, five of the nine contractor personnel
sampled were given sensitive access to EPA systems and have worked for
the EPA for over 5 years. Additionally, the offices took no action to
confirm the required background investigation was initiated. Four of the
nine sampled contractor personnel came onboard after the EPA published
its August 6, 2012, access control procedure, and these contractor
personnel were given PUCs without the agency initiating the required
background investigation.
There is a breakdown in communication among system owners,
service managers and CORs to verify that they initiate and subsequently
complete the appropriate background investigation for contractor
personnel. Guidance under EPA CIO-2150.3-P-01, Interim Access Control
Procedures, dated August 6, 2012, requires that system owners and
-------�
service managers verify that background checks are completed. These
procedures further place the responsibility on the COR to initiate and
follow the contractor personnel's background investigation until it is
complete. We found that CORs did not review their contracts to confirm
whether the office initiated the required background investigation for all
assigned contractor personnel. One COR indicated that at the time of
taking over a contract that had been in place for several years, all the
background investigations had been completed for the assigned contractor
personnel, and the COR did not believe there was an agency requirement
to review the contractor personnel background investigations again.
However, EPA CIO-2150.3-P-13.1, Information Security —Interim
Personnel Security Procedures, V2.0, dated July 18, 2012, requires that
position sensitivity levels be reviewed annually and revised as appropriate.
• Even though the EPA has personnel screening procedures, the requirement
for contractor personnel with privileged access to have a Tier 4
background investigation is not identified on the agency's background
screening and information security policies web pages.
• The OEI and the Office of Administration and Resources Management
did not have the same totals for the number of contractor personnel
requiring Tier 4 background investigations. For example, as of February
2017, EPA program and regional offices reported to the OEI that 312
personnel (federal employees and contractor personnel) still required a
higher background investigation. However, for the same timeframe, the
information provided to us from the Office of Administration and
Resources Management indicated there were 336 contractor personnel
with PUCs that had background investigations lower than the mandated
Tier 4 background investigation. As such, the EPA cannot be certain of the
exact number of contractor personnel who are required to be investigated
at the Tier 4 background investigation level.
Conclusion
Systemic problems in how the EPA implements its processes for initiating the
required background investigations for contractor personnel expose the EPA to
risks. Contractor personnel with potentially questionable backgrounds are
accessing sensitive agency data and could cause harm. These initial investigations
and timely reviews serve as a cornerstone for the EPA to verify whether
contractor personnel are trustworthy. Contractors with potentially questionable
backgrounds who access sensitive agency systems can cause the agency harm.
17-P-0409
6
-------�
Recommendation
We recommend that the Assistant Administrator for Environmental
Information/Chief Information Officer and the Assistant Administrator for
Administration and Resources Management:
1. Implement controls over the EPA's personnel screening practices for
initiating the required high-level background investigations for contractor
personnel with privileged access to agency networks, information systems
and data. These implemented controls should include, but not be limited
to, improving:
(a) The EPA's Position Risk Designation Checklist to include
required background investigations by position and risk
designations.
(b) Communication among agency personnel on verifying and
reviewing background investigations.
(c) The accuracy of the data in the EPA's official personnel security
system.
Agency Comment and OIG Evaluation
We worked closely with EPA personnel throughout the audit to keep them
apprised of our findings. On August 21, 2017, we briefed EPA management
regarding the findings and recommendation in this report. EPA management
agreed with our findings and recommendation. The EPA stated that it
implemented new processes for issuing PUCs early in 2017. Subsequent to our
briefing, we provided the EPA a summary of our briefing notes and collected
management's email confirmation that the notes were accurate. The EPA also
provided documentation of the new process discussed during the briefing.
Under the new process, a web-based tool requires all information systems
contractor applicants to undergo a background investigation before receiving a
PUC. The documentation further indicates that the PSB will ensure that only
eligible personnel receive a PUC after a high-risk Tier 4 investigation. However,
the new process does not address all of the underlying issues identified in this
report, and we believe that more management emphasis is needed to strengthen
controls regarding background investigation for contractor personnel with
privileged access to agency networks, information systems and data.
We are issuing this management alert to encourage the EPA's prompt action in
addressing the findings. The EPA will provide planned completion dates in a
formal response to this report.
17-P-0409
7
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec.
No.
Page
No.
Subject
Status1 Action Official
Planned
Completion
Date
Potential
Monetary
Benefits
(in $000s)
1
7
Implement controls over the EPA's personnel screening
practices for initiating the required high-level background
investigations for contractor personnel with privileged access to
agency networks, information systems and data. These
implemented controls should include, but not be limited to,
improving:
U Assistant Administrator for
Environmental Information/
Chief Information Officer
and Assistant Administrator
for Administration and
Resources Management
(a) The EPA's Position Risk Designation Checklist to include
required background investigations by position and risk
designations.
(b) Communication among agency personnel on verifying and
reviewing background investigations.
(c) The accuracy of the data in the EPA's official personnel
security system.
1 C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
17-P-0409
8
-------�
Appendix A
Distribution
The Administrator
Chief of Staff
Chief of Staff for Operations
Deputy Chief of Staff for Operations
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator for Environmental Information and
Deputy Chief Information Officer
Deputy Assistant Administrator for Administration and Resources Management
Director, Office of Resources, Operations and Management, Office of Administration
and Resources Management
Deputy Director, Office of Resources, Operations and Management, Office of Administration
and Resources Management
Director, Office of Information Security and Privacy, Office of Environmental Information
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Environmental Information
Audit Follow-Up Coordinator, Office of Administration and Resources Management
17-P-0409
9
-------� |