U.S. Environmental Protection Agency	17-P-0409
Office of Inspector General	September 27, 2017
At a Glance
Why We Did This Review
The Office of Inspector
General (OIG) is conducting
an audit to determine
whether the U.S.
Environmental Protection
Agency (EPA) completed
required background
investigations for contractor
personnel with privileged
access to EPA information
systems. While the audit is
ongoing, we are issuing this
management alert to make
the EPA aware of certain
issues that need immediate
attention.
Background investigations
are required for all
individuals to be employed or
contracted by the federal
government. Background
investigations are particularly
critical for information
security personnel in
high-risk positions as they
develop, implement and
administer the system's
security controls to resist and
identify cybersecurity threats.
This report addresses the
following:
• Operating efficiently and
effectively.
Management Alert: EPA Has Not Initiated
Required Background Investigations for
Information Systems Contractor Personnel
What We Found
The required background investigation was
not initiated for any of the nine contractor
personnel we reviewed prior to their obtaining
privileged access to EPA networks, systems
and data. The EPA is required to initiate a
background investigation prior to granting
access to agency systems and data. This
failure to appropriately vet personnel leaves
the agency vulnerable to a cyberattack.
Not vetting contractor
personnel before granting
them network access exposes
the EPA to risks. Contractor
personnel with potentially
questionable backgrounds
who access sensitive agency
data could cause harm.
Management action is needed to correct how the EPA implements its
background screening. In particular, we noted the following control weaknesses:
• The EPA was not initiating required background investigations for
contractor personnel in high-risk positions.
• The EPA has not identified all high-risk information technology positions.
• The EPA has not assigned a risk determination for information security
contractor personnel.
• EPA system owners, service managers and contracting officer's
representatives did not verify whether contractor personnel possessed the
required background investigations.
• The EPA's internal websites do not specify background investigation
requirements for contractor personnel.
• The EPA does not have an accurate number for how many information
security contractor personnel require high-risk background investigations.
Recommendation and Planned Agency Corrective Actions
We recommend that the agency implement controls over the EPA's personnel
screening practices for initiating the required high-level background investigation
for contractor personnel with privileged access to agency networks, information
systems and data. We briefed the EPA on August 21, 2017. Management agreed
with our findings and recommendation. The EPA will provide planned completion
dates in a formal response to this report.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oig.
Listing of OIG reports.

-------