^0ST*%
Office of Inspector General
«Imt/ Audit Report
$ ¦ » %
S ate^NfllHlUJ
I
V "
PROltS
INFORMATION TECHNOLOGY
Review of Off-Site Consequence
Analysis Information Management
Audit Report Number 2002-P-00006
March 22, 2002
-------�
Inspector General Division
Conducting the Audit
Information Technology Audits Staff,
Washington, DC
Region Covered
Headquarters
Program Office Involved
Chemical Emergency Preparedness and
Prevention Office
Audit Team Members
Edward Densmore
Kelli Cooper
Martin Bardak
Abbreviations
CEPPO
Chemical Emergency Preparedness and Prevention Office
CSISSFRRA
Chemical Safety Information, Site Security and Fuels Regulatory Relief Act
EPA
U. S. Environmental Protection Agency
OCA
Off-Site Consequence Analysis
OIG
Office of Inspector General
RMP
Risk Management Plan
SR. MP
System for Risk Management Plans
-------�
MEMORANDUM
SUBJECT: Final Report: Review of Off-Site Consequence
Analysis Information Management
Report No. 2002-P-00006
FROM: Edward Densmore, Project Manager
Information Technology Audits Staff (2421)
TO:
Jim Makris, Director
Chemical Emergency Preparedness and Prevention Office (5104A)
Mark Day, Director
Office of Technology, Operations and Planning (2381)
Purpose
The objective of this audit was to review the release of Off-Site Consequence Analysis (OCA)
information that was not authorized for public disclosure on the Chemical Emergency
Preparedness and Prevention Office (CEPPO) website and determine the adequacy of controls
over the collection, maintenance, and dissemination of OCA data. OCA information is used to
help prevent chemical accidents, and provide an estimate of the potential consequences to a
surrounding community of one or more hypothetical accidental chemical releases.
Background
CEPPO provides leadership, advocacy, and assistance to: (1) prevent and prepare for chemical
emergencies; (2) respond to environmental crises; and (3) inform the public about chemical
hazards in their community. To protect human health and the environment, CEPPO develops,
implements, and coordinates regulatory and non-regulatory programs in partnership with all
Environmental Protection Agency (EPA) regions, domestic and international organizations in the
public and private sectors, and the general public.
-------�
In 1990, the Clean Air Act (Public Law 101-549) was amended in response to public concerns
about what could be done to prevent chemical accidents from occurring in their communities.
Regulations require industry to inform EPA and States on how they manage chemical risks and
what they are doing to reduce risk to the community. Certain facilities are required to submit a
Risk Management Plan (RMP) to EPA to document what they are doing to prevent accidents, and
how they plan to manage their chemicals and operate in a safe and responsible manner. RMPs
include facility registration information, OCA data, a 5-year accident history, and information on
prevention and emergency response programs.
A contractor (hereafter referred to as the database contractor) receives the RMPs and compiles
the information in the System for Risk Management Plans (SRMP). SRMP is an Oracle database
developed by a second contractor (hereafter referred to as the program contractor), and the
database is used to consolidate the RMPs. SRMP is comprised of six subsystems, including
RMP*Info™, which contains summaries of facility RMPs in 50 separate downloadable State
database files. These database files were made available to the public on EPA's website.
Public Law 106-40, the Chemical Safety Information, Site Security and Fuels Regulatory Relief
Act (CSISSFRRA), enacted on August 5, 1999, required that OCA information be made available
to authorized officials for emergency planning and response purposes. It included a provision to
exempt OCA information from public disclosure for one year from the Act's inception, or until
regulations were promulgated. EPA and the Department of Justice issued a rule in August 2000,
entitled Accidental Release Prevention Requirements; Risk Management Programs Under the
Clean Air Act Section 112(r)(7); Distribution of Off-Site Consequence Analysis Information,
authorizing some OCA data elements to be made public.
In April 2001, OCA information was made available in downloadable state database files from
CEPPO's website for the first time. However, the April 2001 files made some unauthorized
elements of OCA information available for download. A CEPPO official detected the error on
June 6, 2001, and took action to immediately have the information removed from the website. In
June 2001, the Director of CEPPO requested the Office of Inspector General to examine the
cause of the incident, the actions taken, and systemic changes necessary to prevent this type of an
event from reoccurring.
Scope and Methodology
This audit examined the incident involving the unauthorized OCA data being made available for
download on the CEPPO website. As part of our review, we examined CEPPO's oversight of the
contractors responsible for making programmatic changes to the RMP program and running the
SRMP. We also reviewed EPA's procedures to make information available on the website.
Finally, we examined the RMP*Info download logs from April 2001 through June 2001.
We conducted our audit fieldwork from July 2001 to December 2001 at EPA Headquarters in
Washington, DC. We interviewed CEPPO and Office of Environmental Information officials
within EPA, and contractor personnel responsible for programming and maintaining the SRMP.
2
-------�
Our review included identifying who downloaded information from the CEPPO website,
reviewing statements of work for the contractors, and the change control process for making
changes to the SRMP. In addition, we reviewed and analyzed policies, standards, and procedures
specifically related to the audit objectives. There was no prior audit coverage relating to the
CEPPO office or the SRMP. We conducted this audit in accordance with "Government Auditing
Standards", issued by the Comptroller General of the United States.
Results of Review
Unauthorized OCA information was inadvertently made available for download on the EPA
website from April to June 2001. As a result of this information being made available for
download on EPA's website, unauthorized individuals had access to sensitive OCA data. This
occurred due to a lack of management oversight over the software testing of program changes to
the SRMP. Specifically, CEPPO did not adequately oversee the database and program
contractors responsible for maintaining the SRMP system, and processing the RMPs submitted to
EPA.
Unauthorized Information Available on EPA's Website
OCA information, not authorized for public disclosure on the Internet, was unintentionally made
available for downloading on EPA's website from April to June 2001. The Clean Air Act requires
facilities to submit RMPs to EPA if they have specific toxic and/or flammable chemicals greater
than the established thresholds. The RMP information is received by the database contractor,
who inputs the RMP information into SRMP. This contractor then provides the consolidated
information to EPA, and the information is then made available for download from the website, as
required by CSISSFRRA.
The August 1999 enactment of CSISSFRRA exempted OCA information from disclosure under
the Freedom of Information Act, and limited public availability for at least one year. OCA data
could be made available to Federal, State, and local officials, including members of Local
Emergency Planning Committees, as well as qualified researchers. However, these individuals
were prohibited from releasing the OCA information to the public in the specific form of the
RMP. In August 2000, EPA and the Department of Justice jointly issued a rule stating that
portions of the OCA information (e.g., concentration of chemical released, duration of release,
wind speed, etc.) should be included on the Internet as publicly accessible information.
In April 2001, the program contractor provided the database contractor an upgrade to include the
OCA information in the downloadable files for the first time. The database contractor used the
upgrade to create the April 2001 release of downloadable files. The database contractor
provided the files to EPA, and they were made available for download on the website. However,
this release included some unauthorized elements of OCA information. Specifically, Alternative
Release Scenario information, such as the radius of the vulnerable zone and the estimated
population effected by the chemical release, were included. The subsequent releases in May and
June 2001 also included the unauthorized elements of OCA information.
3
-------�
As a result of this information being made available for download on EPA's website, unauthorized
individuals had access to sensitive OCA information. Specifically, OCA information provides a
general account of the consequences of a chemical release in terms of the damage that might be
inflicted on a facility's surrounding community. This includes a rough sketch of what is involved
in triggering a release from an RMP facility, including the name of the chemical involved, the
projected quantity of chemical released, and the duration of the release. In addition, a map or
graphic of the alternative release scenario, may be included. This information could be used by
terrorist organizations to identify and prioritize target facilities that would have the greatest
catastrophic impact.
Improvements Needed in Oversight of Software Testing
CEPPO management did not ensure that adequate testing was performed for program changes to
the RMP database. The CEPPO project manager stated that prior to the incident, testing and
quality assurance were performed by the database contractor for the input of data, not for the
output. CEPPO personnel, as well as the database contractor, did not pay close enough attention
to the RMP downloads to determine whether the data was sensitive. They became too
comfortable with the work of the program contractor because of the high quality and reliability of
prior software changes. Consequently, testing performed by the program contractor responsible
for making changes to the SRMP was not adequately reviewed by CEPPO to ensure the data
fields reflected information authorized for release.
We found testing was performed using only six test RMPs that were internally generated by the
program contractor for testing software changes. The SRMP, which is designed to maintain
thousands of RMPs and allow for various queries of all compiled data, should have been tested
with a larger sample. Also, the contractor did not test for the differentiation of the fields for
public and non-public OCA data. CEPPO did not identify this as a potential deficiency with the
testing. The program contractor stated they did not test for these differentiations, nor focus close
enough attention to the potential for unauthorized OCA data being disclosed.
Actions Taken By CEPPO
On June 6, 2001, a CEPPO official identified that unauthorized information was available for
download from the EPA website, and immediately notified both the program and database
contractors. Within a few hours, the program contractor delivered to the database contractor two
programs. One program was to correct the problem; the second was to monitor and ensure
unauthorized OCA data would not be viewable to the general public once the RMP databases
were again made available on EPA's website. Since the discovery of the unauthorized OCA
information, CEPPO implemented new practices to ensure sensitive data will not be erroneously
released. Specifically, CEPPO personnel now closely review the RMP database output to ensure
only authorized public information is released. In addition, CEPPO wrote programs that they run
against the RMP downloads to ensure unauthorized OCA data is not included on EPA's website.
Actions Taken by Contractors
4
-------�
The program contractor now requires peer reviews and more thorough levels of testing
throughout the project life cycle. The database contractor's procedures now include testing of
input, as well as ensuring unauthorized OCA data is not included in the releases provided to EPA.
The database contractor also runs a program that reviews the RMP databases to ensure only
information that should be disclosed through EPA's website is accessible. Finally, the database
contractor manually reviews at least five records before the data is released to EPA.
Recommendations
We recommend the Director of the Chemical Emergency Preparedness and Prevention Office:
1. Establish a policy requiring that the downloadable database files are reviewed to
ensure only authorized elements of OCA data are made available to the public.
2. Require current and future RMP database outputs be reviewed to ensure only
authorized public information is released.
3. Establish requirements for testing SRMP programing changes to:
a. Include steps to ensure OCA information, not authorized for public disclosure on
the Internet, is not made available for download.
b. Verify that adequate testing of changes for the SRMP database are performed
and documented.
EPA Response
The March 19, 2002, response from the Office of Solid Waste and Emergency Response
(OSWER) indicated that CEPPO agrees with the above-stated recommendations (see Attachment
1). Specifically, CEPPO completed modifications to the SRMP, to ensure protection of OCA
information. The software development contractor performed extensive testing on these
modifications, and the controls CEPPO instituted will remain a permanent part of the operating
procedures. The CEPPO project manager verifies that adequate testing of changes to the SRMP
database has been performed and documented. Finally, CEPPO will provide actual OCA data to
the development contractor for testing system modifications.
The Office of Technology Operations and Planning (OTOP) responded to the draft report on
March 14, 2002, and had no comments (see Attachment 2).
5
-------�
OIG Evaluation
6
-------�
In our opinion, the actions taken by CEPPO will assist in safeguarding non-public OCA
information from public disclosure. The modifications made to the SRMP eliminates the
'placeholders' for non-public OCA data in the files made available for download. However,
CEPPO needs to ensure, when future modifications are made to the SRMP, only public OCA
information is released. CEPPO should establish a policy requiring downloadable files to be
reviewed to confirm only OCA information suitable for public disclosure is made available. In
addition, while we agree with the actions taken by CEPPO project management to verify testing
has been performed and documented, requirements need to be established to ensure verification
and documentation of testing will continue.
Action Required
This audit report contains findings that describe problems the OIG has identified and corrective
actions the OIG recommends. This audit report represents the opinion of the OIG and the
findings contained in this audit report do not necessarily represent the final EPA position. Final
determinations on matters in this audit report will be made by EPA managers in accordance with
established audit resolution procedures.
In accordance with EPA Order 2750, you, as the action official, are required to provide us with a
written response to the audit report within 90 days of the final audit report date. For corrective
actions planned but not completed by the response date, reference to specific milestone dates will
assist us in deciding whether to close this report.
We appreciate your positive response to the recommendations presented in the report and the
actions you and your staff have taken to ensure security over the release of OCA data. We have
no objections to the further release of this report to the public. Should you or your staff have any
questions regarding this report, please contact Kelli Cooper, Auditor-In-Charge, at
(202) 260-8981.
Attachments
cc: Kathy Jones, Associate Director of Program Implementation and Coordination Staff
Peter Gattuso, Information Management Specialist
Dorothy McManus, Program Analyst
7
-------�
Attachment 1
OSWER Comments to Draft Report
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON. D.C. 20460
MAR 1 9 2002
OFFICE OF
SOLID WASTE AND EMERGENCY
RESPONSE
MEMORANDUM
SUBJECT: Response to OIG Draft Report "Review of Off-Site Consequences
Analysis Information Management Audit Number 2001-001308
FROM:
Marianne Lamont Horink
Assistant Administrator
TO:
Edward Densmore, IT Audit Manager
Information Technology Audits Staff (2421)
We have reviewed the subject draft report, and we have no additional comments
regarding the factual accuracy of the report. However, in response to the recommendations, we
have taken the following corrective actions.
OIG Recommendation
Establish a policy requiring that the downloadable database files are reviewed to ensure
only authorized elements of Off-Site Consequence Analysis (OCA) data are made available to
the public.
OSWER Response
The Chemical Emergency Preparedness and Prevention Office (CEPPO) has completed
modifications to its Systems for Risk Management Plans (SRMP) that will ensure protection of
OCA information. Specifically, after the accidental posting of download files, including OCA
data last June, CEPPO proposed the elimination of the placeholders or slots for non-public OCA
in those files that could be distributed to the public. This change makes it impossible for non-
public OCA data to be released in those files. These database and software changes were
completed and put into production for the Risk Management Plan (RMP) files we received in
February, 2002.
The software development contractor performed extensive testing to ensure that our
enhanced requirements were folly met. In addition, the redundant checks that we instituted at the
Reporting Center remain in place as a permanent part of the operating procedures. As a final
Internet Address (URL) • http://www,epa.gov
Recycled/Recyclable * Printed with Vegetable Oil Based Inks on Recycled Paper (Minimum 30% Postconsumer)
8
-------�
Attachment 1
-2-
step, CEPPO project managers will confirm that the non-public OCA slots are indeed no longer
part of the data files.
OlG Recommendation
Require current and future RMP database outputs be reviewed to ensure only authorized
public information is released.
OSWER Response
As indicated above, the Reporting Center is required to perform a number of redundant
checks as part of their normal operating procedures. Additionally, CEPPO confirms that RMP
database outputs do not include the non-public OCA data. Since September 11th, CEPPO has
not posted download files on the Internet.
OIG Recommendation
Establish requirements for testing SRMP programming changes to:
a. Include steps to ensure OCA information, not authorized for
public disclosure on the Internet, is not made available for download; and
b. Verify that adequate testing of changes for the SRMP database are
performed and documented.
OSWER Response
The software development contractor has always been required to provide extensive
testing. To ensure that changes involving OCA data are appropriately tested, CEPPO will now
provide actual OCA data to the development contractor to ensure optimum testing. Prior to
implementing these programming changes, the CEPPO project manager will verify that the
testing has been performed and documented.
If you have any questions regarding this response, please contact Kathy Jones at
(202) 564-8353 or Johnsie Webster, OSWER Audit Liaison, at (202) 260-4475.
9
-------�
Attachment 2
OTOP Comments to Draft Report
% UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
? WASHINGTON, D C 20460
PRO^fc
MAR ! A 2Q02
OFFICE OF
ENVIRONMENTAL INFORMATION
MEMORANDUM
SUBJECT: Review of Off-Site Consequence Analysis Information Management
FROM: Mark Day, Director ^3 '•)' /j £
Office of Technologytjperations and Planning
TO: Patricia Hill, Director
IT Audits Staff
We appreciate the opportunity to review and comment on the Draft Office of Inspector
General Report, "Review of Off-Site Consequence Analysis Information Management."
The Office of Technology Operations and Planning has reviewed the report and has no
comments.
cc: Kelli Cooper
Ed Densmore
Martin Bardak
internet Address (1 JR!_;« http/.'www.epa.gov
Recycled^Recyclabls ~ f'nnfod with Vegratnhk.- nil R -i i -i,- rPriper ^Minimum 30% PosJconsun^r)
10
-------�
Report Distribution
Attachment 3
Office of Inspector General
Inspector General (2410)
Headquarters Offices
Assistant Administrator, OSWER (5101)
Director, CEPPO (5104A)
Director, OTOP (2381)
Comptroller (2731 A)
Agency Followup Official (2710A)
Audit Liaison, OSWER (5103)
Audit Liaison, OEI (2811R)
Agency Audit Followup Coordinator (2724A)
Associate Administrator for Congressional and Intergovernmental Relations (1301 A)
Associate Administrator for Communications, Education, and Media Relations (1101 A)
11
-------� |