**«60srx
* A \
I U.S. ENVIRONMENTAL PROTECTION AGENCY
\PRO/ OFFICE OF INSPECTOR GENERAL
EPA Management
Challenges
18-N-0174
MayS, 2018
-------�
Abbreviations
EPA
U.S. Environmental Protection Agency
FTE
Full-Time Equivalent
FY
Fiscal Year
GAO
U.S. Government Accountability Office
OIG
Office of Inspector General
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
U.S. Environmental Protection Agency 18-N-0174
U \ Office of Inspector General
32a
£ \ Office of Inspector General Mays, 2018
At a Glance
What Are Management
Challenges?
According to the Government
Performance and Results Act
Modernization Act of 2010,
major management challenges
are programs or management
functions, within or across
agencies, that have greater
vulnerability to waste, fraud,
abuse and mismanagement,
where a failure to perform well
could seriously affect the ability
of an agency or the federal
government to achieve its
mission or goals.
As required by the Reports
Consolidation Act of 2000,
we are providing issues we
consider as the U.S.
Environmental Protection
Agency's (EPA's) major
management challenges for
fiscal year 2018.
EPA's Fiscal Year 2018 Management Challenges
What We Found
Attention to agency management challenges could result in program
improvements and protection for the public, and increased confidence in
management integrity and accountability.
The EPA Needs to Improve Oversight of States, Territories and Tribes
Authorized to Accomplish Environmental Goals:
• The EPA has made important progress, but our work continues to identify
challenges throughout agency programs and regions, and many of our
recommendations are still not fully implemented.
The EPA Needs to Improve Its Workload Analysis to Accomplish Its Mission
Efficiently and Effectively:
• The EPA needs to identify its workload needs so that it can more effectively
prioritize and allocate limited resources to accomplish its work.
The EPA Needs to Enhance Information Technology Security to Combat Cyber
Threats:
• Though the EPA continues to initiate actions to further strengthen or improve
its information security program, the agency lacks a holistic approach to
managing accountability over its contractors and lacks follow-up on corrective
actions taken.
The EPA Needs to Improve on Fulfilling Mandated Reporting Requirements:
• The agency faces challenges in tracking and submitting reports mandated by
law that contain key program information for Congress, the EPA Administrator
and the public.
The EPA Needs Improved Data Quality for Program Performance and Decision-
Send all inquiries to our public Making*
affairs office at (202) 566-2391
or visit www.epa.gov/oig. • Poor data quality negatively impacts the EPA's effectiveness in overseeing
programs that directly impact public health.
Listing of OIG reports.
-------�
^tDsrx
£ \ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
| W 1 WASHINGTON, D.C. 20460
the inspector general
PRO^&
May 8, 2018
MEMORANDUM
SUBJECT: EPA's Fiscal Year 2018 Management Challenges
Report No. 18-N-0174
FROM: Arthur A. Elkins Jr.
TO: Scott Pruitt, Administrator
We are providing you with a list of areas that the Office of Inspector General (OIG) considers as major
management challenges confronting the U.S. Environmental Protection Agency (EPA). The project
number for this report was OPE-FY18-0101. According to the Government Performance and Results
Act Modernization Act of 2010, major challenges are programs or management functions, within or
across agencies, that have greater vulnerability to waste, fraud, abuse and mismanagement, where a
failure to perform well could seriously affect the ability of an agency or the federal government to
achieve its mission or goals.
The Inspector General Act of 1978, as amended, directs Inspectors General to provide leadership to
agencies through audits, evaluations and investigations, as well as additional analysis of agency
operations. The enclosed management challenges reflect findings and themes resulting from many such
efforts. Drawing high-level agency attention to these key issues is an essential component of the OIG's
mission.
The Reports Consolidation Act of 2000 requires our office to annually report what we consider the most
serious management and performance challenges facing the agency. Additional challenges may exist in
areas that we have not yet reviewed, and other significant findings could result from additional work.
The attachment summarizes what we consider to be the most serious management and performance
challenges facing the agency, and assesses the agency's progress in addressing those challenges.
Challenges
Page
The EPA Needs to Improve Oversight of States, Territories and Tribes Authorized to
Accomplish Environmental Goals
1
The EPA Needs to Improve Its Workload Analysis to Accomplish Its Mission Efficiently
and Effectively
6
The EPA Needs to Enhance Information Technology Security to Combat Cyber Threats
11
The EPA Needs to Improve on Fulfilling Mandated Reporting Requirements
17
The EPA Needs Improved Data Quality for Program Performance and Decision-Making
20
-------�
Like the U.S. Government Accountability Office does with its High-Risk List, each year we assess the
agency's efforts against the following five criteria required to justify removal of management challenges
from the prior year's list:
1. Demonstrated top leadership commitment.
2. Agency capacity - people and resources to reduce risks, and processes for reporting and
accountability.
3. Corrective action plan - analysis identifying root causes, targeted plans to address root causes,
and solutions.
4. Monitoring efforts - established performance measures and data collection/analysis.
5. Demonstrated progress - evidence of implemented corrective actions and appropriate
adjustments to action plans based on data.
The U.S. Government Accountability Office's 2017 High-Risk Series report describes these five criteria
as a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the
criteria leads to progress, while satisfying all of the criteria is central to removal from the list.
This year, we retained three management challenges from last year's report due to persistent issues, and
added two issues (mandated reporting requirements and improved data quality).
We will post this report to our website at www.epa.gov/oig. We welcome the opportunity to discuss our
list of challenges and any comments you or your staff might have.
Attachment
-------�
CHALLENGE: The EPA Needs to Improve Oversight of States,
Territories and Tribes Authorized to Accomplish Environmental Goals
CHALLENGE FOR THE AGENCY
Over the past 10 years both the U.S. Environmental Protection
Agency's (EPA's) Office of Inspector General (OIG) and the
U.S. Government Accountability Office (GAO) have consistently
found that the EPA needs to improve its oversight of states,
territories and tribes that have authority (or "delegated authority")
to implement environmental programs and enforce environmental
laws. The agency has improved its oversight and addressed
deficiencies. However, our recent audits indicate this remains a
management challenge.
BACKGROUND
To accomplish its mission, the EPA develops regulations and establishes programs to implement
environmental laws. The EPA can delegate this authority to states, territories and tribes. Delegation
occurs after the EPA determines the governmental entity has the legal authority and capacity to
operate an environmental protection and enforcement program consistent with federal standards. The
EPA then performs oversight to provide reasonable assurance that human health and the environment
are being protected. The EPA has to monitor delegated programs to determine whether they continue
to meet federal standards and verify that federal funds help achieve environmental protection goals.
The EPA relies on states, territories and tribes with delegated authority to obtain environmental data
and implement compliance and enforcement programs. According to the Environmental Council of
States, states have assumed more than 96 percent of the delegable authorities under federal law. The
table below summarizes the extent that environmental authorities are delegated by the EPA.
Delegated environmental authorities
Federal law and federal programs
delegated by the EPA
States with
delegated
authority
Territories with
delegated
authority
Tribes with
delegated
authority
• Clean Air Act
• Title V
50
5
1
• Clean Water Act
• National Pollutant Discharge Elimination System
46
1
0
• Resource Conservation and Recovery Act
• Hazardous Waste Program1
48
1
0
• Safe Drinking Water Act
• Public Water Supply Supervision Program
49
5
1
Source: OIG analysis.
1 The District of Columbia implements a Hazardous Waste Program under the Resource Conservation and Recovery Act.
18-N-0174 1
-------�
Even though the states, territories and tribes implement these human health and environmental
protection programs, the EPA retains authority to enforce environmental laws. Headquarters and
regional staff perform a variety of formal and informal oversight activities but those activities are not
always consistently implemented, leading to differences in the effectiveness of delegated programs
and results from those programs.
THE AGENCY'S PROGRESS
We first reported this management challenge in fiscal year (FY) 2008. Since then, the EPA has
reviewed some of the inconsistencies in its oversight of state, territorial and tribal programs. The
agency has also used its enforcement authorities when states, territories or tribes did not use their
delegated authority to protect human health and the environment. The EPA continues to develop and
implement policies to improve consistency in its oversight of delegated programs.
Strategic Planning and Agency Emphasis on Oversight
The agency's new strategic plan, issued in February 2018, emphasizes oversight of delegated
programs as an area of focus. The FYs 2018-2022 Strategic Plan outlines three agency goals:
1) Core Mission: Deliver real results to provide Americans with clean air, land, and water, and
ensure chemical safety.
2) Cooperative Federalism: Rebalance the power between Washington and the states to create
tangible environmental results for the American people.
3) Rule of Law and Process: Administer the law, as Congress intended, to refocus the agency on
its statutory obligations under the law.
The strategic plan seeks to transform how the agency conducts business by refocusing the EPA on its
role of supporting the states, territories and tribes in implementing environmental programs.
Oversight is essential to each of the three goals. For instance:
• Under Goal 1 (Core Mission), the agency's approval of state/tribal implementation plans,
approval of vehicle and engine emission certification applications, and compliance actions in
cases of noncompliance are examples of oversight functions the EPA will perform to fulfill one
of its core missions—to improve air quality.
• Goal 2 (Cooperative Federalism) reiterates the importance of the EPA's role and, in cases of
delegated programs, the relationship between the EPA and states, tribes or territories as
co-regulators to protect public health and the environment. This includes oversight by the EPA
that is efficient, effective and within its statutory responsibilities.
• Goal 3 (Rule of Law and Process) focuses on the agency's implementation of the rule of law and
process as it administers the various environmental laws Congress has charged to the EPA. In
doing so, the plan calls for the agency to work with states, tribes and territories to ensure
compliance with the law and establish consistency and certainty for the regulated community.
18-N-0174
2
-------�
Agency Actions to Improve Oversight
In August 2016, the EPA released "Promoting Environmental Program Health and Integrity: Principles
and Best Practices for Oversight of State Permitting Programs," for the agency and states to use to
enhance the efficiency and effectiveness of the oversight system. The document states it was
developed to "deliver on a commitment in the EPA's cross-agency strategy to launch a new era of
state, tribal, local and international partnerships and to help respond to recommendations for
strengthening oversight from the EPA's Office of Inspector General." This strategy is the result of the
efforts of the State Program Health and Integrity Workgroup. This interagency workgroup is composed
of the EPA's national program offices for air, enforcement and water, as well as states and media
associations. The workgroup gathers and analyzes information on oversight of state practices,
identifies gaps, and develops solutions.
Region 1 improved accountability in the performance partnership grant process. According to the
agency's Office of Water 2017 Federal Managers' Financial Integrity Act assurance letter, Region 1
strengthened the oversight process for performance partnership grants by enhancing the level of detail
and documentation required in the states' reports, routing the annual report to all EPA technical
contacts through the use of a SharePoint site, and engaging the participation of EPA senior
programmatic managers.
EPA program offices and regions have responded to OIG report recommendations by implementing
corrective actions to improve its oversight activities:
• In a June 2016 report (16-P-0217), on the EPA's financial oversight of Superfund state contracts,
we found that the EPA incurred total obligations and expenditures in excess of the authorized
cost ceiling for 51 of the 504 active and closed contracts; did not perform timely, complete and
accurate financial closings for 20 such contracts to ensure that both the EPA and the state had
satisfied their cost share requirement; and did not have all the up-to-date information needed
for an accurate Superfund state contract accrual calculation. The agency completed corrective
actions to address the report recommendations.
• In a September 2015 early warning report (15-P-0298), we recommended that Region 9
withhold $8,787,000 for the Hawaii Drinking Water State Revolving Fund capitalization grant
until the region is satisfied with progress on implementing the corrective action plan. After
being briefed on our report, EPA Region 9 initiated an enforcement action against the Hawaii
Department of Health for not meeting its loan commitment and disbursement targets. Region 9
advised Hawaii that the FY 2015 Drinking Water State Revolving Fund capitalization grant would
be withheld and the region may withhold further awards.
• In response to a February 2015 quick reaction report (15-P-0099), the EPA completed all
corrective actions to address findings that Region 8 was not conducting inspections at
establishments in North Dakota that produce pesticides, or inspections of pesticides imported
into the state. The EPA initiated inspections, developed a multi-year plan for future inspections,
compiled a list of the inspections conducted annually for Region 8's North Dakota end-of-year
report, and reviewed the end-of year report to confirm that inspections have been initiated.
18-N-0174
3
-------�
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required to
justify removal: (1) agency capacity, (2) a corrective action plan and (3) monitoring efforts. EPA
leadership needs to demonstrate an organizational commitment to correcting problems with the
agency's oversight of key state, territorial and tribal programs designed to protect human health and the
environment. To demonstrate this commitment, the agency should show it has the proper people,
resources and processes, and has developed a framework for addressing oversight issues. The agency
also needs to develop a system for monitoring state, tribal and territorial oversight effectiveness so that
it can consistently work toward demonstrating its progress in correcting this management challenge
across all program offices. Our recent reports indicate oversight challenges in many EPA programs:
• In a February 2018 report (18-P-0079). we found that the EPA cannot ensure that its Federal
Insecticide, Fungicide, and Rodenticide Act cooperative agreement funding achieves agency
goals and reduces risks to human health and the environment from pesticide misuse. We made
recommendations to improve oversight. Corrective actions are pending.
• In a September 2017 report (17-P-0402), we found that EPA Region 2 needs to improve its
internal processes over Puerto Rico's assistance agreements. The region may have inefficiently
used over $217,000 in taxpayer funds, may need additional support for grant award decisions,
and may not have evidence that taxpayer funds have been properly used under two
cooperative agreements. Corrective actions are pending.
• In an April 2017 report (17-P-0174), we found that while most states and some tribes have fish
advisories in place, this information is often confusing, complex, and does not effectively reach
appropriate segments of the population. Under the Clean Water Act, the EPA can take a
stronger leadership role in working with states and tribes to ensure that effective fish advisory
information reaches all such segments of the population. Corrective actions are pending.
• In an October 2016 management alert (17-P-0004), we found that EPA Region 5 had the
authority and sufficient information to issue a Safe Drinking Water Act Section 1431 emergency
order to protect residents in Flint, Michigan, from lead-contaminated water as early as
June 2015. Corrective actions are pending.
• In a May 2016 report (16-P-0166), we found that EPA Region 9 needed improved internal
controls for oversight of Guam's consolidated cooperative agreements. Without adequate
internal controls and oversight, more than $67 million in consolidated cooperative agreement
funds may not have been administered efficiently and effectively. Corrective actions are pending.
• In March 2016 (16-P-0108), we reported that EPA efforts to bring small drinking water systems
into compliance through enforcement and compliance assistance resulted in some
improvement over time. However, across EPA Regions 2, 6 and 7, we found inconsistencies in
adherence to the EPA's Enforcement Response Policy. Corrective actions are pending.
18-N-0174
4
-------�
• In an April 2015 report (15-P-0137), we found that the U.S. Virgin Islands did not meet program
requirements for numerous activities related to implementing Clean Air Act, Clean Water Act,
Safe Drinking Water Act and Underground Storage Tank/Leaking Underground Storage Tank
programs. Corrective actions are pending.
In addition to EPA OIG findings about oversight of delegated authority, the GAO has also conducted a
series of audits related to state issues. A few examples follow:
• In a September 2017 report (GAO-17-424), the GAO reported that the EPA does not have
nationwide information about lead infrastructure because the lead and copper rule does not
require states to provide the agency with information on the whereabouts of lead pipe lines.
The GAO recommended that the EPA require states to report information about lead pipes as
well as all 90th percentile sample results for small water systems. The GAO further
recommended that states develop a statistical analysis to identify water systems that might
pose a greater likelihood for lead and copper rule violations.
• In a February 2016 report (GAO-16-281), the GAO reported that the EPA had not collected
necessary information or conducted oversight activities to determine whether state and
EPA-managed Underground Injection Control class II programs were protecting underground
sources of drinking water. Some of the recommendations from the GAO were that the EPA
require programs to report well-specific inspections data, clarify guidance on enforcement
data reporting, and analyze the resources needed to oversee programs.
• In an August 2015 report (GAO-15-567), the GAO found that financial indicators collected by
the EPA as part of its oversight responsibilities did not show states' abilities to sustain their
Clean Water and Drinking Water State Revolving Funds. The GAO recommended that the EPA
update its financial indicator guidance to include measures for identifying the growth of the
states' funds. The GAO also recommended that, during the reviews, the EPA develop
projections of state programs by predicting the future lending capacity.
• In a May 2012 report (GAO-12-335), the GAO reported that the 2013 Clean Water Act
Section 319 oversight guidance was not sufficient. The GAO also found that the agency did
not make changes to the Section 319 program measures of effectiveness, as recommended
by the GAO.
While there has been progress in improving agency oversight of delegated programs, the audit
community continues to identify ways in which the EPA can make further improvements. We maintain
this as a management challenge for FY 2018 and will continue to conduct reviews of the EPA's
oversight of delegated programs.
18-N-0174
5
-------�
CHALLENGE: The EPA Needs to Improve Its Workload Analysis to
Accomplish Its Mission Efficiently and Effectively
CHALLENGE FOR THE AGENCY
The EPA has riot incorporated workload
analysis into its resource allocations despite
years of reporting by the EPA OIG and GAO.
The EPA has not fully implemented controls
and a methodology to determine workforce
levels based upon analysis of the agency's
workload. The EPA's ability to assess its
workload—and subsequently estimate workforce levels necessary to carry out that workload —
is critically important to mission accomplishment. Due to the broad implications for accomplishing the
EPA's mission, we have included this as an agency management challenge since 2012.
BACKGROUND
Over the past 22 years, the EPA OIG and GAO have issued over 15 reports citing the need for the EPA
to implement workload analysis into its human resource distributions. In the 1980s, the EPA conducted
comprehensive workload analyses to determine appropriate workforce levels and each year, with
regional consensus, evaluated need and allocated its human resources accordingly. In 1987, the EPA
decided it would discontinue these analyses and instead focus on marginal changes to full-time
equivalent (FTE) distribution. The EPA has reported that it has done some limited workforce analyses in
the FY 2017 financial statements.
In 2010, we reported that the EPA did not have policies and procedures requiring that workforce levels
be determined based upon workload analysis. In 2011, we reported that the EPA does not require
program offices to collect and maintain workload data. Without such data, program offices are limited
in their ability to analyze their workload and justify resource needs. The GAO also reported in
October 2011 that the EPA's process for budgeting and allocating resources did not fully consider the
agency's current workload. As recently as 2017, the EPA OIG reported that the distribution of
Superfund PTEs among EPA regions did not support the current regional workload. The GAO has also
reported on the EPA's workload concerns and issued eight reports between 2000 and 2018.
Since 2005, EPA offices have studied workload issues at least six different times, spending nearly
$3 million for various contractors to study the issues. However, for the most part, the EPA has not used
the findings resulting from these studies. According to the EPA, the results and recommendations from
the completed studies were generally not feasible to implement.
Over the last decade, the EPA's workforce levels have declined by 2,500 positions (including losses due
to early-outs and buyouts in 2014 and 2017). Without a clear understanding of its workload, it is
unclear whether this decline jeopardizes the EPA's ability to meet its statutory requirements and
18-N-0174
6
-------�
overall mission to protect human health and the environment, or if the decline represents a natural
and justifiable progression, because the EPA has completed major regulations implementing
environmental statutes and states have assumed primacy over most media programs.
THE AGENCY'S PROGRESS
The agency has not adopted an overall plan to address workforce analysis, but has initiated some
pilots and surveys to address the issue.
In 2013, we conducted a follow-up (13-P-0366) on actions the EPA has taken to address previous
OIG recommendations. We found that the EPA:
• Initiated pilot projects in Regions 1 and 6 to analyze the workload for air State Implementation
Plans and permits, as well as water grants and permits.
• Surveyed numerous front-line agency managers on the functions performed, thereby creating
an inventory of common functions among program offices.
• Through the Office of the Chief Financial Officer, consulted with 23 other federal agencies
about their workload methodologies. As a result of that analysis, the EPA selected an approach
referred to as the "Table Top" method used by the U.S. Coast Guard, designed to use subject
matter experts and actual data to provide estimates of workload. The Table Top approach
provides flexibility in implementation, which allows for differences in organizational functions
and workloads rather than attempting to fit all regions and programs into a one-size-fits-all
approach. The EPA has conducted limited testing on this approach within two program areas-
grants and Superfund Cost Recovery. According to EPA officials, while the methodology appears
promising for grants, it became overly complicated for Superfund Cost Recovery.
During 2014, the EPA continued to test the workload model in other areas, including:
• Working with Grant Project Officers to evaluate and try to balance uneven workloads.
• Developing a Project Officer Estimator Tool for organizations to examine Project Officer
workloads.
• Working with Grants Specialists to refine the Interagency & Grants Estimator Tool.
• Submitting a Draft Funds Control Manual to the Office of Management and Budget, and
receiving and incorporating the Office of Management and Budget's comments.
In January 2016, the EPA issued a draft Funds Control Manual. The manual is intended to fulfill the
EPA's corrective actions for several unimplemented recommendations from prior OIG reports on
workload analysis. The manual highlights several tools the EPA has developed to help programs
examine and understand connections between hours of work (or FTEs) and specific tasks, products,
results or outcomes. The EPA says that the tools are designed to complement existing financial, budget
18-N-0174
7
-------�
and program information that organizations already track and use. As of February 2018, the EPA's draft
Funds Control Manual was still awaiting Office of Management and Budget approval. Once
implemented, the Funds Control Manual will meet the intent of unimplemented recommendations
from two EPA OIG reports.
In a July 2016 report (16-P-0002). we reported that Grants Specialists in Regions 4 and 5 indicated that
workload was the reason administrative baseline monitoring reviews were not completed or were not
completed timely. We recommended that the agency develop and implement a plan to complete
administrative baseline monitoring reviews as required by scheduling reviews around workload peaks.
The EPA's Office of Administration and Resources Management reported implementing a new baseline
monitoring approach in October 2017 to have Project Officers obtain information from Grants
Specialists regarding indirect costs, disadvantaged business enterprise and single audits, to incorporate
in the baseline monitoring review preparations.
In the FY 2017 Agency Financial Report, the EPA responded:
As acknowledged by OIG, there are inherent difficulties in applying workload analyses
for the highly variable, multi-year, and non-linear activities that comprise most of the
EPA's work. These difficulties limit the utility of detailed FTE-based workload analyses
for broader agency program estimates. For example, during the FY 2016 budget process,
the agency examined broad workload trends as a basis to move resources to address
major challenges. In each specific area, agency senior management considered longer-
term trends and overall staffing rather than individual tasks and portions of FTEs, such
as increased programmatic requirements. As a result, in its FY 2016 President's Budget
proposal, the agency requested and received additional FTE for these programs. In
FY 2016, Congress passed additional Toxic Substances Control Act (TSCA) fees legislation
and for FY 2016, FY 2017 and moving forward, the agency is examining fee-associated
workload.
The agency's strategy is to find the best value to be derived from detailed workload
analysis. Rather than detailed FTE models, the EPA focused workload analyses on
current operations. The agency found that detailed FTE models created a sense of false
precision, quickly became out-of-date due to changing regulations, requirements and
systems, and were overly sensitive to relatively small changes in the input. Reflecting on
this experience, the workload analysis guidance that the EPA added to the Funds
Control Manual (per the IG's recommendation) provides information about several
types of workload analyses rather than solely discussing FTE workload models. Instead,
the guidance discusses several workload tools that EPA programs can use to help
manage their program operations and resources.
Over the last few years, the EPA workload analyses examined task-driven functions,
focusing on understanding how much time managers and staff invest in each function's
major tasks. The analyses helped the EPA identify major challenges and opportunities,
target streamlining and Lean efforts, clarify guidance, prioritize training, and structure
18-N-0174
8
-------�
other support efforts and initiatives. Analyses included: grants and interagency
agreement officers; project officers; IT security officers; Funds Control Officers; and fee-
related duties.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required to
justify removal: (1) agency capacity, (2) a corrective action plan and (3) monitoring efforts. Regarding
each of these three points:
1. The EPA has not developed and implemented a definitive workload analysis system. The EPA
needs to more broadly quantify what its full workload entails so that it can more effectively
prioritize and allocate available resources to accomplish agency work. The EPA's ability to
assess its workload and estimate workforce levels necessary to carry out that workload is
critical to mission accomplishment.
2. EPA offices have not conducted a systematic workload analysis or identified workforce needs
for budget justification purposes; such analysis is critically important to mission
accomplishment. The EPA currently plans to apply workload analysis tools to task-driven agency
functions, such as grants and contracts. While we understand the difficulty in applying such
tools to the EPA's highly variable and non-linear activities, the EPA still needs to more broadly
quantify what its full workload entails so that it can more effectively prioritize and allocate
limited resources to accomplish agency work.
3. The OIG and GAO have recently reported the following workload issues:
• In 2015, the EPA awarded roughly $3.9 billion (about 49 percent of its budget) in grants
to states, local governments, tribes and other recipients. These grants supported such
activities as repairing aging water infrastructure, cleaning up hazardous waste sites,
improving air quality and preventing pollution. In its January 2017 report ( ),
the GAO concluded that the EPA's ability to manage this portfolio depended primarily
on grant specialists and project officers, but the agency did not have the information it
needed to allocate grants management resources in an effective and efficient manner.
In addition, the EPA had not identified project officer critical skills and competencies or
monitored its recruitment and retention efforts for grant specialists. The GAO
recommended that the EPA develop documented processes that could be consistently
applied by EPA offices to collect and analyze data about grants management workloads,
and use the data to inform staff allocation. The GAO also recommended that the EPA
review project officer critical skills and competencies and determine training needs to
address gaps, develop recruitment and retention performance measures, and collect
performance data for these measures. The EPA agreed with the five recommendations;
four of the corrective actions are still pending.
18-N-0174
9
-------�
• In a September 2017 EPA OIG report (17-P-0397). we noted that the distribution of
Superfund FTEs among EPA regions did not support current regional workloads. As a
result, some regions had to prioritize work and slow down, discontinue or not start
cleanup work due to lack of personnel. In a survey of EPA regions, six of 10 regions said
they were not able to start, or had to discontinue, work due to lack of FTEs, which could
impede efforts to protect human health and the environment. The agency agreed with
our recommendations, including to implement a national prioritization of Superfund
sites and regularly distribute regional FTEs according to the national prioritization. The
corrective actions are pending.
We will continue to monitor agency progress through this and other ongoing work.
18-N-0174
10
-------�
CHALLENGE: The EPA Needs to Enhance Information Technology
Security to Combat Cyber Threats
CHALLENGE FOR THE AGENCY
The EPA continues to face a management challenge in
implementing a vigorous cybersecurity program that
strengthens its network defenses and data security in a
time of ever-increasing threats to federal government
networks. The recent 2017 global cyberattack that spread
across 150 countries as a result of stolen government
hacking tools, used to compromise misconfigured
computers for a ransom, highlights the myriad of
challenges the EPA faces to protect its network.
Despite progress, recent audits highlight that the need to
fully implement information security throughout the EPA
still requires continued senior-level emphasis. Most notably, the EPA relies heavily on contractor
personnel to implement and manage the configurations and operations of agency-networked resources.
However, the EPA lacks processes for verifying that contractors who play a key role in agency operations
have the training required to fulfill their responsibilities, or have completed the required background
investigations for contractor personnel in high-risk positions with information security responsibilities.
A recent audit noted that the EPA's ability to protect its network is hampered by its inability to
implement a process to maintain an up-to-date inventory of hardware assets connected to the
agency's network. Further, continued management emphasis is required on resolving audit findings
citing the need to improve the effectiveness and efficiency of the agency's computer network
operations and address emerging challenges for the agency in managing contractors who provide
critical support for agency systems.
BACKGROUND
Protecting the EPA's network and data is as important today as it was in 2001 when we first reported
this issue as a management challenge. Securing networks that connect to the internet is increasingly
more challenging, with sophisticated attacks taking place that affect all interconnected parties,
including federal networks. In 2017, there were several high-profile cybersecurity incidents that
undermined the public's confidence in information security and the measures employed to protect
people's data. This included incidents at industry-leading companies, such as:
• Equifax, where cybercriminals penetrated the company's network and stole the personal data
of 145 million people.
• Yahoo, where cybercriminals hacked all of the company's 3 billion accounts, and the company
acknowledged the attack could have occurred almost 4 years before the company announced it.
Cybersecurity
Framework
Identify
Recoye
18-N-0174
11
-------�
Compromise of data networks extends beyond private industry firms; similar attacks have emphasized
the need for federal agencies to be vigilant in protecting their networks. The Office of Personnel
Management announced in 2015 that the agency experienced two separate but related cybersecurity
incidents that resulted in the loss of 21.5 million individuals' Social Security numbers, 5.6 million
fingerprints, and user names and passwords for applicants filling out background investigation forms
online. The Office of Personnel Management noted that cybercriminals stole the personnel data for
4.2 million current and former government employees. It is projected that these data breaches could
cost the tax payers between $133.3 to $329.8 million in response efforts.
To address these complex issues in protecting its network from cyberattack, the EPA has made
significant strides in developing a policy framework to enable information technology systems to
adhere to federal information security requirements. This includes developing an extensive policy and
procedure catalog of a significant portion of federal information security requirements, and making
them available to all its 24 headquarters and regional offices across the nation. However, the EPA
manages the implementation of this policy framework in a decentralized manner; recent audit and
investigative work indicates that insufficient oversight and reporting prevent the agency from realizing
a fully implemented information security program capable of effectively managing the remediation of
known and emerging security threats.
THE AGENCY'S PROGRESS
In response to our FY 2017 management challenge (17-N-0219), the EPA indicated that "The agency is
committed to protecting its information and technology assets. The EPA understands the prevalence
and complexity of the ever-growing cyber security attacks and is aware of the potential impact to the
Agency's mission if information assets are compromised." Further, the EPA noted that "It is developing
a process to train Contract Officer Representatives on their responsibilities for monitoring contractors
to ensure they meet specified EPA information security responsibilities." This includes taking the
following actions:
• Monitoring contractors who operate information systems on behalf of the EPA to ensure they
perform the mandated information security assessments.
• Ensuring that contractors with significant information security responsibilities complete
role-based training.
The EPA continues to initiate actions to further strengthen or improve its information security program.
However, our recent audit work continues to highlight that the EPA faces challenges in addressing
outstanding weaknesses within its information security program and in managing contractors who
provide key support in operating or managing systems on behalf of the agency. The EPA's Office of
Environmental Information is primarily responsible for information technology management.
Our FY 2017 annual audit of the EPA's information security program (17-P-0044) disclosed that more
work is needed by the agency to achieve managed and measurable information security functions to
manage cybersecurity risks. In this regard, the EPA's information security program was not graded as
18-N-0174
12
-------�
effective for any of the Cybersecurity Framework Security Functions defined by the National Institute
of Standards and Technology. The table below summarizes the areas where significant management
emphasis is needed for the EPA to obtain an effective rating of its information security program:
Results of testing assessed as "Not Met"
Cybersecurity
Framework Metric
Security Function domain Federal Information Security Modernization Act metric
Identify
Risk
Management
The EPA has not consistently implemented a process for using standard data
elements/taxonomy to develop and maintain an up-to-date inventory of hardware
assets connected to the organization's network with the detailed information
necessary for tracking and reporting.
Protect
Identity and
Access
Management
Security and
Privacy
Training
The EPA has not fully implemented an Identity, Credential and Access
Management strategy to guide its Identity, Credential and Access Management
processes and activities.
The EPA did not identify and track status of specialized security and privacy
training for all personnel (including employees, contractors and other organization
users) with significant information security and privacy responsibilities requiring
specialized training. As a result, the EPA is unaware as to whether information
security contractors possess the skills and training needed to protect the agency's
information, data and network from security breaches.
Source: OIG analysis.
In addition, our annual reports on the EPA's FYs 2017 and 2016 financial statements (18-F-0039 and
17-F-0046. respectively) disclosed that information technology processes need to be improved to protect
the integrity of EPA data used for decision-making and that the EPA lags behind in taking steps to
remediate longstanding information system controls needed to protect financial data. In particular, our
audits noted that:
• The EPA's financial accounting system (Compass Financials) application—a major information
technology investment—lacked an oversight structure to verify that personnel implemented
agency policies and procedures, and to guide the project through the acquisition process. Based
on the EPA's $3 million cost-savings estimate for competitively procuring hosting services for
Compass Financials, the agency may have overspent $250,000 by having to extend the sole-
source contract due to lack of oversight.
• The EPA did not have a documented process for handling emergency or unscheduled changes to
the Office of the Chief Financial Officer's financial system's configuration. Additionally, direct
modifications to the Compass Financials database lacked documented approvals, as well as
verifications of implemented changes to the database as required.
In particular, increased management oversight is needed over agency contractors to comply with
mandated information system security requirements:
• In our September 2015 report on EPA contract systems (15-P-0290). we noted that personnel
with oversight responsibilities for contractor systems were not aware of the requirements
outlined in EPA information security procedures. As a result, EPA contractors did not conduct
18-N-0174
13
-------�
required annual security assessments, provide security assessment results to the agency for
review, and establish the required incident response capability. Data breaches costing from
$1.4 million to over $12 million could have occurred if the systems were compromised.
• In another September 2015 report (15-P-0295), of the EPA's administration of cloud services,
we found that the EPA was not fully aware of the extent of its use of cloud services and thereby
was missing an opportunity to help make the most efficient use of its limited resources regarding
cloud-based acquisitions. The inadequate oversight of a cloud service provider resulted in the
agency placing an EPA system within the vendor's network that (1) did not comply with federal
security requirements and (2) contained vendor terms of service that were not compliant with
the Federal Risk and Authorization Management Program.
• Our FY 2015 annual audit of the EPA's information security program (16-P-0039) disclosed that
agency management of contractor systems required significant management attention to correct
noted deficiencies. We found that significant improvements were needed to (1) enforce
contractor compliance with required security controls, (2) maintain an accurate inventory of
contractor systems and (3) identify contractor systems that interface with EPA systems.
The EPA took steps to address some of the recommendations noted in the above reports. Nonetheless,
current audit work continues to note that the EPA lacked a holistic approach to managing
accountability over its contractors and ensuring personnel responsible for overseeing contractors were
aware of their responsibilities.
• Our FY 2016 annual audit of the EPA's information security program (17-P-0044) disclosed that
the agency did not identify and track the status of specialized security training for contractors
with significant information security responsibilities. Our follow-up activity during FY 2017 noted
that the agency made little progress in correcting this deficiency, and we again reported this issue
in our FY 2017 annual report on the EPA's information security program (18-P-0031).
• Our July 2017 report (17-P-0344) noted that $153 million of the $166 million of contracts did not
contain requirements for support contractors to complete required role-based training, even
though the contractors had access to EPA systems that could bypass implemented security
controls. We found that personnel overseeing contractors were not monitoring whether the
contractor completed the required training or knew about the training requirement. Further, we
found that the EPA had not reviewed its contracts to verify whether the contacts contained a
clause that requires contractors with significant information security responsibilities to complete
role-based training, even though the EPA developed a contract clause for this purpose. Also,
personnel overseeing the EPA's information security program did not implement an oversight
process to monitor the completion of specialized training, or report the status of contractors'
completion of role-based training as outlined in EPA policy and other federal guidance.
• Our September 2017 management alert (17-P-0409) noted that the EPA had not initiated, at a
minimum, a Tier 4 background investigation for any of the nine sampled contractor personnel
with privileged access to agency information systems and data. The EPA is required to initiate a
18-N-0174
14
-------�
background investigation prior to granting access to agency systems and data. The table below
summarizes the results of our analysis. These contractor personnel hold various information
technology specialist positions with the ability to make changes to security controls in the
systems they access, and the personnel should have been assigned a high-risk designation.
Risk designations for contractor personnel
Contractor
Type of
investigation
conducted
EPA office's
risk designation
Position
1
Tier 1
Not Designated
Email IT Analyst
2
Tier 2
Moderate Risk
Computer Security Analyst
3
Tier 2
Moderate Risk
Manager Email
4
Tier 2
Moderate Risk
Active Directory Engineer
5
Tier 2
Moderate Risk
Senior System Engineer
6
Tier 2
Moderate Risk
Senior System Analyst
7
Tier 1
Not Designated
Enterprise Computer Security Information Manager
8
Tier 2
Moderate Risk
System Administrator
9
Tier 2
Moderate Risk
Technical Support Analyst I
Source: OIG analysis of EPA background investigation data from Office of Administrative Services Information System
as of June 21, 2017.
The OIG in its investigative role has taken a measured approach in working with the EPA with regard to
cybersecurity prevention and remediation. The OIG's Office of Investigations has reached out to the
agency's Incident Response Center personnel and the Federal Bureau of Investigation's Cybercrime Task
Force to get a broader view of cybersecurity threats and to work with experts in identifying trends and
solutions. However, the EPA must be willing to engage in these efforts to create an environment to
broaden network situational and threat awareness to proactively combat cyber threats.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required
to justify removal: (1) demonstrated top leadership commitment, (2) monitoring efforts and
(3) demonstrated progress. The EPA has taken steps to address many of our audit recommendations.
However, the following actions remain to address cybersecurity challenges:
1. Develop and implement a process that:
a) Strengthens internal controls for monitoring and completing corrective actions on all
open audits.
b) Maintains appropriate documentation to support completion of corrective actions;
if delegated to sub-offices, the process should include regular inspections by the Office of
Environmental Information's Audit Follow-Up Coordinator.
c) Specifies when sub-offices must complete corrective actions as completed.
d) Requires verification that corrective actions fixed the issue(s) that led to the recommendation.
e) Requires sub-offices to continue to use the improved processes.
f) Requires Office of Environmental Information managers to update the office's Audit
Follow-Up Coordinator on the status of upcoming corrective actions.
18-N-0174
15
-------�
2. Remediate weaknesses identified during the FY 2017 annual audit of the EPA's information
security program.
3. Implement a process to train EPA Contract Officer Representatives on their responsibilities for
monitoring contractors to verify they meet specified EPA information security responsibilities.
4. Implement plans to review all EPA contracts and task orders and place the EPA-developed
contract clause requiring contractors to complete role-based training into all EPA contracts
and task orders.
5. Implement a process to create a listing of agency contractors with significant information
security responsibilities who require role-based training, validate that the identified
contractors complete the annual role-based training requirement, and report the information
as required by the Federal Information Security Modernization Act.
6. Identify the equipment needed to restore operations and network connectivity for the
financial and mixed-financial applications housed at the EPA's data center.
7. Monitor the actions of contractors with direct access to data within the agency's core financial
application.
8. Create data storage plans for key financial applications.
9. Implement controls within the EPA's financial systems to prevent personnel with incompatible
duties from processing financial transactions.
10. Require the Compass Financials Project Manager to obtain the Federal Acquisition Certification
for Program and Project Managers with the Information Technology specialization.
11. Establish controls for creating and locking administrative accounts in Compass Financials.
12. Develop and implement a methodology to monitor accounts with administrative capabilities in
Compass Financials.
13. Enter the Continuous Monitoring Assessment recommendations into the agency's system used
for monitoring the remediation of information security corrective actions.
14. Develop a process for obtaining the current inventory listing and document the process in the
National Computer Center's Disaster Recovery Plan and Information System Contingency Plan.
15. Participate and cooperate more with the OIG, external law enforcement agencies and industry
experts to take a proactive role in identifying trends and sharing intelligence about cyber
threats and solutions. The EPA should do more to expose exploits and vulnerabilities with
other federal agencies and work together to combat the issues of cybersecurity.
18-N-0174
16
-------�
CHALLENGE: The EPA Needs to Improve on Fulfilling Mandated
Reporting Requirements
CHALLENGE FOR THE AGENCY
OIG work over the last 8 years has shown
that the agency faces issues in tracking and
submitting reports mandated by law that
contain key program information for use by
Congress, the Administrator and the public.
When the EPA does not fulfill reporting
requirements, the agency is in violation of
the law and does not demonstrate how and whether it is achieving the goals Congress set for the
associated programs. Without these reports, Congress and the public are not informed about the EPA's
progress toward achieving goals or the challenges programs face during implementation. Our findings
across multiple programs emphasize the need for EPA management to take agencywide action to
verify that required reports are submitted. As the OIG continues to identify this issue in multiple
programs across the EPA, the agency should develop a comprehensive approach to address this
challenge.
BACKGROUND
The EPA OIG identified instances across five programs where the EPA has failed to meet legal reporting
requirements to Congress between 2010 and 2018. The OIG recommended that the agency meet the
specific reporting requirements and establish internal controls to track issuance of these required
reports. Fulfilling mandated reporting requirements will inform future rulemaking and decision making.
In response to our work, the EPA has issued some required reports that it previously had not provided,
and has issued a memorandum to the EPA's Assistant Administrators and Associate Administrators
reminding them of the agency's standard practice in tracking reports to Congress. However, much
additional work remains.
Congress mandates reports to provide Congress with information about progress, but the reports also
provide legislators with information for future legislative and funding decision making. By not fulfilling
reporting requirements, Congress and the public, as well as the EPA Administrator, are not receiving
information about programs' progress and challenges or about how the EPA is working to fulfill the
agency mission to protect human health and the environment.
THE AGENCY'S PROGRESS
The OIG is including required reporting as an EPA management challenge based on our broad findings
and on the importance of EPA meeting requirements. Some of the following issues identified in our
work over the past 8 years demonstrate the breadth of this challenge and show how the agency has
worked to address the issue on a program-by-program basis but needs a comprehensive effort. For the
18-N-0174
17
-------�
OIG reports where this issue was identified, the EPA ultimately agreed to or implemented corrective
actions by planning and submitting required program reports:
• In response to a July 2016 report (16-P-0246), the agency issued a required but long-awaited
Office of Environmental Education Report to Congress, the EPA Administrator and the public in
response to our report on insufficient reporting. The OIG found that after 2005, the office did
not fund and convene the National Environmental Education Advisory Council as required by
the National Environmental Education Act until 2012. One result of this lapse in funding and
convening the council was that the council was not always able to provide congressionally
required reports on the extent and quality of environmental education in the nation. The OIG
recommended that the EPA ensure that the council is appointed and submits required reports
to Congress. The EPA agreed and issued the required report.
• In response to a September 2011 report (ll-P-0708), the agency submitted a long-required
report related to residual effects of methamphetamine labs. The OIG had found that the Office
of Research and Development failed to submit a report to Congress required under the
Methamphetamine Remediation Research Act of 2007 detailing how the agency would use the
results of a study of the residual effects of methamphetamine labs to carry out all
methamphetamine-related activities. The office completed a literature review on residual
effects in 2010, but did not transmit a report to Congress; a copy of its draft research plan was
provided in 2009 and the office updated congressional staff on the status of this study in 2010.
The EPA agency confirmed there were no internal controls to identify or track the status of
EPA's legislative requirements. In lieu of an agencywide control system, individual EPA program
offices were responsible for tracking and completing legislative requirements. The OIG
recommended that the EPA develop internal controls to ensure that legislative requirements
are identified and tracked, and that their status is reported to Congress as required. The agency
implemented the recommendation and developed a system to track Reports to Congress and
ensure legislative requirements are met.
• In response to a June 2010 report (10-P-0154), the agency submitted a long-overdue report on
urban air toxics. The OIG found that the Office of Research and Development had failed to
submit a second report to Congress required under Section 112(k) of the Clean Air Act on
actions taken by the agency to reduce risks posed by urban air toxics from area sources. The
agency submitted the first required report to Congress in July 2000, which was 2 years after the
deadline specified by the Clean Air Act. However, the second report, required in 2002, was not
submitted. The OIG concluded that submitting this report would inform Congress on the status
of the program and the contributing factors to the delayed implementation of the program. The
OIG recommended that the EPA develop and submit the required second Urban Air Toxics
Report to Congress by the end of FY 2010. The Office of Research and Development ultimately
submitted that required second report to Congress in August 2014.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required to
justify removal: (1) demonstrated top leadership commitment, (2) a corrective action plan and
18-N-0174
18
-------�
(3) demonstrated progress. Although the EPA is working to implement recommendations to comply
with reporting requirements for individual programs, the OIG continues to identify this issue.
Therefore, EPA leadership needs to make a comprehensive effort to address this issue across the
agency by reducing the rate of missing reports; identifying the causes of not issuing reports, with
targeted plans to address the causes; and implementing corrective actions to address these issues.
• Following a January 2018 report (18-P-0071), the agency and the OIG are engaged in resolution
efforts to resolve the recommendations to submit required reports to Congress on a water
program. The OIG found that the Office of Water failed to fulfill the legal requirement under
Section 7 of the Beaches Environmental Assessment and Coastal Health Act of 2000 (known as the
BEACH Act) to report to Congress every 4 years on the program's progress and impact on water
quality and public health. The act requires that the EPA report to Congress on recommendations
for additional criteria or actions to improve water quality, provide a national assessment of the
implementation of the act, and note areas for improvement in monitoring. The EPA last submitted
this required report to Congress in 2006, though it was due in 2010 and again in 2014. According
to EPA staff, lack of resources to complete the report and disagreement between the EPA and
Office of Management and Budget on whether the program was still needed led the EPA to cease
its congressional reporting. The EPA's guidance for issuing such reports did not include a process
for addressing or appealing such disagreements. The OIG recommended that the EPA submit the
mandated reports to Congress and review and update controls for identifying, tracking and
submitting mandated reports. In response, in March 2018, the agency issued a memorandum,
Reminder of Existing Practices Regarding Statutorily-Mandated Reports to Congress, as a reminder
that all legislatively mandated reports are to be placed in ADPTracker. Other recommendations
remain unresolved with resolution efforts in progress.
• In response to an August 2016 report (16-P-0275), the agency agreed to provide some required
reports to Congress for an air program but additional reports were required. The OIG had found
that the Office of Research and Development failed to fulfill a legal requirement under
Section 204 of the Energy Independence and Security Act of 2007 to report to Congress every
3 years on the environmental and resource conservation impacts of the renewable fuel
standard program. The office issued an initial report to Congress for the Renewable Fuel
Standard Program in 2011, but did not issue subsequent triennial reports. The agency
attributed this to competing research priorities, reductions to the office's budget, and the
3-year reporting cycle not allowing time for significant scientific advances to occur. The OIG
recommended that the EPA fulfill its obligation to provide triennial reports to Congress on the
impacts of biofuels as required. The agency agreed with this recommendation and planned to
complete corrective actions in June 2018.
The EPA needs to fulfill its responsibilities by issuing all required reports. To address this agencywide
concern, EPA top leadership needs to develop and implement a process for tracking and submitting
required reports, including devoting the people and resources required to reduce risks, and
establishing processes for reporting and accountability. As the agency works to resolve this issue, the
OIG will look for a corrective action plan, evidence of monitoring efforts, and demonstrated progress in
issuing all required reports.
18-N-0174
19
-------�
CHALLENGE: The EPA Needs Improved Data Quality for Program
Performance and Decision-Making
CHALLENGE FOR THE AGENCY
In recent years, our work identified
weaknesses in quality controls for EPA
program data. Recent work by the OIG
continues to support data quality as a
management challenge. Data quality—the
totality of features and characteristics such
as accuracy, reliability and other limitations
that bear on the data's ability to meet the
stated or implied needs and expectations of the data user—matters because managers use data to
manage the EPA's programs to achieve the agency's goals. Thus, it takes high-quality data to support
high-quality decisions. Using high-quality data to inform EPA management decisions is enshrined in
long-standing policy and public law. Since 1979, EPA policy has required an agencywide quality system
supporting environmental programs and by non-EPA organizations performing work in behalf of the
EPA through extramural agreements. Further, the Government Performance and Results Act
Modernization Act of 2010 states that agencies must execute an annual performance plan that, among
other things, includes a description of how the agency will ensure the accuracy and reliability of data
used to measure progress toward performance goals.
BACKGROUND
To accomplish its mission, the EPA develops regulations and establishes programs that implement
environmental laws. The EPA performs oversight of these programs—including programs implemented
by the agency, delegated states, territories or tribes—to protect human health and the environment.
Effective oversight should provide reasonable assurance that program goals are achieved and activities
comply with all relevant laws and regulations. The EPA relies on data to help assess program
performance and public benefit, and those assessments depend on the quality of the data that
underpin the analyses.
We identified data standards and data quality in the FY 2007 management challenges report. At that
time, we found that the EPA was not routinely incorporating data standards and collecting information
for all programs. Data standards and data quality were removed from the management challenges list
for FY 2008. However, because recent OIG work points again to a pattern of data quality issues, we are
reintroducing data quality for program data as an FY 2018 management challenge.
Recent OIG reports show that poor data quality negatively impacts the EPA's effectiveness in
overseeing programs that directly impact public health, such as managing air quality, Clean Air Act
facilities, drinking water, toxic releases to surface waters, Superfund sites and environmental
18-N-0174
20
-------�
education. Data quality issues also subject the EPA to significant financial risks and delayed cleanups
while the public must endure prolonged exposure to unsafe substances and restrictions on the public
use of needed natural resources.
These reports point to a systemic problem with data quality, making data analysis more difficult and
less reliable than desired. The EPA and public rely heavily upon the agency's data to determine
program performance and benefits to the public. The agency uses a variety of data to manage many
programs and inform decisions about those programs. Therefore, for the EPA to effectively manage its
programs, data must be timely, accurate and suitable for the intended purposes. Data quality directly
impacts decision quality, and poor data quality can also mask risks to public health and tax dollars.
THE AGENCY'S PROGRESS
In response to OIG reports, the EPA took corrective actions to address enforcement data quality for
Clean Air Act facilities, benzene standard compliance, and environmental education data quality issues.
In addition, the EPA began development of the Safe Drinking Water Information System-Prime, which
should allow electronic verification of data and provide data quality functional enhancements. The EPA
also opted to improve electronic reporting tools for Toxics Release Inventory and Discharge Monitoring
data to address data quality limitations. Details follow:
• In a March 2016 management alert (16-P-0126), we reported that the EPA had poor data
quality and lacked internal controls to oversee and manage its Resource Conservation and
Recovery Act and Comprehensive Environmental Response, Compensation, and Liability Act
financial assurance program. As such, the EPA was vulnerable to considerable financial
exposure, and the public may be at risk for delayed cleanups, prolonged human and
environmental exposures to unsafe substances, and extended restrictions on the public use of
needed natural resources. The agency completed corrective actions to address the report
recommendations.
• In a July 2016 report (16-P-0246), we noted that the EPA did not obtain consistent performance
data from environmental education grantees. Thus, the EPA could not assess its environmental
education program results and benefits, was limited to reporting on individual grant and
cooperative agreement outputs, and was significantly impaired in its ability to provide evidence
of results and instill confidence that it has the capacity to properly manage both the program
and its significant grant funds. The agency completed corrective actions to address the report
recommendations.
• In a June 2017 report (17-P-0249), we noted that EPA management controls were not effective
in providing reasonable assurance that facility-reported data were of sufficient quality to assess
compliance or maintain the integrity of credit-related information for the benzene standards.
Benzene is one of three key pollutants contributing the most to cancer risks nationwide, and
benzene exposure has been linked to blood disorders and cancers, including leukemia. Mobile
sources are responsible for most of the outdoor risks from benzene, and the EPA has classified
18-N-0174
21
-------�
benzene as a regional cancer risk driver. EPA staff must research and correct questionable data
quality before the EPA can determine whether facilities comply with the benzene standards and
purchased credits were proper. Poor data quality can also delay EPA actions to identify and
resolve instances where facilities may produce or import gasoline exceeding the benzene
standards. The agency completed corrective actions to address the report recommendations.
• In a July 2017 report (17-P-0326), we noted that recent EPA reviews of public water systems'
monitoring and reporting for drinking water quality have not been as comprehensive or
nationally consistent as previous reviews. There was also a risk that drinking water quality
information reported to the EPA was not always reliable. This situation can lead to conditions
where the EPA and public may not know if water arriving at taps meets national drinking water
standards. In 2016, approximately one in five public water systems reported monitoring and
reporting violations, with 40 percent of those violations related to the Total Coliform Rule and
pathogens in drinking water. Another example of this risk is the lapse in effective monitoring
and reporting that contributed to prolonged exposure to lead-contaminated drinking water in
Flint, Michigan. The lack of in-depth public water system reviews and the low reliability of
drinking water data reported to the EPA impede the agency's ability to oversee the national
drinking water program. The EPA is currently taking action to address these limitations. No
recommendations were issued for this report.
WHAT REMAINS TO BE DONE
The agency's activities under this management challenge do not meet the following criteria required to
justify removal: (1) agency capacity, (2) a corrective action plan, (3) monitoring efforts and
(4) demonstrated progress. EPA leadership needs to demonstrate commitment to verify data used for
program performance and that management has sufficient quality.
To demonstrate this commitment, the agency should show that it has the proper people and processes
in place to deploy the agency data quality policies and procedures to all program data and actively
manage its data to achieve the desired quality. Recent reports show that the EPA still needs to address
data gaps in financial and enforcement data to ensure information is timely, accurate and suitable for
assessing the capacity of companies with multiple environmental liabilities to conduct cleanups
without unduly exposing public health or taxpayers to risks. While the move to electronic reporting
should ease the agency's access to data and simplify reporting, electronically reported data will still
need verification and validation to ensure accuracy, timeliness and proper format.
There are issues related to electronically reported data. For example, while Safe Drinking Water
Information System-Prime will provide some electronic data quality enhancements, primacy states
(i.e., those states granted primary responsibility for enforcing and implementing the Safe Drinking
Water Act) are not required to use that system for data reporting, since it is a voluntary system. States
that choose not to participate cause data gaps. Further, the EPA should ensure that all program data
used to assess and manage program performance are aligned with the stated program goals and
objectives and that the data are of sufficient quality and suitability to inform decisions.
18-N-0174
22
-------�
• In a December 2017 report (18-P-0059). we noted that the EPA lacked a data system with the
capability to track multiple environmental liabilities and the resources and technical ability to
validate self-insurance for companies with multiple environmental liabilities. The inability to
validate a company's self-insurance represents a high-risk issue to the EPA; if a company
defaults on its cleanup obligations, EPA and federal funds may be required to finance cleanups
that should be paid for by the polluter. Invalid self-insurance may also result in contamination
being left at sites for long periods; larger, more complicated cleanups; higher costs; and longer
human and environmental exposures to unsafe substances. The agency partially agreed with
our recommendations and work is underway to reach agreement on the unresolved
recommendations. Other corrective actions are pending.
• In an October 2017 report (18-P-0001), we noted that the Toxics Release Inventory and the
Discharge Monitoring Report Comparison Dashboard had limited utility for identifying possible
surface water dischargers that lacked a National Pollutant Discharge Elimination System permit
due to a lack of discharger address information. Without specific discharger address
information in the Discharge Monitoring Report Pollutant Loading Tool, attempting to manually
match a National Pollutant Discharge Elimination System facility to a Toxics Release Inventory
facility was resource-intensive and inexact, impacting the EPA's ability to regulate facilities.
Further, the Pollutant Loading Tool cannot identify unpermitted dischargers to surface water
based on Toxics Release Inventory data, which means the EPA and public cannot know when or
how much pollution occurs from those dischargers. Corrective actions are pending.
• In a May 2016 report (16-P-0164), we noted that the Clean Air Act Facility inspection data on
the EPA Enforcement and Compliance History Online website did not reflect that many facilities
had received a full compliance inspection, and it was not verified that data were properly
migrated into the database used by the website. Inaccurate data hinder EPA oversight and
reduce assurance that the delegated compliance programs comply with the agency's guidance.
Further, unreported or inaccurate data presented on the publicly available Enforcement and
Compliance History Online website could misinform the public about the status of facilities. The
EPA completed corrective actions on two recommendations for updating the compliance
monitoring system and conducting regular data reviews with state and local agencies. However,
the EPA still needs to establish a regular data quality check process, specify the length of time
states and local air districts should retain evaluation records, direct California local air districts
that do not have a current compliance monitoring plan to submit plans to Region 9 and provide
guidance to California local air districts as to how and when to submit compliance monitoring
plans, and develop a schedule for reviewing and approving draft compliance monitoring plans.
18-N-0174
23
-------� |