^tDsrx
i o
_
V pR0^O
-------�
Report Contributors:
Rudolph M. Brevard
Alonzo Munyeneh
Albert E. Schmidt
Abbreviations
CFR Code of Federal Regulations
e-Manifest Electronic Manifest
EPA U.S. Environmental Protection Agency
FIPS Federal Information Processing Standards
NIST National Institute of Standards and Technology
OIG Office of Inspector General
OLEM Office of Land and Emergency Management
SP Special Publication
Cover Photo: On July 18, 2001, a freight train carrying hazardous chemicals crashed in a
railroad tunnel in Baltimore, Maryland, forcing the closure of an interstate
highway, the Camden Yards baseball park, and the Inner Harbor area.
(Photo courtesy of the Baltimore City Fire Department)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
X^£D S7",
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
June 21, 2018
MEMORANDUM
SUBJECT: Management Alert: To Minimize Risk of Environmental Harm, the Security
Categorization of Electronic Manifest System Data Needs to Be Re-Evaluated
Report No. 18-P-0217
FROM: Arthur A. Elkins Jr.
TO:
Barry Breen, Acting Assistant Administrator
Office of Land and Emergency Management
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). The project number for this audit was OA-FY18-0089.
This report contains findings that describe the problems the OIG has identified and corrective actions the
OIG recommends. This report represents the opinion of the OIG and does not represent the final EPA
position. Final determinations on matters in this report will be made by EPA managers in accordance
with established audit resolution procedures.
The Electronic Manifest system is a major information technology investment for the Office of Land
and Emergency Management. Within that office, the Office of Resource Conservation and Recovery is
responsible for implementing the system. Within the Office of Environmental Information, the Senior
Agency Information Security Officer has responsibility for enforcement and compliance of the agency's
information security programs and information systems.
Action Required
In accordance with EPA Manual 2750, you are required to provide a written response to this report
within 60 calendar days. You should include planned corrective actions and completion dates for all
recommendations that need additional information for resolution. Your response will be posted on the
OIG's website, along with our memorandum commenting on your response. Your response should be
provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the
Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want
to be released to the public; if your response contains such data, you should identify the data for
redaction or removal along with corresponding justification.
The report will be available at www.epa.gov/oig.
-------�
Management Alert: To Minimize Risk of 18-P-0217
Environmental Harm, the Security Categorization
of Electronic Manifest System Data
Needs to Be Re-Evaluated
Table of C
Purpose 1
Background 1
Responsible Offices 1
Scope and Methodology 1
Results 2
EPA Evaluations of e-Manifest Did Not Include Sufficient
Homeland Security Considerations 3
EPA Selected an Information Type that Requires Implementing
Minimum Information System Security Controls 4
EPA Did Not Consider Use of e-Manifest by Emergency Responders 5
Conclusion 5
Recommendations 6
Agency Comment and OIG Evaluation 6
Status of Recommendations and Potential Monetary Benefits 8
Appendices
A FIPS 199 Defined Impact Levels 9
B OLEM's Response to Discussion Document and OIG Evaluation 10
C Distribution 13
-------�
Purpose
The Office of Inspector General (OIG) of the U.S. Environmental Protection
Agency (EPA) conducted this audit to determine whether the EPA categorized the
sensitivity of information for systems that handle hazardous waste material
information as prescribed by the National Institute of Standards and Technology
(NIST).
Background
The EPA is scheduled to launch its Electronic Manifest (e-Manifest) system in
June 2018. This system is an electronic tracking system being designed to track
shipment of hazardous waste from a generator's site to another site for
disposition. The EPA is implementing e-Manifest under the Hazardous Waste
Electronic Manifest Establishment Act.
As a web-based application, e-Manifest is being designed to update in real time
when there is access to the internet, thus facilitating the electronic transmission of
the uniform manifest form. The information on a manifest form includes material,
quantity, waste code and hazard class for the transported material. It also contains
the U.S. Department of Transportation nomenclature and the names and addresses
of the waste generator and receiver. This information allows users of the manifest
to understand the nature and volumes of the material being transported. EPA
Office of Land and Emergency Management (OLEM) representatives said that,
currently, transporters are required to keep paper copies of the manifest as an
official record. The EPA is working with states, industry and related stakeholders
to make the use of manifest information effective and convenient for users.
Responsible Offices
The e-Manifest system is a major information technology investment for the
OLEM. Within the OLEM, the Office of Resource Conservation and Recovery is
responsible for implementing the system.
Further, within the Office of Environmental Information, the Senior Agency
Information Security Officer has responsibility for enforcement and compliance
of the agency's information security programs and information systems.
Scope and Methodology
We conducted this audit from January 2018 to March 2018, in accordance with
generally accepted government auditing standards issued by the Comptroller
General of the United States. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that
18-P-0217
1
-------�
the evidence obtained to date provides a reasonable basis for our findings and
conclusions presented in this document.
We reviewed special publications and federal information processing standards
(FIPS) issued by NIST. We also reviewed federal and EPA criteria related to our
objective. We evaluated the process used by the EPA to determine the e-Manifest
system's security categorization. We interviewed OLEM personnel in
Washington, D.C.
Results
The EPA categorized the sensitivity of the information within its e-Manifest
system at such a low level that planned information system security controls
would not minimize the risk of environmental harm. NIST provides guidelines
federal agency's must use for categorizing systems based on risk to determine
minimum information system security controls. This occurred, in part, because:
• Personnel responsible for categorizing the sensitivity of the e-Manifest
system and information did not sufficiently consider homeland security
implications as they relate to chemicals of interest.
• EPA personnel used an information type1 that defines the hazardous waste
data in the e-Manifest system in such a manner that minimal system
security controls would be needed to protect the information.
• The EPA did not consider further uses of the e-Manifest system; the
system could potentially be used by first responders in their efforts to
remediate incidents involving the transportation of hazardous waste.
As a result, the EPA plans to place sensitive hazardous waste information in its
system without implementing stronger minimum information system security
controls commensurate with the harm that could be caused if the information is
compromised. We are issuing this management alert because, before e-Manifest
launches in June 2018, we believe the EPA should consider all relevant factors
and select an information sensitivity rating that is commensurate with the harm
that could be caused if the e-Manifest system is compromised.
1 NIST Special Publication (SP) 800-60 defines an "Information Type" as a "specific category of information
(e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by
an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation."
18-P-0217
2
-------�
EPA Evaluations of e-Manifest Did Not Include Sufficient
Homeland Security Considerations
The EPA categorized the sensitivity of
information within its e-Manifest system
without sufficiently taking into account
homeland security considerations. NIST
provides guidelines for categorizing systems
based on risk to determine minimum
security controls. When the e-Manifest system goes into production, it will store
information on "chemicals of interest." The U.S. Department of Homeland
Security identified more than 300 chemicals within Appendix A of the Chemical
Facility Anti-Terrorism Standards, 6 CFR Part 27, that have the following three
main security concerns:
• "Release: Toxic, flammable, or explosive chemicals or materials
that can be released at a facility.
• "Theft or Diversion: Chemicals or materials that, if stolen or
diverted, can be converted into weapons using simple chemistry,
equipment, or techniques.
• "Sabotage: Chemicals or materials that can be mixed with readily
available materials."
FIPS 199 establishes the framework for categorizing information, and information
systems. FIPS 199 states "Security categories are to be used in conjunction with
vulnerability and threat information in assessing the risk to an organization." After
the categorization of the information and information system impact levels as either
low, moderate or high, the FIPS 199 drives the selection of the minimum information
system security controls needed to protect the information and information system.
See Appendix A of this report for the FIPS 199 defined impact levels.
EPA officials indicated that they consulted with the U.S. Department of Homeland
Security and addressed all of that department's concerns. OLEM representatives
indicated the EPA fulfilled Department of Homeland Security requests to delay
public access to manifest information for 90 days after receipt of hazardous waste at
receiving facilities and redact "chemicals of interest" information when the manifest
containing this information is made public. While these actions address the release
and availability of information through normal processes, these actions do not
address how the EPA plans to protect the information from being compromised
within the e-Manifest system.
The EPA's documented analysis used to categorize the sensitivity of information
within the e-Manifest system indicated there were no homeland security
considerations. However, public information about the e-Manifest system
indicates that the EPA took steps to delay releasing e-Manifest information at the
"Chemicals of Interest" are
hazardous chemicals that the
U.S. Department of Homeland
Security want to keep out of the
hands of those who would
misuse them.
18-P-0217
3
-------�
request of the Department of Homeland Security. As such, the EPA system
security analysis lacks information that should have been considered when
evaluating whether additional information system security controls were needed
to protect the e-Manifest system. Furthermore, the EPA's documented analysis
indicates that the agency only has to use minimum information system security
controls to protect sensitive data. Given that the e-Manifest system contains
"chemicals of interest," it is incumbent upon the EPA to implement measures to
safeguard this information while the hazardous material is being transported from
the facility to the waste disposal site in addition to protecting the information
before it is released to the public.
EPA Selected an Information Type that Requires Implementing
Minimum Information System Security Controls
The EPA selected an information type for the
e-Manifest system that requires implementing
minimal information system security to protect
the system and data. NIST SP 800-60 provides
the guidelines for mapping type of information
and information systems to security categories.
The guideline's objective is to:
NIST SP 800-60 states that an
information type "can be
associated with both user
information and system
information.... It is also used
as input in considering the
appropriate security category
for a system."
facilitate provision of appropriate levels of information security
according to a range of levels of impact or consequences that
might result from the unauthorized disclosure, modification, or loss
of availability of the information or information system.
The OLEM representatives believe that the information within e-Manifest falls
within NIST SP 800-60, Volume II, Classification of D.8.8.3 Pollution Prevention
and Control Information,2 which equates to a low impact level classification.
However, the Pollution Prevention and Control Information category does not
seem to accurately reflect the types of information contained in hazardous waste
manifests. As a result, the EPA's information type selection for the e-Manifest
system lacks considerations of the impact on human health and the environment if
the system is compromised.
The OIG disagrees with the categorization of the information within e-Manifest,
as NIST and Department of Homeland Security documentation indicates that
there are homeland security concerns with hazardous material data. Additionally,
the OIG believes the information within e-Manifest more accurately matches
NIST SP 800-60, Volume II, Data Categorization of C.3.4.2 Inventory Control
Information Type, that "refers to the tracking of information related to procured
assets and resources with regards to quantity, quality, and location."
2 NIST SP 800-60, Volume II, states: "pollution prevention and control includes activities associated with
the establishment of enviromnental standards to control the levels of harmful substances emitted into the
soil, water and atmosphere."
18-P-0217
4
-------�
While the e-Manifest system does not contain information for the EPA's procured
assets and resources with regard to quantity, quality and location, e-Manifest
contains industry-supplied inventory information that tracks shipment of
hazardous waste from a generator's site to another site for disposition.
Furthermore, this section specifically pertains to the tracking of information
related to procured assets and the e-Manifest data raises many of the same
security concerns.
EPA Did Not Consider Use of e-Manifest by Emergency Responders
The classification of the e-Manifest system and data did not include consideration
for emergency responders' use of the e-Manifest system. On January 15, 2014, the
EPA issued a press release3 in which the EPA's Assistant Administrator for the
Office of Solid Waste and Emergency Response4 indicated:
Once fully implemented, the national e-Manifest system will
provide greater access for emergency responders to information
about the types and sources of hazardous waste that are in transit
between generator sites and waste management facilities.
Although the Hazardous Waste Electronic Manifest Establishment Act does not
provide criteria for the e-Manifest system to be used by emergency responders, it
is reasonable to assume that that the system would be valuable to emergency
responders who may not be able to access the paper manifest. The e-Manifest
system contains information helpful to emergency responders to remediate
incidents involving shipments of hazardous material, and thus would enable better
protection for emergency responders as well as the surrounding population.
However, the EPA has no current plans to provide emergency responders access
to e-Manifest.
Conclusion
Securing e-Manifest with the lowest information system security controls would
hamper the EPA's ability to protect sensitive data that, if breached, has the
potential to be used in terrorist attacks. Furthermore, if a system attack
jeopardizes the availability of the e-Manifest system, it could potentially delay the
remediation of the incidents involving the transportation of hazardous waste
because emergency responders would not have access to electronic manifest data
when the paper manifest is not available.
3 Press Release: "EPA Takes Important Step in Implementing the Hazardous Waste Electronic Manifest
Establishment Act."
4 Effective December 15, 2015, the name for the Office of Solid Waste and Emergency Response was changed to
the Office of Land and Emergency Management.
18-P-0217
5
-------�
Recommendations
We recommend that the Assistant Administrator for Land and Emergency
Management:
1. Obtain an understanding of the impact of a breach of the EPA's
Electronic Manifest system's hazardous material information from the
U.S. Department of Homeland Security and re-evaluate the security
categorization accordingly.
2. In coordination with the EPA Office of Environmental Information and
the National Institute of Standards and Technology, determine whether the
Electronic Manifest system's hazardous material information should be
handled as Pollution Prevention and Control Information or Inventory
Control Information with special considerations for hazardous materials,
and re-evaluate the security categorization accordingly.
3. Re-evaluate the security categorization of the Electronic Manifest system
annually or when there are significant changes to the system (including
allowing the system to be used by emergency responders) as required by
the EPA's Information Security - Risk Assessment Procedures.
Agency Comment and OIG Evaluation
While the agency believes it has correctly categorized e-Manifest, the agency
agrees with our recommendations. EPA management stated they fully addressed
homeland security recommendations provided by the U.S. Department of
Homeland Security as part of its interagency review process. Management also
indicated they believe NIST does not contain an information category that exactly
matches manifest data, and they believe Pollution Prevention and Control is the
proper information type.
The OIG maintains that the data within e-Manifest should be categorized as
moderate or high. This categorization is based on classifying the data using the
information type Inventory Control Information. While e-Manifest is not an
inventory of procured assets, it is still an inventory maintained by the EPA, and
the EPA should treat it the same way it treats inventories of procured assets.
We informed EPA personnel of our findings throughout the audit. We provided
the EPA with a discussion document with our findings and recommendations.
On March 29, 2018, the EPA provided a response to the discussion document
(Appendix B). On April 10, 2018, we briefed EPA management regarding the
findings and recommendations in this report. EPA management again agreed with
our recommendations and stated they would provide corrective actions and the
corresponding completion dates in response to this final report. Therefore, we
consider the recommendations unresolved pending receipt of that information.
18-P-0217
6
-------�
Until the recommendations are addressed, the e-Manifest system may not meet
NIST's and EPA's minimum security requirements for systems categorized as
moderate or high when e-Manifest is launched in June 2018.
18-P-0217
7
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion
Date
Potential
Monetary
Benefits
(in $000s)
1
6
Obtain an understanding of the impact of a breach of the EPA's
Electronic Manifest system's hazardous material information
from the U.S. Department of Homeland Security and re-evaluate
the security categorization accordingly.
U
Assistant Administrator for
Land and Emergency
Management
2
6
In coordination with the EPA Office of Environmental Information
and the National Institute of Standards and Technology,
determine whether the Electronic Manifest system's hazardous
material information should be handled as Pollution Prevention
and Control Information or Inventory Control Information with
special considerations for hazardous materials, and re-evaluate
the security categorization accordingly.
U
Assistant Administrator for
Land and Emergency
Management
3
6
Re-evaluate the security categorization of the Electronic Manifest
system annually or when there are significant changes to the
system (including allowing the system to be used by emergency
responders) as required by the EPA's Information Security -
Risk Assessment Procedures.
u
Assistant Administrator for
Land and Emergency
Management
1 C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
18-P-0217
8
-------�
Appendix A
FIPS 199 Defined Impact Levels
Table 1: FIPS 199 defined impact levels
Level Definition Amplification
Low "The loss of confidentiality, integrity "A limited adverse effect means that, for example, the loss of
or availability could be expected to confidentiality, integrity or availability might: (i) cause a
have a limited adverse effect on degradation in mission capability to an extent and duration
organizational operations, that the organization is able to perform its primary functions,
organizational assets or individuals." but the effectiveness of the functions is noticeably reduced;
(ii) result in minor damage to organizational assets; (iii) result
in minor financial loss; or (iv) result in minor harm to
individuals."
"A serious adverse effect means that, for example, the loss of
confidentiality, integrity or availability might: (i) cause a
significant degradation in mission capability to an extent and
duration that the organization is able to perform its primary
functions, but the effectiveness of the functions is significantly
reduced; (ii) result in significant damage to organizational
assets; (iii) result in significant financial loss; or (iv) result in
significant harm to individuals that does not involve loss of life
or serious life-threatening injuries."
"A severe or catastrophic adverse effect means that, for
example, the loss of confidentiality, integrity or availability
might: (i) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization is
not able to perform one or more of its primary functions;
(ii) result in major damage to organizational assets; (iii) result
in major financial loss; or (iv) result in severe or catastrophic
harm to individuals involving loss of life or serious life-
threatening injuries."
Source: EPA OIG-generated data based on extractions from FIPS 199.
Moderate "The loss of confidentiality, integrity
or availability could be expected to
have a serious adverse effect on
organizational operations,
organizational assets or individuals."
High "The loss of confidentiality, integrity
or availability could be expected to
have a severe or catastrophic
adverse effect on organizational
operations, organizational assets or
individuals."
18-P-0217
9
-------�
Appendix B
OLEM's Response to Discussion Document
and OIG Evaluation
From: Guernica, Mimi
Sent: Thursday, March 29, 2018 4:28 PM
To: Schmidt, Albert
Cc: Donnelly, Stephen; Thornton, Kecia; Charbonneau, David; Brevard, Rudy; Munyeneh,
Alonzo; Nisbett, Deana; Johnson, Barnes; Reaves, Thomas
Subject: RE: Discussion Document: EPA Needs to Reconsider Security Categorization for Its
Electronic Manifest System for Monitoring Hazardous Waste Transport (Project No. OA-FY18-
0089)
Thank you for the opportunity to respond to the issues and recommendations in the subject
discussion document. The following is a summary of the Agency's overall position.
The Office of Inspector General (OIG) made findings and issued three recommendations in the
discussion document that focused broadly on the following areas:
EPA's interactions with the U.S. Department of Homeland Security (DHS) relating to
EPA's security categorization for the electronic Manifest system (e-Manifest)
EPA's choice of data classification for e-Manifest's information under the National
Institute of Standards and Technology (NIST) information categories
EPA's re-evaluation of the system's security categorization and use of the e-Manifest
system by emergency responders
As part of interagency review related to the e-Manifest recently finalized fee rule, OLEM
solicited, received and fully addressed homeland security recommendations from DHS. DHS's
review and recommendations and EPA's ultimate actions in response focused on how to address
the release of a subset of chemicals of interest information to the public. EPA considered and
addressed the homeland security concerns raised by DHS. In response to OIG's
recommendation, however, OLEM will again initiate discussions with DHS regarding this issue
and will factor DHS concerns into assessing the impact of a breach, updating documentation as
necessary.
Concerning EPA's choice of data classification for e-Manifest information, OLEM
acknowledges that NIST 800-60 does not contain an information category that exactly matches
manifest data. However, OLEM believes it concluded that the proper FEA Information Type is
Pollution Prevention and Control. The consultation with DHS discussed above also bolsters
support for the appropriateness of the categorization and controls to mitigate vulnerabilities.
Combined with OLEM's rigorous application of the categorization guidelines and processes
detailed in FIPS, NIST, FEA and Agency publications, OLEM believes that e-Manifest is based
18-P-0217
10
-------�
on the correct information type, properly categorized, and adequately protected. Nonetheless, in
response to OIG's finding, OLEM will reconsider relevant NIST and Agency guidance.
OIG Response:
NIST SP 800-60, Volume II, Revision 1, indicates that D.8.3 Pollution Prevention and Control
Information includes activities associated with developing standards for the control of harmful
substances emitted in soil, water and atmosphere; and that the Pollution Prevention and Control
Information should be rated low for confidentiality, integrity and availability. However, NIST
SP 800-60 does not contain any information categories into which e-Manifest information clearly
fits. The information within e-Manifest most closely resembles the information that falls under
Inventory Control Information. NIST SP 800-60, Volume II, indicates that C.3.4.2 Inventory
Control Information Type refers to information related to the tracking of the quantity, quality and
location of procured assets and resources. While Inventory Control Information directly applies
to procured assets and resources, the special factors affecting the confidentiality impact
determination for such information addresses many of the concerns associated with e-Manifest
data. Further, Inventory Control Information related to hazardous materials security
categorization has special factors affecting the confidentiality impact. These factors indicate that
breach of hazardous material information may facilitate terrorist or other criminal activities and
thus should have a confidentiality impact of moderate or high.
In accordance with OIG's recommendation, EPA will follow the NIST 800-53 and Agency Risk
Assessment procedures for re-evaluation of the security categorization annually, or in concert
with significant system changes.
Regarding OIG's discussion that EPA should tailor the e-Manifest system for use by emergency
responders, the U.S. Department of Transportation (DOT) has jurisdiction relating to shipping
papers and emergency responders. In deference to DOT's requirements, the e-Manifest
regulations provide that the manifest shipping paper must remain in the truck with the hazardous
waste shipment. Congress has mandated that DOT make efforts to implement electronic shipping
paper requirements. A major focus of the DOT effort is how to involve the emergency response
community in accessing data. While OLEM has been clear that the e-Manifest system has not
initially been designed for use by first responders, OLEM is keenly aware that, as the e-Manifest
system develops, this is an area that needs to be explored further and, in addition, OLEM will
continue to engage with DOT to keep apprised of its solution.
OLEM would also like to point out that the final e-Manifest regulations' definition of 'user' does
not encompass emergency responders or others who may access the e-Manifest system only to
access manifests or manifest data supplied to the system by the users of the electronic manifest.
OIG Response:
During an emergency, a paper manifest may not be readily available to first responders. As a
result, the ability of emergency responders to access electronic manifests would be instrumental
in the timely remediation of incidents involving hazardous waste.
18-P-0217
11
-------�
OIG has informed OLEM that it intends to issue a management alert based on its findings in the
discussion document. The DHS OIG web site (https://www.oig.dhs.gov/reports/management-
alerts?field_dhs_agency_target_id=l&field_oversight_area_target_id=10) characterizes
management alerts as follows:
These notifications are used by the OIG to inform senior DHS managers of conditions which
pose an immediate and serious threat of waste, fraud and abuse in agency programs. These alerts,
usually triggered by findings made in the course of our audit, inspections and investigative work,
may also contain recommendations to correct the identified concerns.
OLEM disagrees that OIG's findings in the subject discussion document meet the criteria for
issuance of a management alert. In addition, OLEM's responses and willingness to address
OIG's concerns mitigate the need for a management alert.
OIG Response:
The EPA OIG has the discretion to issue management alerts and is not bound by the U.S.
Department of Homeland Security OIG's internal policies and procedures. We are issuing this as
a management alert because the e-Manifest system is planned for launch in June 2018.
OLEM looks forward to discussing specific issues in greater detail during our meeting in April.
Mimi Guernica
Associate Division Director, ORCR/PIID
18-P-0217
12
-------�
Appendix C
Distribution
The Administrator
Chief of Staff
Chief of Operations
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Assistant Administrator for Land and Emergency Management
Assistant Administrator for Environmental Information
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator for Land and Emergency Management
Principal Deputy Assistant Administrator for Environmental Information
Director, Office of Resource Conservation and Recovery, Office of Land and
Emergency Management
Senior Agency Information Security Officer, Office of Environmental Information
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Land and Emergency Management
Audit Follow-Up Coordinator, Office of Environmental Information
18-P-0217
13
-------� |