OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment
Audit Report
EPA Needs to Improve Oversight of
Its Information Technology Projects
Report No. 2005-P-00023
September 14, 2005

Report Contributors:	Eric Lewis
Rudolph M. Brevard
Michael Wall
Dwayne Crawford
Rae Donaldson
Neven Morcos
Abbreviations:
CAMDBS	Clean Air Markets Division Business System
EPA	Environmental Protection Agency
FinRS	Financial Replacement System
IGMS	Integrated Grants Management System
IRM	Information Resources Management
OEI	Office of Environmental Information
OIG	Office of Inspector General
OMB	Office of Management and Budget

U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
2005-P-00023
September 14, 2005
Catalyst for Improving the Environment
Why We Did This Review
We sought to determine
whether the processes used by
Environmental Protection
Agency (EPA) managers to
oversee the development of
information technology
projects helped produce
intended results. We also
sought to determine how well
Agency management
monitored these projects.
Background
To help ensure EPA manages
its information systems in a
cost-effective manner, life
cycle development guidance
requires management
involvement at key decision
points. These decisions must
be documented by EPA
management in the system
decision documents before the
system may advance from one
phase of development to the
next.
For further information,
contact our Office of
Congressional and Public
Liaison at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.gov/oig/reports/2005/
20050914-2005-P-00023.pdf
EPA Needs to Improve Oversight of Its
Information Technology Projects
What We Found
EPA's Office of Environmental Information (OEI) did not sufficiently oversee
information technology projects to ensure they met planned budgets and
schedules. The increased cost and schedule delays for the projects we reviewed
may have been averted or lessened with adequate oversight. PeoplePlus cost at
least $3.7 million more than originally budgeted and took 1 year longer than
planned to deploy. Modifications to the development of the Clean Air Markets Division
Business System have already increased costs by about $2.8 million and extended the
target completion date by 2 years.
Following implementation of the Clinger-Cohen Act, the Agency did not revise
procedures under Chapter 17 of the Information Resources Management (IRM)
Policy Manual to have the Chief Information Officer evaluate information
technology program performance. Nor did EPA's Interim Policy assign the Chief
Information Officer responsibility for evaluating the performance of the Agency's
information technology program. In addition, requirements under the Agency's
Capital Planning and Investment Control Process, governed by OEI, did not ensure
that necessary project documentation was prepared.
Consequently, OEI did not know that System Sponsors did not require System
Managers to completely document risks associated with system development.
The lack of project documentation prevents the appropriate level of oversight for
the different phases of development, and results in decision makers not having the
information needed to make fully informed decisions regarding project risks.
What We Recommend
We recommend that OEI revise its Interim Policy to include the Chief Information
Officer having responsibility for conducting independent reviews of Agency
information technology projects. We also recommend that OEI revise procedures
under the Interim Policy to define requirements of specific life cycle
documentation and address risk elements. Further, OEI should ensure formal
procedures are followed to make certain that System Managers prepare required
system life cycle documentation, and that System Owners review and approve that
documentation before projects advance between life cycle phases. During our
review, OEI officials acknowledged their oversight of information technology
projects could be strengthened, and said they would initiate corrective action.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
September 14, 2005
MEMORANDUM
SUBJECT:
EPA Needs to Improve Oversight of Its Information Technology Projects
Report No. 2005-P-00023
FROM:
Rudolph M. Brevard /s/
Acting Director, Business System Audits
TO:
Kimberly T. Nelson
Assistant Administrator for Environmental Information
and Chief Information Officer
This is our final report on the audit of oversight of information technology projects conducted by
the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).
This audit report contains findings that describe problems the OIG has identified and corrective
actions the OIG recommends. This report presents the opinion of the OIG, and the findings in
this report do not necessarily represent the final EPA position. EPA managers, in accordance
with established EPA audit resolution procedures, will make final determinations on matters in
this report.
Action Required
In accordance with EPA Manual 2750, you are required to provide a written response to this
report within 90 calendar days of the date of this report. You should include a corrective action
plan for agreed upon actions, including milestone dates. We have no objections to further
release of this report to the public. For your convenience, this report will be available at
http://www.epa.gov/oig.
If you or your staff have any questions regarding this report, please contact me at (202) 566-0893
or Dwayne E. Crawford, project manager, at (202) 566-2894.

Table of Contents
At a Glance
Chapters
1	Introduction
	Purpose
	Background
	Scope and Methodology
	Results in Brief
2	OEI Needs to Improve Oversight of Information Technology Project Development
	Oversight of Information Technology Projects Is Required
	Various Factors Caused Cost Increases and Delays
	Lack of Documentation Hindered Appropriate Oversight
	Recommendations
	Agency Comments and OIG Evaluation
Appendices
A	Agency Response to Draft Report
B	Distribution

Chapter 1
Introduction
Purpose
We evaluated the processes used by Environmental Protection Agency (EPA)
managers to oversee the development of information technology projects.
Specifically, we sought to determine whether these processes helped produce
intended results. We also sought to determine how well Agency management
monitored these projects.
Background
Information technology investments can significantly affect an organization's
performance, so EPA needs to manage these investments in a cost-effective
manner. The Clinger-Cohen Act of 1996 (Public Law 104-106) and
Office of Management and Budget (OMB) Circular A-130 both require agency
chief information officers to oversee information technology investments.
At EPA, the initial Agency guidance governing the projects in our review was
Chapter 17 of the Information Resources Management (IRM) Policy, September
1994, which identified the life cycle requirements to develop information system
projects. One requirement was for System Managers to prepare decision papers
that updated the status of system development, provided assessments of projected
versus actual project costs, and described work to be accomplished as projects
advanced from one phase to the next. Another requirement was for System
Sponsors to approve or disapprove decision papers, and conduct periodic life
cycle management reviews to evaluate costs and efficiency of operations.
In December 2003, OEI replaced Chapter 17 with its Interim Policy. This
document continued the role and responsibilities previously established for
information technology projects' System Managers. However, it added the role
of a System Owner to approve decision papers as projects advanced from one
phase to the next.
To inform decision makers of the risks associated with project development,
procedures under the Interim Policy also continued the previous requirement to
prepare documentation at various life cycle phases, as follows:
Life cycle phases, in order: Initiation; Concept Definition; Requirements
Definition; Design; Construction; Testing; Implementation; Operations &
Maintenance; Termination.
Documentation required across these phases: Initiation Decision Paper; System
Management Plan; Security Risk Assessment; Cost-Benefit Analysis; Requirements
Decision Paper; System Test Plan; Security Plan; Development Decision Paper;
User/System Documentation; System Implementation Plan; Technical Vulnerability
Assessment; Security Test & Evaluation (ST&E) Report; Certifier's Statement;
Implementation Decision Paper; Security Controls Review; Retirement Decision
Paper.
In accordance with the Clinger-Cohen Act, EPA implemented a Capital Planning
and Investment Control Process in 1997 to maximize the value and assess and
manage the risks of information technology acquisitions. Each year since that
time, EPA has continually improved the Capital Planning and Investment Control
Process to make it more structured and strategic. Specific process improvements
included:
•	Creating a senior management information technology investment review
board to oversee and select information technology projects;
•	Defining selection criteria, and using peer review to analyze each
information technology investment; and
•	Automating the process to facilitate proposal preparation and allow
continuous monitoring of information technology investments.
Furthermore, the Agency's Capital Planning and Investment Control Process has
evolved to include a rigorous Earned Value Management program to which all
major information technology investments must adhere. Earned value
management is the Agency's mechanism to review cost, schedule, and
performance for major information technology investments in development. The
Earned Value Management program, administered by OEI, requires that project
managers track project cost, schedule, and performance, and report the results to
the senior management review board on a quarterly basis. OEI officials stated
earned value management results are used by the Chief Information Officer to
report to the EPA Administrator annually on the status of information technology
projects.
Scope and Methodology
From May 2004 through April 2005, we conducted our field work at EPA
Headquarters in Washington, DC. We reviewed management internal controls for
the review and oversight of information technology project development. We
requested and reviewed system life cycle documentation in accordance with
Federal and Agency criteria, and interviewed Agency personnel involved with the
system life cycle development of the projects selected for review. We conducted
this audit in accordance with Government Auditing Standards, issued by the
Comptroller General of the United States.
Our review focused on information technology development and adherence to life
cycle policies and procedures. To identify systems in development, we reviewed
the 26 fiscal year 2005 Capital Planning and Investment Control business cases
EPA submitted to OMB. We initially selected for review three business cases,
representing $36.55 million, or 27 percent, of the $134.79 million system
development funding requests for fiscal year 2005 and beyond:
System Owner                                         System
Office of Chief Financial Officer                    Financial Replacement System (FinRS)
Office of Air and Radiation                          Clean Air Markets Division Business System (CAMDBS)
Office of Administration and Resources Management    Integrated Grants Management System (IGMS)
FinRS' and CAMDBS' business cases reported scheduling variances to OMB in
September 2003, which indicated potential problems with system development.
The IGMS business case did not contain any variances at the time of reporting.
At EPA's request, we replaced IGMS with OEI's Environmental Information
Integration and Portal Development system, but after determining that system was
still in the initiation rather than design phase, we decided to concentrate on FinRS
and CAMDBS.
We reviewed the PeoplePlus component of the FinRS project because schedule
delays and cost overruns had occurred during its development. PeoplePlus
combines EPA's payroll processing and human resources systems. PeoplePlus
supports the Office of Chief Financial Officer's payroll processing requirements
and the Office of Administration and Resources Management's human capital
management responsibilities.
For CAMDBS, the Office of Air and Radiation recognized in 1999 that
significant technological changes had occurred and believed it needed a new
system. As a result, the Office of Air and Radiation began replacing its Acid Rain
Data System with CAMDBS, which integrates all the functions and data that
support the emission trading programs.
Results in Brief
OEI did not sufficiently oversee information technology projects to ensure they
met planned budgets and schedules. The increased cost and schedule delays for
the projects we reviewed may have been averted or lessened with adequate
oversight. PeoplePlus cost at least $3.7 million more than originally budgeted and
took 1 year longer than planned to deploy. Modifications to CAMDBS
development have already increased costs by about $2.8 million and extended the
target completion date by 2 years. Following implementation of the Clinger-
Cohen Act, the Agency did not revise procedures under Chapter 17 of the IRM
Policy to have the Chief Information Officer evaluate information technology
program performance. Nor did EPA's Interim Policy assign the Chief Information
Officer responsibility for evaluating the performance of the Agency's information
technology program. In addition, processes under the Agency's Capital Planning
and Investment Control Process,
governed by OEI, did not ensure that System Managers prepared and submitted
for review necessary project documentation.
We recommend that OEI revise procedures under its Interim Policy to include the
Chief Information Officer having responsibility for conducting independent
reviews of projects, and to better define requirements of specific life cycle
documentation to address risk elements. OEI should also ensure that established
procedures are followed under the Interim Policy to make certain that System
Managers provide required system life cycle documentation, and that System
Owners review and approve that documentation before projects advance.
OEI agreed with the goals sought in the draft audit report, and substantially
agreed with the recommendations. OEI requested that the final report include a
more complete picture of the work they have done to manage the Capital Planning
and Investment Control and Earned Value Management governance processes.
As appropriate, we revised the final report in response to OEI's request. Our
evaluation of OEI's response to the draft report is in Chapter 2. We included
OEI's complete response as Appendix A.
Chapter 2
OEI Needs to Improve Oversight of
Information Technology Project Development
OEI did not sufficiently oversee information technology projects to ensure they
met planned budgets and schedules. The increased costs and schedule delays for
the following projects we reviewed may have been averted or lessened with
adequate oversight:
•	PeoplePlus: This cost at least $3.7 million more than originally budgeted and
took 1 year longer than planned to deploy.
•	CAMDBS: Modifications to system development have already increased
costs by about $2.8 million and extended the target completion date by 2 years.
Following implementation of the Clinger-Cohen Act, the Agency did not revise
procedures under Chapter 17 of the IRM Policy to have the Chief Information
Officer evaluate information technology program performance. Nor did OEI's
Interim Policy assign the Chief Information Officer responsibility for evaluating
the performance of the Agency's information technology program. In addition,
requirements under the Agency's Capital
Planning and Investment Control Process, governed by OEI, did not effectively
ensure that System Managers prepared and submitted for review necessary life
cycle documentation. Consequently, OEI did not know that System Sponsors did
not ensure PeoplePlus and CAMDBS System Managers completely documented
risks associated with system development. The lack of project documentation
also prevented the appropriate level of oversight for the different phases of
development, and resulted in decision makers not having the information needed
to make fully informed decisions regarding project risks.
Oversight of Information Technology Projects Is Required
The Clinger-Cohen Act of 1996 (Public Law 104-106) and OMB Circular A-130
require the Chief Information Officer to evaluate information technology
investments and advise on whether to continue, modify, or terminate projects.
Chapter 17 of the IRM Policy, September 1994, identified the Agency's initial life
cycle requirements needed to develop information systems projects. The manual
required a System Management Plan that contains decision papers showing that
each stage of the project's development was approved ahead of time. Chapter 17
also established certain management roles and responsibilities:
•	The System Sponsors were tasked with approving or disapproving decision
papers, and conducting periodic life cycle management reviews to evaluate
costs and efficiency of operations.
•	The System Managers were to manage the system's life cycle process, prepare
the System Management Plan and other decision papers, and obtain review
and approval of all decision papers.
However, following implementation of the Clinger-Cohen Act, the Agency did
not revise procedures under Chapter 17 of the IRM Policy to have the Chief
Information Officer evaluate information technology program performance.
Furthermore, OEI's Interim Policy did not assign the Chief Information Officer
responsibility for evaluating the performance of the Agency's information
technology program. In discussions with OEI regarding
project management oversight, officials stated they did not have the personnel to
review the progress of all Agency information technology projects. In response to
our draft report, OEI officials stated it is critical for the Chief Information Officer
to focus on the development of guidance (i.e., policies and procedures) so
program managers can make good decisions. Further, officials responded that the
cornerstone of the Agency's information technology project development and
review relies on the delegated responsibilities of senior program managers in
organizations that own information technology projects.
In accordance with the Clinger-Cohen Act, EPA did implement a Capital
Planning and Investment Control Process in 1997 to maximize the value and
assess and manage the risks of information technology acquisitions. According to
an OEI official, the Capital Planning and Investment Control Process has evolved
to include a rigorous Earned Value Management program to review cost,
schedule, and performance for major information technology investments in
development. However, the Agency's Capital Planning and Investment Control
Process, and subsequent Earned Value Management program, did not sufficiently
ensure that System Managers prepared and submitted for review required life
cycle documentation, such as decision papers and System Management Plans,
used to document the status of system development costs and schedules.
Various Factors Caused Cost Increases and Delays
According to the Software Engineering Institute,1 major changes to commercial
off-the-shelf software can increase costs and cause delays. This is what happened
to the PeoplePlus project. The System Managers made major changes to the
commercial off-the-shelf software to integrate the human resources component
with the payroll component. In addition, when faced with schedule delays, the
System Managers modified their test approach. Rather than continue with a pilot
1 The Software Engineering Institute provides guidance to the Federal Government on developing information
technology projects.
production of PeoplePlus prior to full Agency deployment, the System Manager
approved the change to a collaborative test effort. This effort included concurrent
system integration testing; independent verification and validation testing; and,
user acceptance testing. However, this increased risks because the collaborative
test effort eliminated the opportunity to see a live system in operation before
deployment.
Although EPA was originally scheduled to deploy PeoplePlus in October 2003,
significant technical failures delayed deployment until October 2004. According
to earned value management calculations, the Office of Chief Financial Officer
budgeted $13.4 million for development and deployment of PeoplePlus by
October 2003, but incurred additional costs of $3.7 million, bringing the total to
$17.1 million as of October 2004. In addition, the Office of Administration and
Resources Management spent $8 million on PeoplePlus, thus bringing the total
development cost to $25.1 million. (We could not determine the amount initially
budgeted by the Office of Administration and Resources Management.)
The Office of Air and Radiation, which began developing CAMDBS in 2001, had
estimated a total cost of $13.7 million and completion by 2006. However, System
Managers now estimate an additional $2.8 million will be needed, for a total of
$16.5 million. Further, because the project is far more complex than originally
envisioned, the Office of Air and Radiation now estimates project completion in
2008, a 2-year extension.
Lack of Documentation Hindered Appropriate Oversight
Life cycle documentation, such as decision papers, is important for two reasons.
First, it summarizes those aspects of the analysis and decisions of a given phase
that are important to program management. Second, it is used to request
approval to continue the project to the next phase. According to the OEI Interim
Policy, System Managers are to submit the decision papers to System Owners,
who are required to review the information and decide whether to advance the
project to the next life cycle phase. Further, EPA's Capital Planning and
Investment Control Process requires that System Managers ensure that necessary
life cycle management documentation, such as decision papers, is prepared and
submitted for review.
However, both PeoplePlus and CAMDBS advanced from phase to phase even
though the System Managers did not prepare all of the required documents. For
example, there was no decision paper prepared during the "Implementation
Phase" of life cycle development to document the inherent risks to changing
commercial off-the-shelf software, or to the risks involved in modifying the
PeoplePlus testing approach. The CAMDBS System Manager did not prepare
any required decision papers, including the System Management Plan decision
paper. The System Management Plan is the core document that provides the
overall framework for the management of the system development.
Office of Chief Financial Officer personnel said OEI's Interim Policy is vague
and open to interpretation on the content of life cycle documentation, in particular
decision papers. However, the personnel did not inform OEI of their concerns
regarding the content requirements of life cycle documentation. In the case of
CAMDBS, the System Manager was not aware of the documentation requirement.
The lack of project documentation prevents the appropriate level of oversight for
the different phases of development, and results in decision makers not having the
information needed to make fully informed decisions regarding project risks.
Further, OEI did not monitor the projects or verify the accuracy and completeness
of the life cycle documentation required under its Interim Policy.
During our review, OEI officials acknowledged their oversight of information
technology projects could be strengthened. OEI officials informed us that they
plan to align procedures under their Capital Planning and Investment Control
Process with those under their Interim Policy to effect corrective action in
response to our findings.
Recommendations
We recommend that the Assistant Administrator for Environmental Information:
2-1 Revise the Interim Policy to include the Chief Information Officer
having responsibility for conducting independent reviews of Agency
information technology projects, to be in accordance with the Clinger-
Cohen Act and OMB Circular A-130.
2-2 Revise procedures under the Interim Policy to define requirements for
life cycle documentation, such as decision papers; and to address risk
elements, such as major changes to commercial off-the-shelf software
and the system test approach.
2-3 Ensure that System Managers follow established procedures and
provide required system life cycle documentation to appropriate levels
of management regarding risks associated with information technology
projects at each phase, and that System Owners follow established
procedures to review and approve that documentation before projects
advance from one life cycle phase to the next.
Agency Comments and OIG Evaluation
OEI concurred with our recommendations, and agreed that additional tools for
oversight are needed, that managers must take responsibility, and that the Chief
Information Officer should set forth the policy and framework. OEI requested
that the report be revised to include a more complete picture of the work that has
been done to manage the Capital Planning and Investment Control and Earned
Value Management governance processes. We revised our report in response to
OEI's request.
OEI officials indicated that Interim Policy procedures were previously established
for required documentation during various system life cycle management phases,
and management review of such documentation. Our report acknowledges these
requirements, points out that program offices were not meeting these
requirements, and notes that OEI was not aware that these requirements were not
being followed. For these reasons, we believe the Chief Information Officer
should have an increased role in evaluating the status of Agency information
technology projects and should conduct independent reviews of information
technology projects.
In addition, OEI officials said they believe the OIG's review may have been based
on previous versions of the revised Interim Policy and that the current policy
should now reflect OIG comments and suggestions provided in February 2005.
However, our research and interviews with Agency officials indicate that OEI has
not formally approved or promulgated a new Interim Policy. As such, no new
Interim Policy supersedes the December 29, 2003, Interim Policy requirements
applicable during this review.
Appendix A
Agency Response to Draft Report
July 28, 2005
MEMORANDUM
SUBJECT: Response to June 15, 2005, Draft Office of Inspector General Audit Report: EPA
Needs to Improve Oversight of Its Information Technology Projects, Assignment
No. 2004-000857
FROM: Kimberly T. Nelson /s/
Assistant Administrator and Chief Information Officer
TO:	Nikki L. Tinsley
Inspector General
Thank you for the opportunity to respond to the June 15, 2005, Draft Office of Inspector
General Audit Report: EPA Needs to Improve Oversight of Its Information Technology
Projects, Assignment No. 2004-000857.
The Office of Environmental Information agrees with the goals sought in the draft audit
report, and we substantially agree with the recommendations. We agree additional tools for
oversight are needed, that managers must take responsibility, and that the Chief Information
Officer will set the policy framework. We would appreciate the report being revised to include a
more complete picture of the work that we have done to manage the Capital Planning and
Investment Control and Earned Value Management governance processes.
I have attached a detailed response to the three recommendations raised in the report. If
you have any questions regarding this response, please contact me at (202) 564-6665, or if your
staff have questions please contact Odelia Funke, Acting Director of the Mission Investment
Solutions Division, at (202) 566-0667.
Attachment
cc: Rudolph Brevard, OIG
Office of Environmental Information Response to
June 15, 2005, Draft Office of Inspector General Audit Report:
"EPA Needs to Improve Oversight of Its Information Technology Projects"
Office of Inspector General Recommendation: 2-1. Revise the Interim Policy to include the
Chief Information Officer having responsibility for conducting independent reviews of Agency
information technology projects, in accordance with the Clinger-Cohen Act and OMB Circular
A-130.
Office of Environmental Information Response:
The Office of Environmental Information (OEI) endorses the value of having independent
reviews as a tool for project oversight. The cornerstone of Agency information technology (IT)
project development and review will continue to be grounded on the delegated responsibilities of
senior program managers in the organizations that own IT projects. It is critical for the Chief
Information Officer (CIO) to focus on guidance so program managers can make good decisions.
In keeping with the CIO's IT leadership in management of the Capital Planning and Investment
Control (CPIC) process, OEI will ensure reviews are conducted with appropriate independence
but without substantial cost increase. OEI will add the following review elements to its CPIC
governance system:
•	formal delegation of this responsibility through the System Life Cycle Management
Policy
•	an additional question in the Capital Planning and Investment Control process asking
for certification of the completeness of an IT project's System Life Cycle (SLC)
documentation and required approvals
•	increased emphasis on the importance of reviewing solutions architecture documents.
To address the need for detailed project reviews to help senior managers in program offices, the
CIO will insist that Independent Verification and Validation be conducted as appropriate,
establishing the conditions for independent reviews, and the depth and scope needed. We will
develop a corrective action plan to carry out CIO authority to compel and ensure good reviews.
Office of Inspector General Recommendation: 2-2. Revise the Interim Policy to define
requirements for life cycle documentation, such as decision papers; and to address risk elements
such as major changes to commercial off-the-shelf software and system test approach.
Office of Environmental Information Response:
We agree on the need for life cycle documentation, and that addressing risk elements is a key
component. Our policy framework takes a tiered approach, differentiating between "Policy" and
"Procedures." The Office of the Inspector General's (OIG) review of the Interim Policy must
have been based upon previous versions of the revised SLC Management Policy. The SLC
Management Policy now reflects OIG comments and suggestions received in February of this
year. It will require that documentation be produced, and the SLC Management Procedure will
elaborate on what that documentation is, and what information is required in specific documents.
The Interim Policy requires documentation during System Life Cycle Management Phases,
including security planning, risk assessments and decision papers. Additionally, the Interim
Policy requires documentation based on requirements of IT Investment Management, including
Enterprise Architecture (EA) and Capital Planning and Investment Control (CPIC). This
documentation was further described in approved Federal and Agency documents that supported
the Interim Policy, including the Interim Procedure. The "Policy" states the high level goals of
the Agency, while the "Procedure" explains how to meet the goals established in the "Policy."
The "Procedure" supports the "Policy," and requirements are mandated. The Interim Procedure
lists and describes in more detail the documentation requirements during management of the
System Life Cycle.
The Interim Policy also requires documented management review and approval. This includes
the review and approval of a system's decision documents prior to the system advancing from
one phase to another, prior to the incremental expenditure of resources, and prior to being
deployed.
The Interim Procedure also requires System Managers to submit "Decision Papers" to
management for review and approval in order to advance the system from one SLC phase to the
next. These documents are part of the System Management Plan (SMP), one of the major
documents required for SLC Management. Specifically, the Interim Procedure describes the
"Decision Papers" as:
A decision document presented to management. It summarizes those aspects of the
analysis and decisions of a given phase or sub phase that are important to program
management and requests approval to continue the project. The EPA life-cycle model
provides for decision papers to be prepared at the beginning of the Definition,
Development or Acquisition, Implementation, and Termination Phases and at the end of
the Requirements Definition Sub phase. The level of detail for decision papers should be
appropriate to the category of the system. All decision papers are included in the SMP as
attachments. (Interim Procedure, pg. 13)
Other examples defining the requirements of system documents can be found in the "Definition"
section of the Interim Procedure. Definitional requirements can also be found in other standards
adopted by the Agency, specifically National Institute of Standards and Technology (NIST) 800-64,
"Security Considerations in the Information System Development Life Cycle."
Finally, it should be noted that the Interim Policy is being revised and will continue to require
documentation, as well as management review and approval, throughout System Life Cycle
management. Additionally, the Interim Procedure is also being revised and will expand the
definitional requirements of documentation in the System Life Cycle. They will include the
requirements of the SLC Management Policy, as well as Enterprise Architecture, CPIC, and
Security. The revised SLC Management Procedure will also provide templates for these
documents, as tools for system developers.
Office of Inspector General Recommendation: 2-3. Establish formal procedures to make
certain that System Managers provide required system life cycle documentation to appropriate
levels of management regarding risks associated with information technology projects at each
phase, and that System Owners review and approve that documentation before projects advance
from one life cycle phase to the next.
Office of Environmental Information Response:
As noted above, the Interim Procedure requires management review and approval during each
phase of the System Life Cycle through "Decision Papers" found in the SMP. Additionally, the
Interim Policy requires "Authorization to Process" during the Implementation Phase. The
"Authorization to Process" is defined by the Interim Procedure as:
A management control, consisting of a document signed by the management official
responsible for a general support system or major application. (This management official
is sometimes referred to as the "Designated Approving Authority.") It authorizes an
information system to operate, prior to beginning processing or use of the system.
Authorization is equivalent to the term "accreditation." For a system, the authorization is
based on implementing the system security plan. For an application, the authorization is
based on confirming that the security plan(s) implemented for the systems on which the
application operates, adequately secure the application. Results of the most recent tests
and/or assessments are factored into management authorizations. Management
authorization implies accepting the risk of each system used by the application (derived
from Appendix III, Office of Management and Budget (OMB) Cir. A-130). (Interim
Procedure, pg. 11)
Additionally, "Re-authorization to Process" is required during the Operations and Maintenance
Phase. Formal procedures ensuring documentation is submitted to management were in place
starting when the Interim Procedure was approved (12/29/03, extended on 4/29/05).
Also, as is stated in the Interim Procedure, documentation of risks is required in the "Security
Plan," which is updated based on "Security Risk Assessments." Risk assessments are required
not only as part of System Life Cycle, but also in the Agency Network Security Policy and its
supporting Procedures and guidance.
In summary, the Interim Procedure already addresses OIG's concerns. It requires the needed
documentation, as well as management review and approval. As OEI revises the Interim
Procedure we will continue to support and strengthen this requirement.
Appendix B
Distribution
Office of the Administrator
Assistant Administrator for Environmental Information
Assistant Administrator for Administration and Resources Management
Assistant Administrator for Air and Radiation
Agency Followup Official (the CFO)
Agency Followup Coordinator
Director, Office of Technology Operations and Planning
Director, Systems Planning and Integration Staff
Acting Director, Mission Investment Solutions Division
Audit Coordinator, Office of Environmental Information
Audit Coordinator, Office of Administration and Resources Management
Audit Coordinator, Office of Air and Radiation
Audit Coordinator, Office of Chief Financial Officer
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General