^tDS7^
Vp«oitc
-------
Abbreviations
CFR
Code of Federal Regulations
CIO
Chief Information Officer
EPA
U.S. Environmental Protection Agency
FTE
Full-Time Equivalent
FY
Fiscal Year
GAO
U.S. Government Accountability Office
IT
Information Technology
OIG
Office of Inspector General
OMB
Office of Management and Budget
PII
Personally Identifiable Information
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions

-------
^EDSX
* A \
1®|
VPR0^°
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
19-N-0235
July 15, 2019
What Are Management
Challenges?
According to the Government
Performance and Results Act
Modernization Act of 2010,
major management challenges
are programs or management
functions, within or across
agencies, that have greater
vulnerability to waste, fraud,
abuse and mismanagement,
where a failure to perform well
could seriously affect the ability
of an agency or the federal
government to achieve its
mission or goals.
As required by the Reports
Consolidation Act of 2000,
we are providing issues we
consider to be the
U.S. Environmental Protection
Agency's (EPA's) major
management challenges for
fiscal year 2019.
EPA's Fiscal Year 2019 Management Challenges
What We Found
Attention to agency management challenges could result in program
improvements and protection for the public, and increased confidence in
management integrity and accountability.
The EPA Needs to Improve Oversight of States, Territories and Tribes
Authorized to Accomplish Environmental Goals:
•	The EPA has made important progress, but our work continues to identify
challenges throughout agency programs and regions, and many of our
recommendations are still not fully implemented.
The EPA Needs to Improve Workload Analysis to Accomplish Its Mission
Efficiently and Effectively:
•	The EPA needs to identify its workload needs so that it can more effectively
prioritize and allocate limited resources to accomplish its work.
The EPA Needs to Enhance Information Security to Combat Cyber Threats:
•	Though the EPA continues to initiate actions to further strengthen or improve
its information security program, issues remain.
The EPA Needs to Improve on Fulfilling Mandated Reporting Requirements:
•	The agency faces challenges in tracking and submitting reports mandated by
law that contain key program information for Congress, the EPA
Administrator and the public.
The EPA Needs Improved Data Quality and Should Fill Identified Data Gaps for
Program Performance and Decision-Making:
•	Poor data quality negatively impacts the EPA's effectiveness in overseeing
programs that directly impact human health.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBPOSTINGS@epa.gov.
List of OIG reports.
The EPA Needs to Improve Risk Communication to Provide Individuals and
Communities with Sufficient Information to Make Informed Decisions to Protect
Their Health and the Environment:
• In 2018, the EPA Administrator identified Risk Communication as a top
priority. Our recent reports indicate risk communication challenges across
many EPA programs.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF
INSPECTOR GENERAL
July 15,2019
MEMORANDUM
SUBJECT: EPA's Fiscal Year 2019 Management Challenges
Report No. 19-N-0235
FROM: Charles J. Sheehan, Deputy Inspector General
TO:	Andrew Wheeler, Administrator
We are providing you with a list of the areas that the Office of Inspector General (OIG) considers major
management challenges confronting the U.S. Environmental Protection Agency (EPA). The project
number for this report was OA&E-FY19-0071. According to the Government Performance and Results
Act Modernization Act of 2010, major challenges are programs or management functions, within or
across agencies, that have greater vulnerability to waste, fraud, abuse and mismanagement, where a
failure to perform well could seriously affect the ability of an agency or the federal government to
achieve its mission or goals.
The Inspector General Act of 1978, as amended, directs Inspectors General to provide leadership to
agencies through audits, evaluations and investigations, as well as additional analysis of agency
operations. The enclosed management challenges reflect findings and themes resulting from many such
efforts. Drawing high-level agency attention to these key issues is an essential component of the OIG's
mission.
The Reports Consolidation Act of 2000 requires our office to annually report what we consider the most
serious management and performance challenges facing the agency. Additional challenges may exist in
areas that we have not yet reviewed, and other significant findings could result from additional work.
The attachment summarizes what we consider to be the most serious management and performance
challenges facing the agency and assesses the agency's progress in addressing those challenges.
Challenges
Page
The EPA Needs to Improve Oversight of States, Territories and Tribes Authorized to Accomplish
Environmental Goals
1
The EPA Needs to Improve Workload Analysis to Accomplish Its Mission Efficiently and
Effectively
8
The EPA Needs to Enhance Information Security to Combat Cyber Threats
11
The EPA Needs to Improve on Fulfilling Mandated Reporting Requirements
17
The EPA Needs Improved Data Quality and Should Fill Identified Data Gaps for Program
Performance and Decision-Making
20
The EPA Needs to Improve Risk Communication to Provide Individuals and Communities with
Sufficient Information to Make Informed Decisions to Protect Their Health and the Environment
25
^ŁDSX
_ \
I® i


-------
Similar to how the U.S. Government Accountability Office reports its High-Risk List, each year we
assess the agency's efforts against the following five criteria required to justify removal of management
challenges from the prior year's list:
1.	Demonstrated top leadership commitment.
2.	Agency capacity - people and resources to reduce risks, and processes for reporting and
accountability.
3.	Corrective actions - analysis identifying root causes, targeted plans to address root causes, and
solutions.
4.	Monitoring efforts - established performance measures and data collection/analysis.
5.	Demonstrated progress - evidence of implemented corrective actions and appropriate
adjustments.
The U.S. Government Accountability Office's 2019 High-Risk Series report describes these five criteria
as a road map for efforts to improve and ultimately address high-risk issues. Addressing some of the
criteria leads to progress, while satisfying all the criteria is central to removal from the list.
This year we retained all five management challenges from last year's report due to persistent issues.
We added one additional challenge ("The EPA Needs to Improve Risk Communication to Provide
Individuals and Communities with Sufficient Information to Make Informed Decisions to Protect Their
Health and the Environment").
We will post this report to our website at www.epa.gov/oig. We welcome the opportunity to discuss our
list of challenges and any comments your staff might have.
Attachment

-------
CHALLENGE: The EPA Needs to Improve
Oversight of States, Territories and Tribes
Authorized to Accomplish Environmental Goals
CHALLENGE FOR THE AGENCY
Over the past 10 years, both the U.S. Environmental	|av|
Protection Agency (EPA) Office of Inspector General (OIG)	'* .
and the U.S. Government Accountability Office (GAO)
consistently have found that the EPA needs to improve its oversight of states, territories and tribes that
have authority (or "delegated authority") to implement environmental programs and enforce
environmental laws. The agency has improved its oversight and addressed deficiencies. However,
recent audits indicate oversight remains a significant management challenge.
BACKGROUND
To accomplish its mission, the EPA develops regulations and establishes programs to implement
environmental laws. In many cases, the EPA can delegate to states, territories and tribes or otherwise
formally authorize them to implement the laws. Delegation or authorization occurs after the EPA
determines that the governmental entity has the legal authority and capacity to operate an
environmental protection and enforcement program consistent with federal standards. The EPA relies
on states, territories and tribes with delegated and authorized programs to collect environmental data
and implement compliance and enforcement programs. The EPA authorizes or delegates many, but not
all, portions of environmental laws to states, tribes and territories. According to the Environmental
Council of States, states have assumed more than 96 percent of the delegable authorities under
federal law. The table below provides examples of environmental programs delegated or authorized by
the EPA.
Examples of delegated or authorized environmental programs

States with
Territories
Tribes with

delegated
with
delegated

or
delegated or
or
Federal law and federal programs
authorized
authorized
authorized
delegated or authorized by the EPAa
programs
programsb
programs
Clean Air Act: Title V0
50
2
2
Clean Water Act: National Pollutant Discharge Elimination System d
46
1
0
Resource Conservation and Recovery Act: Hazardous Waste Program e
48
1
0
Safe Drinking Water Act: Public Water Supply Supervision Program
49
5
1
Source: OIG analysis.
a.	The District of Columbia implements Title V, National Pollutant Discharge Elimination System, and Hazardous Waste programs,
b.	Johnston Atoll and Midway Islands are not included.
c.	In some states, such as California, local agencies issue Title V permits.
d.	This includes partially and fully authorized National Pollutant Discharge Elimination System programs.
e.	This includes partially and fully authorized Hazardous Waste Programs.
19-N-0235
1

-------
The EPA retains the oversight responsibility to provide reasonable assurance that the delegated and
authorized programs protect human health and the environment. The EPA must monitor delegated
and authorized programs to determine whether they continue to meet federal standards and to verify
that federal funds help achieve the intended environmental protection goals. The EPA also retains its
own authority to enforce environmental laws. EPA headquarters and regional staff perform a variety of
formal and informal oversight activities; however, those activities are not always consistently
implemented, leading to disparities in the effectiveness of delegated and authorized programs and
results from those programs.
THE AGENCY'S PROGRESS
We first reported this management challenge in fiscal year (FY) 2008. Since then, the EPA has reviewed
some of the inconsistencies in its oversight of state, territorial and tribal programs. The agency has also
used its enforcement authorities when states, territories or tribes did not use their authority (or
"delegated authority") to protect human health and the environment. The EPA continues to develop
and implement policies to improve consistency in its oversight of delegated and authorized programs.
Strategic Planning and Agency Emphasis on Oversight
The agency's 2018-2022 Strategic Plan, issued in February 2018, emphasizes oversight of delegated
and authorized programs as an area of focus. The plan provides examples of ways the EPA is working to
improve oversight of state, territorial and tribal environmental programs, including: (1) approving
state/tribal implementation plans, vehicle and engine emission certification applications, and
compliance actions in cases of noncompliance; (2) reiterating its oversight role as a co-regulator with
states, territories and tribes in delegated programs; and (3) working with states, territories and tribes
to ensure compliance with environmental laws and establish consistency and certainty for the
regulated community.
In addition to the oversight emphasis in the agency's Strategic Plan, Administrator Andrew Wheeler
issued an oversight memorandum, "Principles and Best Practices for Oversight of Federal
Environmental Programs Implemented by States and Tribes," on October 30, 2018. According to the
Administrator, the memorandum was published to "provide certainty by setting expectations for state,
tribal and federal roles and responsibilities and ensuring decisions are made in a timely fashion."
Agency Actions to Improve Oversight
In August 2016, the Deputy Administrator released a document, "Promoting Environmental Program
Health and Integrity: Principles and Best Practices for Oversight of State Permitting Programs," for the
EPA and states to use to enhance the efficiency and effectiveness of the oversight system. The EPA
developed the document to "deliver on a commitment in the EPA's cross-agency strategy to launch a
new era of state, tribal, local and international partnerships and to help respond to recommendations
for strengthening oversight from the EPA's Office of Inspector General." This strategy was the result of
efforts by the State Program Health and Integrity Workgroup, which includes the EPA's national
program offices for air, enforcement and water as well as states and media associations. The
19-N-0235
2

-------
workgroup gathers and analyzes information on oversight of state practices, identifies gaps and
develops solutions.
Under the Public Water Systems Supervision program, the EPA provides oversight of state delegated
programs by conducting drinking water program reviews and in-depth file reviews. According to the
agency's Office of Water 2018 Federal Managers' Financial Integrity Act assurance letter, EPA regions
began using a new template for Drinking Water Program Reviews to increase consistency among the
reviews and the annual report. In addition, the agency has increased the number of in-depth file reviews
over the past few years so that approximately eight to 10 in-depth file reviews are conducted annually.
Also, in collaboration with state revolving fund managers, the EPA developed three new financial
indicators to support oversight and management of fund growth. The Drinking Water and Clean Water
State Revolving Funds are federal-state partnerships that provide financial assistance to communities for
drinking water and wastewater infrastructure and related projects. The EPA uses financial information to
conduct annual reviews of state performance regarding these funds. The range of financial indicators will
better inform stakeholders on the financial sustainability of both the Drinking Water and Clean Water
State Revolving Funds. On April 26, 2018, the Office of Wastewater Management and Office of Ground
Water and Drinking Water issued a memorandum to the regional state revolving fund branch chiefs
regarding the new indicators.
The following reports issued within the last 5 years show the continued prevalence of the issue and the
actions the EPA has taken or plans to take.
Relevant Reports
OIG Reports
•	In February 2018 (18-P-0079), we found that the EPA could not ensure that its Federal
Insecticide, Fungicide, and Rodenticide Act cooperative agreement funding achieved agency
goals and reduced risks to human health and the environment from pesticide misuse. We
made recommendations to improve oversight. Corrective actions are pending.
•	In July 2018 (1S-P-0221), we concluded that the
circumstances and response to the city of Flint,
Michigan's drinking water contamination involved
implementation and oversight lapses at the EPA as
well as the state and the city levels. Specifically,
EPA Region 5 did not implement proper
management controls that could have facilitated
more informed and proactive decisions regarding
the city's and state's implementation of the Safe
Drinking Water Act Lead and Copper Rule.
Corrective actions are pending.
Lead service lines showing inner surface without
any coating from corrosion control treatment (left),
with coating (right), and fully corroded (middle).
(EPA photo)
19-N-0235
3

-------
•	Irs July 2018 (18-P-Q227), we found that states and the EPA have taken many years to
authorize hazardous waste rules—from less than 1 year to more than 31. No state had been
authorized by the EPA for all required rules. The EPA lacked internal controls to validate the
completeness and accuracy of state authorization information and did not collect sufficient
data to identify reasons for delays or lack of authorization of Resource Conservation and
Recovery Act rules. Further, the EPA had not defined authorization goals to track program
performance. Corrective actions are pending.
•	In September 201S (1S-P-Q27Q). we found that, over a period of years, the EPA had only
conducted 13 percent of Asbestos Hazard Emergency Response Act compliance inspections
at schools within its responsibility/jurisdiction. Only one EPA region had a strategy for its
Toxic Substances Control Act compliance monitoring efforts, as recommended by the Toxic
Substances Control Act Compliance Monitoring Strategy. We also found that only five EPA
regions had inspected for asbestos in schools when they received asbestos-related tips or
complaints. Corrective actions are pending.
•	In September 2018 (18-P-0271), we found that, due to North Carolina's inaction as the
delegated authority to conduct asbestos removal and site remediation for over 7 months,
the EPA used its Comprehensive Environmental Response, Compensation, and Liability Act
authority to perform the necessary and costly work. Based upon these findings, we
recommended that EPA Region 4 implement internal controls to verify the state's
enforcement of work practices at demolition
and renovation sites under Asbestos National
Emission Standards for Hazardous Air Pollutants
and work with the state to clarify authorities.
The agency completed all corrective actions.
•	In September 2018 (18-P-0283). we found that
the EPA should collect additional program
performance data to better assess the
effectiveness of states' enhanced inspection
and maintenance programs for reducing vehicle
emissions. Also, while the agency strengthened
its oversight of required annual reports from states about the performance of their vehicle
inspection and maintenance programs, it did not consistently communicate errors in reports
back to states. Corrective actions are pending.
•	In April 2017 (17-P-0174). we found that while most states and some tribes had fish advisories
in place this information was often confusing and complex, and did not effectively reach
appropriate segments of the population. Under the Clean Water Act, the EPA can take a
States implementing enhanced inspection
and maintenance oroarams
States
implementing
enhanced
and maintenance
Source: EPA OIG.
19-N-0235
4

-------
stronger leadership role in working with states and tribes to ensure that effective fish advisory
information reaches all such segments of the population. Corrective actions are pending.
•	In September 2017 (17-P-0402). we found that EPA Region 2 needed to improve its internal
processes for reviewing Puerto Rico's assistance agreements. The region may have
inefficiently used over $217,000 in taxpayer funds, may have needed additional support for
grant award decisions, and may not have had evidence that taxpayer funds had been
properly used under two cooperative agreements. Corrective actions are pending.
•	In March 2016 (16-P-0108). we reported that EPA efforts to bring small drinking water
systems into compliance through enforcement and compliance assistance resulted in some
improvement over time. However, across EPA Regions 2, 6 and 7, we found inconsistencies
in adherence to the EPA's Enforcement Response Policy. The agency completed all corrective
actions to improve noncompliance at drinking water systems and use of enforcement and
compliance assistance tools across the regions. The EPA completed all corrective actions.
•	In May 2016 (16-P-0166). we found that EPA Region 9 needed improved internal controls for
oversight of Guam's consolidated cooperative agreements. Without adequate internal
controls and oversight, more than $67 million in consolidated cooperative agreement funds
may not have been administered efficiently and effectively. The agency completed all
corrective actions to address the report recommendations, including the recovery of
unallowable costs and expansion of internal controls with enhanced reviews and data
reporting.
•	In June 2016 (16-P-0217). we found that the EPA incurred total obligations and expenditures
in excess of the authorized cost ceiling for 51 of 504 active and closed contracts; did not
perform timely, complete and accurate financial closings for 20 such contracts to ensure that
both the EPA and the state had satisfied their respective cost share requirements; and did
not have all the up-to-date information needed for an accurate Superfund state contract
accrual calculation. The agency completed corrective actions to address the
recommendations.
•	In October 2016 (17-P-0004). we found that EPA Region 5 had the authority and sufficient
information to issue a Safe Drinking Water Act Section 1431 emergency order to protect
residents in Flint, Michigan, from lead-contaminated water as early as June 2015. The agency
completed all corrective actions by updating its Final Guidance on Emergency Authority
under Section 1431 of the Safe Drinking Water Act, and by training all relevant drinking
water and water enforcement program management and staff on Section 1431 and the
updated guidance. The EPA completed all corrective actions.
19-N-0235
5

-------
•	In February 2015 (15-P-0099). we found that Region 8 was not conducting inspections at
establishments in North Dakota that produced pesticides, or was not conducting inspections
of pesticides imported into the state. Further, North Dakota did not have a state inspector
with qualifications equivalent to a federal inspector to conduct inspections on the EPA's
behalf. The EPA initiated inspections, developed a multi-year plan for future inspections,
compiled a list of the inspections conducted annually for Region 8's North Dakota end-of-
year report, and reviewed the end-of year report to confirm that inspections had been
initiated. The EPA completed all corrective actions.
•	In April 2015 (15-P-0137). we found that the U.S. Virgin Islands (part of EPA Region 2) did not
meet program requirements for numerous activities related to implementing Clean Air Act,
Clean Water Act, Safe Drinking Water Act and Underground Storage Tank/Leaking
Underground Storage Tank programs. Some corrective actions are pending.
•	In September 2015 (15-P-0298). we recommended that EPA Region 9 withhold $8,787,000
for the Hawaii Drinking Water State Revolving Fund capitalization grant until the region was
satisfied with progress on implementing the corrective action plan. After being briefed on
our report, EPA Region 9 initiated an enforcement action against the Hawaii Department of
Health for not meeting its loan commitment and disbursement targets advising the state
that it would withhold an FY 2015 Drinking Water State Revolving Fund capitalization grant
and possibly further awards. The EPA completed the corrective action.
GAO Reports
•	In September 2018 (GAO 18-620). the GAO reported that few of the largest water systems
had publicized inventories of lead services lines. Approximately 43 states informed the EPA
that they intend to fulfill the agency's request to work with water systems to publicize
inventories of lead service lines. However, 39 states reported challenges in doing so. The
GAO's review found that, as of January 2018, 12 of the 100 largest water systems had
publicized information on the inventory of lead service lines. The agency had not followed
up with all states since 2016 to share information about how to address these challenges.
The EPA told the GAO it was focused on state compliance with drinking water rules, and not
following up with information on how states could address challenges. To encourage states
to be more transparent to the public and support the agency's oversight of the Lead and
Copper Rule and objectives for safe drinking water, the GAO recommended that the EPA
share information on successful approaches states and water systems had used to identify
and publicize locations of lead service lines with all states.
•	In September 2017 (GAO-17-424). the GAO reported that the EPA does not have nationwide
information about lead infrastructure because the Lead and Copper Rule does not require
states to provide the EPA with information on the whereabouts of lead pipe lines. The GAO
recommended that the EPA require states to report information about lead pipes as well as
19-N-0235
6

-------
all 90th percentile sample results for small water systems. The GAO further recommended
that states develop a statistical analysis to identify water systems that might pose a greater
likelihood for Lead and Copper Rule violations.
•	In February 2016 (GAO-16-281). the GAO reported that the EPA had not collected necessary
information or conducted oversight activities to determine whether state and EPA-managed
Underground Injection Control class II programs were protecting underground sources of
drinking water. GAO recommendations included that the EPA require programs to report
well-specific inspections data, clarify guidance on enforcement data reporting, and analyze
the resources needed to oversee programs.
•	In August 2015 (GAO-15-567). the GAO reported that financial indicators collected by the
EPA as part of its oversight responsibilities did not show states' abilities to sustain their Clean
Water and Drinking Water State Revolving Funds. The GAO recommended that the EPA
update its financial indicator guidance to include measures for identifying the growth of the
states' funds. The GAO also recommended that, during the reviews, the EPA develop
projections of state programs by predicting the future lending capacity.
WHAT REMAINS TO BE DONE
The EPA strategic plan and the Administrators memorandum acknowledges state oversight is an issue
and provide some guidance. However, EPA leadership needs to demonstrate an organizational
commitment to correcting problems with the agency's oversight of key state, territorial and tribal
programs by aligning the proper people, resources and processes, and developing a framework for
addressing oversight issues. The agency also needs to develop a system for monitoring state, tribal and
territorial oversight effectiveness so that it can consistently work toward demonstrating its progress in
correcting this management challenge across all program offices.
19-N-0235
7

-------
CHALLENGE: The EPA Needs to Improve Workload Analysis
to Accomplish Its Mission Efficiently and Effectively
CHALLENGE FOR THE AGENCY
The EPA has not addressed the workforce planning requirements of 5 CFR Part 250, Subpart B, Strategic
Human Capital Management, April 11, 2017. In the rule, workforce analysis is a component of workforce
planning. The EPA's ability to assess its workload—and subsequently estimate workforce levels
necessary to carry out that workload —is critically important to mission accomplishment. Prior to the
rule, the EPA OIG and GAO had reported that the EPA had not incorporated workload analysis into its
resource allocations. Specifically, the EPA had not fully implemented controls and a methodology to
determine workforce levels based upon analysis of the agency's workload. Due to the broad implications
for accomplishing the EPA's mission, we have included this management challenge since 2012.
BACKGROUND
The purpose of the Strategic Human Capital Management rule is to better align human capital activities
with an agency's mission and strategic goals. The rule establishes the Human Capital Framework, which
communicates the workforce planning methods agencies are required to follow. The Talent
Management portion of the framework1 defines workforce planning as follows:
To accomplish workforce planning the rule requires that agency leadership identify the
human capital required to meet organizational goals, conducts analyses to identify
competency and skill gaps, develop strategies to address human capital needs and close
competency skill gaps, and ensure the organization is structured effectively.
The rule requires the agency to develop a Human Capital Operating Plan. The plan serves as a tool for
agency leadership to set a clear path for achieving stated human capital strategies, identify and secure
resources, determine time frames and measures to assess progress, and demonstrate how each
Human Capital Framework system is being fulfilled. The Office of Personnel Management manages the
rule and told us that workforce planning and other elements of the rule are to be updated on an
annual basis in the Human Capital Operating Plan.
Over the past 23 years, the EPA OIG and GAO have issued over 15 reports citing the need for the EPA
to incorporate workload analysis into its distribution of staff. In the 1980s, the EPA conducted
comprehensive workload analyses to determine appropriate workforce levels and, each year, with
regional consensus, evaluated need and allocated its human resources accordingly. In 1987, the EPA
decided it would discontinue these analyses and instead focus on marginal changes to full-time
equivalent (FTE) distribution.
1 The four systems of the Human Capital Framework are Strategic Planning and Alignment, Performance Culture, Talent
Management, and Evaluation. Talent Management incorporates workforce planning, or the process to identify and close
skill gaps. Performance Culture engages, develops and inspires a diverse, high-performing workforce.
19-N-0235
8

-------
In 2010, we reported that the EPA did not have policies and procedures requiring that workforce levels
be determined based upon workload analysis. In 2011, we reported that the EPA did not require
program offices to collect and maintain workload data. Without such data, the EPA is limited in its
ability to analyze workloads and justify resource needs. The GAO also reported in October 2011 that
the EPA's process for budgeting and allocating resources did not fully consider the agency's current
workload. As recently as 2017, the EPA OIG reported that the distribution of Superfund FTEs among
EPA regions did not support the current regional workload. The GAO also reported on the EPA's
workload concerns and issued eight reports between 2000 and 2018.
Since 2005, EPA offices have studied workload issues at least six different times, spending nearly
$3 million for various contractor studies. However, for the most part, the EPA has not used the findings
and recommendations from these studies. According to the EPA, the results and recommendations
from the completed studies were generally not feasible to implement.
Over the last decade, the EPA's workforce levels declined by 2,500 FTEs (including losses due to early-
outs and buyouts in 2014 and 2017). These were budget-driven reductions and were not supported by
agencywide workforce analyses. Without a clear understanding of its workload, it is unclear whether
this decline jeopardizes the EPA's ability to meet its statutory requirements and overall mission to
protect human health and the environment, or if the decline represents a natural and justifiable
progression because the EPA has completed major regulations implementing environmental statutes
and delegated many environmental programs to the states.
THE AGENCY'S PROGRESS
In the FY 2018 Agency Financial Report, the EPA reported that it has continued to perform only
targeted workforce analyses. However, the agency did not address the requirements of the Strategic
Human Capital Management rule that requires agencywide workforce planning to be updated on an
annual basis. According to the report, the EPA does not agree that comprehensive agencywide
analyses are necessary because the EPA has highly variable, multiyear and non-linear functions and
activities that limit the utility of workload analyses to determine staffing levels.
In its FY 2018 Agency Financial Report, the agency provided examples of selected workload analysis work:
•	The agency conducted workload analyses on grants management, information technology
security officers, funds control officers and fee-related duties.
•	The Superfund program will develop a multiyear FTE plan.
Finally, the agency stated in the report that it believed targeted analyses would contribute to the
agency's multiyear approach to resource and workforce planning by helping to identify potential
investment opportunities and informing workforce decisions.
The following reports show the continued prevalence of workforce analysis and the actions the EPA
has taken or plans to take.
19-N-0235
9

-------
Relevant Reports
OIG Reports
•	In September 2018 (18-P-0270). we reported that although the EPA was responsible for
asbestos-in-schools inspections for a majority of the states, the EPA only performed
13 percent of the inspections while the states performed 87 percent. This disparity occurred
because the number of EPA inspectors was reduced based upon budget concerns, not a
comprehensive workforce analysis. Most regions indicated that inspections were necessary
and would be performed if resources were available. The EPA concurred with the
recommendations and corrective actions are pending.
•	In September 2017 (17-P-0397). we reported that the distribution of Superfund FTEs among
EPA regions did not support current regional workloads. As a result, some regions had to
prioritize work and slow down, discontinue or not start cleanup work due to a lack of
personnel. In a survey of EPA regions, six of 10 said they were not able to start, or had to
discontinue, work due to a lack of FTEs, which could impede efforts to protect human
health and the environment. The EPA concurred with the recommendations and corrective
actions are pending.
•	In July 2016 (16-P-0222). we reported that grants specialists in Regions 4 and 5 indicated
workload was the reason administrative baseline monitoring reviews were not completed
or were not completed timely. The EPA reported implementing a new baseline monitoring
approach in October 2017 to have project officers obtain information from grants specialists
regarding indirect costs, disadvantaged business enterprise and single audits, to incorporate
in the baseline monitoring review preparations. The EPA concurred with and implemented
the recommendation on baseline monitoring.
GAO Report
•	In January 2017 (GAO-17-144). the GAO reported that the EPA awarded roughly $3.9 billion
(about 49 percent of its budget) in grants to states, local governments, tribes and other
recipients. These grants supported such activities as repairing aging water infrastructure,
cleaning up hazardous waste sites, improving air quality and preventing pollution. The GAO
concluded that the EPA's ability to manage this portfolio depended primarily on grant
specialists and project officers, but the agency did not have the information it needed to
allocate grants management resources in an effective and efficient manner. In addition, the
EPA had not identified project officer critical skills and competencies or monitored
recruitment and retention efforts for grant specialists.
WHAT REMAINS TO BE DONE
The agency must comply with the Strategic Human Capital Management rule by developing a
workforce plan for the entire agency, not just parts of the agency. The targeted approach only ensures
that a portion of the EPA's workforce needs are reviewed.
19-N-0235
10

-------
CHALLENGE: The EPA Needs to Enhance Information
Security to Combat Cyber Threats
CHALLENGE FOR THE AGENCY
The EPA continues to face a management challenge in
implementing a vigorous cybersecurity program that
strengthens its network defenses and data security in a time
of ever-increasing threats to federal government networks.
Despite progress, recent audits continue to highlight the need to fully implement information security
throughout the EPA, which requires continued senior-level emphasis. The EPA relies heavily on
contractor personnel to implement and manage configurations and operations of agency networked
resources, but the EPA lacks processes for internal control and monitoring of contractor performance.
Also, recent audits noted the need for other improvements.
For example, the EPA's current incident tracking system lacks the required security controls to protect
the confidentiality of personally identifiable information (PII) and enforce password management
requirements. In addition, EPA data is vulnerable to unauthorized access because there are no
procedures to ensure that EPA security control requirements are implemented for file servers and share
folders. The EPA does not have policies that fully address the role of its Chief Information Officer (CIO)
consistent with federal laws and guidance. Furthermore, Office of Management and Budget (OMB) risk
management assessment ratings rated EPA as "at risk," meaning that while some essential policies,
processes and tools are in place to mitigate overall cybersecurity risk significant gaps remain.
BACKGROUND
Protecting EPA networks and data is as important today as it was in 2001 when we first reported the
issue as a management challenge. Securing networks that connect to the internet is increasingly more
challenging, with sophisticated attacks taking place that affect all interconnected parties, including
federal networks. Federal agencies need to be vigilant in protecting their networks. In past years,
various federal agencies have had numerous attacks on their systems, impacting at least 21.5 million
individuals.
To address these complex cybersecurity issues, the EPA has made significant strides in developing a
policy framework to enable information technology (IT) systems to adhere to federal information
security requirements. These strides include developing extensive policies and procedures and
addressing a significant portion of federal information security requirements and making them
available to all its headquarters and regional offices. However, the EPA manages the implementation of
this policy framework in a decentralized manner. Recent audit work indicates that the lack of oversight
and reporting prevents the agency from realizing a fully implemented information security program
capable of effectively managing the remediation of known and emerging security threats.
IDENTIFY
RECOVER
DETECT
19-N-0235
11

-------
THE AGENCY'S PROGRESS
In response to our FY 2018 management challenge, the EPA indicated it will do the following:
•	Continue to work with the U.S. Department of Homeland Security's Continuous Diagnostics and
Mitigation Program Office to fully implement Continuous Diagnostics and Mitigation Phase
One, which includes hardware asset management.
•	Continue to share information with the United States Computer Emergency Readiness Team
through the Einstein Program.
•	Attend the federal CIO and Chief Information Security Officer meetings as well as special
interest meetings held by the OMB and Department of Homeland Security, to understand
trends and share intelligence and solutions to improve the federal cybersecurity posture.
•	Identify or develop training for contracting officer's representatives on their responsibilities for
monitoring contractors.
•	Prioritize the development and implementation of role-based training roles within its
information security program.
Over the past year, the agency has taken the following actions:
•	Reviewed all statements of work and performance work statements undergoing the agency's
Federal Information Technology Acquisition Reform Act review for the inclusion of the role-
based training requirements task.
•	Implemented a process requiring all Senior Information Officials to provide written certification
to the EPA's Chief Information Security Officer stating that contractors with significant
information security responsibilities have completed the necessary security training specific to
their roles under those contracts by September 30 of each year.
The EPA stated that it continues to do the following.
•	Leverage technology to document and maintain the inventory of EPA networked assets. The
detailed inventory includes all the necessary data (e.g., Purpose, Capability, Operating System,
etc.) required for the data center's disaster recovery plan. The EPA indicated that it updates the
inventory on a quarterly basis and documents the results in the center's contingency plan.
•	Develop and implement processes by creating the Office of Mission Support/Office of
Resources and Business Operations to improve management and oversight of its audits to
include streamlining and process improvement, hiring additional staff, and using the most
appropriate IT system to maintain and track audit and corrective actions.
•	Identify equipment needed to restore operations and network connectivity for financial and
mixed-financial applications, to include data storage plans based on the service provider's
backup and data retention polices.
19-N-0235
12

-------
•	Monitor physical access to its data center using a digital system with cameras installed
strategically at various locations inside and outside facilities. The agency (1) maintains a list of
authorized members/teams, (2) has an access authorization process for contractors and visitors
who enter a facility, and (3) provides daily on-site security year-round.
•	Deny personnel access to agency information resources when the personnel do not submit the
appropriate waiver request to perform certain duties. Access to specific roles is controlled by
account-level roles and privileges. The EPA controls account creation within its core financial
application via an online access request form and locks administrative accounts via the agency's
help desk ticket process. The EPA receives a monthly report from its service provider that
allows for the monitoring of all users' direct access to data within the agency's core financial
application. The EPA also noted that the project manager for its core financial application
received the Federal Acquisition Certification for Program and Project Managers Senior Level
and applied for the IT specialty certification.
The following reports issued within the last 5 years show the continued prevalence of the issue and the
actions the EPA has taken or plans to take.
Relevant Reports
OIG Reports
•	In May 2019 (19-P-0158). we found that insufficient practices for managing known security
weaknesses and system settings weakened the EPA's ability to combat cyber threats. EPA
personnel did not manage plans of action and milestones for remediating security
weaknesses within the agency's information security weakness tracking system as required
by EPA policy. This happened because the office responsible for identifying vulnerabilities
relied on other agency offices to enter the plans of action and milestones in the tracking
system to manage unremediated vulnerabilities. Additionally, the EPA's information
security weakness tracking system lacked controls to prevent unauthorized changes to key
data fields and to record these changes in the system's audit logs. This occurred because
the EPA neither enabled the feature within the tracking system to prevent unauthorized
modifications to key data nor configured the system's logging feature to capture
information on the modification of key data fields. The EPA concurred with the
recommendations and corrective actions are pending.
•	In January 2019 (19-P-0058). we found that more work is needed by the agency to achieve
managed and measurable information security functions to manage cybersecurity risks. In
this regard, the EPA's information security program was not graded as effective for any of
the Cybersecurity Framework Security Functions defined by the National Institute of
Standards and Technology. We found that the EPA can further improve its processes in the
following domains to strengthen its information security posture:
19-N-0235
13

-------
Domain
Action needed
Risk Management
Implement standard data elements for hardware assets connected to
the network and software and associated licenses.
Security Training
Implement a process for reporting on contractors' completion of role-
based training.
Incident Response
Implement technologies to support the incident response program.
Contingency Planning
Implement a process to ensure that the results of business impact
analyses are used to guide contingency planning efforts.
The report assessed EPA compliance with the Federal Information System Modernization
Act of 2014 and contained no recommendations.
•	In September 2018 (18-P-0298). we found that the EPA's current incident tracking system
lacked the required security controls to (1) protect the confidentiality of Pll, including
sensitive Pll; and (2) enforce password management requirements even though the
requirements are specified in federal and agency guidance. The EPA was unaware that Pll was
included on incident tickets handled by help desk technicians and retained in the current
incident tracking system where they can be
viewed by all registered users (both EPA
employees and contractors). Password
management controls documented in the
replacement system's draft security plan
(dated March 2018) did not meet EPA
requirements. Corrective actions are pending.
•	In August 2018 (18-P-0234). we found that EPA data were vulnerable to unauthorized access
because Region 4 did not create procedures to ensure that EPA security control
requirements were implemented for file servers and share folders. Region 4 share folders
contained sensitive data, and the region did not have a process to monitor user activity or
content in file servers' share folders. Federal and agency guidance requires agencies to
implement security controls for information systems and related components, including file
servers and the share folders they host. The lack of procedures, combined with the lack of
audit logging or an audit log review process, put the EPA at risk for unauthorized activity
being undetected and uninvestigated. The EPA concurred and implemented the
recommendation.
•	In June 2018 (18-P-0217). we found that the EPA categorized the sensitivity of the
information within its electronic manifest system at such a low level that planned
information system security controls would not minimize the risk of environmental harm.
This system—designed to track shipment of hazardous waste from a generator's site to
another site for disposition—includes such information as material, quantity, waste code,
hazard class, and the names and addresses of waste generators and receivers. The low-level
categorization occurred, in part, because responsible personnel did not sufficiently consider
homeland security implications as they relate to chemicals of interest. As a result, the EPA
AT RISK-
~ L Sensitive
Personally
Identifiable
Information
19-N-0235
14

-------
plans to place sensitive hazardous waste information in its system without implementing
stronger minimum information system security controls commensurate with the harm that
could be caused if the information is compromised. The EPA concurred with the
recommendations and corrective actions are pending
GAO Reports
•	In February 2018 (GAO-18-211). the GAO reported that EPA officials indicated they do not
have the statutory authority to collect information from the Water and Wastewater Systems
sector regarding adoption and implementation of the Cybersecurity Framework. Further, the
GAO stated that the EPA did not have qualitative or quantitative means for measuring
adoption in the sector. EPA officials noted that although the agency agreed with the findings
of the report, it was constrained by several factors. The agency said it was unable to
participate in a survey to assess Cybersecurity Framework implementation by the water
sector without prior approval from the OMB under the Paperwork Reduction Act; water
sector facilities are reluctant to divulge sensitive information about specific infrastructure
protection activities, including cybersecurity; and there is a lack of a strong mandate for the
collection data and a lack of a unified cross-sector approach to metrics and survey methods
for assessing Cybersecurity Framework adoption.
•	In August 2018 (GAO-18-93). the GAO reported that the EPA does not have policies that fully
address the role of the agency's CIO consistent with federal laws and guidance. In addition,
the EPA did not fully address the role of its ClOs for any of the six key areas that the GAO
identified: IT leadership and accountability, IT budgeting, information security, IT investment
management, IT strategic planning and IT workforce. Federal ClOs acknowledged in their
responses to the GAO's survey that they were not always very effective in implementing the
six IT management areas. The GAO noted that until agencies (including the EPA) fully address
the role of ClOs in their policies, the agencies will be limited in addressing longstanding IT
management challenges.
•	In December 2018 (GAQ-19-105). the GAO reported that until agencies more effectively
implement the government's approach and strategy, federal systems will remain at risk. The
GAO noted that the OMB's risk management assessment ratings rated the EPA as at risk,
which means that while some essential policies, processes and tools were in place to
mitigate overall cybersecurity risk, significant gaps remain.
WHAT REMAINS TO BE DONE
The EPA needs to take the following actions to enhance information security from cyber threats.
1. Develop and implement a process that:
a) Strengthens internal controls for monitoring and completing corrective actions on open
cyber security recommendations.
19-N-0235
15

-------
b)	Maintains appropriate documentation to support completion of corrective actions on cyber
security audits; if delegated to sub-offices, the process should include regular inspections
by the Office of Mission Support's Audit Follow-Up Coordinator.
c)	Specifies when sub-offices must complete corrective actions on cyber security audits.
d)	Requires verification that corrective actions fixed issues that led to the recommendations
in cyber security audits.
e)	Requires sub-offices to continue to use the improved processes.
f)	Requires Office of Mission Support managers to update the office's Audit Follow-Up
Coordinator on the status of upcoming corrective actions on cyber security audits.
g)	Allows appropriate approval and monitoring access to share folder content that is
consistent with requirements specified by federal and EPA information security
procedures.
2.	Enter the Continuous Monitoring Assessment recommendations into the agency's system
used for monitoring the remediation of information security corrective actions.
3.	Work with the U.S. Department of Homeland Security to gain an understanding of the risk of
a breach of the data within the Electronic Manifest system, and work with the National
Institute of Standards and Technology to determine the proper data classification to
re-evaluate the categorization of the information within the system that should be regularly
re-evaluated.
4.	Implement a strategy to protect the confidentiality of Pll in the EPA's current incident tracking
system and update standard operating procedures for help desk technicians to follow when
handling incident tickets that require collecting Pll, including sensitive Pll.
5.	Ensure that the agency's IT management policies address the role of the CIO for key
responsibilities in the six areas identified by the GAO.
6.	Take steps to consult with respective critical infrastructure sector partners, as appropriate, to
develop methods for determining the level and type of cybersecurity framework adoption by
entities across their respective sector.
7.	Establish a control to validate that agency personnel create required plans of action and
milestones for vulnerability testing results, establish a process to periodically review the
agency's tracking system's security settings to validate that each setting meets the agency's
standards, and collaborate with the tracking system's vendor to determine whether audit
logging can capture all data changes.
19-N-0235
16

-------
CHALLENGE: The EPA Needs to Improve on
Fulfilling Mandated Reporting Requirements
CHALLENGE FOR THE AGENCY
Our work over the last 9 years has shown that the agency faces
issues in tracking and submitting reports mandated by law that
contain key program information for use by Congress, the Administrator and the public. When the EPA
does not fulfill reporting requirements, the agency is in violation of the law and does not demonstrate
how and whether it is achieving the goals Congress set for the associated programs. Without these
reports, Congress and the public are not informed about the challenges programs face during
implementation and do not learn about the EPA's progress toward achieving environmental and public
health program goals. Our findings across multiple programs emphasize the need for EPA management
to take agencywide action to verify that required reports are submitted. The OIG first identified this
issue as an agency management challenge in 2018, and we are retaining it as a challenge in 2019
because the agency has not yet established and implemented a comprehensive approach to address
the challenge.
BACKGROUND
The EPA OIG identified instances across five major environmental programs where the EPA failed to
meet legal reporting requirements to Congress between 2010 and 2018. As part of the budget process,
the agency continues to maintain a list of 25 congressionally required reports it views as outdated
and/or duplicative. As part of the budget process, the agency informs congressional committees of the
reports it thinks should be eliminated, but Congress has not yet removed any of these required reports
from the agency's workload. The OIG previously recommended that the agency meet the specific
reporting requirements and establish internal controls to track issuance of these required reports.
Fulfilling mandated reporting requirements will inform future rulemaking and decision-making.
However, additional work remains to solve this agencywide issue.
THE AGENCY'S PROGRESS
In response to our work, the EPA has issued required reports that it previously had not provided to
Congress and the public on the beach monitoring grant program, the renewable fuel standards program,
the national status of environmental education, the residual effects of methamphetamine labs, and the
urban air toxics program. Additionally, the Office of Congressional and Intergovernmental Relations
issued a March 2018 memorandum to the EPA's Assistant Administrators and Associate Administrators
reminding them of the agency's standard practice of tracking reports to Congress in ADPTracker. The
following issues identified in our work over recent years demonstrate both the breadth of this challenge
and the agency's work toward addressing the issue on a program-by-program basis. For the OIG reports
where this issue was identified, the EPA ultimately agreed to our recommendations or implemented
corrective actions by planning and submitting required program reports.
19-N-0235
17

-------
The following reports issued within the last 5 years show the continued prevalence of the issue and the
actions the EPA has taken or plans to take.
Relevant OIG Reports
•	In January 2018 (18-P-0071). we found that the Office of Water did not fulfill the legal requirement
under Section 7 of the Beaches Environmental Assessment and Coastal Health Act of 2000 (known
as the BEACH Act) to report to Congress every 4 years on the program's progress and its impact on
water quality and public health. The act requires that the EPA report to Congress on
recommendations for additional criteria or actions to improve water quality, provide a national
assessment of the implementation of the act, and note areas for improvement in monitoring.
At the time of the report, the EPA had last submitted this required report to Congress in 2006,
though it was due in 2010 and again in 2014. According to EPA staff, lack of resources to complete
the report and disagreement between the EPA and OMB on whether the program was still needed
led the EPA to cease its reporting to Congress. The EPA's guidance for issuing such reports did not
include a process for addressing or appealing such disagreements. The OIG recommended that the
EPA submit the mandated reports to Congress and review and update controls for identifying,
tracking and submitting mandated reports. In response, in March 2018, the Office of Congressional
and Intergovernmental Relations issued a memorandum, Reminder of Existing Practices Regarding
Statutorily-Mandated Reports to Congress, noting that all legislatively mandated reports are to be
placed in ADPTracker. Additionally, the Office of Water submitted a report to Congress,
Implementing the BEACH Act of 2000: 2018 Report to Congress (EPA 823-R-18-002). in July 2018,
but the 2018 report did not make reference to required reports for the prior quadrennial periods.
•	In July 2016 (16-P-0246). we found that after 2005 the EPA's Office of Environmental Education
did not fund and convene until 2012 the National Environmental Education Advisory Council, as
required by the National Environmental Education Act. As a result, the council was not always
able to biennially provide congressionally required reports on the extent and quality of
environmental education in the United States. The OIG recommended that the EPA ensure that
the council is appointed and submits congressionally required reports. The EPA agreed and the
council issued the required biennial report, 2015 Report to the U.S. Environmental Protection
Agency Administrator (undated), to Congress, the EPA Administrator and the public.
•	In August 2016 (16-P-0275). we found that the Office of Research and Development had failed to
fulfill a legal requirement under Section 204 of the Energy Independence and Security Act of
2007 to report to Congress every 3 years on the environmental and resource conservation
impacts of the renewable fuel standard program. The office issued an initial report to Congress
for the program in 2011 but did not issue subsequent triennial reports. The agency attributed
this to competing research priorities, reductions to the office's budget, and the 3-year reporting
cycle not allowing time for significant scientific advances to occur. The OIG recommended that
the EPA fulfill its obligation to provide triennial reports to Congress. The agency agreed with this
recommendation and issued the required report, Biofuels and the Environment: The Second
Triennial Report to Congress (EPA 600-R-18-195). in June 2018.
19-N-0235
18

-------
WHAT REMAINS TO BE DONE
To ensure required reports are issued, the EPA needs to make a comprehensive effort across the
agency to identify the causes for programs not issuing required reports, implement targeted plans to
address the causes, and complete and issue the reports. For example, while the agency submitted the
two required reports to Congress that we mentioned in the 2018 management challenges (i.e., the
reports on the BEACH Act and Renewable Fuels programs), we have not yet seen a sustained
commitment from agency management on the issue.
Further, the EPA must continue to work with Congress to eliminate duplicative reports. The EPA
maintains a list of 25 congressionally mandated reports that it deems duplicative and/or outdated, and
the agency has requested that Congress eliminate its requirements for these reports. However, Congress
has not yet responded to the EPA's request and, consequently, these reports continue to be required for
EPA work.
19-N-0235
19

-------
CHALLENGE: The EPA Needs Improved Data Quality and
Should Fill Identified Data Gaps for Program Performance
and Decision-Making
CHALLENGE FOR THE AGENCY
We continue to identify weaknesses in quality controls for EPA program data and have identified
multiple data gaps. Data quality and gaps matter because managers use data to manage the EPA's
programs to achieve the agency's goals. The EPA needs and expects high-quality, accurate, and
complete data to support high-quality decisions. Since 1979, EPA policy has required that the EPA use
an agencywide quality system supporting environmental programs and requires that non-EPA
organizations performing work on behalf of the EPA also use such a system through extramural
agreements. Further, the Government Performance and Results Act Modernization Act of 2010 states
that agencies must execute an annual performance plan that includes a description of how the agency
will ensure the accuracy and reliability of data used to measure progress toward performance goals.
BACKGROUND
To accomplish its mission, the EPA develops regulations and establishes programs that implement
environmental laws. The EPA performs oversight of these programs—including programs implemented
by the agency, delegated states, territories or tribes—to verify effectiveness and ultimately to protect
human health and the environment. Effective oversight should provide reasonable assurance that
program goals are achieved and activities comply with all relevant laws and regulations. The EPA relies
on data to help assess program performance and public benefit and, as such, those assessments
depend on the quality of the data that underpin the analyses.
We identified data standards and data quality in the FY 2007 management challenges report. At that
time, we found that the EPA was not routinely incorporating data standards and collecting information
for all programs. We removed that challenge for FY 2008 but reintroduced data quality for program
data as an FY 2018 management challenge because recent OIG work pointed to a pattern of data
quality issues. For FY 2019, we are retaining but modifying the challenge by adding discussion of data
gaps that inhibit program performance and decision-making.
OIG reports show that poor data quality and data gaps negatively impact the EPA's effectiveness in
overseeing programs that directly impact public health, such as managing air quality, drinking water,
toxic releases to surface waters, Superfund sites and environmental education. Data quality issues and
data gaps also subject the EPA to significant financial risks and delayed cleanups while the public
endures prolonged exposure to unsafe substances and restrictions on the use of natural resources.
19-N-0235
20

-------
THE AGENCY'S PROGRESS
In response to EPA OIG reports, the EPA took corrective actions to address data quality issues; however,
problems persist. The following reports issued within the last 5 years show the continued prevalence of
the issue and the actions the EPA has taken or plans to take.
Relevant OIG Reports
Data quality problems
•	In April 2019 (19-N-0115). we found discrepancies between (1) the total pounds of
chemicals released to the environment as reported in the publicly available Toxic Release
Inventory data for reporting years 2013-2017 and (2) the information that the EPA provided
to us separately on the total pounds of chemicals released. Our work led to the EPA's
discovery that total release calculations provided by the publicly available database do not
properly include the Publicly Owned Treatment Works release amounts. This report was a
management alert and no recommendations were made.
•	In July 2018 (18-P-0222). we found that the EPA lacked documented internal controls to
prevent the use of Presidential Green Chemistry Challenge Awards Program results in
agency performance metrics. Without documented controls, there is a risk that unverified
program results could be used as part of future agency metrics (for example, if and when
new staff become involved with the program). Also, the EPA disagreed with the OIG about
the requirements regarding supporting documentation for completed corrective actions
from a 2015 report on the same topic. Corrective actions from this 2018 report are pending.
•	In June 2017 (17-P-0249). we found that EPA management controls did not provide
reasonable assurance that facility-reported data were of sufficient quality to assess
compliance or maintain the integrity of credit-related information for benzene standards.
Benzene is one of three key pollutants contributing the most to cancer risks nationwide,
and has been linked to blood disorders and cancers, including leukemia. Mobile sources are
responsible for most of the outdoor risks from benzene, and the EPA has classified benzene
as a regional cancer risk driver. EPA staff need to research and correct questionable data
quality before the EPA can determine whether facilities comply with the benzene standards
and purchased credits were proper. The agency completed some corrective actions to
address the report recommendations.
•	In October 2017 (18-P-0001). we found that the Toxics Release Inventory and the Discharge
Monitoring Report Comparison Dashboard had limited utility for identifying possible surface
water dischargers that lacked a National Pollutant Discharge Elimination System permit due
to a lack of discharger address information. Without specific discharger address
information, attempting to manually match a National Pollutant Discharge Elimination
System facility to a Toxics Release Inventory facility was resource-intensive and inexact,
impacting the EPA's ability to regulate facilities. Further, the Pollutant Loading Tool could
19-N-0235
21

-------
not identify unpermitted dischargers to surface water based on Toxics Release Inventory
data, which means the EPA and public cannot know when or how much pollution occurs
from those dischargers. Corrective actions are pending.
•	In December 2017 (18-P-0059). we found that the EPA lacked a data system with the
capability to track multiple environmental liabilities regarding cleanup activities and
resources and technical ability to validate self-insurance for companies with multiple
environmental liabilities. The inability to validate a company's self-insurance represents a
high-risk issue to the EPA; if a company defaults on its cleanup obligations, the EPA and
other federal funds may be required to finance cleanups that should be paid for by the
polluter. Invalid self-insurance may also result in contamination being left at sites; larger,
more complicated cleanups; higher costs; and longer human and environmental exposures
to unsafe substances. Corrective actions are pending.
•	In May 2016 (16-P-0164). we found that the Clean Air Act facility inspection data on the EPA
Enforcement and Compliance History Online website did not reflect that many facilities had
received a full compliance inspection, and it was not verified that data were properly
migrated into the database used by the website. Inaccurate data hinder the EPA's oversight
and reduce assurance that the delegated compliance programs comply with the agency's
guidance. Further, unreported or inaccurate data presented on the publicly available
website could misinform the public about the status of facilities. The EPA completed
corrective actions on the recommendations, which included updating the compliance
monitoring system, conducting regular data reviews with state and local agencies,
establishing a regular data quality check process, specifying the length of time states and
local air districts should retain evaluation records, and providing guidance to California local
air districts.
Data gap issues
•	In July 2018 (18-P-0227). we found that most states were authorized to implement the
majority of new required hazardous waste rules promulgated by the EPA. However, states
and the EPA have taken many years to authorize rules—from less than 1 year to more than
31. No state has been authorized by the EPA for all required rules. The EPA lacks internal
controls to validate the completeness and accuracy of state authorization information and
does not collect sufficient data to identify reasons for delays or lack of authorization.
Further, the EPA has not defined authorization goals to track program performance. For
Hazardous and Solid Waste Amendments of 1984 rules, EPA regions can administer the
requirements if a state has not received authorization. However, for non-Hazardous and
Solid Waste Amendments rules, the EPA cannot administer a rule when a state has not yet
been authorized for the rule, which creates regulatory gaps. Corrective actions are pending.
•	In September 2018 (18-P-0281). we found that the EPA's Office of Pesticide Programs did
not have outcome measures to determine how well the emergency exemption process
maintains human health and environmental safeguards. The office also did not have
19-N-0235
22

-------
comprehensive internal controls to manage the emergency exemption data it collects or
consistently communicate that data with its stakeholders. Although the office collected
human health and environmental data through its emergency exemption application
process, it did not make that data available in its publicly accessible database or use the
data to support outcome-based performance measures that capture the scope of each
exemption or measure potential benefits or risks. We also found significant deficiencies in
the office's online database management, draft Section 18 emergency exemption standard
operating procedure and application checklist, and reports to Congress and the OMB.
Corrective actions are pending.
•	In September 2018 (18-P-0283). we found that the EPA should collect additional program
performance data to better assess the effectiveness of enhanced inspection and
maintenance programs for reducing vehicle emissions. For example, nine states operating
enhanced programs did not conduct the required biennial program evaluations to assess
the effectiveness of their programs in reducing vehicle emissions. Another four states did
not conduct required on-road testing to obtain information on performance of in-use
vehicles, and three states did not conduct required reviews and tests due to a lack of clarity
in EPA guidance. As a result, the EPA lacked data to determine the effectiveness of state
enhanced vehicle inspection and maintenance programs. In addition, states are required to
submit annual reports to the EPA about the performance of their vehicle inspection and
maintenance programs, and, while the EPA has been improving the oversight of this
reporting, improvements are needed. The agency agreed with our recommendations and
corrective actions are pending.
•	In November 2018 (19-P-0002). we found that the EPA's controls over the land application
of sewage sludge (biosolids) were incomplete or had weaknesses and may not fully protect
human health and the environment. The EPA consistently monitored biosolids for nine
regulated pollutants. However, it lacked the data or risk assessment tools needed to make a
determination on the safety of 352 pollutants found in biosolids, including 61 pollutants
designated as acutely hazardous, hazardous or priority pollutants in other EPA programs.
Past reviews showed that the EPA needed more information to fully examine the health
effects and ecological impacts of land-applied biosolids. Although the EPA is not required to
obtain additional data, without such data the agency cannot determine whether biosolids
pollutants with incomplete risk assessments are safe. The EPA's website, public documents
and biosolids labels do not explain the full spectrum of pollutants in biosolids and the
uncertainty regarding their safety, which can impact public health and the environment.
The agency partially agreed with our recommendations, and while some corrective actions
are pending, work is underway to reach agreement on the unresolved recommendations.
WHAT REMAINS TO BE DONE
EPA leadership needs to demonstrate commitment to verify the quality of data and adequately fill data
gaps. To demonstrate this commitment, the agency should show that it has the people and processes
19-N-0235
23

-------
in place to deploy agency policies and procedures across all program data, and to actively manage data
to improve quality and completeness. While a move to electronic reporting should ease the agency's
access to data and simplify reporting, the EPA still needs to verify and validate electronically reported
data to ensure accuracy, timeliness and proper format.
19-N-0235
24

-------
CHALLENGE: The EPA Needs to Improve
Risk Communication to Provide Individuals
and Communities with Sufficient Information
to Make Informed Decisions to Protect Their
Health and the Environment
CHALLENGE FOR THE AGENCY
Over the past 7 years, the EPA OIG has identified issues with EPA actions to inform the public of
potential environmental dangers. From unsafe drinking water in Flint, Michigan, to farmworkers
working near pesticides, citizens count on the EPA for timely and accurate risk communication
messages. EPA Administrator Andrew Wheeler identified risk communication as one of his top
priorities in his July 2018 speech to EPA employees, stating "Risk communication goes to the heart of
EPA's mission of protecting public health and the environment. ... We must be able to speak with one
voice and clearly explain to the American people the relevant environmental and health risks that they
face, that their families face and that their children face." This is the first year the OIG has identified
risk communication as a management challenge. The agency has taken important steps to address this
important issue, but recent audits indicate more work is needed.
BACKGROUND
The EPA OIG has identified instances across water, air, land and pesticide programs where the EPA
needs more effective risk communication strategies to guide, coordinate and evaluate its
communication efforts to convey potential hazards. Risk communication tools can be written, verbal or
visual statements containing information about risk.
THE AGENCY'S PROGRESS
In his July 2018 speech to EPA employees, Administrator Wheeler promised to assemble a working
group to look at risk communication across the EPA. By giving added certainty to the public and
regulated community, he said "we can dramatically enhance environmental protections and give the
private sector the clarity and transparency it needs." Following are some examples of how the agency
is taking action to improve risk communication.
•	The EPA's FYs 2018-2022 Strategic Plan discusses the importance of risk communication with
respect to radiation and states the agency will focus on education —including formal and
informal training—in the areas of health physics, radiation science, radiation risk
communications and emergency response to fill existing and emerging gaps.
•	The EPA hosted a PFAS (Per- and polyfluoroalkyl substances) National Leadership Summit in
May 2018 that brought together state, tribal and federal partners; as well as key stakeholders,
including industry, utilities, congressional staff and nongovernmental organizations. The
19-N-0235
25

-------
summit provided an opportunity to share information on ongoing efforts, identify specific near-
term actions, and address risk communication challenges,
•	In an October 2018 memo to EPA employees, Administrator Wheeler stated, "The EPA Office of
Children's Health Protection plays an essential leadership role in protecting children through
engagement on key children's health issues. OCHP will continue to work with internal and
external stakeholders in risk communication and training, as well as scientific and policy
analyses."
The following reports issued within the last 5 years show the continued prevalence of the issue and the
actions the EPA has taken or plans to take.
Relevant OIG Reports
•	In February 2018 (18-P-0080), we found that the state-led worker protection standard outreach
to stakeholders was incomplete. Pursuant to the EPA's cooperative agreements with states to
implement the Federal Insecticide, Fungicide and Rodenticide Act, states are responsible for
educating their stakeholders about worker protection standard compliance. As of June 14,
2017, the Office of Chemical Safety and Pollution Prevention said that, based on its
communication with states, only five or six states had completed revised worker protection
standard outreach activities with their regulated communities (i.e., the agricultural
establishments that employ farmworkers and pesticide handlers). Of the three states in which
we interviewed staff, California and Minnesota conducted outreach with their regulated
communities to facilitate worker protection standard compliance. North Carolina staff said that
they were unable to add the standard to the agenda for their annual meetings with growers in
early 2016 because the revised standard was published in late 2015; therefore, they did not
begin discussions with growers until early 2017. Corrective actions are pending.
•	In July 2018 (18-P-0221), we found that communication weaknesses contributed to a delayed
federal response to water contamination in Flint, Michigan. For effective oversight,
management needs accurate and complete
information and clear communication. However, the
communication between the EPA and the Michigan
Department of Environmental Quality did not convey
key information about human health risks from lead
contamination in Flint. Communication within the EPA
was also problematic. These issues limited the EPA's
knowledge about risks and contributed to the delayed
federal response. Corrective actions are pending.
•	In November 2018 (19-P-0002). we found that the EPA's controls over the land application of
sewage sludge (biosolids) were incomplete or had weaknesses and may not fully protect human
health and the environment. The EPA consistently monitored biosolids for nine regulated
pollutants, but lacked the data or risk assessment tools needed to make a determination on the
Boiling YOUR Water
DOES NOT REMOVE LEAD
A billboard in the city of Flint. (OIG photo)
19-N-0235
26

-------
safety of 352 pollutants found in biosolids. Our analysis determined that the 352 pollutants
included 61 designated as acutely hazardous, hazardous or priority pollutants in other
programs. The EPA's risk communication regarding the unknown risks from the 352 identified
pollutants in biosolids should be transparent. Past reviews showed that the EPA needed more
information to fully examine the health effects and ecological impacts of land-applied biosolids.
Although the EPA could obtain additional data to complete biosolids risk assessments, it is not
required to do so. Without such data, the agency cannot determine whether biosolids
pollutants with incomplete risk assessments are safe. The EPA's website, public documents and
biosolids labels do not explain the full spectrum of pollutants in biosolids and the uncertainty
regarding their safety. Consequently, the biosolids program is at risk of not achieving its goal to
protect public health and the environment. Some recommendations are pending, but others-
including recommendations related to transparent risk communication—are unresolved.
• In April 2017 (17-P-0174). we found that some subsistence fishers, tribes, sport fishers and other
groups consumed large amounts of contaminated fish without health warnings. Although most
states and some tribes had fish advisories in place, this information was often confusing, complex
and did not effectively reach the segments of the population that need the advisories. Fish
advisories differ from state to state, between states and tribes, and across state and tribal
borders, which in some cases leads to multiple advisories with conflicting advice for a single
waterbody. In addition, although the EPA's risk communication guidance recommended
evaluations of fish advisories, we found that less than half of states, and no tribes, had evaluated
the effectiveness of their fish advisories. Under the Clean Water Act, the EPA can take a stronger
leadership role in working with states and tribes to ensure that effective fish advisory
information reaches all such segments of the population. Corrective actions are pending.
WHAT REMAINS TO BE DONE
Despite increased awareness of the importance of risk communication strategies, EPA leadership needs
to demonstrate an organizational commitment to correcting problems with such strategies, designed to
protect human health and the environment. To demonstrate this commitment, the agency should show
that it has the proper resources and processes and has developed adequate risk communication
strategies.
19-N-0235
27

-------