U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Hotline Report: Operating Efficiently and Effectively

EPA Oversight over Enterprise Customer Service Solution Needs Improvement

Report No. 19-P-0278
August 19, 2019

Report Contributors:
Rudolph M. Brevard
Christina Nelson
Jeremy Sigel

Abbreviations

CIO       Chief Information Officer
CPIC      Capital Planning and Investment Control
CRM       Customer Relationship Management
ECSS      Enterprise Customer Service Solution
EPA       U.S. Environmental Protection Agency
FedRAMP   Federal Risk and Authorization Management Program
FY        Fiscal Year
IT        Information Technology
OEI       Office of Environmental Information
OIG       Office of Inspector General
OMB       Office of Management and Budget
OMS       Office of Mission Support
SLCM      System Life Cycle Management
WCF       Working Capital Fund

Cover photo: The EPA's Enterprise Customer Service Solution information technology investment must meet Working Capital Fund, System Life Cycle Management, and Capital Planning and Investment Control policies and procedures. (EPA OIG image)

Are you aware of fraud, waste or abuse in an EPA program?

EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG_Hotline@epa.gov

EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oig

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
19-P-0278
August 19, 2019

Why We Did This Project

The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) conducted this audit in response to an anonymous hotline complaint. We sought to determine whether the EPA followed documented policies and procedures for providing information technology (IT) software under the Working Capital Fund (WCF). Specifically, we reviewed how the EPA managed a project to implement an Enterprise Customer Service Solution (ECSS)/Customer Relationship Management system.

The WCF provides a centralized source for administrative and support services for the EPA. The ECSS is a WCF application to host the EPA's Frequently Asked Questions and inquiries from the agency's public website. Since the ECSS is an IT investment, it must meet System Life Cycle Management (SLCM) and Capital Planning and Investment Control policies and procedures.

This report addresses the following:
• Operating efficiently and effectively.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

EPA Oversight over Enterprise Customer Service Solution Needs Improvement

What We Found

The EPA did not implement key oversight activities for the ECSS to meet several agency software requirements. These activities included documenting the agency's business justification, having the required plans, and doing a user satisfaction review. Further, the ECSS was not classified into the correct IT investment category.

Office of Management and Budget memorandums describe the agency's management oversight responsibilities for information systems. The EPA SLCM policy and procedures provide a framework for system and project managers to tailor system life cycle management controls for information systems. The EPA Capital Planning and Investment Control policy and procedures identify the classification requirements for IT investments.

The problems we identified existed because the ECSS team did not have processes in place to:
• Transfer ownership during the responsible office's reorganization in 2016.
• Document delivery of the vendor's annual deliverables.
• Verify cloud service vendor compliance with mandatory federal IT security requirements.
In addition, the ECSS team did not identify and report that annual costs exceeded a $250,000 threshold, which would have placed the project into a different IT investment category with additional reporting requirements. This occurred because the Capital Planning and Investment Control team lacked a process to validate the costs for IT investments and the team did not complete the corrective action for a prior 2015 OIG audit recommendation.

Recommendations and Planned Agency Corrective Actions

We recommend that the Assistant Administrator for Mission Support verify that responsible personnel adhere to the agency's SLCM policy and procedures and implement needed internal controls. We also recommend implementing a process to verify that recording of costs is proper and make needed changes to project documentation.

The agency agreed with the recommendations and provided acceptable planned corrective actions to address Recommendations 1, 3 and 4, and we consider those recommendations resolved with corrective actions pending. The agency did not provide acceptable corrective actions to address Recommendations 2 and 6, and we consider them unresolved pending management's response to the final report. The agency also took the corrective action for Recommendation 5, and we consider that recommendation completed.

Ineffective project oversight limits the agency's ability to balance IT investments at the lowest cost while addressing agency needs.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

August 19, 2019

MEMORANDUM

SUBJECT: EPA Oversight over Enterprise Customer Service Solution Needs Improvement
         Report No. 19-P-0278

FROM: Charles J. Sheehan, Deputy Inspector General

TO: Donna Vizian, Principal Deputy Assistant Administrator
    Office of Mission Support

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). The project number for this audit was OA&E-FY18-0261. This report contains findings that describe the problems the OIG has identified and improvements the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The EPA's Office of Mission Support is responsible for the issues discussed in this report.

Action Required

In accordance with EPA Manual 2750, the Office of Mission Support provided acceptable corrective actions and milestone dates in response to Recommendations 1, 3, 4 and 5. We consider these recommendations resolved, and no further response to those recommendations is required. However, if you submit a response, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification.

We consider Recommendations 2 and 6 to be unresolved. In accordance with EPA Manual 2750, the resolution process begins immediately with the issuance of the report. We are requesting a meeting within 30 days between the Principal Deputy Assistant Administrator for Mission Support and the OIG's Assistant Inspector General for Audit and Evaluation. If resolution is not reached, the Office of Mission Support is required to complete and submit a dispute resolution request to the Chief Financial Officer.

We will post this report to our website at www.epa.gov/oig.
Table of Contents

Chapters

1  Introduction
     Purpose
     Background
     Responsible Offices
     Scope and Methodology
     Prior Audits

2  Better Oversight Needed for the ECSS WCF IT Investment
     Federal Memorandum and EPA Policy and Procedure Outline Oversight Requirements
     ECSS Oversight Lapsed After Reorganization
     EPA Did Not Verify Receipt of Contract Deliverables or Compliance with Federal Security Requirements
     Conclusion
     Recommendations
     EPA Response and OIG Evaluation

3  ECSS Classification Incorrect During CPIC Review
     EPA Misclassified ECSS Within CPIC
     Evaluation of Medium and Lite Investments Not Documented
     Conclusion
     Recommendations
     EPA Response and OIG Evaluation

Status of Recommendations and Potential Monetary Benefits

Appendices

A  EPA Response to Draft Report
B  Distribution

Chapter 1
Introduction

Purpose

In April 2018, the U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) received an anonymous hotline complaint regarding how the EPA manages and uses the Enterprise Customer Service Solution (ECSS), a Customer Relationship Management (CRM) system paid for and maintained through the agency's Working Capital Fund (WCF). We conducted this audit to determine whether the EPA followed its policies and procedures for software purchases under the WCF. Specifically, we reviewed how the EPA managed the project for the ECSS/CRM system.

Background

The EPA established the WCF in fiscal year (FY) 1997 based upon appropriation language and with the authority of the Government Management Reform Act of 1994. The WCF is used to provide centralized administrative and support services for the EPA. Mandatory services or products must be purchased through the WCF, while discretionary services can be planned, budgeted and charged to individual offices.
The ECSS is a data processing discretionary service that can be procured from the WCF. The EPA initiated a project to implement its CRM system using the ECSS application. The EPA indicates the purpose of the project was to use commercial-off-the-shelf software to automate and standardize comments and queries from the agency's public website into a Frequently Asked Questions webpage. Since the project began more than a decade ago, according to EPA personnel, the EPA has used several vendors to accomplish this function. In 2015, the EPA contracted with a cloud-service provider to implement and manage its ECSS. The EPA plans to implement a new ECSS application at the end of FY 2020 and discontinue the use of this cloud-service provider.

A CRM application maintains a centralized view of all interactions and improves the outreach experience to citizens contacting and engaging with the agency through various methods.

The Office of Management and Budget (OMB) and the EPA establish criteria for managing information systems and information technology (IT) investments. Per OMB Memorandum M-16-17, OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, July 15, 2016, if the agency uses a third party to provide information system services, "[management ... retains overall responsibility and accountability for all controls related to the processes provided by a third party, and must monitor the process as a whole to make sure it is effective."

EPA Chief Information Officer (CIO) Directive 2121.1, System Life Cycle Management (SLCM) Policy, dated September 21, 2012, and updated on December 21, 2017, establishes a six-phase life-cycle framework for the planning and management of all EPA IT systems and applications (see Figure 1). The related procedure (CIO Directive 2121-P-03.0) provides a framework for system owners, system managers and project managers to comply with the six phases.

When developing applications provided through the WCF, EPA offices must follow the agency's SLCM policy to implement and manage the IT investment. The EPA's SLCM policy applies to systems developed on behalf of the EPA by contractors.

EPA offices must also follow the EPA's CIO Directive 2120.1, CPIC Program Policy for the Management of Information Technology Investments, dated September 22, 2015, and updated on December 21, 2017. The directive requires EPA offices to report to the OMB on the status of the IT investment's performance using the agency's Capital Planning and Investment Control (CPIC) process. The EPA stated on its CPIC intranet that its CPIC program provides a structured, integrated approach to manage IT investments and that the program "ensures that all IT investments align with the EPA mission and support business needs while minimizing risk and maximizing returns through the investment's lifecycle."

The EPA CPIC policy classifies CPIC IT investments into four distinct types (major, medium, lite and small/other) and uses annual expenditure thresholds as criteria for each category. Reporting requirements vary based upon the CPIC investment type. The EPA states on its CPIC intranet website that it uses the government-owned, web-based Electronic Capital Planning and Investment Control system (known as "eCPIC") to prepare and submit its Agency IT Portfolio Summary to the OMB.

Responsible Offices

The EPA's former Office of Environmental Information (OEI) was responsible for the oversight of the ECSS. (In November 2018, during the course of our audit, the agency combined the Office of Administration and Resources Management and the OEI into one office, the Office of Mission Support (OMS).) The ECSS is managed by the OMS' Office of Information Management, Web Content Services Division.

Figure 1: SLCM Phases (Pre-Definition, Definition, Acquisition/Development, Implementation, Operations & Maintenance, Termination)
Source: OIG-created image.
The OMS' Office of Customer Advocacy, Policy and Portfolio Management provides strategic planning, management of the information directives program, and information portfolio management for the agency. The OMS is also responsible for WCF's data processing services, which includes the ECSS.

Scope and Methodology

We conducted this audit from July 2018 to May 2019 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

We confirmed that the ECSS is a WCF IT investment by reviewing the catalogue of services offered through the WCF. We reviewed the EPA's SLCM and CPIC policies and procedures to determine what documentation is required during the SLCM and CPIC processes. We reviewed ECSS documentation to determine whether it met SLCM and CPIC requirements. We interviewed the ECSS project manager and system owner to gather an understanding of how they managed the ECSS to be compliant with the EPA's SLCM and CPIC processes. We also interviewed the EPA's CPIC representatives to understand the correlation between the CPIC process and the WCF IT investment process.

Prior Audits

EPA OIG Report No. 15-P-0292, EPA Needs to Improve Recording Information Technology Investments and Issue a Policy Covering All Investments, dated September 22, 2015, found that reviews of medium and lite investments were not documented in the EPA's CPIC policy. The OIG recommended that the EPA update its CPIC policy to require documentation of the agency's formal evaluations of medium and lite investments. The EPA agreed to incorporate a portfolio review process called "Pre Exhibit 100 Reviews" in its CPIC policy and procedure by December 31, 2015, and according to the EPA's Management Audit Tracking System database the agency completed the action. However, during this audit, we confirmed that while the CPIC policy and procedure were updated, they did not include "Pre Exhibit 100 Reviews" to document evaluations of medium and lite investments. Therefore, we determined the prior corrective action to be incomplete.

EPA OIG Report No. 15-P-0295, EPA Needs to Improve the Recognition and Administration of Cloud Services for the Office of Water's Permit Management Oversight System, dated September 24, 2015, found the EPA was not fully aware of the extent of its use of cloud services. The OIG made two recommendations related to the objectives of this audit. The OIG recommended that the EPA develop guidance for IT and cloud procurements to be identified, and develop and maintain an inventory of cloud systems. The EPA agreed to develop the guidance, and also agreed to add a "hosting type" field in the Registry of EPA Applications, Models and Data Warehouses for the owner of the system to identify the type of hosting for each application. According to the EPA's Management Audit Tracking System, the agency has completed the corrective actions for these two recommendations. As part of annual OIG Federal Information Security Modernization Act audit work, the OIG has verified the completion of these corrective actions.

Chapter 2
Better Oversight Needed for the ECSS WCF IT Investment

The EPA needs to improve oversight for the WCF IT investment, the ECSS, during the multiple phases of the project's lifecycle. Lapses in key oversight activities for the ECSS, such as a lack of documented business justification, tailoring plan, configuration management plan and user satisfaction review, led to the ECSS not meeting several EPA and OMB requirements.
Federal memorandums and the EPA SLCM policy and procedure outline responsibilities for the project manager and system manager when developing EPA applications. The lack of oversight during key project phases resulted from the ECSS project management team not having processes in place to:
• Assume ownership responsibilities for the ECSS during a reorganization.
• Document the vendor's annual deliverables.
• Verify that the ECSS cloud service vendor could meet Federal Risk and Authorization Management Program (FedRAMP) requirements.

As a result, the EPA cannot demonstrate that the ECSS accomplishes its goals. In addition, the EPA used a third-party cloud service provider without knowing whether the vendor met the mandatory federal information security requirements needed to protect agency data.

The U.S. General Services Administration defines FedRAMP on the FedRAMP website as a "government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services."

Federal Memorandum and EPA Policy and Procedure Outline Oversight Requirements

As an IT investment, the ECSS must follow the OMB memorandum and EPA SLCM policy and procedure to achieve desired outcomes and business purposes. OMB Memorandum M-16-17 requires management to be responsible for the development and maintenance of internal controls, even if the agency uses a third party.

Per the EPA SLCM policy, system owners and system managers must review and approve the system's tailoring decisions. The project manager must document the tailoring reviews and approvals in the system decision documents. Per the EPA SLCM procedure, the project manager and system manager must periodically conduct reviews to assess the health of the system and its suitability to meet business requirements during the Operations and Maintenance phase of the process.

The SLCM policy states that system tailoring involves deciding "the order of implementing SLCM phases and the level of detail required to complete them."

ECSS Oversight Lapsed After Reorganization

In FY 2016, the then OEI underwent a reorganization that transferred ECSS ownership from the OEI's Office of Information Analysis and Access to the OEI's Office of Information Management. During the ownership transfer, the Office of Information Management did not understand that the ECSS needed to follow EPA SLCM policies and procedures and did not conduct key project management oversight activities. As a result, the EPA did not create decision documents for key milestones for the ECSS.

SLCM documentation was lacking: the EPA complied with only four of the eight SLCM requirements we tested, as depicted in Table 1. The EPA lacked the following required SLCM documents:
• Business Justification describing the business rationale for developing the system.
• Tailoring Plan deciding the order of implementing SLCM phases and the level of detail required to complete them.
• Configuration Management Plan describing the process for reviewing and approving proposed changes to the system configuration baseline, defining approval levels for authorizing changes, and providing a method to validate approved changes.
• User Satisfaction Review to measure how well the investment meets customer needs.

Table 1: SLCM compliance for most recent ECSS vendor

EPA SLCM phase            Required documentation          Compliance with SLCM requirement?
Pre-Definition            Segment Architecture Charter    Compliant
Definition                Business Justification          Not Compliant
                          Tailoring Plan                  Not Compliant
Implementation            Configuration Management Plan   Not Compliant
                          Authorization to Operate        Compliant
Operations & Maintenance  In-Process Review               Compliant
                          User Satisfaction Review        Not Compliant
                          Control Gate #5 Decision Memo   Compliant

Source: OIG analysis.
Likewise, as outlined in Table 2, the EPA complied with one of the four SLCM requirements we tested for its planned future ECSS vendor. The EPA lacked the following required SLCM documents:
• Control Gate #1 Decision Memo determining the business need or performance gap fulfilled by the system.
• Enterprise Architecture Compliance and System Selection Review documenting approval of the system's business case as a good investment for the agency that does not conflict with current enterprise architecture.
• Enterprise Architecture Compliance Certification ensuring the system's design addresses the business need and aligns with agency enterprise architecture.

Table 2: SLCM compliance for planned future ECSS vendor

EPA SLCM phase           Required documentation                                              Compliance with SLCM requirement?
Pre-Definition           Segment Architecture Charter                                        Compliant
                         Control Gate #1 Decision Memo                                       Not Compliant
Definition               Enterprise Architecture Compliance and System Selection Review      Not Compliant
Acquisition/Development  Enterprise Architecture Compliance Certification                    Not Compliant

Source: OIG analysis.

EPA Did Not Verify Receipt of Contract Deliverables or Compliance with Federal Security Requirements

Based on the statement of work, the most recent ECSS vendor agreed to provide annual deliverables to the EPA and pursue FedRAMP certification as part of its paid contracting services. However, due to a lack of management oversight, the ECSS project manager did not have documentation of the following statement of work annual vendor deliverables:
• Yearly evaluation of the ECSS software and service.
• Yearly optimization sessions with EPA program offices to assess workflows and identify best practices.
• Annual online refresher training for system users and administrators.

Also, the ECSS project manager and system owner did not confirm that the ECSS vendor obtained its FedRAMP certification as stated in its statement of work and required by the OMB for cloud-based service providers. By not verifying certification, the EPA entrusted its data to a cloud-based service provider that may not be able to protect the EPA's data.

Conclusion

The EPA's CIO 2121.1, SLCM Policy, states that "The purpose of this policy is to establish a consistent framework across the Agency to ensure that EPA IT systems and applications are properly planned and managed, controllable, cost-effective and that they support the Agency's mission and business goals." The EPA finds itself in a position where management direction for the ECSS is not clearly articulated to those responsible for verifying the desired outcomes because management did not follow the agency's framework. Further, insufficient oversight led the EPA to pay for services it did not receive and to continue placing agency data in a cloud-based environment with unknown capability for protecting the data.

Recommendations

We recommend that the Assistant Administrator for Mission Support:

1. Verify that the project manager and system owner adhere to the System Life Cycle Management policies and procedures when implementing the Enterprise Customer Service Solution.

2. Implement internal controls to verify receipt of the Enterprise Customer Service Solution statement of work deliverables.

3. Implement internal controls to verify that cloud-service providers for the Enterprise Customer Service Solution are Federal Risk and Authorization Management Program certified.

EPA Response and OIG Evaluation

The EPA agreed with our recommendations and provided acceptable proposed corrective actions and completion dates.

To address Recommendation 1, the CIO agreed with the recommendation in part.
The CIO indicated that the CIO would direct the responsible office to provide the required SLCM documentation to the office's Audit Follow-Up Coordinator. We believe having the responsible office send the required documentation to an external third party would serve as a verification that the required documentation has been produced. Therefore, we consider Recommendation 1 resolved with corrective actions pending.

For Recommendation 2, the EPA indicated it would schedule a review to confirm receipt of contract deliverables. The EPA indicated it had completed the corrective action, but upon further inquiry we found it was unable to provide documentation to confirm receipt of contract deliverables. Therefore, we consider Recommendation 2 unresolved pending the agency's response to the final report.

For Recommendation 3, the EPA indicated it would replace the vendor-supported application for the ECSS with an in-house-developed solution by September 30, 2020. This would negate the need for the current ECSS vendor to be Federal Risk and Authorization Management Program-certified. Therefore, we consider Recommendation 3 resolved with corrective actions pending.

The EPA's written response is in Appendix A.

Chapter 3
ECSS Classification Incorrect During CPIC Review

The EPA did not correctly classify the ECSS during the agency's CPIC review. The EPA's CIO 2120.1, CPIC Policy, requires offices to categorize their IT investments based on the annual amount spent. However, due to a lack of communication between the ECSS stakeholders and the CPIC team, the CPIC team relied on outdated information regarding ECSS annual expenditures. Consequently, the agency did not identify that the ECSS annual costs exceeded the $250,000 threshold and thus would place the IT investment in a different category. Further, we determined that the EPA had not completed corrective actions for Recommendation 2 of OIG Report No. 15-P-0292, to update the CPIC policy to include a requirement to document formal evaluations of all medium and lite investments. This incorrect categorization could contribute to the ECSS project manager not conducting additional oversight to ensure that the money spent on the application is helping the project meet its intended purpose.

EPA Misclassified ECSS Within CPIC

The EPA did not categorize the ECSS correctly based on the actual amount annually expended for the project. The EPA CPIC policy has four EPA IT investment categories based on the investment's annual expenditures (see Figure 2). The EPA's CIO 2120-P-02.1, CPIC Procedures for the OMB Exhibits, requires that project managers provide the CPIC team with an "Investment Change in Status form" to change an investment's category.

Figure 2: CPIC investment categories based on annual expenditures
  Small and Other: less than $250,000
  Lite: between $250,000 and $2 million
  Medium: between $2 million and $5 million
  Major: greater than $5 million
Source: OIG-created image.

The EPA did not establish a process for ECSS stakeholders and the CPIC team to verify the actual costs of the ECSS against the CPIC IT investment category reporting requirements. Due to this lack of communication between the CPIC team and ECSS stakeholders, the CPIC team relied on outdated information regarding the ECSS' annual costs. Furthermore, the ECSS is an older WCF IT investment that used to fall under the small and other CPIC IT investment category. In 2015, the EPA procured a new vendor for the ECSS in which annual costs were greater than the $250,000 threshold. Therefore, the ECSS should have been reclassified from a small and other IT investment to a lite IT investment. However, the ECSS project manager did not provide the CPIC team with an "Investment Change in Status" form to upgrade the ECSS to a lite IT investment as required.
Evaluation of Medium and Lite Investments Not Documented

We followed up on the status of corrective actions the EPA took for OIG Report No. 15-P-0292, EPA Needs to Improve Recording Information Technology Investments and Issue a Policy Covering All Investments, dated September 22, 2015. That report found that the reviews of medium and lite investments were not documented in the agency's CPIC policy, and recommended that the EPA update the CPIC process policy to require documentation of the agency's formal evaluations of medium and lite investments. The EPA agreed to incorporate a portfolio review process called "Pre Exhibit 100 Reviews" to the EPA's CPIC policy and procedure by December 31, 2015. However, although the CPIC policy and procedure were updated, they did not include "Pre Exhibit 100 Reviews" to document evaluations of medium and lite investments.

Conclusion

The agency noted that the CPIC process is the methodology used for "selecting, controlling and evaluating the performance of EPA IT investments throughout the full lifecycle." By miscategorizing IT investments and not reviewing IT investments with annual expenditures below the major investment level, the agency lacked much-needed information to make strategic decisions regarding IT investments that are critical to accomplishing the EPA's mission.

Recommendations

We recommend that the Assistant Administrator for Mission Support:

4. Create a process to verify annual costs of the Enterprise Customer Service Solution to validate that the investment is recorded in the correct Capital Planning and Investment Control investment category.

5. Submit the "Investment Change in Status" form to upgrade the Enterprise Customer Service Solution categorization from the Capital Planning and Investment Control "small and other IT investment" category to the Capital Planning and Investment Control "lite" category.

6. Update the Capital Planning and Investment Control policy and procedure to incorporate the existing requirement for the agency to document its formal evaluations of Capital Planning and Investment Control "medium" and "lite" investments.

EPA Response and OIG Evaluation

The EPA provided an acceptable proposed corrective action plan and completion date for Recommendation 4. The EPA agreed to address the annual costs associated with the ECSS and determine its appropriate CPIC investment category as part of the annual portfolio review process. The agency CPIC process requires offices to identify the cost associated with an IT investment. Therefore, we believe this corrective action meets the intent of the recommendation, and we consider Recommendation 4 resolved with corrective actions pending.

For Recommendation 5, the EPA provided documentation that it has completed an "Investment Change in Status" form, and that action satisfies Recommendation 5.

For Recommendation 6, the EPA indicated that major revisions to the CPIC guidance are forthcoming. The agency indicated that it would develop a policy and procedures to incorporate the new guidance when it becomes available. However, the agency did not indicate whether it would incorporate requirements for the agency to document its formal evaluations of CPIC "medium" and "lite" investments. Therefore, it is incumbent upon management to include in the new policy and procedures requirements to evaluate CPIC "medium" and "lite" investments if the new CPIC guidance does not address this issue. We consider Recommendation 6 unresolved pending management's response to the final report.

The EPA's written response is in Appendix A.

Status of Recommendations and Potential Monetary Benefits

RECOMMENDATIONS
Subject Status1 Action Official Planned Completion Date Potential Monetary Benefits (in $000s) 8 Verify that the project manager and system owner adhere to the System Life Cycle Management policies and procedures when implementing the Enterprise Customer Service Solution. 8 Implement internal controls to verify receipt of the Enterprise Customer Service Solution statement of work deliverables. 8 Implement internal controls to verify that cloud-service providers for the Enterprise Customer Service Solution are Federal Risk and Authorization Management Program certified. 10 Create a process to verify annual costs of the Enterprise Customer Service Solution to validate that the investment is recorded in the correct Capital Planning and Investment Control investment category. 10 Submit the Investment Change in Status" form to upgrade the Enterprise Customer Service Solution categorization from Capital Planning and Investment Control "small and other IT investment" category to the Capital Planning and Investment Control "lite" category. 10 Update the Capital Planning and Investment Control policy and procedure to incorporate the existing requirement for the agency to document its formal evaluations of Capital Planning and Investment Control "medium" and "lite" investments. R Assistant Administrator for 1/15/20 Mission Support U Assistant Administrator for Mission Support R Assistant Administrator for 9/30/19 Mission Support R Assistant Administrator for 1/15/20 Mission Support C Assistant Administrator for 1/29/19 Mission Support U Assistant Administrator for Mission Support C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress. 19-P-0278 12 ------- Appendix A EPA Response to Draft Report $ Mm UNITED STATES ENVIRONMENTAL PROTECTION AGENCY PR0^( WASHINGTON. D.C. 
20460

OFFICE OF MISSION SUPPORT

MEMORANDUM

SUBJECT: Response to the Office of Inspector General Draft Report No. OA&E-FY18-0261, "EPA Oversight Over Enterprise Customer Service Solution Needs Improvement," dated May 13, 2019

FROM: Vaughn Noga, Chief Information Officer and Deputy Assistant Administrator for Environmental Information (digitally signed by VAUGHN NOGA)

TO: Rudolph M. Brevard, Information Resources Management Directorate, Office of Audit and Evaluation

Thank you for the opportunity to respond to the issues and recommendations in the subject audit report. Following is a summary of the agency's overall position, along with its position on each of the report recommendations. For those report recommendations with which the agency agrees, we have provided high-level intended corrective actions and estimated completion dates. There are no recommendations that the agency disagrees with.

AGENCY'S OVERALL POSITION

The EPA agrees with the Office of Inspector General's (OIG) overall report, that there were areas for improvement in the agency's oversight over the Enterprise Customer Service Solution (ECSS) system. The EPA further agrees with the OIG's report that the EPA has already begun making many of the improvements identified in the report.

Agreements

| No. | Recommendation | High-Level Intended Corrective Actions | Estimated Completion Date |
|---|---|---|---|
| 1 | Verify that the project manager and system owner adhere to the System Life Cycle Management policies and procedures when implementing the Enterprise Customer Service Solution. | 1.1 The Chief Information Officer concurs with the recommendation in part and will direct OMS-EI-OIM to provide the appropriate System Life Cycle Management documentation to OMS' audit follow-up coordinator going forward. Because OMS plans to discontinue use of the service in FY 2020, we will not develop retrospective documentation for previous life cycle stages. | January 15, 2020 |
| 2 | Implement internal controls to verify receipt of Enterprise Customer Service Solution statement of work deliverables. | 2.1 Sixty days prior to the next and final option year, schedule reviews to confirm receipt of contract deliverables. | July 30, 2019 |
| 3 | Implement internal controls to verify that cloud-service providers for the Enterprise Customer Service Solution are Federal Risk and Authorization Management Program certified. | 3.1 It has been determined that the cloud service provider (Zendesk) is not making sufficient progress in getting FedRAMP certification. OMS-EI will discontinue use of Zendesk in FY 2020. | September 30, 2020 |
| 4 | Create a process to verify annual costs of the Enterprise Customer Service Solution to validate that the investment is recorded in the correct Capital Planning and Investment Control investment category. | 4.1 Until OMS discontinues use of ECSS in FY 2020, we will continue to address the annual costs associated with ECSS and make a determination as to its appropriate CPIC investment category as part of the annual portfolio review process conducted in accordance with FITARA. | January 15, 2020 |
| 5 | Submit the "Investment Change in Status" form to upgrade the Enterprise Customer Service Solution category from the Capital Planning and Investment Control "small and other IT investment" category to the Capital Planning and Investment Control "lite" category. | 5.1 Submit the "Investment Change of Status" form to upgrade the Enterprise Customer Service Solution category from the Capital Planning and Investment Control "small and other IT investment" category to "lite". | Completed January 29, 2019 |
| 6 | Update the Capital Planning and Investment Control policy and procedure to incorporate the requirement for the agency to document its formal evaluations of Capital Planning and Investment Control "medium" and "lite" investments. | 6.1 The Office of Management and Budget has advised OMS-EI that major revisions to the CPIC are forthcoming. The agency will develop a policy and procedures to incorporate the new guidance when it becomes available. | September 30, 2020 |

CONTACT INFORMATION

If you have any questions regarding this response, please contact Marilyn Armstrong, Audit Follow-up Coordinator, Office of Mission Support, on (202) 564-1876.

cc: Marilyn Armstrong, OMS
    Jeff Wells, OMS
    Majal .ee, OMS
    I in Darlington, OMS
    Holly Henderson, OMS

Appendix B

Distribution

The Administrator
Deputy Administrator
Chief of Staff
Deputy Chief of Staff
Assistant Administrator for Mission Support
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Continuous Improvement, Office of the Administrator
Principal Deputy Assistant Administrator for Mission Support
Associate Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Environmental Information and Chief Information Officer, Office of Mission Support
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Information Management, Office of Mission Support
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support