j A *
1®
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Hotline Report:
Operating Efficiently and Effectively
EPA Oversight over
Enterprise Customer Service
Solution Needs Improvement
Report No. 19-P-0278
August 19, 2019
-------�
Report Contributors:
Rudolph M. Brevard
Christina Nelson
Jeremy Sigel
Abbreviations
CIO Chief Information Officer
CPIC Capital Planning and Investment Control
CRM Customer Relationship Management
ECSS Enterprise Customer Service Solution
EPA U.S. Environmental Protection Agency
FedRAMP Federal Risk and Authorization Management Program
FY Fiscal Year
IT Information Technology
OEI Office of Environmental Information
OIG Office of Inspector General
OMB Office of Management and Budget
OMS Office of Mission Support
SLCM System Life Cycle Management
WCF Working Capital Fund
Cover photo: The EPA's Enterprise Customer Service Solution information technology
investment must meet Working Capital Fund, System Life Cycle Management,
and Capital Planning and Investment Control policies and procedures.
(EPA OIG image)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
^tDsrx
* Q \
\X!
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
19-P-0278
August 19, 2019
Why We Did This Project
The U.S. Environmental
Protection Agency's (EPA's)
Office of Inspector General
(OIG) conducted this audit in
response to an anonymous
hotline complaint. We sought to
determine whether the EPA
followed documented policies
and procedures for providing
information technology (IT)
software under the Working
Capital Fund (WCF).
Specifically, we reviewed how
the EPA managed a project to
implement an Enterprise
Customer Service Solution
(ECSS)/Customer Relationship
Management system.
The WCF provides a centralized
source for administrative and
support services for the EPA.
The ECSS is a WCF application
to host the EPA's Frequently
Asked Questions and inquiries
from the agency's public
website. Since the ECSS is an
IT investment, it must meet
System Life Cycle Management
(SLCM) and Capital Planning
and Investment Control policies
and procedures.
This report addresses the
following:
• Operating efficiently and
effectively.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.
EPA Oversight over Enterprise Customer
Service Soiution Needs Improvement
What We Found
The EPA did not implement key oversight
activities for the ECSS to meet several agency
software requirements. These activities included
documenting the agency's business justification,
having the required plans, and doing a user
satisfaction review. Further, the ECSS was not
classified into the correct IT investment category
Office of Management and Budget memorandums describe the agency's
management oversight responsibilities for information systems. The EPA SLCM
policy and procedures provide a framework for system and project managers to
tailor system life cycle management controls for information systems. The EPA
Capital Planning and Investment Control policy and procedures identify the
classification requirements for IT investments.
The problems we identified existed because the ECSS team did not have
processes in place to:
• Transfer ownership during the responsible office's reorganization in 2016.
• Document delivery of the vendor's annual deliverables.
• Verify cloud service vendor compliance with mandatory federal IT security
requirements.
In addition, the ECSS team did not identify and report that annual costs
exceeded a $250,000 threshold, which would have placed the project into a
different IT investment category with additional reporting requirements. This
occurred because the Capital Planning and Investment Control team lacked a
process to validate the costs for IT investments and the team did not complete
the corrective action for a prior 2015 OIG audit recommendation.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Mission Support verify that
responsible personnel adhere to the agency's SLCM policy and procedures and
implement needed internal controls. We also recommend implementing a
process to verify that recording of costs is proper and make needed changes to
project documentation. The agency agreed with the recommendations and
provided acceptable planned corrective actions to address Recommendations 1,
3 and 4, and we consider those recommendations resolved with corrective
actions pending. The agency did not provide acceptable corrective actions to
address Recommendations 2 and 6 and we consider them unresolved pending
management's response to the final report. The agency also took the corrective
action for Recommendation 5 and we consider that recommendation completed.
Ineffective project
oversight limits the
agency's ability to balance
IT investments at the
lowest cost while
addressing agency needs.
-------�
^£DSX
s rjQLi \ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
| j? WASHINGTON, D.C. 20460
%S
*1 PRO"^ OFFICE OF
INSPECTOR GENERAL
August 19, 2019
MEMORANDUM
SUBJECT: EPA Oversight over Enterprise Customer Service Solution Needs Improvement
Report No. 19-P-0278
FROM: Charles J. Sheehan, Deputy Inspector General IaJvUu
(J
TO: Donna Vizian, Principal Deputy Assistant Administrator
Office of Mission Support
This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the
U. S. Environmental Protection Agency (EPA). The project number for this audit was OA&E-FY 18-0261.
This report contains findings that describe the problems the OIG has identified and improvements the
OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the
final EPA position. Final determinations on matters in this report will be made by EPA managers in
accordance with established audit resolution procedures.
The EPA's Office of Mission Support is responsible for the issues discussed in this report.
Action Required
In accordance with EPA Manual 2750, the Office of Mission Support provided acceptable corrective
actions and milestone dates in response to Recommendations 1,3,4 and 5. We consider these
recommendations resolved and no further response to those recommendations is required. However, if
you submit a response, it will be posted on the OIG's website, along with our memorandum commenting
on your response. Your response should be provided as an Adobe PDF file that complies with the
accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final
response should not contain data that you do not want to be released to the public; if your response
contains such data, you should identify the data for redaction or removal along with corresponding
justification.
We consider Recommendations 2 and 6 to be unresolved. In accordance with EPA Manual 2750, the
resolution process begins immediately with the issuance of the report. We are requesting a meeting
within 30 days between the Principal Deputy Assistant Administrator for Mission Support and the OIG's
Assistant Inspector General for Audit and Evaluation. If resolution is not reached, the Office of Mission
Support is required to complete and submit a dispute resolution request to the Chief Financial Officer.
We will post this report to our website at www.epa.gov/oig.
-------�
EPA Oversight over Enterprise Customer
Service Solution Needs Improvement
19-P-0278
Table of C
Chapters
1 Introduction 1
Purpose 1
Background 1
Responsible Offices 2
Scope and Methodology 3
Prior Audits 3
2 Better Oversight Needed for the ECSS WCF IT Investment 5
Federal Memorandum and EPA Policy and Procedure
Outline Oversight Requirements 5
ECSS Oversight Lapsed After Reorganization 6
EPA Did Not Verify Receipt of Contract Deliverables or
Compliance with Federal Security Requirements 7
Conclusion 7
Recommendations 8
EPA Response and OIG Evaluation 8
3 ECSS Classification Incorrect During CPIC Review 9
EPA Misclassified ECSS Within CPIC 9
Evaluation of Medium and Lite Investments Not Documented 10
Conclusion 10
Recommendations 10
EPA Response and OIG Evaluation 11
Status of Recommendations and Potential Monetary Benefits 12
Appendices
A EPA Response to Draft Report 13
B Distribution 16
-------�
Chapter 1
Introduction
Purpose
In April 2018, the U.S. Environmental Protection Agency (EPA) Office of
Inspector General (OIG) received an anonymous hotline complaint regarding how
the EPA manages and uses the Enterprise Customer Service Solution (ECSS), a
Customer Relationship Management (CRM) system paid for and maintained
through the agency's Working Capital Fund (WCF). We conducted this audit to
determine whether the EPA followed its policies and procedures for software
purchases under the WCF. Specifically, we reviewed how the EPA managed the
project for the ECSS/CRM system.
Background
The EPA established the WCF in fiscal year (FY) 1997 based upon appropriation
language and with the authority of the Government Management Reform Act of
1994. The WCF is used to provide centralized administrative and support services
for the EPA. Mandatory services or products must be purchased through the
WCF, while discretionary services can be planned, budgeted and charged to
individual offices. The ECSS is a data processing discretionary service that can be
procured from the WCF.
The EPA initiated a project to implement its CRM system using the ECSS
application. The EPA indicates the purpose of the project was to use commercial-
off-the-shelf software to automate and standardize comments and queries from the
agency's public website into a Frequently Asked
Questions webpage. Since the project began more than a
decade ago, according to EPA personnel, the EPA has
used several vendors to accomplish this function. In
2015, the EPA contracted with a cloud-service provider
to implement and manage its ECSS. The EPA plans to
implement a new ECSS application at the end of FY
2020 and discontinue the use of this cloud-service
provider.
The Office of Management and Budget (OMB) and the EPA establish criteria for
managing information systems and information technology (IT) investments. Per
OMB Memorandum M-16-17, OMB Circular A-12 3, Management's Responsibility
for Enterprise Risk Management and Internal Control, July 15, 2016, if the agency
uses a third party to provide information system services, "[management ... retains
overall responsibility and accountability for all controls related to the processes
A CRM application
maintains a centralized
view of all interactions
and improves the
outreach experience to
citizens contacting and
engaging with the
agency through
various methods.
19-P-0278
1
-------�
provided by a third party, and must monitor the process as a whole to make sure it is
effective."
EPA Chief Information Officer (CIO) Directive
2121.1, System Life Cycle Management
(SLCM) Policy, dated September 21, 2012, and
updated on December 21, 2017, establishes a
six-phase life-cycle framework for the planning
and management of all EPA IT systems and
applications (see Figure 1). The related
procedure (CIO Directive 2121-P-03.0)
provides a framework for system owners,
system managers and project managers to
comply with the six phases. When developing
applications provided through the WCF, EPA
offices must follow the agency's SLCM policy
to implement and manage the IT investment.
The EPA's SLCM policy applies to systems
developed on behalf of the EPA by contractors.
EPA offices must also follow the EPA's CIO Directive 2120.1, CPICProgram
Policy for the Management of Information Technology Investments, dated
September 22, 2015, and updated on December 21, 2017. The directive requires
EPA offices to report to the OMB on the status of the IT investment's
performance using the agency's Capital Planning and Investment Control (CPIC)
process. The EPA stated on its CPIC intranet that its CPIC program provides a
structured, integrated approach to manage IT investments and that the program
"ensures that all IT investments align with the EPA mission and support business
needs while minimizing risk and maximizing returns through the investment's
lifecycle."
The EPA CPIC policy classifies CPIC IT investments into four distinct types—
major, medium, lite and small/other—and uses annual expenditure thresholds as
criteria for each category. Reporting requirements vary based upon the CPIC
investment type. The EPA states on its CPIC intranet website that it uses the
government-owned, web-based Electronic Capital Planning and Investment
Control system (known as "eCPIC") to prepare and submit its Agency IT
Portfolio Summary to the OMB.
Responsible Offices
The EPA's former Office of Environmental Information (OEI) was responsible for
the oversight of the ECSS (in November 2018, during the course of our audit, the
agency combined the Office of Administration and Resources Management and the
OEI into one office—the Office of Mission Support (OMS)). The ECSS is
managed by the OMS' Office Information Management, Web Content Services
Figure 1: SLCM Phases
Acquisition/Development
Implementation
Operations & Maintenance
Definition
Pre-Definition
Termination
Source: OIG-created image.
19-P-0278
2
-------�
Division. The OMS' Office of Customer Advocacy, Policy and Portfolio
Management provides strategic planning, management of the information directives
program, and information portfolio management for the agency. The OMS is also
responsible for WCF's data processing services, which includes the ECSS.
Scope and Methodology
We conducted this audit from July 2018 to May 2019 in accordance with
generally accepted government auditing standards. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objective.
We confirmed that the ECSS is a WCF IT investment by reviewing the catalogue
of services offered through the WCF. We reviewed the EPA's SLCM and CPIC
policies and procedures to determine what documentation is required during the
SLCM and CPIC processes. We reviewed ECSS documentation to determine
whether it met SLCM and CPIC requirements. We interviewed the ECSS project
manager and system owner to gather an understanding of how they managed the
ECSS to be compliant with the EPA's SLCM and CPIC processes. We also
interviewed the EPA's CPIC representatives to understand the correlation
between the CPIC process and the WCF IT investment process.
Prior Audits
EPA OIG Report No. 15-P-0292. EPA Needs to Improve Recording Information
Technology Investments and Issue a Policy Covering All Investments, dated
September 22, 2015, found that reviews of medium and lite investments were not
documented in the EPA's CPIC policy. The OIG recommended that the EPA
update its CPIC policy to require documentation of the agency's formal evaluations
of medium and lite investments. The EPA agreed to incorporate a portfolio review
process called "Pre Exhibit 100 Reviews" in its CPIC policy and procedure by
December 31, 2015, and according to the EPA's Management Audit Tracking
System database the agency completed the action. However, during this audit, we
confirmed that while the CPIC policy and procedure were updated, they did not
include "Pre Exhibit 100 Reviews" to document evaluations of medium and lite
investments. Therefore, we determined the prior corrective action to be incomplete.
EPA OIG Report No. 15-P-0295. EPA Needs to Improve the Recognition and
Administration of Cloud Services for the Office of Water's Permit Management
Oversight System, dated September 24, 2015, found the EPA was not fully aware
of the extent of its use of cloud services. The OIG made two recommendations
related to the objectives of this audit. The OIG recommended that the EPA
develop guidance for IT and cloud procurements to be identified, and develop and
maintain an inventory of cloud systems. The EPA agreed to develop the guidance,
and also agreed to add a "hosting type" field in the Registry of EPA Applications,
19-P-0278
3
-------�
Models and Data Warehouses for the owner of the system to identify the type of
hosting for each application. According to the EPA's Management Audit
Tracking System, the agency has completed the corrective actions for these two
recommendations. As part of annual OIG Federal Information Security
Modernization Act audit work, the OIG has verified the completion of these
corrective actions.
19-P-0278
4
-------�
Chapter 2
Better Oversight Needed for the
ECSS WCF IT Investment
The EPA needs to improve oversight for the WCF IT investment—ECSS—during
the multiple phases of the project's lifecycle. Lapses in key oversight activities for
the ECSS—such as a lack of documented business justification, tailoring plan,
configuration management plan and user satisfaction review—led to the ECSS not
meeting several EPA and OMB requirements. Federal memorandums and the
EPA SLCM policy and procedure outline responsibilities for the project manager
and system manager when developing EPA applications. The lack of oversight
during key project phases resulted from the ECSS project management team not
having processes in place to:
• Assume ownership responsibilities for the ECSS during a reorganization.
• Document the vendor's annual deliverables.
• Verify that the ECSS cloud service vendor could meet Federal Risk and
Authorization Management Program (FedRAMP) requirements.
As a result, the EPA cannot demonstrate
ECSS accomplishes its goals. In addition,
the EPA used a third-party cloud service
provider without knowing whether the
vendor met the mandatory federal
information security requirements needed
to protect agency data.
Federal Memorandum and EPA Policy and
Procedure Outline Oversight Requirements
As an IT investment, the ECSS must follow the OMB memorandum and EPA
SLCM policy and procedure to achieve desired outcomes and business purposes.
OMB Memorandum M-16-17 requires management to be responsible for the
development and maintenance of internal controls, even if the agency uses a third
party.
Per the EPA SLCM policy, system owners and system
managers must review and approve the system's tailoring
decisions. The project manager must document the tailoring
reviews and approvals in the system decision documents. Per
the EPA SLCM procedure, the project manager and system
manager must periodically conduct reviews to assess the health
The U.S. General Services
Administration defines FedRAMP on
the FedRAMP's website as a
"government-wide program that
provides a standardized approach to
security assessment, authorization,
and continuous monitoring for cloud
products and services."
The SLCM policy states that
system tailoring involves
deciding "the order of
implementing SLCM phases
and the level of detail required
to complete them."
19-P-0278
5
-------�
of the system and its suitability to meet business requirements during the
Operations and Maintenance phase of the process.
ECSS Oversight Lapsed After Reorganization
In FY 2016, the then OEI underwent a reorganization that transferred ECSS
ownership from the OEI's Office of Information Analysis and Access to the
OEI's Office of Information Management. During the ownership transfer, the
Office of Information Management did not understand that the ECSS needed to
follow EPA SLCM policies and procedures and did not conduct key project
management oversight activities. As a result, the EPA did not create decision
documents for key milestones for ECSS.
While SLCM documentation was lacking, we found that the EPA complied with
only four out of the eight SLCM requirements we tested, as depicted in Table 1.
The EPA lacked the following required SLCM documents:
• Business Justification describing the business rationale for developing the
system.
• Tailoring Plan deciding the order of implementing SLCM phases and the
level of detail required to complete them.
• Configuration Management Plan describing the process for reviewing and
approving proposed changes to the system configuration baseline, defining
approval levels for authorizing changes, and providing a method to
validate approved changes.
• User Satisfaction Review to measure how well the investment meets
customer needs.
Table 1: SLCM compliance for most recent ECSS vendor
EPA SLCM phase
Required documentation
Compliance with
SLCM requirement?
Pre-Definition
Segment Architecture Charter
Compliant
Definition
Business Justification
Not Compliant
Tailoring Plan
Not Compliant
Implementation
Configuration Management Plan
Not Compliant
Authorization to Operate
Compliant
Operations & Maintenance
In-Process Review
Compliant
User Satisfaction Review
Not Compliant
Control Gate #5 Decision Memo
Compliant
Source: OIG analysis.
Likewise, as outlined in Table 2, the EPA complied with one of the four SLCM
requirements we tested for its planned future ECSS vendor. The EPA lacked the
following required SLCM documents:
19-P-0278
6
-------�
• Control Gate #1 Decision Memo determining the business need or
performance gap fulfilled by the system.
• Enterprise Architecture Compliance and System Selection Review
documenting approval of the system's business case as a good investment
for the agency that does not conflict with current enterprise architecture.
• Enterprise Architecture Compliance Certification ensuring the system's
design addresses the business need and aligns with agency enterprise
architecture.
Table 2: SLCM compliance for planned future ECSS vendor
EPA SLCM phase
Required documentation
Compliance with
SLCM requirement?
Pre-Definition
Segment Architecture Charter
Compliant
Control Gate #1 Decision Memo
Not Compliant
Definition
Enterprise Architecture Compliance
and System Selection Review
Not Compliant
Acquisition/Development
Enterprise Architecture Compliance
Certification
Not Compliant
Source: OIG analysis.
EPA Did Not Verify Receipt of Contract Deliverables or
Compliance with Federal Security Requirements
Based on the statement of work, the most recent ECSS vendor agreed to provide
annual deliverables to the EPA and pursue FedRAMP certification as part of its
paid contracting services. However, due to a lack of management oversight, the
ECSS project manager did not have documentation of the following statement of
work annual vendor deliverables:
• Yearly evaluation of the ECSS software and service.
• Yearly optimization sessions with EPA program offices to assess
workflows and identify best practices.
• Annual online refresher training for system users and administrators.
Also, the ECSS project manager and system owner did not confirm that the ECSS
vendor obtained its FedRAMP certification as stated in its statement of work and
required by the OMB for cloud-based service providers. By not verifying
certification, the EPA entrusted its data to a cloud-based service provider that may
not be able to protect the EPA's data.
Conclusion
The EPA's CIO 2121.1, SLCM Policy, states that "The purpose of this policy is to
establish a consistent framework across the Agency to ensure that EPA IT systems
and applications are properly planned and managed, controllable, cost-effective and
that they support the Agency's mission and business goals." The EPA finds itself in
19-P-0278
7
-------�
a position where management direction for the ECSS is not clearly articulated to
those responsible for verifying the desired outcomes because management did not
follow the agency's framework. Further, insufficient oversight led the EPA to pay
for services it did not receive and continue placing agency data in a cloud-based
environment with unknown capability for protecting the data.
Recommendations
We recommend that the Assistant Administrator for Mission Support:
1. Verify that the proj ect manager and system owner adhere to the System
Life Cycle Management policies and procedures when implementing the
Enterprise Customer Service Solution.
2. Implement internal controls to verify receipt of the Enterprise Customer
Service Solution statement of work deliverables.
3. Implement internal controls to verify that cloud-service providers for the
Enterprise Customer Service Solution are Federal Risk and Authorization
Management Program certified.
EPA Response and OIG Evaluation
The EPA agreed with our recommendations and provided acceptable proposed
corrective actions and completion dates. To address Recommendation 1, the CIO
agreed with the recommendation in part. The CIO indicated that the CIO would
direct the responsible office to provide the required SLCM documentation to the
office's Audit Follow-Up Coordinator. We believe having the responsible office
send the required documentation to an external third party would serve as a
verification that the required documentation has been produced. Therefore, we
consider Recommendation 1 resolved with corrective actions pending.
For Recommendation 2, the EPA indicated it would schedule a review to confirm
receipt of contract deliverables. The EPA indicated it had completed the
corrective action, but upon further inquiry we found it was unable to provide
documentation to confirm receipt of contract deliverables. Therefore, we consider
Recommendation 2 unresolved pending the agency's response to the final report.
For Recommendation 3, the EPA indicated it would replace the vendor-supported
application for ECSS with an in-house-developed solution by September 30,
2020. This would negate the need for the current ECSS vendor to be Federal Risk
and Authorization Management Program-certified. Therefore, we consider the
Recommendation 3 resolved with corrective actions pending.
The EPA's written response is in Appendix A.
19-P-0278
8
-------�
Chapter 3
ECSS Classification Incorrect During CPIC Review
The EPA did not correctly classify the ECSS during the agency's CPIC review.
The EPA's CIO 2120.1, CPIC Policy, requires offices to categorize their IT
investments based on the annual amount spent. However, due to a lack of
communication between the ECSS stakeholders and the CPIC team, the CPIC team
relied on outdated information regarding ECSS annual expenditures. Consequently,
the agency did not identify that the ECSS annual costs exceeded the $250,000
threshold and thus would place the IT investment in a different category. Further,
we determined that the EPA had not completed corrective actions for
Recommendation 2 of the OIG Report No. 15-P-0292. to update CPIC policy to
include a requirement to document formal evaluations of all medium and lite
investments. This incorrect categorization could contribute to the ECSS project
manager not conducting additional oversight to ensure that the money spent on the
application is helping the project meet its intended purpose.
EPA Misclassified ECSS Within CPIC
The EPA did not categorize the ECSS correctly based on the actual amount
annually expended for the project. The EPA CPIC policy has four EPA IT
investment categories based on the investment's annual expenditures (see
Figure 2). The EPA's CIO 2120-P-
02.1, CPIC Procedures for the OMB
Exhibits, requires that project
managers provide the CPIC team
with an "Investment Change in Status
form" to change an investment's
category.
The EPA did not establish a process
for ECSS stakeholders and the CPIC
team to verify the actual costs of the
ECSS against the CPIC IT investment
category reporting requirements.
Due to this lack of communication
between the CPIC team and ECSS
stakeholders, the CPIC team relied on
outdated information regarding the
ECSS' annual costs. Furthermore, the ECSS is an older WCF IT investment that
used to fall under the small and other CPIC IT investment category. In 2015, the
EPA procured a new vendor for the ECSS in which annual costs were greater than
the $250,000 threshold. Therefore, the ECSS should have been reclassified from a
Figure 2: CPIC investment categories based
on annual expenditures
Medium: between
$2-5 million
Major: greater than
$5 million
Small and Other:
less than $250,000
Lite: between $250,000
and $2 million
Source: OIG-created image.
19-P-0278
9
-------�
small and other IT investment to a lite IT investment. However, the ECSS project
manager did not provide the CPIC team with an "Investment Change in Status"
form to upgrade the ECSS to a lite IT investment as required.
Evaluation of Medium and Lite Investments Not Documented
We followed up on the status of corrective actions the EPA took for OIG
Report No. 15-P-0292. EPA Needs to Improve Recording Information Technology
Investments and Issue a Policy Covering All Investments, dated September 22,
2015. That report found that the reviews of medium and lite investments were not
documented in the agency's CPIC policy, and recommended that the EPA update
the CPIC process policy to require documentation of the agency's formal
evaluations of medium and lite investments. The EPA agreed to incorporate a
portfolio review process called "Pre Exhibit 100 Reviews" to the EPA's CPIC
policy and procedure by December 31, 2015. However, although the CPIC policy
and procedure were updated, they did not include "Pre Exhibit 100 Reviews" to
document evaluations of medium and lite investments.
Conclusion
The agency noted that the CPIC process is the methodology used for "selecting,
controlling and evaluating the performance of EPA IT investments throughout the
full lifecycle." By miscategorizing IT investments and not reviewing IT
investments with annual expenditures below the major investment level, the
agency lacked much-needed information to make strategic decisions regarding IT
investments that are critical to accomplishing the EPA's mission.
Recommendations
We recommend that the Assistant Administrator for Mission Support:
4. Create a process to verify annual costs of the Enterprise Customer Service
Solution to validate that the investment is recorded in the correct
Capital Planning and Investment Control investment category.
5. Submit the "Investment Change in Status" form to upgrade the Enterprise
Customer Service Solution categorization from Capital Planning and
Investment Control "small and other IT investment" category to the
Capital Planning and Investment Control "lite" category.
6. Update the Capital Planning and Investment Control policy and procedure
to incorporate the existing requirement for the agency to document its
formal evaluations of Capital Planning and Investment Control "medium"
and "lite" investments.
19-P-0278
10
-------�
EPA Response and OIG Evaluation
The EPA provided an acceptable proposed corrective action plan and completion
date for Recommendation 4. The EPA agreed to address the annual costs
associated with ECSS and determine its appropriate CPIC investment category as
part of the annual portfolio review process. The agency CPIC process requires
offices to identify the cost associated with an IT investment. Therefore, we
believe this corrective action meets the intent of the recommendation and we
consider Recommendation 4 resolved with corrective actions pending.
For Recommendation 5, the EPA provided documentation that it has completed
an "Investment Change in Status" form, and that action satisfies
Recommendation 5.
For Recommendation 6, the EPA indicated that major revisions to the CPIC
guidance are forthcoming. The agency indicated that it would develop a policy
and procedures to incorporate the new guidance when it becomes available.
However, the agency did not indicate whether it would incorporate requirements
for the agency to document its formal evaluations of CPIC "medium" and "lite"
investments. Therefore, it is incumbent upon management to include in the new
policy and procedures requirements to evaluate CPIC "medium" and "lite"
investments if the new CPIC guidance does not address this issue. We consider
Recommendation 6 unresolved pending management's response to the final
report.
The EPA's written response is in Appendix A.
19-P-0278
11
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
Rec.
No.
No.
Subject
Status1
Action Official
Planned
Completion
Date
Potential
Monetary
Benefits
(in $000s)
8 Verify that the project manager and system owner adhere to the
System Life Cycle Management policies and procedures when
implementing the Enterprise Customer Service Solution.
8 Implement internal controls to verify receipt of the Enterprise
Customer Service Solution statement of work deliverables.
8 Implement internal controls to verify that cloud-service providers
for the Enterprise Customer Service Solution are Federal Risk
and Authorization Management Program certified.
10 Create a process to verify annual costs of the Enterprise
Customer Service Solution to validate that the investment is
recorded in the correct Capital Planning and Investment Control
investment category.
10 Submit the Investment Change in Status" form to upgrade the
Enterprise Customer Service Solution categorization from
Capital Planning and Investment Control "small and other IT
investment" category to the Capital Planning and Investment
Control "lite" category.
10 Update the Capital Planning and Investment Control policy and
procedure to incorporate the existing requirement for the agency
to document its formal evaluations of Capital Planning and
Investment Control "medium" and "lite" investments.
R Assistant Administrator for 1/15/20
Mission Support
U Assistant Administrator for
Mission Support
R Assistant Administrator for 9/30/19
Mission Support
R Assistant Administrator for 1/15/20
Mission Support
C Assistant Administrator for 1/29/19
Mission Support
U Assistant Administrator for
Mission Support
C = Corrective action completed.
R = Recommendation resolved with corrective action pending.
U = Recommendation unresolved with resolution efforts in progress.
19-P-0278 12
-------�
Appendix A
EPA Response to Draft Report
$ Mm UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
PR0^(
WASHINGTON. D.C. 20460
OFFICE OF MISSION SUPPORT
MEMORANDUM
SUBJECT: Response to the Office of Inspector General Draft Report No. OA&E-FY18-0261 "EPA
Oversight Over Enterprise Customer Service Solution Needs Improvement" dated May
13, 2019
\/A| IPUKI Digitally signed by
V nUOnlN VAUGHN NOGA
PROM: Vaughn Noga, Chief Information Officer NOGA omVso'-mw4
and Deputy Assistant Administrator for Environmental Information
TO: Rudolph M. Brevard
Information Resources Management Directorate
Office of Audit and Evaluation
Thank you for the opportunity to respond to the issues and recommendations in the subject audit report.
Following is a summary of the agency's overall position, along with its position on each of the report
recommendations. For those report recommendations with which the agency agrees, we have provided
high-level intended corrective actions and estimated completion dates. There are no recommendations
that the agency disagrees with.
AGENCY'S OVERALL POSITION
The EPA agrees with the Office of Inspector General's (OIG) overall report, that there were areas for
improvement in the agency's oversight over Enterprise Customer Service Solution (ECSS) system. The
EPA further agrees with the OIG's report that the EPA has already begun making many of the
improvements identified in the report.
Agreements
No.
Recommendation
High-Level Intended Corrective
Actions
Estimated
Completion
Date
1
Verify that the project manager
and system owner adhere to
the System Life Cycle
Management polices and
procedures when
1.1 The Chief Information Officer
concurs with the recommendation in
part and will direct OMS-EI-OIM to
provide the appropriate System Life
Cycle Management documentation
January 15,
2020 "
19-P-0278
13
-------�
implementing the Enterprise
Customer Service Solution.
to QMS" audit follow-up coordinator
going forward. Because QMS plans
to discontinue use of the service in
FY 2020 we will not develop
retrospective documentation for
previous life evele stages.
2
Implement internal controls to
verify receipt of Enterprise
Customer Sen ice solution
statement of work deliverables.
2.1 Si\ty days prior to the next and
final option year, schedule review? to
confirm receipt of contract
deliverables
July 30, 2019
3
Implement internal controls to
verify that that cloud-service
providers .for the Enterprise
Customer Service Solution are
federal Risk and Authorization
Management Program
certified.
3.1 It has been determined that the
cloud service provider (/endesk) is
not making sufficient progress in
getting EedRAMP certification.
OMS-EI will discontinue use of
/.endesk in EY 2020.
September 30,
2020
4
Create a process to verify
annual costs of the Enterprise
Customer Sen ice Solution to
validate that the investment is
recorded in the correct Capital
Planning and Investment
Control investment category.
4.1 I"ntil QMS discontinues use of
ECSS in EY 2020. we will continue
to address the annual costs
associated with ECSS and make a
determination as to its appropriate
CPIC investment category as part of
the annual portfolio review process
conducted in accordance with
EITARA.
January 15,
2020
5
Submit the "Investment
Change in Status" form to
upgrade the Enterprise
Customer Service Solution
category from Capital Planning
and Investment Control "small
and other IT in\ estment"
category to the Capital
Planning and Investment
Control "lite" category.
5.1 Submit the "investment Change
of Status" form to upgrade the
Enterprise Customer Sen ice
Solution category from Capital
Planning Investment Control ''small
and other IT investment" category to
"lite".
Completed
January 29.
2019
6
Update the Capital Planning
and Investment Control policy
and procedure to incorporate
requirement for the agency to
document its formal
evaluations of Capital Planning
and Investment Control
"medium" and '"lite"
investments.
6.1 The Ofiice of Management and
Budget has advised OMS-EI that
major revisions to the CPIC are
forthcoming. The agency will
develop a policy and procedures to
incorporate the new guidance when
it becomes available.
September 30,
2020
19-P-0278
14
-------�
CONTACT INFORMATION
If you have any questions regarding this response, please contact Marilyn Armstrong, Audit Follow-up
Coordinator, Office of Mission Support, on (202) 564-1876.
cc: Marilyn Armstrong. OMS
JcIT Wells. ()\IS
Majal .ee. OMS
I in Darlington. OMS
Holly I'enderson. OMS
19-P-0278
15
-------�
Appendix B
Distribution
The Administrator
Deputy Administrator
Chief of Staff
Deputy Chief of Staff
Assistant Administrator for Mission Support
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Director, Office of Continuous Improvement, Office of the Administrator
Principal Deputy Assistant Administrator for Mission Support
Associate Deputy Assistant Administrator for Mission Support
Deputy Assistant Administrator for Environmental Information and Chief Information Officer,
Office of Mission Support
Director, Office of Resources and Business Operations, Office of Mission Support
Director, Office of Information Management, Office of Mission Support
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Mission Support
19-P-0278
16
-------� |