Steps Needed to Prevent Prior Control Weaknesses From Affecting New Acquisition Systemc


tftD STA^
U.S. Environmental Protection Agency	10-P-0160
£ %M \ Office of Inspector General	June 28 2010
/ fi

At a Glance
Catalyst for Improving the Environment\
Why We Did This Review
We sought to determine to
what extent the U.S.
Environmental Protection
Agency (EPA) took steps to
prevent system control
weaknesses in its current
acquisition system from
impacting the new
replacement system.
The Office of Inspector
General contracted with
Williams, Adley & Company,
LLP, to conduct this review.
Background
The Integrated Contracts
Management System (ICMS)
supports the procurement
needs of EPA offices. ICMS
generates documents critical
to the procurement process
and recorded contract values
totaling approximately
$17.5 billion for Fiscal Year
2008. EPA is replacing ICMS
with a new system called the
EPA Acquisition System
(EAS).
For further information, contact
our Office of Congressional,
Public Affairs and Management
at (202) 566-2391.
To view the full report,
click on the following link:
www.epa.qov/oiq/reports/2010/
20100628-10-P-0160.pdf
Steps Needed to Prevent Prior Control Weaknesses
From Affecting New Acquisition System
What Williams, Adley & Company, LLP, Found
Stronger system controls over ICMS need to be addressed prior to transitioning to
the new EAS. Williams, Adley & Company, LLP, noted that:
•	System reporting does not always accurately associate a procurement
action with the correct user who initiated the action.
•	ICMS does not have an audit log to capture and allow monitoring of
security events.
•	No formal ICMS user training exists.
•	The ICMS Continuity of Operations Plan and system backup procedures
are not compliant with federal requirements.
•	ICMS generates procurement documents in a format such that changes to
the procurement documents can be made outside of the ICMS processing
environment.
While it may not be practical for EPA to address these weaknesses within ICMS,
EPA should take proactive steps to strengthen its system controls so these similar
weaknesses do not exist in EAS.
What Williams, Adley & Company, LLP, Recommends
Williams, Adley & Company, LLP, recommends that the Director, Office of
Acquisition Management:
Modify EAS reporting to associate procurements with the correct user
who initiated the action.
Implement EAS security logging; develop and implement a formal process
for storing, reviewing, and reporting violations recorded in security logs.
Continue EAS Contracting Officer training and Getting Started training
for EAS users prior to obtaining system access.
Ensure the EAS contingency site is remote from the primary hosting site.
Implement system controls, such as proper tracking and version control of
procurement documents, to prevent a user from altering procurement
documents outside of the EAS environment.
On June 9, 2010, we met with EPA officials to discuss this briefing. Appendix A
contains EPA's response to the findings.

-------