The CSB's Fiscal Year 2024
Top Management
Challenges
December 6, 2023 J Report No. 24-N-0010
-------�
Report Contributors
Chad Garland
Eric Lewis
Claire McWilliams
Adam Seefeldt
KellyJune Stout
Andre von Hoyer
Abbreviations
C.F.R. Code of Federal Regulations
CSB U.S. Chemical Safety and Hazard Investigation Board
EPA U.S. Environmental Protection Agency
FY Fiscal Year
OGE U.S. Office of Government Ethics
OIG Office of Inspector General
PAS Presidentially Appointed and Senate Confirmed
U.S.C. United States Code
Cover Image
CSB employees investigating. (CSB image)
Are you aware of fraud, waste, or abuse in a CSB
program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, D.C. 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG.Hotline@epa.qov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, D.C. 20460
(202) 566-2391
www.epaoiq.gov
Subscribe to our Email Updates.
Follow us on X (formerly Twitter) @EPAoiq.
Send us your Project Suggestions.
-------�
24-N-0010
December 6, 2023
At a Glance
The CSB's Fiscal Year 2024 Top Management Challenges
What Are Management
Challenges?
The Reports Consolidation Act of 2000
requires each inspector general to
prepare an annual statement
summarizing what the inspector
general considers to be "the most
serious management and performance
challenges facing the agency" and to
briefly assess the agency's progress in
addressing those challenges.
Our previous U.S. Chemical Safety and
Hazard Investigation Board report.
Fiscal Year 2023 U. S. Chemical Safety
and Hazard Investigation Board
Management Challenges, issued
October 21, 2022, identified three top
management challenges facing the
agency. Those challenges addressed
operating effectively without a full
board, minimizing mission-critical staff
vacancies and attrition rates, and
improving cybersecurity. We have
retained these challenges for fiscal
year 2024. In addition, we have
identified the promotion of ethical
conduct as a new top management
challenge for the CSB.
This report addresses the three CSB
goals:
• Prevent recurrence of significant
chemical incidents.
• Advocate safety and achieve
change.
• Create and maintain an engaged,
high-performing workforce.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG.PublicAffairs@epa.gov.
What We Found
We retained the three previously identified top management and performance challenges
from the prior year's report, and we added a fourth challenge. We consider these to be the
CSB's greatest vulnerabilities to waste, fraud, abuse, and mismanagement and the most
significant barriers to accomplishing the CSB's mission during fiscal year 2024:
1. Management Challenge (initially identified in fiscal year 2019):
Operating effectively without a full board.
The CSB's governing board has only three confirmed members, one more than when
we highlighted this challenge in fiscal year 2023. The Clean Air Act Amendments of
1990 authorized the creation of the CSB and established a board of five members,
including a chairperson. That board is responsible for major budgeting decisions,
strategic planning and direction, general oversight of the CSB, and approval of
investigation reports and studies. The lack of a full board has inhibited the CSB's
mission to conduct investigations to protect people and the environment. A full board
ensures that the CSB can function in the event of the loss of one or two board
members.
2. Management Challenge (initially identified in fiscal year 2023):
Minimizing mission-critical staff vacancies and attrition rates.
The CSB is working to increase hiring, but vacancies and attrition rates remain a
concern. As of the end of September 2023, the CSB's staffing level was short of fiscal
year-end projections by ten full-time equivalents, or about 20 percent. Mission-critical
positions have remained vacant for more than one year. Despite some improvements,
we remain concerned that staffing problems affect the CSB's ability to carry out day-
to-day operations in a timely manner, including deployment to new incidents,
completion of investigations, and issuance of reports.
3. Management Challenge (initially identified in fiscal year 2023):
Improving cybersecurity.
The CSB has demonstrated a strong commitment to its cybersecurity program and to
addressing the Office of Inspector General's cybersecurity recommendations to
ensure the reliability, availability, and accuracy of CSB data. However, the CSB
should ensure that it has formalized and documented policies, procedures, and
strategies for its information security program and that they are consistently
implemented. The risk that vulnerabilities may be exploited is elevated at the CSB's
latest assessed information security level. The CSB's continued improvement to its
cybersecurity posture and increased maturity level is necessary to fully address prior
Office of Inspector General recommendations.
4. Management Challenge (new): Promoting ethical conduct.
In July 2023, the U.S. Office of Government Ethics recommended that the CSB take
steps to improve its ethics program. The CSB is reviewing this recommendation and
plans to fully respond by January 2024. A robust ethics program, combined with
training, can assist employees in recognizing potential ethics concerns.
List of OIG reports.
-------�
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
December 6, 2023
Steve Owens
Chairperson
U.S. Chemical Safety and Hazard Investigation Board
1750 Pennsylvania Avenue NW, Suite 910
Washington, D.C. 20006
Dear Mr. Owens:
Enclosed is the Office of Inspector General's fiscal year 2024 management challenges report for the
U.S. Chemical Safety and Hazard Investigation Board. The Reports Consolidation Act of 2000 requires
that I prepare an annual statement summarizing what the OIG considers to be the "most serious
management and performance challenges facing" the CSB. This statement is also to briefly assess the
CSB's progress in addressing these challenges. We used audit, evaluation, and other analyses of CSB
operations to arrive at the issues presented.
We retained the previous three top management challenges that we identified in our report Fiscal
Year 2023 U.S. Chemical Safety and Hazard Investigation Board Management Challenges. The first of
these challenges concerns the impairment of the CSB's mission accomplishment from having less than a
full confirmed board, a challenge we first identified in 2019. The second challenge focuses on the
CSB's need to minimize staff vacancies and attrition rates to ensure timeliness of deployments,
investigations, and reports. Our third challenge highlights the criticality of addressing cybersecurity
weaknesses to ensure mission-essential information is secure and will not compromise agency systems.
We have identified a fourth challenge, promoting ethical conduct, which relates to lapses in the
CSB's ethics program.
You are not required to provide a written response to this final report. We will post this report to our
website at www.epaoig.gov.
Sincerely,
Sean W. O'Donnell
Inspector General
Enclosure
-------�
Table of Con
Sections
1 Introduction 1
2 Challenge 1: Operating Effectively Without a Full Board 4
3 Challenge 2: Minimizing Mission-Critical Staff Vacancies and Attrition Rates 6
4 Challenge 3: Improving Cybersecurity 9
5 Challenge 4: Promoting Ethical Conduct 11
-------�
Introduction
This U.S. Environmental Protection Agency Office of Inspector General report provides Congress and the
U.S. Chemical Safety and Hazard Investigation Board, or CSB, with an independent and objective
assessment of the CSB's top management and performance challenges identified by the OIG for fiscal
year 2024.
The Clean Air Act Amendments of 1990, 42 U.S.C. § 7412(r)(6), authorized the creation of the CSB, which
became operational in January 1998. Headquartered in Washington, D.C., the CSB is an independent
federal agency charged with investigating chemical incidents and hazards to prevent similar events. The
Clean Air Act Amendments of 1990 provide that the CSB board "shall consist of five members, including
a Chairperson." Board members serve by presidential appointment with the Senate's confirmation. The
CSB's mission is to "drive chemical safety change through independent investigation to protect people
and the environment."1 The CSB examines all aspects of significant chemical incidents, including causes
and root causes. It is not a regulatory agency and does not issue fines or citations, but it makes
recommendations to plants; industry organizations; labor groups; and regulatory agencies, such as the
Occupational Safety and Health Administration and the EPA. The CSB considers these recommendations
its principal tool for influencing positive change, though compliance with them is voluntary.
The CSB's FY2022-2026 Strategic Plan, which serves as a blueprint for its priorities, sets three goals:
1. Prevent recurrence of significant chemical incidents through independent investigations.
2. Advocate safety and achieve change through recommendations, outreach, and education.
3. Create and maintain an engaged, high-performing workforce.
We annually assess the top management and performance challenges affecting the programs and
operations of the CSB, consistent with the Reports Consolidation Act of 2000. The Act requires each
inspector general to prepare an annual statement summarizing what the inspector general considers to
be "the most serious management and performance challenges facing the agency" and to briefly assess
the agency's progress in addressing those challenges. As part of the OIG's annual assessment, we solicit
input from senior CSB leadership, consider our prior year's oversight work and how the CSB's programs
addressed management challenges identified in other fiscal years, review congressional hearings and
public statements, analyze oversight work conducted by the U.S. Government Accountability Office, and
consider issues raised in media coverage and the civil sector. For FY 2024, we also considered a
U.S. Office of Government Ethics, or OGE, inspection report.
The CSB's FY 2024 top management challenges are as follows:
1. Operating effectively without a full board.
2. Minimizing mission-critical staff vacancies and attrition rates.
1 About the CSB - Mission, U.S. Chemical Safety and Hazard Investigation Board, https://www.csb.gov/about-the-
csb/mission/ (last visited Sept. 11, 2023).
24-N-0010
1
-------�
3. Improving cybersecurity.
4. Promoting ethical conduct.
We have numbered these for reference, not as an indication of priority, severity, or precedence. Each
challenge relates significantly to the CSB's ability to meet its mission of protecting communities,
workers, and the environment. These challenges are all forward-looking to assist the CSB in its
operations, as well as to guide the OIG in its oversight planning for the next fiscal year.
Summary of the FY 2024 Management Challenges
The OIG's Fiscal Year 2023 U.S. Chemical Safety and Hazard Investigation Board Management
Challenges report, hereafter referred to as the FY2023 Management Challenges report, was issued
October 21, 2022. It identified three top management challenges for the CSB, which we have retained
for FY 2024.
The first challenge is operating effectively without a full board. With three congressionally approved
members as of September 2023, including the chairperson, the CSB is still missing 40 percent of the
five board members authorized by the Clean Air Act Amendments of 1990. The board members are
responsible for major budgeting decisions; strategic planning; general oversight; approval of
investigation reports and studies; and other specific duties, such as serving as the principal
spokespersons at accident sites and conducting community meetings, hearings, and boards of inquiry
during accident investigations. CSB staff cannot assume board-specific duties. While the addition of the
third confirmed board member in FY 2023 is an improvement and provides the board with a tie-breaking
vote for its decisions, the loss of one member would return it to its previously mission-impaired
condition. It took an average of seven-and-a-half months after nomination to confirm the existing board
members. The CSB's mission to protect communities, workers, and the environment may be impaired
without the full complement of board members.
The second challenge is minimizing mission-critical staff vacancies and attrition rates. This challenge
concerns the understaffing and turnover rates that continue to affect the CSB. While the CSB brought on
11 professional staff new-hires and one new board member in FY 2023, its personnel strength was still
ten full-time equivalents short of projections for the fiscal year. We have previously noted that
insufficient staffing of both management and nonmanagement positions has hampered the CSB's ability
to investigate new safety incidents, to complete its backlog of investigations, and to issue timely reports.
This staffing shortage remains an obstacle to the Board's mission accomplishment.
In the third challenge, improving cybersecurity, we focus on the CSB's information security program. We
have consistently identified deficiencies and vulnerabilities in this program that could affect the CSB's
ability to fulfill its obligations and mission. The Federal Information Security Modernization Act of 2014
requires federal agencies to develop, document, and implement information system programs to
protect federal information and systems. The CSB should ensure formal policies, procedures, and
strategies for its information security program are in place and consistently implemented to reduce the
risk that vulnerabilities may be exploited.
24-N-0010
2
-------�
Finally, we identified a new challenge for FY 2024. The fourth challenge, promoting ethical conduct, is
an issue about which the OGE'S work has raised concerns. Federal laws and regulations govern CSB
employees' ethical conduct, but deficiencies that the OGE identified in a July 2023 inspection
underscore how a delay in appointing the designated agency ethics official may have left the CSB
vulnerable to ethical lapses. If the CSB does not strengthen its ethics program and promote an ethical
culture, it could jeopardize the CSB's programs and risk the loss of public trust in the organization's
ability to accomplish its mission efficiently and effectively.
24-N-0010
3
-------�
Challenge 1: Operating Effectively Without a Full Board
Introduction and Overview
The CSB's governing body has been operating below its authorized
five-member complement since FY 2019, which we have
consistently identified as a top management challenge. All three
members on the board as of September 2023 had more than
three years left on their terms, but the body was still operating with
authorized members. The Clean Air Act Amendments of 1990 authorize the CSB's governing board to
consist of five members. The board's significant and irreplaceable management role and its consistent
shortfall under the statute present a continuing challenge to the CSB's ability to fulfill its mission and
achieve its goals.
Board Member Appointments Are Subject to Potential Delays
Congress intended the CSB to have five board members to perform many important roles, but efforts to
fill board vacancies are subject to political processes outside the CSB. The Clean Air Act Amendments
of 1990 state that the CSB's governing body shall consist of five members, including a chairperson,
appointed by the president and confirmed by the Senate. However, the statute limits board member
terms to five years and permits their removal for inefficiency, neglect of duty, or malfeasance in office.
The statute also assigns board members the responsibility to investigate, determine, and report to the
public in writing the facts, conditions, circumstances, and causes or root causes of any accidental release
resulting in a fatality, serious injury, or substantial property damage. Board members are also
responsible for major budgeting decisions; strategic planning; general oversight; and other specific
duties, such as serving as the principal spokespersons at accident sites and conducting community
meetings, hearings, and boards of inquiry during accident investigations. These board-specific duties
cannot be delegated to CSB staff.
The newest CSB board member's term began in FY 2023. However, with the board still lacking
two members as of September 2023, the addition does not fully mitigate the risk of operating without a
full board. Delays in appointing the remaining members can have debilitating effects because the board
members' duties cannot be delegated and the absence of one or more members could make it difficult
to break a tie or otherwise meet board requirements under the Clean Air Act. As we noted in the
FY2023 Management Challenges report, the governing body had four vacancies at the end of 2021,
which left one person to serve as the lone board member and chairperson. Two new board members
began terms in February 2022. But the chairperson resigned in July 2022, leaving the board membership
at two for several months until a third member's term began in February 2023. It took an average of
over seven-and-a-half months to nominate, confirm, and appoint the three board members serving as of
September 2023. That figure was ten-and-a-half months just a few years earlier,2 and it has historically
2 U.S. Env't Prot. Agency Off. of Inspector Gen., 20-N-0218, Fiscal Year 2020 U.S. Chemical Safety and Hazard
Investigation Board Management Challenges (2020).
#
-1 £ ±
?
•
•
SEPTEMBER 2023
slightly more than half of its
24-N-0010
4
-------�
stretched to as long as 18.0 months.3 The appointment process, the risk of additional resignations, and
natural attrition put the CSB's governing body at risk of continuing cycles of unfilled membership that
could reduce the effectiveness of the governing body or stall its initiatives.
Lack of Full Board Puts CSB Operations at Risk
Having a full board helps to ensure the continuity of the CSB's operations in the event of board member
attrition or conflicts. Our Fiscal Year 2022 U.S. Chemical Safety and Hazard Investigation Board
Management Challenges report, issued November 10, 2021, detailed the risks of having just one board
member, and our FY2023 Management Challenges report stated that the CSB's operations remained at
risk with a board of two. The CSB's governing body will continue to operate in an impaired state until its
full membership is appointed.
Much of the risk we have previously identified has to do with the possibility of the board being reduced
to a single member, which would render it unable to perform many of its basic functions, such as
passing a budget, approving investigative reports, and hiring senior personnel. A revised board order
states that the board cannot perform certain functions with a quorum of one. Even with two members,
an unbreakable tie vote could hamper decision-making on basic functions and other vital matters.
Any number of events could reduce the board again to two or fewer members, including natural attrition.
Despite the CSB's governing body operating at only 60 percent of its authorized membership, the lack of
members leaves it with no less responsibility. As noted, Congress intended the five technically qualified
board members to perform specific duties that cannot be delegated to CSB staff. The CSB has been
working to clear a long-standing backlog of investigations, but it may be hampered in opening new ones
because, with fewer than the five board members intended by the Clean Air Act, the CSB may lack
sufficient leadership resources to oversee the investigations. Further, the board members significantly
help advocate for the adoption of the CSB's recommendations by industry, labor, the government, and
other entities. Board members also regularly meet with leaders of other federal agencies and participate
in conferences, safety forums, and committees. Three board members are unlikely to have the time to
perform the required duties of five members or the same breadth of technical qualifications. Without a
full governing body, the CSB is at risk of not functioning as required and intended under the Clean Air Act.
Board members require presidential nomination and Senate confirmation, subjecting authorization
efforts to political processes and other factors outside the CSB's control or influence.
Conclusion
Although the Senate confirmed two new board members in 2022 and one in 2023, the organization still
has only slightly more than half of its authorized board members. Having a full board is authorized under
the Clean Air Act and is necessary for the CSB to operate as intended by the Act. The president should
nominate and the Senate should confirm new board members as soon as possible, especially since the
nomination and confirmation process has historically taken up to 18 months to complete.
3 U.S. Env't Prot. Agency Off. of Inspector Gen., Fiscal Year 2023 U.S. Chemical Safety and Hazard Investigation
Board Top Management Challenges (2022).
24-N-0010
5
-------�
Challenge 2: Minimizing Mission-Critical Staff Vacancies
and Attrition Rates
and issue timely reports.
The CSB's limited investigative staff have focused on eliminating a long-standing backlog of
investigations, resulting in investigators having been deployed to only two new incidents since
January 2022. Meanwhile, the CSB has received hundreds of reports of accidental chemical releases since
a new reporting rule took effect in March 2020/ which has added to the workload. The CSB is planning to
hire more investigative staff and expects to deploy investigators more frequently after the backlog is
cleared. While we have noted improvement in hiring, we anticipate that the CSB will continue to face
staffing-related challenges throughout FY 2024, which may continue to affect the CSB's productivity.
Understaffing and Attrition Rates Delay CSB Reporting
We identified understaffing as a management challenge in FY 2023, and the CSB continues to struggle in
filling its ranks. For FY 2023, the CSB was allocated 49 full-time equivalent staff, but as of the end of the
fiscal year, the number remained ten staff members shy of that total. According to the CSB, a total of
seven professional staff members departed the CSB in FY 2022, and four left in FY 2023. While attrition
rates improved in FY 2023, the CSB's attrition rates in recent years were about three times those of the
EPA. Specifically, we found in OIG Report No. 22-N-0056. Special Review of the U.S. Chemical Safety and
Hazard Investigation Board Capabilities to Effectively Administer Its Programs and Operations, issued
September 7, 2022, that CSB attrition rates averaged 22 percent for FY 2019 through 2021. In contrast,
we found that the EPA's average annual attrition rate for the same period was 7 percent. The attrition
rates were among several mission-critical staffing problems affecting the CSB that we detailed in OIG
Report No. 22-N-0056.
Our report also noted that the CSB had nine management staff departures during FY 2021.5 Some of the
positions vacated had yet to be permanently filled as of September 19, 2023. The CSB has been
operating without a general counsel since November 2020, although an acting general counsel was
appointed in July 2022. The director of administration position had been vacant for more than two years
and remained so as of September 2023. The director of human resources and the chief information
4 Incident Reporting Rule Submission Information and Data, U.S. Chemical Safety and Hazard Investigation Board,
https://www.csb.gov/news/incident-report-rule-form-/ (last accessed October 3, 2023).
5 U.S. Env't Prot. Agency Off. of Inspector Gen., 22-N-0056. Special Review of the U.S. Chemical Safety and Hazard
Investigation Board Capabilities to Effectively Administer Its Programs and Operations (2022).
The CSB has struggled in recent years to reduce staff vacancies and
turnover rates. Continued understaffing in management and
nonmanagement ranks adversely affects the CSB's ability to
investigate new safety incidents, complete existing investigations,
Introduction and Overview
24-N-0010
6
-------�
officer positions, however, had been filled by that time.6 Other long-standing executive-level vacancies
have proven difficult to keep filled. In February 2022, the CSB briefly filled the managing director
position that had been vacant for over two years, but that individual subsequently tendered a
resignation in May 2022 and vacated the position by the following July.7 While the general counsel and
the managing director positions had not been advertised in FY 2023, the director of administration
position had been advertised in January 2023. However, the CSB chairperson did not select a candidate
from more than 50 applicants.
Hiring has long been a challenge for the CSB. We detailed in a special review that, since FY 2018,
Congress has allocated the CSB significantly more full-time equivalent employee positions than it has
been able to fill. For FY 2021, the difference between congressionally allocated and actual full-time
equivalents at the CSB was 24 percent. By comparison, the difference at the EPA, a much larger agency,
was less than 1 percent for the same fiscal year.8 The actual number of full-time equivalents at the CSB
remained about one-quarter below budgeted numbers in FY 2022. That figure improved slightly in
FY 2023 to 20 percent short of allocated numbers.
Of particular concern are the vacancies that persist among the CSB's cadre of investigators, which limit
the agency's ability to perform core functions. New requirements have added to the CSB's investigative
workload. In August 2022, the CSB had 12 chemical incident investigators working on 17 open
investigations.9 By the following August, the CSB had closed 12 backlogged investigations in the prior
12 months, which board Chairperson Steve Owens said is the highest rate of productivity in the
CSB's history. But investigators had only deployed to two new incidents since January 2022—a fatal
incident at the BP-Husky refinery in Oregon, Ohio, in September 2022, and a fatal explosion at the
R.M. Palmer chocolate factory in West Reading, Pennsylvania, in March 2023. What is more, the
CSB's Office of Investigations personnel are responsible for reviewing and following up on the over
270 chemical release reports that have been submitted under the Accidental Release Reporting Rule
that took effect in March 2020.10
A CSB director reported that, as of July 1, 2023, the CSB had hired an additional supervisory investigator
and three chemical incident investigators, which fulfilled a commitment outlined in its FY 2023 budget
request and brought the total number of investigators on staff to 17. The CSB was also committed to
hiring three more chemical incident investigators in FY 2024. As of August 2023, the CSB was also
working to onboard three chemical engineers who accepted offers via the Pathways Internship Program.
Hiring is likely to remain an issue for the CSB, given the number of vacancies and various concerns raised
by professional staff and board members. The CSB's human resources director has been focused on
6 CSB Directory, U.S. Chemical Safety and Hazard Investigation Board, https://www.csb.gov/about-the-csb/csb-
directory/ (last accessed September 11, 2023).
7 Special Review of the U.S. Chemical Safety and Hazard Investigation Board Capabilities to Effectively Administer
Its Programs and Operations, supra note 5.
8 Special Review of the U.S. Chemical Safety and Hazard Investigation Board Capabilities to Effectively Administer
Its Programs and Operations, supra note 5.
9 Special Review of the U.S. Chemical Safety and Hazard Investigation Board Capabilities to Effectively Administer
Its Programs and Operations, supra note 5.
10 Incident Reporting Rule Submission Information and Data, supra note 4.
24-N-0010
7
-------�
recruitment efforts. Consequently, an anticipated workforce analysis that was in process in July 2022 has
yet to be completed, according to the CSB. However, the CSB is a microagency, which is an agency
employing fewer than 100 full-time equivalents. As such, it does not have the ability to do its own hiring.
It, therefore, relies on a service provider, an arrangement that two directors and a board member said
presents challenges to onboarding mission-critical personnel. The CSB reported that board members
have been working to improve the hiring process. Board members also reported that the CSB has been
working to improve employee morale and retention through various engagement activities, awards, and
other measures.
Conclusion
The long-standing hiring and attrition challenges at the CSB will take time to address. We recognize that
the CSB has made progress in clearing its backlog, which should free up investigators for future
deployments, but the CSB will not be able to sustain historical levels of productivity or add significantly
to its workload without addressing its staffing needs. We also note that the CSB has made some
progress in hiring staff for key positions, such as the chief information officer and several chemical
incident investigators, but efforts to lower attrition rates by improving senior management
communication and promoting a healthy workplace environment remain critical to overcoming the
CSB's staffing challenges. The lack of staffing and the attrition rates at the CSB hinder its ability to deploy
to new incidents, delay the completion of investigations, and reduce the timeliness of reports, all of
which affect the CSB's ability to meet its mission of protecting workers, the community, and the
environment.
24-N-0010
8
-------�
Challenge 3: Improving Cybersecurity
Introduction and Overview
Across the federal government, cybersecurity remains a high-risk
concern, given the increased threat from sophisticated cyberattacks
targeting critical infrastructure. This is no less true for the CSB. Our
oversight of the CSB has consistently identified deficiencies in the
CSB's information security program. Since we identified the need for improved cybersecurity as an
FY 2023 management challenge, the CSB has demonstrated a commitment to address this issue by
implementing corrective actions from prior OIG reports. Nonetheless, given the threat from malicious
cyberactors and the repeated poor assessments of the CSB's information security program, we are
continuing to highlight the need for further improvement and continued vigilance in cybersecurity.
Heightened Cyberthreats Require Continued Information Security Improvement
The CSB must continue to improve its
information security program to combat
rising cyberthreats. The increased
governrnentwide threat from
sophisticated cyberattacks targeting
critical infrastructure led the
Government Accountability Office to
include ensuring the cybersecurity of the
nation in its 2023 High-Risk List.11 Our
evaluations of the CSB's information
security program, however, have
repeatedly identified deficiencies and
low overall maturity ratings. OIG Report
No. 23-E-0016. The CSB Is at Increased
Risk of Losing Significant Da ta as
Vulnerabilities Are Not Identified and
Remediated Timely, issued May 2, 2023,
calculated the CSB's overall maturity at
the lowest level possible.
Needs Improvement
A
Risk
Management
Level 1: Ad-Hoc
Level 2: Defined
Level 3; Consistently Implemented
Level 4: Managed and Measurable
Level 5: Optimized
The CSB's FY 2022 maturity level, according to the OIG's evaluation
of the CSB's information security program and associated domains
based on reporting metrics for the Federal Information Security
Modernization Act of 2014. (EPA OIG image)
Specifically, in OIG Report No. 23-E-0016, our evaluation of the CSB's compliance with U.S. Department
of Homeland Security FY 2022 reporting metrics for the Federal Information Security Modernization Act
of 2014 calculated the information security program's overall CyberScope maturity rating as "Level 1, Ad
11 U.S. Gov't Accountability Off., GAQ-23-106203, High-Risk Series: Efforts Made to Achieve Progress Need to Be
Maintained and Expanded to Fully Address Ali Areas (2023).
24-N-0010
9
-------�
Hoc."12 This means that the CSB's relevant policies, procedures, and strategies were not formalized and
activities were performed in an ad hoc, reactive manner. The calculated rating was based on core
CyberScope metrics as detailed in the May 2, 2023 report.
OIG Report No. 23-E-0016 also identified that the CSB needed to continue improvements by resuming
monthly vulnerability scanning, which was discontinued in FY 2022 because of staffing issues. The report
evaluated the CSB's progress toward addressing deficiencies identified in the prior year's Federal
Information Security Modernization Act of 2014 evaluation report, which recommended that the CSB
improve its cybersecurity program by consistently storing system backups at an off-site location a
sufficient distance from its headquarters to prevent significant loss of data. OIG Report No. 22-N-0058,
Data Vulnerabilities Could Impact the CSB's Ability to Carry Out Its Obligations Under the Federal
Information Security Modernization Act of 2014, issued September 22, 2022, identified both the
discontinuation of periodic vulnerability scans and the lack of regular off-site backups as being among
several vulnerabilities with potential significant impacts on the confidentiality, integrity, and availability
of the CSB's information technology resources.
In OIG Report No. 23-E-0016. we did find signs of improvement. As the CSB noted in its response to that
report, the CSB had been without a chief information officer for nearly the entirety of FY 2022, but it
onboarded a chief information officer in September 2022. It has also implemented Cybersecurity and
Infrastructure Security Agency programs, including the Vulnerability Disclosure Program and the
Continuous Diagnostics and Mitigation Program, to address the recommendations in our previous
report. Additionally, the CSB has established a process to perform daily backups of critical servers to an
off-site location. The CSB also noted that there is about a one-year lag between our Federal Information
Security Modernization Act of 2014 evaluations and the CSB's program status as of September 2023,
which means our latest review has not captured all efforts to improve cybersecurity. Our subsequent
reviews will determine the effectiveness of the CSB's corrective actions.
Conclusion
Since onboarding its new chief information officer, the CSB has taken steps to improve its cybersecurity
posture and address the OIG's cybersecurity recommendations. However, the CSB needs to formalize
and document all relevant policies, procedures, and strategies for its information security program and
consistently implement them. The risk that vulnerabilities may be exploited is elevated at the
CSB's information security maturity level. The CSB's continued improvement to its cybersecurity posture
and CyberScope maturity level is necessary to provide for the protection, reliability, and availability of its
data.
12 CyberScope is a web-based application that collects data from each federal agency to assess information
technology security, relying on live data feeds and data entry by agency staff.
24-N-0010
10
-------�
Challenge 4: Promoting Ethical Conduct
Introduction and Overview
According to the Standards of Ethical Conduct for Employees of the
Executive Branch, "[p]ublic service is a public trust, requiring
employes to place loyalty to the Constitution, the laws and ethical
principles above private gain."13 As the supervising ethics office for
the executive branch, the OGE is responsible for evaluating federal
agency ethics programs by conducting program reviews, including
inspections, to assess agency compliance with statutory and regulatory ethics requirements.14 In
July 2023, the OGE issued an inspection report for the CSB ethics program and identified areas of
improvement that resulted in the issuance often recommendations for the CSB to address.15 Also in
July 2023, we published a report of investigation that identified expenses the former chairperson
improperly incurred in violation of federal statutes and regulations. Given the breadth and scope of the
concerns noted in these reports, we have identified promoting ethical conduct as a top management
challenge for the CSB.
OGE Inspection Report Findings Identify Need for a Stronger Ethics Program
When the OGE determines that an agency's ethics program is not in substantial compliance with a
statute or regulation, the OGE will issue a recommendation.16 The OGE inspection report for the CSB
covered the period from October 29, 2021, through January 31, 2023, and resulted in
ten recommendations to the CSB. The deficiencies that the OGE noted in the inspection report covered
a range of issues, including the need for the CSB to have its ethics program appropriately staffed with a
designated agency ethics official; concerns regarding timely collection, review, and certification of
required financial disclosures; and the need for the CSB to provide ethics notices to new supervisors and
training to employees who complete public financial disclosure reports.
As noted in the inspection report, the position of designated agency ethics official was vacant during the
period covered by OGE's review. As detailed in the inspection report, the former designated agency
ethics official—the general counsel—terminated CSB employment in November 2020. As required by
5 C.F.R. § 2638.104(a), each agency head must appoint a designated agency ethics official who is "the
employee with primary responsibility for directing the daily activities of the agency's ethics program and
coordinating with the Office of Government Ethics." The CSB was without a permanent full-time
designated agency ethics official until October 2023. The lack of a permanent designated agency ethics
official to lead the ethics program and promote a culture of ethics within the CSB during the almost
three-year gap raises concerns. While the appointment of a permanent ethics official is a positive step,
13 5 C.F.R. § 2635.101(b).
14 U.S. Off. of Gov't Ethics, What Ethics Officials Should Know About Program Reviews (last visited Oct. 25, 2023).
15 U.S. Off. of Gov't Ethics, 23-351, Ethics Program Inspection Report - United States Chemical Safety and Hazard
Investigation Board (2023).
16 What Ethics Officials Should Know About Program Reviews, supra note 14.
24-N-0010
11
-------�
the CSB needs to address its other ethics program deficiencies, as noted in the OGE report, and ensure
its employees adhere to required ethical standards for federal government employees.
The recommendations issued in the inspection report regarding the need for timely collection and
review of financial disclosures by CSB employees are also of significant concern. Financial disclosures—
both public disclosures for employees who are presidentially appointed and Senate confirmed, or PAS,
and employees in the Senior Executive Service who are non-PAS and confidential disclosures for
designated career employees—serve the purpose of identifying and preventing potential ethical
conflicts of interest between federal employees and any personal financial interests, as well as assisting
ethics officials in providing counseling to employees.17 The OGE inspection report noted deficiencies
related to the need to (1) timely collect and review non-PAS public financial disclosure reports, (2) timely
collect and review confidential financial disclosure reports, and (3) provide notices regarding the need
for financial disclosures to those prospective employees entering into designated positions. In particular,
the OGE noted that, in the sample reviewed, the CSB certified and reviewed confidential financial
disclosure reports in a timely manner only 50 percent of the time, or for seven of 14 reports, with
one report being submitted more than 200 days after the employee was appointed. Similarly, two of
four non-PAS public financial disclosure reports that the OGE reviewed were neither reviewed nor
certified in a timely manner by the CSB.
The concern with ensuring that the CSB reviews and certifies public financial disclosure reports in a timely
manner has been a pervasive issue. In the OGE's August 2020 inspection report covering January to
December 2019, a similar recommendation stated that the CSB needed to timely review and certify
public financial disclosure reports.18 Although the 2020 inspection report noted that the CSB agreed with
the recommendation and indicated a compliance date of August 2021, the issue remained unresolved, as
reflected in the 2023 OGE report.
Finally, the 2023 OGE inspection report issued recommendations regarding the need for the CSB to
provide necessary ethics information and training to employees. One recommendation provided that
the CSB needs to ensure that new supervisors receive the required notice of their enhanced
ethics-related responsibilities. Another recommendation noted the need for the CSB to ensure that all
non-PAS public financial disclosure filers receive annual ethics training.
The CSB has been working to address the OGE report's recommendations within the timelines OGE
provided, according to the chairperson. For example, in addition to the designated agency ethics official,
two other ethics officials have access to reporting systems and are providing staff with ethics training.
A bedrock of the Standards of Ethical Conduct for Employees of the Executive Branch is that federal
employees cannot use their public office for private gain.19 A robust ethics program and training can
assist employees in recognizing potential ethics concerns. Conversely, without robust training, CSB
employees are at risk of not being fully aware of their ethical responsibilities.
The findings of our July 2023 report of investigation, for example, highlight the importance of ensuring
employees at all levels understand their ethical responsibilities. In that report, we determined that a
17 5 C.F.R. § 2634.104(a)—(b).
18 U.S. Off. of Gov't Ethics, 20-401, Ethics Program Inspection Report - United States Chemical Safety and Hazard
Investigation Board (2020).
19 5 C.F.R. § 2635.702.
24-N-0010
12
-------�
former CSB chairperson and chief executive officer improperly incurred almost $100,000 in travel,
furniture, and training expenses in violation of federal statutes and regulations. The report detailed the
former chairperson's violation of federal travel regulations by using taxpayer funds for travel to and
from the chairperson's residence in California and by not properly expensing other travel, resulting in
the use of government funds for expenses that should have been the chairperson's personal
responsibility. The report of investigation also concluded that the former chairperson's use of more than
$20,000 in government funds to furnish and redecorate her office in Washington, D.C., exceeded the
$5,000 statutory cap permitted on such expenses and that her selection of upgraded leather furniture
was in violation of the Federal Management Regulation. Further, the report found that the former
chairperson used more than $20,000 in government funds for her own media training in violation of the
Government Employees Training Act and Office of Personnel Management regulations.20
Although the report of investigation did not address whether the chairperson's improper use of
government funds constituted a violation of any ethical requirements, all government employees are
required under their ethics obligations to protect and conserve federal property and to not use it for
anything other than authorized activities.21 Ethics regulations also establish the principle that employees
avoid situations that could give the appearance of violating the law or ethical standards.22 The former
chairperson's use of government funds for personal expenses not only violated various federal statutes
and regulations but also gives rise to an appearance of an ethics violation and potentially undermines
the confidence of the public in the CSB.
Conclusion
According to the OGE, "[e]thical failures hurt our ability to fulfill our missions and erode the trust of
citizens in their government," and public confidence is vital for government success.23 As detailed in the
OGE 2023 inspection report, the CSB needs to continue to improve its ethics program and its ethics
culture, to include ensuring that public and confidential financial disclosure reports are timely reviewed
and certified to prevent and identify conflicts of interest, and implementing robust training so that
employees are aware of their ethical responsibilities. A demonstrated commitment to ethical behavior
would empower board members and staff to make decisions that are ethically sound and build trust
with external stakeholders.
20 U.S Env't Prot. Agency Off. of Inspector Gen., 23-N-0020, Report of Investigation: Katherine A. Lemos, Former
Chairperson and Chief Executive Officer, U.S. Chemical Safety and Hazard Investigation Board (2023).
215 C.F.R. § 2635.704(a).
225 C.F.R. § 2635.101(b)(14).
23 U.S. Off. of Gov't Ethics, Memorandum to Agency Heads (2018).
24-N-0010
13
-------�
Whistleblower Protection
U.S. Environmental Protection Agency
The whistleblower protection coordinator's role
is to educate Agency employees about
prohibitions against retaliation for protected
disclosures and the rights and remedies against
retaliation. For more information, please visit
the OIG's whistleblower protection webpaae.
Contact us:
Congressional Inquiries: OIG.CongressionalAffairs(5)epa.gov
Media Inquiries: OIG.PublicAffairs@epa.gov
'line EPA OIG Hotline: OIG.Hotline@epa.gov
-jig- Web: epaoig.gov
Follow us:
X (formerly Twitter): (5>epaoig
(J) Linkedln: linkedin.com/company/epa-oig
YouTube: voutube.com/epaoig
[01 Instagram: ffiepa.ig.on.ig
-------� |