
Report 2013-008-PSA - Performance Audit of the Agency's Personnel Security Program

Published by the Equal Employment Opportunity Commission, Office of Inspector General on 2014-09-15.


U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION

Performance Audit of the Agency’s Personnel Security Program
OIG REPORT NUMBER 2013-08-PSA

September 15, 2014

U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION
PERFORMANCE AUDIT OF THE AGENCY’S PERSONNEL SECURITY PROGRAM

Table of Contents




EXECUTIVE SUMMARY ............................................................................................................ 1
BACKGROUND ............................................................................................................................ 2
RESULTS OF AUDIT .................................................................................................................... 3
   Classified Information Management........................................................................................... 4
   Suitability Determinations .......................................................................................................... 7
       Risk Designations ................................................................................................................... 8
       Reinvestigations ...................................................................................................................... 8
       Federal Personnel/Payroll System (FPPS) .............................................................................. 9
       Certificates of Investigation .................................................................................................... 9
       Reporting Adjudication Decisions to OPM ............................................................................ 9
   Physical Security and Credentialing ......................................................................................... 11
Appendix A: Glossary of Acronyms.......................................................................................... A.1
Appendix B: Objectives, Scope, and Methodology .................................................................... B.1
   OBJECTIVES .......................................................................................................................... B.1
   SCOPE AND METHODOLOGY ........................................................................................... B.2
Appendix C: Management Response .......................................................................................... C.1
September 15, 2014


Milton A. Mayo Jr.
Inspector General
Equal Employment Opportunity Commission

Dear Mr. Mayo,

Williams, Adley & Company-DC, LLP performed a performance audit of the U.S. Equal
Employment Opportunity Commission’s (EEOC) Personnel Security Program for calendar year
2013. The audit was performed in accordance with our Task Order No. EECIGA-UD-0-07, dated
September 26, 2013. This report presents the results of the audit, and includes
recommendations to help improve efficiency and effectiveness of EEOC’s Personnel Security
Program.

Our audit was conducted in accordance with applicable Government Auditing Standards, 2011
revision. The audit was a performance audit, as defined by Chapter 2 of the Standards. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

We appreciate the opportunity to have conducted this audit. Should you have any questions or
need further assistance, please contact Charbet Duckett, Partner at (202) 371-1397.


Sincerely,



Charbet M. Duckett
Partner




WILLIAMS, ADLEY & COMPANY-DC, LLP
Certified Public Accountants / Management Consultants
1030 15th Street, NW, Suite 350 West • Washington, DC 20005 • (202) 371-1397 • Fax: (202) 371-9161
www.williamsadley.com
EXECUTIVE SUMMARY
We conducted a performance audit of Equal Employment Opportunity Commission’s (EEOC)
Personnel Security Program for calendar year 2013. Our audit was performed in accordance
with generally accepted Government Auditing Standards. Accordingly, our audit included
examining, on a test basis, evidence about EEOC’s compliance with Title 5 of the Code of
Federal Regulations (CFR) Part 731 and 32 CFR Part 2001 and performing such other procedures
as we considered necessary.

Overall, the objective of this audit was to ensure that EEOC has implemented a Personnel
Security Program that adheres to policies and procedures as described by the Office of
Personnel Management (OPM) and the Code of Federal Regulations as well as to determine
whether EEOC’s personnel security program was effective and efficient.

Although EEOC has designed an overall compliant personnel security program, we identified
areas in which improvements are needed in the implementation of the program in order to
achieve optimum effectiveness and efficiency.

   • Classified Information Management,
   • Suitability Determinations, and
   • Physical Security and Credentialing

Without such improvements, EEOC runs the risk of insufficient oversight, inadequate practices,
and unauthorized disclosure of classified information. Also, not implementing these
improvements to the personnel security program may result in individuals holding positions for
which they are not suitable or fit, and limiting EEOC’s ability to protect national security,
privacy-related information, and national interest. The conditions noted were caused by a lack
of EEOC policies and procedures for classified information and ineffective implementation of
established requirements.

Our seventeen recommendations call for management to develop or update policies and
procedures, to implement those policies and procedures, to adhere to the requirements
already in place, to address staffing concerns within the Office of the Chief Human Capital
Officer (OCHCO), and to complete risk designations, reinvestigations, and OPM reporting in
accordance with the requirements.




U.S. Equal Employment Opportunity Commission                                        Page 1
Personnel Security Program Audit
BACKGROUND
The U.S. Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal
laws that make it illegal to discriminate against a job applicant or an employee because of the
person's race, color, religion, sex (including pregnancy), national origin, age (40 or older),
disability or genetic information. It is also illegal to discriminate against a person because the
person complained about discrimination, filed a charge of discrimination, or participated in an
employment discrimination investigation or lawsuit. The EEOC carries out its mission through
its headquarters office in Washington, D.C. and through 53 field offices serving every part of the
nation.

The Personnel Security Program is managed by the EEOC’s Office of Chief Human Capital
Officer (OCHCO). The EEOC conducts personnel security investigations to determine if
applicants, interns/volunteers, contractors, and employees meet the suitability requirements
for employment. The scope of a personnel security investigation varies depending on the duties
and access requirements for the position. The authority to conduct personnel security
investigations is derived from Executive Order 10450, Security Requirements for Government
Employment, and Title 5, Code of Federal Regulations (CFR), parts 731 and 736.

Per EEOC order 530.010, EEOC must “ensure that personnel security investigations are
conducted in accordance with 5 CFR 736. Suitability determinations shall be made for
employment in covered positions in accordance with 5 CFR 731. Fitness determinations shall be
made for employment in the excepted service in accordance with 5 CFR 302.203. Fitness
determinations shall be made for contract employees in accordance with the Office of
Personnel Management’s (OPM) Supplemental Credentialing Standards.” Agency personnel
shall be credentialed in accordance with Federal Information Processing Standards (FIPS) 201
(as amended), Office of Management and Budget (OMB) Memo 05-24, USAccess policy, and the
OPM Final Credentialing Standards Memorandum (as amended). The EEOC maintains and
safeguards personnel security investigations and materials related to adjudications in strict
confidence. Access is granted only to authorized individuals, and handled in accordance with
the Privacy Act of 1974, 29 CFR 1611.15, and EEOC Order 531.001.

EEOC established a project team and implemented the agency’s HSPD-12 policy. The Office of
Information Technology (OIT), the Office of Chief Financial Officer (OCFO), and Office of the
Chief Human Capital Officer (OCHCO) jointly sponsored the implementation. OCHCO has lead
responsibility for background investigations, adjudication, and PIV card issuance/maintenance.
OCFO has lead responsibility for implementing use of the PIV credentials for facility access.
However, the field offices have been delegated the implementation of credentialing for facility
access. OIT has lead responsibility for implementing use of the PIV credentials for logical access
to EEOC information technology networks.


EEOC background investigations are conducted by OPM, Federal Investigative Services (FIS).
The extent of the background investigation is determined by the type of information individuals
will have access to. EEOC uses OPM-FIS background investigations as the basis for its suitability
determinations for employment in covered positions. All positions subject to investigation
under this part must also receive a sensitivity designation of Special-Sensitive, Critical-Sensitive,
or Noncritical-Sensitive, when appropriate. This designation is complementary to the risk
designation, and may have an effect on the position's investigative requirement. Procedures for
determining investigative requirements for all positions based upon risk and sensitivity are
published in OPM issuances, as described in 5 CFR 731.102(c).

In the EEOC Personnel Security and Suitability Handbook, EEOC has designated most positions
as Non-sensitive for national security purposes, which indicates that classified information is
not generated, handled or stored by EEOC positions. However, some EEOC employees are
required to handle classified information related to EEO complaints filed against intelligence
agencies. Some of this classified information is stored at EEOC headquarters and field office
locations. Currently, there is no classified information policy nor is classified information being
managed by a singular office. Instead, EEOC’s classified information is managed by the
individuals and offices handling the information such as the Office of Federal Operations (OFO),
the Office of Field Programs (OFP), and Washington Field Office (WFO).


RESULTS OF AUDIT
Although EEOC has designed an overall compliant Personnel Security Program, we identified
the following areas in which improvements are needed in the implementation of the program
in order to achieve optimum effectiveness and efficiency:
    • Classified Information Management,
    • Suitability Determinations, and
    • Physical Security and Credentialing

Without such improvements, EEOC runs the risk of insufficient oversight, inadequate practices,
and unauthorized disclosure of classified information. Also, not implementing these
improvements to the personnel security program may result in individuals holding positions for
which they are not suitable or fit, and limiting EEOC’s ability to protect national security,
privacy-related information, and national interest.


Classified Information Management

Currently, EEOC does not have formal, documented policies and procedures to address the
safeguarding, transfer, storage, or disposal of classified information. Also, a training policy for
classified information has not been established. Classified information is managed by the
individual offices and field offices based on verbal guidance from the originating federal
agencies. The individuals working on the classified information generally work directly with the
intelligence agency and receive feedback and instruction on how to handle the classified cases.
Therefore, EEOC cannot provide assurance of proper oversight, consistent training, and
safeguarding of classified information.

OCHCO has been delegated the responsibility of background investigations and adjudications.
Clearances for the employees who handle classified information are initiated by the intelligence
agency that works directly with the EEOC employee or his/her supervisor to obtain the
information necessary for the clearance process. The employee information is submitted to the
intelligence agency that conducts the investigation and renders an adjudication decision.
However, the current processes for initiating, granting and monitoring security clearances, need-
to-know, and security clearance access levels to classified information are not within OCHCO or
any other single office within EEOC HQ. As a result, OCHCO is not aware of the sensitivity of
the information to be accessed, the clearances obtained, or the clearance level required to
handle the classified information.

Approximately 18 EEOC employees, primarily in OFO, OFP, and WFO, currently have access to
classified information as a result of EEO complaints filed against intelligence agencies. The
classified information is stored either as hard copy or on thumb drives provided by the
originating intelligence agency. Each employee and/or their office is responsible for the
safeguarding and proper handling of the classified information. EEOC Staff interviewed
reported that procedures for safeguarding classified information are communicated verbally to
them by the intelligence agency or by their agency point of contact within EEOC. Guidance is
also provided to cleared EEOC employees at meetings with the originating agency. None of the
EEOC staff interviewed reported a formal EEOC-provided or mandated training for individuals
who require access to classified information. OFO stated that they are planning to develop a
policy and procedure document to cover the handling of classified information within their
office. The development of this document is still in its early stages and the completion date is
not yet known.

OIT requires all employees to complete a security awareness training each year. This EEOC-
developed training does not cover handling, use, or transfer of classified information. OIT
stated that they did not include classified information in the security awareness training due to
the small number of employees who handle classified information. There is no EEOC
requirement that individuals who handle classified information receive additional training in
this area.

According to the staff interviewed, the classified information is stored in GSA Security
Containers at EEOC Headquarters and at WFO. We were told that at least one field office stored
classified information at its location; however, the exact number of field offices with classified
information was not provided to us prior to the end of fieldwork.

Executive Order 13526, Classified National Security Information, section 5.4 requires agencies
that handle classified information to designate a senior agency official to direct and administer
the program. This official is responsible for establishing and maintaining security education and
training programs, establishing and maintaining a self-inspection program, establishing
procedures to prevent unnecessary access to classified information, and accounting for the
costs associated with implementing this program and reporting them to the Director of the
Information Security Oversight Office.

EEOC designated all personnel positions as “Non-sensitive” for national security purposes, which
would indicate that the information handled by those individuals would not be of a classified
nature. Also, OCHCO was unaware until recently of higher level security clearances held by
several employees as a result of the classified information. EEOC relies on the guidance
provided to the user by the originating agency in lieu of developing its own procedures.

Consequently, EEOC did not develop classified information policies and procedures and each
office manages its classified information without the benefit of oversight or guidance from the
required designated senior agency official in accordance with Executive Order 13526 and 32
CFR Parts 2001 & 2003. Although several office directors and users of classified information
have stated that they believe instituting a cohesive, agency-wide classified information
management policy would be beneficial, no specific office has taken responsibility for
developing one. Without a personnel security policy that includes classified information
management, the EEOC runs the risk of insufficient oversight, inadequate practices, and
unauthorized disclosure of classified information.

Recommendation:

We recommend that EEOC Senior Management direct the Office of the Chief Human Capital
Officer and the Office of the Chief Financial Officer to work together to:

   1. Identify all HQs and Field Offices where classified national security information is
      safeguarded, handled, processed, reproduced, transmitted, transported, or destroyed.

   2. Identify all EEOC employees with:

           a. current or prior access to classified national security information;

          b. a current adjudicated security clearance and the sponsoring agency, if
             applicable; and
          c. special access or interim clearance and the sponsoring agency, if applicable.

   3. Develop and implement policies and procedures to address the safeguarding, transfer,
      storage, or disposal of classified information. The policy should include the
      requirements for Memorandums of Understanding between agencies.

   4. Designate a senior agency official to direct and administer the program in accordance
      with Executive Order 13526 and 32 CFR Parts 2001 & 2003. This senior agency
      official/office must be provided the resources and authority to achieve compliance with
      the requirements associated with Classified National Security Information program.

   5. Implement a formalized training program for individuals who use classified information
      as a part of their duties. If an external agency is to assume the responsibility of training
      these individuals, this agreement should be documented in an MOU.

   6. Perform and document an assessment/evaluation of current classified information
      practices and safeguarding at headquarters and field offices to determine any non-
      compliances. Immediate corrective action should be taken to address any non-
      compliances noted.

   7. Incorporate a review of controls over classified information in EEOC’s annual Federal
      Managers Financial Integrity Act (FMFIA) process.

Management Response:

OCHCO Response: The EEOC suitability program is designed to adhere to applicable regulations,
executive orders, and statutes regarding suitability and fitness determinations; each covered
position is designated non-sensitive. Currently, there are no covered positions that fall under
Executive Order 12968 (National Security positions) eligibility for access to classified
information.

OFP Response: Currently only eight administrative judges (AJ) have clearances or authorization
issued from intelligence agencies (IA). A survey of those individuals reveals that they rarely
have access to classified information. In addition, classified documentation is ordinarily
redacted or is reviewed at FBI offices. AJs follow the procedures established by the IA.

OFO Response: Each office that has some involvement with classified information is managed
by a senior official.


OCFO Response: Overall, OCFO agreed with the finding. At this present time, the sponsoring
intelligence agencies and EEOC do not have an MOU/MOA established to address the required
continual monitoring, evaluation or reporting of an EEOC employee’s continued eligibility, or
need-to-know of classified information. This is why it is important that the agency in custody of
the classified information and handling the classified information manage its own employees’
personnel security clearance process and adjudication, need-to-know and access in cooperation
with the intelligence community agencies EEOC is serving.

OCFO also stated that their office has never received a thumb drive containing classified
information. When thumb drives are used, they are only used to transmit draft decisions to the
IA reviewing official. However, the possibility of classified information on unclassified
computers is present.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

The lack of a unified response speaks to a decentralized process without a designated senior
agency official responsible for the classified information and handling. The number of
employees with access to classified information was obtained from EEOC’s PPD-19
Supplemental Response, dated September 11, 2013. This number includes employees in OFO,
OFP, and WFO. Also, the procedures for reviewing classified information differ between
intelligence agencies. No consensus was reached about this issue and no responses were made
to the corrective actions. Therefore, the recommendations remain open until management
decision is reached with the EEOC OIG.


Suitability Determinations

We noted several instances where EEOC did not comply with federal requirements or its own
policies and procedures pertaining to suitability determinations. These instances include:

   •   Risk Designations
   •   Reinvestigations
   •   Federal Personnel Payroll System
   •   Certificates of Investigation
   •   Reporting Adjudication Decisions to OPM

As a result, EEOC cannot provide assurance that there are no individuals holding positions for
which they are not suited, thereby limiting EEOC’s ability to protect national security, privacy-
related information, and national interest.

Risk Designations

The EEOC has not conducted risk designations for all public trust position descriptions as
required by OPM, federal regulations, and EEOC policy. Currently only six of an estimated 200
covered positions have received a risk designation. Risk designations have been required by 5
CFR 731.106(a) since 2008. The EEOC began performing risk designations in 2011; however, the
designations have only been performed for six employees.

Title 5, CFR Section 731.106 and EEOC Order 530.010 both require EEOC to designate every
covered position within the agency at a high, moderate, or low risk as determined by the
position’s potential for adverse impact to the efficiency or integrity of the service. In addition,
all positions subject to investigation must also receive a sensitivity designation of special-
sensitive, critical-sensitive, or noncritical-sensitive, when appropriate.

OCHCO personnel stated that due to low staffing levels they decided to complete risk
designations for new hires only. Also, OCHCO has decided to wait until OPM and the Office of
the Director of National Intelligence (ODNI) promulgate new joint regulations on sensitive
positions and update or replace the Automated Position Designation Tool before they perform
any additional risk designations.

Without a corresponding risk designation for all covered positions, EEOC is at risk of
maintaining the wrong level of investigation for covered positions. This could result in
individuals holding positions for which they are not suitable, limiting EEOC’s ability to protect
national security, privacy-related information, and national interest.

Reinvestigations

EEOC does not consistently conduct reinvestigations for employees in public trust positions as
required by federal regulation and EEOC policy. According to EEOC Order 530.010 and 5 CFR
731.106, EEOC must ensure reinvestigations are conducted for persons occupying public trust
positions at least once every five years. Of the 25 employees selected for testing who should
have had at least one reinvestigation, 11 had not had a reinvestigation completed in the last 5
years. The amount of time between investigations for these employees ranged from 6 to 28
years, with an average of 9 years. Additionally, EEOC could not locate the reinvestigation
records of three of the 25 employees selected, so we were unable to determine whether they
received a reinvestigation or not.

Although EEOC has a written policy requiring reinvestigations, the OCHCO has elected not to
implement reinvestigation procedures because OPM has not issued implementation guidance
to federal agencies regarding public trust reinvestigations.


Without conducting periodic reinvestigations for current public trust positions once every 5
years, the EEOC could potentially have unsuitable personnel conducting EEOC activities.

Federal Personnel/Payroll System (FPPS)

The EEOC has not completely entered employee investigation data, such as dates and type of
adjudication completed, into FPPS although it is required by EEOC’s Personnel Security Program
Order, Chapter 1. OCHCO is charged with the responsibility of maintaining the completeness of
FPPS for all EEOC Federal employees. Out of 21 EEOC employees selected for testing, eleven
employee FPPS files had not been updated to show the type of investigation, and date of
adjudication.

We also noted that the EEOC policy related to FPPS does not, but should, include a timeline for
updating FPPS with the appropriate information, for example within 30 days after the
adjudication date.

OCHCO has not implemented proper procedures to ensure that FPPS is updated with the results
of adjudication in a timely manner. By not updating the FPPS to include investigation
information, the EEOC is limiting its ability to track and maintain the necessary data related to
suitability determinations.

Certificates of Investigation

The EEOC did not maintain a Certificate of Investigation (COI) within each current employee’s
electronic Official Personnel Folder (eOPF), as required by OPM and EEOC Order 530.010,
Chapter 5, and the OPM Operating Manual: The Guide to Record Keeping, Section 3-E. Although
internal tracking documents showed that an investigation was performed, we were not provided
a COI for 16 of the 50 employees selected for testing. The OCHCO is responsible for maintaining
EEOC employees’ eOPFs and for receiving and signing the COI.

OCHCO stated that it is experiencing a staffing shortage that is affecting the maintenance of
eOPF records. Therefore, EEOC employees’ eOPF files do not include the necessary information
to document that an appropriate background investigation was performed. This could impact
an employee’s clearance documentation when transferring to another agency. Also, without
this information, EEOC may not be able to validate whether the appropriate type of
investigation was obtained.

Reporting Adjudication Decisions to OPM

EEOC did not provide evidence that it reported adjudication decisions to OPM as required by
5 CFR 731.206 and EEOC Order 530.010, Chapter 5. We selected 25 employees for testing
and requested evidence showing that EEOC reported the employees’ adjudication decisions to
OPM as required. We were not provided evidence of reporting for any of these employees
prior to the end of fieldwork.

Without proper mechanisms to access information in a timely manner, EEOC is not able to
demonstrate compliance with federal reporting requirements.

EEOC has designed the proper system to meet the federal personnel security program
requirements. However, EEOC has not effectively and consistently implemented the policies
and procedures as outlined. As a result, EEOC is not able to demonstrate compliance or provide
assurance that there are no individuals holding positions for which they are not suited, thereby
limiting EEOC’s ability to protect national security, privacy-related information, and national
interest.

Recommendations:

We recommend that the Office of the Chief Human Capital Officer:

   8. Complete risk designations for the remaining estimated 194 EEOC covered positions.

   9. Complete and begin any outstanding reinvestigations as required by the CFR.

   10. Adhere to EEOC policy and federal requirements pertaining to reinvestigations. EEOC
       should follow its internal policy until further guidance is provided by OPM.

   11. Update the policy for the Federal Personnel Payroll System with a timeline and
       implement the revised standard.

   12. Review all employee eOPFs to ensure proper inclusion of the employee’s COI and in
       instances where the documentation is missing, insert the COI.

   13. Report any outstanding EEOC adjudication decisions to the Office of Personnel
       Management and, going forward, adhere to the 90-day timeline.

   14. Develop and implement a procedure to maintain relevant evidence documenting that
       the EEOC has informed OPM of the adjudication decisions it has made.

   15. Explore and document the decision on using alternative staffing options, such as
       contract employees, part time employees, or obtaining an employee on detail in order
       to become current on risk designations, reinvestigations, FPPS, COIs, and adjudication
       reporting.


Management Response:

OCHCO Response: OCHCO management concurred with all findings and recommendations
noted in this section. EEOC has employed a Personnel Security Specialist and Personnel
Security Assistant to assist with these efforts. Corrective actions have begun on the
recommendations and will be completed by the second quarter of FY 2015, except that EEOC has
decided to delay reinvestigations until such time as OPM issues guidance.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

We believe that the above-mentioned actions, if properly implemented, will resolve the
condition and address the recommendations.


Physical Security and Credentialing

EEOC’s HSPD-12 implementation plan assigns the OCFO lead responsibility for implementing the
use of PIV credentials for facility access across the agency, and EEOC’s physical security
program is managed by OCFO. We noted that EEOC’s physical security process is highly
decentralized. The field offices have considerable autonomy in implementing security
measures at their locations, and the agency physical security manager has limited authority
over the security measures in place at field office locations.

EEOC has a headquarters and 53 field offices located throughout the United States. Each field
office or district office establishes and manages its own physical security and credentialing
process. There is currently insufficient coordination and review by headquarters to ensure
compliance with EEOC physical security and credentialing requirements. As a result, EEOC is
increasing the risk of a security breach that could affect the safety of employees or the
information they handle.

We asked field office staff about the physical security measures at their respective locations
and compared these measures to the physical security standards issued by the Interagency
Security Committee (ISC) in its Physical Security Criteria for Federal Facilities. These
standards, issued in 2010, set forth a baseline set of physical security measures to be applied to
all Federal facilities based on their designated Facility Security Level (FSL). For multi-tenant
buildings under GSA control, a representative from each tenant participates in the building’s
Facility Security Committee. The Facility Security Committee determines which building
security measures to implement by a vote of its members. If the committee decides not to
implement specific physical security measures, it is required to document its acceptance of the
associated risk.


Security requirements for each location vary based on the office’s FSL, as described in the
Interagency Security Committee’s Physical Security Criteria for Federal Facilities. We made
inquiries at nine field offices with various FSLs to determine whether the security measures in
place at each location were in line with the security requirements for its FSL. We noted that four
of the nine field offices did not fully comply with the security requirements for their FSL.

There is currently no review being performed by the physical security manager to ensure field
office security measures and credentialing are in compliance with federal regulations.

Physical Security Criteria for Federal Facilities, An Interagency Security Committee Standard,
sets forth Facility Entrance Security Criteria that Federal agencies must follow, specifically as
they relate to badge identification, employee and visitor access control, and occupant and
visitor screening based on the facility’s FSL. In all cases where a required measure is not
implemented, the project documentation must clearly reflect the reason why the necessary
protection cannot be achieved. It is extremely important that the rationale for accepting risk be
well documented, including any alternative strategies considered or implemented and future
opportunities to implement the necessary protection.

EEOC has not established an effective centralized method for ensuring field office compliance
with physical security and credentialing regulations. Because of the agency’s relatively small size
and the diversity of its locations, physical security is managed at the field-office level, with little
to no coordination or consultation with security staff at EEOC headquarters regarding physical
security and credentialing. In addition, EEOC does not perform regular reviews of the security
measures in place at field office locations to ensure they are appropriate for each field office’s
FSL. Field offices are required to submit an annual security self-assessment checklist; however,
this checklist does not cover aspects such as building access, badging, visitor access, and
visitor and employee screening.

The lack of cohesive physical security and credentialing policy, and of tools for applying it
consistently, has resulted in inconsistent physical security practices across EEOC’s field office
locations. The oversight provided by OCFO is not robust enough to mitigate the risk associated
with such a decentralized structure. Without proper oversight by the Physical Security Manager
to ensure field office compliance with security directives, EEOC is increasing the risk of a security
breach that could affect the safety of employees or the information they handle.

Recommendation:

We recommend that the Office of the Chief Financial Officer:

   16. Update and implement comprehensive policies and procedures for physical security.
       These policies and procedures should include but not be limited to:


           a. Providing training for the Facility Security Committee (FSC) member or designee at
              each field office location at least annually;
           b. Developing and implementing a field office onsite security assessment program,
              that includes performing assessments and/or spot checks of field office security
              measures by the OCFO on a rotational basis as it relates to Interagency Security
              Committee requirements; and
           c. Assisting and ensuring field offices correct noted security weaknesses or
              document acceptance of risk where EEOC has determined corrective action will
              not be taken.

   17. Revise the field office self-assessment checklist to include facility security and
       credentialing information.

   18. Immediately correct any known weaknesses. If EEOC determines not to correct a noted
       weakness, EEOC should document this analysis and their acceptance of the associated
       risk.

   19. Increase coordination between OCFO and OFP to improve field office security posture,
       awareness, and training, and to ensure compliance with applicable EEOC orders and
       guides; Facility Security Committees, An ISC Standard, 2nd edition, dated January 1,
       2012; and other applicable Interagency Security Committee standards.

Management Response:

OCFO Response: OCFO concurred with the intent of the recommendations with a few minor
clarifications. OCFO management stated that EEOC can only impose EEOC specific
requirements on EEOC controlled space. It is the Facility Security Committee’s responsibility to
ensure that security procedures and countermeasures at each facility/building are administered
properly, to include entry access control. Corrective actions will be implemented in FY 2015.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

We believe that the above-mentioned actions, if properly implemented, will resolve the
condition and address most of the recommendations. However, the OCFO response did not
address recommendations 16c or 18; they will remain open until addressed with the OIG.




                        Appendix A: Glossary of Acronyms

CFR         Code of Federal Regulations
COI         Certificate of Investigation
COO         Chief Operating Officer
DHS         Department of Homeland Security
EEOC        U.S. Equal Employment Opportunity Commission
eOPF        Electronic Official Personnel Folder
FIPS        Federal Information Processing Standards
FIS         Federal Investigative Services
FOUO        For Official Use Only
FSL         Facility Security Level
FPPS        Federal Personnel/Payroll System
GAO         Government Accountability Office
HSPD        Homeland Security Presidential Directive
ISC         Interagency Security Committee
IT          Information Technology
OCFO        Office of the Chief Financial Officer
OCHCO       Office of the Chief Human Capital Officer (formerly OHR)
ODNI        Office of the Director of National Intelligence
OFO         Office of Federal Operations
OFP         Office of Field Programs
OHR         Office of Human Resources (now OCHCO)
OIT         Office of Information Technology
OMB         Office of Management and Budget
OPM         Office of Personnel Management
PIV         Personal Identity Verification
WFO         Washington Field Office




                  Appendix B: Objectives, Scope, and Methodology

OBJECTIVES

The overall objective of our audit was to determine whether EEOC has implemented a
personnel security program that adheres to policies and procedures as described by the Office
of Personnel Management and the Code of Federal Regulations.

More specifically, the objectives of our audit were as follows:

   1. To ensure that the EEOC Personnel Security Program Handbook provides guidance on
      the procedures, rules, roles, and responsibilities involved in the personnel security
      investigation process.
   2. To ensure, as stipulated by 5 CFR 736.201, that personnel security investigations are
      initiated within 14 days of placement in the position.
   3. To ensure that EEOC, as stipulated by 5 CFR 731.106, conducts reinvestigations and
      makes a determination regarding continued employment of persons occupying public
      trust positions at least once every 5 years.
   4. To ensure that EEOC reports to OPM the level or nature, result, and completion date
      of each background investigation or reinvestigation, each agency decision based on
      such investigation or reinvestigation, and any personnel action taken based on such
      investigation or reinvestigation, as required in OPM issuances.
   5. To ensure that a copy of the Certificate of Investigation is placed in the employee’s
      electronic Official Personnel Folder (eOPF).
   6. To ensure that the type of investigation and the date of adjudication are reported in
      the Federal Personnel/Payroll System (FPPS).
   7. To ensure that EEOC has implemented a process of risk designation.
   8. To ensure that EEOC has implemented the appropriate procedures associated with
      risk level changes.
   9. To review whether EEOC holds classified information.
   10. To ensure that, when applicable, EEOC has implemented the appropriate policies and
       procedures, as prescribed by federal statute, associated with individuals who may have
       access to classified information that is maintained and used on behalf of another
       agency.
   11. To assess the effectiveness and efficiency of EEOC’s personnel security program, to
       identify best practices, and to provide areas for improvement.




SCOPE AND METHODOLOGY

The scope of our audit included all established federal guidance and best practices associated
with the implementation of an effective and efficient Personnel Security Program. Our audit
focused on the appropriateness and effectiveness of EEOC’s Personnel Security Program during
calendar year 2013.

We used a four-phased approach: planning, internal control assessment, testing, and reporting.
We used IDEA sampling software to make our sample selections and perform testing when
reasonable. We reviewed key applicable laws and regulations. We interviewed EEOC staff to
document the processes and procedures and tested those processes and procedures to ensure
they were operating effectively. We researched and identified best practices and identified
areas for improvement.

We noted exceptions and wrote findings in those instances where violations occurred and were
not corrected, where internal control weaknesses existed, and where processes were
determined not to be effective and efficient. We stated the conditions, causes and effects of
our findings, as well as the criteria upon which the findings were based, and recommendations
for correcting the issues.




                      Appendix C: Management Response



