December 20, 2001 The Honorable Michael M. Reyna Chairman of the Board and Chief Executive Officer Farm Credit Administration 1501 Farm Credit Drive McLean, Virginia 22102-5090 Dear Mr. Reyna: The Office of the Inspector General completed an inspection of the Farm Credit Administration’s (FCA) Personnel Security Program. The objective of this inspection was to evaluate the progress made in addressing seven suggested actions contained in an OIG Management Letter to strengthen FCA’s Personnel Security Program, dated May 10, 1999. We found that management addressed the suggested actions made in the OIG Management Letter. However, employees have not always been following the procedures that were revised to address the weaknesses found in the letter. Further, we found the personnel security program at FCA still lacks emphasis on its importance to the Agency. We performed the inspection following the President’s Council on Integrity and Efficiency Quality Standards for Inspections. We conducted fieldwork from August 21 through October 24, 2001. We provided a preliminary discussion draft report to program officials on November 21st for their review. We issued the final draft report on December 7th. Finally, we held an exit conference and discussed the final draft report with Phil Shebest, Chief Administrative Officer, the appropriate OCAO employees, the Chief Operating Officer, and the Audit Followup Official on December 19, 2001. Where actions were presented to the OIG that would resolve the weaknesses found in the findings, the recommendation was changed to an agreed upon action. The report has an appendix with an organizational chart. Due to privacy concerns, the appendix will only be distributed to Board Members, the Chief Operating Officer, and the Chief Administrative Officer. If you have any questions about this inspection, I would be pleased to meet with you at your convenience. Respectfully, Stephen G. Smith Inspector General Personnel Security Program 01-06 TABLE OF CONTENTS BACKGROUND 4 Personnel Security Program 4 OIG Management Letter on Personnel Security 4 OBJECTIVE AND SCOPE 4 FINDINGS AND RECOMMENDATIONS 5 Personnel Security Policies and Procedures Are Thorough 5 Agreed Upon Action 5 Personnel Security Program Still Lacks Importance 6 Internal Procedures Are Not Always Being Followed 6 Personnel Security Records Were Inaccurate 7 PSO Performance Standards Need Strengthening 7 Internal Control Reviews Are Not Being Conducted 8 PSO Has Not Been Provided Sufficient Training 8 Agreed Upon Action 8 Position Sensitivity Levels Need Updating 8 Agreed Upon Actions 9 Personnel Security Duties Are Not Being Performed for All Workers 9 FCA Board Members 9 FCA Contractors 10 Agreed Upon Actions 10 BACKGROUND The Farm Credit Administration (FCA or Agency) is an independent Federal financial regulatory agency. FCA has regulatory, examination and supervisory responsibilities for the Farm Credit System (System) banks, associations, and related institutions. FCA employs less than 300 people. Personnel related costs account for about 81 percent of the Agency’s $36.8 million fiscal year 2001 budget. Personnel Security Program All persons obtaining Federal employment are required to have a background investigation conducted to ensure the applicant meets suitability requirements. Suitability is based on an individual’s character or conduct that may have an impact on the integrity or efficiency of service. The depth of the background investigation is determined by the sensitivity and risk level of the position the individual seeks. Individual agencies are delegated the authority to maintain their own personnel security program in accordance with regulations and guidelines provided through the Office of Personnel Management (OPM) at 5 CFR 731 and 732. FCA employees hold positions of public trust. All FCA positions are rated low, moderate or high risk according to the criteria for risk rating of public trust positions. According to our analysis, there are currently 51 sensitive positions. Of these, 19 positions should be designated as high risk (including one vacant position) and 32 positions should be designated as moderate risk. The remaining FCA employees are in low risk or nonsensitive positions. OIG Management Letter on Personnel Security On May 10, 1999, the Office of Inspector General (OIG) issued a management letter as a result of work performed in connection with an investigation. This letter detailed the weaknesses found in the personnel security program at that time. In this management letter, seven suggested actions were made to improve FCA’s personnel security program. The management letter focused on weaknesses in performing timely background investigations and in determining proper sensitivity levels for Agency positions. OBJECTIVE AND SCOPE The objective of this inspection was to determine if the FCA made progress in improving the personnel security program by adopting previously reported suggested actions in the OIG management letter. We reviewed records, current regulations and guidelines on personnel security, FCA policies and procedures, and conducted interviews with appropriate Office of Administrative Officer (OCAO) staff to determine the progress. We also reviewed employee listings and personnel files to determine the accuracy and completeness of records. OCAO currently has the responsibility for the personnel security function. Previously, this work was the responsibility of the former Office of Resources Management (ORM), Human and Administrative Resources Division (HARD). In the following sections, the previous suggested actions are re- stated (similar actions grouped together) along with our findings. Included in our findings are 1) actions taken in response to our previous management letter, 2) the status of the current program, and 3) recommendations or agreed upon actions to improve areas where we found weaknesses still exist. FINDINGS AND RECOMMENDATIONS Personnel Security Policies and Procedures Are Thorough The OCAO has taken action on both internal operating procedures and the Agency policies and procedures manual (PPM) to better provide guidance and show clear program responsibilities for the personnel OIG Management Letter security process. The changes to OCAO’s internal procedures include: Suggested Actions The personnel management specialists’ (PMS or #2 Create clear individual and program specialist) responsibility to send all SF-52s (Requests for responsibilities, procedures and timelines to Personnel Action) immediately on approval to the Personnel ensure the program is completely and Security Officer (PSO) for sensitivity designation. accurately operated. The specialists’ responsibility to discuss personnel security issues with managers when reviewing personnel actions. The PSO’s duties, responsibilities and procedures #3 Personnel security files of HARD are clearly stated. should be transferred to the ORM OCAO added the requirement for applicants to Director in compliance with the Agency submit the form OF-306 “Declaration for Federal Employment” PPM 825 or the PPM should be revised before they are offered a position at FCA which includes to allocate safekeeping of the files in background questions previously, but no longer, included in the another area in compliance with applicable standard government employment application (SF-171). guidelines. With only a minor exception, we found the updated internal policies and procedures are detailed and clearly define individual responsibilities and operating procedures (organizational title changes need updating in OCAO’s policies and procedures). Similarly, our review of the FCA PPM on personnel security (No. 825) found only minor exceptions: -- The organizational titles are outdated. -- The section, “Establishing New Positions,” should be updated to match OCAO’s internal procedures that state security designations will be determined immediately upon receiving SF-52s. FCA PPM 825 addressed the need to maintain the PSO and alternate PSO security files separately. The PSO and alternate PSO are the only persons who have access to the safe where all FCA employee security files are kept. The individual files of the PSO and alternate PSO should be kept under the control of someone other than themselves. Although these files do not contain investigative reports or findings material, our discussions with OPM’s Investigations Service suggest that these employees’ security files should be kept under separate control regardless of the materials included in the files. Finally, we reviewed the delegations of authority for PSO responsibilities. The Agency delegation of authority (Del-12, dated July 16, 1998) is outdated for organizational titles, employee names and Agency PPM number reference. The OCAO delegation is correct in naming the current PSO. Agreed Upon Action 1) The CAO will update Agency Delegation 12 and PPM 825 for the Chairman’s signature to address the above exceptions. Personnel Security Program Still Lacks Importance The personnel security work in the OCAO is not emphasized as an important function for the office. This is based on observations including: the specialists sometimes delay or do not always forward OIG Management Letter SF-52s to the PSO for security determinations; the PSO is not Suggested Actions consistently documenting security determinations; some records in the personnel security listings/spreadsheets are inaccurate and outdated; the PSO’s performance standards lack rating criteria and weight; and, internal control reviews are not being conducted. #1 Emphasize to responsible staff that the issue of public trust in Agency operations is Internal Procedures Are Not Always Being Followed important and hold them accountable for timely, accurate and complete performance. While procedures require the PSO to review personnel actions to determine position sensitivity levels, the results show the PSO is not #5 HARD should exercise greater consistently receiving and reviewing the position descriptions to diligence in providing necessary information determine sensitivity levels before actions are taken. to the alternate PSO for security determina- tion before further action is taken on the We took a random sample of 10% (five) of the internal actions for the last 2 years, as well as the actions for 2 high risk positions. We found personnel request. that 6 of the 7 actions reviewed did not evidence staff adherence to #4 The PSO or alternate PSO should OCAO procedures, as follows: ensure that a system is developed and maintained to accurately reflect all employee 3 actions did not have a security designation or evidence that the PSO reviewed the action; background investigations completed and in 1 action lacked the PSO’s signature, although a process. Additionally, this system should security designation was given; and track when re-investigations should be 2 actions were signed by the PSO after the conducted for applicable employees. effective date of the action. We also reviewed Official Personnel Files (OPFs) of recently hired employees (from outside FCA). Of the 38 new hires in our sample, 14 did not have personnel security background requirements because they were interns or temporary employees. One of the remaining 24 employees did not have the required background investigation performed. There is no documentation that the PSO made a determination about the need to conduct investigations on the 5 employees who transferred from other Federal agencies. After an extensive review, we did find that investigations were not required. While not a requirement, providing a memo of a transferred employee’s status in their OPF is desirable and practical for tracking purposes. OPM’s Investigations Service agreed that this practice would enhance the personnel security function. We reviewed OPFs to determine if the PSO was receiving the SF-52s timely. We did not find evidence that requests for personnel action ever went through the PSO for three employees. In nine other cases, the PSO did not receive the SF-52 until 2 ½ to 7 ½ months after the authorizing official approved the SF-52. Finally, we looked at the length of time between OPM certifying completion of investigations and the PSO documenting the determination to the employee or the OPF. The current PSO has been diligent in reviewing OPM’s investigative reports and completing the process. Delays in only two cases were attributable to the prior PSO. Personnel Security Records Were Inaccurate The PSO maintains spreadsheets to keep track of background investigations and employee position sensitivity designations. One of the spreadsheets is a “High Risk List” worksheet that lists all FCA employees with sensitive positions designated as either high or moderate risk. A second spreadsheet “Sensitivity Designation Worksheet” shows the sensitivity designations and specific numerical ratings for all FCA employees. When we compared the two spreadsheets, we found the following inaccuracies on the High Risk List: 8 employees are on list who are no longer employed at FCA (the oldest separation being in March 2000). 3 employees were not listed, but should have been (2 moderate risk and 1 high risk employee), 12 employees had incorrect position titles (for example, Field Office Directors still named as Associate Regional Directors) 2 employees should not be on the list because they are in low risk positions. Although the Sensitivity Designation Worksheet is more up-to-date than the High Risk List, we found: many employees have left FCA, but are still on this list, 1 employee is not listed at all (although he is on the High Risk List), and 1 employee is rated as a moderate risk although she is not on the High Risk List and her position should be low risk. The inaccuracies in these spreadsheets indicate a lack of attention to this program and the importance of accurate recordkeeping. We provided a comparison for the sensitive positions to the PSO who made the appropriate corrections. Although there are only a few high risk positions requiring 5-year reinvestigations, we did not find a procedure for the PSO to review the high risk positions and track timeframes for performing reinvestigations. If the high risk list was kept up-to-date showing when reinvestigations are required or when a high risk position is vacant, it could be used in the office budget and planning process. This would be useful since high risk position background investigations are the most expensive. Having the PSO provide this information in conjunction with the planning process, would also ensure that a review is done annually to ensure reinvestigations are processed. PSO Performance Standards Need Strengthening The PSO’s performance standards contain all PSO duties under one bullet for one critical performance element, “Special Personnel Programs.” This bullet is one of eight bullets for this element and does not contain performance criteria except for the PSO’s task of updating policies and procedures within one month. Having the PSO duties as only one element among many reduces the importance of the function by not offering it the appropriate weight. Although time spent on the PSO duties is not significant, the work is and should be elevated to reflect its significance to the Agency. Internal Control Reviews Are Not Being Conducted The internal OCAO policy for personnel security provides for internal control reviews that should ensure the program is running effectively. The policy states “The PSO and/or alternate PSO will engage in a quarterly review of personnel security files to determine the nature of any outstanding investigations.” However, the PSO stated he does not review the files quarterly as a matter of practice. Rather, he updates the spreadsheets when new actions occur. Additionally, there is no process to remove employees who have left the Agency. Because reviews of the records are not done as a whole, the spreadsheets have many inaccuracies as described earlier. The OCAO policy also provides for an annual audit of the program by the alternate PSO. According to policy, the findings of the annual audit are reported to the Chief, HARD (now the Chief Administrative Officer) with any recommendations for corrective measures. However, the Alternate PSO has not performed the required audit. The management control plan for OCAO dated July 10, 2000, labeled the personnel security function “low risk” and is not due for a review until the third quarter of fiscal year 2003. This is another indicator that the personnel security program lacks appropriate emphasis. PSO Has Not Been Provided Sufficient Training The current PSO had some on-the-job training from the former PSO before he retired. The PSO stated that he has only been assigned these duties for about a year and feels that he is not seasoned or fully knowledgeable/experienced in this area. The current PSO developed contacts with the OPM Investigations Service. He also receives updates on changes in the regulations about personnel security issues and guidelines. However, the PSO’s only formal training was a one-day conference that provides updates on personnel security issues. Agreed Upon Action 2) The CAO will place greater emphasis on the personnel security program by: a) creating a performance measure for the personnel security function using criteria encompassing the timeliness, thoroughness and accuracy of personnel security reviews and records. b) requiring the PSO to provide documentation in the OPFs of all new hires showing the security status of the employee. c) creating a separate critical element in the PSO’s performance standards with specific criteria for all PSO responsibilities. d) creating an element in all other appropriate OCAO staff’s performance standards addressing their responsibilities to the personnel security function. e) auditing the personnel security program each year covering areas described in the findings above. f) providing training for the PSO on personnel security responsibilities, including legal updates and personnel security adjudications. Position Sensitivity Levels Need Updating The former PSO completed a review of position sensitivity levels for FCA employees in the summer of 1999. As a result, the Field Office Directors’ positions were upgraded from low risk to moderate risk. The Equal Employment Opportunity manager was also upgraded from low risk to moderate risk. After the review, the former PSO, in consultation with the Office of General Counsel, determined the Designated Agency Ethics Officer position did not require updating and is still rated low risk. Also, one Executive Assistant was added to the high risk list, and now all Board- level assistants are on that list. Although a review was done in the summer of 1999, our review found there are now other positions needing elevation from being low risk. The chart in Appendix 1 highlights several inconsistencies that should OIG Management Letter be addressed. For example, one of the two Executive Assistants to the Suggested Actions Chief Operating Officer (COO) has a moderate risk and the other has a low risk designation. The position with the low risk designation has access to the same or more sensitive information since the employee in #6 The Field Office Director this position is involved in policy and strategic direction issues. positions should be reevaluated for risk level classifications. There are other positions not evident on the chart that should be addressed. We noted many of the FCA computer specialist positions #7 A review of all FCA positions, are considered moderate risk. In our opinion, the Information especially those with higher levels of Technology (IT) examiners have the same risk factors as the computer responsibility and access to sensitive specialists and their sensitivity levels should be upgraded. We did not information, should be completed. do a full review of all positions in FCA. We mentioned these positions because they came to our attention when reviewing the PSO position sensitivity lists. These positions reiterate the need for more detailed reviews of internal position changes by the specialists and the PSO. The internal policy of OCAO is that specialists are to discuss personnel security issues with managers. Although we did not interview the specialists about this requirement, informal discussions with managers revealed that personnel security or risk factors of positions are not discussed during the recruiting process or when positions are upgraded because of new responsibilities. Agreed Upon Actions 3) The CAO will develop a process to validate position risk ratings periodically. As part of this process, the CAO will review all updated or newly created positions in the last two years, including the Executive Assistant to the COO position and the IT examiner positions to determine appropriate risk levels. 4) The PSO should provide the specialists a short checklist that describes position sensitivity issues to discuss with managers and require that this checklist should be discussed with managers and the results provided to the PSO for any new or updated position description. Personnel Security Duties Are Not Being Performed for All Workers FCA Board Members The Board members were not part of our review because they did not fall under the scope of our sample. However, we noted that the Board members were designated as the only employees with “substantial” impact on the Agency’s programs. The PSO records showed they were high risk and their investigations were to be done by the Federal Bureau of Investigation. However, there was no documentation concerning the status of their background investigations. The PSO stated FCA does not conduct any personnel security work concerning the Board members’ background investigations. The Board members are presidentially appointed and do not fall under normal civil service rules. However, they are employees of the Agency and their security status should be verified, whether initiated by FCA or previously conducted by the White House Security Office. Most likely, Board members receive detailed background investigations before being confirmed. However, according to the PSO, FCA does not know the status of the Board members’ security clearance. We contacted OPM’s Investigations Service and confirmed it is the Agency’s responsibility to verify that background investigations were completed and the level of the investigation was adequate for the positions that the presidentially appointed personnel hold. Further, the Investigations Service stated that the Board members should be re-investigated if FCA’s policy is to do periodic re-investigations of high risk positions. The Board members should have the highest level security clearance available in order to be able to respond to any call placed upon them by the Administration. Inadequate security clearances could result in an embarrassment to the Board member. For example, they may not be able to access information that is critical to a policy decision or they could be rejected from meetings and sites with sensitive or classified information due to their lack of security clearance. Such situations might occur, especially in times of national emergency. According to OPM’s Investigations Service, it is standard practice to have the head of the agency hold a Top Secret security clearance. FCA has one employee with a Top Secret security clearance, which allows her access to classified information. (Top Secret security clearances are slightly different than the process for public trust positions.) However, she would not be able to share this information with the head of FCA if he does not have the appropriate clearance. Nor can the PSO adjudicate her re-investigation if he does not also hold that level of clearance. The PSO needs to be knowledgeable about the Board members investigations and level of security clearance. To provide appropriate service to the Board and the Agency, the PSO should obtain appropriate high-level security clearance designations for the Board members, and himself, if he is to adjudicate high-level security clearances. FCA Contractors Finally, we asked what the procedures were for contractor background investigations or if FCA had conducted any such investigations. The PSO stated he was not aware of ever having a background investigation done for a contractor. We discussed this issue with the contracting specialist. He stated that he is unaware of any procedures for conducting background investigations on contract employees, except in the case of personal service contracts. FCA has not had a personnel service contract for several years. The contract specialist said that as a part of his contracting procedures he does do reference checks on contractors. However, he has never consulted with the PSO about possibly conducting a background investigation. The Federal Acquisition Regulations state that agency procedures should be followed. Although this area may not be common since FCA rarely enters into sensitive contracts, FCA should have a process to decide if a background investigation should be conducted for contract employees. The most common basis for such background investigations would be contractors who had access to sensitive information or unescorted access in an FCA office or building. Agreed Upon Actions 5) The PSO will ensure appropriate security clearances are acquired and documented for Board members. 6) The PSO and contracting officer will establish procedures for determining if background investigations are needed for contract personnel.
Personnel Security Inspection
Published by the Farm Credit Administration, Office of Inspector General on 2001-12-20.
Below is a raw (and likely hideous) rendition of the original report. (PDF)