oversight

Personnel Security Inspection

Published by the Farm Credit Administration, Office of Inspector General on 2001-12-20.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

December 20, 2001


The Honorable Michael M. Reyna
Chairman of the Board and
 Chief Executive Officer
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Mr. Reyna:

The Office of the Inspector General completed an inspection of the Farm Credit Administration’s
(FCA) Personnel Security Program. The objective of this inspection was to evaluate the
progress made in addressing seven suggested actions contained in an OIG Management Letter
to strengthen FCA’s Personnel Security Program, dated May 10, 1999.

We found that management addressed the suggested actions made in the OIG Management
Letter. However, employees have not always been following the procedures that were revised
to address the weaknesses found in the letter. Further, we found the personnel security
program at FCA still lacks emphasis on its importance to the Agency.

We performed the inspection following the President’s Council on Integrity and Efficiency
Quality Standards for Inspections. We conducted fieldwork from August 21 through October 24,
2001. We provided a preliminary discussion draft report to program officials on November 21st
for their review. We issued the final draft report on December 7th. Finally, we held an exit
conference and discussed the final draft report with Phil Shebest, Chief Administrative Officer,
the appropriate OCAO employees, the Chief Operating Officer, and the Audit Followup Official
on December 19, 2001. Where actions were presented to the OIG that would resolve the
weaknesses found in the findings, the recommendation was changed to an agreed upon action.
The report has an appendix with an organizational chart. Due to privacy concerns, the appendix
will only be distributed to Board Members, the Chief Operating Officer, and the Chief
Administrative Officer.

If you have any questions about this inspection, I would be pleased to meet with you at your
convenience.

Respectfully,


Stephen G. Smith
Inspector General
Personnel Security
         Program

            01-06
                                        TABLE OF CONTENTS




BACKGROUND                                                          4

Personnel Security Program                                          4
  OIG Management Letter on Personnel Security                       4

OBJECTIVE AND SCOPE                                                 4

FINDINGS AND RECOMMENDATIONS                                        5

Personnel Security Policies and Procedures Are Thorough             5
  Agreed Upon Action                                                5

Personnel Security Program Still Lacks Importance                   6
  Internal Procedures Are Not Always Being Followed                 6
  Personnel Security Records Were Inaccurate                        7
  PSO Performance Standards Need Strengthening                      7
  Internal Control Reviews Are Not Being Conducted                  8
  PSO Has Not Been Provided Sufficient Training                     8
  Agreed Upon Action                                                8

Position Sensitivity Levels Need Updating                           8
  Agreed Upon Actions                                               9

Personnel Security Duties Are Not Being Performed for All Workers    9
  FCA Board Members                                                  9
  FCA Contractors                                                   10
  Agreed Upon Actions                                               10
 BACKGROUND

         The Farm Credit Administration (FCA or Agency) is an independent Federal financial regulatory
         agency. FCA has regulatory, examination and supervisory responsibilities for the Farm Credit
         System (System) banks, associations, and related institutions. FCA employs less than 300 people.
         Personnel related costs account for about 81 percent of the Agency’s $36.8 million fiscal year 2001
         budget.

Personnel Security Program

         All persons obtaining Federal employment are required to have a background investigation
         conducted to ensure the applicant meets suitability requirements. Suitability is based on an
         individual’s character or conduct that may have an impact on the integrity or efficiency of service.
         The depth of the background investigation is determined by the sensitivity and risk level of the
         position the individual seeks.

         Individual agencies are delegated the authority to maintain their own personnel security program in
         accordance with regulations and guidelines provided through the Office of Personnel Management
         (OPM) at 5 CFR 731 and 732. FCA employees hold positions of public trust. All FCA positions are
         rated low, moderate or high risk according to the criteria for risk rating of public trust positions.
         According to our analysis, there are currently 51 sensitive positions. Of these, 19 positions should
         be designated as high risk (including one vacant position) and 32 positions should be designated
         as moderate risk. The remaining FCA employees are in low risk or nonsensitive positions.

         OIG Management Letter on Personnel Security

         On May 10, 1999, the Office of Inspector General (OIG) issued a management letter as a result of
         work performed in connection with an investigation. This letter detailed the weaknesses found in
         the personnel security program at that time. In this management letter, seven suggested actions
         were made to improve FCA’s personnel security program. The management letter focused on
         weaknesses in performing timely background investigations and in determining proper sensitivity
         levels for Agency positions.


 OBJECTIVE AND SCOPE


         The objective of this inspection was to determine if the FCA made progress in improving the
         personnel security program by adopting previously reported suggested actions in the OIG
         management letter. We reviewed records, current regulations and guidelines on personnel
         security, FCA policies and procedures, and conducted interviews with appropriate Office of
         Administrative Officer (OCAO) staff to determine the progress. We also reviewed employee
         listings and personnel files to determine the accuracy and completeness of records. OCAO
         currently has the responsibility for the personnel security function. Previously, this work was the
         responsibility of the former Office of Resources Management (ORM), Human and Administrative
         Resources Division (HARD). In the following sections, the previous suggested actions are re-
         stated (similar actions grouped together) along with our findings. Included in our findings are
         1) actions taken in response to our previous management letter, 2) the status of the current
         program, and 3) recommendations or agreed upon actions to improve areas where we found
         weaknesses still exist.
      FINDINGS AND RECOMMENDATIONS

    Personnel Security Policies and Procedures Are Thorough

                                                The OCAO has taken action on both internal operating procedures and
                                                the Agency policies and procedures manual (PPM) to better provide
                                                guidance and show clear program responsibilities for the personnel
     OIG Management Letter                      security process. The changes to OCAO’s internal procedures include:
       Suggested Actions
                                                                   The personnel management specialists’ (PMS or
#2 Create clear individual and program                specialist) responsibility to send all SF-52s (Requests for
responsibilities, procedures and timelines to         Personnel Action) immediately on approval to the Personnel
ensure the program is completely and                  Security Officer (PSO) for sensitivity designation.
accurately operated.                                               The specialists’ responsibility to discuss personnel
                                                      security issues with managers when reviewing personnel actions.
                                                                   The PSO’s duties, responsibilities and procedures
#3 Personnel security files of HARD                   are clearly stated.
should be transferred to the ORM                                   OCAO added the requirement for applicants to
Director in compliance with the Agency                submit the form OF-306 “Declaration for Federal Employment”
PPM 825 or the PPM should be revised                  before they are offered a position at FCA which includes
to allocate safekeeping of the files in               background questions previously, but no longer, included in the
another area in compliance with applicable            standard government employment application (SF-171).
guidelines.
                                                With only a minor exception, we found the updated internal policies and
                                                procedures are detailed and clearly define individual responsibilities and
                                                operating procedures (organizational title changes need updating in
                                                OCAO’s policies and procedures).

                    Similarly, our review of the FCA PPM on personnel security (No. 825) found only minor exceptions:

                    --   The organizational titles are outdated.
                    --   The section, “Establishing New Positions,” should be updated to match OCAO’s internal
                         procedures that state security designations will be determined immediately upon receiving
                         SF-52s.

                    FCA PPM 825 addressed the need to maintain the PSO and alternate PSO security files
                    separately. The PSO and alternate PSO are the only persons who have access to the safe where
                    all FCA employee security files are kept. The individual files of the PSO and alternate PSO should
                    be kept under the control of someone other than themselves. Although these files do not contain
                    investigative reports or findings material, our discussions with OPM’s Investigations Service
                    suggest that these employees’ security files should be kept under separate control regardless of
                    the materials included in the files.

                    Finally, we reviewed the delegations of authority for PSO responsibilities. The Agency delegation
                    of authority (Del-12, dated July 16, 1998) is outdated for organizational titles, employee names and
                    Agency PPM number reference. The OCAO delegation is correct in naming the current PSO.

                    Agreed Upon Action

                    1) The CAO will update Agency Delegation 12 and PPM 825 for the Chairman’s signature
                         to address the above exceptions.
    Personnel Security Program Still Lacks Importance

                                                The personnel security work in the OCAO is not emphasized as an
                                                important function for the office. This is based on observations
                                                including: the specialists sometimes delay or do not always forward
    OIG Management Letter                       SF-52s to the PSO for security determinations; the PSO is not
      Suggested Actions                         consistently documenting security determinations; some records in
                                                the personnel security listings/spreadsheets are inaccurate and
                                                outdated; the PSO’s performance standards lack rating criteria and
                                                weight; and, internal control reviews are not being conducted.
#1 Emphasize to responsible staff that the
issue of public trust in Agency operations is   Internal Procedures Are Not Always Being Followed
important and hold them accountable for
timely, accurate and complete performance.      While procedures require the PSO to review personnel actions to
                                                determine position sensitivity levels, the results show the PSO is not
#5 HARD should exercise greater                 consistently receiving and reviewing the position descriptions to
diligence in providing necessary information    determine sensitivity levels before actions are taken.
to the alternate PSO for security determina-
tion before further action is taken on the      We took a random sample of 10% (five) of the internal actions for the
                                                last 2 years, as well as the actions for 2 high risk positions. We found
personnel request.                              that 6 of the 7 actions reviewed did not evidence staff adherence to
 #4 The PSO or alternate PSO should             OCAO procedures, as follows:
ensure that a system is developed and
maintained to accurately reflect all employee                      3 actions did not have a security designation or
                                                      evidence that the PSO reviewed the action;
background investigations completed and in                         1 action lacked the PSO’s signature, although a
process. Additionally, this system should             security designation was given; and
track when re-investigations should be                             2 actions were signed by the PSO after the
conducted for applicable employees.                   effective date of the action.

                                            We also reviewed Official Personnel Files (OPFs) of recently hired
                                            employees (from outside FCA). Of the 38 new hires in our sample,
                   14 did not have personnel security background requirements because they were interns or
                   temporary employees. One of the remaining 24 employees did not have the required background
                   investigation performed.

                   There is no documentation that the PSO made a determination about the need to conduct
                   investigations on the 5 employees who transferred from other Federal agencies. After an
                   extensive review, we did find that investigations were not required. While not a requirement,
                   providing a memo of a transferred employee’s status in their OPF is desirable and practical for
                   tracking purposes. OPM’s Investigations Service agreed that this practice would enhance the
                   personnel security function.

                   We reviewed OPFs to determine if the PSO was receiving the SF-52s timely. We did not find
                   evidence that requests for personnel action ever went through the PSO for three employees. In
                   nine other cases, the PSO did not receive the SF-52 until 2 ½ to 7 ½ months after the authorizing
                   official approved the SF-52.

                   Finally, we looked at the length of time between OPM certifying completion of investigations and
                   the PSO documenting the determination to the employee or the OPF. The current PSO has been
                   diligent in reviewing OPM’s investigative reports and completing the process. Delays in only two
                   cases were attributable to the prior PSO.
          Personnel Security Records Were Inaccurate

          The PSO maintains spreadsheets to keep track of background investigations and employee
          position sensitivity designations. One of the spreadsheets is a “High Risk List” worksheet that lists
          all FCA employees with sensitive positions designated as either high or moderate risk. A second
          spreadsheet “Sensitivity Designation Worksheet” shows the sensitivity designations and specific
          numerical ratings for all FCA employees.

          When we compared the two spreadsheets, we found the following inaccuracies on the High Risk
          List:

                8 employees are on list who are no longer employed at FCA (the oldest separation being in
                March 2000).
                3 employees were not listed, but should have been (2 moderate risk and 1 high risk
                employee),
                12 employees had incorrect position titles (for example, Field Office Directors still named as
                Associate Regional Directors)
                2 employees should not be on the list because they are in low risk positions.


Although the Sensitivity Designation Worksheet is more up-to-date than the High Risk List, we
found:

                many employees have left FCA, but are still on this list,
                1 employee is not listed at all (although he is on the High Risk List), and
                1 employee is rated as a moderate risk although she is not on the High Risk List and her
                position should be low risk.

          The inaccuracies in these spreadsheets indicate a lack of attention to this program and the
          importance of accurate recordkeeping. We provided a comparison for the sensitive positions to the
          PSO who made the appropriate corrections.

          Although there are only a few high risk positions requiring 5-year reinvestigations, we did not find a
          procedure for the PSO to review the high risk positions and track timeframes for performing
          reinvestigations. If the high risk list was kept up-to-date showing when reinvestigations are
          required or when a high risk position is vacant, it could be used in the office budget and planning
          process. This would be useful since high risk position background investigations are the most
          expensive. Having the PSO provide this information in conjunction with the planning process,
          would also ensure that a review is done annually to ensure reinvestigations are processed.

          PSO Performance Standards Need Strengthening

          The PSO’s performance standards contain all PSO duties under one bullet for one critical
          performance element, “Special Personnel Programs.” This bullet is one of eight bullets for this
          element and does not contain performance criteria except for the PSO’s task of updating policies
          and procedures within one month. Having the PSO duties as only one element among many
          reduces the importance of the function by not offering it the appropriate weight. Although time
          spent on the PSO duties is not significant, the work is and should be elevated to reflect its
          significance to the Agency.
         Internal Control Reviews Are Not Being Conducted

         The internal OCAO policy for personnel security provides for internal control reviews that should
         ensure the program is running effectively. The policy states “The PSO and/or alternate PSO will
         engage in a quarterly review of personnel security files to determine the nature of any outstanding
         investigations.” However, the PSO stated he does not review the files quarterly as a matter of
         practice. Rather, he updates the spreadsheets when new actions occur. Additionally, there is no
         process to remove employees who have left the Agency. Because reviews of the records are not
         done as a whole, the spreadsheets have many inaccuracies as described earlier.

         The OCAO policy also provides for an annual audit of the program by the alternate PSO.
         According to policy, the findings of the annual audit are reported to the Chief, HARD (now the Chief
         Administrative Officer) with any recommendations for corrective measures. However, the Alternate
         PSO has not performed the required audit. The management control plan for OCAO dated
         July 10, 2000, labeled the personnel security function “low risk” and is not due for a review until the
         third quarter of fiscal year 2003. This is another indicator that the personnel security program lacks
         appropriate emphasis.

         PSO Has Not Been Provided Sufficient Training

         The current PSO had some on-the-job training from the former PSO before he retired. The PSO
         stated that he has only been assigned these duties for about a year and feels that he is not
         seasoned or fully knowledgeable/experienced in this area. The current PSO developed contacts
         with the OPM Investigations Service. He also receives updates on changes in the regulations
         about personnel security issues and guidelines. However, the PSO’s only formal training was a
         one-day conference that provides updates on personnel security issues.

         Agreed Upon Action

         2) The CAO will place greater emphasis on the personnel security program by:

             a) creating a performance measure for the personnel security function
                using criteria encompassing the timeliness, thoroughness and
                accuracy of personnel security reviews and records.
             b) requiring the PSO to provide documentation in the OPFs of all new
                hires showing the security status of the employee.
             c) creating a separate critical element in the PSO’s performance standards
                with specific criteria for all PSO responsibilities.
             d) creating an element in all other appropriate OCAO staff’s performance standards
                addressing their responsibilities to the personnel security function.
             e) auditing the personnel security program each year covering areas
                described in the findings above.
             f) providing training for the PSO on personnel security responsibilities,
                including legal updates and personnel security adjudications.

Position Sensitivity Levels Need Updating

         The former PSO completed a review of position sensitivity levels for FCA employees in the
         summer of 1999. As a result, the Field Office Directors’ positions were upgraded from low risk to
         moderate risk. The Equal Employment Opportunity manager was also upgraded from low risk to
         moderate risk. After the review, the former PSO, in consultation with the Office of General
         Counsel, determined the Designated Agency Ethics Officer position did not require updating and is
                   still rated low risk. Also, one Executive Assistant was added to the high risk list, and now all Board-
                   level assistants are on that list.

                                               Although a review was done in the summer of 1999, our review found
                                               there are now other positions needing elevation from being low risk.
                                               The chart in Appendix 1 highlights several inconsistencies that should
   OIG Management Letter                       be addressed. For example, one of the two Executive Assistants to the
     Suggested Actions                         Chief Operating Officer (COO) has a moderate risk and the other has a
                                               low risk designation. The position with the low risk designation has
                                               access to the same or more sensitive information since the employee in
#6        The Field Office Director            this position is involved in policy and strategic direction issues.
positions should be reevaluated for risk
level classifications.                         There are other positions not evident on the chart that should be
                                               addressed. We noted many of the FCA computer specialist positions
#7 A review of all FCA positions,              are considered moderate risk. In our opinion, the Information
especially those with higher levels of         Technology (IT) examiners have the same risk factors as the computer
responsibility and access to sensitive         specialists and their sensitivity levels should be upgraded. We did not
information, should be completed.              do a full review of all positions in FCA. We mentioned these positions
                                               because they came to our attention when reviewing the PSO position
                                               sensitivity lists. These positions reiterate the need for more detailed
                                               reviews of internal position changes by the specialists and the PSO.

                                              The internal policy of OCAO is that specialists are to discuss personnel
                   security issues with managers. Although we did not interview the specialists about this
                   requirement, informal discussions with managers revealed that personnel security or risk factors of
                   positions are not discussed during the recruiting process or when positions are upgraded because
                   of new responsibilities.

                   Agreed Upon Actions

                   3) The CAO will develop a process to validate position risk ratings periodically. As part of
                        this process, the CAO will review all updated or newly created positions in the last two
                        years, including the Executive Assistant to the COO position and the IT examiner
                        positions to determine appropriate risk levels.

                   4) The PSO should provide the specialists a short checklist that describes position
                        sensitivity issues to discuss with managers and require that this checklist should be
                        discussed with managers and the results provided to the PSO for any new or updated
                        position description.

    Personnel Security Duties Are Not Being Performed for All Workers

                   FCA Board Members

                   The Board members were not part of our review because they did not fall under the scope of our
                   sample. However, we noted that the Board members were designated as the only employees with
                   “substantial” impact on the Agency’s programs. The PSO records showed they were high risk and
                   their investigations were to be done by the Federal Bureau of Investigation. However, there was
                   no documentation concerning the status of their background investigations. The PSO stated FCA
                   does not conduct any personnel security work concerning the Board members’ background
                   investigations.
The Board members are presidentially appointed and do not fall under normal civil service rules.
However, they are employees of the Agency and their security status should be verified, whether
initiated by FCA or previously conducted by the White House Security Office. Most likely, Board
members receive detailed background investigations before being confirmed. However, according
to the PSO, FCA does not know the status of the Board members’ security clearance. We
contacted OPM’s Investigations Service and confirmed it is the Agency’s responsibility to verify that
background investigations were completed and the level of the investigation was adequate for the
positions that the presidentially appointed personnel hold. Further, the Investigations Service
stated that the Board members should be re-investigated if FCA’s policy is to do periodic
re-investigations of high risk positions.

The Board members should have the highest level security clearance available in order to be able
to respond to any call placed upon them by the Administration. Inadequate security clearances
could result in an embarrassment to the Board member. For example, they may not be able to
access information that is critical to a policy decision or they could be rejected from meetings and
sites with sensitive or classified information due to their lack of security clearance. Such situations
might occur, especially in times of national emergency. According to OPM’s Investigations
Service, it is standard practice to have the head of the agency hold a Top Secret security
clearance.

FCA has one employee with a Top Secret security clearance, which allows her access to classified
information. (Top Secret security clearances are slightly different than the process for public trust
positions.) However, she would not be able to share this information with the head of FCA if he
does not have the appropriate clearance. Nor can the PSO adjudicate her re-investigation if he
does not also hold that level of clearance. The PSO needs to be knowledgeable about the Board
members investigations and level of security clearance. To provide appropriate service to the
Board and the Agency, the PSO should obtain appropriate high-level security clearance
designations for the Board members, and himself, if he is to adjudicate high-level security
clearances.

FCA Contractors

Finally, we asked what the procedures were for contractor background investigations or if FCA had
conducted any such investigations. The PSO stated he was not aware of ever having a
background investigation done for a contractor. We discussed this issue with the contracting
specialist. He stated that he is unaware of any procedures for conducting background
investigations on contract employees, except in the case of personal service contracts. FCA has
not had a personnel service contract for several years. The contract specialist said that as a part of
his contracting procedures he does do reference checks on contractors. However, he has never
consulted with the PSO about possibly conducting a background investigation. The Federal
Acquisition Regulations state that agency procedures should be followed. Although this area may
not be common since FCA rarely enters into sensitive contracts, FCA should have a process to
decide if a background investigation should be conducted for contract employees. The most
common basis for such background investigations would be contractors who had access to
sensitive information or unescorted access in an FCA office or building.

Agreed Upon Actions

5) The PSO will ensure appropriate security clearances are acquired and documented for
    Board members.

6) The PSO and contracting officer will establish procedures for determining if
    background investigations are needed for contract personnel.