Issue Date
September 30, 2009
Audit Report Number
2009-DP-0008
TO: Jerry E. Williams Chief Information Officer, Q
//signed//
FROM: Hanh Do, Director, Information System Audit Division, GAA
SUBJECT: Audit Report on the Review of Recovery Act Management and Reporting
System (RAMPS)
HIGHLIGHTS
What We Audited and Why
We audited the U.S. Department of Housing and Urban Development’s (HUD)
management procedures, practices, and controls related to the Recovery Act Management
and Reporting System (RAMPS) to assess HUD’s compliance with reporting
requirements under the American Recovery and Reinvestment Act (Recovery Act). We
also reviewed whether the RAMPS project team followed Federal and HUD’s security
requirements during the development of RAMPS.
We conducted this audit because the Recovery Act requires Federal agencies to ensure
that the recipients’ use of all recovery funds is transparent to the public and that the
public benefits of these funds are reported clearly, accurately, and in a timely manner.
Also, Office of Management and Budget Memorandum 09-15 requires the Offices of
Inspectors General to perform audits and inspections of their respective agencies’
awarding, disbursing, and monitoring of Recovery Act funds to determine whether
safeguards exist to ensure that funds are used for their intended purposes.
What We Found
HUD has taken the following actions to comply with the reporting requirements under
the Recovery Act:
Working with program offices and developers to identify and develop a process
for the NEPA and recipient reporting requirements;
Conducted security categorization and vulnerability scans early in the system
development process; and
Developed business requirements and provided those requirements to the Office
of IT security for review early in the system development process.
However, HUD’s effort to implement procedures, practices, and controls related to
RAMPS did not fully meet the reporting requirements under the Recovery Act.
Specifically, (1) HUD did not meet the Recovery Act’s National Environmental Policy
Act (NEPA) reporting requirements to ensure that NEPA data were reported to the public
in a timely and accurate manner, and (2) HUD did not complete required security and
privacy documents before or during the early phase of system development.
We recommend that the Office of the Chief Information Officer
1. Ensure that system owners develop the system security plan and risk assessment
early in the development process.
2. Ensure that system owners complete a privacy impact assessment for a new
system before placing it into development and production.
For each recommendation without a management decision, please respond and provide
status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us
copies of any correspondence or directives issued because of the audit.
Auditee’s Response
We provide a discussion draft to the Chief Information Officer on September 16, 2009
and met with him and his staff on September 23, 2009. We subsequently issued a formal
draft report and received written comments on September 30, 2009. The Chief
Information Officer concurred with the finding and recommendations. The complete text
of the comments can be found in appendix A of this report.
2
TABLE OF CONTENTS
Background and Objectives 4
Results of Audit
Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements 6
Finding 2: HUD Did Not Fully Comply with Federal and HUD Security Policies for 9
RAMPS
Scope and Methodology 12
Internal Controls 13
Appendix
A. Auditee Comments and OIG’s Evaluation 14
3
BACKGROUND AND OBJECTIVES
The American Recovery and Reinvestment Act of 2009 (Recovery Act)1 requires Federal
agencies to ensure that (1) recovery funds are awarded and distributed in a prompt, fair, and
reasonable manner; (2) the recipients and uses of all recovery funds are transparent to the public;
and (3) the public benefits of these funds are reported clearly, accurately, and in a timely manner.
The Recovery Act includes $13.61 billion for projects and programs administered by the U.S.
Department of Housing and Urban Development (HUD). Section 1609 of the Recovery Act and
the Council on Environmental Quality (CEQ) requires agencies and grantees to report quarterly
on the status of environmental reviews under the National Environmental Policy Act (NEPA)2
for all Recovery Act-funded projects and activities. Section 1512 of the Recovery Act requires
recipients and subrecipients to submit reports on the use of Recovery Act funds on a quarterly
basis. The reports are due no later than the 10th day after the end of each calendar quarter
(beginning the quarter ending September 30, 2009). The Federal agency providing those funds
must make the reports publicly available no later than the 30th day after the end of that quarter.
HUD signed a contract on May 21, 2009, to develop and manage the Recovery Act Management
and Reporting System (RAMPS). RAMPS is a web-based application that aggregates the
required reporting data from HUD’s program offices’ existing source systems to efficiently
report, validate, analyze, and publish Recovery Act data. HUD currently requires grantees to
report the status of their compliance with NEPA directly into RAMPS. HUD’s original plan was
to use RAMPS and other HUD existing systems to collect the data required to be reported by
Section 1512. The Section 1512 report contains aggregate information on awards, programs,
activities, and employment impact. After the Office of Management and Budget (OMB) created
and released the reporting Web site, FederalReporting.gov3, in August 2009, HUD changed its
plan and required recipients and subrecipients to report their Section 1512 data directly to
OMB’s FederalReporting.gov.
OMB Memorandum 09-124 requires Federal agencies to develop internal policies and procedures
for reviewing reported Section 1512 data and perform limited data quality reviews intended to
identify material omissions and/or significant reporting errors. HUD had not finalized the
quality control plan for reviewing recipient reports required by Section 1512 of the Recovery Act
1
The American Recovery and Reinvestment Act of 2009 became Public Law 111-5 on February 17, 2009. The
purposes of the Act are to 1) preserve and create jobs and promote economic recovery; 2) assist those impacted by
the recession; 3) provide investments needed to increase economic efficiency and provide long term economic
benefits; and 4) stabilize State and local government budget.
2
The National Environmental Policy Act protects public health, safety and environmental quality. The Act requires
federal agencies to develop environmental regulation, establish levels of environmental reviews, and create the
Council on Environmental Quality. HUD requires its recipients not to commit funds received from HUD and begin
physical activities prior to the completion of environmental review.
3
FederalReporting.gov is a central government wide data collection system for Federal agencies and recipients of
federal awards under Section 1512 of the Recovery Act. Recipients will access this site to fulfill their reporting
obligations. Federal Agency and Recipient users will be able to submit reports, view and comment on reports
(Federal Agency and Prime Recipient users), and update or correct reports.
4
“Implementing Guidance for the Reports on Use of Funds to the American Recovery and Reinvestment Act of
2009.”
4
by the time we completed our review. HUD plans to use RAMPS to validate recipient reporting
data in FederalReporting.gov.
The overall objective of our audit was to determine whether HUD’s effort to implement
procedures, practices, and controls related to RAMPS met the reporting requirements under the
Recovery Act. We also reviewed whether the RAMPS project team followed Federal and
HUD’s security requirements during the development of RAMPS.
5
RESULTS OF AUDIT
Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting
Requirements
HUD could not comply with the Recovery Act requirement to report the status of NEPA
compliance for Recovery Act projects and activities in its April, 2009 and July, 2009 reports.
These conditions occurred because many program offices did not have existing systems to
collect the NEPA data, were not able to use the newly developed RAMPS system, or were not
provided training on how to use the system. As a result, HUD was not able to provide the NEPA
status to the public in an accurate and timely manner for over $2.9 billion of obligated funds.
HUD Did Not Meet the Recovery Act’s
NEPA Reporting Requirements
To ensure that accurate NEPA data are reported to the public in a timely manner, OMB
Memorandum 09-15 and CEQ5 require agencies to submit two reports in April on the
status of NEPA compliance for Recovery Act projects and activities. Additional NEPA
reports must be submitted on or before July 15, 2009, and every 90 days thereafter
through October 15, 2011.
HUD is taking the following actions to meet the Recovery Act’s NEPA requirements:
working with program offices and developers to identify and develop a process for the
NEPA and recipient reporting requirements. There are also weekly status meetings
between the RAMPS project team and HUD management. However, HUD did not fully
meet the NEPA reporting requirements. HUD did not report the status of its compliance
with NEPA requirements for all Recovery Act-funded projects and activities in the April
30 and July 15 NEPA reports. Also, HUD could not ensure that all information reported
in the July 15 report was accurate. Specifically,
1. April 30 NEPA report: HUD was unable to report and left out the status of NEPA
compliance for Recovery Act projects and activities for two of the three programs
that require NEPA reporting. The programs received obligation funds from HUD and
reported total gross outlays in HUD’s April financial activity reports. Also, HUD did
not disclose in the NEPA report that although the two programs had received
obligation funds, HUD was unable to provide the required NEPA data. As a result,
readers of the report were led to believe that HUD had only one Recovery Act
program that required NEPA reporting for April 30.
5
The Recovery Act requires a report to Congress on the status and progress of NEPA reviews for Recovery Act
funded projects and activities. The President has assigned reporting responsibility to CEQ.
6
Table 1: Recovery Act programs that were required to be in the April 30 NEPA report
Program Total obligation Total gross outlay
Project-based rental assistance $1,419,697,987 $211,594,531
*Public Housing Capital Fund $2,982,510,530 $ 1,652,160
*Native American Housing Block Grant $ 130,909,255 $ 18,291,513
*Programs for which the status of NEPA compliance was not included in the April 30 NEPA
report
2. July 15 NEPA report: HUD did not report the status of NEPA compliance for
Recovery Act projects and activities for one of the four programs that require NEPA
reporting. The program received obligation funds from HUD and reported total gross
outlays in HUD’s July financial activity reports.
Table 2: Recovery Act programs that were required to be in the July 15 NEPA report
Program Total obligation Total gross outlay
Project-based rental assistance $1,893,525,069 $857,372,733
*Public Housing Capital Fund $2,982,289,837 $ 49,263,777
Native American Housing Block Grant $ 257,307,748 $ 39,038,619
Lead Hazard Reduction $ 99,500,000 $ 1,055,967
*Program for which the status of NEPA compliance was not included in the July 15 NEPA
report
Not all HUD program officials and grantees could enter NEPA data directly into
RAMPS for the July 15 report. The RAMPS project team designed a user template to
be used by those program offices to report recipients’ NEPA review status for the
July 15 report. However, the RAMPS project team could not upload the status of
NEPA compliance for HUD’s Recovery Act projects and activities automatically into
RAMPS. Instead, they had to manually enter the information received from the
program offices. Some grantee data were not entered into the system, causing
RAMPS to have incomplete information, thereby reporting inaccurate information.
HUD could not provide the status of NEPA compliance for all applicable Recovery Act
projects and activities due to the following:
1. HUD did not have a department-wide system that collected environmental
compliance information until the development of RAMPS. The Office of the Chief
Information Officer originally informed program offices that RAMPS would be ready
in mid-May. However, the RAMPS contract was not signed until May 21, 2009.
HUD deployed release 16 of RAMPS on June 30.
2. HUD officials indicated that there was not enough time to train program officials and
awardees on how to enter NEPA status data into RAMPS to meet the deadline. HUD
developed training for NEPA administrators and recipients. However, the training
classes were not available until the end of August 2009.
6
RAMPS release 1 focuses on the NEPA reporting requirements of the Recovery Act.
7
3. Some HUD program offices need to collect NEPA data from a large number of
grantees. For instance, the Public Housing Capital Fund program needs to gather
NEPA data from 3,000 grantees.
4. Some program offices did not follow the RAMPS project team’s instruction to fill out
recipients’ NEPA review status in the user template designed by the RAMPS team.
This error caused a delay in loading the recipients’ information into RAMPS.
Conclusion
HUD could not meet the Recovery Act’s requirement to report the status of NEPA
compliance for all Recovery Act projects and activities that received funding because
there was no department-wide system in place to collect data from a large amount of
grantees during the April and July reporting periods. As a result, HUD could not provide
accurate NEPA data to the public in a timely manner for over $2.9 billion of obligated
funds.
8
Finding 2: HUD Did Not Fully Comply with Federal and HUD Security
Policies for RAMPS
HUD did not complete required security and privacy documents before or during the early phase
of system development. This condition occurred because HUD did not follow Federal and HUD
security policies for implementing these security requirements for RAMPS. As a result, HUD
officials could not ensure that all security controls were in place, implemented correctly, and
operating as intended.
HUD Did Not Complete a Risk
Assessment for RAMPS in a Timely
Manner
HUD did not follow Federal and HUD’s system development methodology7 requirements
to complete all risk analysis activities of system security early in the development
process. While HUD conducted security categorization and vulnerability scans during
the initiate project phase,8 the risk assessment which covers risk analysis activities such
as threat and vulnerabilities associated with the project and probability determinations for
each threat were not completed during the project initiation phase. HUD completed the
risk assessment on July 6, 2009 although the project initiation phase ended in May and
the release 1 of RAMPS was placed into production on June 30, 2009. HUD officials
stated that a risk assessment is not required to be conducted for a nonmajor application.
However, HUD’s system development methodology and NIST 800-539 do not make the
distinction on whether an application is major. HUD’s system development methodology
requires risk analysis activities be completed during the initiate project phase. When the
risk assessment is completed early and in development phase, the results can be used for
the development of system requirements, including security requirements, and a security
concept of operations.
HUD Did Not Complete RAMPS
System Security Plan in a Timely
Manner
HUD did not follow its system development methodology requirements to develop the
system security plan early in the development process. The RAMPS project team
planned to complete the draft system security plan by the end of the “define system
7
System development methodology is a framework that is used to structure, plan, and control the process of
developing an information system.
8
Initiate Project phase is the period in which an information management need is identified and the decision is made
whether to commit the necessary resources to solve the deficiency.
9
“Recommended Security Controls for Federal Information Systems and Organizations”
9
phase”10 as required by HUD’s system development methodology. However, many
major sections of the final draft security plan submitted to HUD management at the end
of the “define system phase” were not completed. The contractor team had not met with
the HUD Office of the Chief Information Officer (OCIO) security team before
completing the “define system phase,” which was completed on June 5, 2009. While the
RAMPS project team developed and provided the business requirements to the Office of
IT security for review on April 23, 2009, the RAMPS project team and Office of IT
security did not meet to discuss the developing of system security plan of RAMPS until
June 12, 2009. HUD’s system development methodology requires the system
development team to work with the ADP Security Office during the “define system
phase” to develop a system security plan that describes the management, operational, and
technical controls needed to mitigate the risks determined in the project initiation phase.”
HUD security officials informed the RAMPS project team after the “define system
phase” that HUD would not develop a separate system security plan for RAMPS because
it is a nonmajor application. HUD will develop a system security plan for the major
application that will also cover RAMPS. HUD placed release 1 of RAMPS into
production on June 30, 2009. However, the system security plan for the major
application on which RAMPS resides was not completed until July 6, 2009. Also, the
certification and accreditation of the major application was not completed until July 30,
2009. We also found that the system description section in the system security plan of
the major application was incomplete. NIST SP 800-3711 and HUD’s handbook 2400.25
REV-2 require system owners to have completed system security plans for all systems
and completed certifications and accreditations before placing systems into production.
By not documenting security controls in the system security plans and completing
certifications and accreditations before placing systems into full production, HUD
officials could not determine the extent to which security controls in the systems were
implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the information system.
HUD Did Not Complete a Privacy
Impact Assessment for RAMPS
HUD did not complete a privacy impact assessment for RAMPS before placing it into
development and production. HUD’s “Use of Social Security Numbers Privacy Policy
Guidance” issued on September 21, 2007 requires that before developing a new system,
the program sponsor shall provide a privacy impact assessment12 to the departmental
10
The Define System phase defines specific, detailed functional and data requirements, including security and
security assurance requirements, which forms the basis for the detailed design of the system during the Design
System phase.
11
“Guide for the Security Certification and Accreditation of Federal Information Systems”
12
Privacy impact Assessment is an analysis of how information is handled: (i) to ensure handling conforms to
applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of
collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential
privacy risks.
10
Privacy Act Officer. HUD officials informed the Office of Inspector General (OIG) that
RAMPS does not contain personally identifiable information13. HUD was in the process
of completing the assessment during the performance of this audit. The privacy impact
assessment had not been completed for RAMPS and submitted to the Privacy Act Officer
by the time OIG completed this audit. The privacy impact assessment needs to be
completed to ensure that all data collected by RAMPS is reviewed by program sponsors
to determine whether personally identifiable information will be collected. This will
ensure that security controls needed to protect the information are planned for during
system development.
Conclusion
HUD did not complete the required security and privacy documents before or during the
early phase of the system development because HUD did not comply with Federal and
HUD’s security requirements. As a result, HUD officials could not ensure that all
security controls were in place, implemented correctly, and operated as intended. Also,
including security controls early in the development process results in less expensive and
more effective security measures.
Recommendations
We recommend that the Office of the Chief Information Officer
2A. Ensure that system owners develop the system security plan and risk assessment
early in the development process.
2B. Ensure that system owners complete the privacy impact assessment for a new
system before placing it into development and production.
13
Personal identifiable information is information relating to an individual that identifies that individual. The use of
such information may include linking information with personal identifiable information from other sources or
combining information so as to infer a person’s identity; i.e., name, address, identification number, etc., as well as IP
(Internet provider) address, e-mail address, psychographic information, etc.
11
SCOPE AND METHODOLOGY
We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.
We performed the audit
From May 2009 through August 2009.
At HUD headquarters, Washington, DC.
To accomplish our objectives, we
Interviewed program officials and RAMPS project managers and evaluated HUD’s
process for using RAMPS and existing systems to collect NEPA and Section 1512 data
from recipients and the process for submitting these Recovery Act data to CEQ and
OMB.
Interviewed RAMPS project managers and reviewed RAMPS project schedules, status
reports, system requirements presentations, and meeting minutes between the RAMPS
project team and program offices to better understand the status of RAMPS system
development and interface with program source systems.
Reviewed Federal and HUD’s security policies and procedures along with RAMPS
security documents to determine whether the RAMPS project team followed Federal and
HUD’s security requirements during the development of the RAMPS system.
Performed analyses of NEPA reports to determine whether the reports were accurate and
submitted in a timely manner.
Reviewed results of security and system tests conducted for RAMPS.
Attended training prepared for RAMPS administrators and reviewed the training course
prepared for NEPA user reporting.
12
INTERNAL CONTROLS
Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following objectives are achieved:
Effectiveness and efficiency of operations,
Relevance and reliability of information,
Compliance with applicable laws and regulations, and
Safeguarding of assets and resources.
Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.
Relevant Internal Controls
We determined that the following internal controls were relevant to our audit
objectives:
Policies, procedures, control systems, and other management tools used
for implementation of security and technical controls for HUD’s system
security.
Policies, procedures, controls, and other management tools implemented
to collect and validate Recovery Act data.
We assessed the relevant controls identified above.
A significant weakness exists if management controls do not provide reasonable
assurance that the process for planning, organizing, directing, and controlling
program operations will meet the organization’s objectives.
Significant Weaknesses
Based on our review, we believe that the following items are significant
weaknesses:
HUD was unable to provide the NEPA status to the public in an accurate
and timely manner (finding 1).
HUD did not complete security documents in a timely manner (finding 2).
13
Appendix A
AUDITEE COMMENTS AND OIG’S EVALUATION
MEMORANDUM FOR: Hanh Do, Director, Information System Audit
Division, Office of the Inspector General, GAA
//signed//
FROM: Lynn Allen, General Deputy Chief Information
Officer, Q
SUBJECT: Draft Audit Report on the Review of Recovery Act
Management and Reporting System (RAMPS)
Thank you for the opportunity to respond and submit our findings to the Draft
Audit Report on the Review of Recovery Act Management and Reporting System
(RAMPS).
Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements
Response: Concur
HUD could not meet the Recovery Act’s requirements to report the status of NEPA
compliance of all Recovery Act projects and activities that received funding
because there was no Department – wide system in place to collect data form [the]
larger amount of grantees during the April and July reporting periods. As a result,
HUD could not provide accurate NEPA data to the public in a timely manner.
We agree that all pertinent information about HUD’s compliance with the National
Environmental Policies Act (NEPA) was not provided in the April and July reports
because HUD did not have operational Department – wide information system
capable of gathering the required information.
Since that time, HUD has developed the Recovery Act Management Performance
System (RAMPS) to gather the required information. There should be considerable
improvement in the next report, which is due next month.
14
Finding 2: HUD did not fully comply with Federal and HUD Security
Policies for RAMPS.
OIG Recommendation #2A: Ensure system owners develop the system
security plan and risk assessment early in the development process.
OCIO Response: Concur
Although system security planning had been an integral part of early
development, the aggressive schedule required for introduction of RAMPS
necessitated pursuit of several parallel paths in order to meet initial
production milestones. As noted in the report, final Certification and
Accreditation was completed 30 days after initial go-live.
OIG Recommendation #3: Ensure system owners complete a privacy
impact assessment for a new system prior to placing it into development
and production.
OCIO Response: Concur
RAMPS is not a system that processes PII; it is not listed in the
Comment 1 Department’s Inventory of Automated Systems (IAS) as such. To
accommodate OIG concerns, as of 9/17/09 the PIA has been completed.
15
OIG Evaluation of Auditee Comments
Comment 1: HUD’s “Use of Social Security Numbers Privacy Policy Guidance” issued on
September 21, 2007 requires that before developing a new system, the program sponsor shall
provide a privacy impact assessment to the departmental Privacy Act Officer. Also, during the
certification and accreditation process, it was documented in the security documents that the
privacy impact assessment had not been completed.
16
Report on the Review of Recovery Act Management and Reporting System
Published by the Department of Housing and Urban Development, Office of Inspector General on 2009-09-30.
Below is a raw (and likely hideous) rendition of the original report. (PDF)