Issue Date: September 30, 2009
Audit Report Number: 2009-DP-0008

TO: Jerry E. Williams, Chief Information Officer, Q

//signed//
FROM: Hanh Do, Director, Information System Audit Division, GAA

SUBJECT: Audit Report on the Review of Recovery Act Management and Reporting System (RAMPS)

HIGHLIGHTS

What We Audited and Why

We audited the U.S. Department of Housing and Urban Development’s (HUD) management procedures, practices, and controls related to the Recovery Act Management and Reporting System (RAMPS) to assess HUD’s compliance with reporting requirements under the American Recovery and Reinvestment Act (Recovery Act). We also reviewed whether the RAMPS project team followed Federal and HUD security requirements during the development of RAMPS.

We conducted this audit because the Recovery Act requires Federal agencies to ensure that the recipients’ use of all recovery funds is transparent to the public and that the public benefits of these funds are reported clearly, accurately, and in a timely manner. Also, Office of Management and Budget Memorandum 09-15 requires the Offices of Inspectors General to perform audits and inspections of their respective agencies’ awarding, disbursing, and monitoring of Recovery Act funds to determine whether safeguards exist to ensure that funds are used for their intended purposes.

What We Found

HUD has taken the following actions to comply with the reporting requirements under the Recovery Act:

- Worked with program offices and developers to identify and develop a process for the NEPA and recipient reporting requirements;
- Conducted security categorization and vulnerability scans early in the system development process; and
- Developed business requirements and provided those requirements to the Office of IT Security for review early in the system development process.

However, HUD’s effort to implement procedures, practices, and controls related to RAMPS did not fully meet the reporting requirements under the Recovery Act.
Specifically, (1) HUD did not meet the Recovery Act’s National Environmental Policy Act (NEPA) reporting requirements to ensure that NEPA data were reported to the public in a timely and accurate manner, and (2) HUD did not complete required security and privacy documents before or during the early phase of system development.

We recommend that the Office of the Chief Information Officer

1. Ensure that system owners develop the system security plan and risk assessment early in the development process.
2. Ensure that system owners complete a privacy impact assessment for a new system before placing it into development and production.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee’s Response

We provided a discussion draft to the Chief Information Officer on September 16, 2009, and met with him and his staff on September 23, 2009. We subsequently issued a formal draft report and received written comments on September 30, 2009. The Chief Information Officer concurred with the finding and recommendations. The complete text of the comments can be found in appendix A of this report.

TABLE OF CONTENTS

Background and Objectives
Results of Audit
  Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements
  Finding 2: HUD Did Not Fully Comply with Federal and HUD Security Policies for RAMPS
Scope and Methodology
Internal Controls
Appendix A. Auditee Comments and OIG’s Evaluation

BACKGROUND AND OBJECTIVES

The American Recovery and Reinvestment Act of 2009 (Recovery Act)[1] requires Federal agencies to ensure that (1) recovery funds are awarded and distributed in a prompt, fair, and reasonable manner; (2) the recipients and uses of all recovery funds are transparent to the public; and (3) the public benefits of these funds are reported clearly, accurately, and in a timely manner. The Recovery Act includes $13.61 billion for projects and programs administered by the U.S. Department of Housing and Urban Development (HUD).

Section 1609 of the Recovery Act and the Council on Environmental Quality (CEQ) require agencies and grantees to report quarterly on the status of environmental reviews under the National Environmental Policy Act (NEPA)[2] for all Recovery Act-funded projects and activities.

Section 1512 of the Recovery Act requires recipients and subrecipients to submit reports on the use of Recovery Act funds on a quarterly basis. The reports are due no later than the 10th day after the end of each calendar quarter (beginning the quarter ending September 30, 2009). The Federal agency providing those funds must make the reports publicly available no later than the 30th day after the end of that quarter.

HUD signed a contract on May 21, 2009, to develop and manage the Recovery Act Management and Reporting System (RAMPS). RAMPS is a web-based application that aggregates the required reporting data from HUD’s program offices’ existing source systems to efficiently report, validate, analyze, and publish Recovery Act data. HUD currently requires grantees to report the status of their compliance with NEPA directly into RAMPS. HUD’s original plan was to use RAMPS and other existing HUD systems to collect the data required to be reported by Section 1512. The Section 1512 report contains aggregate information on awards, programs, activities, and employment impact.

After the Office of Management and Budget (OMB) created and released the reporting Web site, FederalReporting.gov,[3] in August 2009, HUD changed its plan and required recipients and subrecipients to report their Section 1512 data directly to OMB’s FederalReporting.gov. OMB Memorandum 09-12[4] requires Federal agencies to develop internal policies and procedures for reviewing reported Section 1512 data and perform limited data quality reviews intended to identify material omissions and/or significant reporting errors. HUD had not finalized the quality control plan for reviewing recipient reports required by Section 1512 of the Recovery Act by the time we completed our review. HUD plans to use RAMPS to validate recipient reporting data in FederalReporting.gov.

The overall objective of our audit was to determine whether HUD’s effort to implement procedures, practices, and controls related to RAMPS met the reporting requirements under the Recovery Act. We also reviewed whether the RAMPS project team followed Federal and HUD security requirements during the development of RAMPS.

[1] The American Recovery and Reinvestment Act of 2009 became Public Law 111-5 on February 17, 2009. The purposes of the Act are to 1) preserve and create jobs and promote economic recovery; 2) assist those impacted by the recession; 3) provide investments needed to increase economic efficiency and provide long-term economic benefits; and 4) stabilize State and local government budgets.
[2] The National Environmental Policy Act protects public health, safety, and environmental quality. The Act requires Federal agencies to develop environmental regulation, establish levels of environmental reviews, and create the Council on Environmental Quality. HUD requires its recipients not to commit funds received from HUD or begin physical activities prior to the completion of environmental review.
[3] FederalReporting.gov is a central government-wide data collection system for Federal agencies and recipients of Federal awards under Section 1512 of the Recovery Act. Recipients will access this site to fulfill their reporting obligations. Federal Agency and Recipient users will be able to submit reports, view and comment on reports (Federal Agency and Prime Recipient users), and update or correct reports.
[4] “Implementing Guidance for the Reports on Use of Funds to the American Recovery and Reinvestment Act of 2009.”

RESULTS OF AUDIT

Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

HUD could not comply with the Recovery Act requirement to report the status of NEPA compliance for Recovery Act projects and activities in its April 2009 and July 2009 reports. These conditions occurred because many program offices did not have existing systems to collect the NEPA data, were not able to use the newly developed RAMPS system, or were not provided training on how to use the system. As a result, HUD was not able to provide the NEPA status to the public in an accurate and timely manner for over $2.9 billion of obligated funds.

HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

To ensure that accurate NEPA data are reported to the public in a timely manner, OMB Memorandum 09-15 and CEQ[5] require agencies to submit two reports in April on the status of NEPA compliance for Recovery Act projects and activities. Additional NEPA reports must be submitted on or before July 15, 2009, and every 90 days thereafter through October 15, 2011. HUD is taking the following actions to meet the Recovery Act’s NEPA requirements: working with program offices and developers to identify and develop a process for the NEPA and recipient reporting requirements. There are also weekly status meetings between the RAMPS project team and HUD management. However, HUD did not fully meet the NEPA reporting requirements.
HUD did not report the status of its compliance with NEPA requirements for all Recovery Act-funded projects and activities in the April 30 and July 15 NEPA reports. Also, HUD could not ensure that all information reported in the July 15 report was accurate. Specifically,

1. April 30 NEPA report: HUD was unable to report, and left out, the status of NEPA compliance for Recovery Act projects and activities for two of the three programs that require NEPA reporting. The programs received obligation funds from HUD and reported total gross outlays in HUD’s April financial activity reports. Also, HUD did not disclose in the NEPA report that although the two programs had received obligation funds, HUD was unable to provide the required NEPA data. As a result, readers of the report were led to believe that HUD had only one Recovery Act program that required NEPA reporting for April 30.

Table 1: Recovery Act programs that were required to be in the April 30 NEPA report

  Program                               Total obligation    Total gross outlay
  Project-based rental assistance       $1,419,697,987      $211,594,531
  *Public Housing Capital Fund          $2,982,510,530      $1,652,160
  *Native American Housing Block Grant  $130,909,255        $18,291,513

  *Programs for which the status of NEPA compliance was not included in the April 30 NEPA report

2. July 15 NEPA report: HUD did not report the status of NEPA compliance for Recovery Act projects and activities for one of the four programs that require NEPA reporting. The program received obligation funds from HUD and reported total gross outlays in HUD’s July financial activity reports.

Table 2: Recovery Act programs that were required to be in the July 15 NEPA report

  Program                               Total obligation    Total gross outlay
  Project-based rental assistance       $1,893,525,069      $857,372,733
  *Public Housing Capital Fund          $2,982,289,837      $49,263,777
  Native American Housing Block Grant   $257,307,748        $39,038,619
  Lead Hazard Reduction                 $99,500,000         $1,055,967

  *Program for which the status of NEPA compliance was not included in the July 15 NEPA report

Not all HUD program officials and grantees could enter NEPA data directly into RAMPS for the July 15 report. The RAMPS project team designed a user template to be used by those program offices to report recipients’ NEPA review status for the July 15 report. However, the RAMPS project team could not upload the status of NEPA compliance for HUD’s Recovery Act projects and activities automatically into RAMPS. Instead, they had to manually enter the information received from the program offices. Some grantee data were not entered into the system, causing RAMPS to have incomplete information and thereby to report inaccurate information.

HUD could not provide the status of NEPA compliance for all applicable Recovery Act projects and activities due to the following:

1. HUD did not have a department-wide system that collected environmental compliance information until the development of RAMPS. The Office of the Chief Information Officer originally informed program offices that RAMPS would be ready in mid-May. However, the RAMPS contract was not signed until May 21, 2009. HUD deployed release 1[6] of RAMPS on June 30.
2. HUD officials indicated that there was not enough time to train program officials and awardees on how to enter NEPA status data into RAMPS to meet the deadline. HUD developed training for NEPA administrators and recipients. However, the training classes were not available until the end of August 2009.
3. Some HUD program offices need to collect NEPA data from a large number of grantees. For instance, the Public Housing Capital Fund program needs to gather NEPA data from 3,000 grantees.
4. Some program offices did not follow the RAMPS project team’s instruction to fill out recipients’ NEPA review status in the user template designed by the RAMPS team. This error caused a delay in loading the recipients’ information into RAMPS.

[5] The Recovery Act requires a report to Congress on the status and progress of NEPA reviews for Recovery Act-funded projects and activities. The President has assigned reporting responsibility to CEQ.
[6] RAMPS release 1 focuses on the NEPA reporting requirements of the Recovery Act.

Conclusion

HUD could not meet the Recovery Act’s requirement to report the status of NEPA compliance for all Recovery Act projects and activities that received funding because there was no department-wide system in place to collect data from a large number of grantees during the April and July reporting periods. As a result, HUD could not provide accurate NEPA data to the public in a timely manner for over $2.9 billion of obligated funds.

Finding 2: HUD Did Not Fully Comply with Federal and HUD Security Policies for RAMPS

HUD did not complete required security and privacy documents before or during the early phase of system development. This condition occurred because HUD did not follow Federal and HUD security policies for implementing these security requirements for RAMPS. As a result, HUD officials could not ensure that all security controls were in place, implemented correctly, and operating as intended.

HUD Did Not Complete a Risk Assessment for RAMPS in a Timely Manner

HUD did not follow Federal and HUD system development methodology[7] requirements to complete all risk analysis activities of system security early in the development process. While HUD conducted security categorization and vulnerability scans during the initiate project phase,[8] the risk assessment, which covers risk analysis activities such as the threats and vulnerabilities associated with the project and probability determinations for each threat, was not completed during the project initiation phase.
HUD completed the risk assessment on July 6, 2009, although the project initiation phase ended in May and release 1 of RAMPS was placed into production on June 30, 2009. HUD officials stated that a risk assessment is not required to be conducted for a nonmajor application. However, HUD’s system development methodology and NIST 800-53[9] do not make the distinction on whether an application is major. HUD’s system development methodology requires that risk analysis activities be completed during the initiate project phase. When the risk assessment is completed early in the development phase, the results can be used for the development of system requirements, including security requirements, and a security concept of operations.

HUD Did Not Complete RAMPS System Security Plan in a Timely Manner

HUD did not follow its system development methodology requirements to develop the system security plan early in the development process. The RAMPS project team planned to complete the draft system security plan by the end of the “define system phase”[10] as required by HUD’s system development methodology. However, many major sections of the final draft security plan submitted to HUD management at the end of the “define system phase” were not completed. The contractor team had not met with the HUD Office of the Chief Information Officer (OCIO) security team before completing the “define system phase,” which was completed on June 5, 2009.

While the RAMPS project team developed and provided the business requirements to the Office of IT Security for review on April 23, 2009, the RAMPS project team and the Office of IT Security did not meet to discuss the development of the RAMPS system security plan until June 12, 2009. HUD’s system development methodology requires the system development team to work with the ADP Security Office during the “define system phase” to develop a system security plan that describes the management, operational, and technical controls needed to mitigate the risks determined in the project initiation phase. HUD security officials informed the RAMPS project team after the “define system phase” that HUD would not develop a separate system security plan for RAMPS because it is a nonmajor application. HUD will develop a system security plan for the major application that will also cover RAMPS.

HUD placed release 1 of RAMPS into production on June 30, 2009. However, the system security plan for the major application on which RAMPS resides was not completed until July 6, 2009. Also, the certification and accreditation of the major application was not completed until July 30, 2009. We also found that the system description section in the system security plan of the major application was incomplete.

NIST SP 800-37[11] and HUD Handbook 2400.25 REV-2 require system owners to have completed system security plans for all systems and completed certifications and accreditations before placing systems into production. By not documenting security controls in the system security plans and completing certifications and accreditations before placing systems into full production, HUD officials could not determine the extent to which security controls in the systems were implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system.

HUD Did Not Complete a Privacy Impact Assessment for RAMPS

HUD did not complete a privacy impact assessment for RAMPS before placing it into development and production. HUD’s “Use of Social Security Numbers Privacy Policy Guidance,” issued on September 21, 2007, requires that before developing a new system, the program sponsor shall provide a privacy impact assessment[12] to the departmental Privacy Act Officer. HUD officials informed the Office of Inspector General (OIG) that RAMPS does not contain personally identifiable information.[13] HUD was in the process of completing the assessment during the performance of this audit. The privacy impact assessment had not been completed for RAMPS and submitted to the Privacy Act Officer by the time OIG completed this audit. The privacy impact assessment needs to be completed to ensure that all data collected by RAMPS are reviewed by program sponsors to determine whether personally identifiable information will be collected. This will ensure that security controls needed to protect the information are planned for during system development.

Conclusion

HUD did not complete the required security and privacy documents before or during the early phase of the system development because HUD did not comply with Federal and HUD security requirements. As a result, HUD officials could not ensure that all security controls were in place, implemented correctly, and operated as intended. Also, including security controls early in the development process results in less expensive and more effective security measures.

Recommendations

We recommend that the Office of the Chief Information Officer

2A. Ensure that system owners develop the system security plan and risk assessment early in the development process.
2B. Ensure that system owners complete the privacy impact assessment for a new system before placing it into development and production.

[7] System development methodology is a framework that is used to structure, plan, and control the process of developing an information system.
[8] The Initiate Project phase is the period in which an information management need is identified and the decision is made whether to commit the necessary resources to solve the deficiency.
[9] “Recommended Security Controls for Federal Information Systems and Organizations”
[10] The Define System phase defines specific, detailed functional and data requirements, including security and security assurance requirements, which form the basis for the detailed design of the system during the Design System phase.
[11] “Guide for the Security Certification and Accreditation of Federal Information Systems”
[12] A privacy impact assessment is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
[13] Personally identifiable information is information relating to an individual that identifies that individual. The use of such information may include linking information with personally identifiable information from other sources or combining information so as to infer a person’s identity; i.e., name, address, identification number, etc., as well as IP (Internet provider) address, e-mail address, psychographic information, etc.

SCOPE AND METHODOLOGY

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We performed the audit from May 2009 through August 2009 at HUD headquarters, Washington, DC.
To accomplish our objectives, we

- Interviewed program officials and RAMPS project managers and evaluated HUD’s process for using RAMPS and existing systems to collect NEPA and Section 1512 data from recipients and the process for submitting these Recovery Act data to CEQ and OMB.
- Interviewed RAMPS project managers and reviewed RAMPS project schedules, status reports, system requirements presentations, and meeting minutes between the RAMPS project team and program offices to better understand the status of RAMPS system development and its interfaces with program source systems.
- Reviewed Federal and HUD security policies and procedures along with RAMPS security documents to determine whether the RAMPS project team followed Federal and HUD security requirements during the development of the RAMPS system.
- Performed analyses of NEPA reports to determine whether the reports were accurate and submitted in a timely manner.
- Reviewed results of security and system tests conducted for RAMPS.
- Attended training prepared for RAMPS administrators and reviewed the training course prepared for NEPA user reporting.

INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides reasonable assurance that the following objectives are achieved:

- Effectiveness and efficiency of operations,
- Relevance and reliability of information,
- Compliance with applicable laws and regulations, and
- Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its mission, goals, and objectives. They include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objectives:

- Policies, procedures, control systems, and other management tools used for implementation of security and technical controls for HUD’s system security.
- Policies, procedures, controls, and other management tools implemented to collect and validate Recovery Act data.

We assessed the relevant controls identified above. A significant weakness exists if management controls do not provide reasonable assurance that the process for planning, organizing, directing, and controlling program operations will meet the organization’s objectives.

Significant Weaknesses

Based on our review, we believe that the following items are significant weaknesses:

- HUD was unable to provide the NEPA status to the public in an accurate and timely manner (finding 1).
- HUD did not complete security documents in a timely manner (finding 2).

Appendix A

AUDITEE COMMENTS AND OIG’S EVALUATION

MEMORANDUM FOR: Hanh Do, Director, Information System Audit Division, Office of the Inspector General, GAA

//signed//
FROM: Lynn Allen, General Deputy Chief Information Officer, Q

SUBJECT: Draft Audit Report on the Review of Recovery Act Management and Reporting System (RAMPS)

Thank you for the opportunity to respond and submit our findings to the Draft Audit Report on the Review of Recovery Act Management and Reporting System (RAMPS).

Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

Response: Concur

HUD could not meet the Recovery Act’s requirements to report the status of NEPA compliance of all Recovery Act projects and activities that received funding because there was no Department-wide system in place to collect data from [the] larger amount of grantees during the April and July reporting periods. As a result, HUD could not provide accurate NEPA data to the public in a timely manner.

We agree that all pertinent information about HUD’s compliance with the National Environmental Policies Act (NEPA) was not provided in the April and July reports because HUD did not have an operational Department-wide information system capable of gathering the required information. Since that time, HUD has developed the Recovery Act Management Performance System (RAMPS) to gather the required information. There should be considerable improvement in the next report, which is due next month.

Finding 2: HUD did not fully comply with Federal and HUD Security Policies for RAMPS.

OIG Recommendation #2A: Ensure system owners develop the system security plan and risk assessment early in the development process.

OCIO Response: Concur

Although system security planning had been an integral part of early development, the aggressive schedule required for introduction of RAMPS necessitated pursuit of several parallel paths in order to meet initial production milestones. As noted in the report, final Certification and Accreditation was completed 30 days after initial go-live.

OIG Recommendation #3: Ensure system owners complete a privacy impact assessment for a new system prior to placing it into development and production.

OCIO Response: Concur

Comment 1
RAMPS is not a system that processes PII; it is not listed in the Department’s Inventory of Automated Systems (IAS) as such. To accommodate OIG concerns, as of 9/17/09 the PIA has been completed.

OIG Evaluation of Auditee Comments

Comment 1: HUD’s “Use of Social Security Numbers Privacy Policy Guidance” issued on September 21, 2007 requires that before developing a new system, the program sponsor shall provide a privacy impact assessment to the departmental Privacy Act Officer. Also, during the certification and accreditation process, it was documented in the security documents that the privacy impact assessment had not been completed.
Report on the Review of Recovery Act Management and Reporting System
Published by the Department of Housing and Urban Development, Office of Inspector General on 2009-09-30.