
Report on the Review of Recovery Act Management and Reporting System

Published by the Department of Housing and Urban Development, Office of Inspector General on 2009-09-30.


Issue Date: September 30, 2009
Audit Report Number: 2009-DP-0008




TO:           Jerry E. Williams, Chief Information Officer, Q

              //signed//
FROM:         Hanh Do, Director, Information System Audit Division, GAA

SUBJECT:      Audit Report on the Review of Recovery Act Management and Reporting
              System (RAMPS)

                                      HIGHLIGHTS

What We Audited and Why


        We audited the U.S. Department of Housing and Urban Development’s (HUD)
        management procedures, practices, and controls related to the Recovery Act Management
        and Reporting System (RAMPS) to assess HUD’s compliance with reporting
        requirements under the American Recovery and Reinvestment Act (Recovery Act). We
        also reviewed whether the RAMPS project team followed Federal and HUD’s security
        requirements during the development of RAMPS.

        We conducted this audit because the Recovery Act requires Federal agencies to ensure
        that the recipients’ use of all recovery funds is transparent to the public and that the
        public benefits of these funds are reported clearly, accurately, and in a timely manner.
        Also, Office of Management and Budget Memorandum 09-15 requires the Offices of
        Inspectors General to perform audits and inspections of their respective agencies’
        awarding, disbursing, and monitoring of Recovery Act funds to determine whether
        safeguards exist to ensure that funds are used for their intended purposes.

What We Found


      HUD has taken the following actions to comply with the reporting requirements under
      the Recovery Act:
             - Worked with program offices and developers to identify and develop a process
               for the NEPA and recipient reporting requirements;
             - Conducted security categorization and vulnerability scans early in the system
               development process; and
             - Developed business requirements and provided those requirements to the Office
               of IT security for review early in the system development process.

      However, HUD’s effort to implement procedures, practices, and controls related to
      RAMPS did not fully meet the reporting requirements under the Recovery Act.
      Specifically, (1) HUD did not meet the Recovery Act’s National Environmental Policy
      Act (NEPA) reporting requirements to ensure that NEPA data were reported to the public
      in a timely and accurate manner, and (2) HUD did not complete required security and
      privacy documents before or during the early phase of system development.

      We recommend that the Office of the Chief Information Officer
         1. Ensure that system owners develop the system security plan and risk assessment
            early in the development process.
         2. Ensure that system owners complete a privacy impact assessment for a new
            system before placing it into development and production.

      For each recommendation without a management decision, please respond and provide
      status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us
      copies of any correspondence or directives issued because of the audit.


Auditee’s Response


      We provided a discussion draft to the Chief Information Officer on September 16, 2009,
      and met with him and his staff on September 23, 2009. We subsequently issued a formal
      draft report and received written comments on September 30, 2009. The Chief
      Information Officer concurred with the finding and recommendations. The complete text
      of the comments can be found in appendix A of this report.




                         TABLE OF CONTENTS

Background and Objectives                                                              4

Results of Audit

     Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements            6
     Finding 2: HUD Did Not Fully Comply with Federal and HUD Security Policies for RAMPS   9

Scope and Methodology                                                                 12

Internal Controls                                                                     13

Appendix

   A. Auditee Comments and OIG’s Evaluation                                           14




                          BACKGROUND AND OBJECTIVES

The American Recovery and Reinvestment Act of 2009 (Recovery Act)[1] requires Federal
agencies to ensure that (1) recovery funds are awarded and distributed in a prompt, fair, and
reasonable manner; (2) the recipients and uses of all recovery funds are transparent to the public;
and (3) the public benefits of these funds are reported clearly, accurately, and in a timely manner.
The Recovery Act includes $13.61 billion for projects and programs administered by the U.S.
Department of Housing and Urban Development (HUD). Section 1609 of the Recovery Act and
the Council on Environmental Quality (CEQ) require agencies and grantees to report quarterly
on the status of environmental reviews under the National Environmental Policy Act (NEPA)[2]
for all Recovery Act-funded projects and activities. Section 1512 of the Recovery Act requires
recipients and subrecipients to submit reports on the use of Recovery Act funds on a quarterly
basis. The reports are due no later than the 10th day after the end of each calendar quarter
(beginning with the quarter ending September 30, 2009). The Federal agency providing those funds
must make the reports publicly available no later than the 30th day after the end of that quarter.

HUD signed a contract on May 21, 2009, to develop and manage the Recovery Act Management
and Reporting System (RAMPS). RAMPS is a web-based application that aggregates the
required reporting data from HUD’s program offices’ existing source systems to efficiently
report, validate, analyze, and publish Recovery Act data. HUD currently requires grantees to
report the status of their compliance with NEPA directly into RAMPS. HUD’s original plan was
to use RAMPS and other HUD existing systems to collect the data required to be reported by
Section 1512. The Section 1512 report contains aggregate information on awards, programs,
activities, and employment impact. After the Office of Management and Budget (OMB) created
and released the reporting Web site, FederalReporting.gov[3], in August 2009, HUD changed its
plan and required recipients and subrecipients to report their Section 1512 data directly to
OMB’s FederalReporting.gov.

OMB Memorandum 09-12[4] requires Federal agencies to develop internal policies and procedures
for reviewing reported Section 1512 data and perform limited data quality reviews intended to
identify material omissions and/or significant reporting errors. HUD had not finalized the
quality control plan for reviewing recipient reports required by Section 1512 of the Recovery Act
by the time we completed our review. HUD plans to use RAMPS to validate recipient reporting
data in FederalReporting.gov.

[1] The American Recovery and Reinvestment Act of 2009 became Public Law 111-5 on February 17, 2009. The
purposes of the Act are to 1) preserve and create jobs and promote economic recovery; 2) assist those impacted by
the recession; 3) provide investments needed to increase economic efficiency and provide long-term economic
benefits; and 4) stabilize State and local government budgets.
[2] The National Environmental Policy Act protects public health, safety, and environmental quality. The Act requires
Federal agencies to develop environmental regulations, establish levels of environmental review, and create the
Council on Environmental Quality. HUD requires its recipients not to commit funds received from HUD or begin
physical activities prior to the completion of the environmental review.
[3] FederalReporting.gov is a central, government-wide data collection system for Federal agencies and recipients of
Federal awards under Section 1512 of the Recovery Act. Recipients will access this site to fulfill their reporting
obligations. Federal Agency and Recipient users will be able to submit reports, view and comment on reports
(Federal Agency and Prime Recipient users), and update or correct reports.
[4] “Implementing Guidance for the Reports on Use of Funds to the American Recovery and Reinvestment Act of
2009.”

The overall objective of our audit was to determine whether HUD’s effort to implement
procedures, practices, and controls related to RAMPS met the reporting requirements under the
Recovery Act. We also reviewed whether the RAMPS project team followed Federal and
HUD’s security requirements during the development of RAMPS.




                                     RESULTS OF AUDIT

Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

HUD could not comply with the Recovery Act requirement to report the status of NEPA
compliance for Recovery Act projects and activities in its April 2009 and July 2009 reports.
These conditions occurred because many program offices did not have existing systems to
collect the NEPA data, were not able to use the newly developed RAMPS system, or were not
provided training on how to use the system. As a result, HUD was not able to provide the NEPA
status to the public in an accurate and timely manner for over $2.9 billion of obligated funds.




HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

        To ensure that accurate NEPA data are reported to the public in a timely manner, OMB
        Memorandum 09-15 and CEQ[5] require agencies to submit two reports in April on the
        status of NEPA compliance for Recovery Act projects and activities. Additional NEPA
        reports must be submitted on or before July 15, 2009, and every 90 days thereafter
        through October 15, 2011.

        HUD is taking the following actions to meet the Recovery Act’s NEPA requirements:
        working with program offices and developers to identify and develop a process for the
        NEPA and recipient reporting requirements. There are also weekly status meetings
        between the RAMPS project team and HUD management. However, HUD did not fully
        meet the NEPA reporting requirements. HUD did not report the status of its compliance
        with NEPA requirements for all Recovery Act-funded projects and activities in the April
        30 and July 15 NEPA reports. Also, HUD could not ensure that all information reported
        in the July 15 report was accurate. Specifically,


        1. April 30 NEPA report: HUD was unable to report and left out the status of NEPA
           compliance for Recovery Act projects and activities for two of the three programs
           that require NEPA reporting. The programs received obligation funds from HUD and
           reported total gross outlays in HUD’s April financial activity reports. Also, HUD did
           not disclose in the NEPA report that although the two programs had received
           obligation funds, HUD was unable to provide the required NEPA data. As a result,
           readers of the report were led to believe that HUD had only one Recovery Act
           program that required NEPA reporting for April 30.


[5] The Recovery Act requires a report to Congress on the status and progress of NEPA reviews for Recovery Act-
funded projects and activities. The President has assigned reporting responsibility to CEQ.
                   Table 1: Recovery Act programs that were required to be in the April 30 NEPA report

                   Program                                 Total obligation    Total gross outlay
                   Project-based rental assistance         $1,419,697,987      $211,594,531
                   *Public Housing Capital Fund            $2,982,510,530      $1,652,160
                   *Native American Housing Block Grant    $130,909,255        $18,291,513

                   * Programs for which the status of NEPA compliance was not included in the April 30 NEPA
                     report.

           2. July 15 NEPA report: HUD did not report the status of NEPA compliance for
              Recovery Act projects and activities for one of the four programs that require NEPA
              reporting. The program received obligation funds from HUD and reported total gross
              outlays in HUD’s July financial activity reports.

                   Table 2: Recovery Act programs that were required to be in the July 15 NEPA report

                   Program                                 Total obligation    Total gross outlay
                   Project-based rental assistance         $1,893,525,069      $857,372,733
                   *Public Housing Capital Fund            $2,982,289,837      $49,263,777
                   Native American Housing Block Grant     $257,307,748        $39,038,619
                   Lead Hazard Reduction                   $99,500,000         $1,055,967

                   * Program for which the status of NEPA compliance was not included in the July 15 NEPA
                     report.

               Not all HUD program officials and grantees could enter NEPA data directly into
               RAMPS for the July 15 report. The RAMPS project team designed a user template to
               be used by those program offices to report recipients’ NEPA review status for the
               July 15 report. However, the RAMPS project team could not upload the status of
               NEPA compliance for HUD’s Recovery Act projects and activities automatically into
               RAMPS. Instead, they had to manually enter the information received from the
               program offices. Some grantee data were not entered into the system, causing
               RAMPS to have incomplete information, thereby reporting inaccurate information.

           HUD could not provide the status of NEPA compliance for all applicable Recovery Act
           projects and activities due to the following:

            1. HUD did not have a department-wide system that collected environmental
               compliance information until the development of RAMPS. The Office of the Chief
               Information Officer originally informed program offices that RAMPS would be ready
               in mid-May. However, the RAMPS contract was not signed until May 21, 2009.
               HUD deployed release 1[6] of RAMPS on June 30.

            2. HUD officials indicated that there was not enough time to train program officials and
               awardees on how to enter NEPA status data into RAMPS to meet the deadline. HUD
               developed training for NEPA administrators and recipients. However, the training
               classes were not available until the end of August 2009.

            3. Some HUD program offices need to collect NEPA data from a large number of
               grantees. For instance, the Public Housing Capital Fund program needs to gather
               NEPA data from 3,000 grantees.

            4. Some program offices did not follow the RAMPS project team’s instruction to fill out
               recipients’ NEPA review status in the user template designed by the RAMPS team.
               This error caused a delay in loading the recipients’ information into RAMPS.

[6] RAMPS release 1 focuses on the NEPA reporting requirements of the Recovery Act.



Conclusion


      HUD could not meet the Recovery Act’s requirement to report the status of NEPA
      compliance for all Recovery Act projects and activities that received funding because
      there was no department-wide system in place to collect data from a large number of
      grantees during the April and July reporting periods. As a result, HUD could not provide
      accurate NEPA data to the public in a timely manner for over $2.9 billion of obligated
      funds.




Finding 2: HUD Did Not Fully Comply with Federal and HUD Security Policies for RAMPS

HUD did not complete required security and privacy documents before or during the early phase
of system development. This condition occurred because HUD did not follow Federal and HUD
security policies for implementing these security requirements for RAMPS. As a result, HUD
officials could not ensure that all security controls were in place, implemented correctly, and
operating as intended.



    HUD Did Not Complete a Risk Assessment for RAMPS in a Timely Manner

            HUD did not follow Federal and HUD’s system development methodology[7] requirements
            to complete all risk analysis activities for system security early in the development
            process. While HUD conducted security categorization and vulnerability scans during
            the initiate project phase,[8] the risk assessment, which covers risk analysis activities such
            as the threats and vulnerabilities associated with the project and probability determinations
            for each threat, was not completed during the project initiation phase. HUD completed the
            risk assessment on July 6, 2009, although the project initiation phase ended in May and
            release 1 of RAMPS was placed into production on June 30, 2009. HUD officials
            stated that a risk assessment is not required to be conducted for a nonmajor application.
            However, HUD’s system development methodology and NIST 800-53[9] do not make a
            distinction based on whether an application is major. HUD’s system development methodology
            requires that risk analysis activities be completed during the initiate project phase. When the
            risk assessment is completed early in the development phase, the results can be used for
            the development of system requirements, including security requirements, and a security
            concept of operations.

        HUD Did Not Complete the RAMPS System Security Plan in a Timely Manner


            HUD did not follow its system development methodology requirements to develop the
            system security plan early in the development process. The RAMPS project team
            planned to complete the draft system security plan by the end of the “define system
            phase”[10] as required by HUD’s system development methodology. However, many
            major sections of the final draft security plan submitted to HUD management at the end
            of the “define system phase” were not completed. The contractor team had not met with
            the HUD Office of the Chief Information Officer (OCIO) security team before
            completing the “define system phase,” which was completed on June 5, 2009. While the
            RAMPS project team developed and provided the business requirements to the Office of
            IT security for review on April 23, 2009, the RAMPS project team and Office of IT
            security did not meet to discuss the development of the RAMPS system security plan until
            June 12, 2009. HUD’s system development methodology requires the system
            development team to work with the ADP Security Office during the “define system
            phase” to develop a system security plan that describes the management, operational, and
            technical controls needed to mitigate the risks determined in the project initiation phase.

[7] System development methodology is a framework that is used to structure, plan, and control the process of
developing an information system.
[8] The Initiate Project phase is the period in which an information management need is identified and the decision is
made whether to commit the necessary resources to solve the deficiency.
[9] “Recommended Security Controls for Federal Information Systems and Organizations”

           HUD security officials informed the RAMPS project team after the “define system
           phase” that HUD would not develop a separate system security plan for RAMPS because
           it is a nonmajor application. HUD will develop a system security plan for the major
           application that will also cover RAMPS. HUD placed release 1 of RAMPS into
           production on June 30, 2009. However, the system security plan for the major
           application on which RAMPS resides was not completed until July 6, 2009. Also, the
           certification and accreditation of the major application was not completed until July 30,
           2009. We also found that the system description section in the system security plan of
            the major application was incomplete. NIST SP 800-37[11] and HUD’s handbook 2400.25
           REV-2 require system owners to have completed system security plans for all systems
           and completed certifications and accreditations before placing systems into production.
           By not documenting security controls in the system security plans and completing
           certifications and accreditations before placing systems into full production, HUD
           officials could not determine the extent to which security controls in the systems were
           implemented correctly, operating as intended, and producing the desired outcome with
           respect to meeting the security requirements for the information system.


         HUD Did Not Complete a Privacy Impact Assessment for RAMPS


          HUD did not complete a privacy impact assessment for RAMPS before placing it into
          development and production. HUD’s “Use of Social Security Numbers Privacy Policy
          Guidance,” issued on September 21, 2007, requires that before developing a new system,
          the program sponsor shall provide a privacy impact assessment[12] to the departmental
          Privacy Act Officer. HUD officials informed the Office of Inspector General (OIG) that
          RAMPS does not contain personally identifiable information.[13] HUD was in the process
          of completing the assessment during the performance of this audit. The privacy impact
          assessment had not been completed for RAMPS and submitted to the Privacy Act Officer
          by the time OIG completed this audit. The privacy impact assessment needs to be
          completed to ensure that all data collected by RAMPS are reviewed by program sponsors
          to determine whether personally identifiable information will be collected. This will
          ensure that the security controls needed to protect the information are planned for during
          system development.

[10] The Define System phase defines specific, detailed functional and data requirements, including security and
security assurance requirements, which form the basis for the detailed design of the system during the Design
System phase.
[11] “Guide for the Security Certification and Accreditation of Federal Information Systems”
[12] A privacy impact assessment is an analysis of how information is handled: (i) to ensure handling conforms to
applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of
collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential
privacy risks.

     Conclusion


         HUD did not complete the required security and privacy documents before or during the
         early phase of the system development because HUD did not comply with Federal and
         HUD’s security requirements. As a result, HUD officials could not ensure that all
         security controls were in place, implemented correctly, and operated as intended. Also,
         including security controls early in the development process results in less expensive and
         more effective security measures.


     Recommendations



         We recommend that the Office of the Chief Information Officer
         2A.      Ensure that system owners develop the system security plan and risk assessment
                  early in the development process.
         2B.      Ensure that system owners complete the privacy impact assessment for a new
                  system before placing it into development and production.




[13] Personally identifiable information is information relating to an individual that identifies that individual. The use
of such information may include linking information with personally identifiable information from other sources or
combining information so as to infer a person’s identity; i.e., name, address, identification number, etc., as well as IP
(Internet provider) address, e-mail address, psychographic information, etc.
                         SCOPE AND METHODOLOGY

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.

We performed the audit
       - From May 2009 through August 2009.
       - At HUD headquarters, Washington, DC.

To accomplish our objectives, we
       - Interviewed program officials and RAMPS project managers and evaluated HUD’s
         process for using RAMPS and existing systems to collect NEPA and Section 1512 data
         from recipients and the process for submitting these Recovery Act data to CEQ and
         OMB.
       - Interviewed RAMPS project managers and reviewed RAMPS project schedules, status
         reports, system requirements presentations, and meeting minutes between the RAMPS
         project team and program offices to better understand the status of RAMPS system
         development and interface with program source systems.
       - Reviewed Federal and HUD’s security policies and procedures along with RAMPS
         security documents to determine whether the RAMPS project team followed Federal and
         HUD’s security requirements during the development of the RAMPS system.
       - Performed analyses of NEPA reports to determine whether the reports were accurate and
         submitted in a timely manner.
       - Reviewed results of security and system tests conducted for RAMPS.
       - Attended training prepared for RAMPS administrators and reviewed the training course
         prepared for NEPA user reporting.




                              INTERNAL CONTROLS

Internal control is an integral component of an organization’s management that provides
reasonable assurance that the following objectives are achieved:

            - Effectiveness and efficiency of operations,
            - Relevance and reliability of information,
            - Compliance with applicable laws and regulations, and
            - Safeguarding of assets and resources.

Internal controls relate to management’s plans, methods, and procedures used to meet its
mission, goals, and objectives. They include the processes and procedures for planning,
organizing, directing, and controlling program operations as well as the systems for measuring,
reporting, and monitoring program performance.



 Relevant Internal Controls

              We determined that the following internal controls were relevant to our audit
              objectives:

                       - Policies, procedures, control systems, and other management tools used
                         for implementation of security and technical controls for HUD’s system
                         security.
                       - Policies, procedures, controls, and other management tools implemented
                         to collect and validate Recovery Act data.

              We assessed the relevant controls identified above.

              A significant weakness exists if management controls do not provide reasonable
              assurance that the process for planning, organizing, directing, and controlling
              program operations will meet the organization’s objectives.

 Significant Weaknesses

              Based on our review, we believe that the following items are significant
              weaknesses:

                       - HUD was unable to provide the NEPA status to the public in an accurate
                         and timely manner (finding 1).
                       - HUD did not complete security documents in a timely manner (finding 2).



                         Appendix A

AUDITEE COMMENTS AND OIG’S EVALUATION




 MEMORANDUM FOR:               Hanh Do, Director, Information System Audit
                               Division, Office of the Inspector General, GAA

                               //signed//
 FROM:                         Lynn Allen, General Deputy Chief Information
                               Officer, Q

 SUBJECT:                      Draft Audit Report on the Review of Recovery Act
                               Management and Reporting System (RAMPS)


        Thank you for the opportunity to respond and submit our findings to the Draft
 Audit Report on the Review of Recovery Act Management and Reporting System
 (RAMPS).

 Finding 1: HUD Did Not Meet the Recovery Act’s NEPA Reporting Requirements

 Response: Concur

 HUD could not meet the Recovery Act’s requirements to report the status of NEPA
 compliance of all Recovery Act projects and activities that received funding
 because there was no Department-wide system in place to collect data from [the]
 larger amount of grantees during the April and July reporting periods. As a result,
 HUD could not provide accurate NEPA data to the public in a timely manner.

 We agree that all pertinent information about HUD’s compliance with the National
 Environmental Policies Act (NEPA) was not provided in the April and July reports
 because HUD did not have an operational Department-wide information system
 capable of gathering the required information.

 Since that time, HUD has developed the Recovery Act Management Performance
 System (RAMPS) to gather the required information. There should be considerable
 improvement in the next report, which is due next month.




            Finding 2: HUD did not fully comply with Federal and HUD Security
            Policies for RAMPS.

            OIG Recommendation #2A: Ensure system owners develop the system
            security plan and risk assessment early in the development process.

            OCIO Response: Concur

            Although system security planning had been an integral part of early
            development, the aggressive schedule required for introduction of RAMPS
            necessitated pursuit of several parallel paths in order to meet initial
            production milestones. As noted in the report, final Certification and
            Accreditation was completed 30 days after initial go-live.

            OIG Recommendation #3: Ensure system owners complete a privacy
            impact assessment for a new system prior to placing it into development
            and production.

            OCIO Response: Concur

             [Comment 1] RAMPS is not a system that processes PII; it is not listed in the
             Department’s Inventory of Automated Systems (IAS) as such. To
             accommodate OIG concerns, as of 9/17/09 the PIA has been completed.




                           OIG Evaluation of Auditee Comments

Comment 1: HUD’s “Use of Social Security Numbers Privacy Policy Guidance” issued on
September 21, 2007 requires that before developing a new system, the program sponsor shall
provide a privacy impact assessment to the departmental Privacy Act Officer. Also, during the
certification and accreditation process, it was documented in the security documents that the
privacy impact assessment had not been completed.



