Issue Date: July 22, 2011
Audit Report Number: 2011-DP-0007

TO: Jerry E. Williams, Chief Information Officer, Q
FROM: Hanh Do, Director, Information Systems Audits Division, GAA
SUBJECT: Review of the National Environmental Policy Act and Core Activity Modules Within the Recovery Act Management and Performance System

HIGHLIGHTS

What We Audited and Why

We audited the U.S. Department of Housing and Urban Development's (HUD) management procedures, practices, and controls related to the Recovery Act Management and Performance System (RAMPS). Our objective was to assess its capability to record and provide the data required by the American Recovery and Reinvestment Act of 2009 on which HUD is required to report. We conducted this audit because the Recovery Act requires Federal agencies to ensure that the recipients' use of all recovery funds is transparent to the public and that the public benefits of these funds are reported clearly, accurately, and in a timely manner. HUD uses RAMPS to aggregate the required reporting data from its program offices' existing source systems so that Recovery Act data can be reported, validated, analyzed, and published efficiently.

What We Found

Overall, RAMPS had the capability to record Recovery Act data and produce the reports necessary for HUD to comply with the Recovery Act reporting requirements. However, we identified areas in which vulnerabilities existed. Specifically, we found that (1) National Environmental Policy Act (NEPA) reports did not fully comply with the Recovery Act reporting requirements, (2) access controls over RAMPS needed to be strengthened, and (3) the technical problem management process in place for RAMPS was not adequately controlled. These vulnerabilities could compromise the validity of the information that is required to be disclosed to the public.
What We Recommend

We recommend that the Office of the Chief Information Officer ensure that (1) reports required by the Recovery Act are accurate and complete, (2) access controls over RAMPS adequately protect the Recovery Act data that are required to be disclosed to the public, and (3) the RAMPS technical problem reporting process is limited to a single point of contact.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee's Response

The draft audit report was issued on June 30, 2011, and written comments were requested by July 11, 2011. We received written comments dated July 8, 2011. The addressee generally agreed with the recommendations in our report. The complete text of the auditee's response, along with our evaluation of that response, can be found in appendix A of this report.

TABLE OF CONTENTS

Background and Objectives
Results of Audit
  Finding 1: NEPA Reports Did Not Fully Comply With Recovery Act Reporting Requirements
  Finding 2: Access Controls Over RAMPS Had Weaknesses
  Finding 3: The Technical Problem Management Process for RAMPS Was Not Adequately Controlled
Scope and Methodology
Internal Controls
Appendixes
  A. Auditee Comments and OIG's Evaluation

BACKGROUND AND OBJECTIVES

The American Recovery and Reinvestment Act of 2009[1] requires Federal agencies to ensure that (1) recovery funds are awarded and distributed in a prompt, fair, and reasonable manner; (2) the recipients and uses of all recovery funds are transparent to the public; and (3) the public benefits of these funds are reported clearly, accurately, and in a timely manner. The Recovery Act includes $13.61 billion for projects and programs administered by the U.S. Department of Housing and Urban Development (HUD).
Section 1609 of the Recovery Act and the Council on Environmental Quality (CEQ) require agencies and grantees to report quarterly on the status of environmental reviews under the National Environmental Policy Act (NEPA)[2] for all Recovery Act-funded projects and activities. The intent of the NEPA process is to help public officials make decisions that are based on an understanding of the environmental consequences of those decisions and take actions that protect, restore, and enhance the environment. Examples of HUD programs that affect the environment and thus require reporting under NEPA include the Green Retrofit Program for Section 8 Multifamily Housing, Lead Hazard Reduction, the Home Investment Partnership Program, and the Native American Housing Block Grant. As stated in the CEQ NEPA regulations, NEPA's purpose is to enable better decisions.

Section 1512 of the Recovery Act requires recipients and subrecipients to submit reports on the use of Recovery Act funds quarterly. The reports are due no later than the 10th day after the end of each calendar quarter (beginning with the quarter ending September 30, 2009). The Federal agency providing those funds must make the reports publicly available no later than the 30th day after the end of that quarter. If some of the required data are missing from the reports, decision-making capabilities could be adversely affected.

HUD placed the Recovery Act Management and Performance System (RAMPS) into production on June 30, 2009. The primary objective of RAMPS is to support HUD and its grantee stakeholders in complying with the reporting activities required by the Recovery Act. In January 2010, the core activity module was added to RAMPS to comply with the HUD Secretary-directed requirement that all programs report on core activities funded through the Recovery Act (for instance, the number of housing units rehabilitated or the number of housing units developed).
[1] The Recovery Act became Public Law 111-5 on February 17, 2009. The purposes of the Act are to (1) preserve and create jobs and promote economic recovery, (2) assist those impacted by the recession, (3) provide investments needed to increase economic efficiency and provide long-term economic benefits, and (4) stabilize State and local government budgets.

[2] NEPA protects public health, safety, and environmental quality. It requires Federal agencies to develop environmental regulations and establish levels of environmental review, and it created the CEQ. HUD requires its recipients not to commit HUD funds or begin physical activities before the environmental review is complete.

RESULTS OF AUDIT

Finding 1: NEPA Reports Did Not Fully Comply With Recovery Act Reporting Requirements

HUD did not fully follow the Recovery Act's reporting requirements to ensure data quality for all of the information provided to the CEQ. Some reports contained inaccurate information, while others lacked required information. This condition occurred because RAMPS did not contain enough system checks to ensure the accuracy and completeness of the required reports. Inaccurate data in NEPA reports to the CEQ diminishes the value of Recovery Act reporting.

NEPA Reports Contained Inaccurate Information

The total Recovery Act obligations reported by HUD for the Lead Hazard Reduction program were higher than the total Recovery Act appropriation for three consecutive quarterly NEPA reports. HUD did not provide an explanation for this discrepancy in the NEPA reports for the quarters ending March 31, 2010, September 30, 2010, and December 31, 2010. Upon notification from the Office of Inspector General (OIG) in March 2011, HUD corrected the discrepancy in the report for the quarter ending March 31, 2011, which was submitted to the CEQ on April 15, 2011. The change was also documented in the explanatory note sent to the CEQ.
Our review of the Recovery Act Section 1609 NEPA Long Pending Report[3] for the quarter ending March 31, 2011, showed that 14 of the 16 projects in the report had been pending for the same number of quarters as was reported in the December 2010 report. The number of quarters pending had not been incremented by one in the March report.

Under Section 1609(c) of the Recovery Act, Congress required quarterly reports on the status and progress of funded activities with respect to compliance with NEPA. Section 1609(c) of the Recovery Act states that agency reviews should be completed before cover memorandums and spreadsheets are submitted to the CEQ.

The condition described above occurred because RAMPS was not designed with enough system checks to ensure data quality for the reports prepared for submission to the CEQ. Submitting inaccurate data in the NEPA reports to the CEQ diminishes the value of Recovery Act reporting and skews the information that is required to be disclosed to the public.

The NEPA Long Pending Report Contained Blank Fields

One of the records from the NEPA Long Pending Report for the quarter ending March 31, 2011, contained a blank in the "reason for pending" field. This had been a problem previously; however, HUD achieved 100 percent compliance with the requirement to include a reason for pending in the report submitted for the quarter ending December 31, 2010.

[3] The NEPA Long Pending Report (1) identifies those projects and activities in which the NEPA actions are reported as "pending" for more than one reporting period, (2) provides the reason(s) the NEPA actions remain pending, and (3) provides a reasonable projection of the progress being made to complete the NEPA actions.
In the NEPA report explanatory note sent to the CEQ for the quarter ending June 30, 2010, HUD indicated, "To increase reporting on this 'reason for pending' field in the future, the Department will provide additional guidance to recipients and will also institute a system change prohibiting the submission of any pending report without this completed field." Yet, after achieving 100 percent compliance, a later report was issued with a blank "reason for pending" field.

The CEQ, in supplemental guidance to departments and Federal agencies with NEPA reporting responsibilities,[4] required two additional items to be reported beginning with the report due to the CEQ on January 15, 2010:

• The explanatory note must (1) identify those projects and activities in which the NEPA actions are reported as "pending" for more than one reporting period, (2) provide the reason(s) the NEPA actions remain pending, and (3) provide a reasonable projection of progress being made to complete the NEPA actions.

• The explanatory note for the next report must provide examples of the benefits provided as a result of the NEPA action. Examples include situations in which conditions were placed on the use of funds to protect sensitive resources, such as protected species or historic structures, or when changes were made in constructing facilities to increase their energy efficiency. We recognize that, based on the types of projects and activities being undertaken, some departments and agencies may not have many examples; consequently, the departments and agencies should coordinate their proposed responses with the CEQ associate director for NEPA oversight as soon as possible.

The March 31, 2011, NEPA Long Pending Report contained a record with a blank "reason for pending" field because the system change implemented to prevent this occurrence was not effective.
In May 2011, another system change was implemented to reinforce the reason-for-pending requirement and fix the logic error that made the first attempt ineffective. The next NEPA Long Pending Report will be for the period ending June 30, 2011. Without complete information, public officials may not be able to make the best decisions concerning the environment.

[4] Council on Environmental Quality, Memorandum for Heads of Departments and Federal Agencies Reporting on NEPA Status for Activities and Projects Receiving American Recovery and Reinvestment Act Funding, dated November 20, 2009, entitled "Additional Reporting on NEPA Status and Progress for the American Recovery and Reinvestment Act."

Conclusion

HUD did not fully follow the Recovery Act's reporting requirements to ensure data quality for all of the information provided to the CEQ. RAMPS, which was created to support HUD and its grantee stakeholders in complying with the reporting activities required by the Recovery Act, was not designed with enough system checks to ensure data quality. Further, a system change made to address a known weakness was not fully effective. The intent of the NEPA process is to help public officials make decisions that are based on an understanding of the environmental consequences of those decisions and take actions that protect, restore, and enhance the environment. Without complete, accurate information, public officials may not make the best decisions for our environment.

Recommendations

We recommend that the Office of the Chief Information Officer:

1A. Implement an automated or manual review process to identify and correct inaccuracies such as obligation amounts that exceed the total funds appropriated for an activity and incorrect numbers of quarters pending.

1B. Ensure that the system change to prohibit the submission of reports when required fields are left blank operates as intended for the remaining reporting periods.
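The three defects in finding 1 (obligations above the appropriation, a "quarters pending" count that did not advance between consecutive reports, and a blank "reason for pending" field) are all mechanically checkable before a report leaves the system. The following is an added example written for this page, not HUD's or RAMPS' own code: a pre-submission validator of the kind recommendations 1A and 1B describe, run over constructed records. The record layout, field names, period labels, project identifiers, and every dollar figure are assumptions; only the three rules come from the finding.

```python
"""Report consistency checks of the kind finding 1 says RAMPS lacked.

Added example written for this page; it is not HUD or RAMPS code. The
record layout, field names, period labels, and every dollar figure below
are constructed assumptions. The three checks mirror the conditions the
finding describes: obligations reported above the appropriation, a
"quarters pending" count that did not advance between consecutive quarterly
reports, and a blank "reason for pending" field.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PendingRecord:
    project_id: str          # constructed identifier
    quarters_pending: int
    reason_for_pending: str


@dataclass(frozen=True)
class QuarterlyReport:
    period: str                     # constructed label such as "2011Q1"
    obligations: Dict[str, float]   # program -> total Recovery Act obligations reported
    long_pending: List[PendingRecord]


def check_report(current: QuarterlyReport,
                 previous: Optional[QuarterlyReport],
                 appropriations: Dict[str, float]) -> List[str]:
    """Return one message per defect; an empty list means the report may be submitted."""
    issues: List[str] = []

    # Check 1: a program cannot have obligated more than Congress appropriated.
    for program, obligated in current.obligations.items():
        cap = appropriations.get(program)
        if cap is None:
            issues.append(f"{program}: no appropriation on file to compare against")
        elif obligated > cap:
            issues.append(f"{program}: obligations {obligated:,.0f} exceed "
                          f"appropriation {cap:,.0f}")

    # Check 2: the 'reason for pending' field is mandatory for every long-pending record.
    for rec in current.long_pending:
        if not rec.reason_for_pending.strip():
            issues.append(f"{rec.project_id}: 'reason for pending' is blank")

    # Check 3: a project carried over from the prior report must show exactly one
    # more quarter pending than it did then.
    if previous is not None:
        prior = {r.project_id: r.quarters_pending for r in previous.long_pending}
        for rec in current.long_pending:
            if rec.project_id in prior and rec.quarters_pending != prior[rec.project_id] + 1:
                issues.append(f"{rec.project_id}: quarters pending is {rec.quarters_pending}, "
                              f"expected {prior[rec.project_id] + 1} after {previous.period}")
    return issues


def submission_allowed(issues: List[str]) -> bool:
    """Block submission when any check failed (the behaviour recommendation 1B asks for)."""
    return not issues


# Constructed sample data: the appropriation and obligations are invented figures.
APPROPRIATIONS = {"Lead Hazard Reduction": 50_000_000.0}

PREVIOUS = QuarterlyReport(
    period="2010Q4",
    obligations={"Lead Hazard Reduction": 48_000_000.0},
    long_pending=[
        PendingRecord("P-1", 3, "Awaiting tribal consultation"),
        PendingRecord("P-2", 2, "Historic preservation review in progress"),
    ],
)

CURRENT = QuarterlyReport(
    period="2011Q1",
    obligations={"Lead Hazard Reduction": 52_000_000.0},   # above the appropriation
    long_pending=[
        PendingRecord("P-1", 3, "Awaiting tribal consultation"),   # not incremented
        PendingRecord("P-2", 3, "Historic preservation review in progress"),
        PendingRecord("P-3", 2, ""),                                 # blank reason
    ],
)

if __name__ == "__main__":
    for issue in check_report(CURRENT, PREVIOUS, APPROPRIATIONS):
        print(issue)
```

The cross-period check is the one a field-level "required" flag cannot provide: it needs the prior quarter's report as input, which is why the validator takes both reports rather than a single record. Holding the submission on any failure, rather than silently correcting the value, keeps the correction visible in the explanatory note, as happened with the April 2011 report.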
Finding 2: Access Controls Over RAMPS Had Weaknesses

HUD did not ensure that access controls for RAMPS were fully in place and operating effectively. Invalid, duplicate, and excessive RAMPS user accounts existed, and RAMPS did not display a system use notification message. This condition occurred because HUD did not consider or include these requirements when developing the specifications for the system. Improper management of user accounts could lead to inadequate controls over the Recovery Act data stored in RAMPS, and inadequate controls could allow malicious users to alter or delete the Recovery Act data that are required to be disclosed to the public.

RAMPS Contained Invalid, Duplicate, and Excessive Numbers of User Accounts

Invalid, duplicate, and excessive numbers of user accounts existed in RAMPS. We performed a review of the logical access controls for RAMPS and found:

• One invalid user ID and seven duplicate user IDs. The discrepancies resulted from the inability to remove user IDs from RAMPS before release 5. We notified HUD of the issue, and HUD immediately took action to remove these accounts.

• 35,206 users with access to RAMPS, of whom only 4,083 were actively using it to submit core activity or NEPA reports.

HUD Handbook 2400.25, REV-2, CHG-1, dated November 30, 2009, section 5.2.2, Account Management, states, "Program Offices/System Owners shall ensure that user access is reviewed once a year." The section also states, "The ISSO [information system security officer] shall ensure that user IDs are disabled after a period of inactivity of no more than 90 days. For moderate- and high-impact systems, the system shall do this automatically."

The condition described above occurred because HUD did not perform annual reviews of RAMPS user access, monitor system use, or deactivate users due to inactivity.
The managers believed that since RAMPS was categorized as a low-risk, low-impact system, deactivating users due to inactivity was not necessary. The Handbook language quoted above, however, makes only the automation of that step contingent on impact level; the 90-day disablement requirement itself is not qualified by impact level. Further, disabling users who are inactive for more than 90 days could impose an unnecessary burden on users. Reporting for RAMPS is completed quarterly, and in many instances there is no reason for users to log onto RAMPS between reporting cycles. Therefore, the 90-day inactivity period could result in disabling the majority of valid users, and reactivating these users could have a negative impact on the completeness and accuracy of RAMPS reporting.

Improper management of user accounts could lead to inadequate controls over the Recovery Act data stored in RAMPS. Inadequate controls could lead to unauthorized individuals altering or deleting the Recovery Act data that are required to be disclosed to the public.

RAMPS Did Not Display a System Use Notification Message

RAMPS did not display, before granting users access, a system use notification message or banner providing privacy and security notices consistent with applicable Federal laws, executive orders, directives, policies, regulations, standards, and guidance.

National Institute of Standards and Technology Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," states that an information system should display an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable Federal laws, executive orders, directives, policies, regulations, standards, and guidance. The message should also state that (1) users are accessing a U.S.
Government information system; (2) system use may be monitored, recorded, and subject to audit; (3) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (4) use of the system indicates consent to monitoring and recording. The notification message or banner should remain on the screen until users take explicit actions to log onto or further access the information system. For publicly accessible systems, the message should (1) display the system use information, when appropriate, before granting further access; (2) display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (3) include in the notice given to public users of the information system a description of the authorized uses of the system.

Additionally, HUD Handbook 2400.25, REV-2, CHG-1, November 30, 2009, section 5.2.8, System Use Notification, states, "Successful prosecution of unauthorized access to HUD systems requires that users be notified prior to their entry into the systems that the data in the system is owned by HUD and that activities on the system are subject to monitoring."

The condition described above occurred because HUD did not include the system use notification requirement when developing the specifications for the system. Without a proper system use notification message, HUD would be unable to successfully prosecute unauthorized individuals who access RAMPS.

Upon notification of this condition by OIG, HUD immediately added a temporary system use notification message to the RAMPS login screen in the area where messages such as system outage information are displayed. HUD planned to include a permanent banner in the next release of RAMPS, which is scheduled for the fourth quarter of this fiscal year.
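The account findings above (duplicate and invalid IDs, and 35,206 provisioned users against 4,083 active filers) are what a periodic access review over an account export is meant to surface, and the quarterly reporting cadence is why a flat 90-day inactivity cut-off would sweep up legitimate users. The following is an added example written for this page, not HUD's or RAMPS' own code. The export layout, the rule that an account with no recorded owner counts as "invalid", the review date, and every row are constructed assumptions; the 90-day threshold is the HUD Handbook 2400.25 figure quoted in the finding, and the 200-day value passed as `exception_days` is a placeholder, since this page does not state what period the approved policy exception set.

```python
"""Account review of the kind finding 2 says was not performed for RAMPS.

Added example written for this page; it is not HUD or RAMPS code. The export
layout, the rule that an account with no recorded owner is "invalid", and
every row below are constructed assumptions. The 90-day threshold is the one
HUD Handbook 2400.25 sets, as quoted in the finding; `exception_days` stands
in for whatever longer period an approved policy exception sets, which this
page does not state.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccountRow:
    user_id: str
    owner: str                  # person accountable for the ID; blank means unowned (assumption)
    created: date
    last_login: Optional[date]  # None means the ID has never been used


def find_duplicates(rows: List[AccountRow]) -> List[str]:
    """User IDs that occur more than once in the export."""
    counts: Dict[str, int] = defaultdict(int)
    for r in rows:
        counts[r.user_id] += 1
    return sorted(uid for uid, n in counts.items() if n > 1)


def find_invalid(rows: List[AccountRow]) -> List[str]:
    """IDs with no identifiable owner: nobody can attest that the access is still needed."""
    return sorted({r.user_id for r in rows if not r.owner.strip()})


def last_activity(rows: List[AccountRow]) -> Dict[str, date]:
    """Most recent login per ID; an ID that was never used is aged from its creation date."""
    grouped: Dict[str, List[AccountRow]] = defaultdict(list)
    for r in rows:
        grouped[r.user_id].append(r)
    activity: Dict[str, date] = {}
    for uid, group in grouped.items():
        logins = [r.last_login for r in group if r.last_login is not None]
        activity[uid] = max(logins) if logins else min(r.created for r in group)
    return activity


def find_inactive(rows: List[AccountRow], as_of: date, days: int) -> List[str]:
    """IDs whose last activity is more than `days` before the review date."""
    return sorted(uid for uid, last in last_activity(rows).items()
                  if (as_of - last).days > days)


def access_review(rows: List[AccountRow], as_of: date,
                  policy_days: int = 90,
                  exception_days: Optional[int] = None) -> Dict[str, List[str]]:
    """The periodic review the Handbook requires, with both inactivity cut-offs side by side."""
    result = {
        "duplicates": find_duplicates(rows),
        "invalid": find_invalid(rows),
        "inactive_policy": find_inactive(rows, as_of, policy_days),
    }
    if exception_days is not None:
        result["inactive_exception"] = find_inactive(rows, as_of, exception_days)
    return result


# Constructed export as of the end of a reporting quarter.
REVIEW_DATE = date(2011, 3, 31)
ACCOUNTS = [
    AccountRow("u1", "A. Grantee", date(2009, 7, 1), date(2011, 3, 15)),   # filed this quarter
    AccountRow("u2", "B. Grantee", date(2009, 7, 1), date(2010, 12, 20)),  # filed last quarter
    AccountRow("u2", "B. Grantee", date(2010, 1, 5), None),                # duplicate ID
    AccountRow("u3", "C. Grantee", date(2009, 7, 1), date(2010, 6, 1)),    # two cycles idle
    AccountRow("u4", "D. Grantee", date(2009, 7, 1), None),                # never logged in
    AccountRow("u5", "", date(2010, 2, 1), date(2011, 3, 20)),             # no owner on record
]

if __name__ == "__main__":
    for category, ids in access_review(ACCOUNTS, REVIEW_DATE, exception_days=200).items():
        print(f"{category}: {ids}")
```

Row u2 is the case the finding worries about: a grantee who filed on time in the previous quarter is 101 days idle on the review date and would be disabled under the 90-day rule, while the longer cut-off keeps u2 and still catches u3 (idle for two cycles) and u4 (never used). Whatever period an exception settles on, the review itself, with its duplicate and ownerless-ID checks, is the control the Handbook requires once a year regardless of impact level.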
Conclusion

RAMPS contained invalid, duplicate, and an excessive number of user accounts and lacked a system use notification message on its login screen. Consequently, RAMPS was vulnerable to unauthorized and malicious individuals altering or deleting the Recovery Act data that are required to be disclosed to the public, and HUD would have been unable to successfully prosecute those individuals.

Recommendations

We recommend that the Office of the Chief Information Officer:

2A. Ensure that RAMPS user account access is reviewed annually in accordance with HUD policy.

2B. Establish a process for disabling users who are inactive for 90 or more days. If this process is not feasible, the Office should seek guidance and approval from the HUD Chief Information Security Officer on deactivating inactive RAMPS users after a specified period to maintain the integrity and security of the system while still complying with established security policies.

2C. Ensure that a permanent system use notification message or banner that provides privacy and security notices consistent with applicable Federal laws, executive orders, directives, policies, regulations, standards, and guidance is implemented as part of the next release of RAMPS.

Finding 3: The Technical Problem Management Process for RAMPS Was Not Adequately Controlled

Multiple avenues existed for reporting and resolving RAMPS technical issues. This condition occurred because conflicting guidance was provided to users. Having more than one reporting avenue for technical issues leaves the problem management process vulnerable to inefficiencies.

RAMPS Users Could Report Technical Issues in Multiple Ways

Multiple avenues existed for reporting and resolving technical issues. Users were able to report issues through the HUD Information Technology Service (HITS)[5] National Help Desk, through the RAMPS help desk, and directly by e-mail to the RAMPS team via the RAMPS government technical manager and program manager.
ISO/IEC (International Organization for Standardization and International Electrotechnical Commission) 19770-1:2006(E), Information Technology - Software Asset Management, Part 1: Processes, section 4.7.8, Problem Management process, states, "The objective of the Problem management process in respect of software and related assets is to keep software assets current and in operational fitness, including through proactive identification and analysis of the cause of incidents and addressing the underlying problems. There is a formal process of problem management which includes 1) All incidents that affect software or related assets or services or SAM processes are recorded and classified as to their impact, 2) High priority and repeat incidents are analyzed for the underlying causes and prioritized for resolution, 3) Underlying causes are documented and communicated to incident management, and 4) Problems are resolved in accordance with their priority for resolution, and the resolution is documented and communicated to incident management."

HUD did not provide clear guidance to users to ensure that the appropriate steps to report and resolve RAMPS-related problems were followed. At the start of our audit, the help screen told users they could either use the HITS help desk or e-mail the RAMPS team. The option to e-mail the RAMPS team was removed during the audit as part of general system maintenance.

[5] Awarded on January 21, 2005, the HITS contract was designed to provide HUD with the personnel, materials, equipment, infrastructure software, telecommunications, facilities, and services required to deliver core IT infrastructure functions, including a data center, national Help Desk, disaster recovery, a network operating center, and direct IT services for HUD Headquarters and field offices.

Having more than one reporting avenue for technical issues leaves the problem management process vulnerable to inefficiencies.
Problems may not get resolved in accordance with priority and impact, resolution data may not be recorded and made available for future diagnostics and trending, and underlying issues may not be properly identified.

Conclusion

RAMPS technical issues could be reported and resolved using several different methods. This condition occurred because users were told they could either use the HITS help desk or e-mail the RAMPS team. Having more than one reporting avenue for technical issues leaves the problem management process vulnerable to inefficiencies.

Recommendations

We recommend that the Office of the Chief Information Officer:

3A. Limit the problem reporting process to a single point of contact for all matters relating to technical issues with RAMPS.

SCOPE AND METHODOLOGY

The review covered the period May 2009 through March 2011. We performed the audit from February through June 2011 at HUD headquarters in Washington, DC. Our objective was to assess RAMPS' capability to record and provide the data required by the American Recovery and Reinvestment Act of 2009 on which HUD is required to report. Our review was based on Recovery Act reporting guidance, publications by the National Institute of Standards and Technology, and HUD's own information security policies and procedures.

To accomplish our objective, we

• Interviewed RAMPS project team members and evaluated HUD's compliance with Recovery Act reporting requirements.
• Reviewed Federal and HUD security policies and procedures along with RAMPS security documents to determine whether RAMPS followed Federal and HUD security requirements.
• Evaluated the effectiveness of the user access controls over RAMPS.
• Performed analyses of NEPA reports to determine whether the reports were accurate and complete.
• Evaluated the effectiveness of the RAMPS problem management process.

We performed a limited assessment of RAMPS data.
Specifically, we performed analyses of NEPA reports to determine whether the information in the reports was accurate and complete. We identified several instances in which data records contained inaccurate or incomplete information; these are detailed in finding 1 of this report. However, because this was an information system review that included an assessment of general and application controls, a formal assessment of data reliability was not required.

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization's mission, goals, and objectives with regard to

• Effectiveness and efficiency of operations,
• Reliability of financial reporting, and
• Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the organization's mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objectives:

• Policies, procedures, control systems, and other management tools used for implementation of security and technical controls for HUD's system security.
• Policies, procedures, controls, and other management tools implemented to collect and validate Recovery Act data.
We assessed the relevant controls identified above. A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis.

Deficiencies

Based on our review, we believe that the following items are deficiencies:

• The NEPA reports contained inaccurate and missing information (finding 1).
• RAMPS contained invalid, duplicate, and excessive numbers of user accounts (finding 2).

APPENDIXES

Appendix A

AUDITEE COMMENTS AND OIG'S EVALUATION

[The auditee's written comments (the OCIO response dated July 8, 2011), with marginal references to OIG Comments 1 through 6, are not recoverable from this rendition of the report; only OIG's evaluation below survives.]

OIG Evaluation of Auditee Comments

Comment 1: OIG agrees with OCIO's comment.

Comment 2: OIG agrees with OCIO's comment.

Comment 3: OIG agrees with OCIO's comment.

Comment 4: The recommendation acknowledges that it may not be feasible to deactivate the accounts of users who have been inactive for only 90 days and requests that OCIO obtain approval for deactivating RAMPS users after some other period of time. OIG agrees with OCIO's Information Security Policy Exception approved on June 22, 2011. The documentation provided with the response to the draft report is sufficient to support closing this recommendation upon issuance of the final report.

Comment 5: OIG agrees with OCIO's comment.

Comment 6: OIG agrees with OCIO's comment and has confirmed that the option to e-mail the RAMPS team has been removed from the Help screens within the RAMPS application. This recommendation can be closed upon issuance of the final report.
Review of the National Environmental Policy Act and Core Activity Modules Within the Recovery Act Management and Performance System
Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-07-22.