
Review of the National Environmental Policy Act and Core Activity Modules Within the Recovery Act Management and Performance System

Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-07-22.


Issue Date: July 22, 2011
Audit Report Number: 2011-DP-0007




TO:         Jerry E. Williams, Chief Information Officer, Q


FROM:       Hanh Do, Director, Information Systems Audits Division, GAA


SUBJECT:    Review of the National Environmental Policy Act and Core Activity Modules Within the Recovery Act Management and Performance System


                                    HIGHLIGHTS

 What We Audited and Why

             We audited the U.S. Department of Housing and Urban Development’s (HUD)
             management procedures, practices, and controls related to the Recovery Act
             Management and Performance System (RAMPS). Our objective was to assess its
             capability to record and provide data required by the American Recovery and
             Reinvestment Act of 2009 on which HUD is required to report.

             We conducted this audit because the Recovery Act requires Federal agencies to
             ensure that the recipients’ use of all recovery funds is transparent to the public and
             that the public benefits of these funds are reported clearly, accurately, and in a
             timely manner. RAMPS is used by HUD to aggregate the required reporting data
             from HUD’s program offices’ existing source systems to efficiently report,
             validate, analyze, and publish Recovery Act data.

 What We Found

             Overall, RAMPS had the capability to record Recovery Act data and produce the
             reports necessary for HUD to comply with the Recovery Act reporting
           requirements. However, we identified areas in which vulnerabilities existed.
           Specifically, we found that (1) National Environmental Policy Act (NEPA)
           reports did not fully comply with the Recovery Act reporting requirements, (2)
           access controls over RAMPS needed to be strengthened, and (3) the technical
           problem management process in place for RAMPS was not adequately controlled.
           These vulnerabilities could compromise the validity of the information that is
           required to be disclosed to the public.

What We Recommend


           We recommend that the Office of the Chief Information Officer ensure that (1)
           reports required by the Recovery Act are accurate and complete, (2) access
           controls over RAMPS adequately protect Recovery Act data that are required to
           be disclosed to the public, and (3) the RAMPS technical problem reporting process
           is limited to a single point of contact.

           For each recommendation without a management decision, please respond and
           provide status reports in accordance with HUD Handbook 2000.06, REV-3.
           Please furnish us copies of any correspondence or directives issued because of the
           audit.


Auditee’s Response


           The draft audit report was issued on June 30, 2011, and written comments were
           requested by July 11, 2011. We received written comments dated July 8, 2011.
           The addressee generally agreed with the recommendations in our report.

           The complete text of the auditee’s response, along with our evaluation of that
           response, can be found in appendix A of this report.




                          TABLE OF CONTENTS

Background and Objectives                                                        4

Results of Audit

      Finding 1: NEPA Reports Did Not Fully Comply With Recovery Act Reporting Requirements      5

      Finding 2: Access Controls Over RAMPS Had Weaknesses                                       8

      Finding 3: The Technical Problem Management Process for RAMPS Was Not Adequately Controlled   11

Scope and Methodology                                                            13

Internal Controls                                                                14

Appendixes

   A. Auditee Comments and OIG’s Evaluation                                      15




                         BACKGROUND AND OBJECTIVES

The American Recovery and Reinvestment Act of 2009 [1] requires Federal agencies to ensure that
(1) recovery funds are awarded and distributed in a prompt, fair, and reasonable manner; (2) the
recipients and uses of all recovery funds are transparent to the public; and (3) the public benefits
of these funds are reported clearly, accurately, and in a timely manner. The Recovery Act
includes $13.61 billion for projects and programs administered by the U.S. Department of
Housing and Urban Development (HUD).

Section 1609 of the Recovery Act and the Council on Environmental Quality (CEQ) require
agencies and grantees to report quarterly on the status of environmental reviews under the
National Environmental Policy Act (NEPA) [2] for all Recovery Act-funded projects and activities.
The intent of the NEPA process is to help public officials make decisions that are based on an
understanding of the environmental consequences of those decisions and take actions that
protect, restore, and enhance the environment. Examples of HUD programs that impact the
environment and thus require reporting under NEPA include the Green Retrofit Program for
Section 8 Multi Family Housing, Lead Hazard Reduction, the Home Investment Partnership
Program, and the Native American Housing Block Grant. As stated in the CEQ NEPA
regulations, NEPA’s purpose is to enable better decisions.

Section 1512 of the Recovery Act requires recipients and sub-recipients to submit reports on the
use of Recovery Act funds quarterly. The reports are due no later than the 10th day after the end
of each calendar quarter (beginning the quarter ending September 30, 2009). The Federal agency
providing those funds must make the reports publicly available no later than the 30th day after
the end of that quarter. If some of the required data are missing from the reports, decision-
making capabilities could be adversely affected.

HUD placed the Recovery Act Management and Performance System (RAMPS) into production
on June 30, 2009. The primary objective of RAMPS is to support HUD and its grantee
stakeholders in complying with reporting activities required by the Recovery Act. In January
2010, the core activity module was added to RAMPS for the purposes of complying with the
HUD Secretary-directed requirement that all programs report on core activities funded through
the Recovery Act (for instance, number of housing units rehabilitated or number of housing units
developed).




[1] The Recovery Act became Public Law 111-5 on February 17, 2009. The purposes of the Act are to (1) preserve
and create jobs and promote economic recovery, (2) assist those impacted by the recession, (3) provide investments
needed to increase economic efficiency and provide long-term economic benefits, and (4) stabilize State and local
government budgets.

[2] NEPA protects public health, safety, and environmental quality. It requires Federal agencies to develop
environmental regulations, establish levels of environmental reviews, and create the CEQ. HUD requires its
recipients not to commit funds received from HUD and begin physical activities before completion of the
environmental review.



                                     RESULTS OF AUDIT

Finding 1: NEPA Reports Did Not Fully Comply With Recovery Act
Reporting Requirements
HUD did not fully follow the Recovery Act’s reporting requirements to ensure data quality for
all of the information provided to the CEQ. Some reports contained inaccurate information,
while others lacked required information. This condition occurred because RAMPS did not
contain enough system checks to ensure the accuracy and completeness of the required reports.
Inaccurate data in NEPA reports to the CEQ diminishes the value of Recovery Act reporting.


    NEPA Reports Contained Inaccurate Information


                 The total Recovery Act obligations reported by HUD for the Lead Hazard
                 Reduction program were higher than the total Recovery Act appropriation for
                 three consecutive quarterly NEPA reports. HUD did not provide an explanation
                 for this discrepancy in the NEPA reports for the quarters ending March 31, 2010,
                 September 30, 2010, and December 31, 2010. Upon notification from the Office
                 of Inspector General (OIG) in March 2011, HUD corrected the discrepancy in the
                 report for the quarter ending March 31, 2011, which was submitted to the CEQ on
                 April 15, 2011. The change was also documented in the explanatory note sent to
                 the CEQ.

                 Our review of the Recovery Act Section 1609 NEPA Long Pending Report [3] for
                 the quarter ending March 31, 2011, showed that 14 of the 16 projects in the report
                 had been pending for the same number of quarters as was reported in the
                 December 2010 report. The number of quarters pending had not been
                 incremented by one in the March report.

                 Under Section 1609(c) of the Recovery Act, Congress required quarterly reports
                 on the status and progress of funded activities with respect to compliance with
                 NEPA. Section 1609(c) of the Recovery Act states that agency reviews should be
                 completed before cover memorandums and spreadsheets are submitted to the
                 CEQ.

                 The condition described above occurred because RAMPS was not designed with
                 enough system checks to ensure data quality for the reports prepared for
                 submission to the CEQ. Submitting inaccurate data in the NEPA reports to the
                 CEQ diminishes the value of Recovery Act reporting and skews the information
                 that is required to be disclosed to the public.

[3] The NEPA Long Pending Report (1) identifies those projects and activities in which the NEPA actions are reported
as “pending” for more than one reporting period, (2) provides the reason(s) the NEPA actions remain pending, and
(3) provides a reasonable projection of progress being made to complete the NEPA actions.


    The NEPA Long Pending Report Contained Blank Fields

                One of the records from the NEPA Long Pending Report for the quarter ending
                March 31, 2011, contained a blank in the “reason for pending” field. This had
                been a problem previously; however, HUD achieved 100 percent compliance with
                the requirement to include a reason for pending with the report submitted for the
                quarter ending December 31, 2010. In the NEPA report explanatory note sent to
                the CEQ for the quarter ending June 30, 2010, HUD indicated, “To increase
                reporting on this ‘reason for pending’ field in the future, the Department will
                provide additional guidance to recipients and will also institute a system change
                prohibiting the submission of any pending report without this completed field.”
                Yet, after achieving 100 percent compliance, a later report was issued with a
                blank “reason for pending” field.

                The CEQ, in supplemental guidance to departments and Federal agencies with
                 NEPA reporting responsibilities, [4] required two additional items to be reported
                beginning with the report due to the CEQ on January 15, 2010:

                •    The explanatory note must (1) identify those projects and activities in which
                     the NEPA actions are reported as “pending” for more than one reporting
                     period, (2) provide the reason(s) the NEPA actions remain pending, and (3)
                     provide a reasonable projection of progress being made to complete the NEPA
                     actions.

                •    The explanatory note for the next report must provide examples of the benefits
                     provided as a result of the NEPA action. Examples include situations in
                     which conditions were placed on the use of funds to protect sensitive
                     resources, such as protected species or historic structures, or when changes
                     were made in constructing facilities to increase their energy efficiency. We
                     recognize that, based on the types of projects and activities being undertaken,
                     some departments and agencies may not have many examples; consequently,
                     the departments and agencies should coordinate their proposed responses with
                     the CEQ associate director for NEPA oversight as soon as possible.

                 The March 31, 2011, NEPA Long Pending Report contained a record with a blank
                 “reason for pending” field because the system change implemented to prevent this
                 occurrence was not effective. In May 2011, another system change was
                 implemented to reinforce the reason for pending requirement and fix the logic
                 error that made the first attempt ineffective. The next NEPA Long Pending
                 Report will be for the period ending June 30, 2011. Without complete
                 information, public officials may not be able to make the best decisions
                 concerning the environment.

[4] Council on Environmental Quality, Memorandum for Heads of Departments and Federal Agencies Reporting on
NEPA Status for Activities and Projects Receiving American Recovery and Reinvestment Act Funding, dated
November 20, 2009, entitled “Additional Reporting on NEPA Status and Progress for the American Recovery and
Reinvestment Act.”


Conclusion


             HUD did not fully follow the Recovery Act’s reporting requirements to ensure
             data quality for all of the information provided to the CEQ. RAMPS, which was
             created to support HUD and its grantee stakeholders in complying with reporting
             activities required by the Recovery Act, was not designed with enough system
             checks to ensure data quality. Further, a system change made to address a known
             weakness was not fully effective. The intent of the NEPA process is to help
             public officials make decisions that are based on an understanding of the
             environmental consequences of those decisions and take actions that protect,
             restore, and enhance the environment. Without complete, accurate information,
             public officials may not make the best decisions for our environment.


Recommendations

             We recommend that the Office of the Chief Information Officer

             1A. Implement an automated or manual review process to identify and correct
                 inaccuracies such as instances in which obligation amounts exceed the total
                 funds appropriated for an activity and incorrect number of quarters pending.

             1B. Ensure that the system change to prohibit the submission of reports when the
                 required fields are left blank operates as intended for the remaining reporting
                 periods.
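Recommendations 1A and 1B describe three concrete data-quality checks: obligations that exceed the appropriation, a quarters-pending count that was not incremented from the prior report, and a blank “reason for pending” field that should block submission. The following Python is an added illustration of how such checks can be automated before a report is released to the CEQ; it is not RAMPS or HUD code, and the program figures, project IDs, and report structure are constructed assumptions.

```python
"""Automated data-quality checks for a NEPA quarterly report before submission.

Constructed example: the report structure, dollar figures, and project IDs
below are illustrative assumptions, not RAMPS data or HUD code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PendingRecord:
    """One row of the NEPA Long Pending Report."""
    project_id: str
    quarters_pending: int
    reason_for_pending: str


@dataclass(frozen=True)
class NepaReport:
    quarter_end: str                    # ISO date of the reporting quarter end
    obligations: Dict[str, int]         # program -> total Recovery Act obligations reported ($)
    pending: List[PendingRecord]        # long-pending projects carried in this report


def check_obligations(report: NepaReport, appropriations: Dict[str, int]) -> List[str]:
    """Recommendation 1A: reported obligations may not exceed the program's appropriation."""
    findings = []
    for program, obligated in report.obligations.items():
        appropriated = appropriations.get(program)
        if appropriated is None:
            findings.append(f"{program}: no appropriation on file to compare against")
        elif obligated > appropriated:
            findings.append(
                f"{program}: obligations {obligated:,} exceed appropriation {appropriated:,}")
    return findings


def check_quarters_pending(current: NepaReport, prior: NepaReport) -> List[str]:
    """Recommendation 1A: a project pending in consecutive reports must show prior count + 1."""
    prior_counts = {r.project_id: r.quarters_pending for r in prior.pending}
    findings = []
    for rec in current.pending:
        if rec.project_id not in prior_counts:
            continue                    # first appearance in the report; nothing to increment
        expected = prior_counts[rec.project_id] + 1
        if rec.quarters_pending != expected:
            findings.append(
                f"{rec.project_id}: quarters pending is {rec.quarters_pending}, expected {expected}")
    return findings


def check_reason_for_pending(report: NepaReport) -> List[str]:
    """Recommendation 1B: no pending record may be submitted with a blank reason."""
    return [f"{rec.project_id}: blank 'reason for pending' field"
            for rec in report.pending if not rec.reason_for_pending.strip()]


def validate_for_submission(current: NepaReport, prior: NepaReport,
                            appropriations: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Gate the CEQ submission: returns (ok, findings); ok is False if any check fails."""
    findings = (check_obligations(current, appropriations)
                + check_quarters_pending(current, prior)
                + check_reason_for_pending(current))
    return (not findings, findings)


# Constructed sample data (hypothetical program appropriations and project IDs).
APPROPRIATIONS = {"Lead Hazard Reduction": 100_000_000,
                  "Home Investment Partnership Program": 2_000_000_000}

PRIOR = NepaReport(
    quarter_end="2010-12-31",
    obligations={"Lead Hazard Reduction": 98_000_000,
                 "Home Investment Partnership Program": 1_500_000_000},
    pending=[PendingRecord("P-001", 3, "Awaiting historic preservation consultation"),
             PendingRecord("P-002", 2, "Tribal review in progress"),
             PendingRecord("P-003", 1, "Floodplain determination outstanding")])

CURRENT = NepaReport(
    quarter_end="2011-03-31",
    obligations={"Lead Hazard Reduction": 105_000_000,            # exceeds appropriation
                 "Home Investment Partnership Program": 1_700_000_000},
    pending=[PendingRecord("P-001", 4, "Awaiting historic preservation consultation"),
             PendingRecord("P-002", 2, "Tribal review in progress"),   # count not incremented
             PendingRecord("P-003", 2, ""),                            # blank reason
             PendingRecord("P-004", 1, "Wetlands survey scheduled")])  # new this quarter

if __name__ == "__main__":
    ok, findings = validate_for_submission(CURRENT, PRIOR, APPROPRIATIONS)
    print("submission allowed" if ok else "submission blocked")
    for f in findings:
        print(" -", f)
```

The gate is deliberately fail-closed: any finding blocks submission, which is the behaviour the May 2011 system change was meant to enforce for the blank-field case, and the prior-quarter comparison is what catches a quarters-pending count that was carried forward unchanged.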




Finding 2: Access Controls Over RAMPS Had Weaknesses
HUD did not ensure that access controls for RAMPS were fully in place and operating
effectively. Invalid, duplicate, and excessive RAMPS user accounts existed, and RAMPS did
not display a systems use notification message. This condition occurred because HUD did not
consider or include these requirements when developing the specifications for the system.
Improper management of the user access accounts could lead to inadequate controls over the
Recovery Act data stored in RAMPS. Inadequate controls could lead to malicious users altering
or deleting the Recovery Act data that are required to be disclosed to the public.



 RAMPS Contained Invalid, Duplicate, and Excessive Numbers of User Accounts


              Invalid, duplicate, and excessive numbers of user accounts existed in RAMPS.
              We performed a review of the logical access controls for RAMPS and found

              •   One invalid user ID and seven duplicate user IDs. The discrepancies resulted
                  from the inability to remove user IDs from RAMPS before release 5. We
                  notified HUD of the issue, and HUD immediately took action to remove these
                  accounts.

              •   There were 35,206 users with access to RAMPS; however, only 4,083 were
                  actively using it to submit core activity or NEPA reports.

              HUD Handbook 2400.25, REV-2, CHG-1, dated November 30, 2009, section 5.2.2,
              Account Management, states, “Program Offices/System Owners shall ensure that
              user access is reviewed once a year.” The section also states, “The ISSO
              [information system security officer] shall ensure that user IDs are disabled after a
              period of inactivity of no more than 90 days. For moderate- and high-impact
              systems, the system shall do this automatically.”

              The condition described above occurred because HUD did not perform annual
              reviews of RAMPS’ user access, monitor system use, or deactivate users due to
              inactivity. The managers believed that since RAMPS was categorized as a low-risk,
              low-impact system, deactivating users due to inactivity was not necessary. Further,
              disabling users who are inactive for a period of more than 90 days could impose an
              unnecessary burden upon users. Reporting for RAMPS is completed quarterly. In
              many instances, there is no reason for users to log onto RAMPS between reporting
               cycles. Therefore, the 90-day inactivity period could result in disabling the majority
               of valid users. Reactivating these users could have a negative impact on the
               completeness and accuracy of RAMPS reporting.

           Improper management of the user access accounts could lead to inadequate controls
           over the Recovery Act data stored in RAMPS. The inadequate controls could lead
           to unauthorized individuals altering or deleting the Recovery Act data that are
           required to be disclosed to the public.


 RAMPS Did Not Display a Systems Use Notification Message


           When logging onto RAMPS, a system use notification message or banner that
           provides privacy and security notices consistent with applicable Federal laws,
           executive orders, directives, policies, regulations, standards, and guidance was not
           displayed before users were granted access to the system.

           National Institute of Standards and Technology Special Publication 800-53,
           “Recommended Security Controls for Federal Information Systems and
           Organizations,” states that an information system should display an approved
           system use notification message or banner before granting access to the system
           that provides privacy and security notices consistent with applicable Federal laws,
           executive orders, directives, policies, regulations, standards, and guidance. The
           message should also state that (1) users are accessing a U.S. Government
           information system; (2) system use may be monitored, recorded, and subject to
           audit; (3) unauthorized use of the system is prohibited and subject to criminal and
           civil penalties; and (4) use of the system indicates consent to monitoring and
           recording. The notification message or banner should remain on the screen until
           users take explicit actions to log onto or further access the information system.
           For publicly accessible systems, the message should (1) display the system use
           information, when appropriate, before granting further access; (2) display
           references, if any, to monitoring, recording, or auditing that are consistent with
           privacy accommodations for such systems that generally prohibit those activities;
           and (3) include in the notice given to public users of the information system a
           description of the authorized uses of the system.

           Additionally, HUD Handbook 2400.25, REV-2, CHG-1, November 30, 2009,
           section 5.2.8, System Use Notification, states, “Successful prosecution of
           unauthorized access to HUD systems requires that users be notified prior to their
           entry into the systems that the data in the system is owned by HUD and that
           activities on the system are subject to monitoring.”

           The condition described above occurred because HUD did not include the system
           use notification requirement when developing the specifications for the system.



             Without a proper systems use notification message, HUD would be unable to
             successfully prosecute unauthorized individuals who access RAMPS. Upon
             notification of this condition by OIG, HUD immediately added a temporary
             system use notification message to the RAMPS login screen in the area where
             messages such as system outage information are displayed. HUD planned to
             include a permanent banner in the next release of RAMPS, which is scheduled for
             the fourth quarter of this fiscal year.


Conclusion


             RAMPS contained invalid, duplicate, and an excessive number of user accounts
             and lacked a system use notification message on its login screen. Consequently,
             RAMPS was vulnerable to unauthorized and malicious individuals altering or
             deleting the Recovery Act data that are required to be disclosed to the public, and
             HUD would have been unable to successfully prosecute those individuals.


Recommendations



             We recommend that the Office of the Chief Information Officer

             2A. Ensure that RAMPS user account access is reviewed annually in accordance
                 with HUD policy.

             2B. Establish a process for disabling users who are inactive for 90 or more days. If
                 this process is not feasible, the Office should seek guidance and approval from
                 the HUD Chief Information Security Officer on deactivating inactive RAMPS
                 users after a specified period to maintain the integrity and security of the
                 system while still complying with established security policies.

             2C. Ensure that a permanent system use notification message or banner that
                 provides privacy and security notices consistent with applicable Federal laws,
                 executive orders, directives, policies, regulations, standards, and guidance is
                 implemented as part of the next release of RAMPS.
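Recommendations 2A and 2B call for an annual account review and a process for identifying inactive users, with the inactivity period possibly set longer than 90 days by exception. The Python below is an added illustration of such a review (duplicate IDs, inactivity relative to a review date, and a summary an ISSO could file); it is not HUD or RAMPS code, the account list is constructed, and the 180-day alternative threshold is a hypothetical value used only to show how the result changes under a longer approved period.

```python
"""Periodic user access review: duplicate IDs and inactivity candidates.

Constructed example: the account list is made up and the functions are
illustrative, not HUD or RAMPS code. The 90-day default reflects the HUD
Handbook 2400.25 requirement quoted in the report; 180 days is a hypothetical
alternative period.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    last_login: Optional[date]        # None means the account has never been used
    enabled: bool = True


def find_duplicate_ids(accounts: List[Account]) -> List[str]:
    """User IDs that appear more than once (compared case-insensitively)."""
    counts = Counter(a.user_id.lower() for a in accounts)
    return sorted(uid for uid, n in counts.items() if n > 1)


def find_inactive(accounts: List[Account], review_date: date,
                  max_inactive_days: int = 90) -> List[str]:
    """Enabled accounts with no login inside the allowed window; candidates to disable."""
    cutoff = review_date - timedelta(days=max_inactive_days)
    return sorted(a.user_id for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def access_review(accounts: List[Account], review_date: date,
                  max_inactive_days: int = 90) -> Dict[str, object]:
    """Summary for the annual access review: totals, duplicates, and disable candidates."""
    inactive = find_inactive(accounts, review_date, max_inactive_days)
    enabled = [a for a in accounts if a.enabled]
    return {
        "review_date": review_date.isoformat(),
        "inactivity_threshold_days": max_inactive_days,
        "total_accounts": len(accounts),
        "enabled_accounts": len(enabled),
        "active_accounts": len(enabled) - len(inactive),
        "duplicate_ids": find_duplicate_ids(accounts),
        "disable_candidates": inactive,
    }


# Constructed sample: a review run on 2011-03-31, just after a quarterly reporting cycle.
REVIEW_DATE = date(2011, 3, 31)
ACCOUNTS = [
    Account("jdoe", date(2011, 3, 15)),
    Account("JDoe", date(2011, 1, 10)),              # duplicate of jdoe
    Account("asmith", date(2010, 12, 20)),           # last used for the December quarter
    Account("bjones", date(2010, 6, 1)),             # no use for three quarters
    Account("cwu", None),                            # provisioned but never used
    Account("dlee", date(2011, 3, 30), enabled=False),   # already disabled; not re-flagged
]

if __name__ == "__main__":
    for days in (90, 180):
        summary = access_review(ACCOUNTS, REVIEW_DATE, days)
        print(f"{days}-day threshold: {summary['active_accounts']} active of "
              f"{summary['enabled_accounts']} enabled; disable {summary['disable_candidates']}; "
              f"duplicates {summary['duplicate_ids']}")
```

Running the same review at 90 and 180 days shows the trade-off the report describes: a user whose last login was the December reporting cycle is flagged under the 90-day rule but not under a longer approved period, while never-used and long-dormant accounts are flagged under both.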




Finding 3: The Technical Problem Management Process for RAMPS
Was Not Adequately Controlled
Multiple avenues existed for reporting and resolving RAMPS’ technical issues. This condition
occurred because conflicting guidance was provided to users. Having more than one reporting
avenue for technical issues leaves the problem management process vulnerable to inefficiencies.



    RAMPS’ Users Could Report Technical Issues in Multiple Ways

                  Multiple avenues existed for reporting and resolving technical issues. Users were
                   able to report issues through the HUD Information Technology Service (HITS) [5]
                  National Help Desk and the RAMPS help desk and directly by e-mail to the
                  RAMPS team via the RAMPS government technical manager and program
                  manager.

                  ISO/IEC (International Organization for Standardization and International
                  Electrotechnical Commission publication) 19770-1:2006(E), Information
                  Technology-Software Asset Management, Part 1: Processes, section 4.7.8, Problem
                  Management process states, “The objective of the Problem management process in
                  respect of software and related assets is to keep software assets current and in
                  operational fitness, including through proactive identification and analysis of the
                  cause of incidents and addressing the underlying problems. There is a formal
                  process of problem management which includes 1) All incidents that affect software
                  or related assets or services or SAM processes are recorded and classified as to their
                  impact, 2) High priority and repeat incidents are analyzed for the underlying causes
                  and prioritized for resolution, 3) Underlying causes are documented and
                  communicated to incident management, and 4) Problems are resolved in accordance
                  with their priority for resolution, and the resolution is documented and
                  communicated to incident management.”

                  HUD did not provide clear guidance to users to ensure that the appropriate steps to
                  report and resolve RAMPS-related problems were followed. At the start of our
                  audit, the help screen told users they could either use the HITS help desk or e-mail
                  the RAMPS team. The option to e-mail the RAMPS team was removed during the
                  audit as part of general system maintenance.

[5] Awarded on January 21, 2005, the HITS contract was designed to provide HUD with necessary personnel,
materials, equipment, infrastructure software, telecommunications, facilities, and services required to deliver core IT
infrastructure functions, including a data center, national Help Desk, disaster recovery, a network operating center,
and direct IT services for HUD Headquarters and field offices.

             Having more than one reporting avenue for technical issues leaves the problem
             management process vulnerable to inefficiencies. Problems may not get resolved in
             accordance with priority and impact, resolution data may not be recorded and made
             available for future diagnostics and trending, and underlying issues may not be
             properly identified.


Conclusion


             RAMPS technical issues could be reported and resolved using several different
             methods. This condition occurred because users were told they could either use
             the HITS help desk or e-mail the RAMPS team. Having more than one reporting
             avenue for technical issues leaves the problem management process vulnerable to
             inefficiencies.


Recommendations



             We recommend that the Office of the Chief Information Officer

             3A. Limit the problem reporting process to a single point of contact for all matters
                 relating to technical issues with RAMPS.




                        SCOPE AND METHODOLOGY

The review covered the period May 2009 through March 2011. We performed the audit from
February through June 2011 at HUD headquarters in Washington, DC. Our objective was to
assess RAMPS’ capability to record and provide data required by the American Recovery and
Reinvestment Act of 2009 on which HUD is required to report. Our review was based on
Recovery Act reporting guidance, publications by the National Institute of Standards and
Technology, and HUD’s own information security policies and procedures.

To accomplish our objective, we

   •   Interviewed RAMPS project team members and evaluated HUD’s compliance with
       Recovery Act reporting requirements.

   •   Reviewed Federal and HUD security policies and procedures along with RAMPS
       security documents to determine whether RAMPS followed Federal and HUD security
       requirements.

   •   Evaluated the effectiveness of the user access controls over RAMPS.

   •   Performed analyses of NEPA reports to determine whether the reports were accurate and
       complete.

   •   Evaluated the effectiveness of the RAMPS problem management process.

We performed a limited assessment of RAMPS data. Specifically, we performed analyses of
NEPA reports to determine whether information in the reports was accurate and complete. We
identified several instances where data records contained inaccurate or incomplete information,
which are detailed in finding 1 of this report. However, because this is an information system
review which included assessment of general and application controls, a formal assessment of
data reliability was not required.

We conducted the audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.




                              INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management,
designed to provide reasonable assurance about the achievement of the organization’s mission,
goals, and objectives with regard to

   •   Effectiveness and efficiency of operations,
   •   Reliability of financial reporting, and
   •   Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization’s mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as the
systems for measuring, reporting, and monitoring program performance.


 Relevant Internal Controls

       We determined that the following internal controls were relevant to our audit objectives:

                •     Policies, procedures, control systems, and other management tools used for
                      implementation of security and technical controls for HUD’s system
                      security.

                •     Policies, procedures, controls, and other management tools implemented to
                      collect and validate Recovery Act data.

       We assessed the relevant controls identified above.

       A deficiency in internal control exists when the design or operation of a control does not
       allow management or employees, in the normal course of performing their assigned
       functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to
       effectiveness or efficiency of operations, (2) misstatements in financial or performance
       information, or (3) violations of laws and regulations on a timely basis.

 Deficiencies


       Based on our review, we believe that the following items are deficiencies:

                •     The NEPA reports contained inaccurate and missing information (finding 1).

                •     RAMPS contained invalid, duplicate, and excessive numbers of user
                      accounts (finding 2).



                        APPENDIXES

Appendix A

        AUDITEE COMMENTS AND OIG’S EVALUATION


Ref to OIG Evaluation      Auditee Comments

[The auditee’s written comments, dated July 8, 2011, appear in the original report as scanned pages with OIG
reference marks Comment 1 through Comment 6 in the left margin; the scanned text is not recoverable in this
rendition.]

                         OIG Evaluation of Auditee Comments

Comment 1   OIG agrees with OCIO’s comment.

Comment 2   OIG agrees with OCIO’s comment.

Comment 3   OIG agrees with OCIO’s comment.

Comment 4   The recommendation acknowledges that it may not be feasible to deactivate the
            accounts of users who have been inactive for only 90 days and requests that OCIO
            obtain approval for deactivating RAMPS users after some other period of time.
            OIG agrees with OCIO’s Information Security Policy Exception approved on
            June 22, 2011. The documentation provided with the response to the draft report
            is sufficient to support closing this recommendation upon issuance of the final
            report.

Comment 5   OIG agrees with OCIO’s comment.

Comment 6   OIG agrees with OCIO’s comment and has confirmed that the option to email the
            RAMPS team has been removed from the Help screens within the RAMPS
            application. This recommendation can be closed upon issuance of the final report.



