
Departmentwide Approach Needed to Address HUD Contractor Employee Security Risks

Published by the Department of Housing and Urban Development, Office of Inspector General on 2016-03-30.


Program Evaluations Division

Washington D.C.   Report Number: 2015-OE-0008   March 30, 2016

MEMORANDUM


To:      Towanda A. Brooks
         Chief Human Capital Officer, A.

         Laura H. Hogshead
         Chief Operating Officer, S

         Patricia A. Hoban-Moore
         Chief Administrative Officer, A


From:    Kathryn Saylor
         Assistant Inspector General for Evaluation, GAH

Subject: Departmentwide Approach Needed To Address Contractor Employee Security Risks
         (2015-OE-0008)


Attached is our report on contractor employee security risks at the U.S. Department
of Housing and Urban Development (HUD). This review was conducted by Zelos,
LLC for the HUD Office of Inspector General.

Our evaluation assessed security policies and operations for contractor employees
performed primarily by HUD’s Office of the Chief Human Capital Officer. Zelos
observed five areas where HUD could improve security for contractor employees and
made nine recommendations. The Agency did not comment on the recommendations
in the response to the draft report; they provided additional information on
improvements in the process or actions they plan to initiate. The Agency’s complete
response is provided in Appendix B.

HUD Handbook 2000.06, REV-4 sets specific timeframes for management decisions
on recommended corrective actions. For each recommendation without a
management decision, please respond and provide status reports in accordance with
the HUD Handbook. Please furnish us copies of any correspondence or directives
issued as a result of the evaluation.

If you have any questions, please contact me at 202-809-3093 or Nikki Tinsley at
443-822-8285.




                                         Office of Inspector General
                                              Office of Evaluation
                                   451 7th Street SW, Washington DC 20024
                                  Phone (202) 708-0430, Fax (202) 401-2505
                                                www.hudoig.gov

At A Glance
What We Evaluated and Why
The Personnel Security Division (PSD) in the Office of the Chief Human Capital Officer is responsible
for reviewing and evaluating candidates’ suitability for working at the U.S. Department of Housing and
Urban Development (HUD). In 2013, the Office of Inspector General, Office of Investigation, issued a
systemic implications report that described weaknesses in the suitability review program. In addition, the
Office of Inspector General identified contractor employees as a particular concern. We wanted to know
(1) the strengths and weaknesses of HUD’s personnel, information, and physical security policies,
processes, and practices for contractor employees and (2) how policies, processes, and practices could be
strengthened to protect HUD from security vulnerabilities associated with its contractor employees.

What We Found
We identified vulnerabilities related to contractor employees. PSD reduced the backlog of suitability
adjudication cases, but on average it took about four times longer than the Office of Personnel
Management standard of 90 days to complete a case—resulting in several hundred contractor employees
working at HUD without a final suitability determination. PSD had not issued comprehensive policies
and procedures or implemented an automated case management system. Administrative and program
offices within HUD that were responsible for personnel, physical, and information security did not
collaborate effectively at the policy-making level. During this evaluation, the Office of Administration
established a security council to identify and address cross-HUD security issues.

What We Recommend
Our primary recommendations are as follows:

    1. The PSD director should develop and implement a comprehensive departmental personnel
       security policy and provide clear guidance for PSD and other relevant HUD staff.
    2. The Chief Operating Officer should use the security council to develop a strategic approach to
       contractor employee security departmentwide.
    3. The PSD director should collaborate with administrative and program offices to develop a
       structured approach to training on contractor employee security.
    4. The Chief Human Capital Officer should take immediate steps to eliminate the suitability
       adjudication backlog and meet Federal timeliness standards.
    5. The Chief Operating Officer should review physical security issues and risks related to contractor
       employees and provide direction for response by appropriate offices in HUD.

Management Response
The Chief Human Capital Officer provided a response in the form of comments and edits on the report
draft (Appendix B), which primarily consisted of status updates. The response indicated that her office
was in the process of implementing some of the report’s recommendations. The Chief Human Capital
Officer did not object to any of the report’s recommendations.

Table of Contents/Abbreviations
Background and Objectives
    Previous Office of Inspector General Review of Personnel Security at HUD
    Facts about Contractor Employees at HUD
    Evaluation Objectives
    Management Response and Contractor Analysis
Evaluation Results
    Observation 1: HUD Lacked a Comprehensive Personnel Security Policy for Contractor Employees
    Conclusions
    Recommendations
    Management Response and Contractor Analysis
    Observation 2: HUD Offices and Individual Staff Members with Security-Related Responsibilities Did Not Communicate and Collaborate Sufficiently
    Conclusions
    Recommendations
    Management Response and Contractor Analysis
    Observation 3: Acquisitions Staff Did Not Receive Consistent and Effective Training
    Conclusions
    Recommendations
    Management Response and Contractor Analysis
    Observation 4: PSD’s Improved Operational Efficiency Had Not Eliminated the Adjudication Backlog
    Conclusions
    Recommendations
    Management Response and Contractor Analysis
    Observation 5: Physical Security Policies and Procedures for Contractor Employees at HUD Headquarters Were Inadequate
    Conclusions
    Recommendations
    Management Response and Contractor Analysis
Scope and Methodology
Appendixes
    Appendix A
    Appendix B

Abbreviations
     CFR                  Code of Federal Regulations
     COR                  Contracting Officer’s Representative
     GAO                  Government Accountability Office
     Ginnie Mae           Government National Mortgage Association
     GTM                  Government Technical Monitor
     GTR                  Government Technical Representative
     HUD                  U.S. Department of Housing and Urban Development
     OCHCO                Office of Chief Human Capital Officer
     OCIO                 Office of Chief Information Officer
     OCPO                 Office of Chief Procurement Officer
     OPM                  Office of Personnel Management
     PIV                  personal identity verification
     PSD                  Personnel Security Division

Background and Objectives
Previous Office of Inspector General Review of Personnel Security at HUD
Protecting government assets, including facilities and information systems and occupants of Federal
facilities, is a critical government function. Previous audits and reviews of HUD personnel, information, and
physical security by the Office of Inspector General and other Federal agencies identified several longstanding
weaknesses in policies and procedures that put HUD at risk.

The HUD Office of Inspector General, Office of Investigation, issued a systemic implications report
regarding background investigations for new employees on April 12, 2013. The report identified
systemic weaknesses in personnel security and suitability adjudication, including a lack of policies,
procedures, management, and oversight to ensure that new hires were properly vetted. The Office of
Investigation review was prompted by the case of an employee who had been federally indicted for
allegedly participating in a mortgage fraud scheme at the time of her hiring. In early 2015, the Office of
Investigation requested that the Office of Evaluation perform a followup evaluation on progress made by
the Personnel Security Division (PSD) of the Office of the Chief Human Capital Officer (OCHCO) in
implementing the recommendations of the report.

The implications report made the following recommendations to OCHCO and PSD:

    1. Develop and implement personnel security policies, procedures, and regulations in accordance
       with Title 5, Code of Federal Regulations, Part 731 [5 CFR Part 731] and U.S. Office of
       Personnel Management [OPM] Federal Investigative Standards.
    2. Develop and implement an effective and timely case management process for bringing someone
       on board.
    3. Develop and implement an effective case management system for timely review and suitability
       adjudications.

In response to the recommendations, OCHCO committed on June 19, 2013, to undertake the following:

    • Develop a Personnel Security Policy Handbook.
    • Develop and implement internal PSD policies for indebtedness (applicant delinquent debt limits)
      and for making suitability determinations.
    • Hold biweekly on-the-job training to improve the accuracy of initial and final adjudication
      determinations.
    • Perform quality reviews on all cases to identify discrepancies or incomplete information before
      making initial entry on duty determinations and submitting background investigation requests to
      OPM.
    • Ensure adequate training for staff via OPM suitability adjudication training.
    • Improve timeliness of adjudication of background investigations.
    • Establish performance goals for PSD.
    • Provide training to reduce deficient cases returned by OPM.




Appendix A presents the recommendations contained in the implications report, OCHCO’s responses to
the recommendations, and the implementation status.

Facts about Contractor Employees¹ at HUD
When following up on the implications report, we became aware of several issues related to contractor
employees at HUD that indicated potential security vulnerabilities, including the following:
    • The precise number of contractor employees working for HUD was unknown.
        o On September 28, 2015, approximately 6,693 contractor employees were working on 2,926
          contracts.
        o On September 28, 1,727 contractor employees had personal identity verification (PIV) cards.
        o On September 24, 2015, 1,279 contractor employees had information system accounts.²
    • Contractor employees accounted for more than 65 percent of the suitability adjudication backlog as of
      October 22, 2015. According to PSD, 654 contractor employees were working for HUD without a
      final suitability determination.
    • OPM did not provide personnel security guidance for some steps in the security process for contractor
      employees or for situations specific to contractor employees.
    • Security related to the contractor employees was a disjointed and complicated process. Several
      administrative and program offices and hundreds of individuals had some level of responsibility.
    • PSD had very little or no control over some aspects of the security process for contractor employees.
      For example, contractor employees often transferred to different contracts or experienced breaks in
      service between contracts without PSD being informed.
    • PSD and other HUD personnel provided examples of security breaches at headquarters that illustrated
      HUD’s vulnerabilities, such as contractor employees without PIV cards not being escorted while in the
      building and contractor employees working at HUD headquarters (sometimes for years) without having
      gone through the clearance process.




¹ “Contractor employee” refers to “an individual who performs work for or on behalf of any agency under a contract
and who, in order to perform the work specified under the contract, will require access to space, information,
information technology systems, staff, or other assets of the Federal Government” (see Executive Order 13488,
“Granting Reciprocity on Excepted Service and Federal Contractor Employee Fitness and Reinvestigating
Individuals in Positions of Public Trust,” January 16, 2009). There is no consistently used term across the Federal
government for this cadre of workers; other terms commonly used include “contract employee,” “contractor,” and
“contractor personnel.” However, the term “contractor employee” appears to be the most frequently used term, and
therefore will be used in this report.
² Contractor employees who worked offsite were not generally issued PIV cards, and those who did not need access
to information systems (for example, child care providers) were not provided with information technology system
accounts.

Three Cases Illustrating HUD Security Vulnerabilities Related to Its Contractor Employees
(These cases occurred in 2014 and 2015.)
    • Individual “A” worked at HUD in a support services office for a number of years without
      PSD clearance. When PSD required A to submit a security application, details regarding past
      criminal conduct came to light, and he was found unsuitable to continue working at HUD.
    • Individual “B”, a parking attendant and subcontractor to the guard force, worked at HUD for
      an extended period without clearance. B entered the headquarters building every day through
      the loading dock area. The guards there were accustomed to seeing him and let him enter
      without question. However, one day a new guard told B he had to go to the main entrance and
      sign in, and the main entrance guard identified the problem.
    • Individual “C” was in a high-level position on the guard force. He had begun work without
      going through the security clearance process. When PSD required the security package, it
      found that Individual C was severely delinquent in repaying a Federal debt and was,
      therefore, unfit to work at HUD.

Source: Personnel Security Division, OCHCO

Internal and external reviews identified many weaknesses in physical security at HUD headquarters going
back several years. Officials responsible for physical security stated that they were unable to implement
previous recommendations due to a lack of resources. The 2014 and 2015 HUD Federal Information
Security Modernization Act reports also identified issues regarding appropriate management of access by
Federal and contractor employees to HUD applications and information.

Evaluation Objectives
Our evaluation assessed HUD security policies, processes, and practices related to its contractor
employees. The purpose of the evaluation was to identify ways to strengthen security processes for
contractor employees to ensure that they were suitable or fit to work on HUD contracts and had
appropriate access to information and facilities. Our specific objectives were to achieve the following:

    • Identify the strengths and weaknesses of HUD security policies, processes, and practices related
      to the contractor employees.
    • Determine how policies, processes, and practices could be strengthened to protect HUD from
      potential security vulnerabilities associated with contractor employees.

Management Response and Contractor Analysis
OCHCO provided status updates showing progress on each of the action items it had committed to
undertake in response to the systemic implications report.

OCHCO suggested wording changes to descriptions of the systemic implications report
recommendations, but we did not make the changes in order to remain consistent with the original
wording of the recommendations.

OCHCO contended that the statement that OPM did not provide guidance on many steps in the contractor
employee personnel security process was incorrect because security determinations are based on position
designation descriptors from OPM’s Position Designation Tool, which does not distinguish between
Federal and contractor employees. However, OPM’s reinvestigation guidance did not include contractors
and directed agencies to develop their own reinvestigation policy for contractors. In addition, there are
some situations that apply only to contractor employees, such as when there are breaks between contracts,
which OPM does not address. Therefore, we changed the word “many” to “some.”

OCHCO commented that Government Technical Representatives (GTRs),³ Government Technical
Monitors (GTMs), and Contracting Officer’s Representatives (CORs) are trained annually on the process
of moving a contractor employee to a different contract. However, this was not covered in PSD’s training,
and GTRs, GTMs, and CORs we interviewed during this evaluation stated that they did not know what to
do in this situation.




³ GTRs, GTMs, and contracting officer representatives were administrative and program office staff with acquisition
and procurement responsibilities. Acquisitions staff at HUD also included contracting officers, primarily located in
OCPO, who delegated specific contract-related tasks and functions to GTRs or contracting officer representatives.
At HUD, GTRs and contracting officer representatives performed similar functions, including delegating certain
tasks and functions to GTMs. In this report, we use “acquisitions staff” to refer to all of these positions and “GTRs”
and “GTMs” to include contracting officer representatives.




Evaluation Results
Observation 1: HUD Lacked a Comprehensive Personnel Security Policy for Contractor Employees

HUD did not have a comprehensive personnel security policy for contractor employees, or guidelines on
personnel security-related roles and responsibilities for PSD staff and the several administrative and
program offices and hundreds of individuals responsible for contractor employees. PSD had drafted a
personnel security policy that was undergoing review at the time of the evaluation. While the draft policy
signified progress, it did not address the full range of issues and risks related to personnel security for
contractor employees. As a result, HUD could not ensure that acquisitions staff effectively implemented
personnel security processes for contractor employees and that risks associated with using contractor
employees were mitigated to the extent possible. In the absence of a HUD policy, PSD relied on a U.S.
Department of Homeland Security policy as a reference.

PSD’s Draft Personnel Security Policy

HUD’s 1973 departmental personnel security policy had not been revised to reflect changes in Federal
regulations, OPM guidelines, technology, and roles and responsibilities. PSD had drafted a new policy in
response to the Office of Inspector General’s 2013 implications report, which had not been issued at the
time of this report. In drafting the personnel security policy, PSD did not fully engage the Office of the
Chief Procurement Officer (OCPO), the Office of the Chief Information Officer (OCIO), or the Facilities
and Services Branch to identify and resolve issues that should have been addressed by the policy or to
ensure consistency among HUD personnel, information, and physical security policies (although OCIO
did have an opportunity to provide comments on the November 2015 draft of the PSD policy). PSD
provided an updated draft personnel security policy, National Security and Suitability Policy Handbook
755.1, on November 30, 2015. Our analysis of the updated draft revealed that the new version did not
include a separate chapter or section on contractor employees, the absence of which would make it
difficult for GTRs and GTMs to understand which aspects of the policy they would be responsible for
following and implementing.

In addition, many aspects of the contractor employee security process were incomplete, not clearly
defined, or not addressed at all, including the following:

    • Roles and responsibilities of GTRs and GTMs (a section on roles and responsibilities of GTRs and
      GTMs was included, but it consisted of a list of specific tasks these individuals were responsible
      for performing and did not discuss broader responsibilities for ensuring that personnel security
      policies and processes for contractor employees were properly implemented).
    • Risk levels for contractor employee positions and the use of the HUD management survey to
      determine risk designation and the level of background investigation needed for contractor
      employees.
    • References to other relevant HUD policies, such as the HUD Acquisition Regulation (Chapter 24
      of the Federal Acquisition Regulation (48 CFR)) or HUD Information Technology Security
      Policy (HUD Handbook 2400.25 Rev 4).
    • Security issues specific to contractor employees, such as breaks in service and transfers to another
      HUD contract.

The policy could be improved in other ways, such as including references to other relevant HUD policies
like the HUD Acquisition Regulation (Chapter 24 of the Federal Acquisition Regulation (48 CFR)) or
HUD Information Technology Security Policy (HUD Handbook 2400.25 Rev 4). Including these
references would help ensure that all HUD policies related to security are aligned, and provide other
sources of information on roles, responsibilities, and processes.

PSD developed a reinvestigation policy, which was included in the personnel security policy, that
required reinvestigation of all employees, including contractor employees, in moderate- and high-risk
positions at least once every 5 years, in accordance with OPM requirements. The policy did not apply to
any category of employees in low-risk, nonsensitive positions. While OPM does not require
reinvestigation for these positions, some other Federal agencies conducted reinvestigations of individuals
in those positions. PSD had previously lacked a reinvestigation policy, and some contractor employees
had worked at HUD for more than a decade on multiple contracts without having been reinvestigated.

In comparison to HUD’s draft policy, the policies and guidelines of selected Federal agencies (the U.S.
Departments of Commerce, Homeland Security, and Veterans Affairs and the Federal Deposit Insurance
Corporation) addressed many of the missing or incomplete areas of the HUD policy and could serve as
models. For example, one or more of the policies and guidelines contained separate sections on
contractor employees, which addressed the following issues:

    • Roles and responsibilities for every employee and office involved in the personnel security
      process and, for some processes, specific steps and timeframes;
    • Position risk designation, including risk level definitions, criteria for determining the risk
      designation for contractor employees, when and how to change a designation, and required forms;
      and
    • Situations specific to contractor employees, such as breaks in service, transfers to other contracts,
      and situations in which contractor employees could be given access to Federal information
      without a background investigation.

PSD faced a number of challenges that interfered with its ability to develop an effective and
comprehensive personnel security policy. Given the state of the adjudication backlog and noncompliance
with OPM standards (see observation 4), PSD’s director prioritized streamlining operations to satisfy
OPM requirements. Chronic shortages of qualified staff and an antiquated case management system that
required staff to rely on a manual, paper-based system for processing and tracking cases resulted in PSD
leadership’s continued focus on the backlog and managing the personnel security program. Recognizing
the need of the PSD director to focus on management and the adjudication backlog, during this evaluation
the Chief Human Capital Officer tasked the OCHCO Policy Development and Oversight Division with
further developing and finalizing the personnel security policy.

PSD Internal Policies

In response to the 2013 implications report, the PSD director drafted two interim policies to guide internal
PSD operations: an indebtedness policy and a suitability determination policy. The indebtedness policy
was important in aligning HUD with OPM thresholds. The suitability determination policy was important
because it institutionalized some PSD practices, such as requiring a second-level review for all
unfavorable recommendations. The policies were in draft form for more than 2 years. The (then acting)
Chief Human Capital Officer signed and issued the indebtedness policy on June 26, 2015, but OCHCO
was still reviewing the suitability adjudication policy at the time of this evaluation. Turnover in OCHCO
leadership positions appeared to delay consideration of proposed policies. OCHCO leadership had
changed several times, and the acting Chief Human Capital Officer became permanent in the position in
August 2015.

Guidance for PSD Personnel

The Handbook OCHCO committed to develop in 2013 had evolved into PSD’s comprehensive personnel
security policy. In response to our request for internal PSD procedures, PSD provided a “PSD Desk
Reference Onboarding Process” and two packets of documents that PSD staff used to perform its duties.
The Desk Reference listed the steps to bring different types of HUD employees on board.⁴ The
documents in the packets provided some tools for PSD staff, but they were not procedures. They were
primarily instructions for filling out forms and performing other specific functions, such as how to open
the security package email submitted by GTRs and GTMs, which forms to use, and how to log into
USAccess⁵ to submit a PIV card print request.

One of the packets was on bringing contractors on board and contained the following documents:

    • The security package that GTRs and GTMs submitted to PSD when a contractor was hired.
    • Samples of notices that might be sent to GTRs during the security process, such as a notice of a
      delay.
    • Examples of notices that might be sent to the contractor employee if there were an issue that
      needed clarification.
    • An example of an eligibility analysis and recommendation.
    • A copy of the training provided by PSD to GTRs, GTMs, and other sponsors of contractors.

Guidance for Acquisitions Staff

OCPO had overall contracting responsibility at HUD, including training and accrediting contracting
officers, GTRs, and GTMs. Some of the GTRs’ and GTMs’ security-related roles and responsibilities
were described in various OCPO policy documents, some of which were outdated, and in training
materials. PSD training materials provided information on how to perform specific functions, such as
providing information system access to contractor employees, without going into the policy details that
would help a GTR or GTM understand when a particular practice was the correct one. GTRs and GTMs
did not have a complete, authoritative source of information regarding their responsibilities and the
policies they should abide by.




⁴ Employee categories addressed include: federal employees, executive resources, presidential management fellows,
student interns, volunteer interns-volunteers, and contractor employees.
⁵ The U.S. General Services Administration’s USAccess program provided Federal agencies with a shared,
centralized service for procuring and maintaining PIV credentials that complied with Homeland Security
Presidential Directive 12 for employees and contractor employees. HUD started using USAccess in 2010.




Quarterly PSD training was the primary vehicle that provided GTRs and GTMs with guidance on
personnel security for contractor employees. The training included limited information on physical and
information security procedures. However, similar to the guidance provided to PSD staff, the training
primarily focused on specific instructions, such as how to become a sponsor in USAccess, and did not
include security policies and guidance. (Training is discussed in more detail in observation 3.)

Three OCPO documents provided GTRs, GTMs, and contracting officers limited guidance on contractor
employee security:

      • HUD Procurement Handbook
      • HUD Acquisition Regulation
      • Contract Monitoring Desk Guide for Government Technical Representatives & Government
        Technical Monitors

Contracting officers were responsible for ensuring that contractor employees met clearance requirements
and that clauses addressing security requirements were inserted into contracts. The guidance for GTRs
and GTMs focused largely on physical and logical access. GTRs and GTMs were responsible for
ensuring that every contractor employee working on site had the proper credentials for accessing the
headquarters building and information systems, maintaining a list of PIV cards issued, and collecting PIV
cards when the contract expired or the contractor employee’s employment ended. In addition, GTRs and
GTMs were instructed not to approve final invoice payments until all PIV cards were collected.

There were many aspects of security associated with contractor employees that were not addressed in
OCPO documents. By way of comparison, the U.S. Department of Commerce Acquisition Manual
contained a chapter on security related to contractor employees that detailed the purpose and applicability
of the chapter, criteria for designating risk for information technology and non-information technology
service contracts, and personnel security processing requirements, among other policies and procedures.

Conclusions
PSD had made progress in developing an internal policy on indebtedness, but the suitability determination
policy was still under review, and the draft comprehensive personnel security policy had many weaknesses
and omissions and was also still under review more than 2 years after OCHCO had committed to develop
it. PSD staff said that acquisitions staff with personnel security responsibilities did not always follow
procedures. GTRs and GTMs interviewed were not always aware of their personnel security
responsibilities because of the lack of clear policy and guidelines. Without a comprehensive departmental
personnel security policy for contractor employees, offices and individual staff members with
security-related responsibilities did not have a full understanding of how to carry out their duties, making it difficult
if not impossible for HUD to monitor and enforce personnel security requirements. HUD was at risk of
contractor employees having inappropriate access to HUD facilities and information.

Recommendations
1A. The Chief Human Capital Officer should ensure that the Personnel Security Division has adequate
resources to develop and implement a comprehensive departmental personnel security policy that fully
addresses contractor employees.



1B. The Personnel Security Division director should develop a comprehensive policy and clear guidance
for all HUD personnel with roles and responsibilities related to contractor employee security. To
accomplish this objective, the director of the Personnel Security Division should do the following:
      • Work with the Office of the Chief Procurement Officer and HUD administrative and program
        offices to define roles and responsibilities for all steps of the contractor employee security
        process, identify security issues that need to be included in the policy, ensure consistency in HUD
        security policies, and meet the needs of users.
      • Work with the Office of the Chief Procurement Officer and administrative and program offices to
        develop guidelines for individuals with security-related responsibilities on how to implement the
        policy and make the guidelines widely available.

Management Response and Contractor Analysis
OCHCO provided several status updates, including progress it had made in implementing
recommendations and plans for further improvements. (See Appendix B.)

OCHCO stated that, instead of including a separate section on contractors in the personnel security
policy, subheadings or captions in the policy document would be adjusted to make it clear that the policy
applied to both Federal and contractor employees. OCHCO also would issue a separate standard
operating procedure for acquisitions staff on onboarding contractor employees. While this approach
would be an improvement, we did not believe it was sufficient. A separate section addressing personnel
security issues that acquisitions staff are specifically responsible for would make it easier for them to
adhere to the policy. In addition, we had concerns regarding how long it would take to develop the
standard operating procedure given the time it took to develop the personnel policy.

OCHCO also stated that the most recent draft of the personnel security policy addressed breaks in service
between contracts. We did not have the opportunity to review the updated draft policy and could not
determine how the issue was addressed.




Observation 2: HUD Offices and Individual Staff Members with
Security-Related Responsibilities Did Not Communicate and
Collaborate Sufficiently

Offices and individual staff members responsible for contractor employee security were dispersed
throughout HUD. They included administrative offices (Office of Administration, OCHCO, OCPO, and
OCIO) and program offices. Communication at the staff level on day-to-day operations occurred
regularly and effectively between PSD and OCIO and between PSD and the Facilities and Services
Branch. On the other hand, communication between PSD and OCPO was minimal but started to improve
during this evaluation. However, PSD appeared to be isolated from other program and administrative
offices and not fully aware of these offices’ policies and practices (such as physical security) related to
contractor employees.

Recognizing the important role of collaboration in addressing Federal Government challenges, the U.S.
Government Accountability Office recommended several practices to improve collaboration, such as
defining and articulating a joint outcome and establishing mutually reinforcing strategies.6 HUD offices
responsible for security did not communicate or collaborate at the policy-making level on developing
strategies and joint outcomes.

Communication and Coordination at the Operational Level

PSD reported regular communication and a good working relationship with the Facilities and Services
Branch and OCIO. OCIO and the Facilities and Services Branch also stated that they were in regular
communication and coordinated well with PSD. For example, OCIO periodically reviewed PSD training
materials to ensure that the portions related to computer systems access through the Centralized HUD
Account Management Process were up to date, and participated in training sessions offered by PSD. The
Facilities and Services Branch indicated that it viewed communications from PSD as a high priority and
always responded immediately. PSD concurred that it always received a prompt response from the
Facilities and Services Branch when it needed assistance, such as when a contractor employee was
determined to be unfit and needed to be removed from the facility.

Formal mechanisms to facilitate and institutionalize communication and collaboration among the
different offices and individual staff members with security-related responsibilities were lacking. Both
PSD and the Facilities and Services Branch stated that their good working relationship was
largely due to personal relationships that were established when PSD and the Facilities and Services
Branch were both located in OCHCO. Staff members of PSD, OCIO, and the Facilities and Services
Branch did not hold regular meetings at the operational level, and there were no memorandums of
understanding in place to specify roles and responsibilities for cross-cutting processes or rules.

While the relationship between PSD and OCPO was less developed, during this evaluation PSD and
OCPO began to work together and had several meetings to collaborate on developing a 30-minute video
on personnel security for inclusion in GTR and GTM training. PSD and OCPO had also begun to
collaborate on updating boilerplate contract language on personnel security. However, the previous lack
of communication and coordination between PSD and OCPO had some significant consequences. For
example, PSD did not have a reliable mechanism to disseminate policy changes, training availability, and
other important information to those with security-related responsibilities in other HUD offices because
PSD did not have a complete list of GTRs and GTMs.

6 U.S. Government Accountability Office, Results-Oriented Government: Practices That Can Help Enhance and
Sustain Collaboration among Federal Agencies, October 2005, GAO-06-15, pp. 1, 4.

PSD was unaware that there were more than 600 GTRs and GTMs and that OCPO maintained a list of
them. PSD relied on a loosely assembled email distribution list of approximately 150 GTRs and GTMs
who had contacted PSD with questions. GTRs and GTMs indicated that they learned of security policy
changes in a variety of ways, such as through the security or procurement staff in their program offices.
For example, the Government National Mortgage Association (Ginnie Mae) security officer interviewed
indicated that he forwarded information he received from PSD to GTRs. However, GTRs and GTMs
reported that there were times when there were changes in policies or procedures that they learned about
“on the job”—for example, if the security package changed, they would learn about it when the package
they submitted was rejected.

More importantly, PSD lacked complete information on the security-related situations that GTRs and
GTMs encountered in managing contracts, such as breaks in service or transferring a contractor employee
to a different GTR and, therefore, had not addressed these issues proactively. PSD did not have input on
training or guidance that OCPO provided to GTRs and GTMs. For example, PSD was previously
unaware of some relevant components of OCPO policy documents, including the HUD Procurement
Handbook, the HUD Acquisition Regulation, and the Contract Monitoring Desk Guide.

Communication at the Policy Making Level

Offices and individuals responsible for security related to contractor employees were dispersed
throughout HUD, and no single individual or office had a clear leadership role for security. As a result,
until the summer of 2015, there was no collaboration among decision makers to take a strategic,
integrated, departmentwide approach to security that assessed risks, vulnerabilities, areas needing
improvement, gaps in policies and procedures, and resource needs.

Policy development and implementation were not integrated, thorough, or in some cases, agreed upon.
For example, OCPO and PSD disagreed on whether all contractor employees needed to go through the
security clearance process. PSD believed that all contractor employees should be required to go through
the personnel security process, while OCPO contended that HUD had contracts that involved people who
were never on site and did not have access to HUD information systems and, therefore, putting those
contractor employees through the process was unnecessary. OCPO agreed that it needed to coordinate
with PSD to resolve this issue.

In another example, PSD requested that the Facilities and Services Branch not allow contractor employees
who had not been issued a PIV card into the building more than three times. After a contractor employee
was signed into the building three times, the Facilities and Services Branch managers required a
memorandum of explanation from the GTR or GTM before allowing the contractor employee to be signed
in again. PSD was not notified about how the rule was being implemented or about contractor employees
who were signed into the building frequently. OCPO indicated that it was unaware of this rule.




However, during this evaluation, some promising developments indicated an increasing recognition of the
need for and importance of collaboration at the policy level. The director of the Office of Human Capital
Services (in which the Personnel Security Division resides) in OCHCO told us that she approached the
Chief Procurement Officer regarding holding regular meetings and had a goal for fiscal year 2016 to
improve collaboration with OCPO.

The Chief Administrative Officer formed an informal security council in summer 2015. Participants
included representatives from OCIO; PSD; and multiple Office of Administration offices, including
Disaster and Emergency Management, the Facilities and Services Branch, and protective services. The
council reports to the Chief Operating Officer and the Deputy Secretary. The council was initially
somewhat narrowly focused on addressing emerging security threats and developments that could impact
HUD and did not have a statement of goals and objectives or a charter. However, council leadership
expressed interest in institutionalizing the council so that it would continue to function when HUD
leadership changed.

The Office of Administration had introduced new issues, was planning to continue to expand the
membership, and was receptive to including OCPO. OCPO indicated interest in participating when the
council addressed topics relevant to security for contractor employees. The council had already identified
issues of concern related to security for contractor employees, such as the practice of issuing paper
entrance cards that allowed contractor employees access to HUD headquarters for an extended period.

Conclusions
Limited communication and collaboration among some offices and decision makers responsible for
contractor employees’ security negatively affected HUD’s ability to take a departmentwide,
integrated approach to developing, implementing, and enforcing security policies for contractor
employees and providing guidelines and training. There were gaps in policies, processes, and
practices. In addition, procedures were not implemented properly at all times because the
appropriate people were not always aware of them. The security council provided an opportunity
for the offices and individuals with responsibility for security at HUD to collaborate on a
departmentwide level.

Recommendations
2A. The Chief Operating Officer should use the security council to engage offices in a coordinated
approach to security departmentwide.

2B. The Chief Administrative Officer should implement the following measures to institutionalize the
security council and ensure that all offices responsible for security are represented:
      • Formalize the security council and its outcomes with a charter and with goals and objectives to
        guide its work.
      • Continue to expand the membership of the security council and ensure that the Office of the Chief
        Procurement Officer is included in meetings or consulted with as appropriate.

2C. The director of the Personnel Security Division should develop a communication plan that promotes
appropriate information exchange with internal and external stakeholders, including frequency and
mechanisms for communication and how the Personnel Security Division will collect information from
stakeholders on contractor security issues and concerns.

Management Response and Contractor Analysis
OCHCO commented that communication among the offices with responsibility for personnel security of
contractor employees, while not formal, took place informally on a daily basis. Our interviews with HUD
officials indicated that informal, frequent communication took place between PSD and OCIO, and PSD
and the Facilities and Services Branch at the operational level. However, there was little communication
between PSD and OCPO. In addition, until the establishment of the security council, leaders of the offices
with personnel security responsibilities did not communicate on a regular basis regarding departmentwide
policies, strategies, vulnerabilities, or resource needs.




Observation 3: Acquisitions Staff Did Not Receive Consistent and
Effective Training
Acquisitions staff in OCPO and other administrative and program offices had responsibilities related to
personnel, physical, and information security for the contractor employees, but these responsibilities were
not clearly explained in HUD policy. In addition, acquisitions staff did not receive consistent and
effective training on their security responsibilities. Effective training of acquisitions staff was emphasized
throughout the U.S. Government Accountability Office Framework for Assessing the Acquisition
Function at Federal Agencies.7 The Office of Federal Procurement Policy, in Letter 05-01, specified that
each agency should assign responsibility to acquisition career managers for determining and addressing
training requirements for the agency’s acquisition workforce.

Acquisitions career managers in HUD are located in OCPO. Most of the training OCPO required GTRs
and GTMs to take consisted of standardized courses from the Federal Acquisition Institute and the
Defense Acquisition University. Because they were designed for individuals from many Federal
agencies, these courses did not address HUD-specific security responsibilities. OCPO could have
required acquisitions staff to take additional training but had not required staff to take the PSD training
on security related to contractor employees.

When the current PSD director arrived at HUD, there was no training for acquisitions staff on contractor
employee security. The primary motivation for PSD to develop the training was to minimize requests for
information and assistance made by GTRs and GTMs. Therefore, rather than being based on an
assessment of what GTRs and GTMs needed to fulfill their security-related responsibilities, the training
focused on how to complete various processes, such as sponsoring a contractor employee in USAccess or
filling out a Centralized HUD Account Management Process request. Based on what GTRs and GTMs
told us, training did not reach all of the GTRs and GTMs who should have taken it.

OCPO officials and acquisitions staff indicated that those with security responsibilities for contractor
employees sometimes learned what they needed to know about fulfilling their day-to-day responsibilities
regarding security from more experienced colleagues. Some program offices offered their own security
training. For example, Ginnie Mae provided annual security training on responsibilities, such as escorting
and chaperoning contractor employees without PIV cards and limiting contractor employee access to
information; and the Real Estate Assessment Center held quarterly meetings on security.

Training Strategy

PSD did not have a comprehensive training plan and lacked effective mechanisms to identify and notify
acquisitions staff that needed the training, track who participated, or determine whether they learned key
information. However, PSD should not have been solely responsible for developing and implementing a
comprehensive training plan because OCPO, OCIO, and the Facilities and Services Branch all had
contractor security responsibilities. Acquisitions staff had responsibility for physical and information
security as well as personnel security. PSD had responsibility for personnel security, the Facilities and
Services Branch had responsibility for physical security, and OCIO had responsibility for information
security. OCPO had responsibility for ensuring that contracts addressed security requirements
appropriately and acquisitions staff received the training needed to fulfill their roles.

7 U.S. Government Accountability Office, Framework for Assessing the Acquisition Function at Federal Agencies,
GAO-05-218G, September 2005.

During this evaluation, in their security council roles, PSD and the Office of Administration began to
collaborate on training that included physical and personnel security. PSD and the Office of
Administration planned to continue to meet to discuss training and the security-related responsibilities of
the administrative and program offices.

HUD had not defined or assigned roles and responsibilities for developing contractor employee security
training for acquisitions staff, or providing the training. PSD had developed and delivered training to
GTRs and GTMs on processes for bringing contractor employees onboard related to personnel, physical,
and information security, but PSD’s core responsibility was for the personnel security program. OCIO
and the Facilities and Services Branch provided feedback on PSD’s training materials, but there was no
collaboration to identify training needs. In addition, there was disagreement between OCPO and PSD on
who was responsible for training acquisitions staff on contractor employee security. OCPO initially
stated that it was primarily PSD’s responsibility, while PSD believed that OCPO was responsible for
coordinating the training of acquisitions staff. This was an example of inadequate communication and
collaboration described in observation 2.

Training Content and Delivery

PSD provided a single training course that it used to achieve the purposes of initial, refresher, and special
training. The course contained largely the same information every time it was offered, with updates to
alert participants to any changes or new requirements that had been instituted or were on the horizon.

The content of PSD’s training was not based on a needs analysis but primarily reviewed the required
procedures to be followed so that PIV cards could be obtained from the General Services Administration,
OPM could conduct background checks, and OCIO could provide HUD logical access.

PSD did not collaborate with OCPO on training content. However, OCIO participated in PSD training
sessions and provided feedback on the portions of the training materials that addressed information
security (such as Centralized HUD Account Management Process access) to ensure that the information
was up to date. The Facilities and Services Branch recently began reviewing and providing input on PSD
training materials.

Training content was incomplete due to both a lack of clear security policies and omission of important
components, such as references to relevant regulations and policies. Neither OCPO nor PSD identified
administrative and program offices’ contractor employee security responsibilities and specific staff
designations for meeting security requirements to include in the training. Some GTRs and GTMs who
had participated in PSD’s training identified several examples of the types of information that were not
addressed in the training but would have been useful to them, such as the following:
      • How to transfer oversight of a contractor or individual contractor employees to a new GTR;
      • How to fill out the HUD management survey8 and how the elements of the survey corresponded
        to risk;
      • Step-by-step guidance on the overall security process, including clear guidance on who needs to
        go through the clearance process and the timeline; and
      • Citations for relevant regulations and guidance.

PSD provided training to GTRs and GTMs four times per year, as well as individually upon request to
acquisitions staff new to these roles. PSD delivered the training via conference call and a 30-page
PowerPoint presentation. Fewer than 100 of the more than 600 GTRs and GTMs participated in each
training. The low participation rate was due partially to technology constraints but also indicated PSD’s
inability to reach all GTRs and GTMs with information on the availability of training. Some participants
considered the presentation format to be of questionable effectiveness and believed that new staff
members should be required to take the class in person and refresher courses should be offered via
webinar.

Conclusions
The required training for GTRs and GTMs provided by OCPO included little information on contractor
employee security, and the information was not specific to HUD. Thus, PSD’s training, which was not
mandatory for GTRs and GTMs, was the primary source of information about security-related
responsibilities and how to fulfill them. PSD, OCPO, the Facilities and Services Branch, and OCIO did
not collaborate with each other effectively to identify relevant staff members, determine their training
needs, or develop and deliver contractor employee security training.

Recommendations
3A. The Personnel Security Division director should collaborate with the Chief Procurement Officer, the
Chief Information Officer, the Chief Administrative Officer, and GTRs and GTMs to develop a structured
approach to training staff with contractor employee security responsibilities on personnel security, logical
access, and physical security. The strategy should include how security training will be implemented,
evaluated and improved, validated, and tracked. Training should be mandatory and should be managed
and delivered using proven approaches and available tools.

Management Response and Contractor Analysis
OCHCO provided information on plans to continue making improvements in training.

OCHCO commented that their training materials were updated and streamlined based on participant
feedback and that the training includes all key components of the personnel security process for
contractor employees. We did not believe this contradicted our statement that PSD did not work with
other relevant offices to develop and implement a training strategy.

8 The HUD management survey was a modified version of OPM’s management survey, a tool for determining
position risk designation and investigative requirements for employees. The management survey included questions
about the position’s fiduciary responsibilities, level of supervision, and information system access needs. The survey
was part of the security package that GTRs and GTMs completed and submitted to PSD when hiring contractor
employees. If the GTR or GTM filled out the survey incorrectly, PSD could request the wrong background
investigation. Having to request a second background investigation to give the individual the level of access needed
to perform his or her job cost HUD money.

OCHCO stated that guidance on the management survey and transferring contractor employees to new
contracts would be provided by OCPO. We were unable to verify that OCPO provides this guidance to
acquisitions staff, and the GTRs and GTMs whom we interviewed indicated that they needed guidance in
those areas.

OCHCO stated that the training provided guidance on the overall security clearance process and included
timelines for complying with OPM regulations, and specified timelines for the PSD fingerprinting process
and security package submission. The training did not include an overview of the entire process with
estimated timelines for each step.

In response to OCHCO comments, we reworded the conclusion to clarify that the training GTRs and
GTMs were required to take was provided by OCPO, not PSD.




Observation 4: PSD’s Improved Operational Efficiency Had Not
Eliminated the Adjudication Backlog
PSD’s director took several steps to improve operational efficiency, but they were not enough to meet
OPM and Director of National Intelligence timeliness standards for adjudication,6 resulting in many
contractor and Federal employees working before PSD ensured their suitability or fitness. Contractor
employees comprised a large portion of the backlog (approximately 65 percent), and the average time it
took PSD to complete an adjudication was 360 days. As a result, hundreds of contractor employees with
provisional (incomplete) suitability or fitness determinations potentially had physical and logical access
for 1 year or more, putting HUD at significant risk.

Adjudication Backlog

OPM’s suitability timeliness standard required that agencies complete suitability adjudications for 100
percent of cases within 90 days of receiving background investigation results. OPM’s Security and
Suitability End-to-End Hiring Roadmap contained additional personnel security performance goals. The
Director of National Intelligence timeliness standard for national security clearances required that
agencies complete suitability adjudications for 90 percent of cases within 20 days.

PSD was unable to meet OPM’s suitability timeliness standards. PSD was understaffed (the deputy
director and several other positions were vacant) and staffed with individuals who, due to lack of
experience or training, could not perform suitability determinations necessary to meet performance goals.
Three staff members had been transferred from other parts of HUD and had no experience or training in
personnel security. These employees were not stationed at headquarters, which made on-the-job training
difficult. PSD’s staffing problems were compounded by the November 2015 departure of its most
experienced personnel security specialist. This individual was in charge of the personnel security process
for the contractor employees. In addition to being a trained and experienced adjudicator, this individual
managed staff and workload and updated and delivered training to acquisitions specialists on contractor
employee security. Further, PSD’s automated case management system was out of date and did not
contain information and features needed to track and manage cases. Therefore, PSD staff primarily relied
on Excel spreadsheets and paper-based files.

PSD had a significant backlog of adjudication cases:

      • PSD’s average adjudication timeline in November 2015 was 360 days.
      • The current PSD director successfully implemented changes when she arrived in 2012, which
        resulted in a significant reduction in the backlog from approximately 3,000 in 2012 to
        approximately 900 in 2013. However, due to a hiring surge in 2014, the backlog had risen to
        1,500 cases by the spring of 2015. By early fall 2015, PSD had again reduced the number of
        cases, this time to approximately 1,000. The number was reduced in part because 276 of the
        1,500 backlogged cases were contractor employees who no longer worked at HUD. (See figure
        1.)


6 The timeliness standard for national security positions was included in the Intelligence Reform and Terrorism
Prevention Act of 2004 and was issued by the Director of National Intelligence, while timeliness standards for all
other risk levels were put forth by OPM and contained in 5 CFR Part 731.

Figure 1: Approximate adjudication backlog, 2012-2015 (chart not reproduced; horizontal axis: 2012, 2013, Spring 2015, Fall 2015; vertical axis: 0 to 3,500)
Source: Personnel Security Division, OCHCO

      • As of October 22, 2015, the number of contractor employee cases in the backlog was 654. (The
        backlog changed daily as PSD received new cases or cleared older cases from the backlog.)

Contractor employees who were determined to be unfit to work at HUD due to criminal violations or
financial delinquencies were typically identified during the preliminary security screening process,
reducing HUD’s vulnerability. However, it was possible for individuals to pass the preliminary screening
and ultimately be determined to be unfit during the final adjudication process. Delays in the adjudication
process caused by the backlog exposed HUD to risk resulting from the possibility of unfit contractor
employees working at HUD for long periods.

PSD had taken the following steps to address the suitability adjudication backlog:
    • Streamlining processes and developing desk references.
    • Changing the office’s organizational structure.
    • Developing an implementation plan to eliminate the backlog within 6 months.
    • Hiring one Federal and four contractor employees in August 2015 who were devoted to reducing
      the adjudication backlog. (Two of the contractor employees had left HUD, and PSD was in the
      process of hiring replacements.)
    • Working with the OCHCO project management office to build the business case for a case
      management system and to identify systems requirements. Funding for the system was approved
      during this evaluation.
    • Training two additional PSD staff members to be adjudicators.

Before the staff additions noted above, three Federal employees were certified to make suitability
determinations, but only one was actively doing so. The others were dedicated to making preliminary
decisions for bringing Federal and contractor employees onboard. Contractor employees performing
adjudications were not allowed to make final suitability determinations (in accordance with 5 CFR Part
731) but could complete a majority of the review process and make suitability recommendations.

PSD Performance Goals

PSD’s fiscal year 2015 performance goals (fiscal year 2016 goals had not been developed), even when
met or exceeded, did not put PSD in compliance with Federal timeliness standards. See table 1 for a
comparison of PSD’s performance goals, PSD’s actual performance, and the standards.

Table 1: PSD adjudication timeliness

 Process                                                 PSD fiscal year 2015 goal   PSD actual (as of November 2015)   Standard [9]
 Entry on duty                                           25 days                     25 days                            14 days
 Suitability adjudication – time to process for all      Average of 345 days         Average of 360 days                100% within 90 days
 Suitability adjudication – percentage within 255 days   25% within 255 days         15% within 255 days                100% within 90 days
 National security suitability adjudication              85% within 25 days          100% within 21 days                90% within 20 days

Source: Personnel Security Division, OCHCO

Conclusions
Several hundred contractor employees worked at HUD—with physical and logical access—without a
final suitability or fitness determination. Hundreds of contractor employees worked at and left HUD
without having had their cases adjudicated. It would be possible for the full suitability adjudication
process to reveal that a contractor was unfit to work at HUD, making HUD vulnerable to risk from the
backlog.

Recommendations
4A. The Chief Human Capital Officer should take immediate steps to eliminate the suitability
adjudication backlog and meet the Office of Personnel Management timeliness standards, including the
following:
        • Devoting adequate and appropriately trained staff to perform suitability adjudications and
        • Prioritizing, obtaining, and implementing an automated case management system.

4B. The Chief Human Capital Officer and the director of the Personnel Security Division should plan
work to prevent the recurrence of backlogs.




[9] Entry on duty and suitability adjudication standards were set by OPM; national security suitability standards were
set by the Director of National Intelligence.

Management Response and Contractor Analysis
OCHCO provided updated data that indicated it had made significant progress on reducing the backlog
and improving adjudication timeliness, and implemented steps to continue progress. (See Appendix B.)

We reworded the characterization of vulnerabilities resulting from the backlog and the Conclusion in
response to OCHCO comments that it was rare for contractors to be found unfit to work at HUD after the
full adjudication process; problems were typically identified during preliminary screening.




Observation 5: Physical Security Policies and Procedures for
Contractor Employees at HUD Headquarters Were Inadequate
Physical security policies, processes, and practices for contractor employees at HUD headquarters
presented a risk of unauthorized access or a tragic event. Problem areas included a lack of screening for
contractor employees entering facilities, temporary sign-in of contractor employees who had not been
cleared by PSD, and contractor employees with temporary badges not being escorted while in the
building.

The Interagency Security Committee, chaired by the U.S. Department of Homeland Security, provided
standards on facility access in The Risk Management Process: An Interagency Security Committee
Standard. The standard applied to “all buildings and facilities in the United States occupied by Federal
employees for nonmilitary activities.” A 2014 Office of Inspector General audit found that facility access
procedures at HUD did not meet these standards.[10]

The Facility and Services Branch stated that it had some responsibility for implementing Homeland
Security Presidential Directive 12 and standards put forth by the National Institute of Standards and
Technology, U.S. Department of Commerce, on personal identity verification of Federal and contractor
employees.[11] We could not identify HUD-specific physical security policies, and the only guidelines or
procedures in place addressed hosting events with outside attendees, which were basically instructions for
the individual or office hosting the event.

Previous Assessments of HUD’s Physical Security Processes, Practices, and
Vulnerabilities

The U.S. Department of Homeland Security conducted a facility security assessment of HUD in 2011 and
identified several issues related to physical security at the headquarters facility. While the report
concentrated on employees, our observations and interviews showed that these issues did or could apply
to contractor employees with a PIV badge. The assessment report noted the following vulnerabilities:
     • The Facilities and Services Branch did not require employees entering the HUD headquarters
       building to go through any screening measures (magnetometer or x-ray).
     • Before 2009, when entry screening of personnel through screening machines was still being
       conducted, the Facilities and Services Branch confiscated weapons and prohibited items from
       employees on multiple occasions.

The report recommended reinstating the screening of employees. We were told that the screening was
discontinued due to concerns of union(s) representing employees.

A 2014 Office of Inspector General review of physical security processes that compared HUD with four
similar-size Federal agencies indicated that HUD was relatively lenient and recommended that, in light of
recent examples of workplace violence, these vulnerabilities be addressed. Examples of approaches used
at some other agencies included random screening of Federal and contractor employees and x-raying
packages and belongings.

[10] HUD, Office of the Inspector General, Office of Investigation, memorandum, Building Security Review, 5
February 2014.
[11] Homeland Security Presidential Directive 12 directed the publication of a Federal standard for secure and reliable
forms of identification for Federal and contractor employees. In response, the National Institute of Standards and
Technology developed the standard, FIPS PUB 201-2: Personal Identity Verification (PIV) of Federal Employees
and Contractors.

Physical Security Policies, Processes, and Practices Related to the Contractor
Employees

In addition to the issues and risks identified in previous reviews of physical security at HUD
headquarters, we identified other potential vulnerabilities through interviews with program and
administrative office personnel.

Mechanisms in place to prohibit visitor access to the facility by contractor employees who had previously
been deemed unsuitable or unfit or removed from a contract were potentially ineffective. In instances in
which a contractor employee had been removed from headquarters by security officers at the request of
PSD or the program or administrative office, the Facilities and Services Branch issued a memorandum to
security guards. This notice included a photograph of the individual to inform them that the individual
was not allowed in the building. Information on the individual was also entered into the Visitor
Management System, the information technology system used by security guards to track physical access.
When a banned individual attempted to sign into the building, the Visitor Management System flagged the
individual and sometimes provided additional information, such as what to do or whom to call. However,
if PSD informed an administrative or program office that an individual was no longer allowed to work on
a contract but there was no need to physically remove the contractor from the building (either because the
contractor was not in the headquarters building at the time or worked offsite), the Facilities and Services
Branch would be unaware of the fact unless the GTR or GTM provided it written notification. If the
Facilities and Services Branch did not receive notification from the GTR or GTM, the information on the
contractor employee would not be entered into the Visitor Management System.

The Facilities and Services Branch did not effectively implement policies meant to limit the number of
times a contractor employee could be signed into the building by a representative of the program or
administrative office without a PIV card. PSD had requested that contractor employees without a PIV
card not be allowed to be signed into the building more than three times. The Facilities and Services
Branch implemented this policy by requesting an explanation in writing from the GTR or GTM before
allowing the contractor employee to be signed in after the third time. However, the Facilities and
Services Branch said that the Visitor Management System did not flag frequent visitors to the building so
it was incumbent on the security officers to view the individual’s history in the System. In addition,
visitors did not always identify themselves as contractor employees. Therefore, it was unclear how
effectively the rule could be enforced. Further, the Facilities and Services Branch did not notify PSD
when contractor employees were signed into the building frequently; thus PSD was unaware of how the
rule was implemented. OCPO was unaware of the rule.

The Facilities and Services Branch could not ensure that contractor employees who had not received their
PIV cards were escorted while in the building. Individuals we interviewed told us that they sometimes
observed individuals with temporary contractor employee badges (and other visitors with temporary
badges) in the building without an escort. Some interviewees reported that they did not feel safe at HUD
as a result.




Due to budget constraints, the Facilities and Services Branch had been unable to update equipment,
systems and software to track patterns of visitor and contractor employee entry and ensure appropriate
access to the facilities. Facilities and Services Branch officials stated that they were unable to address
previous Office of Inspector General recommendations due to a lack of resources. Through the security
council, the Office of Administration was working with the Chief Information Officer, the Chief
Operating Officer, and the Chief Financial Officer to establish a working capital fund for security and to
include funds for new equipment, such as updated magnetometers, in the budget.

Conclusions
HUD’s physical security was vulnerable to the risk of contractor employees inappropriately accessing
facilities and contractor and other employees entering headquarters with weapons or other prohibited
items. As a result of lax screening procedures and physical access controls, as well as the Facilities and
Services Branch’s inability to update information technology systems and equipment, some staff
members from both program and administrative offices were concerned that they were not adequately
protected in the workplace.

Recommendations
5A. The Chief Operating Officer should review physical security issues, risks, the U.S. Department of
Homeland Security’s recommendations, and resource implications and provide direction to relevant
offices in HUD for coordinated policies, processes, and practices. This process should include
reexamining the feasibility of physically screening individuals who have been issued PIV cards when
they enter the headquarters building.

Management Response and Contractor Analysis
HUD did not provide comments on Observation 5.




Scope and Methodology
Our evaluation focused on HUD policies, processes, and practices related to personnel, physical, and
information security for the contractor employees at HUD headquarters. We used OPM policies and
guidelines for contractor and Federal employees[12] as well as policies and guidelines of other Federal
agencies to identify and document gaps in policies, processes, and practices. We coordinated with
Office of Evaluation staff involved with information security to exchange information and avoid
duplication. While the scope of this evaluation was limited to the contractor employees, our
observations had implications for security as it related to HUD employees.

To accomplish our objectives, we carried out the following activities:

        • Identified and reviewed past studies, reports, and testimonies to gain an understanding and
          historical perspective of HUD security functions and challenges.
        • Interviewed individuals with security roles and responsibilities related to the contractor
          employees, including officials in
             o OCHCO and PSD;
             o OCPO;
             o The Facilities and Services Branch in the Office of Administration, which was
                  responsible for headquarters physical security;
             o OCIO, which was responsible for information security; and
             o Program offices, such as Ginnie Mae and the Offices of Public and Indian Housing and
                  Community Planning and Development.
        • Interviewed the director of information and personnel security at the U.S. Department of
          Commerce to learn about best practices that could be adapted by PSD.
        • Obtained and reviewed PSD, Facilities and Services Branch, OCIO, and OCPO policies,
          guidelines, and training materials.
        • Conducted discussion groups with GTRs, GTMs, and CORs to understand specific roles and
          responsibilities as well as challenges.
        • Reviewed security policies and guidelines of selected Federal agencies (the U.S. Departments of
          Commerce, Homeland Security, and Veterans Affairs and the Federal Deposit Insurance
          Corporation) and conducted a comparative analysis to identify policies and procedures that HUD
          could use to strengthen personnel security for contractor employees.
        • Reviewed Federal regulations, policies, guidelines, and presidential directives, including 5 CFR
          731.203; Homeland Security Presidential Directive 12; and OPM’s Introduction on Credentialing,
          Suitability, and Security Clearance Decision-Making Guide.
        • Conducted a gap analysis to identify weaknesses and vulnerabilities in HUD policies and
          procedures.
        • Examined selected PSD files of contractor employee cases to determine strengths, weaknesses,
          and vulnerabilities in the personnel security process.


[12] OPM policies and guidelines do not address every phase of the contractor employee personnel security process, or
issues specific to contractor employees. However, where policies and guidance for contractor employees were
lacking, we used OPM policies for Federal employees as a baseline.

Our study was limited in content and scope by the information provided by HUD offices, as well as
previous reviews and other information provided by the HUD Office of Inspector General and other
Federal agencies. PSD had not developed performance goals for fiscal year 2016. We were unable to
identify physical security policies or validate data provided by PSD, including status updates provided by
OCHCO in comments (see Appendix B) to the final draft of this report.

We performed the evaluation from April 2015 through January 2016 at HUD headquarters in
Washington, DC. We performed work in accordance with the Council of the Inspectors General on
Integrity and Efficiency Quality Standards for Inspection and Evaluation, January 2012.




Appendixes
Appendix A

           Status of Systemic Implications Report Recommendations [13]

Recommendation 1: OCHCO should develop and implement policies, procedures,
                  and regulations.

     OCHCO Response on June 19, 2013
        • Develop a Handbook.
        • Develop and implement a Policy for Indebtedness Issues and for
          Making Suitability Determinations.
     Completed as of November 2015
        • Indebtedness policy was signed and issued.
     Not Completed as of November 2015
        • Handbook draft was submitted to OCHCO for review in March
          2015; it was revised and as of date of this report, the policy
          Handbook is still under review.
        • Suitability determination policy was under review.

Recommendation 2: Develop and implement an effective and timely case
                  management process for bringing someone on board.

     OCHCO Response on June 19, 2013
        • Hold biweekly on-the-job training and quality review sessions.
        • Assure adequate training for staff – attend OPM Suitability
          Adjudication Training.
     Completed as of November 2015
        • The PSD director held periodic training sessions as needed.
        • The specialist in charge of contractor employees held quality
          review sessions, and the PSD director provided quality review for
          selected cases.
        • The PSD director served as final reviewer and decision maker for
          complex cases.
     Not Completed as of November 2015
        • Few staff members received OPM training due to unavailability of
          training funds. PSD planned to train two additional staff members.

Recommendation 3: Develop and implement an effective case management
                  system for timely review and suitability adjudications.

     OCHCO Response on June 19, 2013
        • Implement internal policy to improve timeliness of adjudication of
          background investigations.
        • Establish performance goals for PSD.
        • Provide training to reduce deficient cases returned by OPM.
     Completed as of November 2015
        • Adjudication backlog was down from 3,000 to 900 in 2013, had
          gone back up to 1,500 in 2014, and was about 650.
        • FY 2015 goals were developed but did not meet Federal timeliness
          standards.
     Not Completed as of November 2015
        • OPM’s goal was 90 days; PSD’s average was 360 days.
        • FY 2016 performance goals had not been developed.
        • Case management was primarily a paper-based system. Funding
          for a new case management system was approved, and PSD was
          identifying system requirements.



[13] In comments on a draft of this report, OCHCO provided additional status updates on progress made in implementing
responses to OIG’s recommendations. See Appendix B.

Appendix B


      Office of Chief Human Capital Officer Comments



