NSF Could Strengthen Key Controls Over Electronic Records Management

Published by the National Science Foundation, Office of Inspector General on 2017-07-06.

July 6, 2017
OIG 17-2-009
AT A GLANCE
WHY WE DID THIS AUDIT
We conducted this audit to determine whether NSF is compliant with applicable standards for preserving
electronic messages as Federal records and if NSF has responded to congressional requests for information. This
audit responds to a request from Ranking Member McCaskill and Senator Carper of the U.S. Senate Committee
on Homeland Security and Government Affairs.
WHAT WE FOUND
NSF has controls in place for managing certain electronic records. For example, it developed a Capstone email
policy to permanently preserve select senior officials’ email and chat records. It also has issued policies related to
the appropriate use of information technology and social media and NSF will adopt NARA’s general record
schedule for social media once finalized. However, NARA has not yet approved NSF’s Capstone email policy,
and NSF is exploring solutions to capture text and social media messages.
NSF has also not finalized its guidance related to the use of smartphone applications that support encryption or
the automatic deletion of messages for work-related communications, although it has been working to complete
the guidance since NARA issued its memo on this topic in March 2017. NSF has the capability to monitor the
download of smartphone applications on NSF-owned mobile devices, but it does not actively monitor downloads;
instead it provides policies on expected behavior. This allowed some NSF employees to download smartphone
applications that support encryption or automatic deletion of messages without consulting required officials.
NSF has taken steps to strengthen its records management, such as by planning on updating its records
management training by August 2017 and addressing prior Government Accountability Office records
management recommendations. However, without having a NARA-approved Capstone policy, capturing text and
social media messages, or monitoring the use of smartphone applications, NSF cannot ensure it is complying with
Federal requirements and guidance for electronic records management.
The evidence we examined did not suggest that any NSF or NSB official was asked to delay or withhold
responses to congressional requests for information, or any NSF or NSB officials directed or advised any NSF or
congressional staff that NSF will only provide information to a committee chair. Therefore, we did not continue
our inquiry in this area.
WHAT WE RECOMMEND
We made five recommendations to strengthen NSF’s compliance with electronic records management.
AGENCY RESPONSE AND OIG EVALUATION
NSF is reviewing the findings and recommendations. NSF noted that agencies, not NARA, identify Capstone
accounts. However, NSF should continue to work with NARA to obtain an approved Capstone policy.
FOR FURTHER INFORMATION, CONTACT US AT (703) 292-7100 OR OIG@NSF.GOV.
MEMORANDUM

DATE:                 July 6, 2017

TO:                   Joanne Tornow
                      Head
                      Office of Information and Resource Management

                      Amanda Hallberg Greenwell
                      Head
                      Office of Legislative and Public Affairs


FROM:                 Mark Bell
                      Assistant Inspector General
                      Office of Audits

SUBJECT:              Final Report No. 17-2-009, NSF Could Strengthen Key Controls over Electronic
                      Records Management

Attached is the final report on the subject audit. We have included NSF’s response to the draft report as
an appendix.

This report contains five recommendations to strengthen NSF’s oversight over the retention of electronic
records. NSF responded that it will engage us to respond to the final report. In accordance with OMB
Circular A-50, Audit Followup, please provide our office with a written corrective action plan to address
the report’s recommendations. In addressing the report’s recommendations, the corrective action plan
should detail specific actions and associated milestone dates. Please provide the action plan within 60
calendar days of the date of this report.

We appreciate the courtesies and assistance NSF staff provided during the audit. If you have questions,
please contact Elizabeth Goebels, Director, Performance Audits, at (703) 292-7100.

 cc: Christina Sarris                Dorothy Aronson                 Peggy Hoyle
     Allison Lerner                  Ann Bushmiller                  Maxine Hynson
     Marie Maguire                   Donna Butler                    Javier Inclan
     Elizabeth Goebels               Dianne Campbell                 Kris McFail
     Wendell Reid                    Aya Collins                     Karen Pearce
     Elizabeth Argeris               Joan Ferrini-Mundy              Erika Rissi
     Brian Gallagher                 Fae Korsmo                      Lawrence Rudolph
     Vashti Young                    Wonzie Gardner                  Sanya Spencer
     Emily Woodruff                  Peggy Gartner                   John Veysey
     John Anderson                   Daniel Hofherr                  Mark Wilson
     Maria Zuber                     Karen Scott
TABLE OF CONTENTS
Background
Results of Audit
  NSF Could Strengthen Key Controls over Electronic Records Management
  NSF Does Not Have Guidance for and Does Not Actively Monitor Download of Smartphone Applications That Support Encryption or the Automatic Deletion of Messages
  OIG and Government Accountability Office Work Related to Electronic Records Management
  Other Matter: NSF’s Responses to Congressional Requests
Recommendations
OIG Evaluation of Agency Response
Appendix A: Agency Response
Appendix B: Objectives, Scope, and Methodology
Appendix C: Request from U.S. Senate Committee on Homeland Security and Government Affairs
Appendix D: OIG Staff Acknowledgments


ABBREVIATIONS
GAO                    Government Accountability Office
IT                     information technology
NARA                   U.S. National Archives and Records Administration
NSB                    National Science Board
OIRM                   Office of Information and Resource Management
OLPA                   Office of Legislative and Public Affairs
Background
The National Science Foundation is an independent Federal agency created by Congress in 1950 to
“promote the progress of science; to advance the national health, prosperity, and welfare; and to secure
the national defense….” NSF supports basic research and people to create knowledge that transforms the
future, and is currently headquartered in Arlington, Virginia.

Records Management of Electronic Messages

The Federal Records Act defines Federal records as any material that is recorded, made, or received in
the course of Federal business, regardless of its form or characteristics, and is preserved or worthy of
preservation because it evidences “the organization, functions, policies, decisions, procedures,
operations, or other activities of the United States Government or because of [its] informational value.” 1
Managing Federal business records is an important responsibility of Federal agencies, which are
required to institute records management programs. The U.S. National Archives and Records
Administration (NARA) is authorized to promulgate regulations for Federal records.

In 2014, Congress amended the Presidential Records Act and the Federal Records Act regarding the
preservation, storage, and management of Federal records. NARA also provided Federal agencies with
specific guidance on July 29, 2015, on how to comply with Federal law regarding the preservation of
electronic messages in Bulletin 2015-02, Guidance on Managing Electronic Records. There are
additional requirements to manage records created or sent in nonofficial and personal electronic message
accounts. 2

On March 15, 2017, NARA issued a memo to senior agency officials for records management that
addressed, among other things, electronic messaging and encrypted messages. The memo stated that
“agencies are responsible for properly managing electronic messages that are Federal records whether
they are SMS texts, encrypted communications, direct messages on social media platforms, email or
created on any other type of electronic messaging system or account.” 3

Audit Purpose

The overall objectives of this performance audit were to determine whether NSF is compliant with
applicable standards for preserving electronic messages as Federal records and to determine if NSF has
responded to congressional requests for information. This audit responds to a request from Ranking
Member McCaskill and Senator Carper of the U.S. Senate Committee on Homeland Security and
Government Affairs, dated June 8, 2017. The request is included in its entirety in Appendix C.




1  44 U.S.C. § 3301(a)
2  44 U.S.C. § 2911(a)
3  Records Management Priorities for 2017, March 15, 2017



Results of Audit
NSF has controls in place for managing certain electronic records. For example, it developed its
Capstone Officials Email Records Management Policy to permanently preserve the email and chat
records of 20 of its senior officials, and has issued guidance on the appropriate use of information
technology (IT) and social media. However, NARA has not yet approved NSF’s Capstone policy due to
an issue surrounding Capstone official requirements. As of June 2017, NSF is exploring solutions to
capture text messages, but does not have policies, procedures, or tools to retain them. NSF also has
issued policies for the use of social media by NSF employees in the course of their employment and
personal use and will adopt NARA’s general record schedule once finalized by NARA, but it does not
have tools to preserve social media messages.

NSF has also not finalized its guidance related to the use of smartphone applications that support
encryption or the automatic deletion of messages after they are read or sent for work-related
communications, although NSF has informed us it has been working to produce such guidance since
NARA issued its memo on this topic in March 2017. NSF has the capability to monitor the use of
smartphone applications on NSF-owned mobile devices, but does not actively monitor their use.
According to the Head of the Office of Information and Resource Management (OIRM), NSF’s general
approach is not to monitor staff’s use of certain applications, but to set out policies on expected
behavior. As a result, some NSF employees downloaded smartphone applications that support
encryption or automatic deletion of messages without consulting the appropriate records management
and legal officials as required by NARA.

NSF has taken steps to strengthen its records management, such as by planning on updating its records
management training by August 2017 and completing all corrective actions to address prior Government
Accountability Office (GAO) records management recommendations. However, without having a
NARA-approved Capstone policy, capturing text and social media messages, or monitoring the use of
smartphone applications, NSF cannot ensure it is complying with Federal requirements for electronic
records management.

NSF Could Strengthen Key Controls over Electronic Records Management
NSF has designed controls over managing electronic records, such as its Capstone Officials Email
Records Management Policy, although NARA has not yet approved that policy due to an issue
surrounding Capstone official requirements. In addition, while NSF is exploring solutions, it does not
yet have tools to retain text messages or social media messages. However, without having a
NARA-approved Capstone policy or capturing text and social media messages, NSF cannot ensure it is
complying with Federal requirements for electronic records management.




NSF Has Issued a Capstone Email Policy, But Has Not Yet Received NARA Approval

Issued in August 2013, NARA Bulletin 2013-02 provides agencies with a new records management
approach, known as “Capstone,” for managing their Federal record emails electronically. 4 The Bulletin
discusses the considerations that agencies should review if they choose to implement the Capstone
approach to manage their email records. According to the Bulletin, “[t]he Capstone approach allows for
the capture of records that should be preserved as permanent from the accounts of officials at or near the
top of an agency or an organizational subcomponent.” 5

NSF developed its Capstone Officials Email Records Management Policy, effective December 31, 2016,
to permanently preserve the email and chat records of 20 of its senior Foundation officials. NSF defines
email records as “email messages with attachments, calendar appointments, tasks, and chat transcripts
created and received in the same system as email message.” In addition, NSF captures Skype for
Business chat and instant messages and Voicemail messages through its permanent email records.
Transcripts of the Skype for Business conversations are integrated with NSF’s email system.

Agencies submit the Capstone NARA form 1005 (NA-1005), Verification for Implementing GRS 6.1, to
NARA for approval of their Capstone officials. According to NARA guidance, Capstone officials “must
include, when applicable: … General Counsel, … and additional roles and positions that predominantly
create permanent records related to … policy decisions….” 6 [Emphasis in original.] NSF, however, did
not include its General Counsel on its list of Capstone officials. The NARA appraisal archivist who
works with NSF on records scheduling notified OIG on June 15, 2017, that, due to “an internal issue
surrounding ‘Capstone Official Requirements,’ NSF’s submission has not been approved and is
scheduled to be withdrawn.”

The Capstone approach supports the Presidential Memorandum on Managing Government Records and
allows agencies to comply with the requirement in Directive M-12-18 to “manage both permanent and
temporary email records in an accessible electronic format.” However, without a NARA-approved plan,
NSF is at risk for not properly complying with Federal policies for retaining records.

NSF Does Not Have Policies and Procedures for Retaining Text Messages But is Exploring
Solutions

According to NARA’s Records Management Priorities for 2017, issued March 15, 2017, “Agencies are
responsible for properly managing electronic messages that are Federal records,” including texts.
However, NSF does not have policies and procedures related specifically to retaining text messages or a
way to capture text messages on NSF-owned mobile devices.


4  NARA Bulletin 2013-02, Guidance on a New Approach to Managing Email Records, August 29, 2013
5  NARA Bulletin 2013-02. This Bulletin also states, “When adopting the Capstone approach, agencies must identify those
email accounts most likely to contain records that should be preserved as permanent. Agencies will determine Capstone
accounts based on their business needs. They should identify the accounts of individuals who, by virtue of their work, office,
or position, are likely to create or receive permanently valuable Federal records.”
6  General Records Schedule 6.1: Email Managed Under a Capstone Approach, issued in September 2016




According to NSF’s Senior Agency Official for Records Management FY 2015 Annual Report, “NSF is
still exploring technical solutions to capture … text.” NSF’s Senior Agency Official for Records
Management told us NSF does not have any tools available to capture an individual’s text messages or
other media not managed by NSF. Without a method to retain text messages, NSF risks not complying
with Federal electronic record requirements.

NSF Has Issued Policies for Social Media Use, But Does Not Have Tools for Preservation of Social
Media Messages

According to NARA Bulletin 2014-02, “[t]he use of social media [such as Facebook and Twitter] may
create Federal records that must be captured and managed in compliance with Federal records
management laws, regulations, and policies.” The bulletin does not contain platform-specific social
media capture guidance. 7 As of May 2017, NARA has not finalized its general records schedule for
social media.

NSF plans to adopt NARA’s general records schedule for social media once it is finalized. In addition,
NSF issued its Policy for Social Media Use in December 2015, which describes responsibilities for
using social media on behalf of NSF. According to the policy, “[t]he laws, regulations, and policies that
govern Federal records management (including the creation, maintenance/use, and disposition of
records) also apply when creating social media on behalf of NSF. New content created with social media
tools that qualifies as a federal record must be captured and maintained consistent with NSF Records
Management policies.” 8

According to NSF’s Senior Agency Official for Records Management FY 2015 Annual Report, “[a]s
with most agencies, NSF is still exploring technical solutions to capture social media….” According to
NSF’s Senior Agency Official for Records Management, NSF does not have tools to capture social
media. On June 20, 2017, the NSF senior official said that NSF’s records schedule covers types of
information, but not the media or mode of transmission. Without a method to capture social media
messages, NSF cannot ensure it is retaining electronic records in compliance with Federal records
management laws.

NSF Has IT and Records Management Training and Guidance, But It Does Not Yet Include
Preservation of Electronic Records Created on Personal Accounts

According to NARA Bulletin 2017-01, “Agencies must incorporate the following minimum required
content areas into annual records management training: Describe how to manage record and nonrecord
materials in email, social media, and other electronic messages, including the statutory requirement that
all emails and other electronic messages constituting a record that are sent or received using a personal
or non-official account must be copied or forwarded into agency recordkeeping systems within 20 days
of creation or receipt.” 9

7  NARA Bulletin 2014-02, Guidance on managing social media records, October 25, 2013
8  NSF Bulletin No. 15-14, Policy for Social Media Use, December 14, 2015

NSF provides its policy to employees regarding the appropriate use of IT, including guidance for
personal use and the conduct of NSF business. 10 In addition, NSF’s annual IT Security and Privacy
Awareness Training covers employee responsibilities for appropriate IT use. The training materials also
inform employees that certain types of communications, such as email messages and Skype for Business
conversations, are not private and may be retained/releasable as Federal records. Each employee must
annually complete the mandatory training, then review and accept the Rules of Behavior indicating he or
she is aware of his or her responsibilities with regards to appropriate use of IT.

NSF also provides records management training, called “Records Management Training for Everyone,”
to provide an overview of NSF’s records management processes and procedures including how to
properly maintain and dispose of NSF records. However, as of June 2017, the records management
training does not meet NARA’s minimum requirement content areas. For example, the training does not
address NARA’s statutory requirement that all emails and other electronic messages constituting a
record that are sent or received using a personal or non-official account must be copied or forwarded
into agency recordkeeping systems within 20 days of creation or receipt. NSF indicated as part of our
last inspection that it is updating the training, which should be ready in August 2017. Such training will
help ensure staff are aware of NARA requirements for preserving electronic records created on personal
accounts.

NSF Does Not Have Guidance for and Does Not Actively Monitor Download of
Smartphone Applications That Support Encryption or the Automatic Deletion of
Messages
NSF has not finalized its guidance related to the use of smartphone applications that support encryption
or the ability to automatically delete messages after they are read or sent for work-related
communications. The NARA memo requiring the creation of this guidance was issued in March 2017,
only 3 months prior to our fieldwork. In addition, NSF has the capability to monitor download of
smartphone applications on NSF-owned mobile devices, but does not actively monitor downloads;
instead, according to the Head of OIRM, NSF’s general approach is not to monitor staff’s use of certain
applications, but to set out policies on expected behavior. This allowed some NSF employees to
download such smartphone applications without consulting the appropriate records management and
legal officials. Without providing guidance or consistent monitoring, NSF cannot be assured that staff
are complying with NARA requirements for electronic message retention.




9  NARA Bulletin 2017-01, Agency Records Management Training Requirements, November 29, 2016
10  NSF Bulletin 13-06, Personal Use Policy for NSF Technology and Communication Resources, April 17, 2013; NSF
Bulletin 13-05, Mobile Communications Devices, April 17, 2013; and NSF Bulletin 15-14, Policy for Social Media Use,
December 14, 2015.




NSF Did Not Issue Guidance Related to the Use of Smartphone Applications That Support
Encryption or the Ability to Automatically Delete Messages

According to NARA’s Records Management Priorities for 2017, issued March 15, 2017, use of
applications that support encryption or the ability to automatically delete messages would require
coordination with the agency’s legal counsel and records management official to ensure compliance
with the Federal Records Act and related regulations. Agencies are responsible for setting policies and
procedures that govern the use of these applications prior to their deployment and must take steps to
manage and preserve records created through their use for as long as required.

NSF has issued no guidance related to the use of smartphone applications that support encryption or the
ability to automatically delete messages after they are read or sent for work-related communications.
NSF also does not provide training on the use of such smartphone applications, and it does not monitor
the downloading of such applications.

According to the Head of OIRM, NSF has been working on creating guidance on the use of smartphone
applications since the NARA guidance’s issuance. Because NARA issued the guidance in March 2017,
the Foundation had not finalized the guidance at the time of our fieldwork, which was only 3 months
later; in addition, NARA did not specify a mandated implementation date in its guidance.

NSF Has the Capability to Monitor the Download of Smartphone Applications, But Does Not
Actively Monitor Downloads

NSF established a Mobile Device Services initiative to enroll approved smartphones and tablets in
AirWatch, a mobile device management software. AirWatch provides NSF the capability to centrally
control its mobile devices. Administrators can see how many devices are enrolled in the mobile device
management software; which type of device (iOS or Android) is enrolled; which operating system
version is running; whether the device is in compliance, such as if it has a password; whether the device
is NSF-owned; and what applications are installed on the enrolled devices.

We observed an IT administrator using the AirWatch administrative console and saw that he could run
more than 100 reports to show additional information, such as the Active Inactive Users By Location
report, as well as create custom reports. However, the administrator noted that reports were not run on a
regular basis. AirWatch also provides the capability of blocking and approving applications to be
installed on NSF mobile devices, but as of June 2017, those features are not enabled at NSF. According
to the Head of OIRM, NSF’s general approach is not to monitor staff’s use of certain applications, but to
set out policies on expected behavior.

NSF could strengthen information system controls by either blocking applications it deems
untrustworthy or allowing the use of only approved applications that it deems trustworthy and in line
with its mission. NSF has an application approval process for its laptop and desktop computers, but it
could provide a similar guide for mobile devices.




Some NSF Employees Downloaded Smartphone Applications That Support Encryption or the
Ability to Automatically Delete Messages

As of June 19, 2017, 21 NSF employees, including one Foundation official, 11 had downloaded
WhatsApp, a messaging application which supports encryption, on their NSF-owned mobile devices. 12
In addition, three NSF employees had downloaded Signal, an application that supports the ability to
automatically delete messages, on their NSF-owned devices. We found that no NSF employees
downloaded Confide, which also supports the ability to automatically delete messages, on their
NSF-owned mobile devices.

Staff with whom we spoke who downloaded WhatsApp or Signal 13 told us they had not consulted legal
counsel or the records management official prior to doing so because they were not aware that was a
requirement, as NSF has not yet issued guidance on such smartphone applications. NSF’s Senior
Agency Official for Records Management and General Counsel also told us they had not been contacted
by staff requesting to download the applications.

Staff told us they downloaded WhatsApp to communicate internationally for both personal and
work-related communications because the application does not need cell phone towers to make calls; instead,
users can use the Internet to make calls or send messages. Staff who downloaded Signal told us they
viewed it as a messaging application alternative to iMessage and were not planning on using it, nor did
they ever use it, for work-related communications.

Without providing guidance or consistent monitoring, NSF cannot be assured that staff are complying
with NARA requirements for electronic message retention.

OIG and Government Accountability Office Work Related to Electronic Records
Management
In the past 10 years, we have not issued any recommendations related to records management, but as of
June 2017, we have one ongoing inspection related to records management. Once issued, our inspection
report will include several recommendations to NSF. For example, we will recommend NSF update its
records management training to meet all minimum content areas required by NARA, such as describing
how and where to store agency records; how to manage records and nonrecord materials in email, social
media, and other electronic records; and what to do with record and nonrecord materials when an
employee leaves the agency. We also will recommend NSF require all staff take records management
training, which, at the time of our fieldwork, NSF did not make mandatory for all NSF staff.




11  We defined “Foundation official” as staff at the Assistant Director level and Office Head level and above.
12  NSF-owned devices include approved mobile devices, including iPhones and iPads, and are not limited to smartphones.
13  We met with a judgmental sample of eight employees who downloaded WhatsApp; we met with all three staff members
who downloaded Signal.




As part of that inspection, we reviewed NSF’s compliance with GAO’s May 2015 recommendations
related to records management 14 and determined all recommendations had been addressed. In its report,
GAO evaluated NSF’s implementation of the Managing Government Records Directive, issued by
NARA and OMB in 2012. The directive sets goals for Federal agencies to meet as an effort to address a
2011 Presidential memorandum on managing government records. Furthermore, the Directive required
agencies to establish a records management framework, eliminate paper, and use electronic
recordkeeping by December 31, 2019.

Based on its review, GAO reported that NSF required additional work to implement the NARA and
OMB directive. GAO recommended that the Director of NSF take the following four actions:

    1. Establish a date by which the agency will complete, and then report to NARA, its plans for
       managing permanent records electronically.
    2. Establish a date by which the agency will complete, and then report to NARA on, its progress
       toward managing permanent and temporary e-mail records in an electronic format.
    3. Report to NARA on the identification of its permanent records in existence for 30 years or more,
       to include when no such records exist.
    4. Complete the identification of unscheduled records stored at agency records storage facilities.

We reviewed NSF’s actions to address GAO’s recommendations and found that NSF had met the
requirements. To address GAO’s recommendations, NSF took the following steps:

    1. Submitted a plan to NARA that identified when NSF would implement an electronic records
       management system and digitize hard copy records.
    2. Established and met the target date for implementation of a new email Capstone policy, allowing
       the agency to manage permanent and temporary e-mail records in an electronic system.
    3. Sent a letter to NARA stating it does not have permanent records in existence for 30 years or
       more.
    4. Conducted a review of records stored at facilities and sent a report to NARA.

In March 2017, GAO determined that NSF has taken corrective action to address the recommendations
and now considers the recommendations closed.

Other Matter: NSF’s Responses to Congressional Requests
In order to better understand NSF’s compliance with Federal laws governing records retention and
responsiveness to congressional requests for information, Ranking Member McCaskill and Senator
Carper of the U.S. Senate Committee on Homeland Security and Governmental Affairs asked us to
conduct a review and provide a written response to its questions. 15 In response to that request, we
conducted fieldwork related to NSF’s responsiveness to congressional requests during the period from
July 1, 2016, to June 13, 2017. As a result of that fieldwork, no information came to our attention to
indicate that:

       •    any Foundation or National Science Board (NSB) official directed or advised any agency
            employee to delay or withhold a response to a congressional request for information; and
       •    any Foundation or NSB official directed or advised any agency employee or congressional staff
            member that NSF will only provide requested documents or information to a Committee chair.

14 GAO-15-339, Additional Actions Are Needed to Meet Requirements of the Managing Government Records
   Directive, May 14, 2015
15 We have included the request in its entirety in Appendix D.

We found that NSF has internal controls for responding to and tracking congressional requests for
information. Finally, we have not issued any prior recommendations related to responding to
congressional requests for information.

No Evidence Suggests That NSF or NSB Officials Were Asked to Delay or Withhold Responses to
Congressional Requests for Information

In their request, Ranking Member McCaskill and Senator Carper expressed concern over newly-
implemented policies that “may also run afoul of several laws that prohibit interference with federal
employees’ ability to communicate with Congress, including, but not limited to the Whistleblower
Protection Enhancement Act, Section 713 of the Consolidated Appropriations Act of 2016, as well as 5
U.S.C. § 7211 [Employees’ Right to Petition Congress].” Specifically, according to 5 U.S.C. § 7211,
“[t]he right of employees, individually or collectively, to petition Congress or a Member of Congress, or
to furnish information to either House of Congress, or to a committee or Member thereof, may not be
interfered with or denied.”

After reviewing Federal and NSF criteria and deciding upon a review period spanning the current and
previous presidential administrations (July 1, 2016, through June 13, 2017), we sent questions by email
to 14 staff members in OLPA, 16 whose responsibilities include, but are not limited to, congressional
affairs and public affairs. None of these employees reported that a Foundation official asked them to
delay or withhold a response to a congressional request for information. We also sent questions by email
to all senior officials at the Assistant Director level and Office Head level and above, including the Head
of OIRM and NSF’s General Counsel, as well as to NSB senior officials. All of the Foundation officials
responded that they had not requested information be delayed or withheld. In addition, we interviewed
the president of NSF’s union, who told us he had not heard any complaints from staff that responses to
Congress were being delayed. Our Office of Investigations staff also informed us that it had received no
complaints about responses to Congress being delayed and had not conducted any investigations of such
a complaint. Based on these efforts, we found no evidence to suggest that during the period we
examined any Foundation or NSB official directed or advised any agency employee to delay or withhold
a response to a congressional request for information.

We also reviewed NSF’s congressional log — in which NSF tracks the name of the requestor, date
requested, date due, and date completed of congressional requests — for the period of July 1, 2016, to
June 13, 2017, and noted delays in responses to congressional requests from both parties during both
President Trump’s and President Obama’s administrations. Officials told us that the due dates in the
system are sometimes imposed by NSF, and not requested by Congress. In addition, although the log
does not reflect the basis for the delays, NSF officials stated that responses to some requests were
delayed because of staff turnover, competing priorities, workload issues, or the sensitive nature of the
request; for example, some responses required multiple layers of review, which created a delay in
response time. Based on the foregoing, we did not find any reason to continue our inquiry in this area.

16 One of the 14 OLPA staff members was sent an email but did not respond as he retired on June 21, 2017.

No Evidence Suggests That NSF and NSB Officials Directed or Advised NSF or Congressional
Staff That NSF Will Only Provide Information to a Committee Chair

As part of our review of NSF’s congressional log, we found NSF responded both to minority and
majority requests for the period of July 1, 2016, to June 13, 2017. In addition, in response to our request,
all senior officials at the Assistant Director level and Office Head level and above, including the Head of
OIRM and NSF’s General Counsel; senior NSB officials; and OLPA staff, including staff in
Congressional Affairs, responded that they had not requested information to only go to a Committee
chair. The president of NSF’s union also told us that he was not aware of anyone being asked to only
send information if requested by a Committee chair. In addition, our Office of Investigations informed
us it had received no complaints and had not conducted any investigations related to staff being advised
to only provide information to a Committee chair. Further, the Head of OLPA stated NSF will continue
its practice of responding to both the majority and minority. Based on these efforts, we found no
evidence to suggest that between July 1, 2016, and June 13, 2017, any Foundation or NSB official
directed or advised any agency employee or congressional staff member that NSF will only provide
requested documents or information to a Committee chair. Accordingly, we did not find any reason to
continue our inquiry in this area.

NSF Has Internal Controls for Congressional Requests for Information

NSF has internal controls for responding to and tracking congressional requests for information. For
example, NSF has developed a Correspondence Preparation Guide, dated November 2014. The guide
includes OLPA’s policies and procedures for responding to committee chairs as well as individual
members. The guide does not direct staff to only send documents/information to a committee chair.
Further, the guide explains that NSF has a tracking system for congressional requests. If a response is
going to be late, OLPA is to contact the congressional office and negotiate a revised date. In addition,
OLPA created a correspondence flow document that explains how NSF staff are to handle congressional
requests, and according to the Office Head of OLPA, it conducts outreach to NSF Directorates so they
know to contact the OLPA office with any congressional requests. However, an official told us that a
Directorate may respond directly to congressional staff on an informal email.

As previously discussed, NSF has developed a congressional tracking log to track the status of
congressional requests. NSF provided us with the tracking log for the time period we requested,
including information on overdue requests. However, an OLPA official stated that not all congressional
requests for information, such as quick emails or phone calls, would appear on the log. In addition, OIG
and the NSB do not respond to congressional requests through OLPA; therefore, requests sent to these
two offices are not included in NSF’s congressional log.



According to OLPA, NSF has a performance metric of responding to congressional requests within 10
days, even if Congress has not set a deadline. However, OLPA officials told us
that sometimes the 10 days is not realistic; for example, requests related to personnel are sensitive and
may take longer than 10 days to process. In addition, OLPA staff are sometimes late in entering
completion dates and enter the date they entered the information in the log rather than the date the
response to the request was actually completed.

Recommendations
We recommend the Head of OIRM:

     1. Update NSF’s Capstone Officials Email Records Management Policy to ensure it meets NARA
        requirements.

     2. Develop policies, procedures, and controls to capture and retain work-related text messages,
        social media posts, and electronic records created on government and non-government accounts
        to meet NARA requirements.

     3. Finish updating training to cover all NARA-required elements, including the handling of
        electronic records created on non-government accounts.

     4. Develop policies and procedures related to downloading smartphone applications, including
        applications that encrypt emails or automatically delete messages or emails, on NSF-issued
        mobile devices, as required by NARA guidance.

     5. Actively monitor application downloads on NSF-issued mobile devices.

OIG Evaluation of Agency Response
NSF responded that it is reviewing OIG’s findings and recommendations. NSF provided background on
the development of its Capstone policy and noted that NSF’s General Counsel determined that agencies,
not NARA, have the authority to determine which positions would constitute Capstone accounts based
on their business needs. However, as mentioned in our report, NARA has not approved NSF’s Capstone
policy. Although we do not take a position regarding NSF’s interpretation of NARA policy, we believe
NSF should continue to work with NARA, the approving agency for this requirement, to obtain an
approved Capstone policy.

We have included NSF’s response to this report in its entirety as Appendix A.




Appendix A: Agency Response




Appendix B: Objectives, Scope, and Methodology
The overall objectives of this performance audit were to determine whether NSF is compliant with
applicable standards for preserving electronic messages as Federal records and to determine if NSF has
responded to congressional requests for information. This audit responds to a request from Ranking
Member McCaskill and Senator Carper of the U.S. Senate Committee on Homeland Security and
Government Affairs, dated June 8, 2017. The request is included in its entirety in Appendix C. Our
scope included NSF policies, procedures, and processes in effect from July 1, 2016, through June 13,
2017.

To complete our objectives, we reviewed NARA guidance and NSF policies and procedures related to
electronic records; searched NSF employees’ NSF-owned mobile devices for the WhatsApp, Signal, and
Confide applications, which support the encryption or automatic deletion of messages; interviewed NSF
staff with these applications downloaded on their NSF-owned mobile devices; interviewed records
management, social media, and IT employees, including senior officials; and discussed NARA
requirements with NARA officials.

Through interviews with NSF staff and review of documentation, we obtained an understanding of
controls over responding to requests and electronic records management. We identified some internal
control deficiencies related to electronic records management, which we discuss in our findings. We did
not identify any instances of fraud, illegal acts, or abuse. We identified instances of noncompliance with
NARA guidance and requirements, as discussed in our audit findings.

For our review of electronic records, NSF provided us with a list of application downloads on NSF-
owned mobile devices. We ran only limited tests to validate the accuracy of the list. For example, we
compared the NSF application download list to the list of mobile devices on the April 2017 vendor
invoice for NSF devices. By completing this test, we were able to determine that NSF’s application
download list included staff who had incorrectly coded their own personal phone as an NSF-owned
mobile device. However, due to time constraints, we did not conduct any additional testing to validate
the NSF-provided list. As a result, we cannot independently confirm that the list provided by NSF
includes all staff with WhatsApp, Confide, or Signal on their NSF-owned mobile devices. However, we
interviewed the 3 NSF staff with Signal on their NSF phone and a judgmental sample of 8 of the 21 staff
with WhatsApp on their NSF-owned mobile devices and confirmed that they did have the application.

Regarding congressional requests for information, we reviewed Federal criteria and NSF policies and
procedures to understand the rules governing the cooperation with congressional document requests and
electronic messages. We reviewed NSF’s records of congressional requests and surveyed OLPA staff on
whether they were directed to delay or withhold a response to a congressional request or only respond to
a Committee Chair as per the U.S. Senate Committee’s June 8, 2017 inquiry. We sent questions by
email to Foundation senior officials, including the Head of OIRM and NSF’s General Counsel, to
determine whether they had directed staff to delay or withhold responses to congressional requests for
information or only send responses to a Committee chair. We also met with NSF’s union president
to ask whether he had heard any complaints from staff about being asked to delay a response to such
requests or only send responses to a Committee chair. Our Office of Investigations staff conducted
research to determine if it had received or investigated any complaints about responses to Congress
being delayed or being advised to only respond to a Committee chair. Based on the responses to our
requests, we did not find any reason to continue our inquiry in this area.

During the course of this audit, we relied on information received from NSF’s congressional log for our
review of congressional requests for information. To test the data in NSF’s congressional log, we
reviewed documentation for any outstanding delays and NSF responses that were overdue by 30 days.
Based on our documentation review, we could confirm that delays did occur in responding to both the
majority and minority. However, based on our testing, the dates in the congressional log could not be
relied upon, and as such, we are not providing statistics on delays in this report.

Except for limited testing of data provided by NSF as discussed above, we conducted this performance
audit during June 2017 in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions, based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions.

We held an exit conference with NSF management on June 26, 2017.




Appendix C: Request from U.S. Senate Committee on Homeland Security
and Government Affairs




Appendix D: OIG Staff Acknowledgments
Wendell Reid, Audit Manager; Elizabeth Goebels, Director, Performance Audits; Marie Maguire,
Deputy Assistant Inspector General for Audit; Vashti Young, Senior Management Analyst; Brian
Gallagher, IT Specialist; Elizabeth Argeris, Communications Analyst; and Brittany Moon, Laura
Rainey, and Jeanette Hyatt, Independent Report Referencers, made key contributions to this report.



