Performance Audit of the Agency’s Personnel Security Program (HTML)

U.S. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION

Performance Audit of the Agency’s

Personnel Security Program

OIG REPORT NUMBER 2013-08-PSA

Performed by Williams Adley

September 15, 2014

Dear Mr. Mayo,

Williams, Adley & Company-DC, LLP performed a performance audit of the U.S. Equal Employment Opportunity Commission’s (EEOC) Personnel Security Program for calendar year 2013. The audit was performed in accordance with our Task Order No. EECIGA-UD-0-07, dated September 26, 2013. This report presents the results of the audit, and includes recommendations to help improve efficiency and effectiveness of EEOC’s Personnel Security Program.

Our audit was conducted in accordance with applicable Government Auditing Standards, 2011 revision. The audit was a performance audit, as defined by Chapter 2 of theStandards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

We appreciate the opportunity to have conducted this audit. Should you have any questions or need further assistance, please contact Charbet Duckett, Partner at (202) 371-1397.

Sincerely,

Charbet M. Duckett

Partner

EXECUTIVE SUMMARY

We conducted a performance audit of Equal Employment Opportunity Commission’s (EEOC) Personnel Security Program for calendar year 2013. Our audit was performed in accordance with generally accepted Government Auditing Standards. Accordingly, our audit included examining, on a test basis, evidence about EEOC’s compliance with Title 5 of the Code of Federal Regulations (CFR) Part 731 and 32 CFR Part 2001 and performing such other procedures as we considered necessary.

Overall the objective of this audit was to ensure that EEOC has implemented a Personnel Security Program that adheres to policies and procedures as described by the Office of Personnel Management (OPM) and the Code of Federal Regulations as well as to determine whether EEOC’s personnel security program was effective and efficient.

Although EEOC has designed an overall compliant personnel security program, we identified areas in which improvements are needed in the implementation of the program in order to achieve optimum effectiveness and efficiency.

• Classified Information Management,
• Suitibility Determinations, and
• Physical Security and Credentialing

Without such improvements, EEOC runs the risk of insufficient oversight, inadequate practices, and unauthorized disclosure of classified information. Also, not implementing these improvements to the personnel security program may result in individuals holding positions for which they are not suitable or fit, and limiting EEOC’s ability to protect national security, privacy-related information, and national interest. The conditions noted were caused by a lack of EEOC policies and procedures for classified information and ineffective implementation of established requirements.

Our seventeen recommendations call for management to develop or update policies and procedures, to implement those policies and procedures, to adhere to the requirements already in place, to address staffing concerns within the Office of the Chief Human Capital Officer (OCHCO), and to complete risk designations, reinvestigations, and OPM reporting in accordance with the requirements.

BACKGROUND

The U.S. Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal laws that make it illegal to discriminate against a job applicant or an employee because of the person's race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability or genetic information. It is also illegal to discriminate against a person because the person complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. The EEOC carries out its mission through its headquarters office in Washington, D.C. and through 53 field offices serving every part of the nation.

The Personnel Security Program is managed by the EEOC’s, Office of Chief Human Capital Officer (OCHCO). The EEOC conducts personnel security investigations to determine if applicants, interns/volunteers, contractors, and employees meet the suitability requirements for employment. The scope of a personnel security investigation varies depending on the duties and access requirements for the position. The authority to conduct personnel security investigations is derived from Executive Order 10450, Security Requirements for Government Employment, and Title 5, Code of Federal Regulations (CFR), parts 731 and 736.

Per EEOC order 530.010, EEOC must “ensure that personnel security investigations are conducted in accordance with 5 CFR 736. Suitability determinations shall be made for employment in covered positions in accordance with 5 CFR 731. Fitness determinations shall be made for employment in the excepted service in accordance with 5 CFR 302.203. Fitness determinations shall be made for contract employees in accordance with the Office of Personnel Management’s (OPM) Supplemental Credentialing Standards.” Agency personnel shall be credentialed in accordance with Federal Information Processing Standards (FIPS) 201 (as amended), Office of Management and Budget (OMB) Memo 05-24, USAccess policy, and the OPM Final Credentialing Standards Memorandum (as amended). The EEOC maintains and safeguards personnel security investigations and materials related to adjudications in strict confidence. Access is granted only to authorized individuals, and handled in accordance with the Privacy Act of 1974, 29 CFR 1611.15, and EEOC Order 531.001.

EEOC established a project team and implemented the agency’s HSPD-12 policy. The Office of Information Technology (OIT), the Office of Chief Financial Officer (OCFO), and Office of the Chief Human Capital Officer (OCHCO) jointly sponsored the implementation. OCHCO has lead responsibility for background investigations, adjudication, and PIV card issuance/maintenance. OCFO has lead responsibility for implementing use of the PIV credentials for facility access. However, the field offices have been delegated the implementation of credentialing for facility access. OIT has lead responsibility for implementing use of the PIV credentials for logical access to EEOC information technology networks.

EEOC background investigations are conducted by OPM, Federal Investigative Services (FIS). The extent of the background investigation is determined by the type of information individuals will have access to. EEOC uses OPM-FIS background investigations as the basis for its suitability determinations for employment in covered positions. All positions subject to investigation under this part must also receive a sensitivity designation of Special-Sensitive, Critical-Sensitive, or Noncritical-Sensitive, when appropriate. This designation is complementary to the risk designation, and may have an effect on the position's investigative requirement. Procedures for determining investigative requirements for all positions based upon risk and sensitivity are published in OPM issuances, as described in 5 CFR 731.102(c).

In the EEOC Personnel Security and Suitability Handbook, EEOC has designated most positions as Non-sensitive for national security purposes, which indicates that classified information is not generated, handled or stored by EEOC positions. However, some EEOC employees are required to handle classified information related to EEO complaints filed against intelligence agencies. Some of this classified information is stored at EEOC headquarter and field office locations. Currently, there is no classified information policy nor is classified information being managed by a singular office. Instead, EEOC’s classified information is managed by the individuals and offices handling the information such as the Office of Federal Operations (OFO), the Office of Field Programs (OFP), and Washington Field Office (WFO).

RESULTS OF AUDIT

Although EEOC has designed an overall compliant Personnel Security Program, we identified the following areas in which improvements are needed in the implementation of the program in order to achieve optimum effectiveness and efficiency:

• Classified Information Management,
• Suitibility Determinations, and
• Physical Security and Credentialing

Without such improvements, EEOC runs the risk of insufficient oversight, inadequate practices, and unauthorized disclosure of classified information. Also, not implementing these improvements to the personnel security program may result in individuals holding positions for which they are not suitable or fit, and limiting EEOC’s ability to protect national security, privacy-related information, and national interest.

Classified Information Management

Currently, EEOC does not have formal, documented policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. Also, a training policy for classified information has not been established. Classified information is managed by the individual offices and field offices based on verbal guidance from the originating federal agencies. The individuals working on the classified information generally work directly with the intelligence agency and receive feedback and instruction on how to handle the classified cases. Therefore, EEOC cannot provide assurance to the proper oversight, consistent training and safeguarding of classified information.

OCHCO has been delegated the responsibility of background investigations and adjudications. Clearances for the employees who handle classified information are initiated by the intelligence agency that works directly with the EEOC employee or his/her supervisor to obtain the information necessary for the clearance process. The employee information is submitted to the intelligence agency that conducts the investigation and renders an adjudication decision. However, the current process for initiating, granting and monitoring security clearances, need-to-know and security clearance access levels to classified information are not within OCHCO or any other singular office within EEOC HQ. As a result, OCHCO is not aware of the sensitivity of the information to be accessed, the clearances obtained, or the clearance level required to handle the classified information.

Approximately 18 EEOC employees, primarily in OFO, OFP, and WFO, currently have access to classified information as a result of EEO complaints filed against intelligence agencies. The classified information is stored either as hard copy or on thumb drives provided by the originating intelligence agency. Each employee and/or their office is responsible for the safeguarding and proper handling of the classified information. EEOC Staff interviewed reported that procedures for safeguarding classified information are communicated verbally to them by the intelligence agency or by their agency point of contact within EEOC. Guidance is also provided to cleared EEOC employees at meetings with the originating agency. None of the EEOC staff interviewed reported a formal EEOC-provided or mandated training for individuals who require access to classified information. OFO stated that they are planning to develop a policy and procedure document to cover the handling of classified information within their office. The development of this document is still in its early stages and the completion date is not yet known.

OIT requires all employees to complete a security awareness training each year. This EEOC-developed training does not cover handling, use, or transfer of classified information. OIT stated that they did not include classified information in the security awareness training due to the small number of employees who handle classified information. There is no EEOC requirement that individuals who handle classified information receive additional training in this area.

According to the staff interviewed, the classified information is stored in GSA Security Containers at EEOC Headquarters and at WFO. We were told that at least one field office stored classified information at their location, however the exact number of field offices with classified information was not provided to us prior to the end of fieldwork.

Executive Order 13526, Classified National Security Information, section 5.4 requires agencies that handle classified information to designate a senior agency official to direct and administer the program. This official is responsible for establishing and maintaining security education and training programs, establishing and maintaining a self-inspection program, establishing procedures to prevent unnecessary access to classified information, and accounting for the costs associated with implementing this program and reporting them to the Director of the Information Security Oversight Office.

EEOC designated all personnel positions as “Non-sensitive” for national security purposes which would indicate that the information handled by those individuals would not be of a classified nature. Also OCHCO was unaware until recently of higher level security clearances held by several employees as a result of the classified information. EEOC relies on the guidance provided to the user by the originating agency in lieu of developing its own procedures.

Consequently, EEOC did not develop classified information policies and procedures and each office manages its classified information without the benefit of oversight or guidance from the required designated senior agency official in accordance with Executive Order 13526 and 32 CFR Parts 2001 & 2003. Although several office directors and users of classified information have stated that they believe instituting a cohesive, agency-wide classified information management policy would be beneficial, no specific office has taken responsibility for developing one. Without a personnel security policy that includes classified information management, the EEOC runs the risk of insufficient oversight, inadequate practices, and unauthorized disclosure of classified information.

Recommendation:

We recommend that EEOC Senior Management direct the Office of the Chief Human Capital Officer and the Office of the Chief Financial Officer work together to:

1. Identify all HQs and Field Offices where classified national security information is safeguarded, handled, processed, reproduced, transmitted, transported, or destroyed.
2. Identify all EEOC employees with:
a. current or prior access to classified national security information;
b. a current adjudicated security clearance and the sponsoring agency, if applicable; and
c. special access or interim clearance and the sponsoring agency, if applicable.
3. Develop and implement policies and procedures to address the safeguarding, transfer, storage, or disposal of classified information. The policy should include the requirements for Memorandums of Understanding between agencies.
4. Designate a senior agency official to direct and administer the program in accordance with Executive Order 13526 and 32 CFR Parts 2001 & 2003. This senior agency official/office must be provided the resources and authority to achieve compliance with the requirements associated with Classified National Security Information program.
5. Implement a formalized training program for individuals who use classified information as a part of their duties. If an external agency is to assume the responsibility of training these individuals, this agreement should be documented in an MOU.
6. Perform and document an assessment/evaluation of current classified information practices and safeguarding at headquarters and field offices to determine any non-compliances. Immediate corrective action should be taken to address any non-compliances noted.
7. Incorporate a review of controls over classified information in EEOC’s annual Federal Managers Financial Integrity Act (FMFIA) process.

Management Response:

OCHCO Response: The EEOC suitability program is design to adhere to applicable regulations, executive orders, and statues regarding suitability and fitness determinations; each covered position is designated non-sensitive. Currently, there are no covered positions that fall under Executive Order 12968 (National Security positions) eligibility for access to classified information.

OFP Response: Currently only eight administrative judges (AJ) have clearances or authorization issued from intelligence agencies (IA). A survey of those individuals reveals that they rarely have access to classified information. In addition, classified documentation is ordinarily redacted or is reviewed at FBI offices. AJs follow the procedures established by the IA.

OFO Response: Each office that has some involvement with classified information is managed by a senior official.

OCFO Response: Overall, OCFO agreed with the finding. At this present time, the sponsoring intelligence agencies and EEOC do not have an MOU/MOA established to address the required continual monitoring, evaluation or reporting of an EEOC employees continued eligibility, or need-to-know of classified information. This is why it is important that the agency in custody of the classified information and handling the classified information manage its own employee’s personnel security clearance process and adjudication, need-to-know and access in cooperation with the intelligence community agencies EEOC is serving.

OCFO also stated that their office has never received a thumb drive containing classified information. When thumb drives are used, they are only used to transmit draft decisions to the IA reviewing official. However, the possibility of classified information on unclassified computers is present.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

The lack of a unified response speaks to a decentralized process without a designated senior agency official responsible for the classified information and handling. The number of employees with access to classified information was obtained from EEOC’s PPD-19 Supplemental Response, dated September 11, 2013. This number includes employees in OFO, OFP, and WFO. Also, the procedures for reviewing classified information differ between intelligence agencies. No consensus was reached about this issue and no responses were made to the corrective actions. Therefore, the recommendations remain open until management decision is reached with the EEOC OIG.

Suitability Determinations

We noted several instances where EEOC did not comply with federal requirements or its own policies and procedures pertaining to suitability determinations. These instances include:

• Risk Designations
• Reinvestigations
• Federal Personnel Payroll System
• Certificates of Investigation
• Reporting Adjudication Decisions to OPM

As a result, EEOC cannot provide assurance that there are no individuals holding positions for which they are not suited, thereby limiting EEOC’s ability to protect national security, privacy-related information, and national interest.

Risk Designations

The EEOC has not conducted risk designations for all public trust position descriptions as required by OPM, federal regulations, and EEOC policy. Currently only six of an estimated 200 covered positions have received a risk designation. Risk designations have been required by 5 CFR 731.106(a) since 2008. The EEOC began performing risk designations in 2011, however the designations have only been performed for six employees.

Title 5, CFR Section 731.106 and EEOC Order 530.010 both require EEOC to designate every covered position within the agency at a high, moderate, or low risk as determined by the position’s potential for adverse impact to the efficiency or integrity of the service. In addition, all positions subject to investigation must also receive a sensitivity designation of special-sensitive, critical-sensitive, or noncritical sensitive, when appropriate.

OCHCO personnel stated that due to low staffing levels they decided to complete risk designations for new hires only. Also, OCHCO has decided to wait until OPM and the Office of the Director of National Intelligence (ODNI) promulgate new joint regulations on sensitive positions and update or replace the Automated Position Designation Tool before they perform any additional risk designations.

Without a corresponding risk designation for all covered positions, EEOC is at risk of maintaining the wrong level of investigation for covered positions. This could result in individuals holding positions for which they are not suitable, limiting EEOC’s ability to protect national security, privacy-related information, and national interest.

Reinvestigations

EEOC does not consistently conduct reinvestigations for employees in public trust positions as required by federal regulation and EEOC policy. According to EEOC Order 530.010 and 5 CFR 731.106, EEOC must ensure reinvestigations are conducted for persons occupying public trust positions at least once every five years. Of the 25 employees selected for testing who should have had at least one reinvestigation, 11 had not had a reinvestigation completed in the last 5 years. The amount of time between investigations for these employees ranged from 6 to 28 years, with an average of 9 years. Additionally, EEOC could not locate the reinvestigation records of three of the 25 employees selected, so we were unable to determine whether they received a reinvestigation or not.

Although EEOC has a written policy requiring reinvestigations, the OCHCO has elected not to implement reinvestigation procedures because OPM has not issued implementation guidance to federal agencies regarding public trust reinvestigations.

Without conducting periodic reinvestigations for current public trust positions once every 5 years, the EEOC could potentially have unsuitable personnel conducting EEOC activities.

Federal Personnel/Payroll System (FPPS)

The EEOC has not completely entered employee investigation data, such as dates and type of adjudication completed, into FPPS although it is required by EEOC’s Personnel Security Program Order, Chapter 1. OCHCO is charged with the responsibility of maintaining the completeness of FPPS for all EEOC Federal employees. Out of 21 EEOC employees selected for testing, eleven employee FPPS files had not been updated to show the type of investigation, and date of adjudication.

We also noted that the EEOC policy related to FPPS does not, but should, include a timeline for updating FPPS with the appropriate information, for example within 30 days after the adjudication date.

OCHCO has not implemented proper procedures to ensure that FPPS is updated with the results of adjudication in a timely manner. By not updating the FPPS to include investigation information, the EEOC is limiting its ability to track and maintain the necessary data related to suitability determinations.

Certificates of Investigation

The EEOC did not maintain a Certificate of Investigation (COI) within each current employee’s electronic Official Personnel Folder (eOPF), as required by OPM and EEOC Order 530.010, Chapter 5 and The Office of Personnel Management (OPM) Operating Manual: The Guide to Record Keeping, Section 3-E. Although internal tracking documents showed that an investigation was performed, we were not provided a COI for 16 of the 50 employees selected for testing. The OCHCO is responsible for maintaining EEOC employee’s eOPF and receiving and signing the COI.

OCHCO stated that it is experiencing a staffing shortage that is affecting the maintenance of eOPF records. Therefore, EEOC employees’ eOPF files do not include the necessary information to document that an appropriate background investigation was performed. This could impact an employee’s clearance documentation when transferring to another agency. Also, without this information, EEOC may not be able to validate whether the appropriate type of investigation was obtained.

Reporting Adjudication Decisions to OPM

EEOC did not provide evidence that they reported adjudication decisions to OPM as required by the 5 CFR 731.206 and EEOC Order 530.010, Chapter 5. We selected 25 employees for testing

and requested evidence showing that EEOC reported the employees’ adjudication decisions to OPM as required. We were not provided evidence of reporting for any of these employees prior to the end of fieldwork.

Without proper mechanisms to access information in a timely manner, EEOC is not able to demonstrate compliance with federal reporting requirements.

EEOC has designed the proper system to meet the federal personnel security program requirements. However, EEOC has not effectively and consistently implemented the policies and procedures as outlined. As a result, EEOC is not able to demonstrate compliance or provide assurance that there are no individuals holding positions for which they are not suited, thereby limiting EEOC’s ability to protect national security, privacy-related information, and national interest.

Recommendations:

We recommend that the Office of the Chief Human Capital Officer:

8. Complete risk designations for the remaining estimated 194 EEOC covered positions.
9. Complete and begin any outstanding reinvestigations as required by the CFR.
10. Adhere to EEOC policy and federal requirements pertaining to reinvestigations. EEOC should follow their internal policy until further guidance is provided by OPM.
11. Update the policy for the Federal Personnel Payroll System with a timeline and implement the revised standard.
12. Review all employee eOPFs to ensure proper inclusion of the employee’s COI and in instances where the documentation is missing, insert the COI.
13. Report any outstanding EEOC adjudication decisions to the Office of Personnel Management and going forward adhere to the 90 day timeline.
14. Develop and implement a procedure to maintain relevant evidence documenting that the EEOC has informed OPM of the adjudication decisions it has made.
15. Explore and document the decision on using alternative staffing options, such as contract employees, part time employees, or obtaining an employee on detail in order to become current on risk designations, reinvestigations, FPPS, COIs, and adjudication reporting.

Management Response:

OCHCO Response: OCHCO management concurred with all findings and recommendations noted in this section. EEOC has employed a Personnel Security Specialist and Personnel Security Assistant to assist with these efforts. Corrective actions have begun on the recommendations and will be completed by the second quarter of FY 2015 except EEOC has decided to delay reinvestigations until such time as OPM issues guidance.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

We believe that the above-mentioned actions, if properly implemented, will resolve the condition and address the recommendations.

Physical Security and Credentialing

EEOC’s HSPD-12 implementation plan establishes the OCFO as having the lead responsibility for implementing use of the PIV credentials for facility access across the agency. EEOC’s physical security program is managed by OCFO. We noted that EEOC’s physical security process is highly decentralized. The field offices have a great amount of autonomy as it relates to implementing security measures at their locations and the agency physical security manager has limited authority related to the security measures at field office locations.

EEOC has a headquarters and 53 field offices located throughout the United States. Each field office or district office establishes and manages its own physical security and credentialing process. There is currently insufficient coordination and review by headquarters to ensure compliance with EEOC physical security and credentialing requirements. As a result, EEOC is increasing the risk that a security breach could occur that would affect the safety of employees or the information they handle.

We asked field office staff about the physical security measures at their respective locations and compared these measures to the physical security standards issued by the Interagency Security Committee (ISC) in their Physical Security Criteria for Federal Facilities. These standards, issued in 2010, set forth a baseline set of physical security measures to be applied to all Federal facilities based on their designated Facility Security Level (FSL). For multi-tenant buildings under GSA control, a representative from each tenant participates in the buildings’ Facility Security Committee. The Facility Security Committee determines which building security measures to implement by a vote of the members. If the committee decides not to implement specific physical security measures, it is required to document its acceptance of the associated risk.

Security requirements for each location vary based on each office’s FSL as described in the Interagency Security Committee’s Facilities Security Criteria. We performed inquiries of nine field offices with various FSLs to determine whether the security measures in place at their location were in line with the security requirements of their FSL. We noted that four of the nine field offices did not fully comply with the security requirements for their FSL.

There is currently no review being performed by the physical security manager to ensure field office security measures and credentialing are in compliance with federal regulations.

Facilities Security Criteria for Federal Facilities, An Interagency Security Committee Standard sets forth certain Facility Entrance Security Criteria that Federal agencies must follow, specifically as it relates to badge identification, employee and visitor access control, and occupant and visitor screening based on their FSL. In all cases, the project documentation must clearly reflect the reason why the necessary protection cannot be achieved. It is extremely important that the rationale for accepting risk be well-documented, including alternative strategies that are considered or implemented, and opportunities in the future to implement necessary protection.

EEOC has not established an effective centralized method for ensuring field office compliance with physical security and credentialing regulations. Due to its relatively small size and diversity of locations, physical security is managed at the field-office level and there is little to no coordination or consultation with security staff at EEOC headquarters regarding physical security and credentialing. In addition, EEOC does not perform regular reviews of the security measures in place at field office locations to ensure they are appropriate for each field office’s FSL. Field offices are required to submit an annual security self-assessment checklist, however this checklist does not include aspects such as building access, badging, visitor access, and visitor and employee screening.

The lack of cohesive physical security, credentialing, and tools for consistent application has resulted in inconsistent physical security practices across EEOC’s field office locations. Oversight provided by OCFO is not robust enough to properly mitigate the risk associated with such a decentralized structure. Without proper oversight by the Physical Security Manager to ensure field office compliance with security directives, EEOC is increasing the risk that a security breach could occur that would affect the safety of employees or the information they handle.

Recommendation:

We recommend that the Office of the Chief Financial Officer:

16. Update and implement comprehensive policies and procedures for physical security. These policies and procedures should include but not be limited to:
a. Providing training for the FSC member or designee at each field office location at least annually;
b. Developing and implementing a field office onsite security assessment program, that includes performing assessments and/or spot checks of field office security measures by the OCFO on a rotational basis as it relates to Interagency Security Committee requirements; and
c. Assisting and ensuring field offices correct noted security weaknesses or document acceptance of risk where EEOC has determined corrective action will not be taken.
17. Revise the field office self-assessment checklist to include facility security and credentialing information.
18. Immediately correct any known weaknesses. If EEOC determines not to correct a noted weakness, EEOC should document this analysis and their acceptance of the associated risk.
19. Increase coordination between OCFO and OFP to improve field office security posture, awareness and training to ensure compliance with applicable EEOC orders and guides; Facility Security Committees, An ISC Standard, dated January 1, 2012, 2nd edition; and other applicable Interagency Security Committee Standards. .

Management Response:

OCFO Response: OCFO concurred with the intent of the recommendations with a few minor clarifications. OCFO management stated that EEOC can only impose EEOC specific requirements on EEOC controlled space. It is the Facility Security Committee’s responsibility to ensure that security procedures and countermeasures at each facility/building are administered properly, to include entry access control. Corrective actions will be implemented in FY 2015.

See management’s response in its entirety in Appendix C.

Auditor Analysis:

We believe that the above-mentioned actions, if properly implemented, will resolve the condition and most recommendations. However, the OCFO response did not address recommendations 16c or 18. They will remain open until addressed with the OIG.

Appendix A: Glossary of Acronyms

CFR Code of Federal Regulations

COI Certificate of Investigations

COO Chief Operating Officer

DHS Department of Homeland Security

EEOC U.S. Equal Employment Opportunity Commission

eOPF Electronic Official Personnel Folder

FIPS Federal Information Processing Standards

FIS Federal Investigative Services

FOUO For Official Use Only

FSL Facility Security Level

FPPS Federal Personnel/Payroll System

GAO Government Accountability Office

HSPD Homeland Security Presidential Directive

ISC Interagency Security Committee

IT Information Technology

OCFO Office of the Chief Financial Officer

OCHCO Office of the Chief Human Capital Officer (formerly OHR)

ODNI Office of the Director of National Intelligence

OFO Office of Federal Operations

OFP Office of Field Programs

OHR Office of Human Resources (now OCHCO)

OIT Office of Information Technology

OMB Office of Management and Budget

OPM Office of Personnel Management

PIV Personal Identity Verification

WFO Washington Field Office

Appendix B: Objectives, Scope, and Methodology

OBJECTIVES

The overall objective of our audit was to determine whether EEOC has implemented a personnel security program that adheres to policies and procedures as described by the Office of Personnel Management and the Code of Federal Regulations.

More specifically, the objectives of our audit were as follows:

1. To ensure that the EEOC Personnel Security Program Handbook provides guidance on the procedures, rules, roles, and responsibilities involved in the personnel security investigation process.
2. To ensure as stipulated by 5 CFR 736.201, that personnel security investigations are initiated within 14 days of placement in the position.
3. To ensure that EEOC, as stipulated by 5 CFR 731.106, conducts reinvestigations and a determination regarding continued employment of persons occupying public trust positions at least once every 5 years.
4. To ensure that EEOC reports to OPM the level or nature, result, and completion date of each background investigation or reinvestigation, each agency decision based on such investigation or reinvestigation, and any personnel action taken based on such investigation or reinvestigation, as required in OPM issuances.
5. To ensure that a copy of the Certificate of Investigation shall be placed in the employee’s electronic Official Personnel Folder (eOPF).
6. To ensure that the type of investigation and the date of adjudication are reported in the Federal Personnel/Payroll System (FPPS)
7. To ensure that EEOC has implemented a process of risk designation.
8. To ensure that EEOC has implemented the appropriate procedures associated with risk level changes.
9. To review whether EEOC has classified information.
10. To ensure that, when applicable, EEOC has implemented the appropriate policies and procedures, as prescribed by federal statute, associated with individuals who may have access to classified information that is maintained and used on the behalf of another agency.
11. To assess the effectiveness and efficiency of EEOC’s personnel security program and to identify best practices and provide areas for improvement.

SCOPE AND METHODOLOGY

The scope of our audit included all federal established guidance and best practices associated with the implementation of an effective and efficient Personnel Security Program. Our audit focused on the appropriateness and effectiveness of EEOC’s Personnel Security Program during calendar year 2013.

We used a four-phased approach: planning, internal control assessment, testing, and reporting. We used IDEA sampling software to make our sample selections and perform testing when reasonable. We reviewed key applicable laws and regulations. We interviewed EEOC staff to document the processes and procedures and tested those processes and procedures to ensure they were operating effectively. We researched and identified best practices and identified areas for improvement.

We noted exceptions and wrote findings in those instances where violations occurred and were not corrected, where internal control weaknesses existed, and where processes were determined not to be effective and efficient. We stated the conditions, causes and effects of our findings, as well as the criteria upon which the findings were based, and recommendations for correcting the issues.