The Environmental Protection Agency’s (EPA) reorganization led to gaps in the agency’s compliance with IT policies for its Enterprise Customer Service Solution (ECSS) system, according to an EPA OIG report released August 19.
The report focused on the ECSS system, which is funded by the agency’s working capital fund. When EPA went through reorganization in fiscal year 2016, responsibility for the system moved from the Office of Information Analysis and Access to the Office of Information Management, which “did not understand that the ECSS needed to follow EPA SLCM [Software Lifecycle Management] policies and procedures and did not conduct key project management oversight activities,” the report states.
Gaps in SLCM compliance included the lack of a business justification, a tailoring plan, a user satisfaction review, and receipt of the annual evaluation from the vendor.
The confusion also left EPA out of compliance with federal requirements: EPA did not verify that its vendor was FedRAMP certified and failed to meet the Office of Management and Budget’s Capital Planning and Investment Council (CPIC) guidance.
The inspector general recommended EPA enforce existing policies, verify the receipt of deliverables, ensure FedRAMP certification, and improve internal controls on CPIC compliance. While EPA concurred with all recommendations, OIG found its planned corrective actions on verifying vendor deliverables and CPIC guidance to be insufficient, and left the recommendation as unresolved.