TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

 

The Homeland Security Presidential Directive 12 Program Office Has Addressed Prior Weaknesses, but Progress Is Slower Than What Has Been Reported

 

 

 

June 25, 2009

 

Reference Number:  2009-20-084

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 Redaction Legend:

3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

 

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

June 25, 2009

 

 

MEMORANDUM FOR ACTING CHIEF, AGENCY-WIDE SHARED SERVICES

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – The Homeland Security Presidential Directive 12 Program Office Has Addressed Prior Weaknesses, but Progress Is Slower Than What Has Been Reported (Audit # 200920001)

 

This report presents the results of our review to determine whether the Homeland Security Presidential Directive 12 (HSPD-12)[1] Program Management Office (PMO) is making adequate progress in implementing the HSPD-12 requirements and has addressed the recommendations we made in our prior report.[2]  The Internal Revenue Service (IRS) has been designated as the lead bureau for ensuring that the Department of the Treasury (Treasury) complies with the Directive.  This audit was included in the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan and was part of our statutory requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The HSPD-12 established a new standard for issuing and maintaining identification badges for Federal Government employees entering Federal Government facilities and accessing computer systems.  The HSPD-12 PMO is making slow progress in issuing the badges to employees and contractors.  In addition, the number of badges that have been issued is less than what has been reported to the Office of Management and Budget (OMB) and to Treasury officials.  Issuing the HSPD-12 badges is critical to improving the future security over Treasury facilities, computer systems, and critical processes, such as collecting tax revenues, issuing refunds, and processing economic stimulus payments to taxpayers.

Synopsis

The HSPD-12 PMO is using the General Services Administration’s (GSA) shared services provider, or Managed Service Office,[3] to produce the HSPD-12 badges.  This strategy was adopted due to a recommendation in our first audit[4] of the Treasury HSPD-12 program and because the OMB rejected the Treasury’s first implementation plan, which showed that the Treasury was planning to produce its own identification badges.

The shared services provider and the HSPD-12 PMO are making slow progress in implementing the HSPD-12 directive.  As of January 30, 2009, the shared services provider and the Treasury had issued 58,858 (46 percent) badges out of the total Treasury population of 127,922 employees and contractors.  However, many of the challenges and delays are out of the direct control of the PMO.  For example, the Treasury Enterprise Directory Services identification numbers that are given to seasonal employees when they are rehired at the start of each filing season cause conflicts in the shared services provider’s computer system.

This slow progress in issuing the HSPD-12 badges is of concern because the number of badges issued each month is decreasing by a significant amount.  The number of badges issued to employees and contractors decreased 55 percent from October to November 2008, 38 percent in December 2008, and 28 percent in January 2009.  The HSPD-12 program manager attributes the latest cause for the slow progress to the priority that the IRS filing season has over other initiatives such as the HSPD-12 program.

In addition, the HSPD-12 PMO has not accurately reported the slow progress and downward trend in the number of badges being issued.  On October 27, 2008, the PMO reported to the OMB that 76,575 (73 percent)[5] of the Treasury employees and contractors had been issued badges.  However, we determined that only 32 percent of the badges had been actually issued by that date.  The inaccurate reporting was partially due to the PMO defining “issued” as “sponsored, adjudicated, and enrolled.”  Many more employees and contractors are sponsored, adjudicated, and enrolled than are actually issued badges.

The gap between enrollments and issuances is due to challenges experienced in activating and issuing a badge after an employee or contractor is enrolled.  As noted in the PMO’s November 2008 presentation to the HSPD-12 Executive Steering Committee, employees and contractors often work in different locations other than where the enrollment stations are located.  Therefore, the employee or contractor must make an appointment to travel a second time to the enrollment station to finalize the credentialing process and obtain a badge.  Another reason cited is a lack of incentive for employees and contractors to complete the badge issuance process because the badges are not currently needed to access Treasury facilities and computer systems.

In addition to improperly defining the term “issued,” the HSPD-12 PMO excluded a significant number of contractors and seasonal employees from the total population of individuals who are required to be issued a badge.  Contractors cannot be easily issued badges because their personal identity information cannot be uploaded as a group into the GSA shared services provider’s computer system and must be manually entered.  Issuing badges to seasonal employees is also a challenge due to the conflict, discussed previously, between the GSA shared services provider’s computer system and the Treasury Enterprise Directory Services identification numbers.

The PMO has taken corrective actions to address our prior audit recommendations.  HSPD-12 tasks are now clearly delineated by functional area to better monitor contractor performance, the PMO and the Contracting Officer’s Technical Representatives are complying with IRS procedures for reviewing and paying contractors’ invoices, and the program manager maintains documentation sufficient to support all program costs, assigns costs to specific tasks in the work breakdown structure, and uses earned value to measure progress.  The PMO coordinated with the Treasury to evaluate the possibility of combining its Public Key Infrastructure efforts with those of the GSA and is now following the Enterprise Life Cycle.

Recommendations

To ensure progress is clearly and accurately reported, the HSPD-12 Executive Steering Committee should instruct the HSPD-12 program manager to 1) continue reporting the program as being behind schedule and report to the OMB a revised estimated date that all employees and contractors will be issued badges, and 2) define badges issued as badges that have been activated and given to employees or contractors, report to the OMB the total cumulative number of badges that have been issued to employees and contractors, and include all contractors and seasonal employees in the total Treasury population, as long as these individuals are employed by the Treasury.

Response

IRS management disagreed with all of our recommendations.  In response to our first recommendation, the IRS stated that it adjusted its schedule, revised its estimated completion date to March 2010, and reported this date to the OMB.  The IRS stated that its schedule is now on target to meet the March 2010 completion date.  In response to our second recommendation, the IRS provided the following comments:

(1)   The IRS stated that its current definition and methodology are already well understood, established, and circulated within the Treasury and the OMB.  To maintain consistency and clarity, it will continue to use its current definition of “issued.”  The IRS further stated that our auditors had not demonstrated that our definition of “issued’ is the proper one.  In working with the GSA Managed Service Office, the IRS has received documentation supporting its definition and provided this information to our audit team during our visits.

(2)   The IRS stated that the Treasury already reports its progress to the Executive Steering Committee and to the OMB each quarter.  It will continue to report both the number of enrollments and the number of activations in accordance with its existing definition.

(3)   The IRS stated that when the Treasury reported its progress on October 27, 2008, seasonal employees who had enrolled were included in the total population and those who had not enrolled were omitted.  Because the seasonal employees were already furloughed and had not yet returned, they were not considered employees during that time.  Effective March 13, 2009, the IRS made a business decision to stop the enrollment and activation of all seasonal employees.  In addition, the IRS stated that technical challenges prevented mass sponsorship, enrollment, and adjudication of contractors.  The Treasury HSPD-12 PMO has not implemented a means for bulk uploading of contractor information into the GSA shared service provider database as was done for Treasury employees.  The IRS further stated that, at this time, it is premature to include contractors in its count.  Once a viable solution is implemented, contractors will be added to Treasury’s overall population.

Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment

While the IRS disagreed with our first recommendation, statements in its management response indicate that it took corrective actions to address the recommendation.  The HSPD-12 PMO revised the estimated completion date to March 2010 and reported this new date to the OMB.

We continue to believe the progress being reported to the OMB is overstated and provide the following comments to the IRS’ response to our second recommendation.

(1)   The PMO defining “issued” as employees and contractors who have been “sponsored, adjudicated, and enrolled” is inaccurate and significantly overstates the progress of the HSPD-12 program.  We used the common definition of the word “issued” and do not believe that qualifying or expanding its meaning is appropriate.  The audit team did not receive documentation from the PMO to support the IRS definition of “issued” even though the audit team requested this documentation several times during the audit.  As for the GSA Managed Service Office’s support for the IRS’ definition of “issued,” we note that the GSA Managed Service Office provides the card issuance service for the IRS and the Treasury and has a vested interest in the success of the program.  For this reason, we do not believe the GSA Managed Service Office should be the authority on defining when a badge is considered issued.

(2)   We continue to believe the reporting of the program progress to the OMB should be based on the number of activations (i.e., how many HSPD-12 badges have been issued to employees and contractors), not the number of enrollments.  The intent of the HSPD-12 Directive was for Federal Government employees and contractors to actually have HSPD-12 badges in their possession as a form of identification.  The fact that an employee or contractor has enrolled in the program should not be reported to the OMB as a badge having been issued.

(3)   In October 2008, the HSPD-12 PMO knew that approximately 20,000 seasonal employees would begin returning to work at the IRS.  At that point, the PMO planned to issue badges to the seasonal employees.  Therefore, seasonal employees should have been included in the total Treasury population.  The Treasury has the authority to make a risk-based decision on whether to issue an HSPD-12 badge to a seasonal employee and the IRS exercised this authority in March 2009 when it decided that it would no longer attempt to issue badges to seasonal employees.  However, the OMB requires HSPD-12 badges to be issued to contractors and there is no authority for excluding contractors from the HSPD-12 program.  Therefore, we continue to believe that the IRS should include contractors in the total Treasury population.  The technical difficulties in issuing badges to contractors does not justify excluding them from the Treasury population.

Because we believe the IRS’ disagreements to our findings and recommendations are significant, we plan on elevating our concerns to the Department of the Treasury.  We request that the Deputy Commissioner for Operations Support ensures that the IRS Commissioner submits a written reply to the Assistant Secretary for Management and Chief Financial Officer of the Department of the Treasury within 30 calendar days of the final report issuance date.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services) at (202) 622-8510.

  

Table of Contents

 

Background

Results of Review

The Treasury HSPD-12 Program Management Office Is Making Slow Progress Implementing the HSPD-12 Directive

Recommendation 1:

The Number of HSPD-12 Badges Issued to Employees and Contractors Is Fewer Than What Has Been Reported to the Office of Management and Budget and Treasury Officials

Recommendation 2:

The Treasury HSPD-12 Program Management Office Took Corrective Actions to Address Prior Audit Recommendations

Appendices

Appendix I – Detailed Objectives, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Glossary of Terms

Appendix V – Management’s Response to the Draft Report

 Abbreviations

 

GSA

General Services Administration

HSPD-12

Homeland Security Presidential Directive 12

IRS

Internal Revenue Service

OMB

Office of Management and Budget

PKI

Public Key Infrastructure

PMO

Program Management Office

  

Background

 

On August 27, 2004, President Bush signed Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.  This Directive established a new standard for issuing and maintaining identification badges for Federal Government employees entering Federal Government facilities and accessing computer systems.  The Office of Management and Budget (OMB), which is responsible for overseeing implementation of the Directive, required agencies to verify and/or complete employee background investigations and issue the personal identity verification badges by the following deadlines:

  • October 27, 2007 – Agencies must verify and/or complete background investigations and issue identification badges to all employees with 15 or fewer years of service.
  • October 27, 2008 – Agencies must verify and/or complete background investigations and issue badges to all employees with more than 15 years of service.

To implement the Directive, the Internal Revenue Service (IRS) established an HSPD-12 project team in September 2005.  In January 2006, the IRS Commissioner volunteered the IRS to lead the Department of the Treasury (Treasury) HSPD-12 program efforts and deliver a Department-wide solution.  The Treasury agreed and, in March 2006, the IRS assumed leadership of the HSPD-12 Program Management Office (PMO).

The PMO faces a significant amount of work to comply with the Directive and issue identification badges to approximately 128,000 Treasury employees and contractors.  The IRS, which is the largest of 11 Treasury bureaus, has more than 660 facilities located throughout the nation.  In addition, the IRS hires approximately 19,500 seasonal employees[6] each year to work during the filing season.  The scope of the HSPD-12 implementation work includes:

  • Enrollment – Employees must be fingerprinted and photographed, and their identities must be verified.  The enrollment process qualifies the employee to receive an identification badge.  The employee makes an appointment to return to the enrollment station at a later date to obtain his or her badge.
  • Badge Printing and Finalization – The identification badge must be encoded and printed to comply with all HSPD-12 standards, including the encryption of personal data on the badges.  Each badge is printed with an employee’s photograph and other identifiable information.  If the badge is acceptable, it is activated and issued to the employee or contractor.
  • Systems Infrastructure – The identification badges will provide controls over employees’ and contractors’ access to buildings and eventually be programmed to provide controls over employees’ access to computer systems.  The Treasury will have to develop and maintain a data store of employee information, such as where they work and what facilities and computer systems they are allowed to access.
  • Badge Maintenance – Identification badges must be updated when employees’ responsibilities and access needs change.

Our first audit[7] of the HSPD-12 PMO determined that the program was experiencing delays.  The PMO was planning to produce its own identification badges instead of taking advantage of the General Service Administration’s (GSA) shared services provider, which was being offered to all Federal Government agencies at a low cost due to the economies of scale.  Despite assigning 68 employees to the Treasury HSPD-12 effort, the PMO had not purchased the hardware and software necessary to produce the identification badges and did not expect to complete the program until September 2010, 2 years after the OMB deadline.  The OMB rejected the Treasury’s first implementation plan.  We recommended that the IRS consider the benefits of using the GSA’s shared services provider, the Managed Service Office; coordinate with the GSA to resolve concerns; and customize the GSA solution to meet the Treasury’s needs.  The IRS agreed with our recommendations and began using the GSA offering to the extent possible.

Prior to our second audit of the HSPD-12,[8] the IRS replaced the Treasury HSPD-12 program manager.  However, we found that prior to this management change, $3.5 million was spent on acquisitions that should have been avoided.  In addition, the PMO, ****(3d)****, did not effectively manage HSPD-12 contracts and did not follow governance procedures for overseeing the program.  We made five recommendations to improve the program.  The IRS agreed with our recommendations and planned to take corrective actions.

We conducted this third audit of the HSPD-12 to determine whether the PMO is making adequate progress in implementing the HSPD-12 requirements and has addressed the recommendations we made in our prior report.  This review was performed at the PMO headquarters office in New Carrollton, Maryland, during the period October 2008 through February 2009.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.  Detailed information on our audit objectives, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

 

 

Results of Review

 

The Treasury HSPD-12 Program Management Office Is Making Slow Progress Implementing the HSPD-12 Directive

The OMB recognized that Federal Government agencies were experiencing difficulties in meeting the October 27, 2008, HSPD-12 completion deadline.  In an October 2007 memorandum,[9] the OMB instructed agencies to confirm their implementation plans were on schedule or submit revised plans detailing when implementation efforts would be completed.  In January 2008, the PMO submitted a revised implementation plan with a March 31, 2009, estimated completion date.  However, this revised completion date will not be met, and the PMO revised its completion date for a second time to June 30, 2009.  As of February 2, 2009, the PMO estimated that 84 percent of the badges would be issued by June 30, 2009.  This estimate indicates that approximately 20,000 out of a total population of 127,922 employees and contractors would not have an HSPD-12 badge.  Most of these unissued badges would be for contractors and IRS seasonal employees.

Based on the slow progress in issuing badges to employees and contractors, we believe this third completion date will also be difficult to meet.  As illustrated in Figure 1, identification badges had been issued to only 58,858 (46 percent) of the total 127,922 employees and contractors by the end of January 2009.

Figure 1:  Cumulative Number of Badges Issued to Treasury Employees and Contractors

Figure 1 was removed due to its size.  To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

In addition to the slow progress in issuing the new HSPD-12 badges, the number of badges issued each month is decreasing by a significant percentage.  The number of badges issued decreased by 55 percent from October to November 2008, 38 percent in December 2008, and 28 percent in January 2009.  Figure 2 illustrates the downward trend in the number of badges issued during these 3 months.

Figure 2:  HSPD-12 Badges Issued by Month

Figure 2 was removed due to its size.  To see Figure 2, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.

 

The causes for the slow progress are due to numerous challenges experienced by the GSA shared services provider and the PMO.  Many challenges and delays are out of the direct control of the PMO, such as:

  • Negotiations with the National Treasury Employee Union caused a 4-month delay.  IRS union employees could not be enrolled in the GSA shared services provider’s computer system until the negotiations were completed.  A Memorandum of Understanding was finally signed with the Union on May 30, 2008.
  • Some of the GSA shared services provider’s contractors have occasionally not shown up to work at the enrollment stations.  The Treasury employees would arrive at the enrollment stations to find the shared services provider’s contractor was not available to enroll or issue the new identification badge.
  • The GSA shared services provider improperly printed some identification badges.  For example, the “concealed weapons carrier” indicator for the Treasury’s law enforcement employees was not printed on some of the badges.  This mistake caused a 4-month delay and approximately 3,000 badges had to be reprinted and reissued.
  • The quality of the photograph on some badges was too poor to recognize some employees.  Approximately 1,000 pictures had to be retaken, reprinted, and reissued.  This issue caused a 3-month delay.
  • A GSA requirement to limit batch uploads of employee personal data to the GSA badge issuance database caused a 2-month backlog.  The PMO could upload only 1,000 employee records at a time.  Each batch upload required 2 hours to process.
  • The Treasury Enterprise Directory Services identification numbers that are given to seasonal employees when they are rehired at the start of each filing season causes conflicts in the database used by the GSA shared services provider to enroll and activate the badges.

In addition to the above challenges, the HSPD-12 program manager reported that the IRS filing season is causing additional delays in issuing the badges.  The most critical tax administration processes such as processing taxpayers’ payments, tax returns, and refunds take priority over other work during the filing season.

Issuing the HSPD-12 badges is critical to improving future security over Treasury facilities, computer systems, and critical processes, such as collecting tax revenues, issuing refunds, and processing economic stimulus payments to taxpayers.

Recommendation

Recommendation 1:  The HSPD-12 Executive Steering Committee should instruct the HSPD-12 program manager to continue to report the program as being behind schedule and report to the OMB a revised estimated date that all employees and contractors will be issued badges.

Management’s Response:  The IRS disagreed with this recommendation.  The IRS stated that, in January 2009, it appeared that the schedule could fall behind due to the decrease in IRS card issuance activities.  The IRS has adjusted the schedule and publicly posted the report to the OMB web site, updating the completion date to March 2010.  At this time, the completion schedule is currently on target to meet the revised completion date.

Office of Audit Comment:  While the IRS stated that it disagreed with this recommendation, statements in its management response indicate that it took corrective action to address the recommendation.  The HSPD-12 PMO revised the completion date to March 2010 and reported this new completion date to the OMB.  When we completed our fieldwork in February 2009, we asked the program manager why the HSPD-12 Program Review presentation to the Executive Steering Committee showed the program’s overall status as “green,” which indicated the program was on schedule.  The program manager informed us that the program’s schedule and cost performance indicators would be changed from “green” to “red” status in the February 2009 Program Review to indicate the program was behind schedule.

The Number of HSPD-12 Badges Issued to Employees and Contractors Is Fewer Than What Has Been Reported to the Office of Management and Budget and Treasury Officials

The HSPD-12 PMO reports the progress, status, and challenges of the program to the HSPD-12 Executive Steering Committee.  The Committee, made up of executives from Treasury bureaus, was established in March 2006 to provide oversight and to support the Directive’s implementation across the Treasury and all of its bureaus.  The Committee is chaired by the IRS Deputy Commissioner for Operations Support and the Treasury Chief Information Officer.  The PMO also prepares status reports to IRS executives who brief the OMB on the Treasury’s implementation efforts.

On October 31, 2008, the OMB, in a special communication[10] to Federal Government agencies, commended the Treasury, along with the National Aeronautics and Space Administration, for their implementation progress on the HSPD-12.  The HSPD-12 PMO relayed this special commendation in subsequent briefings and presentations to IRS and Treasury officials.  On November 25, 2008, the PMO reported to the HSPD-12 Executive Steering Committee that 67 percent of the badges had been issued as of October 27, 2008.  Although this completion percentage is 6 percent lower than what was originally reported to the OMB, it was significantly overstated.  In its report to the Committee, the PMO also made the following citations.

“According to the 10/27/08 OMB Report, Treasury issued more cards than all other agencies of comparable size.”

“Treasury produced more cards than any other GSA customer.”

“Treasury was one of two agencies receiving special recognition from [the] OMB.”

The PMO continued to report significant progress during its January 2009 presentation to the HSPD-12 Executive Steering Committee.  The PMO also reported that the project was on schedule.

Contrary to what has been reported by the HSPD-12 PMO to the OMB, the Treasury, and the IRS, we believe the HSPD-12 PMO inaccurately reported the progress that had been achieved in issuing badges to employees and contractors.  On October 27, 2008, the PMO reported to the OMB that 76,575 (73 percent)[11] of the total Treasury employees and contractors had been issued HSPD-12 identification badges.  However, the actual number of badges issued was significantly lower.  As previously presented in Figure 1, the Treasury had issued 40,821 (32 percent) of the identification badges by the end of October 2008.

The inaccurate reporting of implementation progress was caused by the PMO defining “issued” as “sponsored, adjudicated, and enrolled.”  The program manager informed us that the OMB instructed agencies to consider a badge issued when the employee or contractor had been sponsored, adjudicated, and enrolled.  Despite our repeated requests, the program manager was unable to provide the documentation of this OMB guidance.  Because many more employees and contractors have been sponsored, adjudicated, and enrolled than have actually been issued badges, the PMO was able to report a significantly higher completion percentage.  As of January 30, 2009, approximately 87,000 employees and contractors were sponsored, adjudicated, and enrolled but only 58,858 badges had been issued.

We disagree with the program manager’s definition of “issued.”  It is our opinion that the intent of HSPD-12 was for Federal Government employees and contractors to actually have HSPD-12 identification badges in their possession as a form of identification.  The fact that an employee has enrolled in the HSPD-12 program should not constitute the completed task of being issued an HSPD-12 badge.  As such, the PMO should count a badge as issued only when the employee or contractor returns to the enrollment station to finalize the badge issuance process.

As noted in its November 2008 presentation to the HSPD-12 Executive Steering Committee, the PMO has cited challenges in activating and issuing a badge after an employee or contractor is enrolled.  For example, employees and contractors often work in different locations than where the enrollment stations are located.  Therefore, the employee or contractor must make an appointment to travel a second time to the enrollment station to finalize the credentialing process and obtain a badge.  Another reason cited was a lack of incentive for employees and contractors to complete the badge issuance process because the badges are not currently needed to access Treasury facilities and computer systems.

In addition to using an incorrect definition of the term “issued,” the PMO excluded many contractors from the total population of individuals who are required to have an HSPD-12 badge.  The PMO excluded the contractors because they could not easily be issued badges due to limitations in the GSA shared services provider’s computer system.  The personal identity information for contractors cannot be uploaded into the system as a group like employee information can.  The information must be input manually, which is a labor intensive process.  The GSA shared services provider had issued badges to 274 (3 percent) contractors out of a total population of 9,431 as of January 30, 2009.

The PMO also excluded many seasonal employees from the total population of individuals who are required to have an HSPD-12 badge because issuing badges to seasonal employees is also a challenge.  As previously discussed, the Treasury Enterprise Directory Services identification numbers that are given to seasonal employees when they are rehired at the start of each filing season causes conflicts in the GSA shared services provider’s USAccess database, which is used to enroll and activate the badges.  The GSA shared services provider had issued badges to 6,263 (32 percent) seasonal employees out of the total population of 19,514 as of January 30, 2009.

Contractors and seasonal employees access IRS facilities and computer systems and present the same security risk as full-time employees.  To ensure security and fulfill the intent of the HSPD-12, contractors and seasonal employees must be issued HSPD-12 badges.  Therefore, the PMO should include these workers in the total population of individuals who are required to have a badge.

The significance of the HSPD-12 program and the level of attention given to issuing HSPD-12 badges to employees and contractors require the HSPD-12 PMO to ensure the status of the program is clearly and accurately reported to IRS, Treasury, and OMB officials.  Inaccurate reporting could affect management decision making and provide a false sense of accomplishment.

Recommendation

Recommendation 2:  To ensure conservative transparent reporting, the HSPD-12 Executive Steering Committee should instruct the HSPD-12 PMO to 1) define badges issued as badges that have been activated and given to employees or contractors, 2) report to the OMB the total cumulative badges issued to employees and contractors, and 3) include all contractors and seasonal employees in the total Treasury population as long as these individuals are employed by the Treasury.

Management’s Response:  The IRS disagreed with this recommendation.

(1)   The IRS stated that its current definition and methodology are already well understood, established, and circulated throughout the Treasury HSPD-12 PMO, Executive Steering Committee, and the OMB.  To maintain consistency and clarity, the IRS will continue to use its current definition of “issued.”  The IRS further stated that our auditors had not demonstrated that our definition of “issued” is the proper one.  In working with the GSA Managed Service Office, the IRS has received documentation supporting its definition and provided this information to our audit team during our visits.

(2)   The IRS stated that the Treasury already reports its progress to the Executive Steering Committee and the OMB each quarter.  It will continue to report both the number of enrollments and the number of activations in accordance with its existing definition.

(3)   The IRS stated that when the Treasury reported its progress on October 27, 2008, seasonal employees who had enrolled were included in the total population and those who had not enrolled were omitted.  Because the seasonal employees were already furloughed and had not yet returned, they were not considered employees during that time.  Effective March 13, 2009, the IRS made a business decision to stop the enrollment and activation of all seasonal employees.  In addition, the IRS stated that technical challenges prevented mass sponsorship, enrollment, and adjudication of contractors.  The Treasury HSPD-12 PMO has not implemented a means for bulk uploading of contractor information into the GSA shared service provider database as was done for Treasury employees.  The IRS further stated that, at this time, it is premature to include contractors in its count.  Once a viable solution is implemented, contractors will be added to Treasury’s overall population.

Office of Audit Comment:  We continue to believe the progress reported to the OMB is overstated and provide the following comments to the IRS’ response to our second recommendation.

(1)   The PMO defining “issued” as employees and contractors who have been “sponsored, adjudicated, and enrolled” is inaccurate and significantly overstates the progress of the HSPD-12 program.  We used the common definition of the word “issued” and do not believe that qualifying or expanding its meaning is appropriate.  The audit team did not receive documentation from the PMO to support the IRS definition of “issued” even though the audit team requested this documentation several times during the audit.  The audit manager requested this documentation on two occasions near the end of field work, once on February 5, 2009, during a teleconference with the program manager and his or her staff, and again during an onsite meeting on February 17, 2009, with the program manager.  On both occasions, the program manager informed the auditors that he or she would provide documentation of the OMB guidance that instructed agencies to consider badges “issued” if the employee or contractor had been “sponsored, adjudicated, and enrolled.”  The OMB guidance was not provided.  As for the GSA Managed Service Office’s support for the IRS’ definition of “issued,” we note that the GSA Managed Service Office provides the card issuance service for the IRS and the Treasury, and has a vested interest in the success of the program.  For this reason, we do not believe the GSA Managed Service Office should be the authority on defining when a badge is considered issued.

(2)   We continue to believe the reporting of the program progress to the OMB should be based on the number of activations (i.e., how many HSPD-12 badges have been issued to employees and contractors), not the number of enrollments.  The intent of the HSPD-12 Directive was for Federal Government employees and contractors to actually have HSPD-12 badges in their possession as a form of identification.  The fact that an employee or contractor has enrolled in the HSPD-12 program should not be reported to the OMB as a badge having been issued.

(3)   In October 2008, the HSPD-12 PMO knew that approximately 20,000 seasonal employees would begin returning to work at the IRS.  At that point, the PMO planned to issue badges to the seasonal employees.  Therefore, seasonal employees should have been included in the total Treasury population.  The Treasury has the authority to make a risk-based decision on whether to issue an HSPD-12 badge to a seasonal employee and the IRS exercised this authority in March 2009 when it decided that it would no longer attempt to issue badges to seasonal employees.  However, the OMB requires HSPD-12 badges to be issued to contractors and there is no authority for excluding contractors from the HSPD-12 program.  Therefore, we continue to believe the IRS should include contractors in the total Treasury population.  The technical difficulties in issuing badges to contractors does not justify excluding them from the Treasury population.

The Treasury HSPD-12 Program Management Office Took Corrective Actions to Address Prior Audit Recommendations

In our prior audit report,[12] we made five recommendations to improve the management of the HSPD-12 program.  We recommended that the Chief, Agency-Wide Shared Services:

  • Require that future task orders prepared by the PMO clearly separate tasks by function.  This recommendation was intended to help each contractor understand the tasks and enable the PMO to monitor the contactor’s performance.
  • Ensure Contracting Officer’s Technical Representatives comply with procedures that require sufficient supporting documentation for hours worked.
  • Ensure the HSPD-12 program manager maintains documentation that is sufficient to support all program costs and assigns costs to specific tasks in the work breakdown structure.
  • Coordinate with the Treasury to evaluate the possibility of combining its Public Key Infrastructure (PKI) efforts with those of the GSA.

We also recommended that the Chief Information Officer ensure executive steering committees responsible for providing oversight to information technology projects take an active role to address the challenges and, specifically, to enforce use of the Enterprise Life Cycle requirements to the HSPD-12 program.

The PMO took effective actions to address each of our recommendations.

The PMO has clearly delineated HSPD-12 tasks by functional area to better monitor contractor performance

The Treasury HSPD-12 PMO is supported by four contractors:

1)      Booz Allen Hamilton provides administrative support.

2)      Presidio Networked Solutions provides technical expertise, such as advice relating to the physical and logical access controls the Treasury must implement to read the identification badges.

3)      Chevo Consulting helps develop and maintain the Treasury HSPD-12 business case.  The business case is required to be submitted and approved by the OMB each year.

4)      MITRE provides project management and business process expertise.

To set aside or obligate funds for the four contracts, the IRS issues task orders to the contractors.  The task orders should clearly delineate the HSPD-12 tasks from other tasks the contractors are performing for other Treasury functions.  This practice enables the program manager to better manage the HSPD-12 program by identifying what HSPD-12 related work is due and when.

In our previous audit, we found that the PMO charged the HSPD-12 work to existing task orders that included many other assignments.  The HSPD-12 tasks included in the statements of work were not specific enough to identify the deliverables and were too general to track the program’s work requirements.  The program manager has taken corrective actions to address this weakness.  Separate task orders are now prepared for HSPD-12 work and deliverables.  The tasks and deliverables are clearly written in the task orders.

The PMO and the Contracting Officer’s Technical Representatives are complying with IRS procedures for reviewing and paying contractors’ invoices

When a contractor submits an invoice requesting payment, the IRS Contracting Officer’s Technical Representative is required to obtain supporting documentation from the contractor and written approval from the IRS program manager prior to paying the invoice.  In our last audit, we determined that the ****(3d)****.  Contractors were paid without verifying that work was performed.  The program manager has taken corrective actions to address this weakness.

The PMO and the Contracting Officer’s Technical Representatives are now complying with IRS procedures for reviewing and paying contractors’ invoices.  We reviewed monthly invoices for a 1-year period from the 2 largest HSPD-12 contracts, Booz Allen Hamilton and Presidio Networked Solutions, and found that the invoices were accurate and adequately supported.  The program manager or the deputy program manager provided written approval to the Contracting Officer’s Technical Representative prior to payment of the invoice.  In addition, we compared the deliverables and work listed in the invoice to the program manager’s work breakdown structure and determined the tasks and deliverables had been planned.

The program manager maintains documentation sufficient to support all program costs, assigns costs to specific tasks in the work breakdown structure, and uses earned value to measure progress

Preparing a work breakdown structure is a basic project management technique for defining and organizing the total scope of a program and reporting progress.  It should identify what should be done, who will do it, how long it will take, and how much the program will cost.  The work breakdown structure should also allow the program manager to calculate earned value, which provides an objective measure of the budget and schedule performance of the program.

In our last audit, we found that the PMO did not maintain documentation to support program costs and did not assign costs to planned tasks.  In addition, the program’s work breakdown structure did not include the planned costs and resources that are needed to complete the program’s milestones and deliverables.

The program manager has taken corrective actions to address the inadequate accounting and weaknesses in the work breakdown structure.  Documentation is now being maintained to support the costs.  Costs are included in the work breakdown structure and assigned to planned tasks, and earned value is being calculated and reported to the HSPD-12 Executive Steering Committee on a regular basis by the program manager.

The PMO coordinated with the Treasury to evaluate the possibility of combining its PKI efforts with those of the GSA

The HSPD-12 identification badges are required to be resistant to tampering, prevent identity fraud, and provide electronic authentication of the person holding the badge.  A core element of this security is the inclusion of PKI technology on the badges.  In our last audit, we found that the GSA and the Treasury were developing separate PKI strategies.  To ensure consistency and reduce duplication of effort, we recommended that the PMO coordinate with the GSA to determine the feasibility of developing one PKI solution.

The PMO coordinated with the GSA and considered the following three alternatives:

·        Adopt the GSA’s PKI service.

·        Use a combination of the GSA and Treasury PKI services.

·        Use the Treasury PKI service.

Each alternative has benefits and could affect the program’s schedule, cost, and use of the identification badges.  After considering each alternative, the PMO determined the better long-term benefit was to use the Treasury PKI service.  The GSA agreed that the Treasury PKI certificates were compatible with the identification badges that are used by the GSA shared services provider.

The PMO is now following the Enterprise Life Cycle

The Enterprise Life Cycle is the life cycle methodology that provides the standard processes and techniques the IRS must follow to implement business change and support information systems programs, such as the HSPD-12 program.  The Enterprise Life Cycle is based on best practices found in government and industry and enables the IRS to establish and follow repeatable processes that yield better results over the long run.

In our last audit, we found that the PMO was not following the Enterprise Life Cycle.  The PMO had not completed a business case for the HSPD-12 implementation efforts.  The PMO should have submitted a business case to the HSPD-12 Executive Steering Committee, which is responsible for overseeing the HSPD-12 PMO’s implementation efforts.

The PMO has taken effective actions to address our recommendations and is now following the Enterprise Life Cycle.  A comprehensive business case was completed.  This business case accurately reflects the status and significant details of the program.  The actual and planned costs are consistently reported in the various sections of the business case, and earned value is calculated and presented in the appropriate section of the document.  The PMO is also updating the business case, as required, when new events or significant activities impact the program.

 

Appendix I

 

Detailed Objectives, Scope, and Methodology

 

The overall objectives of this review were to determine whether the HSPD-12[13] PMO is making adequate progress in implementing the HSPD-12 requirements and has addressed the recommendations we made in our prior report.[14]  To accomplish our objectives, we:

I.                    Determined whether the HSPD-12 PMO has made adequate progress in implementing the HSPD-12 requirements.

A.     Determined whether the project has been “re-baselined” (changed the planned costs, schedule, deliverables, and milestones) during the past 12 months.

B.     Determined how the actual costs were tracked.

C.     Compared the OMB deadlines to the estimated project completion date.

D.     Determined causes for any project delays.

II.                 Determined whether the PMO has clearly delineated tasks by functional area to better monitor contractor performance.  We identified the contracts and task orders[15] and determined whether the tasks and deliverables were clearly identified and whether separate task orders were used for HSPD-12 work or if HSPD-12 tasks were combined with task orders for non-HSPD-12 tasks.

III.               Determined whether the PMO and the Contracting Officer’s Technical Representatives were complying with IRS procedures for reviewing and paying contractors’ invoices.

A.     Determined the population of HSPD-12 contractor invoices.

B.     Determined whether the hours billed on contractor invoices were adequately supported, compared the deliverables and work listed on the invoices to the work breakdown structure to determine whether the expenditures were planned, determined whether the Contracting Officer’s Technical Representatives received a written certification from the program manager indicating the hours billed on the invoices were acceptable for the work performed, and determined whether invoices are paid only after a written certification is received from the program manager approving the payments.  We reviewed the monthly invoices submitted by one contractor (Presidio Networked Solutions) for Fiscal Year 2008 and the monthly invoices from another contractor (Booz Allen Hamilton) for the period December 2007 through November 2008.

IV.              Determined whether the HSPD-12 program manager maintains documentation that is sufficient to support all program costs, assigns costs to specific tasks in the work breakdown structure, and uses earned value to measure progress.

A.     Reviewed documentation for all actual and obligated program costs.

B.     Determined actual and obligated program costs for contractors’ work.

C.     Reviewed the program’s current work breakdown structure to determine whether it identified the tasks, dependencies, milestones, deliverables, and costs needed to satisfy the HSPD-12 goals.

D.     Determined whether earned value is being calculated and reported to the HSPD-12 Executive Steering Committee on a regular basis by the program manager.  We evaluated and verified the most current earned value calculations and assessed the budget and schedule status of the project.  We also determined whether earned value and other progress information are regularly reported to the Committee and other governance boards.

V.                 Determined whether the PMO coordinated with the Treasury to evaluate the possibility of combining PKI efforts with those of the GSA.

VI.              Determined what management actions have been taken to enforce the use of the Enterprise Life Cycle.

A.     Identified the improvements that have been made to key project management processes.

B.     Reviewed the most recent business case and determined whether it was reasonably complete and compared actual and planned costs to the costs in the work breakdown structure.  We reviewed the business case for consistency of costs throughout different sections of the business case and reviewed the “summary of spending” table and the justifications and alternative strategies in the business case.

C.     Reviewed the project reports presented to the HSPD-12 Executive Steering Committee and other governance boards to determine whether the reports reflect the project’s status and compliance with the Enterprise Life Cycle.

D.     Reviewed the HSPD-12 Executive Steering Committee charter to determine whether it has been updated to strengthen the Committee’s oversight responsibilities.

 

Appendix II

 

Major Contributors to This Report

 

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services)

Kent Sagara, Acting Director

William A. Gray, Audit Manager

David Brown, Senior Auditor

Michelle Griffin, Senior Auditor

Thomas Nacinovich, Senior Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Operations Support  OS

Chief Technology Officer  OS:CTO

Chief Information Officer  OS:CIO

Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA

Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

            Acting Chief, Agency-Wide Shared Services  OS:A

Chief Technology Officer  OS:CTO

Chief Information Officer  OS:CIO

 

Appendix IV

 

Glossary of Terms

 

Term

Definition

Adjudication

Refers to an applicant’s background investigation as having been completed; the applicant is cleared to receive a badge.

Business Case

Illuminates and clarifies key details such as viable alternatives to the implementation strategy, planned and actual costs, earned value, and other significant details that are critical for decision making.

Contracting Officer’s Technical Representative

Responsible for the contract award and administration process, this person must ensure all terms and conditions of the contracts he or she manages are met and taxpayer dollars are prudently spent.

Earned Value

A required management system that compares the work the project team has finished so far with the estimates made at the beginning of the project.

Enrollment

The process where the applicant is fingerprinted, photographed, and his or her identity is verified.  The enrollment process qualifies the applicant to receive a badge.

Enterprise Life Cycle

Establishes a set of repeatable processes and a system of reviews, checkpoints, and milestones that reduce the risks of system development and ensures alignment with the overall business strategy.  All IRS personnel and contractors involved in information technology efforts are required to follow the Enterprise Life Cycle.

Filing Season

The period from January through mid-April when most individual income tax returns are filed.

HSPD-12 Executive Steering Committee

A committee made up of executives from Treasury bureaus to provide oversight and support implementation efforts.  It is chaired by the IRS Deputy Commissioner for Operations Support and the Treasury Chief Information Officer.

Managed Service Office

Provides Federal Government agencies with interoperable identity management and credentialing solutions that provide end-to-end services to enroll applicants, issue credentials, and manage the lifecycle of these credentials.  The GSA Managed Service Office is the executive agent responsible for managing Government-wide acquisition of information technology to implement HSPD-12 services.

Public Key Infrastructure

An encryption system of digital certificates and other authorities that verify and authenticate the validity of each party involved in an electronic transaction.

Seasonal Employees

Employees hired by the IRS in November of each year and trained prior to the start of the filing season.

Sponsored

An applicant is sponsored when his or her personal information is input into the GSA shared services provider’s computer system.

Task Order

An order for services placed against an established contract.

Work Breakdown Structure

A deliverable-oriented grouping of project elements that organizes and defines the total scope of the project.

 

Appendix V

 

Management’s Response to the Draft Report

 

The response was removed due to its size.  To see the response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.


[1] Policy for a Common Identification Standard for Federal Employees and Contractors (signed by President Bush on August 27, 2004).  This Directive requires all Federal Government agencies to meet standards for issuing identification badges that will be used for entering Federal Government facilities and accessing computer systems.

[2] Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).

[3] See Appendix IV for a glossary of terms.

[4] Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements (Reference Number 2007-20-110, dated June 20, 2007).

[5] The PMO calculated the 73 percent completion by using a total Treasury population of 104,520.  This population improperly excluded seasonal employees and contractors who had not yet been issued badges.  The total population of employees and contractors was 127,922.  We used this number for our calculations.

[6] See Appendix IV for a glossary of terms.

[7] Progress Has Been Slow in Meeting Homeland Security Presidential Directive-12 Requirements (Reference Number 2007-20-110, dated June 20, 2007).

[8] Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).

[9] Memorandum M-08-01, HSPD-12 Implementation Status, dated October 23, 2007.

[10] OMB Reports Significant HSPD-12 Implementation Progress but Areas for Improvement Identified, OMB web site http://www.whitehouse.gov/omb/pubpress/2008/103108_hspd12.html, dated October 31, 2008.

[11] The PMO calculated the 73 percent completion by using a total Treasury population of 104,520.  This population improperly excluded seasonal employees and contractors who had not yet been issued badges.  The total population of employees and contractors was 127,922.  We used this number for our calculations.

[12] Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).

[13] Policy for a Common Identification Standard for Federal Employees and Contractors (signed by President Bush on August 27, 2004).  This Directive requires all Federal Government agencies to meet standards for issuing identification badges that will be used for entering Federal Government facilities and accessing computer systems.

[14] Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).

[15] See Appendix IV for a glossary of terms.