August 18, 2014

MEMORANDUM

TO: Milton A. Mayo Jr.
Inspector General
FROM: Claudia A. Withers
Chief Operating Officer
SUBJECT: EEOC Response to OIG Draft Report 2013-08-PSA-Performance Audit of the Agency's Personnel Security Program

Thank you for the opportunity to provide comments to the above captioned report and for providing an extension to August 15th to enable coordination of the response. Attached are comments and responses to the report for your review and consideration. Due to the comprehensiveness of the report, we have decided to provide the comments of each affected office in total rather than combining them into one narrative. Please do not hesitate to contact me if you have any further questions.

From the Office of the Chief Human Capital Officer:

Report - Performance Audit of the Agency's Personnel Security Program (OIG Report Number 2013-08-PSA) conducted by the EEOC IG.
Response: The EEOC suitability program is designed to adhere to applicable regulations, executive orders, and statutes regarding suitability and fitness determinations; each covered position is designated non-sensitive. Currently, there are no covered positions that fall under Executive Order 12968 (National Security positions) eligibility for access to classified information.
______________________________________________________________________
Recommendations to the Office of the Chief Human Capital Officer from the EEOC IG:
Action: Complete risk designations for the remaining estimated 194 EEOC covered positions (IG):
Response: Designations for 85% of our positions have been completed. To meet the requirement of ensuring that every position within the EEOC is designated at a high, moderate, and low risk level as determined by the position's potential impact that could adversely impinge on the efficiency and integrity of the EEOC, we plan to have this completed by the end of the second quarter of FY 2015.

Action: Complete and begin any outstanding reinvestigations as required by the CFR (IG):
Response: Currently, OPM-Federal Investigative Service (FIS) is advising agencies that it is acceptable to delay implementing public trust reinvestigations; OPM-Federal Investigative Service (FIS) is not assessing agencies' implementation of the Executive Order and regulations pertaining to the reinvestigation requirements for positions of public trust, but is planning to issue implementing guidance once the proposed 5 CFR Part 1400 regulation (which includes reinvestigation requirements for sensitive positions) is finalized.

In accordance with the memorandum issued by OPM-FIS dated April 30, 2014, OPM is implementing a phased deployment of tiered investigations, required to achieve full operating capability (FOC) by the end of fiscal year 2017. A Federal Investigative Standards (FIS) Working Group is currently revising the investigative standards to align national security and suitability investigations to the extent possible in accordance with E.O. 13467 "Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information."

It is the intent of OPM-FIS to direct phased deployment of a tiered background investigation process which builds upon background investigations conducted at lower tiers in an integrated and collaborative manner across all federal agencies. The increased alignment will enhance consistency and efficiency, making government investigations more timely and cost-effective and improving reciprocity.
Early initial operating capability (IOC) for federal agencies to implement the tiered background investigation process is as follows:

IOC for Tiers 1 and 2 (Low Risk and Moderate Risk) is October 2014.
IOC for Tier 3 (Non-Critical Sensitive, L, Confidential, and Secret) is October 2015.
IOC for Tiers 4 and 5 (High Risk-Public Trust and Top Secret / Special Secret) is October 2016.

The goal is all tiers will reach FOC by the end of the fiscal year 2017. Therefore, we have been advised that implementing the reinvestigation requirements prior to the issuance of further guidance from OPM-FIS is not discouraged or encouraged.
Because the position designations play a vital role in the process, and based on the fiscal impact this could have on our budget, we have decided to await final regulations in this area.

Action: Adhere to EEOC policy and federal requirements pertaining to reinvestigations. EEOC should follow their internal policy until further guidance is provided by OPM (IG):
Response: Our internal policy only speaks to the fact that we are required to conduct reinvestigations; however, we notified employees as required about this new procedure and informed them that we are awaiting further instruction in a memorandum dated October 31, 2013. The language, as quoted, is: "Please note that while the public trust reinvestigation requirement §731.106(d) has been in effect since November 2011, OPM has yet to issue implementation guidance to federal agencies in regards to public trust reinvestigations. As such, OCHCO is not conducting these reinvestigations until such time as OPM issues their implementation guidance to federal agencies. Currently, OPM does not have a timeline for issuing their implementation guidance."

Action: Update the policy for the Federal Personnel Payroll System with a timeline and implement the revised standard (IG):
Response: This is considered a procedure; therefore, we will develop Standard Operating Procedures to ensure that we document the procedures for annotating required documents. We will have this completed by the end of the first quarter of FY 2015.

Action: Review all employee eOPFs to ensure proper inclusion of the employee's COI and in instances where the documentation is missing insert the COI (IG):
Response: We will review personnel security files for Certificates of Investigation (COI). If the COI is missing, we will verify e-OPF for the COI or verify the completion and adjudication of the background investigation utilizing the Clearance Verification System (CVS). CVS produces an automated version of the COI that is maintained with OPM-FISD. Therefore, we will download and print the findings and scan them into the employees' e-OPF.
We will also utilize the EEOC Employee Alpha Listing or some form of personnel roster/data to ensure the accuracy of the required information. We propose to have this completed by the end of second quarter of FY 2015.

Action: Report any outstanding EEOC adjudication decisions to the Office of Personnel Management and going forward adhere to the 90 day timeline (IG):
Response: This is currently being addressed with the new-hire, Personnel Security Specialist; going forward we plan to adhere to the OPM requirement of the 90 day timeline. It is reflected in our 2013 assessment conducted by OPM (attached) which shows much improvement over this process since the report in 2010.

Action: Develop and implement a procedure to maintain relevant evidence documenting that the EEOC has informed OPM of the adjudication decisions it has made (IG):
Response: This will also be included in the Standard Operating Procedures we will develop. Given that we have CVS access, we are able to inform OPM of our adjudication decisions electronically. In those cases that we must do it manually, we will continue to use the INV FORM 79A.
In addition, we will continue to maintain a personnel security file for employees, contractors, and affiliates that have a completed background investigation which will consist of:

Cover sheet (snap shot of background investigation information)
COI or the automated version (with background information provided by OPM-FIS)
Resume
OF306
Signature pages (from the e-QIP background investigation application)

Action: Explore and document the decision on using alternative staffing options, such as contract employees, part time employees, or obtaining an employee on detail in order to become current on risk designations, reinvestigations, FPPS, COIs, and adjudication reporting (IG):
Response: We will explore these possibilities as needed now that we have employed a Personnel Security Specialist and Personnel Security Assistant. Final decision will be made at the completion of our action plan.

From the Office of Field Programs:

Under the heading Classified Information Management, the report raises concerns that EEOC does not have "formal, documented policies and procedures to address the safeguarding, transfer, storage or disposal of classified information." The report indicates that EEOC has approximately 18 employees who "currently have access to classified information as a result of EEO complaints filed against intelligence agencies."

Our records show that there are a total of 8 Administrative Judges (AJs) who have security clearances or some form of authorization issued by one or more of the intelligence agencies, most by the FBI. A survey of those individuals reveals that they rarely have access to classified information. Most indicated that over the course of the last three years they have not had a case in which the agency indicated that the file contained classified information as contemplated by Executive Order 13526 (i.e., national security information). In those rare instances where an AJ has handled a complaint in which the respondent agency indicated that the EEO investigative file or other documents relevant to the case contained classified or sensitive information, the documents were redacted before being provided to the AJ. In a few instances, the AJ viewed the documents onsite at the respondent agency.

With respect to the handling of the investigative file from intelligence agencies, the AJs follow the procedures established by the agency submitting the EEO investigative file. This includes such things as the AJ being the only person who can access the file, requiring that decisions by the AJ be reviewed by the agency before being issued to the complainant to ensure that no "classified information" is included in the decision and using aliases for certain individuals identified in the investigative record. In the WFO and the SFDO all such documents are maintained in a safe with only those AJs with security clearances, or otherwise authorized by the respondent agency, having access.
It is important to note that the intelligence agency, not the EEOC, conducts the necessary background checks, issues the security clearance and provides the necessary training. Additionally, the respondent agency controls the manner of access to the documents as well as the level of access.

From the Office of Federal Operations:

Page 3 of the draft states that "In the EEOC Personnel Security and Suitability Handbook, EEOC has designated all positions as Non-sensitive for national security purposes…" This statement is repeated on page 5 of the draft. However, in looking at the Handbook that I found on InSite, on page 3, it states "The majority of EEOC positions are non-sensitive…." I could not locate a statement that indicates all positions have been designated as Non-sensitive.
Later, that paragraph states that "…some EEOC employees are required to handle classified information related to EEO complaints filed against intelligence agencies." In OFO, the staff handles appeals in which classified information has been redacted; classified information is not handled.
Also, in that same paragraph on page 3 of the draft, there are errors in identifying the Office of Federal Operations and the Office of Field Programs.
On page 5, the 4th paragraph reads: "Consequently, EEOC did not develop classified information policies and procedures and each office manages its classified information without benefit of oversight or guidance from senior EEOC officials." This is incorrect in that each office that has some involvement with classified information is managed by a senior official. The statement incorrectly implies that there are no controls over the process.

From the Office of the Chief Financial Officer:

The Office of the Chief Financial Officer (OCFO) fully understands that the protection of Classified National Security Information is critical to our Nation's security and national interests. Executive Order 13526, Classified National Security Information (December 29, 2009), the Code of Federal Regulations (CFR) 32 CFR Parts 2001 and 2003, Information Security Oversight Office: Classified National Security Information; Final Rule (June 28, 2010) and multiple Intelligence Community Directives (ICDs) from the Office of the Director of National Intelligence specifically state requirements for the storage, access, handling, processing, marking, transporting and destruction of Classified National Security Information, to include required training, reporting, documents and program management.

The OCFO, Central Services Division (CSD), supports the mission of the Equal Employment Opportunity Commission (EEOC) with a Supervisory Security Specialist and two Security Specialists. At this present time the OCFO/CSD oversees the functions of life safety, physical security, emergency preparedness and continuity of operations for Headquarters (HQ) and all Field Offices, in cooperation with the Office of Field Programs. The OCFO/CSD does not have oversight of the Classified National Security Information program.

Following are OCFO's comments and recommendations on the Draft Report-Performance Audit of the Agency's Personnel Security Program (OIG Report Number 2013-08-PSA).

Page/Paragraph

Comments and Recommendations

Page 4/Para 2

"Clearances for the employees who handle classified information are initiated by the intelligence agency that works directly with the EEOC employee or his/her supervisor to obtain the information necessary for the clearance process. The employee information is submitted to the intelligence agency that conducts the investigation and renders an adjudication decision."

Comment: Actually, our employees accessing classified national security information fall into two categories: (1) those with fully adjudicated security clearances by the respective sponsoring Intelligence Agency (IA); and (2) those with "special access" or what is commonly referred to as an Interim Clearance, granted by the respective Intelligence Agency, which is primarily the case with the Central Intelligence Agency (CIA) classified cases and respective attorneys and administrative judges. However, these "special access" or interim clearances do not include a full review of security clearance eligibility requirements and adjudicative guidelines. In fact, some of these employees with "special access" or interim clearance have had that designation for 5 years or more; some employees granted full clearances or interim clearances no longer work at the agency and this was never reported to the sponsoring agency or that employee debriefed.

Recommendation: Replace with "Security clearances and special access for the employees who handle classified information are initiated by the sponsoring Intelligence Agency that works directly with the EEOC employee or his/her supervisor to complete the necessary security clearance eligibility package. The employee information is submitted to the sponsoring Intelligence Agency that conducts the background investigation and renders an adjudicative decision and grants eligibility and access levels. This entire process is void of any involvement by the OCHCO and up until recently, without the knowledge of the OCHCO."

Page 4/Para 2

"However, the current process for increasing the clearance level needed to handle classified information does not include OCHCO."

Comment: At this present time, the sponsoring intelligence agencies and EEOC do not have an MOU/MOA established to address the required continual monitoring, evaluation or reporting of an EEOC employee's continued eligibility, or need-to-know of classified information; especially when derogatory and/or disciplinary information or actions are self-reported, discovered or reported and access to classified information should be removed, suspended or revoked. This is why it is important that the agency in custody of the classified information and handling the classified information manage its own employees' personnel security clearance process and adjudication, need-to-know and access in cooperation with the intelligence community agencies EEOC is serving.

Recommendation: Delete "…increasing the clearance level needed to handle classified information does not include OCHCO." Replace with "initiating, granting and monitoring security clearances, need-to-know and security clearance access levels to classified information are not within OCHCO or any other singular office within EEOC HQ."

Page 4/Para 3

"The classified information is stored either as hard copy or on thumb drives provided by the originating intelligence agency."

Comment: A preliminary inquiry of the Classified National Security Information program was conducted by the Supervisory Security Specialist in August 2013 after it was learned that EEOC employees were being sponsored and granted security clearances and that EEOC was in custody of Classified National Security Information. During that inquiry the only mention of the use of a thumb drive was by Todd Denicoff, attorney in the Office of Federal Operations (OFO), who worked with classified cases. Mr. Denicoff explained that when they write a draft decision on a classified case they sit down at their unclassified network workstation computer with the classified file and the redacted/unclassified file. They write their draft decision on the unclassified network workstation computer, using care to write/draft it as unclassified, paying close attention to the redacted/unclassified file. Mr. Denicoff stated that they use this process because oftentimes the redacted/unclassified file is so "blacked-out" that they need the complete classified file to fully comprehend what has happened in the case to render a decision accurately. After the draft decision is completed it is either copied to a thumb drive, other removable media or printed, and then secured in the GSA-approved security container until it is delivered to the Intelligence Agency (IA) courier, usually these are CIA cases, and it is delivered to the IA reviewing official. Once it arrives at the respective IA it is given to a reviewing official that will closely read the draft decision to ensure that there is no classified information contained. Once approved by the IA reviewing official, then the EEOC can finalize or publish the decision.

Therefore, there is the potential for classified information to be within the draft decision, which was created on an EEOC unclassified network workstation. This process described above involves a multitude of dangers, security violations and security infractions that are not addressed in this audit report.

Finally, if an Intelligence Agency were to provide a thumb drive, or other removable media, with classified information on it…then the EEOC attorney would be accessing classified information on our unclassified network and EEOC would have a serious national security violation and classified spillage that must be reported to the Director of National Intelligence and Information Security Oversight Office immediately. The Supervisory Security Specialist spoke with Mr. Denicoff on July 24, 2014 about the thumb drive statement and Mr. Denicoff emphatically stated that to the best of his knowledge, his office has never received a thumb drive containing classified information from any Intelligence Agency. 

Recommendation: Delete the reference to a thumb drive being used to store classified information and being provided by the originating intelligence agency.

NOTE: It is warranted to include a paragraph or comment about the process described above and the potential for classified information to be on the thumb drive containing the EEOC draft decision and that the draft decision is being written on the EEOC unclassified network and there is the potential for classified information to be in that draft decision.

Page 5/Para 4

"Consequently, EEOC did not develop classified information policies and procedures and each office manages its classified information without the benefit of oversight or guidance from EEOC officials."

Comment: None

Recommendation: Delete "EEOC officials" and replace with "the required designated senior agency official in accordance with Executive Order 13526 and 32 CFR Parts 2001 & 2003."

Page 5/ Recommendation

CRITICAL - there must be a recommendation that EEOC "designate a senior agency official to direct and administer the program" (i.e. Classified National Security Information) in accordance with Executive Order 13526, Sec. 5.4.

Comment: It is critical that the audit report clearly state in the findings and/or recommendations that the EEOC must designate a HQ Office that will serve as the senior agency official to direct and administer the classified national security information program. Furthermore, this senior agency official/office must be provided the resources and authority to achieve compliance with the requirements associated with Classified National Security Information program.

Page 5/Recommendation

1. Identify all field offices that store or use classified information.

Comment: None

Recommendation: Delete above recommendation language and replace with:

1. Identify all HQs and Field Offices where classified national security information is safeguarded, handled, processed, reproduced, transmitted, transported, or destroyed.

2. Identify all EEOC employees with (1) current or prior access to classified national security information; (2) a current adjudicated security clearance and the sponsoring agency, if applicable; and (3) special access or interim clearance and the sponsoring agency, if applicable.

NOTE: Item #2 has implications for the OCHCO Personnel Security and Suitability Program functions and operations.

Page 10/Physical Security and Credentialing

Physical Security and Credentialing

Comment: It needs to be clearly defined in the introduction and scope on this topic that the auditors only looked at physical security as it related to credentialing (PIV cards or Agency photo ID) to entry access control and visitor access control to the facility/building and EEOC controlled space.

Furthermore, the tenor of the draft report implies that EEOC has complete control over physical security at the field office locations, i.e. facilities/buildings…and that is far from accurate. EEOC has established policy and guidance in the EEOC Security Plan, Order 370.002 (currently under revision); Space Allocation Guidelines, and the Administrative Manual that address physical security measures, countermeasures and other standards.

For example:

Administrative Manual, Sec. 8.5, Identification and Access Control Card, addresses the proper procedures for wear, accountability and use of these cards for identification and entry access control, to include Federal Investigator Badges and Credentials.

EEOC Security Plan, Order 370.002, addresses Physical Security in Appendix A, to include: Security Design Standards; Identification Badges; Security At Building Entrances; Duress Alarm Systems; Security Guard Services; Security Risk Assessments; and Security Planning. These topics also include collaboration with the General Services Administration (GSA), Federal Protective Services (FPS) and the Facility Security Committee (FSC, formerly known as the Building Security Committee) all of whom make recommendations and determinations about physical security and security countermeasures at federally-controlled buildings for multi-tenant occupants.

The Space Allocation Guidelines go into great detail addressing physical security measures in EEOC controlled space, to include: cipher locks, electric or electromagnetic locking devices, duress alarms, and entry access control of EEOC outer (public) and inner (staff) space.

It is important to note that EEOC has addressed certain physical security measures and countermeasures, to include entry access control, but we can only impose EEOC specific requirements on EEOC controlled space. It is the Facility Security Committee's responsibility to ensure that security procedures and countermeasures at each facility/building are administered properly, to include entry access control. EEOC representation at each respective FSC is mandatory and addressed in a memorandum that was released on November 19, 2013 and FSC representatives are strongly encouraged to voice and vote on physical security measures and countermeasures that meet or enhance security of EEOC staff. Additionally, the FSC representative required training is being added to the EEOC Security Plan for implementation in FY 2015.

Recommendation: The content of this report must clearly delineate the relationship between EEOC physical security requirements and the Facility Security Committee role, in partnership with Federal Protective Service for building/facility security, security countermeasures and entry access control.

Page 10/Para 1

"We noted that EEOC's physical security process is highly decentralized."

Comment: This statement is not taking into account the role of the Facility Security Committee at each respective building/facility and designated Security Organization.

Recommendation: Delete "process" and add "program requirements are limited to EEOC controlled space and the building/facility physical security program is significantly impacted by each field office location's Facility Security Committee voting decisions, where applicable, and technical advice/assistance provided by the designated Security Organization (i.e. Federal Protective Services) as explained in the Facility Security Committees, An ISC Standard, dated January 1, 2012, 2nd edition."

Page 11/Recommendation

"14. a. Providing required annual training for the security lead at each field office location;"

Comment: First, the only current security training requirement applicable to this topic is for FSC members and is found in the Facility Security Committees, An ISC Standard, dated January 1, 2012, 2nd edition, Sec. 4.6, Interagency Security Committee Training. There are four required training courses and it is not an annual requirement.

Recommendation: Delete the term "annual" as it is not an annual requirement. FSC member training requirement was added to the EEOC Administrative Manual and the EEOC Security Plan, 370.002 (currently under revision) for implementation in FY 2015.

Additionally, delete the term "security lead" and replace with "FSC member or designee."

Page 11/Recommendation

"14. b. Performing annual assessments and/or spot checks of field office security measures by the OCFO on a rotational basis as it relates to Interagency Security Committee requirements; and"

Comment: Onsite annual security assessments of all field offices each year are not possible, fiscally or with regard to staffing. The OCFO has implemented onsite security assessments beginning August 2014 with a goal of four (4) field offices by the end of FY 2014. The current program goal is to achieve a minimum of five (5) onsite field office security assessments per fiscal year beginning in FY 2015. However, future budget constraints may require that we modify our plans.

Recommendation: Replace with "Develop and implement a field office onsite security assessment program in coordination with the Office of Field Programs, to include announced and unannounced site visits, which will focus on increasing security posture and awareness at field office locations."

Page 11/Recommendation

"15. Revise the field office self-assessment checklist to include facility security and credentialing information."

Comment: The OCFO will continue the Annual Safety/Security Self Inspection program and will implement the recommendation of increasing more physical security and entry access control questions/assessments in the inspection criteria beginning FY 2015. Regarding relocations of EEOC space, we will continue to work with FPS and the prospective building's FSC to obtain the most current Facility Security Assessment (FSA) to ensure that physical security requirements meet the EEOC minimum standards.

Recommendation: None

Page 12/Recommendation

"17. Increase the responsibility of the Physical Security Manager to improve the level of coordination and review of field office security measures to ensure compliance with EEOC physical security and credentialing requirements."

Comment: The Supervisory Security Specialist and Security Specialists already have all the necessary authority to meet the intent of this recommendation.

Recommendation: Delete this recommendation/finding. Replace with "Increase coordination between OCFO and OFP to improve field office security posture, awareness and training to ensure compliance with applicable EEOC orders and guides; Facility Security Committees, An ISC Standard, dated January 1, 2012, 2nd edition; and other applicable Interagency Security Committee Standards."

cc:

Nicholas Inzeo
Germaine Roseboro
Lisa Williams
Carlton Hadden
Kimberly Hancher