ML24226B294
| Person / Time | |
|---|---|
| Issue date: | 08/13/2024 |
| From: | Virkar H NRC/OIG/AIGA |
| To: | Buhler M NRC/EDO |
| References | |
| DNFSB-24-A-04 | |
Audit of the Defense Nuclear Facilities Safety Board's Freedom of Information Act Program
DNFSB-24-A-04
August 13, 2024
All publicly available OIG reports, including this report, are accessible through the OIG's website at:
nrcoig.oversight.gov
NRC Headquarters, 11555 Rockville Pike, Rockville, Maryland 20852, 301.415.5930
nrcoig.oversight.gov

MEMORANDUM

DATE: August 13, 2024
TO: Mary J. Buhler, Executive Director of Operations
FROM: Hruta Virkar, CPA /RA/, Assistant Inspector General for Audits & Evaluations
SUBJECT: AUDIT OF THE DEFENSE NUCLEAR FACILITIES SAFETY BOARD'S FREEDOM OF INFORMATION ACT PROGRAM (DNFSB-24-A-04)

Attached is the Office of the Inspector General's (OIG) audit report titled Audit of the Defense Nuclear Facilities Safety Board's Freedom of Information Act Program.
The report presents the results of the subject audit. Following the March 25, 2024, exit conference, agency staff indicated that they had no formal comments for inclusion in this report.
Please provide information on actions taken or planned on each of the recommendation(s) within 30 days of the date of this memorandum.
We appreciate the cooperation extended to us by members of your staff during the audit.
If you have any questions or comments about our report, please contact me at 301.415.1982 or Paul Rades, Team Leader, at 301.415.6228.
Attachment: As stated

cc: T. Tadlock, OEDO
G. Garvin, OEDO

Results in Brief

What We Found

The Defense Nuclear Facilities Safety Board's FOIA request processing and communications are sometimes untimely, inconsistent with FOIA requirements, or insufficient to apprise requesters of the reasons for the agency's decision. Due to outdated information, agency FOIA decisions may conflict with statutory requirements or be inconsistent with statutory requirements.
Agency processes must be documented and have adequate controls to ensure data reliability. However, FOIA program records and information are often missing or erroneous. This occurs because the DNFSB lacks controls for its FOIA request management tool, and also lacks an electronic records repository system. As a result, the agency's FOIA program knowledge management and public reporting could be compromised.
The time and materials service contract used for FOIA program support identifies FOIA-specific terms, but some terms were not met. This occurred because the Contracting Officer's Representative (COR) was relatively inexperienced and inadequately supported, and the agency's FOIA program staff did not adequately communicate with the COR. This is important because time and materials contracts are considered high-risk, and thus require enhanced oversight by experienced program staff.

What We Recommend

This report makes eight recommendations intended to improve and strengthen the agency's FOIA program.

Why We Did This Review

The Defense Nuclear Facilities Safety Board (DNFSB) Office of the Inspector General (OIG) conducted this audit because (1) the OIG last audited the DNFSB's Freedom of Information Act (FOIA) program in 2014; and, (2) the FOIA Improvement Act of 2016 changed processes, roles, and responsibilities concerning federal agency FOIA programs.
Five key officials are involved in managing the DNFSB's FOIA program, including the Chief FOIA Officer, FOIA Attorney, and FOIA Public Liaison. Annually, the DNFSB receives approximately 20 to 30 FOIA requests. The DNFSB receives contractor support for the processing of FOIA requests.
The audit objective was to assess the consistency and timeliness of the DNFSB's FOIA request decisions and to assess the agency's effectiveness in communicating FOIA policies to FOIA requesters.

TABLE OF CONTENTS

ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. OBJECTIVE
III. FINDINGS
- 1. FOIA Request Decisions and Communications Are Sometimes Untimely, Inconsistent, or Insufficient
- 2. FOIA Program Records and Information Are Often Missing or Erroneous
- 3. Some FOIA-Specific Contract Terms Were Not Met
IV. CONSOLIDATED LIST OF RECOMMENDATIONS
V. DNFSB COMMENTS
APPENDICES
A. OBJECTIVE, SCOPE, AND METHODOLOGY
B. FOIA EXEMPTIONS
C. FOIA EXCLUSIONS
TO REPORT FRAUD, WASTE, OR ABUSE
COMMENTS AND SUGGESTIONS
NOTICE TO NON-GOVERNMENTAL ORGANIZATIONS AND BUSINESS ENTITIES SPECIFICALLY MENTIONED IN THIS REPORT

ABBREVIATIONS AND ACRONYMS

| Abbreviation | Meaning |
|---|---|
| AD | Administrative Directive |
| CAP | Corrective Action Plan |
| C.F.R. | Code of Federal Regulations |
| COR | Contracting Officer's Representative |
| DNFSB | Defense Nuclear Facilities Safety Board |
| DOE | Department of Energy |
| DOJ | Department of Justice |
| ECIC | Executive Committee on Internal Control |
| FOIA | Freedom of Information Act |
| FY | Fiscal Year |
| GAO | Government Accountability Office |
| NARA | National Archives and Records Administration |
| OGIS | Office of Government Information Services |
| OIG | Office of the Inspector General |
| OIP | Office of Information Policy |
| OMB | Office of Management and Budget |

I. BACKGROUND

The Freedom of Information Act[1] (FOIA) and its subsequent amendments give any person the right to submit a written request for access to federal agency records. The basic purpose of FOIA is to ensure an informed citizenry, vital to the functioning of a democratic society; to provide a necessary check against corruption; and to hold the government accountable to the governed.

The Basics of a FOIA Request
Figure 1: Basics of a FOIA Request. Source: Department of Justice (DOJ)

Steps to Process a FOIA Request
Figure 2: General Steps Agencies Follow to Process a FOIA Request. Source: DOJ

[1] 5 U.S.C. 552.

The Defense Nuclear Facilities Safety Board's (DNFSB's) Procedures Within the Four-Step Processing of FOIA Requests

Step 1: A request is submitted to the DNFSB for records.
FOIA requests to the DNFSB can be submitted through the FOIA.gov web portal, via email to FOIA@dnfsb.gov, or by mail to DNFSB headquarters and addressed to the Chief FOIA Officer. The DNFSB tracks and manages FOIA requests using a Microsoft Excel spreadsheet (FOIA request management tool).
Upon receiving a FOIA request, the DNFSB acknowledges the FOIA request, confirms its receipt, reiterates the FOIA request, provides an agency-assigned FOIA request number, and provides agency contact information to the requester.
Step 2: The DNFSB searches for responsive records.
The DNFSB staff, manually or by automated means, search for records pertaining to a request. This may include searches for responsive records electronically or in desks, file cabinets, bookshelves, hard copy administrative files, and classified documents. For electronic records, staff searches may include the agency's document management system, local area network, individual electronic files (email, shared drive, desktop) and classified files.
Step 3: Records are reviewed for disclosure.
Information can only be withheld if it falls within one of nine FOIA statutory exemptions and the agency either reasonably foresees that disclosure would cause harm or disclosure is prohibited by law. The FOIA Attorney at the DNFSB determines if information in a responsive record is exempt from disclosure.
FOIA provides special disclosure protections for records falling into any of three narrow categories of law enforcement and national security records. Records falling within one of these exclusions are not subject to FOIA disclosure requirements.[2]

[2] For more details on the nine FOIA exemptions and three exclusions, please see Appendices B and C, respectively.

Step 4: The DNFSB responds to the requester and releases disclosable information.
The FOIA Attorney and Chief FOIA Officer approve the disclosure and transmittal of responsive records prior to their release to the FOIA requester.

Contract Work in DNFSB FOIA Processing

Consistent with Federal Acquisition Regulation subpart 7.5, agencies may employ contract workers in FOIA request processing. However, government personnel must perform the inherently governmental aspects of this work, which include approval of FOIA requests and approval of agency responses to administrative appeals of FOIA request denials. Contract workers may provide support to an agency's FOIA personnel to the extent this support does not require discretionary decision-making.
The DNFSB received contract support for FOIA request processing from two different vendors during the period under review for this audit. The first vendor provided services from 2017 to 2019, and the second vendor provided services starting in 2019 with option years through 2024. The current contract is a time and materials administrative and professional services contract covering a broad range of work, including writing and editing, FOIA request processing, accounting, human resources, and administrative support.
Below are the key officials that provide oversight for the DNFSB's FOIA program.

Key Officials for DNFSB FOIA Program Oversight
Figure 3: Roles and Responsibilities of Key FOIA Program Officials

| DNFSB FOIA Program Role | Responsibility |
|---|---|
| Chief FOIA Officer | Manage FOIA program compliance. |
| FOIA Attorney | Ensure legal sufficiency of the FOIA responses; issue final decisions on appeals. |
| Director, Division of Operational Services | Oversee FOIA Public Liaison's work. |
| Contracting Officer's Representative (COR) | Contract oversight and management. |
| FOIA Public Liaison[3] (contractor) | Perform activities to ensure the day-to-day operations of the FOIA program. |

Source: OIG-generated

[3] In this audit report, references to the FOIA Public Liaison and FOIA Contractor are used interchangeably.

II. OBJECTIVE

The audit objective was to assess the consistency and timeliness of the DNFSB's FOIA request decisions and to assess the agency's effectiveness in communicating FOIA policies to FOIA requesters.

III. FINDINGS

The DNFSB's FOIA request decisions and communications are not always timely, consistent, or sufficient. The records and information supporting the FOIA request process are often missing or erroneous. Finally, some FOIA-specific terms in the agency's professional services contract are not met.

- 1. FOIA Request Decisions and Communications Are Sometimes Untimely, Inconsistent, or Insufficient

The DNFSB's FOIA request decisions and communications are sometimes untimely as measured by the deadlines in FOIA, inconsistent with FOIA's requirements, or insufficient to apprise requesters of the reasons for the agency's decisions. This occurred partly because of the agency's outdated FOIA regulations, guidance, and training. Due to outdated information, DNFSB FOIA decisions may be inconsistent with statutory requirements.

What Is Required

Federal statutes and guidance require FOIA request responses to be timely, consistent, and sufficient.

FOIA Requires Timely Responses

According to FOIA, agencies have 20 working days to respond to a FOIA request. Under the FOIA Improvement Act of 2016 (FOIA Improvement Act), agencies may extend the 20-day response time for up to 10 additional working days, for a total of 30 working days, where unusual circumstances apply, and the agency provides timely written notice to the requester. Agencies are granted this 10-day extension flexibility under circumstances such as 1) the need to search for records from field facilities or other locations, 2) the need to search, collect and examine voluminous records; and, 3) the need for consultation with another agency or among two or more components of an agency. An agency must notify a requester of the National Archives and Records Administration's (NARA) Office of Government Information Services (OGIS) dispute resolution services if a request's response time goes beyond 30 working days.

FOIA Addresses Consistency of Communication

The FOIA Improvement Act requires agencies to proactively disclose information and make available for public inspection in an electronic format records that have been requested 3 or more times; this is referred to as the Rule of 3. The Rule of 3 also applies where requests for records are the same or substantively similar.

Government-Wide FOIA Guidance States That Agencies Should Provide Sufficient Information When Communicating with FOIA Requesters and the Public

The DOJ's Office of Information Policy (OIP) provides government-wide training and guidance on sufficiency of information when communicating with FOIA requesters. This includes the minimum information an agency should convey to a requester when acknowledging a FOIA request and the elements of the agency's final response to the requester. The Issue Assessment Recommendations and Best Practices issued by NARA-OGIS,[4] together with guidance from DOJ-OIP,[5] instruct agencies to ensure their public-facing FOIA websites provide sufficient, accurate, clear, and complete information.

Agency FOIA Guidance Provides Instruction for Consistent Application of FOIA Responses and Procedures

The DNFSB's Administrative Directive 231.1 (AD 231.1), Freedom of Information Act,[6] establishes agency procedures for complying with FOIA. The directive instructs agency personnel on the appropriate responses to FOIA requesters and points them to the applicable procedures (see Figure 4).

[4] DOJ-OIP and NARA-OGIS jointly operate as government-wide authorities on FOIA. DOJ-OIP is responsible for developing government-wide policy guidance on all aspects of FOIA administration. NARA-OGIS is the FOIA Ombudsman who resolves FOIA disputes, identifies methods to improve compliance with the statute, and educates stakeholders about the FOIA process.
[5] Per OIP Guidance: Recommendations for FOIA Web Sites and OIP Guidance: Agency FOIA Websites 2.0.
[6] At the time of the OIG's review, the applicable version of AD 231.1 was dated September 4, 2001.

Figure 4: Examples of Agency FOIA Responses or Procedures from AD 231.1

| Occurrence | Instructed Agency Response/Procedure |
|---|---|
| A FOIA request was sent to DNFSB in error, confusing the DNFSB with another agency. | The requester will be informed of the error and the request will be forwarded, if possible, to the appropriate agency. |
| The minimum information in the FOIA request case log record. | The minimum information that must be maintained includes assigned FOIA request number, date of receipt, and summary of request. |
| The FOIA request is vague or overly broad. | The Chief FOIA Officer and FOIA Attorney must both agree the request is not perfected.[7] The FOIA requester is outreached to perfect the request and the statutory timeline is suspended. |

Source:

What We Found

The DNFSB FOIA request decisions and communications with requesters are sometimes untimely, inconsistent, or insufficient.

The DNFSB Does Not Always Meet Statutory Deadlines for FOIA Request Decisions

Four of the 37 judgmentally sampled[8] responses to FOIA requests (approximately 11 percent) did not meet the statutory deadlines.[9] In addition, two other responses did not meet the statutory deadlines due to consultations with other agencies. For example, one FOIA request from fiscal year (FY) 2018 required consultation with the Department of Energy (DOE), the Nuclear Regulatory Commission, the Office of Management and Budget (OMB), the Office of the Administration (within the Executive Office of the President), and the Department of Defense. The DNFSB sent its final response to the FOIA requester approximately 153 days after the FOIA request was perfected. A FOIA request from FY 2017 required consultation with the DOE; this FOIA request took approximately 516 working days to provide a final response to the FOIA requester.

[7] According to the DOJ-OIP, a perfected request is a FOIA request for records which adequately describes the records sought, which has been received by the FOIA office of the agency in possession of the records, and for which there is no remaining question about the payment of applicable fees.
[8] For more information on the judgmentally selected sample and sampling methodology, see Appendix A.
[9] According to the DNFSB's published FOIA annual reports, the number of requests completed after the 20-working-day statutory deadline for FY 2017 to FY 2021 are as follows: 5 of 22 in FY 2017, 6 of 16 in FY 2018, 7 of 14 in FY 2019, 4 of 15 in FY 2020, and 2 of 14 in FY 2021.

The DNFSB's Processing of FOIA Requests Was Sometimes Inconsistent

Seven of the 37 sampled FOIA request decisions (approximately 19 percent) were inconsistent with decisions made on similar FOIA requests. Examples of inconsistency in the application of FOIA involve:
- Denying a FOIA request instead of advising the requester to contact the appropriate agency; and,
- Using different exemptions for substantively the same or similar requests.
For example, in FY 2021, the DNFSB denied a FOIA request for information regarding suspended diversity program activities because the requester poses questions rather than asking for records. DNFSB officials did not, however, follow up with the requester to clarify the scope of the request, as they had done in other cases reviewed by the OIG.
In FY 2017 and FY 2018, the DNFSB received substantively similar FOIA requests for a copy of the DNFSB's intranet page one level down. For the FY 2017 FOIA request, the assigned FOIA Attorney elected to use Exemption 2 to redact agency personnel information, while a different FOIA Attorney assigned to the FY 2018 FOIA request used Exemption 6 to redact agency personnel information.

Communication with FOIA Requesters Is Insufficient or Inconsistent

The DNFSB Does Not Always Provide Sufficient Information to FOIA Requesters

For 24 of the 37 sampled FOIA requests (approximately 65 percent), the DNFSB did not include sufficient information in its outreach to FOIA requesters. Examples of information omitted from acknowledgement letters included:
- the date the agency received the FOIA request;
- the subject of the request;
- whether unusual circumstances existed that prevented the DNFSB from meeting statutory response times;
- confirmation that the FOIA request was perfected[10] or, for certain requests, language providing the requester the opportunity to narrow the scope of the request;
- fee information; and,
- NARA-OGIS contact information language.
Additionally, the DNFSB's final responses to certain requesters lacked required information, such as NARA-OGIS contact information language and administrative appeals language.

Public Communication Is Inconsistent and Does Not Always Adhere to FOIA's Requirements

The DNFSB does not consistently disclose information proactively following FOIA's Rule of 3.[11] The DNFSB disclosed the case logs of FOIA requests from FY 2008 to FY 2015 on the agency's FOIA Reading Room website. However, the DNFSB did not disclose case logs of FOIA requests from FY 2017 to FY 2021, even though the agency received four separate requests for the case logs covering this period. A former Chief FOIA Officer did not approve the posting of the FY 2016 and FY 2017 case logs of FOIA requests because, in this Chief FOIA Officer's view, during that period FOIA had been weaponized by requesters. Although this Chief FOIA Officer authorized posting the FY 2018 and FY 2019 FOIA request case logs, the DNFSB still had not posted approved FOIA responsive records to its FOIA websites at the time of this audit.

[10] A FOIA request is perfected when the request adequately describes the records sought and there is no remaining question about the payment of applicable fees.
[11] See 5 U.S.C. § 552(a)(2)(D)(ii)(II) (requiring that each agency make available for public inspection, in an electronic format, copies of all records that have been requested three or more times).

DNFSB FOIA Websites Do Not Provide Effective Public Communication

The DNFSB websites do not follow DOJ-OIP and NARA-OGIS guidance for effective, user-friendly public communication. Specifically, the OIG's review of the agency's FOIA websites found multiple instances of duplicate documents, nonworking or outdated hyperlinks, uncorroborated hyperlink information, and outdated information.
For example, as of FY 2023, the DNFSB's FOIA Reading Room website contained broken hyperlinks for the following policy directives that affect the public:
- D.111.1, Equal Employment Opportunity Program Directive;
- OP-111.1-1, Equal Employment Opportunity Program Operating Procedure;
- D-112.1, Reasonable Accommodation Program;
- OP 112.1-1, Reasonable Accommodation Program Operating Procedure; and,
- D-260.2, Privacy Program - Directive.
Additionally, the DNFSB last updated the FOIA fee schedule on its website in 2015, even though the agency's FOIA regulations require annual fee schedule updates.[12] The DNFSB FOIA Contractor notified a previous FOIA Attorney at the DNFSB about this problem in FY 2021. However, the fee schedule remained out of date when the OIG reviewed the website for this audit. The DNFSB subsequently published a Notice of Proposed Rulemaking in the Federal Register to revise the FOIA fee schedule, received public comments on the draft rule, and incorporated those comments into the final rule.[13]

[12] 10 C.F.R. § 1703.107(b)(6).
[13] The final FOIA fee schedule rule was pending publication at the time of this report.

Why This Occurred

The DNFSB FOIA regulations and internal guidance are not up to date, and staff are not trained on FOIA-specific responsibilities.

DNFSB FOIA Regulations and Internal Guidance Do Not Fully Address Substantive Changes from Recent Federal Law

The agency's FOIA regulations (10 C.F.R. Part 1703) do not capture substantive changes from the FOIA Improvement Act of 2016. Notably, the regulations do not specify current Chief FOIA Officer responsibilities, such as serving as the primary liaison for DOJ-OIP and NARA-OGIS and as a member of the Chief FOIA Officer Council.[14] The DNFSB's internal FOIA guidance took effect in 2001.[15] This internal guidance does not address the following items:
- Statutory timelines (e.g., timelines applying to decisions on extensions, appeals, and fee waivers);
- Conditions constituting unusual circumstances or otherwise supporting extension of response times;
- The appeals process being free to use;
- Agency handling, processing, and reporting of fees received;
- Perfection policy and allotted time to wait for a requester's response;
- Handling of referrals and consultations (requirements, timelines, and memoranda of understanding with other agencies); and,
- Changes from the enactment of the 2016 FOIA Improvement Act, such as:
  - Allowance of 90 days for the requester to appeal the agency FOIA decision;
  - Limits on the use of search fees; and,
  - Additional Chief FOIA Officer duties, including providing agencywide FOIA training, acting as a liaison between the DOJ-OIP and/or NARA-OGIS, and reviewing the agency's FOIA compliance.

[14] At the time OIG completed audit fieldwork, the DNFSB was in the process of drafting revised FOIA regulations that could conceivably address some of these issues.
[15] The DNFSB also drafted a revised FOIA policy directive, but the revised directive was not finalized or in effect before the audit fieldwork was completed.

FOIA Personnel Are Not Trained on FOIA-Specific Responsibilities

Key officials responsible for FOIA program oversight have either not taken FOIA-specific training or lack documentation of training completion.
Program officials confirmed the agency did not offer its staff substantive FOIA-specific training from FY 2017 to FY 2021, despite free training opportunities offered by the DOJ-OIP. Additionally, the FOIA Contractor claimed to have taken annual DOJ-OIP FOIA training but did not provide documentation of training attendance or completion to the OIG. Following this audit's review period, the DNFSB instituted training for all staff, including federal employees and contractors, and reported a 95% completion rate for calendar year 2023.

Why This Is Important

DNFSB FOIA Decisions May Be Inconsistent with FOIA and the Statute's Underlying Goals

Inconsistent and untimely FOIA request decisions can undermine FOIA's goals of promoting transparency and openness regarding agency operations.
For example, one FOIA requester interviewed by the OIG expressed concerns about the DNFSB's FOIA process, including claims that the agency improperly processed a FOIA request that had political content, inadequately searched for responsive documents, imposed an artificial narrowing of a FOIA request, and unnecessarily used exemptions to withhold information.[16] For example, the potential effect of not performing an adequate search for records is the unjustified denial of information to a requester. In one informally disputed FOIA decision in FY 2017, a FOIA requester asked for specific documents used in briefings by the DOE to the DNFSB. The FOIA requester identified the document names and dates used in those briefings in the FOIA request. The final response by the agency specified there were no documents responsive to the request.[17] Since the specific names and dates of the documents were provided in the original request, the FOIA requester informally disputed the FOIA request and requested a re-examination of the agency's response. In processing the re-examination request, the FOIA Contractor admitted to not performing an email search independent of asking specific individuals for their possession of the responsive documents.[18]

[16] The OIG contacted multiple FOIA requesters to solicit public feedback on the DNFSB FOIA program. Only one requester participated in an interview with OIG auditors. Given the relatively small population of DNFSB FOIA requesters and a small sample size, this particular requester's views may not represent a majority of the requesters' views. However, this requester's views illustrate how agency conduct can affect public perceptions of agency performance and transparency.
[17] The responsibility for record retention of these particular documents resided with the DOE.
[18] Per the DOJ Guide to the FOIA, the adequacy of a FOIA search is judged on a test of reasonableness, which varies from case to case. At times, the records custodians selected by the agency to search are examined by the court, with searches found to be reasonable when the selection was adequately explained but unreasonable when the selection was not. The reasonableness of an agency's search can often depend on whether the agency properly determined where responsive records were likely to be found and searched those locations or whether the agency improperly limited its search to certain record systems. In this case, it is reasonable to assume that a FOIA search would include email or other electronic file repositories, given that federal government documents are commonly generated, stored, and transmitted by electronic media.

Recommendations

The OIG recommends that the DNFSB:
1.1 Revise its FOIA regulations to capture substantive changes from the FOIA Improvement Act of 2016;
1.2 Update its internal FOIA guidance for statutory timelines, extension conditions, fee waivers, perfection policy, referrals, and consultations;
1.3 Require annual FOIA-specific training for key officials involved in its FOIA program oversight; and,
1.4 Develop a quality assurance process to review FOIA responses for completeness.

- 2. FOIA Program Records and Information Are Often Missing or Erroneous

Agency processes must be documented, and adequate controls must be implemented to ensure data reliability. At the DNFSB, however, key FOIA program records and information are often missing or erroneous. This occurs because the DNFSB lacks controls for its FOIA request management tool and does not have an electronic records repository system. As a result, the agency's FOIA program knowledge management could be compromised, and the agency risks reporting incorrect information to the public regarding the FOIA program's performance.

What Is Required

Agency Processes Must be Documented, and Adequate Controls Must Be Implemented to Ensure Data Reliability

Agency processes must be documented, and the documentation must be kept as agency records in accordance with the Federal Records Act of 1950.[19] Additionally, the Government Accountability Office (GAO) Green Book explains that accurate and timely recording of transactions helps to maintain data relevance and value to management in controlling operations and making decisions. Management should also design control activities so that all transactions are completely and accurately recorded. In addition, as explained in the GAO's report GAO-20-283G, Assessing Data Reliability, information system controls support the underlying structures and processes of the system where data is maintained. They consist of those internal controls that depend on information systems processing and include general controls, application controls, and user controls.

[19] The NARA's General Records Schedule 4.2 and the DOJ's Guide to FOIA further state the general record retention period for files and supporting documentation for FOIA requests are six years after the agency's final action on the request.

What We Found

FOIA Program Records and Information Are Often Missing or Erroneous

Records Validating the Timeliness Requirements of the FOIA Are Missing

Ten of the 37 sampled FOIA request cases (approximately 27%) were missing records that would validate the DNFSB's compliance with statutory timeliness requirements (i.e., the 20- and 30-day standards). Records representing the start of the statutory clock are either the original perfected FOIA request or the confirmation of a perfected request following discussion with the requester. The statutory clock ends when an agency issues its response with the requested decision and responsive documents, if applicable.

Records Supporting FOIA Request Processing Are Missing

For 30 of the 37 sampled FOIA requests (approximately 81 percent), the OIG identified missing records that would have supported the FOIA request processing, such as the request acknowledgment letter, responsive document identification, and documentation relating to processing, redaction, and approval of the request.

The FOIA Request Management Tool Shows Data Discrepancies

The DNFSB manually aggregates information from every FOIA request in the FOIA request management tool (i.e., Microsoft Excel spreadsheets) to track and manage requests. This tool contains the relevant information for all FOIA requests received by the DNFSB from the start to the end of each fiscal year. This includes information such as the FOIA requester, agency-assigned tracking number, request receipt date, and request closure or disposition decision date. The DNFSB's FOIA request management tool contained numerous errors:
- Of the 37 sampled FOIA request cases, 16 contained input errors (approximately 43%), including incorrect dates and other information pertaining to referred or consulted agencies, fee waivers, case disposition, or exemptions; and,
- Information for specific fiscal years was erroneously copied into the management tool for different fiscal years. For example, FY 2017 FOIA request information appeared in both FY 2017 and FY 2018 spreadsheets. Similarly, FY 2019 FOIA request information appeared in both FY 2019 and FY 2020 spreadsheets.
The OIG identified these errors by comparing the FOIA tracking spreadsheets with the original documentation and communications for the respective FOIA requests held within the agency's FOIA email inbox. This email inbox was the DNFSB's main form of communication with FOIA requesters for requests received during the FY 2017 to FY 2021 period.
In response to OIG data requests for the FY 2017 to FY 2021 period, the DNFSB provided the FOIA request management tool. Upon review, the OIG determined information regarding FOIA request referrals and consultations was missing from the tool. The OIG also noticed blank cells that should have contained information. Following this, the OIG requested the missing referral and consultation information. Upon receiving the revised set of FY 2017 to FY 2021 information, the OIG found that, although the tool now included information regarding referrals or consultations, it had also been modified in other sections for all five fiscal years between the first and second iterations of the documents submitted to the OIG.
Records Supporting FOIA Program Improvement Are Missing
In response to an OIG request for documentation of internal FOIA program reviews, the DNFSB provided its Executive Committee on Internal Control (ECIC) corrective action plan (CAP)20 documentation related to FOIA, which the DNFSB maintains in lieu of performing the annual Chief FOIA Officer reviews.21 The DNFSB provided less documentation than was available in the OIG's own records22 of the FOIA program review through the ECIC. The gap between DNFSB-provided documentation and the OIG documentation is shown in Figure 5.
Figure 5: The DNFSB FOIA Program Review Records Compared to the OIG Internal Records for FY 2017 to FY 2021
Source: OIG-generated
20 The ECIC is the executive body that advises the Chairperson and the Board Members on whether there are any internal control deficiencies that are serious enough to report as material weaknesses to the President and Congress. CAPs are needed to prevent the risk of potential waste, loss, unauthorized use, misappropriation, inability to perform mission-related work, or noncompliance with law or regulation.
21 The DOJ-OIP encourages but does not require annual Chief FOIA Officer reviews for agencies that receive fewer than 50 FOIA requests per year.
22 The OIG regularly attends the ECIC meetings, although it attends the meetings as an observer.
When the OIG requested documentation related to the DNFSB's FOIA program improvement efforts, staff provided the 2019 CAP, which showed that the program improvement items were closed. The OIG's internal documentation regarding the ECIC meetings, however, showed that while four corrective actions to remedy various deficiencies were proposed, not all deficiencies had corresponding corrective actions. Senior DNFSB officials explained that not every deficiency needs a matching corrective action. In addition, they noted that corrective action proposals are simply proposals, and that the agency is not obligated to implement all proposed corrective actions.
Based on the information in the OIG's internal records, the OIG ascertained the following information about the agency's FOIA program improvements through the internal control review approved by the ECIC:
- Status of the program assessment;
- Risk level of the FOIA program assessment; and,
- Number of items assessed (29) and deficiencies discovered (8).
The eight deficiencies occurred in the following areas of the FOIA program:
- Lack of timeliness according to the statute;
- Missing records needed to support FOIA request processing;
- Outdated publicly posted information; and,
- Lack of regular, periodic FOIA training of DNFSB personnel.
The OIG's internal documentation regarding the ECIC meetings showed that the DNFSB proposed four corrective actions to remedy the eight deficiencies referenced above, although not all deficiencies had corresponding corrective actions.
Why This Occurred
The DNFSB lacks controls for the FOIA request management tool and does not have an electronic records repository.
There Is No Requirement for Systematic Quality Checks on the FOIA Request Management Tool Data
Periodic testing of inputs in the FOIA request management tool is not required in either agency policy or operating procedures. Regular approval of the FOIA request management tool is also not required by agency policy or operating procedures. Access and ability to make changes to data in the FOIA request management tool is not limited only to key FOIA program staff.
The DNFSB Does Not Have an Electronic Records Repository or Case Management System
The service contract used for FOIA program support addresses digitization of agency records. Agency records that are in the process of being digitized, and those that are already digitized, necessitate a records repository that is easily searchable so that the DNFSB can ensure it adequately searches for records that are responsive to FOIA requests. Current and historical case files are stored on a shared drive, which is only accessible for personnel with FOIA responsibilities.
The DNFSB did not consider a case management system for use in the FOIA program despite available options, such as the General Services Administration FOIA case management solution, which is available government-wide. This case management option is also noted within the NARA-OGIS Issue Assessment Recommendation. A key official in the DNFSB's FOIA program stated that commercially available FOIA case management system options were impractical for the DNFSB, due to the agency's low FOIA caseload volume. As of December 16, 2022, the DNFSB had no electronic records management system23 at the agency, but the agency was in the process of adopting electronic service center technology to better manage workflows associated with FOIA requests and case management. As of July 1, 2023, the DNFSB still had not acquired such a system, but the agency had hired NARA to aid in complying with federal electronic records management requirements.24
23 NARA-OGIS FOIA Issue Assessment Recommendations noted an update to the Federal Acquisition Regulation, which requires all agencies to consider FOIA obligations when acquiring electronic records management software.
24 In accordance with OMB Memoranda M-19-21 and M-23-07, agencies are required to follow NARA electronic records management standards and requirements.
Why This Is Important
The DNFSB risks knowledge management and internal decision-making problems, as well as incorrect FOIA reporting.
The DNFSB Risks Knowledge Management and Public Reporting Problems
Heavy reliance on a single FOIA Contractor concentrates institutional knowledge of the DNFSB's FOIA program in one non-governmental employee, thereby creating a single point of failure if the contractor resigns or takes leave for extended periods of time. For example, the DNFSB received two FOIA requests while the FOIA Contractor was on leave during FY 2017. These requests were not tracked properly in his absence. One request was recorded as finished without having been started. The other request was recorded as started but not finished after the request had been closed.
The DNFSB Submitted Erroneous FOIA Reports to the DOJ-OIP
Federal agencies are required to send annual FOIA reports to the DOJ-OIP for review on a fiscal year basis. These reports include the number of FOIA requests received by each agency and show agency performance with respect to timeliness metrics. The DNFSB's FY 2017 and FY 2018 annual reports had errors that were discovered by the DOJ-OIP, thereby requiring correction by the DNFSB. These errors included FOIA requests that were labeled as processed but were never processed because the requests did not reasonably describe what information was requested. This type of agency error was made on the annual submission to the DOJ-OIP for both FY 2017 and FY 2018.
Further, in the DNFSB's FY 2018 submission, the DOJ-OIP found additional errors in entries addressing the disposition and timeliness counts of requests.
Errors were present in the DNFSBs reports despite their approval by the FOIA Attorney and Chief FOIA Officer prior to submission to the DOJ-OIP.
Upon notification of the errors in the DNFSB submissions, the FOIA Public Liaison found additional reporting errors the DOJ-OIP had not detected, such as an error in the number of exemptions cited in the submitted FY 2017 report and a couple of fundamental errors in the submitted FY 2018 report. In addition, the FOIA Attorney directed the FOIA Public Liaison to correct the completion time of the agency's response to a specific FOIA request in the FY 2018 report, but incorrectly instructed the FOIA Liaison to use calendar days, instead of working days,25 as required by the statute.
Lastly, the FOIA Public Liaison admitted that there is not a precise methodology to determine FOIA-related full-time equivalents in the DNFSB's annual report. However, the DOJ-OIP did not reject the DNFSB's submission, so the FOIA Public Liaison assumed the information had been reported correctly.
25 Calculation of FOIA request timelines excludes Saturdays, Sundays, and legal public holidays.
Recommendations
The OIG recommends that the DNFSB:
2.1 Develop and implement systematic quality assurance procedures for FOIA request tracking and management; and,
2.2 Complete compliance with and implementation of the NARA's electronic records management requirements as they pertain to FOIA records.
3. Some FOIA-Specific Contract Terms Were Not Met
The service contract used for FOIA program support identifies FOIA-specific terms, but some terms were not met during the period of the OIG's review. This occurred because the COR was relatively inexperienced and not supported by adequate resources, and also because the COR and the agency's FOIA program staff did not adequately communicate regarding contractor performance of FOIA-specific work. This time and materials contract is relatively high-risk compared to fixed price contracts; therefore, it requires more rigorous oversight.26
What Is Required
Service Contract Identifies FOIA-Specific Terms
The service contract used for FOIA program support obligates the contractor to provide professional and administrative support on a time and materials basis to the DNFSB. The contractor is responsible for providing professional and administrative personnel support to perform all tasks identified in the scope of work. The FOIA-specific terms are detailed in this contract's personnel requirements and deliverables section.27
26 This contract is considered high-risk due to its high dollar value and time and materials structure.
27 The current support contract took effect in 2019 and has option years continuing through 2024.
What We Found
Some FOIA-Specific Contract Terms Were Not Met
Findings 1 and 2 of this audit report reveal that some FOIA-specific contract terms were not fully met during the period of the OIG's review. Figure 6 below summarizes these unmet contract terms.
Figure 6: FOIA-Specific Unmet Contract Terms
| Contract Terms | Issues Discovered Through This Audit |
|---|---|
| Seeks scope clarification from requesters as needed. | Examples of inconsistencies in application of decisions related to FOIA requests (Finding 1). |
| Maintains a complete and accurate administrative record. | Data reliability issues of the FOIA request management tool (Finding 2). |
| Maintains agency records, correspondence, and tracking sheets throughout the government information management lifecycle. | Records management issues of FOIA timeline verifying and processing records (Finding 2). |
| Prepares FOIA responses within regulatory prescribed time frames. | Statutory deadlines for FOIA request decisions are unmet (Finding 1). |
| Reviews and updates operating procedures annually. | DNFSB's finalized FOIA internal guidance was last updated in 2001 (Finding 1). |
| Maintains FOIA tracking statistics. | Data reliability issues of the FOIA request management tool and external reporting deficiencies (Finding 2). |
Source: OIG-generated
Why This Occurred
The DNFSB has not prioritized FOIA contract administration, as evidenced by the assignment of an inexperienced COR to a high-risk contract and inadequate communication regarding contract performance problems.
Inexperienced COR Not Supported by Adequate Resources
The DNFSB did not consider this contract's complexity and dollar value when assigning an inexperienced COR to this contract as an ancillary duty. The contract includes a broad range of professional services, including FOIA program support, and the COR oversees 17 contractor employees (including the contract employee assigned to FOIA duties) working on a contract worth approximately $2 million for the base award, and approximately $10 million28 if all option years are elected.
The COR has not taken the FOIA training provided by the DOJ-OIP and lacks FOIA-specific technical knowledge that would enhance oversight of the contract's FOIA-specific portions. The COR also lacked the Federal Acquisition Certification for Contracting Officer's Representatives certification for other contracts prior to assignment as COR for this contract. Further, this was the employee's first COR assignment, which conflicts with federal contracting regulations stating that only experienced staff should be assigned to contracts with high dollar value, complexity, or risk.29
The current COR was meant to serve on an interim basis. However, this eventually became a long-term assignment due to turnover in the Director of the Division of Operational Services position. The previous Director of the Division of Operational Services served as the COR from 2017 to 2019 before retiring. The current COR subsequently inherited contract oversight duties while three different employees served as the Director of the Division of Operational Services from 2019 to 2023.30
Inadequate Communication Among Agency FOIA Personnel
The COR was not notified of items impacting contract administration by other DNFSB staff who worked regularly with contractor personnel on FOIA program matters. Specifically, the COR was not notified of the following:
- Problems in meeting the contract terms;
- Delays in processing FOIA requests, despite complaints by the FOIA Attorney; and,
Additionally, the COR was not included in any email records provided to the OIG in support of FOIA tracking and program management, including emails transmitting erroneous FY 2017 and FY 2018 annual reports to the DOJ-OIP.
28 The FOIA portion of the contract is projected to account for approximately $335,000 of total contract value if all option years are elected.
29 The Federal Acquisition Institute's requirements for COR certification include one year of Level I COR experience prior to working as a Level II COR. Additionally, General Services Acquisition Manual Section 501.604 states that if an employee has been appointed to serve as a COR, but does not hold an active Federal Acquisition Certification (FAC)-COR certification at the appropriate level within 6 months from the date of the appointment, the Contracting Officer shall remove the employee from the appointment until the certification has been obtained.
30 DNFSB-24-A-01 The Inspector General's Assessment of the Most Serious Management and Performance Challenges Facing the Defense Nuclear Facilities Safety Board in Fiscal Year 2024, dated November 3, 2023, addresses the DNFSB's difficulties recruiting and retaining staff.
Similarly, in 2018,31 the DNFSB's FOIA Attorney denied a contractor request to extend the statutory deadline for responding to a FOIA request and expressed concerns about delays in processing this FOIA request.32 Despite the FOIA Attorney's concerns, the FOIA Attorney did not include the COR on any communication with other agency staff indicating a contract deliverable was unmet.
Why This Is Important
High Risk Contracts Require Enhanced Oversight
Since 2007, the GAO and the OMB have highlighted risks associated with the use of time and materials contracts. In 2011, the OMB directed federal agencies to reduce spending on high-risk contracts, and more recently, in 2021, issued a memorandum reminding agencies that time and materials contracts are considered high-risk because the contractor is paid a fixed labor rate for the number of hours worked plus actual materials costs incurred, so there is little incentive to control costs.33 Due to its relatively high risk, this contract type requires enhanced oversight to ensure the government gets best value for taxpayer resources and that those resources are managed appropriately.
31 The COR referenced in this section was a predecessor of the current COR.
32 The FOIA contractor was unfamiliar with DNFSB information technology procedures and capabilities used to support searches for responsive documents.
33 OMB Memorandum to the Heads of Executive Departments and Agencies M-21-11, Increasing Attention on Federal Contract Type Decisions, Jan. 5, 2021.
Recommendations
The OIG recommends that the DNFSB:
3.1 Ensure sufficient subject matter expertise, experience, administrative support, and authority to oversee the FOIA-specific portions of the administrative services contract adequately; and,
3.2 Establish procedures to ensure transparent communication with the COR on developments in the FOIA program and facilitate adequate monitoring of the FOIA-specific sections of the contract in accordance with its terms.
IV. CONSOLIDATED LIST OF RECOMMENDATIONS
The OIG recommends that the DNFSB:
1.1 Revise its FOIA regulations to capture substantive changes from the FOIA Improvement Act of 2016;
1.2 Update its internal FOIA guidance for statutory timelines, extension conditions, fee waivers, perfection policy, referrals, and consultations;
1.3 Require annual FOIA-specific training for key officials involved in its FOIA program oversight;
1.4 Develop a quality assurance process to review FOIA responses for completeness;
2.1 Develop and implement systematic quality assurance procedures for FOIA request tracking and management;
2.2 Complete compliance with and implement the NARA's electronic records management requirements as they pertain to FOIA records;
3.1 Ensure sufficient subject matter expertise, experience, administrative support, and authority to oversee the FOIA-specific portions of the administrative services contract adequately; and,
3.2 Establish procedures to ensure transparent communication with the COR on developments in the FOIA program and facilitate adequate monitoring of the FOIA-specific sections of the contract in accordance with its terms.
V. DNFSB COMMENTS
The OIG held an exit conference with the agency on March 25, 2024. Before the exit conference, agency management reviewed and provided comments on the discussion draft version of this report, and the OIG discussed these comments with the agency during the conference. Following the conference, agency management stated their general agreement with the findings and recommendations in this report and opted not to provide additional comments. The OIG has incorporated the agency's comments into this report, as appropriate.
Appendix A
OBJECTIVE, SCOPE, AND METHODOLOGY
Objective
The audit objective was to assess the consistency and timeliness of the DNFSB's FOIA request decisions, and to assess the agency's effectiveness in communicating FOIA policies to FOIA requesters.
Scope
This audit focused on the DNFSB's FOIA process from FY 2017 to FY 2021. We conducted this performance audit at DNFSB headquarters (Washington, D.C.) and in Rockville, Maryland, from December 2022 to July 2023.
The OIG reviewed and analyzed internal controls related to the audit objective, specifically, the components of the control environment, control activities, information and communication, and monitoring. Within those components, the OIG reviewed the principles of establishing structure, responsibility, and authority; demonstrating a commitment to competence; enforcing accountability; designing control activities; implementing control activities; using quality information; communicating internally; communicating externally; performing monitoring activities; and, evaluating issues and remediating deficiencies.
Methodology
The OIG reviewed relevant criteria for this audit, including, but not limited to:
- 5 U.S.C. § 552 - The Freedom of Information Act;
- Public Law 114-185 - FOIA Improvement Act of 2016;
- The DNFSB's FOIA Improvement Plan;
- The DNFSB's FOIA Regulations;
- The DNFSB's FOIA Reference Guide;
- GAO-20-283G: Assessing Data Reliability; and,
- NARA General Records Schedule 4.2.
The OIG interviewed the administrative services contract's project manager, the contract's records management contractor, the contractor specifically tasked with FOIA duties, the DNFSB staff and management involved with the FOIA program, and one FOIA requester after attempting to speak with 12 others.
To assess the DNFSB's FOIA request processing performance, the OIG analyzed a judgmental sample of FOIA cases that are typically received and processed through the DNFSB's FOIA email. The OIG derived its judgmental sampling criteria from FOIA case attributes that could present the risk of errors in consistency, timeliness, and communication with FOIA requesters. These attributes include the frequency of requests sent by a single requester, the final disposition of requests (e.g., referral, consultation, or denial), and whether a requester appealed the DNFSB's final decision. The OIG selected 37 unique FOIA cases from a population of 107 FOIA cases that fell within the audit's scope from FY 2017 to FY 2021, with multiple attributes for review.
To assess the reliability of data used to address this audit's objectives, the OIG (1) performed electronic testing; (2) corroborated with source documentation in the DNFSB FOIA email; and, (3) interviewed agency officials knowledgeable about the FOIA request management tool data. This testing showed a high incidence of missing and erroneous data in the FOIA request management tool, highlighted in Finding 2.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Throughout the audit, auditors considered the possibility of fraud, waste, and abuse in the program.
The audit was conducted by Paul Rades, Team Leader; Tincy Thomas de Colón, Audit Manager; Connor McCune, Senior Auditor; Karen Corado, Management Analyst; and Jocelyn Rivera, Student Intern.
Appendix B
Figure 7: FOIA Exemptions
| Exemption | Exemption Detailed Description |
|---|---|
| Exemption 1 | Information that is classified to protect national security. |
| Exemption 2 | Information related solely to the internal personnel rules and practices of an agency. |
| Exemption 3 | Information that is prohibited from disclosure by another federal law. |
| Exemption 4 | Trade secrets or commercial or financial information that is confidential or privileged. |
| Exemption 5 | Privileged communications within or between agencies, including those protected by the: Deliberative Process Privilege (provided the records were created less than 25 years before the date on which they were requested); Attorney-Work Product Privilege; or, Attorney-Client Privilege. |
| Exemption 6 | Information that, if disclosed, would invade another individual's personal privacy. |
| Exemption 7 | Information compiled for law enforcement purposes that: A. Could reasonably be expected to interfere with enforcement proceedings; B. Would deprive a person of a right to a fair trial or an impartial adjudication; C. Could reasonably be expected to constitute an unwarranted invasion of personal privacy; D. Could reasonably be expected to disclose the identity of a confidential source; E. Would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law; or, F. Could reasonably be expected to endanger the life or physical safety of any individual. |
| Exemption 8 | Information that concerns the supervision of financial institutions. |
| Exemption 9 | Geological information on wells. |
Source: The DOJ FOIA Exemptions
Appendix C
Figure 8: FOIA Exclusions
| Exclusion Number | Exclusion Detailed Description |
|---|---|
| Exclusion 1 | Subject of a criminal investigation or proceeding is unaware of the existence of records concerning the pending investigation or proceeding and disclosure of such records would interfere with the investigation or proceeding. |
| Exclusion 2 | Informant records maintained by a criminal law enforcement agency and the individual's status as an informant is not known. |
| Exclusion 3 | Existence of FBI foreign intelligence, counterintelligence or international terrorism records are classified fact. |
Source: The United States Treasury, Financial Crimes Enforcement Network FOIA Exclusions
TO REPORT FRAUD, WASTE, OR ABUSE
Please Contact:
Online: Hotline Form
Telephone: 1.800.233.3497
TTY/TDD: 7-1-1, or 1.800.201.7165
Address: U.S. Nuclear Regulatory Commission Office of the Inspector General Hotline Program Mail Stop O12-A12 11555 Rockville Pike Rockville, Maryland 20852
COMMENTS AND SUGGESTIONS
If you wish to provide comments on this report, please email the OIG using this link.
In addition, if you have suggestions for future OIG audits, please provide them using this link.
NOTICE TO NON-GOVERNMENTAL ORGANIZATIONS AND BUSINESS ENTITIES SPECIFICALLY MENTIONED IN THIS REPORT
Section 5274 of the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023, Pub. L. No. 117-263, amended the Inspector General Act of 1978 to require OIGs to notify certain entities of OIG reports. In particular, section 5274 requires that, if an OIG specifically identifies any non-governmental organization (NGO) or business entity (BE) in an audit or other non-investigative report, the OIG must notify the NGO or BE that it has 30 days from the date of the report's publication to review the report and, if it chooses, submit a written response that clarifies or provides additional context for each instance within the report in which the NGO or BE is specifically identified.
If you are an NGO or BE that has been specifically identified in this report and you believe you have not been otherwise notified of the report's availability, please be aware that under section 5274 such an NGO or BE may provide a written response to this report no later than 30 days from the report's publication date. Any response you provide will be appended to the published report as it appears on our public website, assuming your response is within the scope of section 5274. Please note, however, that the OIG may decline to append to the report any response, or portion of a response, that goes beyond the scope of the response provided for by section 5274. Additionally, the OIG will review each response to determine whether it should be redacted in accordance with applicable laws, rules, and policies before we post the response to our public website.
Please send any response via email using this link. Questions regarding the opportunity to respond should also be directed to this same address.