Consumer Product Safety Commission--Voluntary Use of Personally-Owned Equipment to Conduct Government Business
B-327376: Feb 19, 2016
- Full Report:
The Consumer Product Safety Commission's (CPSC) proposed voluntary "bring your own device" program would permit CPSC employees, without reimbursement for attendant costs, to use their personally-owned equipment to conduct official agency business. Such a program would not result in the improper augmentation of CPSC's appropriation, nor constitute a gift from CPSC employees. CPSC may use its appropriation to support the program.
Matter of: Consumer Product Safety Commission—Voluntary Use of Personally‑Owned Equipment to Conduct Government Business
Date: February 19, 2016
The Consumer Product Safety Commission’s (CPSC) proposed voluntary “bring your own device” program would permit CPSC employees, without reimbursement for attendant costs, to use their personally‑owned equipment to conduct official agency business. Such a program would not result in the improper augmentation of CPSC’s appropriation, nor constitute a gift from CPSC employees. CPSC may use its appropriation to support the program.
The General Counsel of the Consumer Product Safety Commission (CPSC) requests a decision as to whether a proposed CPSC program would result in the improper augmentation of CPSC’s appropriation. Letter from the General Counsel, CPSC, to General Counsel, GAO (Sept. 15, 2015) (Request Letter), at 1. Under this program, CPSC employees, on a voluntary basis and without reimbursement for attendant costs, could use their personally-owned equipment (POE) to conduct government business. Id. CPSC defines POE as including laptop computers, tablet devices, and smartphones, and refers to the proposed program as the voluntary “bring your own device” (BYOD) program. Id. As explained below, CPSC’s proposed voluntary BYOD program would not result in the improper augmentation of CPSC’s appropriation nor constitute a gift from CPSC employees. CPSC may use its appropriations to provide support to the program.
This decision addresses only the appropriation law concerns. A myriad of other issues should be addressed by CPSC before implementation, including those posed by the National Institute of Standards and Technology (NIST) standards and guidelines on mobile devices, security and privacy controls, federal records management, and additional enterprise infrastructure costs.
Our practice when rendering decisions is to obtain the legal views of the relevant agency and to establish a factual record on the subject of the request. GAO, Procedures and Practices for Legal Decisions and Opinions, GAO‑06‑1064SP (Washington, D.C.: Sept. 2006), available at www.gao.gov/products/GAO-06-1064SP. In its request, CPSC provides factual information as well as its legal views on its proposed voluntary BYOD program. Request Letter, at 1‑5.
CPSC currently has a program whereby it provides certain employees with smartphones. Request Letter, at 1. Under this program, CPSC purchases the smartphones and pays for the monthly provider plans as well as maintenance and repair costs. Id. CPSC notes that if its proposed voluntary BYOD program were instituted, CPSC would allow an employee who currently has a CPSC-issued smartphone to elect to continue using the device. CPSC would continue to pay for the purchase or replacement of the device, as well as any monthly provider, maintenance, and repair costs for this government provided device. Id.
Participation in CPSC’s voluntary BYOD program would be, as the name implies, strictly voluntary, and as described by CPSC, in part for “the convenience of participating employees.” Id.CPSC explains that participation in the program by an employee who has a CPSC-issued smartphone would allow the employee to conduct official government business on the equipment that the employee prefers (either the employee’s POE or a CPSC-issued smartphone), and should the employee choose to participate in the program, provide the convenience of carrying one device for both official government business and personal purposes. Id. CPSC explains that its employees who have not been issued a smartphone would have the convenience of being able to conduct official business on their POE should they choose to participate in the voluntary BYOD program.
Participating employees would not be reimbursed for the purchase of their POE, and would not be reimbursed for any monthly provider, maintenance, repair, or other costs associated with the use of their POE for official government business. Id., at 1‑2. CPSC states that it, however, would provide technical support services to CPSC employees participating in the voluntary BYOD program. Id., at 3. CPSC notes that its proposed voluntary BYOD program is not required “for CPSC to conduct agency business or carry out its mission.” Id., at 4.
We consider three issues: (1) whether CPSC’s proposed voluntary BYOD program would constitute an improper augmentation of its appropriation; (2) whether employees’ use of their POE would constitute a gift to CPSC; and (3) whether CPSC may use appropriated funds for certain costs of supporting the BYOD program.
Agencies may not augment their appropriations. An augmentation results when an agency obtains and retains money from outside sources without statutory authority. B‑317022, Sept. 25, 2008, at 6. The prohibition against augmentation of appropriated funds results from the application of several fiscal statutes, including the miscellaneous receipts statute and the Antideficiency Act. 63 Comp. Gen. 459, 460 (1984); B-317022, at 6. In concert, those statutes prevent an agency from spending more money than Congress appropriates, thereby maintaining Congress’s control over agency activity. B-317022, at 6.
Generally, the case law on augmentation involves the donation, payment, or transfer of money to, or the acceptance of money by an agency. B-291947, Aug. 15, 2003, at 3; 63 Comp. Gen. at 460. We have also held that the prohibition against augmentation prevents agencies from having others bear costs for which an agency is responsible or liable. See B-300248, Jan. 15, 2004, at 7‑9 (an agency may not avoid the prohibition against augmentation by requiring third parties to pay for an agency’s contractual commitment). Here, CPSC’s proposed voluntary BYOD program would not involve the donation, payment, or transfer of money to, or the acceptance of money by, CPSC. Nor does CPSC’s program provide for the payment of money on CPSC’s behalf by anyone else. Rather, CPSC’s proposed program involves its employees’ voluntary use of POE to conduct government business.
That CPSC’s voluntary BYOD program is in part for the convenience of the CPSC employees is evidenced by the fact the program is, as explained by CPSC, entirely voluntary and not required for the accomplishment of CPSC’s mission. That is, employees who were unable in the past to conduct CPSC business using anything other than CPSC-issued equipment would, should they choose to participate in the voluntary BYOD program, be able to do so using their own POE. In instances where CPSC has determined it necessary for the accomplishment of CPSC’s mission for a particular employee to have the ability to conduct official agency business on a portable electronic device, CPSC would continue to provide such an employee with a smartphone fully paid for and supported by CPSC through its appropriated funds. These employees would only participate in CPSC’s program should they choose to do so on their own volition, presumably because it would be more convenient or employees would prefer to use their own POE, as opposed to a CPSC‑issued smartphone, to conduct CPSC business.
We next consider whether the participation of CPSC’s employees in the voluntary BYOD program, whereby the employees would use their own POE and not be reimbursed by CPSC for any attendant expenses, would constitute a “gift” to the agency by the employees of the use of their POE and any attendant costs.
Gifts are transfers of ownership in property or gratuitous conveyances without any consideration. 63 Comp. Gen. at 461; B-195492, Mar. 18, 1980. As described by CPSC, the employees’ participation in CPSC’s proposed voluntary BYOD program would not constitute a gift from the employees. That is, CPSC’s voluntary BYOD program does not involve the transfer of ownership of the employees’ POE to CPSC. Nor does it involve a gratuitous conveyance without consideration, given the program’s benefit to CPSC employees of increased convenience in the employees’ conduct of official agency business. See 63 Comp. Gen. at 461.
As described, CPSC’s proposed voluntary BYOD program includes the use of appropriated funds to provide technical support services to CPSC employees participating in the program and using their own POE. This raises the issue as to whether CPSC’s appropriation is available for this purpose.
The general rule is that an appropriation is only available for the purpose for which it was appropriated. Where an appropriation is not specifically available for a particular item or service, the use of appropriated funds for the item or service may be authorized as a necessary expense if there is a reasonable relationship between the object of the expenditure and the general purpose for which the funds were appropriated, so long as the expenditure is not otherwise prohibited by law. B‑324588, June 7, 2013, at 4. This rule, known as the necessary expense rule, recognizes an agency’s discretion in using its appropriation to fulfill its purposes. Id.
By statute, federal agencies are responsible for providing information security protections and complying with security standards and guidelines. Federal Information Security Modernization Act of 2014 (FISMA), 44 U.S.C. § 3554. In this regard, federal agencies must, for example, provide “information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of . . . information collected or maintained by or on behalf of the agency.” Id. § 3554(a)(1). As recognized by the Federal Chief Information Officers Council, the implementation of a BYOD program will present an agency with security concerns, including, for example, threats to the security of the agency’s information from the compromise of an employee’s POE due to malware, misuse, or the interception of data as it is transmitted to or from the POE. Federal Chief Information Officers Council, Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs (Aug. 2012), at 7, available at www.whitehouse.gov/digitalgov/bring-your-own-device (last visited Feb. 17, 2016).
In light of these responsibilities and requirements, CPSC would have a reasonable basis for expending appropriated funds on technical support services for its proposed voluntary BYOD program, provided that such technical support services are directed at ensuring compliance with the statutory requirements regarding information security set forth in FISMA or other requirements. Providing such technical support services would directly relate to FISMA’s statutory requirements that each federal agency provide information security protections and comply with security standards and guidelines. 44 U.S.C. § 3554.
In sum, CPSC’s voluntary BYOD program is neither an augmentation of appropriations nor a gift, and CPSC may, within the parameters discussed above, use appropriated funds to support the program. As indicated, an agency’s compliance with the miscellaneous receipts statute is but one of the many relevant considerations applicable to a program such as that contemplated by CPSC. Agencies, including CPSC, should address other issues before implementation, including those posed by the NIST standards and guidelines on mobile devices, security and privacy controls, federal records management, and additional enterprise infrastructure costs. See B‑324214, Jan. 27, 2014, at 4.
CPSC’s proposed voluntary BYOD program would permit CPSC employees, without reimbursement for attendant costs, to use their POE to conduct official agency business. Such a program would not result in the improper augmentation of CPSC’s appropriation nor constitute a gift to CPSC from its employees. CPSC may use its appropriation to support the program.
Susan A. Poling
 The security threats posed by POE in a BYOD environment have also been recognized by NIST. See NIST, Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Pub. 800‑124, Rev. 1 (June 2013), at 4, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf(last visited Feb. 17, 2016). Additionally, our office has recognized the threats to the security of mobile devices, such as smartphones and the information they store. GAO, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged, GAO‑12‑757 (Washington, D.C.: Sept. 18, 2012).