Why We Did This Project
“We performed this audit to assess the U.S. Environmental Protection Agency’s compliance with the fiscal year 2019 Inspector General reporting instructions for the Federal Information Security Modernization Act of 2014…”
What We Found
“We assessed the maturity of the EPA’s information security program at Level 3, Consistently Implemented. A Level 3 designation means that the EPA’s policies, procedures, and strategies are consistently implemented, but quantitative and qualitative effectiveness measures are lacking. To determine the EPA’s maturity level, we reviewed the five security function areas outlined in the FY 2019 IG FISMA Reporting Metrics: Identify, Protect, Detect, Respond, and Recover. We also reviewed the eight corresponding domains: Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning.”
“While the EPA consistently implemented policies, procedures, and strategies for many of these function areas and domains, improvements are still needed:
- Risk Management: The EPA did not implement standard data elements for software and associated licenses used within the Agency’s information technology environment, and the plans of action and milestones were not consistently used to mitigate security weaknesses.
- Incident Response: The EPA did not implement prescribed technologies to support its incident response program.”
Recommendations and Planned Agency Corrective Actions
“We recommend that the Assistant Administrator for Mission Support (1) develop and maintain an up-to-date inventory of Agency software and associated licenses, (2) establish a control to validate that Agency personnel are creating the required plans of action and milestones associated with vulnerability testing, and (3) implement prescribed technologies to support the EPA’s incident response program.”
“The Agency concurred with our recommendations and provided acceptable corrective actions. All recommendations are considered resolved with planned corrective actions pending.”
Source: EPA Needs to Improve Its Risk Management and Incident Response Information Security Functions – March 24, 2020. Oversight.gov.