EPA OIG: EPA Needs to Improve Its Risk Management and Incident Response Information Security Functions

Why We Did This Project

“We performed this audit to assess the U.S. Environmental Protection Agency’s compliance with the fiscal year 2019 Inspector General reporting instructions for the Federal Information Security Modernization Act of 2014…”

What We Found

“We assessed the maturity of the EPA’s information security program at Level 3, Consistently Implemented. A Level 3 designation means that the EPA’s policies, procedures, and strategies are consistently implemented but quantitative and qualitative effectiveness measures are lacking. To determine the EPA’s maturity level, we reviewed the five security function areas outlined in the FY 2019 IG FISMA Reporting Metrics: Identify, Protect, Detect, Respond, and Recover. We also reviewed the eight corresponding domains: Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, Incident Response, and Contingency Planning.”

“While the EPA consistently implemented policies, procedures, and strategies for many of these function areas and domains, improvements are still needed:

  • Risk Management: The EPA did not implement standard data elements for software and associated licenses used within the Agency’s information technology environment, and the plans of action and milestones were not consistently used to mitigate security weaknesses.
  • Incident Response: The EPA did not implement prescribed technologies to support its incident response program.”

Recommendations and Planned Agency Corrective Actions

“We recommend that the Assistant Administrator for Mission Support (1) develop and maintain an up-to-date inventory of Agency software and associated licenses, (2) establish a control to validate that Agency personnel are creating the required plans of action and milestones associated with vulnerability testing, and (3) implement prescribed technologies to support the EPA’s incident response program.”

“The Agency concurred with our recommendations and provided acceptable corrective actions. All recommendations are considered resolved with planned corrective actions pending.”

Access the full 40-page report here.

Source: EPA Needs to Improve Its Risk Management and Incident Response Information Security Functions – March 24, 2020. Oversight.gov.
