EPA information systems vulnerable, IG says

Program officers at the Environmental Protection Agency have not complied with federal information security requirements and have left the agency's CIO without timely and accurate security data, according to EPA's Inspector General.

In a report, the IG found several major EPA applications that failed to meet standards outlined in the Federal Information Security Management Act and lacked adequate certification and accreditation, contingency planning and a process for monitoring security vulnerabilities.

'EPA could have discovered these inconsistencies if it had implemented verification and validation processes to review program offices' compliance with established federal and agency requirements,' the report said. 'Without these processes, EPA mission-critical information systems may not be adequately protected against known security vulnerabilities or be available in a timely manner in the event of an emergency or disaster.'

FISMA, part of the E-Government Act of 2002, requires agencies to develop policies and procedures that protect agency information assets.

The IG reviewed five major agency applications and found that none of their certification and accreditation packages complied with federal requirements. In particular, one application was operating with an expired security plan, another was operating with a security plan that was not updated, and two had security plans that did not reflect the current application status.

'Based on our findings, senior agency officials did not have a reasonable basis for accrediting the applications,' the report said. 'EPA places itself at greater risk because it could not be sure that adequate steps have been taken to eliminate or mitigate risks.'

EPA officials, the report said, agreed with the IG's conclusions.
