EPA information systems vulnerable, IG says
- By Rob Thormeyer
- Oct 19, 2005
Program officers at the Environmental Protection Agency have not complied with federal information security requirements and have left the agency's CIO without timely and accurate security data, according to EPA's Inspector General.
In a report, the IG found several major EPA applications that failed to meet standards outlined in the Federal Information Security Management Act and lacked adequate certification and accreditation, contingency planning and a process for monitoring security vulnerabilities.
'EPA could have discovered these inconsistencies if it had implemented verification and validation processes to review program offices' compliance with established federal and agency requirements,' the report said. 'Without these processes, EPA mission-critical information systems may not be adequately protected against known security vulnerabilities or be available in a timely manner in the event of an emergency or disaster.'
FISMA, part of the E-Government Act of 2002, requires agencies to develop policies and procedures that protect agency information assets.
The IG reviewed five major agency applications and found that none of their certification and accreditation packages complied with federal requirements. In particular, one application was operating with an expired security plan, another was operating with a security plan that was not updated, and two had security plans that did not reflect the current application status.
'Based on our findings, senior agency officials did not have a reasonable basis for accrediting the applications,' the report said. 'EPA places itself at greater risk because it could not be sure that adequate steps have been taken to eliminate or mitigate risks.'
EPA officials, the report said, agreed with the IG's conclusions.