IG: EPA contract management system needs better security

The Environmental Protection Agency should place greater emphasis on the security of its automated acquisition and contract management process, according to the agency's inspector general.

In a new report, IG investigators during a five-month review in mid-2005 found the Integrated Contract Management System was operating without up-to-date certification, accreditation and contingency plans.

'As a result, ICMS had security vulnerabilities which, if exploited, could have had a serious adverse effect on operations, assets and individuals,' the report said.

Particularly, the IG found that EPA's Office of Administration and Resources Management, which manages ICMS, did not update and approve key C&A package documents in a timely fashion, develop or test a contingency plan if the system crashed, or monitor production servers for vulnerabilities.

'Exploiting one of these vulnerabilities could result in reduced integrity of the data used by all EPA contracting offices for contract processing and degrade ICMS' availability, thereby hindering the contracting officers' ability to use the application to manage contractor tasking, allocation of funds and contractor efforts,' the report said.

OARM said it agreed with these conclusions, and has implemented a plan of actions and milestones to correct the flaws.

It also said many of the IG concerns will be resolved when it finalizes its server consolidation process.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/Shutterstock.com)

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.