Information Security:

Environmental Protection Agency Needs to Resolve Weaknesses

GAO-12-696: Published: Jul 19, 2012. Publicly Released: Aug 20, 2012.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Nabajyoti Barkakati
(202) 512-4499
barkakatin@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Although the Environmental Protection Agency (EPA) has taken steps to safeguard the information and systems that support its mission, security control weaknesses pervaded its systems and networks, thereby jeopardizing the agency’s ability to sufficiently protect the confidentiality, integrity, and availability of its information and systems. The agency did not fully implement access controls, which are designed to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Specifically, the agency did not always (1) enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords; (2) limit users’ access to systems to what was required for them to perform their official duties; (3) ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals; (4) keep logs of network activity or monitor key parts of its networks for possible security incidents; and (5) control physical access to its systems and information, such as controlling visitor access to computing equipment. In addition to weaknesses in access controls, EPA had mixed results in implementing other security controls. For example, EPA conducted appropriate background investigations for employees and contractors to ensure sufficient clearance requirements had been met before permitting access to information and information systems. However,

  • EPA had not always securely configured network devices and updated operating system and database software with patches to protect against known vulnerabilities.
  • EPA had not always ensured equipment used for sanitization and disposal of media was tested to verify correct performance.

An underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program. Although EPA has established a framework for its security program, the agency has not yet fully implemented all elements of its program. Specifically, it did not always finalize policies and procedures to guide staff in effectively implementing controls; ensure that all personnel were given relevant security training to understand their roles and responsibilities; update system security plans to reflect current agency security control requirements; assess management, operational, and technical controls for agency systems at least annually and based on risk; and implement a corrective action process to track and manage all weaknesses when remedial actions were necessary. Sustained management oversight and monitoring are necessary for EPA to implement these key information security practices and controls. Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.

Why GAO Did This Study

EPA is responsible for protecting human health and the environment by implementing and enforcing the laws and regulations intended to improve the quality of the nation’s air, water, and lands. The agency’s policies and programs affect virtually all segments of the economy, society, and government. In addition, it relies extensively on networked computer systems to collect a wealth of environmental data and to disseminate much of this information while also protecting other forms of sensitive or confidential information.

Because of the importance of the security of EPA’s information systems, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over EPA’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at EPA headquarters and two field offices.

What GAO Recommends

GAO is making 12 recommendations to the Administrator of EPA to fully implement elements of EPA’s comprehensive information security program. In commenting on a draft of this report, EPA’s Assistant Administrator generally agreed with GAO’s recommendations. Two of GAO’s recommendations were revised to incorporate EPA’s comments. In a separate report with limited distribution, GAO is also making 94 recommendations to EPA to enhance access and other information security controls over its systems.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, has issued Agency Change Management Process and Procedures, version 4.5, which defines the required steps for change management, including how approved changes are documented.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update configuration management procedures to ensure they include guidance for documenting records of approved changes.

    Agency Affected: Environmental Protection Agency

  2. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to finalize the 17 agencywide interim information security policies and draft procedures.

    Agency Affected: Environmental Protection Agency

  3. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update system security plans to reflect current policies and procedures.

    Agency Affected: Environmental Protection Agency

  4. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include current National Institute of Standards and Technology (NIST) Special Publication 800-53 guidance in system security plans.

    Agency Affected: Environmental Protection Agency

  5. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, issued training procedures that describe the steps the agency will take each fiscal year to ensure that role-based security training topics meet the agency's needs. These procedures also include tracking employees with significant security responsibilities to determine whether they complete their training requirements. When employees do not complete training on time their accounts are deactivated.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and finalize a role-based security training procedure that tailors specific training requirements to EPA users' role/position descriptions and details the actions information security officers must take when users do not complete the training.

    Agency Affected: Environmental Protection Agency

  6. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to conduct testing of management, operational, and technical controls, based on risks, to occur no less than annually, for the clean air markets division system identified.

    Agency Affected: Environmental Protection Agency

  7. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, implemented a plan of action and milestones (POA&M) tracking tool that contains fields for all of the eight POA&M elements described in OMB policy. The agency is using this tracking tool to capture required information for each POA&M, including a description of the weakness and the audit report or other source document that identified it.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that will require users to enter all information required by OMB policy, including descriptions of each weakness and the source of the finding.

    Agency Affected: Environmental Protection Agency

  8. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, has implemented a tracking application for plans of action and milestones (POA&M) that includes a feature to prevent deletions and other inappropriate alterations of data in POA&M records.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that block inappropriate alteration of data.

    Agency Affected: Environmental Protection Agency

  9. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement an agencywide, uniform method for approving contingency plans.

    Agency Affected: Environmental Protection Agency

  10. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, developed and issued interim contingency planning procedures. The procedures state that contingency plans must be tested at least annually and must address information system, environment of operations, and organizational changes and problems. In addition to EPA's general procedures for testing contingency plans, detailed procedures in NIST 800-84 must be followed.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to annually test the viability of contingency plans for agency systems.

    Agency Affected: Environmental Protection Agency

  11. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that EPA, in response to our recommendation, issued interim contingency planning procedures specifying that individuals' contact information, including home and mobile numbers, must be included in contingency plans.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to ensure that both work and home contact information are included for each individual in a contingency plan's emergency contact list.

    Agency Affected: Environmental Protection Agency

  12. Status: Open

    Comments: EPA's actions on this recommendation are ongoing.

    Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement procedures to verify the accuracy of system inventory information.

    Agency Affected: Environmental Protection Agency

 

Explore the full database of GAO's Open Recommendations »

Nov 20, 2014

Nov 17, 2014

Oct 16, 2014

Oct 14, 2014

Sep 23, 2014

Sep 22, 2014

Sep 19, 2014

Sep 15, 2014

Sep 12, 2014

Sep 9, 2014

Looking for more? Browse all our products here