Information Security:
Environmental Protection Agency Needs to Resolve Weaknesses
GAO-12-696, Jul 19, 2012
Contact:
Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov
Nabajyoti Barkakati
(202) 512-4499
barkakatin@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
Although the Environmental Protection Agency (EPA) has taken steps to safeguard the information and systems that support its mission, security control weaknesses pervaded its systems and networks, thereby jeopardizing the agency's ability to sufficiently protect the confidentiality, integrity, and availability of its information and systems. The agency did not fully implement access controls, which are designed to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Specifically, the agency did not always (1) enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords; (2) limit users' access to systems to what was required for them to perform their official duties; (3) ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals; (4) keep logs of network activity or monitor key parts of its networks for possible security incidents; and (5) control physical access to its systems and information, such as controlling visitor access to computing equipment. In addition to weaknesses in access controls, EPA had mixed results in implementing other security controls. For example, EPA conducted appropriate background investigations for employees and contractors to ensure sufficient clearance requirements had been met before permitting access to information and information systems. However,
- EPA had not always securely configured network devices and updated operating system and database software with patches to protect against known vulnerabilities.
- EPA had not always ensured equipment used for sanitization and disposal of media was tested to verify correct performance.
An underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program. Although EPA has established a framework for its security program, the agency has not yet fully implemented all elements of its program. Specifically, it did not always finalize policies and procedures to guide staff in effectively implementing controls; ensure that all personnel were given relevant security training to understand their roles and responsibilities; update system security plans to reflect current agency security control requirements; assess management, operational, and technical controls for agency systems at least annually and based on risk; and implement a corrective action process to track and manage all weaknesses when remedial actions were necessary. Sustained management oversight and monitoring are necessary for EPA to implement these key information security practices and controls. Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.
Why GAO Did This Study
EPA is responsible for protecting human health and the environment by implementing and enforcing the laws and regulations intended to improve the quality of the nation's air, water, and lands. The agency's policies and programs affect virtually all segments of the economy, society, and government. In addition, it relies extensively on networked computer systems to collect a wealth of environmental data and to disseminate much of this information while also protecting other forms of sensitive or confidential information.
Because of the importance of the security of EPA's information systems, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over EPA's key networks and systems; reviewed policies, plans, and reports; and interviewed officials at EPA headquarters and two field offices.
What GAO Recommends
GAO is making 12 recommendations to the Administrator of EPA to fully implement elements of EPA's comprehensive information security program. In commenting on a draft of this report, EPA's Assistant Administrator generally agreed with GAO's recommendations. Two of GAO's recommendations were revised to incorporate EPA's comments. In a separate report with limited distribution, GAO is also making 94 recommendations to EPA to enhance access and other information security controls over its systems.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.
Status Legend:
- Review Pending
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to finalize the 17 agencywide interim information security policies and draft procedures.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update system security plans to reflect current policies and procedures.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include current National Institute of Standards and Technology (NIST) Special Publication 800-53 guidance in system security plans.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and finalize a role-based security training procedure that tailors specific training requirements to EPA users' role/position descriptions and details the actions information security officers must take when users do not complete the training.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to conduct testing of management, operational, and technical controls, based on risks, to occur no less than annually, for the clean air markets division system identified.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that will require users to enter all information required by OMB policy, including descriptions of each weakness and the source of the finding.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that block inappropriate alteration of data.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement an agencywide, uniform method for approving contingency plans.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to annually test the viability of contingency plans for agency systems.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to ensure that both work and home contact information are included for each individual in a contingency plan's emergency contact list.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement procedures to verify the accuracy of system inventory information.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update configuration management procedures to ensure they include guidance for documenting records of approved changes.
Agency Affected: Environmental Protection Agency
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.