Skip to main content

Information Security: Environmental Protection Agency Needs to Resolve Weaknesses

GAO-12-696 Published: Jul 19, 2012. Publicly Released: Aug 20, 2012.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Although the Environmental Protection Agency (EPA) has taken steps to safeguard the information and systems that support its mission, security control weaknesses pervaded its systems and networks, thereby jeopardizing the agency’s ability to sufficiently protect the confidentiality, integrity, and availability of its information and systems. The agency did not fully implement access controls, which are designed to prevent, limit, and detect unauthorized access to computing resources, programs, information, and facilities. Specifically, the agency did not always (1) enforce strong policies for identifying and authenticating users by, for example, requiring the use of complex (i.e., not easily guessed) passwords; (2) limit users’ access to systems to what was required for them to perform their official duties; (3) ensure that sensitive information, such as passwords for system administration, was encrypted so as not to be easily readable by unauthorized individuals; (4) keep logs of network activity or monitor key parts of its networks for possible security incidents; and (5) control physical access to its systems and information, such as controlling visitor access to computing equipment. In addition to weaknesses in access controls, EPA had mixed results in implementing other security controls. For example, EPA conducted appropriate background investigations for employees and contractors to ensure sufficient clearance requirements had been met before permitting access to information and information systems. However,

  • EPA had not always securely configured network devices and updated operating system and database software with patches to protect against known vulnerabilities.
  • EPA had not always ensured equipment used for sanitization and disposal of media was tested to verify correct performance.

An underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program. Although EPA has established a framework for its security program, the agency has not yet fully implemented all elements of its program. Specifically, it did not always finalize policies and procedures to guide staff in effectively implementing controls; ensure that all personnel were given relevant security training to understand their roles and responsibilities; update system security plans to reflect current agency security control requirements; assess management, operational, and technical controls for agency systems at least annually and based on risk; and implement a corrective action process to track and manage all weaknesses when remedial actions were necessary. Sustained management oversight and monitoring are necessary for EPA to implement these key information security practices and controls. Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.

Why GAO Did This Study

EPA is responsible for protecting human health and the environment by implementing and enforcing the laws and regulations intended to improve the quality of the nation’s air, water, and lands. The agency’s policies and programs affect virtually all segments of the economy, society, and government. In addition, it relies extensively on networked computer systems to collect a wealth of environmental data and to disseminate much of this information while also protecting other forms of sensitive or confidential information.

Because of the importance of the security of EPA’s information systems, GAO was asked to determine whether the agency has effectively implemented appropriate information security controls to protect the confidentiality, integrity, and availability of the information and systems that support its mission. To do this, GAO tested security controls over EPA’s key networks and systems; reviewed policies, plans, and reports; and interviewed officials at EPA headquarters and two field offices.

Recommendations

GAO is making 12 recommendations to the Administrator of EPA to fully implement elements of EPA’s comprehensive information security program. In commenting on a draft of this report, EPA’s Assistant Administrator generally agreed with GAO’s recommendations. Two of GAO’s recommendations were revised to incorporate EPA’s comments. In a separate report with limited distribution, GAO is also making 94 recommendations to EPA to enhance access and other information security controls over its systems.

Recommendations for Executive Action

Agency Affected Recommendation Status
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update configuration management procedures to ensure they include guidance for documenting records of approved changes.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, has issued Agency Change Management Process and Procedures, version 4.5, which defines the required steps for change management, including how approved changes are documented.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to finalize the 17 agencywide interim information security policies and draft procedures.
Closed – Not Implemented
Although EPA concurred with the recommendation in 2012 and has finalized some of the policies and procedures, after 4 years others have not been finalized.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to update system security plans to reflect current policies and procedures.
Closed – Implemented
In fiscal year 2015 we verified that EPA, in response to our recommendation, has implemented a software tool to help produce system security plans. The software references policies, guidance, and procedures. The agency also has a group that reviews the software tool to ensure that information in it is accurate, including the policies and procedures listed in the system security plans. When this group finds inaccurate information, it creates plans of action and milestones (POA&Ms) to correct the problems.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include current National Institute of Standards and Technology (NIST) Special Publication 800-53 guidance in system security plans.
Closed – Implemented
In fiscal year 2015 we verified that EPA, in response to our recommendation, has implemented a software tool to help produce system security plans. The software references guidance, including NIST Special Publication 800-53, revision 4, which is the current version. The agency also reviews the software tool to ensure that information in it is accurate, including the policies and procedures listed in the system security plans.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and finalize a role-based security training procedure that tailors specific training requirements to EPA users' role/position descriptions and details the actions information security officers must take when users do not complete the training.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, issued training procedures that describe the steps the agency will take each fiscal year to ensure that role-based security training topics meet the agency's needs. These procedures also include tracking employees with significant security responsibilities to determine whether they complete their training requirements. When employees do not complete training on time their accounts are deactivated.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to conduct testing of management, operational, and technical controls, based on risks, to occur no less than annually, for the clean air markets division system identified.
Closed – Implemented
EPA concurred with the recommendation. In 2013 EPA, in response to our recommendation, issued a memorandum informing senior information officials that systems would receive annual security assessments. A subsequent security assessment report states that EPA intends to review select controls for this system annually and ensure that within each 3-year period all controls have been reviewed at least once. In fiscal year 2017, we verified that the agency performed security assessments in fiscal years 2015 and 2016, but will not perform an assessment in fiscal year 2017. According to an EPA official, this system is undergoing significant changes and as a result the assessment will be postponed until fiscal year 2018. These actions increase assurance that controls over this information system are being adequately monitored.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that will require users to enter all information required by OMB policy, including descriptions of each weakness and the source of the finding.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, implemented a plan of action and milestones (POA&M) tracking tool that contains fields for all of the eight POA&M elements described in OMB policy. The agency is using this tracking tool to capture required information for each POA&M, including a description of the weakness and the audit report or other source document that identified it.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to include features in the planned remedial action tracking tool that block inappropriate alteration of data.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, has implemented a tracking application for plans of action and milestones (POA&M) that includes a feature to prevent deletions and other inappropriate alterations of data in POA&M records.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement an agencywide, uniform method for approving contingency plans.
Closed – Implemented
EPA partially concurred with the recommendation, agreeing to implement an agencywide, uniform method for approving contingency plans, but disagreeing on details of the method to be implemented. In fiscal year 2016 we verified that the agency, in response to our recommendation, finalized a policy specifying an agencywide, uniform method for approving these plans. The policy requires that contingency plans be included in authority to operate (ATO) packages and reviewed and approved as part of the ATO process.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to annually test the viability of contingency plans for agency systems.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, developed and issued interim contingency planning procedures. The procedures state that contingency plans must be tested at least annually and must address information system, environment of operations, and organizational changes and problems. In addition to EPA's general procedures for testing contingency plans, detailed procedures in NIST 800-84 must be followed.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to develop and implement procedures to ensure that both work and home contact information are included for each individual in a contingency plan's emergency contact list.
Closed – Implemented
In fiscal year 2014 we verified that EPA, in response to our recommendation, issued interim contingency planning procedures specifying that individuals' contact information, including home and mobile numbers, must be included in contingency plans.
Environmental Protection Agency To help establish an effective and comprehensive information security program for EPA's information and information systems, the Administrator of EPA should direct the Assistant Administrator for the Office of Environmental Information to implement procedures to verify the accuracy of system inventory information.
Closed – Implemented
EPA concurred with the recommendation. In fiscal year 2016 we verified that the Environmental Protection Agency, in response to our recommendation, produces monthly reports listing EPA's systems. The chief information officer and relevant managers review these reports for accuracy, and make corrections as needed.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

Information securityCommerceInformation systemsEnvironmental protectionUnauthorized accessConfidential communicationsSecurity incidentsSensitive dataSystem security plansInformation access