- EPA had not always securely configured network devices and updated operating system and database software with patches to protect against known vulnerabilities.
- EPA had not always ensured equipment used for sanitization and disposal of media was tested to verify correct performance.
GAO indicated that an underlying reason for the control weaknesses is that EPA has not fully implemented a comprehensive information security program. Although EPA has established a framework for its security program, the agency has not yet fully implemented all elements of its program. Specifically, it did not always:
- finalize policies and procedures to guide staff in effectively implementing controls;
- ensure that all personnel were given relevant security training to understand their roles and responsibilities;
- update system security plans to reflect current agency security control requirements;
- assess management, operational, and technical controls for agency systems at least annually and based on risk; and
- implement a corrective action process to track and manage all weaknesses when remedial actions were necessary.
Sustained management oversight and monitoring are necessary for EPA to implement these key information security practices and controls. Until EPA fully implements a comprehensive security program, it will have limited assurance that its information and information systems are adequately protected against unauthorized access, use, disclosure, modification, disruption, or loss.
GAO made 12 recommendations to the Administrator of EPA to fully implement elements of EPA's comprehensive information security program. In commenting on a draft of this report, EPA's Assistant Administrator generally agreed with GAO's recommendations. Two of GAO's recommendations were revised to incorporate EPA's comments. In a separate report with limited distribution, GAO also made 94 recommendations to EPA to enhance access and other information security controls over its systems.
Energy and Commerce Committee Chairman Fred Upton (R-MI) commented on the report saying, "Our oversight has shed much-needed light on the vulnerability of confidential information at federal agencies. This report raises serious questions about EPA's dedication to ensuring robust information protection and underscores the urgency for the agency to address security weaknesses. We will continue our oversight with a review of EPA's implementation of GAO's recommendations in the coming months."