The Environmental Protection Agency (EPA) has failed to monitor plans of action and milestones (POA&Ms) for cybersecurity weaknesses as required by EPA policy, the agency’s Inspector General (IG) said.
According to an IG report, the EPA’s information security weakness tracking system “relies on other agency offices to enter POA&Ms in the tracking system to manage unremediated vulnerabilities.”
The IG found that one office within EPA was tracking vulnerabilities outside of the EPA’s tracking system, and another EPA office didn’t have formal processes for creating POA&Ms in the tracking system.
“The EPA’s information security weakness tracking system lacked controls to prevent unauthorized changes to key data fields and to record these changes in the system’s audit logs,” the report said. This, the IG said, could result in unauthorized changes to system data, and impede the EPA’s ability to remediate existing system weaknesses.
The IG made several recommendations for the agency including: establishing a control to confirm that required agency personnel create POA&Ms for vulnerability testing results; establishing a process to review the EPA’s tracking system security; and collaborating with the tracking system’s vendor to see if audit logging can capture all the data changes.
The EPA agreed to all the recommendations, and the IG said the issues are considered resolved with corrective actions pending.