The Environmental Protection Agency’s (EPA) Office of Inspector General has flagged cybersecurity and data management issues as top management challenges for the agency in FY2019 that need to be tackled.
In a Top Management Challenges report, OIG critiqued the EPA’s cybersecurity program, particularly for its internal control and contractor performance monitoring processes.
“The EPA’s current incident tracking system lacks the required security controls to protect the confidentiality of personally identifiable information (PII) and enforce password management requirements,” the report said. “In addition, EPA data is vulnerable to unauthorized access because there are no procedures to ensure that EPA security control requirements are implemented for file servers and share folders.”
OIG further said EPA has not fully addressed the role of its CIO in a way that’s consistent with Federal policy or guidance, and that Office of Management and Budget risk management assessment ratings ranked the EPA as “at risk” – meaning that while it has some policies in place, the overall cybersecurity program still has significant gaps.
To improve cybersecurity management, OIG recommended that the EPA develop and implement a process to strengthen controls and operations, implement Continuous Monitoring Assessment recommendations into the agency’s system for information security action monitoring, and work with the Department of Homeland Security and the National Institute of Standards and Technology to understand data breach risk and reevaluate information categorization.
Further, OIG said the EPA should implement a strategy to protect PII confidentiality, address the role of the CIO, and act to consult with respective critical infrastructure sector partners to develop a cybersecurity framework. Finally, the EPA should create a control to validate and establish a series of key processes.
“[The EPA needs to] establish a control to validate that agency personnel create required plans of action and milestones for vulnerability testing results, establish a process to periodically review the agency’s tracking system’s security settings to validate that each setting meets the agency’s standards, and collaborate with the tracking system’s vendor to determine whether audit logging can capture all data changes,” OIG said.
Along with cybersecurity, OIG said that the EPA needs to improve its data quality and should fill data gaps to improve program performance and decision-making.
“Data quality and gaps matter because managers use data to manage the EPA’s programs to achieve the agency’s goals,” OIG said. “The EPA needs and expects high-quality, accurate, and complete data to support high-quality decisions.”
EPA has said it has begun moving to electronic reporting, which OIG said should simplify reporting and ease agency access to data. But OIG also added that the EPA still needs to verify and validate electronically reported data to ensure that it’s accurate, timely, and properly formatted.