OFFICE OF INSPECTOR GENERAL
Evaluation Report
Federal Information Security
Management Act
Fiscal Year 2004 Status of EPA's
Computer Security Program
Report No. 2004-S-00007
September 30, 2004
-------
Report Contributors:
Ed Densmore
Anita Mooney
Vincent Campbell
Cheryl Reid
Abbreviations
EPA Environmental Protection Agency
C&A Certification and Accreditation
FISMA Federal Information Security Management Act
GAO Government Accountability Office
IFMS Integrated Financial Management System
IT Information Technology
OIG Office of Inspector General
OMB Office of Management and Budget
POA&M Plan of Action and Milestones
-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
September 30, 2004
MEMORANDUM
SUBJECT: Federal Information Security Management Act:
Fiscal Year 2004 Status of EPA's Computer Security Program
Report No. 2004-S-00007
TO: Michael O. Leavitt
Administrator
Attached is our final report entitled Federal Information Security Management Act: Fiscal Year
2004 Status of EPA's Computer Security Program. This report synopsizes the results of
information technology security work the U.S. Environmental Protection Agency's Office of
Inspector General (OIG) performed during Fiscal Year (FY) 2004. This report includes the
OIG's completed FY 2004 FISMA Reporting Template, as prescribed by the Office of
Management and Budget (OMB).
In accordance with OMB reporting instructions, I am forwarding this report to you for
submission, along with the Agency's required information, to the Director, OMB.
Nikki L. Tinsley /s/
Attachment
cc:
K. Nelson, Assistant Administrator for Environmental Information (OEI) (2810A)
M. Day, Director, Office of Technology Operations and Planning (OTOP) (2831T)
G. Bonina, Senior Agency Information Security Officer (2831T)
R. Gonzalez, Director, National Technology Services Division (NTSD) (N229-01)
M. Cody, Associate Director, Technical Information Security Staff (TISS) (2831T)
J. Gibson, Operations Security Manager, NTSD (N276-01)
J. Worthington, OEI Audit Coordinator (2812T)
R. Trent, OEI Audit Coordinator (2831T)
K. Farmer, TISS Audit Coordinator (2831T)
-------
Fiscal Year 2004 Status of EPA's
Computer Security Program
The Federal Information Security Management Act (FISMA) requires the Office of Inspector
General (OIG) to perform an independent evaluation of the Agency's information security
program and practices. We performed our work in accordance with Government Auditing
Standards, issued by the Comptroller General of the United States. The following summarizes
information security work we performed during fiscal 2004.
Information Technology Security Performance
In general, Agency officials have taken positive actions to secure EPA's information resources.
EPA has adequate physical security controls to protect its network firewalls, including
comprehensive continuity of operations plans. However, our audit entitled EPA's
Administration of Network Firewalls Needs Improvement, Report Number 2004-P-00013, dated
March 31, 2004, disclosed logical and configuration control weaknesses which need to be
improved to further secure information resources. We recommended several actions to the
Director, Office of Technology, Operations, and Planning, to improve EPA's firewall security,
including: establishing a standard configuration requirement for adequately securing
workstations used to remotely administer the network firewalls; modifying the change and patch
management processes to ensure that when firewall changes and patches are applied they do not
adversely affect previously applied fixes; and modifying the network vulnerability assessment
methodology to include scanning of all firewall components. Agency officials concurred with
our recommendations and reported that corrective actions were to be implemented by September
30, 2004.
We also evaluated the adequacy of policies, procedures, and practices for controlling financial
application development and software changes to EPA's Integrated Financial Management
System (IFMS). Our audit entitled EPA Needs to Improve Change Controls for Integrated
Financial Management System, Report Number 2004-P-00026, dated August 24, 2004, reported
a general breakdown of security controls that could undermine the integrity of IFMS software
libraries and financial system data. Duties had not been adequately segregated, individuals used
an inappropriate ID or continued to have system access after no longer needing it, and contractor
personnel were granted access to IFMS without a successful background security check.
Further, management had not instituted a formal, structured change control process for IFMS to
ensure software program modifications were properly authorized, tested, and approved. We
made various recommendations to the Chief Financial Officer and the Acting Assistant
Administrator for Administration and Resources Management to improve IFMS controls and
institutionalize security screening procedures. In commenting on the draft report, the Chief
Financial Officer concurred with our recommendations and generally outlined appropriate
corrective actions to improve security and change controls over IFMS. The Acting Assistant
Administrator for Administration and Resources Management did not concur with our
recommendations concerning contractor background investigations, asserting that "suitability"
background investigations of Federal contractors are not required. Management stated its
existing, interim procedures were sufficient to guide offices that chose to initiate background
-------
investigations. However, current EPA policy and Federal guidance strongly recommend
screening comparable to that for Federal staff, and we strongly urge such screening. A response
to the final report is due by November 24, 2004.
Plan of Action and Milestones
EPA has developed, implemented, and is managing an adequate, Agency-wide plan of action and
milestones (POA&M) process. We reviewed EPA's POA&M process, which included
validating a sample of "completed" POA&Ms from the Agency's December 2003 Quarterly
Report to the Office of Management and Budget. Our validation methodology included
reviewing supporting documentation and interviewing appropriate personnel to determine if the
corrective actions taken adequately addressed the weakness and complied with applicable
Federal criteria.
In general, EPA's POA&M process incorporates known Information Technology (IT) security
weaknesses, developed by both program officials and the Chief Information Officer. The Chief
Information Officer centrally tracks, maintains, and reviews POA&M activities. We found the
POA&M process does not currently prioritize security weaknesses; however, Agency officials are
actively addressing this issue and expect to complete the first phase of a two-phased
prioritization development process by November 2004. We also identified some errors with the
data, but we did not consider them to be of a "material" nature and concluded that (1) most of the
inaccuracies stemmed from the newness of the tracking system and (2) these problems would be
rectified as soon as OEI issued additional administrative guidance. We made suggestions to
improve the quality of the data, and Agency officials discussed our concerns at the 2004
Information Security Officer training conference.
Certification and Accreditation
The Agency's Certification and Accreditation (C&A) process complies with Federal guidance.
In assessing the Agency's C&A process, we used the Government Accountability Office's
(GAO) report entitled Agencies Need to Implement Consistent Processes in Authorizing Systems
for Operation, Report Number GAO-04-376, dated June 2004. In a survey of 24 major
departments and agencies, GAO found that agencies need to implement consistent processes in
authorizing systems for operation. Based on its field work of six systems, GAO prepared a
statement of facts summarizing findings specific to EPA and indicated that the Agency's C&A
process and specific C&A packages generally complied with Federal C&A criteria. However,
GAO indicated that they found varying degrees of comprehensiveness at EPA and instances
where required steps were incomplete, such as missing and/or untested contingency plans and
missing risk assessments. In addition, although EPA's system self-assessments stated that
security controls had been "tested," GAO found limited documentation to support that these
controls had actually been tested on an annual basis. The only evidence GAO found was the
results of technical vulnerability assessments, which were conducted as part of periodic risk
assessments. Further, in some cases, GAO found it difficult to determine the actual risk being
accepted by EPA in the accreditation decision.
-------
Incident Detection and Handling
The Agency's incident detection and handling practices comply with documented policies and
procedures. We reviewed the Agency's processes for incident handling by examining a sample
of security incidents taken from the Computer Security Incident Response Center's weekly
reports. We tracked these incidents through the process to determine how they were identified,
remedied, and reported internally, as well as externally, if applicable. We found the Agency
followed defined policies and procedures for reporting incidents internally, as well as externally
to law enforcement and the US Computer Emergency Readiness Team.
Security Training and Awareness
EPA continues to make improvements in providing and recording training to ensure security
training and awareness of all employees, including contractors and those employees with
significant IT security responsibilities. For example, EPA indicated that 49 percent of personnel
with significant IT responsibilities received training in fiscal 2004, up from 31 percent in fiscal
2003. During this past year, the Agency implemented an on-line IT Security training library
available through the Federal government's E-learning portal (i.e., GoLearn.gov). The
GoLearn.gov IT security library contains 13 role-based training plans. Agency officials
identified employees with significant security responsibilities by 1 of the 13 functional roles, and
pre-registered these employees into the GoLearn training system. In addition, it was
recommended these employees take at least two of the GoLearn courses by August 31, 2004.
-------
[Attachment: OIG's completed FY 2004 FISMA Reporting Template. The scanned table pages are illegible in this copy; only the following fragments of the template's evaluation items could be recovered:]
"...rate the degree to which the following s... ...area provided below."
"Agency program officials and the agency CIO have used app... their program and syst... ...vices provided by another agency for... ...licy and NIST guidelines, national sec...rity policy, and agency..."
"The reviews of programs, systems, and contractor operation... used to cond... ...essment guide, 800-26."
"In instances where the NIST self-asse... elements of the NIST guide."
"The agency maintains an inventory of... this inventory..."
"...ment and verification of..."
"The OIG and the CIO agree on the tot...al number of programs, systems, an..."
"The agency CIO reviews and concurs with the major IT inves... ...ency."
"...tems for e-authenticati..."
"The agency has appointed a senior ag...ency information secur...ity officer that..."
-------