U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

09-P-0097
February 23, 2009

Catalyst for Improving the Environment

Why We Did This Review

The Office of Inspector General (OIG) contracted with Williams, Adley & Company,
LLP to conduct the annual audit of the U.S. Environmental Protection Agency's
(EPA's) compliance with the Federal Information Security Management Act. OIG
contractors conducted network vulnerability testing of the Agency's local area
network located at EPA's Headquarters in Washington, DC.

Background

The network vulnerability testing was conducted to identify any network risk
vulnerabilities and present the results to the appropriate EPA officials to
promptly remediate or document planned actions to resolve the vulnerability.

For further information, contact our Office of Congressional, Public Affairs
and Management at (202) 566-2391.

Results of Technical Network Vulnerability Assessment: EPA Headquarters

What Williams, Adley & Company, LLP Found

Test results identified 391 Internet Protocol (IP) addresses that contained
vulnerabilities, and EPA could identify only 118 of the IP addresses.  This
prevented EPA from taking immediate actions to address the identified
vulnerabilities. On September 23, 2008, the OIG issued Report No. 08-P-0273,
Management of EPA Headquarters Internet Protocol Addresses Needs
Improvement.

Field work disclosed weaknesses in the quality of information EPA uses to track
the ownership of IP addresses. Specifically, network administrators were not
updating the IP registry database with descriptive information to identify their
assigned IP addresses, nor were they adhering to EPA's naming convention policy
when describing the equipment or device in the database. Also, there is no
evidence that EPA conducted data quality reviews to ensure the IP address
database is accurate and complete.

This report summarizes discussions with EPA since the OIG issued report
08-P-0273, and transmits the full contents of the EPA Headquarters network
vulnerability test results. This report also forwards several medium-risk
vulnerabilities identified at the EPA Region 9 office that require action by
Headquarters personnel to remediate. Region 9 officials were unable to resolve
these weaknesses because the network assets in question are managed by EPA
Headquarters personnel.

What Williams, Adley & Company, LLP Recommends

Williams, Adley & Company, LLP recommends that EPA:

•   Develop and implement procedures to update the IP registry database with
    information that identifies the owner of the network resource and review the
    database regularly for accuracy and completeness;
•   Take steps to remediate all unresolved security weaknesses at EPA
    Headquarters and Region 9 and create a Plan of Actions and Milestones; and
•   Perform a technical vulnerability assessment test of the Headquarters
    network and managed assets at Region 9.

Due to the sensitive nature of this report's technical findings, the full report is not
available to the public.
