U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
09-P-0186
June 30, 2009
Catalyst for Improving the Environment
Why We Did This Review
The Office of Inspector General contracted with Williams, Adley & Company, LLP,
to conduct the annual audit of the U.S. Environmental Protection Agency's
(EPA's) compliance with the Federal Information Security Management Act
(FISMA). Williams, Adley & Company, LLP, conducted the network vulnerability
testing of the Agency's network devices located at EPA's National Computer
Center in Research Triangle Park, North Carolina.
Background
The network vulnerability testing was conducted to identify any network risk
vulnerabilities and present the results to the appropriate EPA officials to
promptly remediate or document planned actions to resolve the vulnerability.
For further information, contact our Office of Congressional, Public Affairs
and Management at (202) 566-2391.
Results of Technical Network Vulnerability Assessment: EPA's National Computer Center
What Williams, Adley & Company, LLP, Found
Vulnerability testing conducted in April 2009 of EPA's National Computer Center
network devices indicated several high-risk vulnerabilities. Additionally, based
on the results from Region 8 network scans conducted in April 2009, Region 8
officials indicated that the National Computer Center manages several of those
network devices with high-risk vulnerabilities. If not resolved, these
vulnerabilities could expose EPA's assets to unauthorized access and potential
harm to the Agency's network.
What Williams, Adley & Company, LLP, Recommends
Williams, Adley & Company, LLP, recommends that the Director of the National
Computer Center:
• Implement actions to resolve all high-risk vulnerability findings.
• Update EPA's Automated Security Self Evaluation and Remediation
Tracking (ASSERT) system.
• Perform a technical vulnerability assessment test of the National Computer
Center devices and Region 8's network within 30 days to demonstrate and
document corrective actions that have resolved the vulnerabilities.
Due to the sensitive nature of the report's technical findings, the full report is not
available to the public.