U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Special Report

Fiscal Year 2008 Federal Information Security Management Act Report
Status of EPA's Computer Security Program

Report No. 08-P-0280
September 26, 2008

-------

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

MEMORANDUM

September 26, 2008

SUBJECT: Fiscal Year 2008 Federal Information Security Management Act Report: Status of EPA's Computer Security Program, Report No. 08-P-0280
FROM: Patricia H. Hill, Assistant Inspector General for Mission Systems
TO: Stephen L. Johnson, Administrator

Attached is the Office of Inspector General's Fiscal Year 2008 Federal Information Security Management Act Reporting Template, as prescribed by the Office of Management and Budget. This audit was performed by Williams, Adley and Company, LLP, under the direction of the U.S. Environmental Protection Agency's Office of Inspector General. In addition, Appendix A synopsizes the results of our significant Fiscal Year 2008 information security audits. The estimated cost for performing this audit, which includes contract costs and Office of Inspector General contract management oversight, is $388,135.

In accordance with Office of Management and Budget reporting instructions, I am forwarding this report to you for submission, along with the Agency's required information, to the Director, Office of Management and Budget.

-------

Section C - Inspector General: Questions 1 and 2
Agency Name: Environmental Protection Agency
Submission date: September 25, 2008

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.
In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Questions 1 and 2 - U.S. Environmental Protection Agency, by Component/Bureau and FIPS 199 System Impact Level

In the three "systems" columns each cell gives the number of systems with the number reviewed in parentheses (Question 1 a, b, c). In the three Question 2 columns each cell gives the number of reviewed systems meeting the criterion, with its percentage of systems reviewed in parentheses where at least one system was reviewed. No component reported any "Not Categorized" systems, and only OAR reported a High-impact system; all other High and Not Categorized cells are zero and are not repeated below.

| Component | Impact level | 1a. Agency systems (reviewed) | 1b. Contractor systems (reviewed) | 1c. Total systems (reviewed) | 2a. Certified and accredited | 2b. Security controls tested in past year | 2c. Contingency plan tested |
|---|---|---|---|---|---|---|---|
| OA | Moderate | 2 (0) | 0 (0) | 2 (0) | 0 | 0 | 0 |
| OA | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OA | Sub-total | 3 (0) | 0 (0) | 3 (0) | 0 | 0 | 0 |
| OAR | High | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OAR | Moderate | 11 (1) | 1 (0) | 12 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| OAR | Low | 6 (0) | 1 (0) | 7 (0) | 0 | 0 | 0 |
| OAR | Sub-total | 18 (1) | 2 (0) | 20 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| OARM | Moderate | 11 (0) | 2 (1) | 13 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OARM | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OARM | Sub-total | 11 (0) | 2 (1) | 13 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OCFO | Moderate | 18 (1) | 0 (0) | 18 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OCFO | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OCFO | Sub-total | 19 (1) | 0 (0) | 19 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OECA | Moderate | 8 (1) | 0 (0) | 8 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OECA | Low | 3 (1) | 0 (0) | 3 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| OECA | Sub-total | 11 (2) | 0 (0) | 11 (2) | 2 (100%) | 1 (50%) | 2 (100%) |
| OEI | Moderate | 16 (0) | 6 (1) | 22 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| OEI | Low | 16 (1) | 3 (0) | 19 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OEI | Sub-total | 32 (1) | 9 (1) | 41 (2) | 2 (100%) | 1 (50%) | 2 (100%) |
| OGC | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OGC | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OGC | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OIA | Moderate | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OIA | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OIA | Sub-total | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OIG | Moderate | 7 (0) | 0 (0) | 7 (0) | 0 | 0 | 0 |
| OIG | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OIG | Sub-total | 7 (0) | 0 (0) | 7 (0) | 0 | 0 | 0 |
| OPPTS | Moderate | 6 (1) | 1 (0) | 7 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OPPTS | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| OPPTS | Sub-total | 7 (1) | 1 (0) | 8 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| ORD | Moderate | 7 (0) | 0 (0) | 7 (0) | 0 | 0 | 0 |
| ORD | Low | 8 (0) | 0 (0) | 8 (0) | 0 | 0 | 0 |
| ORD | Sub-total | 15 (0) | 0 (0) | 15 (0) | 0 | 0 | 0 |
| OSWER | Moderate | 4 (1) | 1 (0) | 5 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OSWER | Low | 4 (0) | 1 (0) | 5 (0) | 0 | 0 | 0 |
| OSWER | Sub-total | 8 (1) | 2 (0) | 10 (1) | 1 (100%) | 1 (100%) | 1 (100%) |
| OW | Moderate | 8 (0) | 0 (0) | 8 (0) | 0 | 0 | 0 |
| OW | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| OW | Sub-total | 8 (0) | 0 (0) | 8 (0) | 0 | 0 | 0 |
| R01 | Moderate | 1 (1) | 0 (0) | 1 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| R01 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R01 | Sub-total | 1 (1) | 0 (0) | 1 (1) | 1 (100%) | 0 (0%) | 1 (100%) |
| R02 | Moderate | 2 (0) | 0 (0) | 2 (0) | 0 | 0 | 0 |
| R02 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R02 | Sub-total | 2 (0) | 0 (0) | 2 (0) | 0 | 0 | 0 |
| R03 | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R03 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R03 | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R04 | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R04 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R04 | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R05 | Moderate | 2 (0) | 0 (0) | 2 (0) | 0 | 0 | 0 |
| R05 | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R05 | Sub-total | 3 (0) | 0 (0) | 3 (0) | 0 | 0 | 0 |
| R06 | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R06 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R06 | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R07 | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R07 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R07 | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R08 | Moderate | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R08 | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R08 | Sub-total | 2 (0) | 0 (0) | 2 (0) | 0 | 0 | 0 |
| R09 | Moderate | 1 (0) | 1 (0) | 2 (0) | 0 | 0 | 0 |
| R09 | Low | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R09 | Sub-total | 1 (0) | 1 (0) | 2 (0) | 0 | 0 | 0 |
| R10 | Moderate | 0 (0) | 0 (0) | 0 (0) | 0 | 0 | 0 |
| R10 | Low | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| R10 | Sub-total | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| Agency Totals | High | 1 (0) | 0 (0) | 1 (0) | 0 | 0 | 0 |
| Agency Totals | Moderate | 110 (6) | 12 (2) | 122 (8) | 8 (100%) | 5 (63%) | 8 (100%) |
| Agency Totals | Low | 43 (2) | 5 (0) | 48 (2) | 2 (100%) | 1 (50%) | 2 (100%) |
| Agency Totals | Total | 154 (8) | 17 (2) | 171 (10) | 10 (100%) | 6 (60%) | 10 (100%) |

-------

Section C - Inspector General: Question 3

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory

3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.
Response Categories:
- Rarely- for example, approximately 0-50% of the time
- Sometimes- for example, approximately 51-70% of the time
- Frequently- for example, approximately 71-80% of the time
- Mostly- for example, approximately 81-95% of the time
- Almost Always- for example, approximately 96-100% of the time

3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
Response Categories:
- The inventory is approximately 0-50% complete
- The inventory is approximately 51-70% complete
- The inventory is approximately 71-80% complete
- The inventory is approximately 81-95% complete
- The inventory is approximately 96-100% complete

3.c. The IG generally agrees with the CIO on the number of agency-owned systems. Yes or No.
3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency. Yes or No.
3.e. The agency inventory is maintained and updated at least annually. Yes or No.

Responses:
3.a. Mostly (81-95% of the time)
3.b. Inventory is 96-100% complete
3.c. Yes
3.d. Yes
3.e. Yes

3.f. If the Agency IG does not evaluate the Agency's inventory as 96-100% complete, please identify the known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.
Number of known systems missing from inventory: 0

| Component/Bureau | System Name | Exhibit 53 Unique Project Identifier (UPI) (must be 23 digits) | Agency or Contractor system? |
|---|---|---|---|
| (none) | | | |

-------

Section C - Inspector General: Questions 4 and 5

Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your agency by choosing from the responses provided. If appropriate or necessary, include comments in the area provided. For each statement in items 4.a. through 4.f., select the response category that best reflects the agency's status.

Response Categories:
- Rarely- for example, approximately 0-50% of the time
- Sometimes- for example, approximately 51-70% of the time
- Frequently- for example, approximately 71-80% of the time
- Mostly- for example, approximately 81-95% of the time
- Almost Always- for example, approximately 96-100% of the time

4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
Response: Almost Always (96-100% of the time)

4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
Response: Almost Always (96-100% of the time)

4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
Response: Almost Always (96-100% of the time)

4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
Response: Almost Always (96-100% of the time)

4.e. IG findings are incorporated into the POA&M process.
Response: Almost Always (96-100% of the time)

4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
Response: Almost Always (96-100% of the time)

POA&M process comments: EPA has developed and implemented a POA&M program that ensures the CIO reports the security weaknesses and remediation on a regular basis, at least quarterly. The processes and procedures ensure OEI tracks, maintains, and reviews POA&M activities on a quarterly basis for weaknesses reported by EPA.

Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process, including adherence to existing policy, guidance, and standards.
Provide narrative comments as appropriate. Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004. This includes use of FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems" (February 2004) to determine a system impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.

5.a. The IG rates the overall quality of the Agency's certification and accreditation process as:
Response Categories:
- Excellent
- Good
- Satisfactory
- Poor
- Failing
Response: Good

5.b. The IG's quality rating included or considered the following aspects of the C&A process (check all that apply; three of the aspects are marked X in the template):
- Security plan
- System impact level
- System test and evaluation
- Security control testing
- Incident handling
- Security awareness training
- Configurations/patching
- Other:

C&A process comments: From our sample of 10 systems, all had C&A documents. However, 4 out of 10 did not provide security test results.

-------

Section C - Inspector General: Questions 6, 7, and 8

Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process

6. Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA) process, as discussed in Section D Question #5 (SAOP reporting template), including adherence to existing policy, guidance, and standards.
Response Categories:
- Excellent
- Good
- Satisfactory
- Poor
- Failing
Response: Excellent
Comments:

7. Provide a qualitative assessment of the agency's progress to date in implementing the provisions of M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
Response Categories:
- Excellent
- Good
- Satisfactory
- Poor
Response: Excellent
Comments: EPA is in the process of implementing the program. Policies have been drafted. Procedures have been developed and implemented. Training is being provided.

Question 8: Configuration Management

8.a. Is there an agency-wide security configuration policy? Yes or No.
Response: Yes
Comments:

8.b. Approximate the extent to which applicable systems implement common security configurations, including use of common security configurations available from the National Institute of Standards and Technology's website at http://checklists.nist.gov.
Response categories:
- Rarely- for example, approximately 0-50% of the time
- Sometimes- for example, approximately 51-70% of the time
- Frequently- for example, approximately 71-80% of the time
- Mostly- for example, approximately 81-95% of the time
- Almost Always- for example, approximately 96-100% of the time
Response: Mostly (81-95% of the time)
Comments: EPA should take additional steps to ensure that network configurations are maintained. Our tests disclosed security patches and updates on network resources were not always installed in a timely manner.

8.c. Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been implemented as of this report:
c.1. Agency has adopted and implemented FDCC standard configurations and has documented deviations. Yes or No. Response: Yes
c.2. New Federal Acquisition Regulation 2007-004 language, which modified "Part 39—Acquisition of Information Technology", is included in all contracts related to common security settings. Yes or No. Response: Yes
c.3. All Windows XP and VISTA computing systems have implemented the FDCC security settings. Yes or No. Response: No

-------

Section C - Inspector General: Questions 9, 10 and 11

Question 9: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the area provided below.
9.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. Yes or No. Response: Yes
9.b. The agency follows documented policies and procedures for external reporting to US-CERT (http://www.us-cert.gov). Yes or No. Response: Yes
9.c. The agency follows documented policies and procedures for reporting to law enforcement. Yes or No. Response: Yes
Comments:

Question 10: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and those employees with significant IT security responsibilities?
Response Categories:
- Rarely- or approximately 0-50% of employees
- Sometimes- or approximately 51-70% of employees
- Frequently- or approximately 71-80% of employees
- Mostly- or approximately 81-95% of employees
- Almost Always- or approximately 96-100% of employees
Response: Almost Always (96-100% of employees)

Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of collaborative web technologies and peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes or No.
Response: Yes

Question 12: E-Authentication Risk Assessments

12.a. Has the agency identified all e-authentication applications and validated that the applications have operationally achieved the required assurance level in accordance with NIST Special Publication 800-63, "Electronic Authentication Guidelines"? Yes or No.
Response: Yes

12.b.
If the response is "No", then please identify the systems in which the agency has not implemented the e-authentication guidance and indicate if the agency has a planned date of remediation.

-------

Appendix A
Summary of Significant Fiscal Year 2008 Security Control Audits

During Fiscal Year 2008, the U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) initiated the following audits of EPA's information technology security program and information systems. The following synopsizes key findings.

1. Supplemental Fiscal 2007 FISMA Audit Results: OIG Results of EPA's Efforts to Protect PII and Contractor Results of EPA Standard Configuration Documents' Compliance with Federal Guidance or Industry Best Practices, Assignment No. 2007-000802, December 20, 2007

EPA needs to (1) issue a memo to Senior Information Officers to remind them of the Agency's policy requirements for protecting personally identifiable information and the need to reiterate and reinforce compliance with the Agency policy, and (2) complete efforts to publish the Privacy Program procedures related to the Privacy Program policy. EPA concurred with the recommendations and subsequently implemented corrective actions to adequately address the report recommendations.

2. Review of the Quality of Self-Reported Security Information in EPA's Automated Security Self-Evaluation and Remediation Tracking (ASSERT) System, Assignment No. 2008-0003

The primary objective of this assignment is to determine whether EPA has implemented effective management control processes for maintaining the quality of the data in EPA's ASSERT system. The OIG plans to issue a final report by December 2008.
-------

Appendix B
Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Director, Office of Technology Operations and Planning, Office of Environmental Information
Senior Agency Information Security Officer, Office of Environmental Information
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
Office of General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Deputy Inspector General