U.S. Environmental Protection Agency
                   Office of Inspector General

                   At   a  Glance
                                                           08-P-0273
                                                    September 23, 2008
                                                               Catalyst for Improving the Environment
Why We Did This Review

The Office of Inspector
General contracted with
Williams, Adley & Company,
LLP to conduct the annual
audit of the U.S. Environ-
mental Protection Agency's
(EPA's) compliance with the
Federal Information Security
Management Act. Williams,
Adley & Company, LLP
conducted network
vulnerability testing of the
Agency's local area network
located at the EPA's Head-
quarters in Washington, DC.

Background

 The National Computer
 Center (NCC), located in
 Research Triangle Park,
 North Carolina, is responsible
 for managing the assignment
 of Internet Protocol (IP)
 addresses within EPA. The
 Enterprise Desktop Solutions
 Division (EDSD) is
 responsible  for the network
 infrastructure required to
 support end user
 requirements.

For further information,
contact our Office of
Congressional and Public
Liaison at (202) 566-2391.

Management of EPA Headquarters Internet
Protocol Addresses Needs Improvement
 What Williams, Adley & Company, LLP Found
Processes used to assign and track IP addresses within EPA Headquarters in
Washington, DC, need strengthening to enforce accountability. Information
provided by EPA representatives to support vulnerability testing of the
Headquarters' network revealed that Agency personnel were not aware of the IP
addresses assigned to them.  This occurred because EPA needs a:

   •   Process to track the assignment of IP addresses
   •   Method to identify all active and assigned IP addresses

Vulnerability testing of the EPA Headquarters network identified 391 IP
addresses with high-risk and/or medium-risk vulnerabilities.  Although EDSD
personnel conducted research to identify the Program Offices responsible for the
IP addresses, EDSD could not identify the offices responsible for 273 of the IP
addresses.  As a result,  18 high-risk vulnerabilities exist where the responsible
EPA offices could not be contacted to remediate the risks. Furthermore, without a
full accounting of assigned IP addresses, EPA cannot be assured that its patch
management or incident response processes are effective.
 What Williams, Adley & Company, LLP Recommends
Williams, Adley & Company, LLP recommends that EPA:

 •   Take immediate action to address all identified network security weaknesses
    and start risk mitigation actions to reduce the risks from the remaining
    18 unidentified IP addresses.
 •   Develop and implement procedures to document and keep current a complete
    inventory of all IP addresses assigned to EPA Headquarters.
 •   Develop and implement a revised IP address allocation scheme to assign
    entire IP address blocks to Program Offices to eliminate fragmentation and
    improve security administration.
 •   Implement a process that augments the current vulnerability testing process
    used to identify active Headquarters IP address with the use of other network
    monitoring tools.
 •   Develop Plans of Actions and Milestones for each recommendation.

 Due to the sensitive nature of the report's technical findings, the full report is not
 available to the public.

-------