U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
10-P-0028
November 16, 2009
Catalyst for Improving the Environment

Improved Security Planning Needed for the Customer Technology Solutions Project

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA) implemented oversight practices for the Customer Technology Solutions (CTS) contract. We are continuing our review and plan to issue a separate report on whether EPA has responded to resolve issues identified during CTS deployment, and implemented processes to eliminate recurring problems with deploying CTS.

Background

EPA indicates CTS is the Agency's Working Capital Fund service, providing and coordinating all information technology end user support and services for Headquarters program offices. EPA plans for CTS to be a one-stop shop for personal computing and information technology support services. EPA will deploy CTS equipment at 18 locations across the United States.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2010/20091116-10-P-0028.pdf

What We Found

EPA lacks a process to routinely test CTS equipment for known vulnerabilities and to correct identified threats. Furthermore, EPA placed CTS equipment into production without fully assessing the risk the equipment poses to the Agency's network and authorizing the equipment for operations. The Office of Management and Budget requires federal agencies to create a security plan for each general support system and ensure the plan complies with guidance issued by the National Institute of Standards and Technology. Both vulnerability management and the preparation of critical security documents such as the Security Plan and the Authorization to Operate are paramount to fulfilling this requirement.

These weaknesses exist because EPA undertook an aggressive schedule to install over 11,500 computers at 18 locations across the United States. As problems occurred during installation, management focused its attention on addressing these issues in order to meet the deployment schedule milestone. Given the widespread use of CTS equipment, thousands of information resources provide a path for potential unauthorized access to EPA's network. EPA lacks processes to identify these threats or the capability to lessen their impact. On November 9, 2009, management signed an authorization to operate for the CTS equipment and outlined key actions that needed to be completed.

What We Recommend

We recommend that the Director, Office of Technology Operations and Planning and Chief Technology Officer, Office of Environmental Information, direct the CTS contractor to develop and implement a vulnerability testing and remediation process for CTS equipment consistent with existing EPA security policies and procedures, and issue a memorandum to Agency Senior Information Officials requiring their program office to conduct vulnerability testing of CTS equipment until a formal vulnerability testing and management process with CTS has been established. Until this process is in place, we further recommend that the Director require the CTS contractor to remediate identified vulnerabilities in a timely manner and inform the respective Senior Information Official when they complete the corrective actions necessary to fix the vulnerabilities. We also recommend the Director ensure all key actions outlined in the November 9, 2009, CTS authorization to operate are completed by the defined milestone dates.