U.S. Environmental Protection Agency
Office of Inspector General

At a Glance

10-P-0028
November 16, 2009
Catalyst for Improving the Environment

Why We Did This Review

We sought to determine whether the U.S. Environmental Protection Agency (EPA)
implemented oversight practices for the Customer Technology Solutions (CTS) contract.
We are continuing our review and plan to issue a separate report on whether EPA has
responded to resolve issues identified during CTS deployment, and implemented
processes to eliminate recurring problems with deploying CTS.

Background

EPA indicates CTS is the Agency's Working Capital Fund service, providing and
coordinating all information technology end user support and services for Headquarters
program offices. EPA plans for CTS to be a one-stop shop for personal computing and
information technology support services. EPA will deploy CTS equipment at 18 locations
across the United States.

For further information, contact our Office of Congressional, Public Affairs and
Management at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2010/20091116-10-P-0028.pdf

Improved Security Planning Needed for the Customer Technology Solutions Project

What We Found

EPA lacks a process to routinely test CTS equipment for known vulnerabilities and to
correct identified threats. Furthermore, EPA placed CTS equipment into production
without fully assessing the risk the equipment poses to the Agency's network and
authorizing the equipment for operations. The Office of Management and Budget
requires federal agencies to create a security plan for each general support system and
ensure the plan complies with guidance issued by the National Institute of Standards
and Technology. Both vulnerability management and the preparation of critical
security documents such as the Security Plan and the Authorization to Operate are
paramount to fulfilling this requirement. These weaknesses exist because EPA
undertook an aggressive schedule to install over 11,500 computers at 18 locations
across the United States. As problems occurred during installation, management
focused its attention on addressing these issues in order to meet the deployment
schedule milestone.

Given the widespread use of CTS equipment, thousands of information resources
provide a path for potential unauthorized access to EPA's network. EPA lacks
processes to identify these threats or the capability to lessen their impact.

On November 9, 2009, management signed an authorization to operate for the CTS
equipment and outlined key actions that needed to be completed.

What We Recommend

We recommend that the Director, Office of Technology Operations and Planning and
Chief Technology Officer, Office of Environmental Information, direct the CTS
contractor to develop and implement a vulnerability testing and remediation process
for CTS equipment consistent with existing EPA security policies and procedures,
and issue a memorandum to Agency Senior Information Officials requiring their
program office to conduct vulnerability testing of CTS equipment until a formal
vulnerability testing and management process with CTS has been established.

Until this process is in place, we further recommend that the Director require the CTS
contractor to remediate identified vulnerabilities in a timely manner and inform the
respective Senior Information Official when they complete the corrective actions
necessary to fix the vulnerabilities. We also recommend the Director ensure all key
actions outlined in the November 9, 2009, CTS authorization to operate are completed
by the defined milestone dates.

-------