U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
16-P-0259
August 10, 2016
Why We Did This Review
The Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA) conducted this audit to determine to what extent the EPA implemented information system security policies and procedures to protect agency systems that provide access to national security or Personally Identifiable Information (PII), as outlined in Section 406 of the Cybersecurity Act of 2015.
This report addresses the following EPA goal or cross-agency strategy:
• Embracing EPA as a high-performing organization.
Cybersecurity Act of 2015 Report: EPA's Policies and Procedures to Protect Systems With Personally Identifiable Information
What We Found
Section 406 of the Cybersecurity Act of 2015 calls for Inspectors General of agencies with covered systems to report on several aspects of the covered systems' information system security controls. The term "covered system" means a national security system as defined in 40 U.S.C. § 11103 or a federal computer system that provides access to PII.
The EPA has 30 systems that contain sensitive PII. Safeguarding information and preventing system breaches are essential for ensuring the EPA retains the trust of the American public.
The EPA has 30 covered systems that contain sensitive PII covered by provisions of the act. Of the 30 covered systems, two were sampled for our audit. Although the EPA has 30 systems that include sensitive PII, the EPA does not own any systems that include national security information.
The act requires Inspectors General to report on the areas identified in the bullets below. We provided information in the following eight areas based on the requirements outlined in the act for the EPA's covered systems.
• Description of logical access policies and practices.
• Description of the logical access controls and multifactor authentication used to govern privileged users' access.
• Reasons for not using logical access controls and multifactor authentication, if applicable.
• Policies and procedures used to conduct inventories of software and licenses.
• Capabilities utilized to monitor and detect exfiltration and other threats.
• Description of how monitoring and detecting capabilities are utilized.
• Reasons why monitoring and detecting capabilities are not used, if applicable.
• Description of policies and procedures used to ensure entities and contractors providing services to the EPA are implementing the information security management practices identified in the act.
We issued a draft report containing our conclusions and briefed EPA representatives on the audit results. The EPA agreed with our results and emailed its responses, which were evaluated and incorporated into this report.
The full version of this report contained controlled unclassified information. This is a redacted version of that report, which means the controlled unclassified information has been removed. The redactions are clearly identified in the report.
Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oig.