U.S. Environmental Protection Agency	13-P-0257
Office of Inspector General	May 13, 2013
At a Glance
Why We Did This Review
The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG) prepared this supplemental report to document the details, and make recommendations, for weaknesses the OIG identified during its review of the Agency's information security program and practices. That review was conducted as required by the Federal Information Security Management Act (FISMA), which requires inspectors general to prepare an annual evaluation of their agencies' information security programs and practices. The Department of Homeland Security issued reporting guidelines documenting 11 FISMA reporting metrics to be evaluated as part of the fiscal year 2012 FISMA audit.
This report addresses the following EPA Goal or Cross-Cutting Strategy:
• Strengthen EPA's Workforce and Capabilities.
Briefing Report: Improvements Needed in EPA's Information Security Program
What We Found
We found weaknesses in the following Agency programs regarding its information security program and practices:
• Continuous monitoring management
• Configuration management
• Risk management
• Plan of action and milestones
• Contractor systems
This supplemental report to our previously issued report, Fiscal Year 2012 Federal Information Security Management Act Report: Status of EPA's Computer Security Program (Report No. 13-P-0032), issued October 26, 2012, provides additional detailed information for the above weaknesses.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Environmental Information implement the continuous monitoring activities as specified in the Agency's Continuous Monitoring Strategic Plan, document the remediation of configuration-related vulnerabilities, and implement a strategic plan for EPA's risk management framework.
The Agency concurred with the report's recommendations and provided high-level planned corrective actions with completion dates. The Agency needs to provide a completion date for one planned corrective action and additional information on how the EPA will verify that offices remediate identified weaknesses.
Noteworthy Achievements
The Office of Environmental Information has developed a strategic plan for continuous monitoring, approved the risk management framework, and created a Risk Executive Group tasked with developing an Agency-wide risk management strategy.
For further information, contact our Office of Congressional and Public Affairs at (202) 566-2391.
The full report is at: www.epa.gov/oig/reports/2013/20130513-13-P-0257.pdf