July 31, 2017 x^fcD S?/w • U.S. Environmental Protection Agency 17-P-0344 % Office of Inspector General ® I At a Glance Why We Did This Review The U.S. Environmental Protection Agency (EPA), Office of Inspector General (OIG), conducted this audit to determine what processes the EPA uses to verify that agency contractors with significant information system security responsibilities meet established specialized training duties. Role-based training is continuous education that improves current knowledge, skills and abilities for particular job functions. Under the Chief Information Officer's Federal Information Security Modernization Act (FISMA) Metrics, agencies are responsible for identifying and reporting specialized security training, such as role-based training, for all personnel (including contractors) with significant information security responsibilities. This report addresses the following EPA goal or cross-agency strategy: • Embracing EPA as a high- performing organization. Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oia. Listing of OIG reports. EPA Lacks Processes to Validate Whether Contractors Receive Specialized Role-Based Training for Network and Data Protection What We Found The EPA is unaware of the number of agency contractors who have significant information security responsibilities and require role-based training. This is attributed to the following factors: • EPA personnel overseeing contractors are not aware of contractor role-based training requirements. • The agency has not included role-based training requirements in all awarded contracts. The EPA is unaware whether information security contractors possess the skills and training needed to protect the agency's information, data and network from security breaches. • The EPA lacks a process to track and report contractors' role-based training. In addition, the EPA did not report contractor training status in its fiscal years 2015 and 2016 Chief Information Officer's Annual FISMA reports submitted to the Office of Management and Budget. FISMA guidance requires agencies to train and oversee personnel (including contractors) who have significant responsibilities for information security, and report on the effectiveness of the information security program. Insufficient awareness, contract requirements, and oversight of role-based training increase the risk that EPA contractors may lack the knowledge or skills necessary to protect the agency from cyberattacks. The agency also has insufficient information to manage risks to its data and network. Recommendations and Planned Agency Corrective Actions We recommend that the Assistant Administrator for Administration and Resources Management update the EPA Acquisition Guide to include the newly developed cybersecurity contract clauses that agency personnel must include in all EPA contracts, and include the cybersecurity contract clauses in all existing and future information technology contracts. We also recommend that the Office of Environmental Information implement a process for agency personnel to maintain a listing of contractor personnel required to take role-based training and report this information in the Chief Information Officer's Annual FISMA reports. The agency concurred with our recommendations and provided planned corrective actions with estimated completion dates. One recommendation has been resolved with corrective action completed. All remaining recommendations are resolved with corrective actions pending. ------- |