s O \
! 32 *
Kry
PRO^
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Evaluation of the
U.S. Chemical Safety and
Hazard Investigation Board's
Compliance with the
Federal Information
Security Management Act
(Fiscal Year 2012)
Report No. 13-P-0307
June 28, 2013
Scan this mobile
code to learn more
about the EPA OIG.
-------�
Abbreviations
CIS
Center for Internet Security
CSB
U.S. Chemical Safety and Hazard Investigation Board
DISA
Defense Information Systems Agency
FIPS
Federal Information Processing Standards
FISMA
Federal Information Security Management Act of 2002
FY
Fiscal Year
IG
Inspector General
IT
Information Technology
NIST
National Institute of Standards and Technology
OMB
Office of Management and Budget
PP&E
Property, Plant, and Equipment
SP
Special Publication
STIG
Security Technical Implementation Guide
USB
Universal Serial Bus
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
email: OIG Hotline@epa.gov write: EPA Inspector General Hotline
phone: 1-888-546-8740 1200 Pennsylvania Avenue, NW
fax: 202-566-2599 Mailcode 2431T
online: http://www.epa.gov/oiq/hotline.htm Washington, DC 20460
-------�
tfED STAf.
*. U.S. Environmental Protection Agency 13-P-0307
Office of Inspector General June 28 2013
/ rn
\.o At a Glance
Why We Did This Review
This review was performed to
assess the U.S. Chemical
Safety and Hazard
Investigation Board's
compliance with the
Federal Information Security
Management Act of 2002.
FISMA requires federal
agencies to develop an
information security program
that protects the operations and
assets of the agency. An
annual independent evaluation
of the program must be
performed by the inspector
general or an independent
external auditor, who shall
report the results to the Office
of Management and Budget.
The U.S. Environmental
Protection Agency, Office of
Inspector General, which also
serves as the Inspector
General for the CSB,
contracted with KPMG LLP to
perform this fiscal year 2012
evaluation.
This report addresses the
following CSB goal:
• Preserve the public trust by
maintaining and improving
organizational excellence.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.qov/oiq/reports/2013/
20130628-13-P-0307.pdf
Evaluation of the U.S. Chemical Safety and Hazard
Investigation Board's Compliance with the Federal
Information Security Management Act (Fiscal Year 2012)
What KPMG Found
KPMG noted that the CSB has an information security program in place that
appears to be functioning as designed. KPMG also noted that the CSB takes
information security weaknesses seriously, as the CSB is performing vulnerability
assessments on its network devices and security configuration assessments on a
subset of its network devices. However, KPMG identified areas in which the CSB
could improve upon its vulnerability scanning, patch and configuration
management, device encryption, scanning software configuration, and inventory
of IT assets.
In addition to reviewing the CSB's information security practices, KPMG
conducted a security assessment of key CSB system and network devices. As a
result of this assessment, KPMG found un-patched network devices and mobile
devices that were not encrypted, which elevated the CSB's risk of system and
data compromise by unauthorized users. KPMG also identified that the scanning
tool used by the CSB for providing visibility into its network devices was not
providing adequate visibility for its IT devices included within its physical
inventory. KPMG also identified 130 personal computers for a staff of
44 members, six decommissioned Blackberries, two decommissioned servers,
and 57 obsolete assets identified in the prior year audit that were not retired,
which could allow for misuse or loss of IT devices or data.
KPMG is responsible for the content of the final audit report. The OIG performed
the procedures necessary to obtain reasonable assurance about KPMG's
independence, objectivity, qualifications, technical approach and audit results.
Recommendations and CSB Corrective Actions
KPMG recommends that the CSB take several actions to remediate the identified
weaknesses. These include:
• Patching network devices and implementing baseline configurations.
• Implementing encryption on mobile assets and completing plans to
implement tools for continuous monitoring of network devices.
The CSB agreed with the report's findings and recommendations. The CSB
asserted that it was in the process of implementing the baseline configurations
during the audit and will have the baseline configurations implemented by
September 30, 2013. The CSB provided agreed-upon corrective actions for all
the recommendations.
-------�
<
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
June 28, 2013
The Honorable Rafael Moure-Eraso, Ph.D.
Chairperson and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
2175 K. Street, NW, Suite 400
Washington, D.C. 20037-1809
Dear Dr. Moure-Eraso:
This is a final report on the Evaluation of the U.S. Chemical Safety and Hazard Investigation Board's
Compliance with the Federal Information Security Management Act (Fiscal Year 2012), conducted by
KPMG LLP on behalf of the Office of Inspector General of the U.S. Environmental Protection Agency
The audit was required to be conducted in accordance with Government Auditing Standards, issued by
the Comptroller General of the United States. KPMG is responsible for the final audit report and the
conclusions expressed in that report. The OIG performed the procedures necessary to obtain a
reasonable assurance about KPMG's independence, objectivity, qualifications, technical approach and
audit results in order to accept the conclusions and recommendations.
If you or your staff have any questions regarding the enclosed report, please contact
Richard Eyermann, acting assistant inspector general for the Office of Audit, at (202) 566-0565
or evermann.richard@epa.gov; or Rudolph M. Brevard, director, at (202) 566-0893 or
brevard.rudv@epa. gov.
Sincerely,
Arthur A. Elkins Jr.
-------�
June 28, 2013
SUBJECT: Evaluation of the U.S. Chemical Safety and Hazard Investigation Board's Compliance
with the Federal Information Security Management Act (Fiscal Year 2012)
THRU: Arthur A. Elkins Jr.
Inspector General
U.S. Environmental Protection Agency
Office of Inspector General
TO: The Honorable Rafael Moure-Eraso, Ph.D.
Chairperson and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
Attached is the KPMG LLP final evaluation report on the above subject audit. KPMG LLP performed
the Federal Information Security Management Act evaluation on behalf of the U.S. Environmental
Protection Agency, Office of Inspector General. This report includes the test results for selected
minimally required information security controls defined by the National Institute of Standards and
Technology.
If you or your staff have any questions regarding the enclosed report, please contact
Richard Eyermann, acting assistant inspector general for the Office of Audit, at (202) 566-0565 or
evermann.richard@epa.gov; or Rudolph M. Brevard, director, at (202) 566-0893 or
brevard. rudv@ epa. gov.
-------�
Evaluation of the U.S. Chemical Safety and Hazard
Investigation Board's Compliance with the Federal
Information Security Management Act (Fiscal Year 2012)
Report No. 13-P-0307
Table of C
Purpose 1
Background 1
Scope and Methodology 2
Findings 2
Patch and Configuration Management Need Improvement 2
Management of Encryption of USB-Connected Digital Media and
Mobile Computing Devices with Information Storage Capability
Needs Improvement 4
Scanning Application Needs to Be Updated and Configured to Provide
Continuous Monitoring of Network Devices and Operating System Visibility... 5
Management of Unused Information Technology Assets Needs
Improvement 6
Recommendations 7
CSB Response and KPMG Comments 7
Status of Recommendations and Potential Monetary Benefits 8
Appendices
A Microagency FISMA Reporting Template 9
B CSB Response to Draft Report 14
-------�
Purpose
The U.S. Environmental Protection Agency, Office of Inspector General, initiated
this evaluation to assess the U.S. Chemical Safety and Hazard Investigation
Board's (CSB's) compliance with the Federal Information Security Management
Act of 2002 (FISMA) for fiscal year (FY) 2012. The U.S. Environmental
Protection Agency's Office of Inspector General also serves as the Inspector
General for the CSB.
Background
On December 17, 2002, the President signed into law H.R. 2458, the
E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government
Act of 2002, commonly referred to as FISMA, focuses on improving oversight of
federal information security programs and facilitating progress in correcting
agency information security weaknesses. FISMA requires federal agencies to
develop, document, and implement an agency-wide information security program
that provides security for the information and information systems that support
the operations and assets of the agency, including those provided or managed by
another agency, contractor, or other source. FISMA assigns specific
responsibilities to agency heads and inspectors general (IGs) and is supported by
security policy promulgated through the Office of Management and Budget
(OMB) and risk-based standards and guidelines published in the National Institute
of Standards and Technology (NIST) Federal Information Processing Standard
(FIPS) and Special Publication (SP) series.
Under FISMA, agency heads are responsible for providing information security
protections commensurate with the risk and magnitude of harm resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction of
information and information systems. FISMA directs federal agencies to report
annually to the OMB Director, Comptroller General, and selected congressional
committees on the adequacy and effectiveness of agency information security
policies, procedures, and practices, and compliance with FISMA. In addition,
FISMA requires agencies to have an annual independent evaluation performed of
their information security programs and practices, and to report the evaluation
results to OMB. FISMA states that the independent evaluation is to be performed
by the agency IG or an independent external auditor as determined by the IG.
CSB management is responsible for making risk management decisions regarding
deficiencies, and their potential impact on controls and the confidentiality,
integrity, and availability of systems. CSB management is responsible, based on
its risk management decisions, to implement solutions that are appropriate for the
CSB's information technology (IT) environment.
13-P-0307
1
-------�
Scope and Methodology
The scope of our testing included the CSB Information Technology System, the
only CSB IT system subject to FISMA reporting requirements.
We conducted our testing by making inquiries of CSB personnel, inspecting
relevant documentation, and performing limited technical security testing. Some
examples of our inquiries of agency management and personnel included, but
were not limited to, the process for documenting audit log reviews and
vulnerability scanning. We inspected the training sign-off sheets for key CSB
staff, IT inventory listings, and the CSB-published information security policies
and procedures.
We performed this evaluation in accordance with generally accepted government
auditing standards, issued by the Comptroller General of the United States. Those
standards require that we plan and perform the evaluation to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our evaluation objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives. We conducted the evaluation from September through
November 2012.
Findings
During our evaluation for FY 2012, we noted that the CSB has an information
security program in place that appears to be functioning as designed. We also
noted that the CSB takes information security weaknesses seriously, as CSB is
performing vulnerability assessments on its network devices and security
configuration assessments on a subset of its network devices on a regular basis.
CSB has also taken steps to greatly reduce the number of excess IT devices by
recycling or transferring them to other government agencies. However, during this
year's assessment, we identified areas in which the CSB could improve its
vulnerability scanning, patch and configuration management process, encryption
of mobile devices including USB-connected devices such as removable hard
drives, automated scanning tool configuration, and IT inventory.
Patch and Configuration Management Need Improvement
We performed a security assessment of key CSB system and network devices.
During this assessment, we identified vulnerabilities related to un-patched
devices. We noted that the CSB has established procedures for performing
vulnerability scans of its network devices and remediating the results on a regular
basis. The CSB needs to remain vigilant in this area to ensure that vulnerabilities
are identified and remediated in a timely manner. We have provided the details to
CSB management separately and the CSB has taken actions to mitigate these
vulnerabilities by implementing our recommendations or plan to take action after
13-P-0307
2
-------�
performing some additional research. We also performed a configuration scan
using both the Center for Internet Security (CIS) benchmarks as well as Defense
Information Systems Agency (DISA) Security Technical Implementation Guides
(STIGs). We noted that the CSB has improved its management of system
configurations by performing configuration assessments on a subset of its network
devices using DISA STIGs. However, the CSB did not fully implement the
standard baseline configurations to which each of CSB's network devices are
required to adhere.
FISMA requires that federal agencies maintain information systems used or
operated by the agency, or by a contractor of an agency or other organization on
behalf of an agency, in accordance with information security guidance issued by
NIST.
NIST SP 800-40 Version 2.0, Procedures for Handling Security Patches states
that "timely patching of security issues is generally recognized as critical to
maintaining the operational availability, confidentiality, and integrity of
information technology (IT) systems."
NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information
Systems, states:
Control AC-6 Least Privilege - The organization employs the concept of
least privilege, allowing only authorized accesses for users (and processes
acting on behalf of users) which are necessary to accomplish assigned
tasks in accordance with organizational missions and business functions.
Control CM-2 Baseline Configuration - The organization develops,
documents, and maintains under configuration control, a current baseline
configuration of the information system.
Control CM-7 Least Functionality, Supplemental Guidance -
Organizations consider disabling unused or unnecessary physical and
logical ports and protocols.
CSB Board Order 034, Information Technology Security Program, states that:
Recognizing the systematic implementation of up-to-date system patches
and security updates is critical to the security of CSB information systems
and technology, it is the policy of the Board that such systems and
technology shall be maintained with current system patches .and security
updates. Such patches and updates shall be loaded on a regular basis using
a coordinated process, as described in this Appendix.
These system vulnerabilities were caused by the CSB not having fully
implemented standard configuration baselines for its network devices and not
13-P-0307
3
-------�
consistently following their policy, procedures, or NIST. Un-patched devices
significantly elevate the CSB's risk of system and data compromise by
unauthorized users, which could lead to the alteration or deletion of critical data
and a degradation of system performance. Further, by not having fully
implemented standard configuration baselines for all of its network devices and
not consistently adhering to the current standard configuration baselines being
used for testing configuration settings on the subset of network devices tested, the
risk is increased that the system could be exposed to malicious technical attacks
or unauthorized/unintentional changes.
Management of Encryption of USB-Connected Digital Media and
Mobile Computing Devices with Information Storage Capability Needs
Improvement
During our review of the inventory of connected IT assets for the CSB, we
identified 3 Apple laptops and 2 external hard drives that were not adequately
encrypted.
NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information
Systems, states in control MP-4 Media Storage:
The organization:
a. Physically controls and securely stores [.Assignment: organization-defined
types of digital and non-digital media] within [,Assignment: organization-
defined controlled areas] using [,Assignment: organization-defined security
measures];
b. Protects information system media until the media are destroyed or sanitized
using approved equipment, techniques, and procedures.
In OMB M-06-16, Protection of Sensitive Agency Information, the OMB Deputy
Director for Management states:
The National Institute of Standards and Technology (NIST) provided a
checklist for protection of remote information. (See attachment) The intent
of implementing the checklist is to compensate for the lack of physical
security controls when information is removed from, or accessed from
outside the agency location. In addition to using the NIST checklist, I am
recommending all departments and agencies take the following actions:
Encrypt all data on mobile computers/devices which carry agency
data unless the data is determined to be non-sensitive, in writing,
by your Deputy Secretary or an individual he/she may designate in
writing.
The CSB stated that they were in the process of procuring FlPS-compliant
encryption software for the Apple laptops and that the external hard drives were
13-P-0307
4
-------�
not allowed out of the office. Failure to appropriately encrypt USB-connected
storage media or mobile computing devices with information storage capability
increases the risk of disclosure of non-public and sensitive CSB information.
Scanning Application Needs to Be Updated and Configured to
Provide Continuous Monitoring of Network Devices and Operating
System Visibility
During our review of the scanning tool used by the CSB to provide an automated
capability for visibility into IT assets connected to the CSB network, we
determined that the CSB was not able to provide visibility for four classes of IT
assets identified in the 2012 CSB physical inventory or track the operating system
for each of the devices.
NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information
Systems, states:
Control CM-2, Baseline Configuration, Enhancement Supplemental
Guidance - Software inventory tools are examples of automated
mechanisms that help organizations maintain consistent baseline
configurations for information systems. Software inventory tools can be
deployed for each operating system in use within the organization (e.g., on
workstations, servers, network components, mobile devices) and used to
track operating system version numbers, applications and types of
software installed on the operating systems, and current patch levels.
Software inventory tools can also scan information systems for
unauthorized software to validate organization defined lists of authorized
and unauthorized software programs.
Control CM-8, Information System Component Inventory - The
organization employs automated mechanisms to help maintain an up-to-
date, complete, accurate, and readily available inventory of information
system components.
FISMA Reporting Metrics for Micro Agencies states that:
The Federal Continuous Monitoring Working Group has determined that
Asset Management is one of the first areas where continuous monitoring
needs to be developed. Organizations must first know about devices
(both authorized/managed and unauthorized/unmanaged) before they can
manage the devices for configuration, vulnerabilities, and reachability.
The version of the tool used by CSB during FY 2012 did not allow the CSB to
track asset operating systems or continuously monitor network devices. The CSB
stated that they were eligible for, and in the process of, implementing an upgrade
of the scanning tool that will provide the necessary visibility for all IT assets on
13-P-0307
5
-------�
the network and the ability to configure the scanning application to continuously
monitor for vulnerability weaknesses associated with the CSB's network assets.
The CSB indicated that this upgrade would take place in FY 2013. Subsequent to
our fieldwork, the CSB informed KPMG on November 7, 2012, they had
completed the upgrade of the scanning tool which would mitigate the issue that
was identified during fieldwork for FY 2012. Since the upgrade occurred in the
following fiscal year (2013), we did not perform any additional testing to validate
that the CSB has implemented the current version of the scanning tool or that the
new capabilities are operating effectively.
Failure to effectively deploy network scanning applications that can monitor
connected devices and their vulnerabilities could lead to unauthorized connections
to the network or risk the compromise of non-public and sensitive CSB
information.
Management of Unused Information Technology Assets Needs
Improvement
During our review of the 2012 Annual CSB Physical Inventory, we noted that
CSB has made significant progress in greatly reducing the number of excess IT
devices by recycling or transferring them to other government agencies. We found
that the CSB had reduced its obsolete inventory by using these means to dispose
of 343 of the 400 obsolete inventory items we found in our FY 2011 review.
However, continued vigilance is still needed to ensure that progress continues to
be made in this area. In FY 2012, in addition to the 57 obsolete devices remaining
that were identified in the prior year, we also identified 130 personal computers
(desktops and laptops) in inventory for a staff of 44 members, six
decommissioned Blackberries, and two decommissioned servers, that were not
retired out of 287 total IT devices (e.g., Blackberries and other smartphones,
desktops, laptops, netbooks, tablets, USB-connected devices, firewalls, switches,
routers, servers).
Statement of Federal Financial Accounting Standards 6, Accounting for Property,
Plant, and Equipment (PP&E), states:
General PP&E shall be removed from general PP&E accounts along with
associated accumulated depreciation/amortization, if prior to disposal,
retirement or removal from service, it no longer provides service in the
operations of the entity. This could be either because it has suffered
damage, becomes obsolete in advance of expectations, or is identified as
excess. It shall be recorded in an appropriate asset account at its expected
net realizable value. Any difference in the book value of the PP&E and its
expected net realizable value shall be recognized as a gain or a loss in the
period of adjustment. The expected net realizable value shall be adjusted
at the end of each accounting period and any further adjustments in value
recognized as a gain or a loss. However, no additional depreciation/
13-P-0307
6
-------�
amortization shall be taken once such assets are removed from general
PP&E in anticipation of disposal, retirement, or removal from service.
The CSB stated that staff members have requested multiple computer and mobile
devices to meet their needs, but did not document these justifications. Also, the
CSB has not had the resources or time to complete the activity of removing the
excess IT assets. Maintaining an inventory that contains a large number of excess
items can allow for the misuse or loss of devices if they are not accounted for.
Also, if the devices contain non-public and sensitive information that was not
degaussed and lost, this could lead to disclosure of non-public and sensitive
CSB information.
Recommendations
We recommend that the Chairperson, U.S. Chemical Safety and Hazard
Investigation Board:
1. Review and implement patches as required for the network devices.
2. Implement standard baseline configurations for all network devices.
3. Develop and implement a protocol to encrypt, with FlPS-compliant
encryption, all mobile devices with information storage capability and
USB-connected digital storage media, including Apple assets and USB-
connected removable hard drives.
4. Proceed with CSB's FY 2013 plans to implement the upgraded version of
the scanning tool used to track operating systems and continuously
monitor network devices.
5. Review the information technology inventory and remove the excess
inventory items through the General Services Administration.
6. Document management decisions for assigning multiple computers and
mobile devices to staff members.
CSB Response and KPMG Comments
The CSB concurred with the report's findings and recommendations and provided
planned actions to address each recommendation. We modified the finding on
baseline configurations to state that the CSB had not fully implemented them.
While the CSB had outlined its baseline configurations within its information
technology standard operating procedures for a subset of its network devices, the
CSB had yet to fully implement baseline configurations for all of its network
devices. The CSB plans to implement the baseline configurations by September
30, 2013. The CSB's complete response is in Appendix B.
13-P-0307
7
-------�
Status of Recommendations and
Potential Monetary Benefits
RECOMMENDATIONS
POTENTIAL MONETARY
BENEFITS (In $000s)
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion
Date
Claimed
Amount
Ag reed-To
Amount
7 Review and implement patches as required for the
network devices.
Implement standard baseline configurations for all
network devices.
7 Develop and implement a protocol to encrypt, with
FlPS-compliant encryption, all mobile devices with
information storage capability and USB-connected
digital storage media, including Apple assets and
USB-connected removable hard drives.
7 Proceed with CSB's FY 2013 plans to implement
the upgraded version of the scanning tool used to
track operating systems and continuously monitor
network devices.
7 Review the information technology inventory and
remove the excess inventory items through the
General Services Administration.
7 Document management decisions for assigning
multiple computers and mobile devices to staff
members.
Chairperson, U.S. Chemical Ongoing
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 9/30/13
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 7/31/13
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 11/7/12
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 9/30/13
Safety and Hazard
Investigation Board
Chairperson, U.S. Chemical 9/30/13
Safety and Hazard
Investigation Board
1 0 = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
13-P-0307
8
-------�
Appendix A
Microagency FISMA Reporting Template
This appendix contains a printout of the information security data that the CSB submitted to
OMB in response to the annual FISMA reporting instructions. The following data were obtained
from OMB's CyberScope system.
1. System Inventory
1.1 For each of the FIPS 199 systems categorized impact levels (H = High, M = Moderate,
L = Low) in this question, provide the total number of Organization information systems
by Organization component (i.e. Bureau or Sub-Department Operating Element) in the
table below. (Organizations with below 5000 users may report as one unit.)
1.1A Organization Operated
Systems
1.1b Contractor Operated
Systems
1.1c Systems (from 1.1a and
1.1b) with Security ATO
FIPS
199
Category
H
M
L
H
M
L
H
M
L
CSB
0
1
0
0
0
0
0
1
0
1.2 For each of the FIPS 199 system categorized impact levels in this question, provide the
total number of Organization operational, information systems using cloud services by
Organization component (i.e. Bureau or Sub-Department Operating Element) in the table
below.
1.2a Systems utilizing cloud
computing resources
1.2b Systems utilizing cloud
computing resources (1.2a)
with a Security Assessment
and Authorization
1.2c Systems in 1.2a utilizing
a FedRAMP authorized
Cloud Service Provider
FIPS
199
Category
M
L
M
L
M
L
CSB
0
0
0
0
0
0
2. Asset Management
2.0 Provide the total number of organization hardware assets
connected to the organization's unclassified network
279
2.1 Provide the number of assets in 2.0, where an automated
capability (device discovery process) provides visibility at the
organization's enterprise level into asset inventory
information for all hardware assets.
198
2.2 Software Assets: Can the organization track the installed
operating system Vendor, Product, Version, and patch-level
combination(s) in use on the assets in 2.0.
Yes (6)
13-P-0307
9
-------�
2.2a Can the organization track (for each installed operating
system Vendor, Product, Version, and patch- level
combination in 2.4) the number of assets in 2.1 on which it is
installed in order to assess the number of operating system
vulnerabilities which are present without scanning?
No
As of FY 2013, CSB
made network updates
that allows it to track
(for each installed
operating system
Vendor, Version, and
patch level
combination in 2.2) the
number of assets in 2.1
on which it is installed
in order to assess the
number of operating
system vulnerabilities
which are present
without scanning
3. Configuration Management
3.1 For each operating system Vendor, Product, Version, and
patch-level combination referenced in 2.2, report the
following:
3. la Whether an adequately secure configuration
baseline has been defined.
Yes (4/6)
3. lb The number of hardware assets with this software
(which are covered by this baseline, if it exists).
109
3. lc For what percentage of the applicable hardware
assets (per question 2.0), of each kind of operating
system software in 3.1, has an automated capability to
identify deviations from the approved configuration
baselines identified in 3.1a and provide visibility at the
organization's enterprise level?
39%
4. Vulnerability Management
4. Provide the number of hardware assets identified in section
2.0 that are evaluated using an automated capability that
identifies NIST National Vulnerability Database
vulnerabilities (CVEs) present with visibility at the
organization's enterprise level.
13-P-0307
10
-------�
5. Identity and Access Management
5.1 Provide the number of Organization
unprivileged network user accounts? (Exclude
privileged network user accounts and non-user
accounts)
50
5.2 How many unprivileged network user
accounts are configured to:
5,2a. Require the
form of
identification
listed on the left?
5.2b. Allow, but
not require, the
form of
identification listed
on the left?
5.2a (1) (2) User-ID and Password
50
0
5.2b (1) (2) Two factor-PIV Card
0
0
5.2c (1) (2) Other two factor authentication
0
0
5.3 Provide the number of Organization
privileged network user accounts (Exclude
non-user accounts and unprivileged network user
accounts)?
3
5.4 How many privileged network user accounts
are configured to:
5,4a. Require the
form of
identification
listed on the left?
5.4b. Allow, but
not require, the
form of
identification listed
on the left?
5.4a (1) (2) User-ID and Password
3
0
5.4b (1) (2) Two factor-PIV Card
0
0
5.4c (1) (2) Other two factor authentication
0
0
13-P-0307
11
-------�
6. Data Protection
6. Provide the estimated number of hardware assets from Question 2.0 which have the
following characteristics. Enter responses in the table.
Mobile Assets Types (each
asset should be recorded no
more than once in each
column)
6.a. Estimated number of
mobile hardware assets of the
types indicated in each row
6.b. Estimated number assets
from column a with adequate
encryption of data on the
device.
6.a(l) / 6.b(l)Laptop
Computers, Netbooks, and
Tablet-Type Computers
103
100
6.a(2) / 6.b(2)Personal Digital
Assistant
0
0
6.a(3) / 6.b(3) BlackBerries
and Other Smartphones
42
42
6.a(4) / 6.b(4) USB
connected devices (e.g.,
Flashdrives and Removable
Hard Drives)
52
50
6.a(5) / 6.b(5) Other mobile
hardware assets
0
0
7. Boundary Protection
uiiurti y i imcttiuii
7. Provide the percentage of external connections passing through
TIC/MTIPS.
8. Training and Education
Provide the number of the Organization's network users that have
been given and successfully completed cybersecurity awareness
training in FY2012 (at least annually).
44
13-P-0307
12
-------�
9. Remote Access / Telework
9.1 Provide the estimated total number of annual remote connections the
5,550
Organization provides to allow users to connect to near-full access to the
Organization's normal desktop LAN/WAN resources/services.
9.1.a For those connections counted above in 9.1, provide the estimated number of those
connections that:
• REQUIRE the kind
9.a-l)
9.b-2)
9.c-3) ONLY
9.d-4)
9.e-5)
{and only the kind)
ONLY
ONLY
Other two
ONLY one
Connections
of authentication
User-ID
Two
factor
other
that may
indicated in 10.1a
and
factor-PIV
authentication
method.
have been
columns a-d. (List all
Password
Card (AP)
(Please
authenticated
other connections by
(KFM)
describe in
connection method in
the
10.1a column e)
• For each Type of
5,550
0
0
0
0
connection listed
below
9.a-la/lb/lc/ld/le
0
0
0
0
0
Dial-up
9.a-2a/2b/2c/2d/2e
5,550
0
0
0
0
Virtual Private
Network (not
clientless)
9.a-3a/3b/3c/3d/3e
0
0
0
0
0
£2
Virtual Private
Network
u
(clientless)
=
=
including SSL,
©
r j
TLS, etc.
w
9.a-4a/4b/4c/4d/4e
0
0
0
0
0
o
Citrix
a
9.a-5a/5b/5c/5d/5e
0
0
0
0
0
H
Other
13-P-0307
13
-------�
Appendix B
CSB Response to Draft Report
Chemical Safety and 2175 K Street, NW • Suite 650 • Washington, DC 20037-1809
Hazard Investigation Board Phone (202) 261-7600 • Fax: 12021261 -7650
www.csb.gov
Rafael Moure-Eraso, Ph.D.
Chairperson
May 29, 2013
Melissa Heist
Assistant Inspector General for Audit
U.S. Environmental Protection Agency
Office of Inspector General
1200 Pennsylvania Ave
Washington, DC 20460
Dear Ms. Heist:
We have reviewed your draft report on the independent evaluation of the Chemical Safety and Hazard
Investigation Board's (CSB) compliance with the Federal Information Security Management Act
(FISMA).
As reported, the CSB takes information security weaknesses seriously and works diligently each year to
address the recommendations from the FISMA audits. Consequently, the agency made significant
progress in completing actions on FISMA findings from prior years. For instance, in response to the
OIG's recommendation FY 1 l-OIG-IT-02 on removing excess IT equipment inventory, the CSB launched
an initiative that successfully deinventoried 343 of 400 obsolete IT equipment items. This represents over
85 percent of the items identified during the FY 2011 FISMA audit and was a considerable undertaking
by my staff.
With regard to the most recent audit, the agency has one clarification to make regarding the audit's
finding on baseline configurations. The report states that "the CSB did not document the standard
baseline configurations to which each of CSB's network devices are required to adhere." In response to
FY 2012 audit request number five, which explored this issue, the CSB provided section eight of its IT
Standard Operating Procedure, which was developed pursuant to the FY 2012 FISMA audit
recommendation and details the baseline configurations for its various operating systems. This procedure
outlines the baseline configuration for the CSB devices. We would therefore request that the language be
clarified to state that the CSB has not yet fully implemented the standard baseline configurations. Our
intention is to complete this by the end of the fiscal year.
With the exception of this finding on baseline configurations, the CSB agrees with the FY 2012 findings
and recommendations of your draft report. Attached is a table with our planned actions to address each
finding and targeted completion dates. Please contact Allen Smith at 202-261-7638, or Charlie Bryant at
202-261-7666 for further information on any of these items.
Sincerely,
Rafael Moure-Eraso, Ph.D.
Chairperson & CEO
Enclosure
13-P-0307
14
-------�
l-'Y 2<)|2 I'ISMA Recommendation
(\>m pi elect or Planned Actions
1. Review and implement patches as
required for the network devices.
Ongoing
The CSB installed or completed the
installation of the missing patches
identified in the scan and will continue to
actively review and patch network
devices.
2. Develop and implement standard
baseline configurations for all
network devices.
By September 30, 2013, the CSB will:
Implement its standard baseline
configuration as documented in section
eight its SOP.
3. Develop and implement a protocol to
encrypt, with FIPS compliant
encryption, all mobile devices with
information storage capability and
USB connected digital storage media,
including Apple assets and USB
connected removable hard drives.
By July 31, 2013, the CSB will:
Encrypt the identified Apple and network
storage devices using FIPS 140-2
validated encryption software.
4. Proceed with CSB's FY 2013 plans to
implement the upgraded version of
the scanning tool used to track
operating systems and continuously
monitor network devices.
Completed.
5. Review the information technology
inventory and remove the excess
inventory items through the General
Services Administration.
By September 30, 2013, the CSB will:
Continue the de-inventory program to
remove the remaining obsolete items
from the IT inventory.
6. Document management decisions for
assigning multiple computers and
mobile devices to staff members.
By September 30, 2013, the CSB will:
Document the justifications for additional
IT computing devices.
13-P-0307
15
-------� |