sr^
* g% \
ISI
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Evaluation of
U.S. Chemical Safety and
Hazard Investigation Board's
Compliance With the
Federal Information Security
Management Act
(Fiscal Year 2011)
Report No. 12-P-0363
March 21,2012
Scan this mobile
code to learn more
about the EPA OIG.
-------�
Abbreviations
CSB U.S. Chemical Safety and Hazard Investigation Board
FISMA Federal Information Security Management Act of 2002
IG Inspector General
NIST National Institute of Standards and Technology
OMB Office of Management and Budget
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
e-mail: OIG Hotiirie@epa.aov write: EPA Inspector General Hotline
phone: 1-888-546-8740 1200 Pennsylvania Avenue NW
fax: 202-566-2599 Mailcode 2431T
online: http://www.epa.aov/oig/hotline.htm Washington, DC 20460
-------�
^tDsrx
* O \
\jSkj
U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
12-P-0363
March 21, 2012
Why We Did This Review
The review was performed to
assess the U.S. Chemical
Safety and Hazard
Investigation Board's (CSB's)
compliance with the Federal
Information Security
Management Act of 2002
(FISMA).
Background
FISMA requires federal
agencies to develop an
information security program
that protects the operations and
assets of the agency. An annual
independent evaluation of the
program must be performed by
the Inspector General or an
independent external auditor,
who shall report the results to
the Office of Management and
Budget. The U.S.
Environmental Protection
Agency's Office of Inspector
General, which also serves as
the Inspector General for CSB,
contracted with KPMG LLP to
perform the fiscal year 2011
evaluation.
Evaluation of U.S. Chemical Safety and Hazard
Investigation Board's Compliance With the
Federal Information Security Management Act
(Fiscal Year 2011)
What KPMG Found
KPMG noted that CSB has an information security program in place that appears
to be functioning as designed. KPMG also noted that CSB takes information
security weaknesses seriously, as three of the four prior-year recommendations
were resolved. However, KPMG identified areas in which CSB could improve
upon its vulnerability scanning and patch management process, and inventory of
information technology assets.
In addition to reviewing CSB's information security practices, KPMG conducted
a security assessment of key CSB system and network devices. This assessment
disclosed several challenges CSB faces in securing its main information
technology system. KPMG found unpatched network devices, which elevated
CSB's risk of system and data compromise by unauthorized users. KPMG
provided detailed results of its assessment to CSB officials. KPMG also
identified 199 excess information technology devices, of a total of 408, which
could allow for misuse or loss of information technology devices or data.
What KPMG Recommends
KPMG recommends that CSB review and implement patches for network devices
as required, develop and implement standard baseline configurations for network
devices, and review the information technology inventory and remove the excess
inventory devices through appropriate means.
CSB agreed with the recommendations and provided agreed-upon corrective
actions.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.gov/oiq/reports/2012!
20120321 -12-P-0363. pdf
-------�
\
__ • -
SZZj
*1 PrO*^
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
March 21, 2012
MEMORANDUM
SUBJECT:
FROM:
TO:
Evaluation of U.S. Chemical Safety and Hazard Investigations Board's
Compliance With the Federal Information Security Management Act
(Fiscal Year 2011)
Report No. 12-P-0363
Arthur A. Elkins, Jr.
Inspector General
The Honorable Rafael Moure-Eraso, Ph.D.
Chairman and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
This final report on the above subject area summarizes the results of information security work
performed by KPMG LLP on behalf of the Office of Inspector General of the U.S.
Environmental Protection Agency. This report also includes the U.S. Chemical Safety and
Hazard Investigations Board's completed Fiscal Year 2011 Federal Information Security
Management Report Template, as prescribed by the Department of Homeland Security.
If you or your staff have questions regarding this report, please contact Patricia H. Hill, Assistant
Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@,epa.gov: or Rudolph
M. Brevard, Director for Information Resources Management Assessments, at (202) 566-0893 or
brevard.rudv@,epa. gov.
-------�
March 21, 2012
SUBJECT: Evaluation of U.S. Chemical Safety and Hazard Investigation Board's
Compliance With the Federal Information Security Management Act
(Fiscal Year 2011)
THRU: Rudolph Brevard
Director, Information Resources Management Assessments
U.S. Environmental Protection Agency
Office of Inspector General
TO: The Honorable Rafael Moure-Eraso, Ph.D.
Chairman and Chief Executive Officer
U.S. Chemical Safety and Hazard Investigation Board
Attached is the KPMG LLP final report on the above subject audit. KPMG LLP performed the
Federal Information Security Management Act (FISMA) evaluation on behalf of the U.S.
Environmental Protection Agency, Office of Inspector General. This report includes the test
results for selected minimally required information security controls defined by the National
Institute of Standards and Technology and the Department of Homeland Security.
If you or your staff have any questions regarding this report, please contact Patricia H. Hill,
Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill. patricia@,epa. gov: or
Rudolph M. Brevard at (202) 566-0893 or brevard.rudv@,et)a. gov.
-------�
Evaluation of U.S. Chemical Safety and Hazard 12-P-0363
Investigation Board's Compliance With the
Federal Information Security Management Act
(Fiscal Year 2011)
Table of Contents
Purpose 1
Background 1
Scope and Methodology 2
Findings 2
Vulnerability Scanning 2
Large Number of Unused Information Technology Assets 3
Recommendations 3
CSB Response and KPMG Comments 3
Status of Recommendations and Potential Monetary Benefits 4
Appendices
A Microagency FISMA Reporting Template 5
B CSB Response to Draft Report 11
-------�
Purpose
The U.S. Environmental Protection Agency, Office of Inspector General, initiated
this evaluation to assess the U.S. Chemical Safety and Hazard Investigation
Board's (CSB's) compliance with the Federal Information Security Management
Act of 2002 (FISMA) for fiscal year 2011. The U.S. Environmental Protection
Agency's Office of Inspector General also serves as the Inspector General for CSB.
Background
On December 17, 2002, the President signed into law H.R. 2458, the
E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government
Act of 2002, commonly referred to as FISMA, focuses on improving oversight of
federal information security programs and facilitating progress in correcting
agency information security weaknesses. FISMA requires federal agencies to
develop, document, and implement an agency-wide information security program
that provides security for the information and information systems that support
the operations and assets of the agency, including those provided or managed by
another agency, contractor, or other source. FISMA assigns specific
responsibilities to agency heads and inspectors general (IGs) and is supported by
security policy promulgated through Office of Management and Budget (OMB)
and risk-based standards and guidelines published in the National Institute of
Standards and Technology (NIST) Special Publication series.
Under FISMA, agency heads are responsible for providing information security
protections commensurate with the risk and magnitude of harm resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction of
information and information systems. FISMA directs federal agencies to report
annually to the OMB Director, Comptroller General, and selected congressional
committees on the adequacy and effectiveness of agency information security
policies, procedures, and practices, and compliance with FISMA. In addition,
FISMA requires agencies to have an annual independent evaluation performed of
their information security programs and practices, and to report the evaluation
results to OMB. FISMA states that the independent evaluation is to be performed
by the agency IG or an independent external auditor as determined by the IG.
CSB management is responsible for making risk management decisions regarding
deficiencies, and their realizable/potentially realizable impacts on controls and the
confidentiality, integrity, and availability of systems. CSB management is
responsible, based on its risk management decisions, to implement solutions that
are appropriate for CSB's information technology environment. Conditions may
exist that mitigate the risk of an identified deficiency, but they were not identified
during our testing.
12-P-0363
1
-------�
Scope and Methodology
The scope of our testing included the CSB Information Technology System, the
only CSB information technology system subject to FISMA reporting
requirements.
We conducted our testing by making inquiries of CSB personnel, inspecting
relevant documentation, and performing limited technical security testing. Some
examples of our inquiries of agency management and personnel included, but
were not limited to, the process for documenting audit log reviews and
vulnerability scanning. We inspected the training sign-off sheets for key CSB
staff and CSB-published information security policies and procedures.
We performed this evaluation in accordance with generally accepted government
auditing standards, issued by the Comptroller General of the United States. Those
standards require that we plan and perform the evaluation to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our evaluation objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives. We conducted the evaluation from September through
November 2011.
Findings
During our evaluation for fiscal year 2011, we noted that CSB has an information
security program in place that appears to be functioning as designed. We also
noted that CSB takes information security weaknesses seriously, as CSB has
addressed three of the four recommendations made in our report for fiscal year
2010. However, during this year's assessment, we identified areas in which CSB
could improve its vulnerability scanning and patch management process, and
inventory of information technology assets.
Vulnerability Scanning
Our security assessment of key CSB system and network devices disclosed
vulnerabilities related to unpatched devices. We have provided the details to CSB
management separately. While CBS Board Order 034 provides policies and
procedures for maintaining device security, and CSB drafted and implemented
additional supplemental standard operating procedures, CSB personnel did not
always follow this guidance to ensure that network devices were appropriately
secured. Unpatched devices significantly elevate CSB's risk of system and data
compromise by unauthorized users, which could lead to the alteration or deletion
of critical data and a degradation of system performance.
12-P-0363
2
-------�
Large Number of Unused Information Technology Assets
Our review of the information technology asset listing identified 199 excess
devices out of 408 total devices (e.g., Blackberries, laptops, servers). CSB stated
that they have not had the resources or time to undertake the activity of removing
the excess information technology assets. Maintaining an inventory that contains
a large number of excess items can allow for the misuse or loss of devices if they
are not accounted for. Also, if the devices contain non-public and sensitive
information that was not degaussed and lost, this could lead to disclosure of
non-public and sensitive CSB information.
Recommendations
We recommend that the Chairman, U.S. Chemical Safety and Hazard
Investigation Board:
1. Review and implement patches as required for the network devices.
2. Develop and implement standard baseline configurations for the network
devices.
3. Review the information technology inventory and remove the excess
inventory items by using the appropriate means through the General
Services Administration.
CSB Response and KPMG Comments
CSB concurred with the report findings and recommendations, and provided
planned actions to address each finding and milestones for completion. KPMG
considers all recommendations open and will review CSB's actions during the
fiscal year 2012 audit.
12-P-0363
3
-------�
Status of Recommendations and
Potential Monetary Benefits
POTENTIAL MONETARY
RECOMMENDATIONS BENEFITS (in $000s)
Rec.
No.
Page
No.
Subject
Status1
Action Official
Planned
Completion
Date
Claimed Agreed-To
Amount Amount
1
3
Review and implement patches as required for the
network devices.
0
Chairman, U.S. Chemical
Safety and Hazard
Investigation Board
Ongoing
2
3
Develop and implement standard baseline
configurations for the network devices.
0
Chairman, U.S. Chemical
Safety and Hazard
Investigation Board
07/31/12
3
3
Review the information technology inventory and
remove the excess inventory items by using the
appropriate means through the General Services
0
Chairman, U.S. Chemical
Safety and Hazard
Investigation Board
09/30/12
Administration.
1 0 = recommendation is open with agreed-to corrective actions pending
C = recommendation is closed with all agreed-to actions completed
U = recommendation is unresolved with resolution efforts in progress
12-P-0363
4
-------�
Appendix A
Microagency FISMA Reporting Template
This appendix contains a printout of the information security data that CBS submitted to OMB in
response to the annual FISMA reporting instructions. The following data were obtained from
OMB's CyberScope system.
12-P-0363
5
-------�
Micro Agency Report
¦ 2011
Annual FISMA
Section Repoit
Repoit
Chemical Safety Board
12-P-0363
6
-------�
Section 1: Svstem Inventory
1. For each of die FTPS 199 system categorized impact levels in this question, provide the total number of Agency operational, F1SMA
reportable, systems by Agency component (Le. Bureau or Sub-Department Operating Element).
Agency/ Component
1a.
Agency
Operated
Systems
1b.
Contractor
Operated
Systems on
Behalf of the
Agency.
Total Systems
1c.
Number of systems in
1a. and 1b.
combined with
security
authorization to
operate.
1d.
Systems or
Services
leveraging a
public cloud
1e.
Number of Systems
and Services in 1d.
with a Security
Assessment and
Authorization to
utilize.
CSB
High
0
0
0
0
0
0
Moderate
1
0
1
1
0
0
Low
0
0
0
0
0
0
Not Categorized
0
0
0
0
0
0
Sub-Toal
1
0
1
1
0
0
I
!
High
0
0
0
0
0
0
Moderate
1
0
1
1
0
0
Low
0
0
0
0
0
0
Not Categorized
0
0
0
0
0
0
Sub-Toal
1
0
1
1
0
0
12-P-0363
7
-------�
Section 2: Asset Management
2. Provide the total number of Agency Information Technology assets (e.g. router, server, workstation, laptop, blackberry, etc.).
(Responses to this question will be used as a denominator in calculating agency benchmarks as a percentage)
408
-a. Provide the number of Agency information technology assets, connected to the network, (e.g. router, server,
workstation, laptop, etc.) where an automated capability provides visibility at the Agency level into asset inventory
information.
209
[section 3; Vulnerability Management
3. Provide the number of Agency information technology assets where an automated capability provides visibility at the Agency-
level into detailed vulnerability information (e.g. Common Vulnerabilities and Exposures - CVE).
99
[section 4: Identity and Access Management
4. Provide a working URL to the Agency's progress update for HSPD-12 implementation.
http:''www.csb.gov'T*serFiles.file'HSPD-12%20Reporting0/o20Template%20and%20Instnictions*/fc2(hipd
ated%2009012011.pdf
5. What is the number of Agency network user accounts? (Exclude system and application accounts utilized by processes)
51
6. How many network user accounts are configured to require PR* to authenticate to the Agency networks)?
0
12-P-0363
8
-------�
[Section 5: Data Protection
7. Provide the lolal number of:
7.1. Mobile computers and device" (excluding laptops)
7.1(a). Netbooks
4
7.1(b). Tablet-type computers
2
7.1(c). Blackberries
117
7.1(d). Smartphones
0
7.1(e). USB devices (Flash drives and external hard drives)
52
7.1(f). Other
0
7.2. Laptops Only
122
7.3. Mobile computers and derices (excluding laptops)
7.3(a). Netbooks
0
7.3(b). Tablet-type computers
0
7.3(c). Blackberries
0
7.3(d). Smartphones
0
12-P-0363
9
-------�
[Section 5: Data Protection
7.3(e). USB device- (Flash drives and external hard drives)
0
7.3(f). Other
0
7.4. Laptops only
2?
Section 6: Boundary Protection
8. Provide the percentage of external connections passing through a TICVMlIFS. (Applies to all Federal Civilian Agencies. All
others shonld respond N/A.)
0%
[Section 7: Training and Edncation
Provide the number of Agency users with network access privileges that have been given security awareness training annually.
55
[section
8: Remote Access and Telework
10. Provide the number of remote access connection methods (e.g. Dial-up, YPN, C'liendess-\TN or SSL, etc.) the Agency offers to
allow users to connect remotely to full access of normal desktop Agency LAN/WAN resources'services. Connection methords
refer to options the Agency offers to users allowing them to connect remotely.
3
12-P-0363
10
-------�
Appendix B
CSB Response to Draft Report
Chemical Safety and
Hazard Investigation Board
2175 K Street, NW • Suite 650 • Washington, DC 20037-1809
Phone: (202) 261-7600 • Fax: (202) 261-7650
www.csb.gov
Hon. Rafael Moure-Eraso
Chairperson
Hon. John S. Bresland
Board Member
Hon. Mark Griffon
Board Member
March 2,2012
Rudolph Brevard
Director, Information Resource Management Assessments
U.S. Environmental Protection Agency
Office of Inspector General
1200 Pennsylvania Ave
Washington, DC 20460
Dear Mr. Brevard:
We have reviewed your draft report on the independent evaluation of the Chemical Safety and
Hazard Investigation Board's (CSB) compliance with the Federal Information Security
Management Act (FISMA).
As reported, the CSB takes information security weaknesses seriously and made significant
progress in completing actions on FISMA findings from prior years. Specifically, the CSB took
the necessary steps to close three of four FY 2010 findings. The remaining recommendation,
FY10-OIG-IT-02, is on schedule to meet a target completion date of My 31,2012. This action
will also satisfy the requirements to close one of the FY2011 findings, FY11-OIG-IT-02, to
develop and implement standard baseline configurations for agency network devices.
We also agree with the FY 2011 findings and recommendations listed on page 3 of your draft
report. Attached is table with our planned actions to address each finding and milestones for
completion. Please contact Allen Smith at 202-261-7638, or Charlie Bryant at 202-261-7666 for
further information on any of these items.
Sincerely.
Enclosure
Rafael Moure-Eraso. Ph.D.
Chairperson & CEO
12-P-0363
11
-------�
FY 2011 FISMA Recommendation
Completed or Planned Actions
1. Review and implement patches as
required for the network devices.
Ongoing
The CSB installed or completed the
installation of the four missing patches
identified in the scan and will continue to
actively review and patch network
devices.
2. Develop and implement standard
baseline configurations for the
network devices.
By July 31, 2012, the CSB will:
Develop and implement standard baseline
configurations.
3. Review the information technology
inventory and remove the excess
inventory items by using the
appropriate means through the
General Services Administration.
By September 30,2012, the CSB will:
Reduce excess information technology
items inventory by 75%.
12-P-0363
12
-------� |