* £% *
% PR0^°
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Compliance with the law
Operating efficiently and effectively
EPA's Information Security
Program Is Established, but
Improvements Are Needed to
Strengthen Its Processes
Report No. 18-P-0031
October 30, 2017
-------�
Report Contributors:
Rudolph M. Brevard
Vincent Campbell
Nancy Dao
Eric K. Jackson Jr.
Scott Sammons
Tessa Waters
Ben Beeson
Abbreviations
EPA U.S. Environmental Protection Agency
FISMA Federal Information Security Modernization Act of 2014
FY Fiscal Year
IG Inspector General
OIG Office of Inspector General
U.S.C. United States Code
Cover image: Cybersecurity Framework. (EPA OIG graphic)
Are you aware of fraud, waste or abuse in an
EPA program?
EPA Inspector General Hotline
1200 Pennsylvania Avenue, NW (2431T)
Washington, DC 20460
(888) 546-8740
(202) 566-2599 (fax)
OIG Hotline@epa.gov
Learn more about our OIG Hotline.
EPA Office of Inspector General
1200 Pennsylvania Avenue, NW (2410T)
Washington, DC 20460
(202) 566-2391
www.epa.gov/oiq
Subscribe to our Email Updates
Follow us on Twitter @EPAoig
Send us your Project Suggestions
-------�
tftD STAf.
* U.S. Environmental Protection Agency 18-P-0031
£ A_B rO nf Incna^nr October 30, 2017
| \ Office of Inspector General
I® i
At a Glance
% PRO^
Why We Did This Review
The Office of Inspector General
conducted this audit to assess
the U.S. Environmental
Protection Agency's (EPA's)
compliance with the Federal
Information Security
Modernization Act of 2014
(FISMA) during fiscal year
(FY) 2017.
The Inspector General (IG)
FISMA reporting metrics outline
five maturity levels for IGs to
rate their agency's information
security programs:
Level 1 - Ad-Hoc
Level 2 - Defined
Level 3 - Consistently
Implemented
Level 4 - Managed and
Measurable
Level 5 - Optimized
The maturity model is a tool
that summarizes an agency's
information security program
and outlines activities to
improve the program.
We reported our audit results
using the CyberScope system
developed by the U.S.
Department of Homeland
Security.
This report addresses the
following:
• Compliance with the law.
• Operating efficiently and
effectively.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oiq.
EPA's Information Security Program Is
Established, but Improvements Are Needed
to Strengthen Its Processes
What We Found
The EPA has an effective information
security program and has completed all
the requirements to achieve a Level 3
(Consistently Implemented) maturity level
for the five security functions and related
domains defined within the FY 2017 IG
FISMA reporting metrics:
Although the EPA has an
effective information security
program, management emphasis
is needed to achieve a higher
level of maturity for the agency's
information security program.
1. Identify - Risk Management.
2. Protect - Configuration Management, Identity and Access Management,
and Security Training.
3. Detect - Information Security Continuous Monitoring.
4. Respond - Incident Response.
5. Recover - Contingency Planning.
We tested whether the EPA developed policies, procedures and strategies for
each area within the IG FISMA reporting metrics. We also analyzed EPA
management's self-assessments that contained assertions and additional
information on whether the agency implemented processes and practices
consistent with the specified security functions and related domains. In addition,
we evaluated prior audit work to determine whether the self-assessments were
consistent with our audit findings.
We concluded that the EPA defined policies, procedures and strategies for each
security function and related domains. EPA management also provided sufficient
evidence that the agency implemented a majority of processes and practices
consistent with maturity model Level 3 (Consistently Implemented). However, we
found substantial weaknesses in the EPA's information security training program
related to how the agency verifies whether contractor personnel with significant
information security responsibilities comply with specialized security training
requirements.
Appendix A documents the results for the FY 2017 IG FISMA reporting metrics.
We worked closely with EPA officials and briefed them on the results. We made
no recommendations based on our analysis. The EPA agreed with our
conclusions.
Listing of OIG reports.
-------�
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
October 30, 2017
MEMORANDUM
SUBJECT: EPA's Information Security Program Is Established,
but Improvements Are Needed to Strengthen Its Processes
Report No. 18-P-0031
FROM: Arthur A. Elkins Jr.
TO:
Scott Pruitt, Administrator
This is our final report on the subject audit conducted by the Office of Inspector General (OIG) of the
U.S. Environmental Protection Agency (EPA). The project number for this audit was OA-FY17-0204.
This report contains conclusions that meet the Federal Information Security Modernization Act of 2014
reporting requirements as prescribed by the Office of Management and Budget and U.S. Department of
Homeland Security. This report represents the opinion of the OIG and does not necessarily represent the
final EPA position.
The EPA office having the primary oversight for the areas evaluated in this report is the Office of
Environmental Information.
Action Required
You are not required to provide a written response to this final report. In accordance with the Office of
Management and Budget Federal Information Security Modernization Act reporting instructions, we are
forwarding this report, along with the agency's required information, to the Director of the Office of
Management and Budget.
We will post this report to our website at www.epa.gov/oig.
-------�
EPA's Information Security Program Is
Established, but Improvements Are Needed
to Strengthen Its Processes
18-P-0031
Table of C
Purpose 1
Background 1
Responsible Office 2
Scope and Methodology 3
Results of Review 4
Conclusion 6
Appendices
A Department of Homeland Security CyberScope Template
B Information Security Reports Issued in FY 2017
C Distribution
-------�
Purpose
The U.S. Environmental Protection Agency (EPA) Office of Inspector General
(OIG) conducted this audit to evaluate the EPA's compliance with the Federal
Information Security Modernization Act of 2014 (FISMA) during fiscal year (FY)
2017.
Background
Under FISMA (44 U.S.C. §3554 (a)(l)(A)(i) and (ii)), agency heads are
responsible for providing information security protections commensurate with the
risk and magnitude of harm resulting from the unauthorized access, use,
disclosure, disruption, modification or destruction of information and information
systems.
The FY 2017 Inspector General (IG) FISMA reporting metrics identified seven
domains within the five security functions defined in the National Institute of
Standards and Technology Framework for Improving Critical Infrastructure
Cybersecurity. Each security function contains at least one corresponding domain
of an agency's information security program, as shown in Figure 1. The National
Institute of Standards and Technology cybersecurity framework provides agencies
with a common structure for identifying and managing cybersecurity risks across
the enterprise.
Figure 1: Cybersecurity framework security functions and domains
Identify
•Risk
Management
•Configuration
Management
• Identity and
Access
Management
•Security
Training
Detect
•Information
Security
Continuous
Monitoring
Respond
•Incident
Response
•Contingency
Planning
Source: FY 2017 IG FISMA of 2014 reporting metrics.
The IG FISMA reporting metrics provide guidance for assessing the maturity of
controls to address those risks. This year's FISMA metrics represents a significant
departure from prior year's reporting metrics. This year, the Office of
Management and Budget introduced a new maturity model rating system for three
of the five functions (Identify, Protect, and Recover). The Office of Management
and Budget also reorganized the model itself to make it more intuitive. This
eliminates our ability to compare this year's results to prior ratings of the security
functions. The effectiveness of the information security program is based on a
maturity model spectrum, in which levels 1 and 2 describe whether agencies have
developed policies and procedures and levels 3 to 5 describe the extent to which
the agencies have institutionalized those policies and procedures. Figure 2 details
18-P-0031
-------�
the five maturity model levels, with Level 5 - "Optimized" being the highest
maturity level an organization can achieve.
Figure 2: Maturity model levels
Maturity Level Maturity Level Description
Level 5: Optimized
•Policies, procedures and strategy are fully
institutionalized, repeatable, self-
generating, consistently implemented and
regularly updated based on a changing
threat and technology landscape and
business/mission needs.
Level 4: Managed
and Measureable
•Quantitative and qualitative measures on
the effectiveness of policies, procedures
and strategy are collected across the
organization and used to assess them and
make necessary changes.
Level 3: Consistently
Implemented
•Policies, procedures and strategy are
consistently implemented, but quantitative and
qualitative effectiveness measures are lacking.
r "
Level 2: Defined
•Policies, procedures and strategy are
formalized and documented but not consistently
implemented.
Level 1: Ad Hoc
•Policies, procedures, and strategy are not
formalized; activities are performed in an
ad-hoc, reactive manner.
Source: FY 2017 IG FISMA of 2014 reporting metrics.
Within the context of the maturity model, Level 4 - "Managed and Measurable"
represents an effective level of security at the domain, function and overall
program level. In addition, the FY 2017 IG FISMA reporting metrics grant IGs
the discretion to rate the agency's information security program at a different
maturity level than what has been calculated by the CyberScope system. The
reporting metrics stated that the rationale is to provide greater flexibility when
assessing the agency's information security program.
Responsible Office
The Office of Environmental Information leads the EPA's information
management and information technology programs to provide the information,
technology and services necessary to advance the protection of human health and
the environment. Within the Office of Environmental Information, the EPA's
Chief Information Security Officer is responsible for the EPA's information
security program. Additionally, the Chief Information Security Officer is
responsible for developing an agencywide information security program that
18-P-0031
2
-------�
complies with FISMA and related information security laws, regulations,
directives, policies and guidelines.
Scope and Methodology
We conducted our performance audit from May to October 2017 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient and
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our conclusions based on our audit objectives.
We conducted our testing through inquiries of agency personnel, inspection of
relevant documentation and leveraging of current OIG information security audit
work related to the Cybersecurity Framework Security Functions and domains.
We also reviewed FY 2017 audit reports issued by the U.S. Government
Accountability Office and the EPA OIG to identify any issues related to the
security function areas.
The FY 2017 IG FISMA reporting metrics require IGs to provide three separate
assessments of their agency's information security program. The first assessment
requires IGs to evaluate their agency's information security program with respect
to 54 questions related to the five security functions and related domains defined
within the IG FISMA reporting metrics. The CyberScope system, which is used to
report our assessment results, calculates a maturity model level for each security
function based on the IG responses to the 54 questions. The second assessment
requires IGs to provide additional information about the effectiveness of their
agency's information security program that was not asked by the questions
contained in the IG FISMA reporting metrics. The third assessment requires IGs
to provide an overall self-assessment rating of Effective or Not Effective for its
agency's information security program. In providing these three assessments, we
conducted the following audit work to reach our conclusions for each required
assessment:
• IG FISMA Reporting Metrics Questions: For each security function and
related domain, we evaluated whether the EPA took the necessary action
to complete Level 1 (Ad-Hoc) of the IG FISMA reporting metrics
maturity model. For each level, agencies are required to meet specific
steps to achieve that level and be considered reaching the next level within
the maturity model. As such, we evaluated whether EPA policies,
procedures and strategies met the Level 1 requirements for each security
function and related domain. If the policies, procedures and strategies
were formalized and documented, we rated the EPA at Level 2 (Defined).
If the EPA did not meet all the requirements, we rated the agency at
Level 1 (Ad Hoc) because that is the minimum level.
18-P-0031
3
-------�
• Additional Information About the EPA's Security Program: For each
security function and related domain, we used the control self-assessment
methodology1 to collect and evaluate EPA management's information on
the effectiveness of the agency's information security program. We
reviewed the provided information to determine whether the documents
were relevant and reasonably supported the agency's assertions. We also
relied upon audit work performed from FYs 2015 through 2017 to further
assess whether management's assertions were consistent with our
conclusions.
• Overall Self-Assessment Rating: We based our overall conclusion on the
analysis of the collected audit documentation and whether the EPA:
o Documented that policies, procedures and strategies were
consistent with the IG FISMA reporting metrics questions.
o Provided documentation of its information security practices and
that activities met requirements consistent with the security
functions and related domains outlined within the IG FISMA
reporting metrics.
o Implemented processes and activities, based on prior audit work,
that were consistent with the security functions and related
domains specified within the IG FISMA reporting metrics, even
though weaknesses may have existed and the OIG made
recommendations for management to improve controls.
Results of Review
The EPA has an effective information security program. Based on our analysis of
EPA material and the additional documentation provided by EPA representatives,
we concluded that the EPA took sufficient steps to complete the requirements
specified within the FY 2017 IG FISMA reporting metrics to reach Level 3
(Consistently Implemented) of the FISMA maturity model.
We concluded that the EPA fully defined its policies, procedures and strategies and
met the requirements of the security functions and related security domains
outlined within the IG FISMA reporting metrics. The EPA asserted that it has fully
implemented processes and activities consistent with the security functions and
related domains specified within the IG FISMA reporting metrics, and provided
artifacts and other documentation to support their assertions. Based on our analysis
of this documentation and comparison of management's assertions against prior
audit work, we concluded that the evidence supported management's assertions.
1 According to the Institute of Internal Auditors, control self-assessment is a technique that allows personnel directly
involved in the business process to participate in assessing the organization's risk management and control
processes. Audit teams can use control self-assessment results to gather relevant information about risk and controls.
18-P-0031
4
-------�
EPA management provided sufficient evidence that the agency implemented a
majority of processes and practices consistent with the 54 questions outlined in
the FY 2017 IG FISMA reporting metrics. We rated the EPA's information
security function areas at maturity Level 3 on the IG FISMA reporting metrics
maturity model, as shown in Table 1.
Table 1: Maturity level of EPA's information security function areas
Security Function
Maturity Level
1. Identify
Level 3: Consistently Implemented
2. Protect
Level 3: Consistently Implemented
3. Detect
Level 3: Consistently Implemented
4. Respond
Level 3: Consistently Implemented
5. Recover
Level 3: Consistently Implemented
Source: Results of OIG analyses of EPA's self-assessments.
However, the EPA indicated that it has not implemented some activities
associated with the security functions. For example:
• Risk Management: The EPA has not consistently implemented a process
for using standard data elements/taxonomy to develop and maintain an
up-to-date inventory of hardware assets connected to the organization's
network with the detailed information necessary for tracking and
reporting.
• Identity and Access Management: EPA has not fully implemented an
Identity, Credential and Access Management strategy to guide its Identity,
Credential and Access Management processes and activities.
We also found substantial weaknesses in the EPA's information security training
program related to how the agency verifies that contractor personnel with
significant information security responsibilities comply with specialized security
training requirements. The OIG issued Report No. 17-P-0344. EPA Lacks
Processes to Validate Whether Contractors Receive Specialized Role-Based
Training for Network and Data Protection, which noted that the EPA is unaware
as to whether information security contractors possess the skills and training
needed to protect the agency's information, data and network from security
breaches. As such, we rated a question within the Protect security function in the
IG FISMA reporting metrics on specialized training for personnel with significant
information security responsibilities at Level - 1 (Ad-hoc).
We worked closely with the agency representatives and briefed them on each
portion of the IG FISMA reporting metrics as the results were completed. We
collected management's feedback on our analysis either verbally or through
email. Where appropriate, we updated our analysis and incorporated
management's feedback. Appendix A contains the detailed results of our analysis.
18-P-0031
5
-------�
Management agreed with our conclusions. Appendix B contains a listing of
significant information security audit reports published in FY 2017.
Conclusion
Although the EPA has an effective information security program, management
emphasis is needed to achieve a higher level of maturity for the agency's
information security program.
18-P-0031
6
-------�
Appendix A
Department of Homeland Security
CyberScope Template
18-P-0031
-------�
Inspector General
2017
Section Report
Environmental Protection Agency
18-P-0031
-------�
Function 1: Identify - Risk Management
Does the organization maintain a comprehensive and accurate inventory of its information systems (including cloud systems, public facing websites, and third
party systems), and system interconnections (NIST SP 800-53: CA-3 and PM-5; OMB M-04-25; NIST Cybersecurity Framework (CSF): ID.AM-1 -
4)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent does the organization use standard data elements/taxonomy to develop and maintain an up-to-date inventory of hardware assets connected to
the organization's network with the detailed information necessary for tracking and reporting (NIST SP 800-53: CA-7 and CM-8; NIST SP 800-137;
Federal Enterprise Architecture (FEA) Framework, v2)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent does the organization use standard data elements/taxonomy to develop and maintain an up-to-date inventory of the software and associated
licenses used within the organization with the detailed information necessary for tracking and reporting (NIST SP 800-53: CA-7, CM-8, and CM-10; NIST
SP 800-137; FEA Framework, v2)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent has the organization categorized and communicated the importance/priority of information systems in enabling its missions and business
functions (NIST SP 800-53: RA-2, PM-7, and PM-11; NIST SP 800-60; CSF: ID.BE-3; and FIPS 199)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent has the organization established, communicated, and implemented its risk management policies, procedures, and strategy that include the
organization's processes and methodologies for categorizing risk, developing a risk profile, assessing risk, risk appetite/tolerance levels, responding to risk,
and monitoring risk (NIST 800-39; NIST 800-53: PM-8, PM-9; CSF: ID RM-1 - ID.RM-3; OMB A-123; CFO Council ERM Playbook)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 1 of 22
-------�
Function 1: Identify - Risk Management
Has the organization defined an information security architecture and described how that architecture is integrated into and supports the organization's
enterprise architecture to provide a disciplined and structured methodology for managing risk (NIST 800-39; FEA; NIST 800-53: PL-8, SA-3, and SA-8)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what degree have roles and responsibilities of stakeholders involved in risk management, including the risk executive function/Chief Risk Officer, Chief
Information Officer, Chief Information Security Officer, and other internal and external stakeholders and mission specific resources been defined and
communicated across the organization (NIST 800-39: Section 2.3.1 and 2.3.2; NIST 800-53: RA-1; CSF: ID.RM-1 - ID.GV-2, OMB A-123, CFO
Council ERM Playbook)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent has the organization ensured that plans of action and milestones (POA&Ms) are utilized for effectively mitigating security weaknesses (NIST
SP 800-53: CA-5; OMB M-04-25)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
To what extent has the organization defined, communicated, and implemented its policies and procedures for conducting system level risk assessments,
including for identifying and prioritizing
(i) internal and external threats, including through use of the common vulnerability scoring system, or other equivalent framework
(ii) internal and external asset vulnerabilities, including through vulnerability scanning,
(iii) the potential likelihoods and business impacts/consequences of threats exploiting vulnerabilities, and
(iv) selecting and implementing security controls to mitigate system-level risks (NIST 800—37; NIST 800-39; NIST 800—53: PL-2, RA-1; NIST 800-30;
CSF:ID.RA-1 - 6)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
10 To what extent does the organization ensure that information about risks are communicated in a timely manner to all necessary internal and external
stakeholders (CFO Council ERM Playbook; OMB A-123)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
EPA OIG Report - Annual 2017 Page 2 of 22
18-P-0031
-------�
Function 1: Identify - Risk Management
11 To what extent does the organization ensure that specific contracting language (such as appropriate information security and privacy requirements and
material disclosures, FAR clauses, and clauses on protection, detection, and reporting of information) and SLAs are included in appropriate contracts to
mitigate and monitor the risks related to contractor systems and services (FAR Case 2007—004; Common Security Configurations; FAR Sections: 24.104,
39.101, 39.105, 39.106, 52.239-1; President's Management Council; NIST 800-53: SA-4; FedRAMP standard contract clauses; Cloud Computing
Contract Best Practices; FY 2017 CIO FISMA Metrics: 1.7, 1.8)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
12 To what extent does the organization utilize technology (such as a governance, risk management, and compliance tool) to provide a centralized, enterprise
wide (portfolio) view of risks across the organization, including risk control and remediation activities, dependencies, risk scores/levels, and management
dashboards (NIST SP 800-39; OMB A-123; CFO Council ERM Playbook)?
Defined (Level 2)
Comments:
See comment for Question 13.2.
13.1 Please provide the assessed maturity level for the agency's Identify - Risk Management function.
Consistently Implemented (Level 3)
Comments:
See comment for Question 13.2
EPA OIG Report - Annual 2017
18-P-0031
Page 3 of 22
-------�
Function 1: Identify - Risk Management
13 .2 Provide any additional information on the effectiveness (positive or negative) of the organization's risk management program that was not noted in the
questions above. Taking into consideration the overall maturity level generated from the questions above and based on all testing performed, is the risk
management program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
However, the EPA indicated that it has not implemented some activities associated with the security functions. For example:
The EPA has not consistently implemented a process for using standard data elements/taxonomy to develop and maintain an up-to-date
inventory of hardware
Comments:
assets connected to the organization s network with the detailed information necessary for tracking and reporting.
We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Function 2A: Protect - Configuration Management
14 To what degree have the roles and responsibilities of configuration management stakeholders been defined, communicated across the agency, and
appropriately resourced (NIST SP 800- 53: CM-1; SP 800-128: Section 2.4)?
Defined (Level 2)
Comments:
See comment in Question 22.
15 To what extent does the organization utilize an enterprise wide configuration management plan that includes, at a minimum, the following components: roles
and responsibilities, including establishment of a Change Control Board (CCB) or related body; configuration management processes, including processes
for: identifying and managing configuration items during the appropriate location within an organization's SDLC; configuration monitoring; and applying
configuration management requirements to contracted systems (NIST 800-128: Section 2.3.2; NIST 800-53: CM-9)?
Defined (Level 2)
Comments:
EPA OIG Report - Annual 2017
See comment in Question 22.
Page 4 of 22
18-P-0031
-------�
Function 2A: Protect - Configuration Management
16 To what degree have information system configuration management policies and procedures been defined and implemented across the organization ? (Note:
the maturity level should take into consideration the maturity of questions 17, 18, 19, and 21) (NIST SP 800-53: CM-1; NIST 800-128: 2.2.1)
Defined (Level 2)
Comments:
See comment in Question 22.
17 To what extent does the organization utilize baseline configurations for its information systems and maintain inventories of related components at a level of
granularity necessary for tracking and reporting (NIST SP 800-53: CM-2, CM-8; FY 2017 CIO FISMA Metrics: 1.4, 1.5, and 2.1; CSF: ID.DE.CM-7)?
Defined (Level 2)
Comments:
See comment in Question 22.
18 To what extent does the organization utilize configuration settings/common secure configurations for its information systems (NIST SP 800-53: CM-6,
CM-7, and SI-2; FY 2017 CIO FISMA Metrics: 2.2; SANS/CIS Top 20 Security Controls 3.7)?
Defined (Level 2)
Comments:
See comment in Question 22.
19 To what extent does the organization utilize flaw remediation processes, including patch management, to manage software vulnerabilities (NIST SP 800-53:
CM-3, SI-2; NIST 800-40, Rev. 3; OMB M-16-04; SANS/CIS Top 20 Control 4.5; and DHS Binding Operational Directive 15-01)?
Defined (Level 2)
Comments:
See comment in Question 22.
20 To what extent has the organization adopted the Trusted Internet Connection (TIC) program to assist in protecting its network (FY 2017 CIO Metrics: 2.26,
2.27, 2.29; OMB M-08-05)?
Defined (Level 2)
Comments:
See comment in Question 22.
21 To what extent has the organization defined and implemented configuration change control activities including: determination of the types of changes that are
configuration controlled; review and approval/disapproval of proposed changes with explicit consideration of security impacts and security classification of
the system; documentation of configuration change decisions; implementation of approved configuration changes; retaining records of implemented changes;
auditing and review of configuration changes; and coordination and oversight of changes by the CCB, as appropriate (NIST 800-53: CM--2, CM-3)?
Defined (Level 2)
Comments:
See comment in Question 22.
EPA OIG Report - Annual 2017 Page 5 of 22
18-P-0031
-------�
Function 2A: Protect - Configuration Management
22 Provide any additional information on the effectiveness (positive or negative) of the organization's configuration management program that was not noted in
the questions above. Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the configuration
management program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
(a)Stakeholders have adequate resources (people, processes and technology) to consistently implement information system configuration
management activities.
(b) The EPA has developed a Configuration Management Policy to establish an Agency-wide Configuration Management Program.
(c) The EPA consistently implements its policies and procedures for managing the configurations of its information systems. Further, the
organization utilizes lessons learned sessions to make improvements to its policies and procedures.
(d) The EPA consistently records, implements and maintains baseline configurations of its information systems and an inventory of related
components in accordance with the organization's policies and procedures.
(e) The EPA consistently implements, assesses and maintains secure configuration settings for its information systems based on least
functionality.
(f) The EPA consistently implements its flaw remediation policies, procedures and processes and ensures that patches, hotfixes, service packs
and anti-virus/malware software updates are identified and installed.
Comments:
We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Function 2B: Protect - Identity and Access Management
EPA OIG Report - Annual 2017 Page 6 of 22
18-P-0031
-------�
Function 2B: Protect - Identity and Access Management
23 To what degree have the roles and responsibilities of identity, credential, and access management (ICAM) stakeholders been defined, communicated across
the agency, and appropriately resourced (NIST 800-53: AC-1, IA-1, PS-1; and the Federal Identity, Credential, and Access Management Roadmap and
Implementation Guidance (FICAM))?
Defined (Level 2)
Comments:
See comment for Question 32.
24 To what degree does the organization utilize an ICAM strategy to guide its ICAM processes and activities (FICAM)?
Defined (Level 2)
Comments:
See comment for Question 32.
25 To what degree have ICAM policies and procedures been defined and implemented? (Note: the maturity level should take into consideration the maturity of
questions 27 through 31) (NIST 800-53: AC-1 and IA—1; Cybersecurity Strategy and Implementation Plan (CSIP); and SANS/CIS Top 20: 14.1)?
Defined (Level 2)
Comments:
See comment for Question 32.
26 To what extent has the organization developed and implemented processes for assigning personnel risk designations and performing appropriate screening
prior to granting access to its systems (NIST SP 800-53: PS-2, PS- 3; and National Insider Threat Policy)?
Defined (Level 2)
Comments:
See comment for Question 32.
27 To what extent does the organization ensure that access agreements, including nondisclosure agreements, acceptable use agreements, and rules of behavior,
as appropriate, for individuals (both privileged and non- privileged users) that access its systems are completed and maintained (NIST SP 800—53: AC-8,
PL-4, and PS-6)?
Defined (Level 2)
Comments:
See comment for Question 32.
28 To what extent has the organization implemented strong authentication mechanisms (PIV or Level of Assurance 4 credential) for non-privileged users to
access the organization's facilities, networks, and systems, including for remote access (CSIP; HSPD-12; NIST SP 800-53: AC-17; NIST SP 800-128;
FIPS 201-2; NIST SP 800-63; and Cybersecurity Sprint)?
Defined (Level 2)
Comments:
See comment for Question 32.
EPA OIG Report - Annual 2017 Page 7 of 22
18-P-0031
-------�
Function 2B: Protect - Identity and Access Management
29 To what extent has the organization implemented strong authentication mechanisms (PIV or Level of Assurance 4 credential) for privileged users to access
the organization's facilities, networks, and systems, including for remote access (CSIP; HSPD-12; NIST SP 800—53: AC-17; NIST SP 800-128; FIPS
201-2; NIST SP 800-63; and Cybersecurity Sprint)?
Defined (Level 2)
Comments:
See comment for Question 32.
30 To what extent does the organization ensure that privileged accounts are provisioned, managed, and reviewed in accordance with the principles of least
privilege and separation of duties? Specifically, this includes processes for periodic review and adjustment of privileged user accounts and permissions,
inventorying and validating the scope and number of privileged accounts, and ensuring that privileged user account activities are logged and periodically
reviewed (FY 2017 CIO FISMAmetrics: Section 2; NIST SP 800-53: AC-1, AC-2 (2), AC-17; CSIP)?
Defined (Level 2)
Comments:
See comment for Question 32.
31 To what extent does the organization ensure that appropriate configuration/connection requirements are maintained for remote access connections? This
includes the use of appropriate cryptographic modules, system time-outs, and the monitoring and control of remote access sessions (NIST SP 800-53:
AC-17, SI-4; and FY 2017 CIO FISMA Metrics: Section 2)?
Defined (Level 2)
Comments:
See comment for Question 32.
EPA OIG Report - Annual 2017
18-P-0031
Page 8 of 22
-------�
Function 2B: Protect - Identity and Access Management
32 Provide any additional information on the effectiveness (positive or negative) of the organization's identity and access management program that was not
noted in the questions above. Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the
identity and access management program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
However, the EPA indicated that it has not implemented some activities associated with the security functions. For example:
The EPA has not fully implemented an Identity, Credential and Access Management strategy to guide its Identity, Credential and Access
Management processes
Comments:
and activities.
We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Function 2C: Protect - Security Training
33 To what degree have the roles and responsibilities of security awareness and training program stakeholders been defined, communicated across the agency,
and appropriately resourced? (Note: this includes the roles and responsibilities for the effective establishment and maintenance of an organization wide
security awareness and training program as well as the awareness and training related roles and responsibilities of system users and those with significant
security responsibilities (NIST 800-53: AT-1; and NIST SP 800-50)?
Defined (Level 2)
Comments:
See comment for Question 39.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 9 of 22
-------�
Function 2C: Protect - Security Training
34 To what extent does the organization utilize an assessment of the skills, knowledge, and abilities of its workforce to provide tailored awareness and
specialized security training within the functional areas of: identify, protect, detect, respond, and recover (NIST 800-53: AT-2 and AT-3; NIST 800-50:
Section 3.2; Federal Cybersecurity Workforce Assessment Act of 2015; National Cybersecurity Workforce Framework v 1.0; NIST SP 800-181 (Draft);
and CIS/SANS Top 20: 17.1)?
Defined (Level 2)
Comments:
See comment for Question 39.2.
35 To what extent does the organization utilize a security awareness and training strategy/plan that leverages its organizational skills assessment and is adapted to
its culture? (Note: the strategy/plan should include the following components: the structure of the awareness and training program, priorities, funding, the goals
of the program, target audiences, types of courses/material for each audience, use of technologies (such as email advisories, intranet updates/wiki
pages/social media, web based training, phishing simulation tools), frequency of training, and deployment methods (NIST 800—53: AT-1; NIST 800-50:
Section 3))
Defined (Level 2)
Comments:
See comment for Question 39.2.
36 To what degree have security awareness and specialized security training policies and procedures been defined and implemented? (Note: the maturity level
should take into consideration the maturity questions 37 and 38 below) (NIST 800-53: AT-1 through AT-4; and NIST 800-50)
Defined (Level 2)
Comments:
See comment for Question 39.2.
3V To what degree does the organization ensure that security awareness training is provided to all system users and is tailored based on its organizational
requirements, culture, and types of information systems? (Note: Awareness training topics should include, as appropriate: consideration of organizational
policies, roles and responsibilities, secure e-mail, browsing, and remote access practices, mobile device security, secure use of social media, phishing,
malware, physical security, and security incident reporting (NIST 800-53: AT-2; FY 17 CIO FISMA Metrics: 2.23; NIST 800-50: 6.2; SANS Top 20:
17.4)
Defined (Level 2)
Comments:
See comment for Question 39.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 10 of 22
-------�
Function 2C: Protect - Security Training
38 To what degree does the organization ensure that specialized security training is provided to all individuals with significant security responsibilities (as defined
in the organization's security policies and procedures) (NIST 800-53: AT-3 and AT-4; FY 17 CIO FISMA Metrics: 2.23)?
Ad Hoc (Level 1)
Comments:
The OIG issued a report on July 31, 2017, that documented that the EPA has not developed processes to validate that contractors
have completed specialized (role-based) training.
39.1 Please provide the assessed maturity level for the agency's Protect - Configuration Management/Identity and Access Management/Security Training
(Functions 2A - 2C).
Consistently Implemented (Level 3)
Comments:
See comments for Questions 22, 32 and 39.2
39.2 Provide any additional information on the effectiveness (positive or negative) of the organization's security training program that was not noted in the
questions above. Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the security training
program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
However, we also found weaknesses in the EPA's information security training program related to how the agency verifies contractor
personnel with significant information security responsibilities comply with specialized security training requirements.
Calculated Maturity Level - Defined (Level 2)
Function 3: Detect - ISCM
We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
EPA OIG Report - Annual 2017
18-P-0031
Page 11 of 22
-------�
Function 3: Detect - ISCM
40 To what extent does the organization utilize an information security continuous monitoring (ISCM) strategy that addresses ISCM requirements and activities
at each organizational tier and helps ensure an organization-wide approach to ISCM (NIST SP 800-137: Sections 3.1 and 3.6)?
Defined (Level 2)
Comments:
See comment for Question 45.2.
41 To what extent does the organization utilize ISCM policies and procedures to facilitate organization-wide, standardized processes in support of the ISCM
strategy? ISCM policies and procedures address, at a minimum, the following areas: ongoing assessments and monitoring of security controls; collecting
security related information required for metrics, assessments, and reporting; analyzing ISCM data, reporting findings, and reviewing and updating the ISCM
strategy (NIST SP 800-53: CA-7). (Note: The overall maturity level should take into consideration the maturity of question 43)
Defined (Level 2)
Comments:
See comment for Question 45.2.
42 To what extent have ISCM stakeholders and their roles, responsibilities, levels of authority, and dependencies been defined and communicated across the
organization (NIST SP 800-53: CA-1; NIST SP 800-137; and FY 2017 CIO FISMAMetrics)?
Defined (Level 2)
Comments:
See comment for Question 45.2.
43 How mature are the organization's processes for performing ongoing assessments, granting system authorizations, and monitoring security controls (NIST SP
800-137: Section 2.2; NIST SP 800-53: CA-2, CA-6, and CA-7; NIST Supplemental Guidance on Ongoing Authorization; OMB M-14-03)?
Defined (Level 2)
Comments:
See comment for Question 45.2.
44 How mature is the organization's process for collecting and analyzing ISCM performance measures and reporting findings (NIST SP 800-137)?
Defined (Level 2)
Comments:
See comment for Question 45.2.
45.1 Please provide the assessed maturity level for the agency's Detect - ISCM function.
Consistently Implemented (Level 3)
Comments:
See comment for Question 45.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 12 of 22
-------�
Function 3: Detect - ISCM
45.2 Provide any additional information on the effectiveness (positive or negative) of the organization's ISCM program that was not noted in the questions above.
Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the ISCM program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
(a) The EPA's information security continuous monitoring policies and procedures have been consistently implemented for the specified areas.
The EPA also consistently captures lessons learned to make improvements to the information security continuous monitoring policies and
procedures. The EPA has ensured continuous monitoring is consistently implemented by using the authorization-to-operate package review
process to provide oversight of the assessment process. This process ensures system control effectiveness is documented in the Agency's
repository system and plan of action and milestones are created to track unmitigated weaknesses.
(b) The EPA has consistently implemented its processes for performing ongoing security control assessments, granting system authorizations
and monitoring security controls. All security control classes (management, operational, technical) and types (common, hybrid and
system-specific) are monitored and assessed on a three-year cycle.
Comments: We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Function 4: Respond - Incident Response
46 To what extent has the organization defined and implemented its incident response policies, procedures, plans, and strategies, as appropriate, to respond to
cybersecurity events (NIST SP 800-53: IR-1; NIST 800-61 Rev. 2; FY 2017 CIO FISMA Metrics: 4.1, 4.3, and 4.6)? (Note: The overall maturity level
should take into consideration the maturity of questions 48 - -52)
Defined (Level 2)
Comments:
See comment for Questions 53.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 13 of 22
-------�
Function 4: Respond - Incident Response
47 To what extent have incident response team structures/models, stakeholders, and their roles, responsibilities, levels of authority, and dependencies been
defined and communicated across the organization (NIST SP 800-53; NIST SP 800-83; NIST SP 800-61 Rev. 2; OMB M-16-03; OMB M-16-04; FY
2017 CIO FISMA Metrics: 1.6 and 4.5; and US-CERT Federal Incident Notification Guidelines)?
Defined (Level 2)
Comments:
See comment for Questions 53.2.
48 How mature are the organization's processes for incident detection and analysis (NIST 800-53: IR-4 and IR-6; NIST SP 800-61 Rev. 2; US- CERT
Incident Response Guidelines)?
Defined (Level 2)
Comments:
See comment for Questions 53.2.
49 How mature are the organization's processes for incident handling (NIST 800-53: IR-4)?
Defined (Level 2)
Comments:
See comment for Questions 53.2.
50 To what extent does the organization ensure that incident response information is shared with individuals with significant security responsibilities and reported
to external stakeholders in a timely manner (FISMA; OMB M-16-03; NIST 800-53: IR-6; US-CERT Incident Notification Guidelines)?
Defined (Level 2)
Comments:
See comment for Questions 53.2.
51 To what extent does the organization collaborate with stakeholders to ensure on-site, technical assistance/surge capabilities can be leveraged for quickly
responding to incidents and enter into contracts, as appropriate, for incident response support (FY 2017 CIO FISMA Metrics: 4.4; NIST SP 800-86)?
Defined (Level 2)
Comments:
See comment for Questions 53.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 14 of 22
-------�
Function 4: Respond - Incident Response
52 To what degree does the organization utilize the following technology to support its incident response program ?
- Web application protections, such as web application firewalls
- Event and incident management, such as intrusion detection and prevention tools, and incident tracking and reporting tools
- Aggregation and analysis, such as security information and event management (SIEM) products
- Malware detection, such as antivirus and antispam software technologies
- Information management, such as data loss prevention
- File integrity and endpoint and server security tools (NIST SP 800-137; NIST SP 800-61, Rev. 2)
Defined (Level 2)
Comments:
See comment for Questions 53.2.
53.1 Please provide the assessed maturity level for the agency's Respond - Incident Response function.
Consistently Implemented (Level 3)
Comments:
See comment for Questions 53.2.
EPA OIG Report - Annual 2017
18-P-0031
Page 15 of 22
-------�
Function 4: Respond - Incident Response
53 .2 Provide any additional information on the effectiveness (positive or negative) of the organization's incident response program that was not noted in the
questions above. Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the incident response
program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
(a) The EPA consistently utilizes its threat vector taxonomy to classify incidents and consistently implements its processes for incident
detection, analysis and prioritization. In addition, the organization consistently implements and analyzes precursors and indicators generated
by the following technologies: intrusion detection/prevention, security information and event management, antivirus and antispam software,
and file integrity checking software.
(b) The EPA consistently implements its containment strategies, incident eradication processes, processes to remediate vulnerabilities,
and recovers system operations.
Comments:
We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Function 5: Recover - Contingency Planning
54 To what extent have roles and responsibilities of stakeholders involved in information systems contingency planning been defined and communicated across
the organization, including appropriate delegations of authority (NIST 800-53: CP-1 and CP-2; NIST 800-34; NIST 800-84; FCD-1: Annex B)?
Defined (Level 2)
Comments:
EPA OIG Report - Annual 2017
See comment for Question 61.2.
Page 16 of 22
18-P-0031
-------�
Function 5: Recover - Contingency Planning
55 To what extent has the organization defined and implemented its information system contingency planning program through policies, procedures, and
strategies, as appropriate? (Note: Assignment of an overall maturity level should take into consideration the maturity of questions 56-60) (NIST SP 800-34;
NIST SP 800-161).
Defined (Level 2)
Comments:
See comment for Question 61.2.
56 To what degree does the organization ensure that the results of business impact analyses are used to guide contingency planning efforts (NIST 800-53:
CP-2; NIST 800-34, Rev. 1, 3.2, FIPS 199, FCD-1, OMB M-17-09)?
Defined (Level 2)
Comments:
See comment for Question 61.2.
5V To what extent does the organization ensure that information system contingency plans are developed, maintained, and integrated with other continuity plans
(NIST 800-53: CP-2; NIST 800-34)?
Defined (Level 2)
Comments:
See comment for Question 61.2.
58 To what extent does the organization perform tests/exercises of its information system contingency planning processes (NIST 800-34; NIST 800-53: CP-3,
CP-4)?
Defined (Level 2)
Comments:
See comment for Question 61.2.
59 To what extent does the organization perform information system backup and storage, including use of alternate storage and processing sites, as appropriate
(NIST 800-53: CP-6, CP-7, CP-8, and CP-9; NIST SP 800-34: 3.4.1, 3.4.2, 3.4.3; FCD1; NIST CSF: PR.IP- 4; and NARAguidance on information
systems security records)?
Defined (Level 2)
Comments:
See comment for Question 61.2.
60 To what level does the organization ensure that information on the planning and performance of recovery activities is communicated to internal stakeholders
and executive management teams and used to make risk based decisions (CSF: RC.CO-3; NIST 800-53: CP-2, IR-4)?
Defined (Level 2)
Comments:
See comment for Question 61.2.
EPA OIG Report - Annual 2017 Page 17 of 22
18-P-0031
-------�
Function 5: Recover - Contingency Planning
611 Please provide the assessed maturity level for the agency's Recover - Contingency Planning function.
Consistently Implemented (Level 3)
Comments:
See comment for Question 61.2.
61.2 Provide any additional information on the effectiveness (positive or negative) of the organization's contingency planning program that was not noted in the
questions above. Taking into consideration the maturity level generated from the questions above and based on all testing performed, is the contingency
program effective?
The EPA has an effective information security program. Based on our analysis of EPA material and the additional documentation provided by
EPA representatives, we concluded that the EPA took sufficient steps to complete the requirements specified within the FY 2017 IG FISMA
reporting metrics to reach Level 3 (Consistently Implemented) of the FISMA maturity model.
(a) The EPA has established appropriate teams that are ready to implement their information system contingency planning strategies.
Stakeholders and teams have adequate resources (people, processes and technology) to effectively implement system contingency planning
activities. The EPA mandates each system must have a contingency plan which goes through an annual review/update process.
(b) The EPA incorporates the results of organizational and system level business impact analyses into strategy and plan development efforts
consistently. System level business impact analyses are integrated with the organizational level business impact analysis and include: (1)
characterization of all system components, determination of missions/business processes and recovery criticality, (2) identification of resource
requirements, and (3) identification of recovery priorities for system resources.
Comments: We limited our testing to determine whether the agency possessed the noted policies, procedures and strategies required for each
metric under the function area. If the policies, procedures and strategies were formalized and documented we rated the agency at level
2 (Defined). If not, we rated the agency at level 1 (Ad Hoc). However, we did not conduct additional testing to determine whether the
agency implemented the noted policies, procedures and strategies and we did not test to determine what additional steps the agency
needs to complete to achieve a higher maturity level.
Calculated Maturity Level - Defined (Level 2)
Comments:
See comment for F.02.
Function 0: Overall
EPA OIG Report - Annual 2017
18-P-0031
Page 18 of 22
-------�
Function 0: Overall
0.1 Please provide an overalllG self-assessment rating (Effective/Not Effective)
Effective
0 2 Please provide an overall assessment of the agency's information security program. The narrative should include a description of the assessment scope, a
summary on why the information security program was deemed effective/ineffective and any recommendations on next steps. Please note that OMB will
include this information in the publicly available Annual FISMA Report to Congress to provide additional context for the Inspector General's effectiveness
rating of the agency's information security program. OMB may modify the response to conform with the grammatical and narrative structure of the Annual
Report.
The EPA has an effective information security program. We concluded that the EPA fully defined its policies, procedures and strategies to
meet the requirements of the security functions and related domains outlined in the IG FISMA reporting metrics. The EPA asserted that it has
fully implemented processes and activities consistent with the IG FISMA reporting metrics and provided artifacts and other documentation to
support their assertions. Based on our analysis of this documentation and comparison of management's assertions against prior audit work,
we concluded the evidence supported management's assertions. We worked closely with EPA representatives and briefed them on each
portion of the IG FISMA reporting metrics as the results were completed; collected management's feedback on our analysis; and, where
appropriate, updated our analysis to incorporate management's feedback. We concluded that the EPA took sufficient steps to complete the
requirements in order to reach Level 3 (Consistently Implemented) of the FISMA maturity model. Management agreed with our conclusions.
APPENDIX A: Maturity Model Scoring
Function 1: Identify - Risk Management
Function
Count
Ad-Hoc
0
Defined
12
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
EPA OIG Report - Annual 2017
18-P-0031
Page 19 of 22
-------�
Function 2A: Protect - Configuration Management
Function
Count
Ad-Hoc
0
Defined
8
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
Function 2B: Protect - Identity and Access Management
Function
Count
Ad-Hoc
0
Defined
9
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
Function 2C: Protect - Security Training
Function
Count
Ad-Hoc
1
Defined
5
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
EPA OIG Report - Annual 2017
18-P-0031
Page 20 of 22
-------�
Function 3: Detect - ISCM
Function
Count
Ad-Hoc
0
Defined
5
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
Function 4: Respond - Incident Response
Function
Count
Ad-Hoc
0
Defined
7
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
Function 5: Recover
- Contingency Planning
Function
Count
Ad-Hoc
0
Defined
7
Consistently Implemented
0
Managed and Measurable
0
Optimized
0
Function Rating: Defined (Level 2)
0
EPA OIG Report - Annual 2017
18-P-0031
Page 21 of 22
-------�
Function
Defined (Level 2)
Assessed Maturity Level
Explanation
Function 1: Identify - Risk Management
Consistently Implemented (Level 3)
See comment for Question 13.2
Function 2: Protect - Configuration Management
/ Identity Management / Security Training
Defined (Level 2)
Consistently Implemented (Level 3)
See comments for Questions 22, 32 and
39.2
Function 3: Detect - ISCM
Defined (Level 2)
Consistently Implemented (Level 3)
See comment for Question 45.2.
Function 4: Respond - Incident Response
Defined (Level 2)
Consistently Implemented (Level 3)
See comment for Questions 53.2.
Function 5: Recover - Contingency Planning
Defined (Level 2)
Consistently Implemented (Level 3)
See comment for Question 61.2.
Overall
Not Effective
Effective
See comment for F.02.
EPA OIG Report - Annual 2017
18-P-0031
Page 22 of 22
-------�
Appendix B
Information Security Reports Issued
in FY 2017
The EPA OIG issued the following reports in FY 2017 that included recommendations regarding
different areas within the EPA's information security program:
• Report No. 17-P-0344. EPA Lacks Processes to Validate Whether Contractors Receive
Specialized Role-Based Training for Network and Data Protection, dated July 31, 2017.
We reported that the EPA is unaware as to whether information security contractors
possess the skills and training needed to protect the agency's information, data and
network from security breaches. In addition, the EPA did not report contractor training
status in its FYs 2015 and 2016 Chief Information Officer's Annual FISMA reports
submitted to the Office of Management and Budget. The agency also has insufficient
information to manage risks to its data and network. We made four recommendations, and
EPA officials agreed with the final recommendations along with completing one of the
four recommendations. The EPA indicated in the agency's Management Audit Tracking
System that it plans to complete all corrective actions for the remaining recommendations
by October 31, 2019.
• Report No. 17-P-0205. Controls Needed to Track Changes to EPA '.s Compass
Financials Data, dated May 8, 2017. We reported that the Office of the Chief Financial
Officer needed to strengthen internal controls to certify that any changes made to the
Compass Financials application are implemented based on management approval.
Specifically, the Office of the Chief Financial Officer lacked documentation that supports
the approval and verification of direct modifications made to the Compass database. The
Office of the Chief Financial Officer also lacked procedures for handling emergency or
unscheduled configuration changes made to financial information systems. We made
three recommendations, and the EPA took actions to address the identified weaknesses.
All three recommendations are closed with corrective actions completed.
• Report No. 17-P-0062, Congressionally Requested Audit: EPA Needs to Improve
Processes for Preserving Text Messages as Federal Records, dated December 21, 2016.
We reported that we did not find instances where the EPA used text messaging to
intentionally circumvent the Federal Records Act. We found that the EPA implemented
policies and procedures for preserving text messages, and took steps to make employees
aware of the updated records management policy. However, management attention is still
needed for the EPA's records management and Freedom of Information Act practices.
Additionally, the EPA's mobile device management processes do not prevent employees
from changing a device's configuration settings for retaining text messages on all
government-issued mobile devices. We made six recommendations. The EPA indicated it
completed corrective actions for two of the six recommendations and will implement the
remaining four corrective actions by September 30, 2018.
18-P-0031
-------�
• Report No. 17-P-0029. Acquisition Certifications Needed for Managers Overseeing
Development of EPA '.s Electronic Manifest System, dated November 7, 2016. We
reported that program and project managers responsible for overseeing development of
the Electronic Manifest system did not obtain the required federal certification necessary
to oversee a major acquisition. The EPA's February 2009 interim policy was outdated
and did not reflect the December 2013 revisions made to the Federal Acquisition
Certification for Program and Project Managers by the Office of Management and
Budget. The EPA agreed with our two recommendations. The agency indicated that it
completed corrective actions for the recommendations as of February 22, 2017.
18-P-0031
-------�
Appendix C
Distribution
The Administrator
Chief of Staff
Chief of Staff for Operations
Deputy Chief of Staff for Operations
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Principal Deputy Assistant Administrator and Deputy Chief Information Officer,
Office of Environmental Information
Chief Information Security Officer, Office of Environmental Information
Director, Office of Information Technology Operations, Office of Environmental Information
Audit Follow-Up Coordinator, Office of the Administrator
Audit Follow-Up Coordinator, Office of Environmental Information
18-P-0031
-------� |