At a Glance: EPA’s Information Security Program Is Established, but Improvements Are Needed to Strengthen Its Processes


tftD STAf.
*	U.S. Environmental Protection Agency	18-P-0031
£ A_B rO	nf Incna^nr	October 30, 2017
|	\ Office of Inspector General
I® i
At a Glance
% PRO^
Why We Did This Review
The Office of Inspector General
conducted this audit to assess
the U.S. Environmental
Protection Agency's (EPA's)
compliance with the Federal
Information Security
Modernization Act of 2014
(FISMA) during fiscal year
(FY) 2017.
The Inspector General (IG)
FISMA reporting metrics outline
five maturity levels for IGs to
rate their agency's information
security programs:
Level 1 - Ad-Hoc
Level 2 - Defined
Level 3 - Consistently
Implemented
Level 4 - Managed and
Measurable
Level 5 - Optimized
The maturity model is a tool
that summarizes an agency's
information security program
and outlines activities to
improve the program.
We reported our audit results
using the CyberScope system
developed by the U.S.
Department of Homeland
Security.
This report addresses the
following:
•	Compliance with the law.
•	Operating efficiently and
effectively.
Send all inquiries to our public
affairs office at (202) 566-2391
or visit www.epa.gov/oiq.
EPA's Information Security Program Is
Established, but Improvements Are Needed
to Strengthen Its Processes
What We Found
The EPA has an effective information
security program and has completed all
the requirements to achieve a Level 3
(Consistently Implemented) maturity level
for the five security functions and related
domains defined within the FY 2017 IG
FISMA reporting metrics:
Although the EPA has an
effective information security
program, management emphasis
is needed to achieve a higher
level of maturity for the agency's
information security program.
1.	Identify - Risk Management.
2.	Protect - Configuration Management, Identity and Access Management,
and Security Training.
3.	Detect - Information Security Continuous Monitoring.
4.	Respond - Incident Response.
5.	Recover - Contingency Planning.
We tested whether the EPA developed policies, procedures and strategies for
each area within the IG FISMA reporting metrics. We also analyzed EPA
management's self-assessments that contained assertions and additional
information on whether the agency implemented processes and practices
consistent with the specified security functions and related domains. In addition,
we evaluated prior audit work to determine whether the self-assessments were
consistent with our audit findings.
We concluded that the EPA defined policies, procedures and strategies for each
security function and related domains. EPA management also provided sufficient
evidence that the agency implemented a majority of processes and practices
consistent with maturity model Level 3 (Consistently Implemented). However, we
found substantial weaknesses in the EPA's information security training program
related to how the agency verifies whether contractor personnel with significant
information security responsibilities comply with specialized security training
requirements.
Appendix A documents the results for the FY 2017 IG FISMA reporting metrics.
We worked closely with EPA officials and briefed them on the results. We made
no recommendations based on our analysis. The EPA agreed with our
conclusions.
Listing of OIG reports.

-------