U.S. Environmental Protection Agency	12-P-0847
Office of Inspector General	September 21, 2012
At a Glance
Why We Did This Review
The U.S. Environmental
Protection Agency (EPA) Office
of Inspector General (OIG)
conducted this audit to assess
the security posture and
in-place environmental controls
of EPA's Radiation and Indoor
Environments National
Laboratory computer room in
Las Vegas, Nevada. This audit
was conducted in support of
the audit of EPA's directory
service system authentication
and authorization servers.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Strengthening EPA's
workforce and capabilities.
EPA's Radiation and Indoor Environments
National Laboratory Should Improve Its
Computer Room Security Controls
What We Found
Our review of the security posture and in-place environmental controls of EPA's
Radiation and Indoor Environments National Laboratory computer room
disclosed an array of security and environmental control deficiencies. These
deficiencies greatly hinder the ability of the Office of Air and Radiation (OAR) to
safeguard critical information technology assets and associated data from the
risk of damage and/or loss.
Recommendations and Planned Agency Corrective Actions
We recommended in our draft report that OAR remediate physical and
environmental control deficiencies. In its response to the draft report, OAR
provided a corrective action plan with milestone dates to address agreed-upon
recommendations 1 through 5. OAR did not agree or disagree with
recommendation 6 because corrective actions required consultation with the
U.S. General Services Administration to identify a suitable resolution.
OAR subsequently submitted an updated status on agreed-upon corrective
actions. Based upon that status, corrective actions for recommendations 1
through 5 have been completed. In the updated status, OAR proposed an
alternative action of accepting the risks of not installing the emergency shut-off
valve for recommendation 6. OAR made this proposal because its initial
investigation suggested that compliance would be cost prohibitive and the local
fire code may make necessary modifications infeasible. OAR agreed to assume
the risks associated with that decision.
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2012/20120921-12-P-0847.pdf
We consider recommendations 1 through 5 closed with agreed-upon corrective
actions complete. For recommendation 6, we accept OAR's proposal and have
updated it to reflect necessary steps OAR must undertake to implement the
proposed alternative action. Specifically, OAR management should update its
information security plan to formally accept the risks for not meeting minimum
information systems security controls required by federal guidance. OAR
concurred with the update to recommendation 6. Although OAR has concurred
with the recommendation change, we consider recommendation 6 unresolved
pending receipt of a corrective action plan with milestone completion dates.

-------