U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL
Results of Technical Network
Vulnerability Assessment:
EPA's National Vehicle and
Fuel Emissions Laboratory
Report No. 12-P-0900
September 27, 2012

-------
Report Contributors:
Rudolph M. Brevard
Warren Brooks
Scott Sammons
Hotline
To report fraud, waste, or abuse, contact us through one of the following methods:
e-mail: OIG_Hotline@epa.gov
phone: 1-888-546-8740
fax: 202-566-2599
online: http://www.epa.gov/oig/hotline.htm
write: EPA Inspector General Hotline, 1200 Pennsylvania Avenue NW, Mailcode 2431T, Washington, DC 20460

-------
U.S. Environmental Protection Agency
Office of Inspector General
12-P-0900
September 27, 2012
At a Glance
Why We Did This Review
We sought to conduct network
vulnerability testing of the
U.S. Environmental Protection
Agency's (EPA's) National
Vehicle and Fuel Emissions
Laboratory (NVFEL) Local Area
Network to identify resources
that contained commonly
known high-risk and medium-
risk vulnerabilities. We also
sought to assess the physical
controls and environmental
controls around critical
information technology assets
located in the NVFEL. We
conducted this audit as part of
the annual review of EPA's
information security program as
required by the Federal
Information Security
Management Act.
This report addresses the
following EPA Goal or
Cross-Cutting Strategy:
• Strengthening EPA's
Workforce and Capabilities
Results of Technical Network Vulnerability
Assessment: EPA's National Vehicle and Fuel
Emissions Laboratory
For further information, contact
our Office of Congressional and
Public Affairs at (202) 566-2391.
The full report is at:
www.epa.gov/oig/reports/2012/20120927-12-P-0900.pdf
What We Found
While our assessments of EPA's NVFEL server room found no weaknesses with
physical controls and environmental controls, vulnerability testing of networked
resources located in the NVFEL identified Internet Protocol addresses with
potentially 9 critical-risk, 70 high-risk, and 297 medium-risk vulnerabilities.
If not resolved, these vulnerabilities could expose EPA's assets to unauthorized
access and potentially harm the Agency's network. The laboratory and the Office
of Environmental Information manage the resources located in NVFEL that
contained these weaknesses. We found a discrepancy between the offices
concerning responsibility for certain equipment located in the NVFEL. However,
NVFEL provided documentation which placed ownership responsibility with the
Office of Environmental Information and Customer Technology Solutions for the
devices in question.
Recommendations and Agency Corrective Actions
We recommend that the Senior Information Official within the Office of Air and
Radiation and the Office of Environmental Information:
• Provide the OIG a status update for every critical-risk, high-risk and
medium-risk vulnerability identified by the technical scanning tool within
30 days of this report.
• Create plans of action and milestones in the Agency's Automated Security
Self-Evaluation and Remediation Tracking system for all vulnerabilities
according to Agency procedures within 30 days of this report.
• Perform a technical vulnerability assessment test of assigned networked
resources within 60 days to confirm completion of remediation activities.
We also recommend that the Senior Information Official within the Office of
Environmental Information:
• Disconnect any networked resources without documented ownership
responsibility.
• Complete an inventory of all Customer Technology Solutions equipment
prior to implementation of EPA's new managed desktop support system.
Representatives from both offices acknowledged the existence of the
vulnerabilities and stated they have begun developing corrective actions to
address the risks related to these weaknesses. NVFEL reported it remediated all
high-risk vulnerabilities under its responsibility prior to the issuance of this report.
The detailed testing results have already been provided to Agency
representatives. Due to the sensitive nature of the report's technical findings, the
technical details will not be made available to the public.

-------
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
THE INSPECTOR GENERAL
September 27, 2012
MEMORANDUM
SUBJECT: Results of Technical Network Vulnerability Assessment:
EPA's National Vehicle and Fuel Emissions Laboratory
Report No. 12-P-0900
FROM: Arthur A. Elkins, Jr.
TO:
Betsy Shaw
Senior Information Official
Office of Air and Radiation
Renee Wynn
Principal Deputy Assistant Administrator and Senior Information Official
Office of Environmental Information
This is our quick reaction report on the subject audit conducted by the Office of Inspector
General (OIG) of the U.S. Environmental Protection Agency (EPA). Due to the sensitive nature
of the technical findings, we are issuing this report for urgent management remediation. The site
assessment was conducted in conjunction with our annual audit of EPA's information security
program as required by the Federal Information Security Management Act. This report provides
the summary of our security assessment of networked resources located at EPA's National
Vehicle and Fuel Emissions Laboratory (NVFEL) in Ann Arbor, Michigan.
Our tests disclosed that networked resources at NVFEL contained potentially 9 critical-risk,
70 high-risk, and 297 medium-risk vulnerabilities. The laboratory and Office of Environmental
Information (OEI) are responsible for managing resources located in NVFEL. To facilitate
immediate remediation actions, we provided your offices' representatives with the technical
results during our site visit. Upon receipt of the results, NVFEL representatives identified OEI
owned devices located on site. After providing OEI with a list of these devices, OEI stated that
some of the devices were not under its responsibility. However, NVFEL provided documentation
which placed ownership responsibility with OEI and Customer Technology Solutions for the
devices in question. Ultimately, NVFEL representatives plan to take responsibility for remediating
the vulnerabilities existing on the OEI devices in dispute. The NVFEL reported that it remediated
all high-risk vulnerabilities under its responsibility prior to the issuance of this report.
12-P-0900	1

-------
We reported similar concerns about computer equipment accountability in EPA OIG Report No.
11-P-0705, EPA's Contract Oversight and Controls Over Personal Computers Need Improvement,
September 26, 2011. Discrepancies in ownership responsibilities of networked resources can
potentially lead to untimely vulnerability remediation or unresolved vulnerabilities that could
expose EPA's assets to unauthorized access and potentially harm the Agency's network. As EPA
moves from Customer Technology Solutions to a new contract for its managed desktop support
system, it is important to resolve any discrepancies resulting from accountability for EPA assets
that may be included in this new contract.
We performed this audit work from February through September 2012 at EPA's NVFEL in Ann
Arbor, Michigan. We performed this audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient and appropriate evidence to provide a reasonable basis for our findings and
conclusions based on the audit objectives. We believe the evidence obtained provides a
reasonable basis for our findings and conclusions.
We conducted testing to identify the existence of commonly known vulnerabilities using a
commercially available network vulnerability assessment tool recognized by the National
Institute of Standards and Technology (NIST). We interviewed EPA personnel responsible for
managing the networked resources located in NVFEL. We reviewed relevant EPA interim
procedures to obtain an understanding of the Agency's Automated Security Self-Evaluation and
Remediation Tracking system used for recording identified weaknesses. We tested the Internet
Protocol addresses associated with networked resources located in NVFEL. We used the risk
ratings provided by the vulnerability software to determine the level of harm a risk could pose to
a networked resource due to the vulnerability and accepted the results from the software tool as
the level of risk to EPA's network. Upon follow-up with your offices' representatives, they
acknowledged the existence of the vulnerabilities and stated that some mitigation activities had
already begun related to these risks.
We performed an inspection of EPA's NVFEL server room with key information technology
(IT) personnel to assess the physical controls and environmental controls around IT assets. We
interviewed Agency IT staff to determine the extent to which IT equipment is protected from
physical, environmental, and human threats. We used NIST Special Publication 800-53,
Recommended Security Controls for Federal Information Systems and Organizations, as the
template for evaluating IT security controls for the server rooms. We found no weaknesses
during the assessment.
Recommendations
We recommend that the Senior Information Official within the Office of Air and Radiation
and the Office of Environmental Information:
1. Provide the OIG a status update for every critical-risk, high-risk, and medium-risk
vulnerability identified by the technical scanning tool within 30 days of this report.

-------
2. Create plans of action and milestones in the Agency's Automated Security Self-
Evaluation and Remediation Tracking system for all vulnerabilities according to Agency
procedures within 30 days of this report.
3. Perform a technical vulnerability assessment test of assigned networked resources within
60 days to confirm completion of remediation activities.
We also recommend that the Senior Information Official within the Office of Environmental
Information:
4. Disconnect any networked resources without documented ownership responsibility.
5. Complete an inventory of all Customer Technology Solutions equipment prior to the
implementation of EPA's new managed desktop support system.
Action Required
Please provide written responses to this report within 30 calendar days. You should include a
corrective action plan for agreed-upon actions, including milestone dates.
Due to the sensitive nature of the report's technical findings, the technical details are not
included in this report and will not be made available to the public. The OIG plans to post on the
OIG's public website the corrective action plans that you provide to us that do not contain
sensitive information. Therefore, we request that you provide the response to recommendation 1
in a separate document; we will not make that response available to the public if it contains
sensitive information.
Your responses should be provided as Adobe PDF files that comply with the accessibility
requirements of Section 508 of the Rehabilitation Act of 1973, as amended. Except for your
response to recommendation 1, which will not be posted if it contains sensitive information, your
responses should not contain data that you do not want to be released to the public; if those
responses contain such data, you should identify the data for redaction or removal.
If you or your staff have any questions regarding this report, please contact Patricia H. Hill,
Assistant Inspector General for Mission Systems, at (202) 566-0894 or hill.patricia@epa.gov; or
Rudolph M. Brevard, Product Line Director, Information Resources Management Assessments,
at (202) 566-0893 or brevard.rudy@epa.gov.

-------
Status of Recommendations and
Potential Monetary Benefits

| Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Claimed Amount (In $000s) | Agreed-To Amount (In $000s) |
|---|---|---|---|---|---|---|---|
| 1 | 2 | Provide the OIG a status update for every critical-risk, high-risk, and medium-risk vulnerability identified by the technical scanning tool within 30 days of this report. | | Senior Information Official, Office of Air and Radiation and Office of Environmental Information | | | |
| 2 | 3 | Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities according to Agency procedures within 30 days of this report. | | Senior Information Official, Office of Air and Radiation and Office of Environmental Information | | | |
| 3 | 3 | Perform a technical vulnerability assessment test of assigned networked resources within 60 days to confirm completion of remediation activities. | | Senior Information Official, Office of Air and Radiation and Office of Environmental Information | | | |
| 4 | 3 | Disconnect any networked resources without documented ownership responsibility. | | Senior Information Official, Office of Environmental Information | | | |
| 5 | 3 | Complete an inventory of all Customer Technology Solutions equipment prior to the implementation of EPA's new managed desktop support system. | | Senior Information Official, Office of Environmental Information | | | |

(1) O = recommendation is open with agreed-to corrective actions pending;
C = recommendation is closed with all agreed-to actions completed;
U = recommendation is unresolved with resolution efforts in progress

-------
Appendix A
Distribution
Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Air and Radiation
Principal Deputy Assistant Administrator for Environmental Information and
Senior Information Official
Senior Information Official, Office of Air and Radiation
Agency Follow-Up Official (the CFO)
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Senior Agency Information Security Officer
Audit Follow-Up Coordinator, Office of Air and Radiation
Audit Follow-Up Coordinator, Office of Environmental Information

-------