U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
19-P-0058
January 30, 2019

Why We Did This Project

We conducted this audit to assess the U.S. Environmental Protection Agency's (EPA's) compliance with the Federal Information Security Modernization Act of 2014 (FISMA) during fiscal year (FY) 2018.

The Inspector General (IG) FISMA Reporting Metrics document outlines five maturity levels for IGs to rate their agency's information security program:

• Level 1—Ad-Hoc.
• Level 2—Defined.
• Level 3—Consistently Implemented.
• Level 4—Managed and Measurable.
• Level 5—Optimized.

We reported our audit results to the Office of Management and Budget (OMB). The OMB then calculates the overall maturity model level for each cybersecurity function within an agency's information security program.

This report addresses the following:

• Compliance with the law.
• Operating efficiently and effectively.

Send all inquiries to our public affairs office at (202) 566-2391 or visit www.epa.gov/oia.

EPA Consistently Implements Processes Within Its Information Security Program, but Opportunities for Improvement Exist

What We Found

The EPA has established an effective information security program for the five security functions and related domains defined in the FY 2018 IG FISMA Reporting Metrics and shown in the table below.

Further improvements are needed to strengthen internal processes to better protect human health and environmental data from cybersecurity threats.

Security functions   Domains
Identify             Risk management
Protect              Configuration management, identity and access management, data protection and privacy, and security training
Detect               Information security continuous monitoring
Respond              Incident response
Recover              Contingency planning

Source: FY 2018 IG FISMA Reporting Metrics.
We concluded that the EPA has achieved an overall assessment of Maturity Level 3, which denotes that the agency consistently implements its policies, procedures and strategies within its information security program. However, the EPA can further improve its processes in the following domains to strengthen its information security posture:

• Risk Management—Implement standard data elements for hardware assets connected to the network and for software and associated licenses used within the agency's environment.
• Security Training—Implement a process for reporting on contractors' completion of role-based training.
• Incident Response—Implement certain technologies to support the incident response program.
• Contingency Planning—Implement a process to ensure that the results of business impact analyses are used to guide contingency planning efforts.

Appendix A contains the results of our assessments for the FY 2018 IG FISMA Reporting Metrics. We worked closely with EPA officials and, where appropriate, revised our assessments. We briefed the EPA on the results of our analyses. We made no recommendations based on our analyses, and the EPA agreed with our conclusions.