U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
19-P-0195
June 21, 2019

Why We Did This Project

The Office of Inspector General (OIG) conducted this audit of the information technology security controls for the U.S. Environmental Protection Agency (EPA) systems and servers hosting Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) and Pesticide Registration Improvement Act (PRIA) data. Our audit objectives specifically addressed controls relating to registration fees, the testing and correction of system vulnerabilities, and database security.

Under FIFRA, as amended by PRIA, the EPA regulates the distribution, sale and use of all pesticides in the United States and establishes maximum allowable levels of pesticide residues in food, thereby safeguarding the nation's food supply.

This report addresses the following:
• Ensuring the safety of chemicals.
• Operating efficiently and effectively.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

Pesticide Registration Fee, Vulnerability Mitigation and Database Security Controls for EPA's FIFRA and PRIA Systems Need Improvement

What We Found

Proper vulnerability testing, fee registration and database controls are essential to the security of the EPA's FIFRA and PRIA systems. The EPA has adequate controls over the posting of FIFRA and PRIA financial transactions into the agency's accounting system (Compass Financials). However, the EPA's FIFRA and PRIA systems have internal control deficiencies relating to the fee registration process, system vulnerability mitigation and database security. We tested controls in these areas to verify their compliance with federal standards and guidance, as well as with EPA policies and procedures.
We noted the following conditions:
• There were inconsistencies and errors related to transactions in the FIFRA and PRIA fee data posted between the Office of Pesticide Programs' pesticide registration system and Compass Financials.
• Twenty of the 29 high-level vulnerabilities identified by the agency in 2015 and 2016 remained uncorrected after the allotted remediation time frame. In addition, we tested 10 of the 20 uncorrected vulnerabilities and found that required plans of action and milestones for remediation were not created for any of them.
• The Office of Pesticide Programs needs to improve the security for one of the FIFRA and PRIA databases, including password controls, timely installation of security updates and restriction of administrative privileges.

Recommendations and Planned Agency Corrective Actions

We recommend that the Assistant Administrator for Chemical Safety and Pollution Prevention implement the following:
• Internal controls for the fee posting and refund processes.
• Corrective actions identified in the agency's risk assessment of those processes.
• A formal process for creating plans of action and milestones, and tracking vulnerability mitigation.
• Controls related to database security.

We met with agency representatives about our draft report. The agency agreed with all seven of our recommendations. The agency completed or provided acceptable corrective actions and milestones for all recommendations. The agency completed corrective actions for Recommendations 1, 3, 6 and 7. Recommendations 2, 4 and 5 are resolved with corrective actions pending.
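The second finding above (high-level vulnerabilities left open past their remediation time frame, with no plan of action and milestones on file) is the kind of condition a program office can detect itself from its own vulnerability tracking list. The following is an added example, not code from the report or from the EPA; it assumes a simple per-finding record and remediation windows by severity that are constructed for illustration (the report does not state the agency's actual time frames), and it reports, for one severity level, which findings are still uncorrected after their deadline and which of those lack a POA&M.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Allotted remediation time frames by severity, in days. These values are
# constructed for this example; the report does not state the agency's own.
REMEDIATION_WINDOW_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    """One scanner or assessment finding as it would sit in a tracking list."""
    finding_id: str
    severity: str                       # "high", "moderate" or "low"
    identified_on: date
    closed_on: Optional[date] = None    # None while the finding is still open
    poam_id: Optional[str] = None       # plan of action and milestones id, if any


def due_date(finding: Finding) -> date:
    """Date by which the finding should have been corrected."""
    window = timedelta(days=REMEDIATION_WINDOW_DAYS[finding.severity])
    return finding.identified_on + window


def is_uncorrected_past_deadline(finding: Finding, as_of: date) -> bool:
    """True when, on the review date, the finding is still open and its
    allotted remediation window has already elapsed."""
    still_open = finding.closed_on is None or finding.closed_on > as_of
    return still_open and as_of > due_date(finding)


def review(findings, as_of: date, severity: str = "high") -> dict:
    """Summarise, for one severity level, the findings that remained
    uncorrected after their deadline and those among them with no POA&M."""
    in_scope = [f for f in findings if f.severity == severity]
    overdue = [f for f in in_scope if is_uncorrected_past_deadline(f, as_of)]
    missing_poam = [f for f in overdue if f.poam_id is None]
    return {
        "total": len(in_scope),
        "overdue": sorted(f.finding_id for f in overdue),
        "overdue_without_poam": sorted(f.finding_id for f in missing_poam),
    }


# Constructed sample tracking list; ids, dates and POA&M numbers are made up.
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2016, 1, 10)),                              # open, untracked
    Finding("V-002", "high", date(2016, 1, 10), poam_id="POAM-7"),            # open, has POA&M
    Finding("V-003", "high", date(2016, 2, 1), closed_on=date(2016, 2, 20)),  # fixed in time
    Finding("V-004", "moderate", date(2016, 1, 10)),                          # not "high"
    Finding("V-005", "high", date(2016, 12, 15)),                             # not yet due
]

if __name__ == "__main__":
    summary = review(SAMPLE_FINDINGS, as_of=date(2016, 12, 31))
    print(f"high findings in scope:        {summary['total']}")
    print(f"uncorrected past deadline:     {summary['overdue']}")
    print(f"...of which have no POA&M:     {summary['overdue_without_poam']}")
```

Run against a real export, the two lists map directly onto the audit's test: the first is the population that "remained uncorrected after the allotted remediation time frame", and the second is the subset for which a POA&M was never created. Closing a finding late, or opening a POA&M after the deadline, changes the second list but not the first, which is why the review date (`as_of`) is an explicit input rather than today's date.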