U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
19-P-0195
June 21, 2019
Why We Did This Project
The Office of Inspector General (OIG) conducted this audit of the
information technology security controls for the U.S. Environmental
Protection Agency (EPA) systems and servers hosting Federal Insecticide,
Fungicide, and Rodenticide Act (FIFRA) and Pesticide Registration
Improvement Act (PRIA) data. Our audit objectives specifically addressed
controls relating to registration fees, the testing and correction of
system vulnerabilities, and database security.
Under FIFRA, as amended by PRIA, the EPA regulates the distribution, sale
and use of all pesticides in the United States and establishes maximum
allowable levels of pesticide residues in food, thereby safeguarding the
nation's food supply.
This report addresses the following:
•	Ensuring the safety of chemicals.
•	Operating efficiently and effectively.
Address inquiries to our public affairs office at (202) 566-2391 or
OIG_WEBCOMMENTS@epa.gov.
Pesticide Registration Fee, Vulnerability Mitigation
and Database Security Controls for EPA's FIFRA and
PRIA Systems Need Improvement
What We Found
Proper vulnerability testing, fee registration and database controls are
essential to the security of the EPA's FIFRA and PRIA systems.
The EPA has adequate controls over the posting of
FIFRA and PRIA financial transactions into the
agency's accounting system (Compass Financials).
However, the EPA's FIFRA and PRIA systems
have internal control deficiencies relating to the fee
registration process, system vulnerability mitigation
and database security. We tested controls in these areas to verify their
compliance with federal standards and guidance, as well as with EPA policies
and procedures. We noted the following conditions:
•	There were inconsistencies and errors related to transactions in the FIFRA
and PRIA fee data posted between the Office of Pesticide Programs'
pesticide registration system and Compass Financials.
•	Twenty of the 29 high-level vulnerabilities identified by the agency in 2015
and 2016 remained uncorrected after the allotted remediation time frame. In
addition, we tested 10 of the 20 uncorrected vulnerabilities and found that
required plans of action and milestones for remediation were not created for
any of them.
•	The Office of Pesticide Programs needs to improve the security for one of the
FIFRA and PRIA databases, including password controls, timely installation
of security updates and restriction of administrative privileges.
Recommendations and Planned Agency Corrective Actions
We recommend that the Assistant Administrator for Chemical Safety and
Pollution Prevention implement the following:
•	Internal controls for the fee posting and refund processes.
•	Corrective actions identified in the agency's risk assessment of those
processes.
•	A formal process for creating plans of action and milestones, and tracking
vulnerability mitigation.
•	Controls related to database security.
We met with agency representatives about our draft report. The agency agreed
with all seven of our recommendations. The agency completed or provided
acceptable corrective actions and milestones for all recommendations. The
agency completed corrective actions for Recommendations 1, 3, 6 and 7.
Recommendations 2, 4 and 5 are resolved with corrective actions pending.

-------