U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
20-P-0015
November 1, 2019

EPA Budget Systems Need Improved Oversight of Security Controls Testing

Why We Did This Project

The Office of Inspector General (OIG) conducted this audit to determine whether the Office of the Chief Financial Officer (OCFO) identified and tested all required security controls for the U.S. Environmental Protection Agency's (EPA's) legacy budget system—called the Budget Automation System (BAS). We also sought to determine whether the EPA required the cloud service provider for the agency's replacement budget system—called the Budget Formulation System (BFS)—to comply with National Institute of Standards and Technology requirements for testing information system security controls.

The OCFO's Office of Budget is responsible for the BAS and BFS. The OCFO relies on service providers to support and host the systems. An EPA data center hosts the BAS, while a contractor hosts the BFS in a cloud environment. Various entities within and outside the EPA provide security controls for the BAS and BFS.

This report addresses the following:
• Operating efficiently and effectively.

What We Found

The OCFO identified the required security controls needed for the agency's budget systems. For the BAS, the OCFO and its service providers tested 100 percent of the security controls in our fiscal year 2016 sample. However, the OCFO and its service providers did not test all of the security controls in our fiscal year 2017 sample. The OCFO lacks the internal controls needed to make informed, risk-based decisions regarding the security of the agency's budget systems.

For the BFS, the OCFO required the cloud service provider to comply with National Institute of Standards and Technology testing requirements. However, the OCFO did not maintain documentation to substantiate whether (1) the BFS cloud service provider tested and implemented the required security controls or (2) the controls were working as intended to protect the BFS and its data.

Additionally, we found that the OCFO:
• Did not correctly assign and document responsibility for testing BAS security controls.
• Did not review BFS security reports in a timely manner or document the results of these reviews.

Testing security controls enables organizations to identify vulnerabilities in their systems. Finding these vulnerabilities in a timely manner would allow the EPA to promptly remediate any weaknesses that affect the safety of its systems. Conversely, a lack of internal controls means vulnerabilities are found late or not at all, and prevents the EPA from protecting its budget data from unauthorized disclosure or modification.

Recommendations and Planned Agency Corrective Actions

We recommend that the Chief Financial Officer update the BAS security planning documents to specify who is responsible for testing information system security controls, as required by the National Institute of Standards and Technology. We also recommend that the Chief Financial Officer implement a process for obtaining and documenting the timely review of all BAS and BFS security reports.

The EPA agreed with our recommendations. The agency provided sufficient evidence that it completed corrective actions for Recommendation 1, and that recommendation is resolved. The agency did not provide a milestone date or acceptable documentation to support that it completed corrective actions for Recommendation 2, and that recommendation is therefore unresolved.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.