x^fcD ST/if.
U.S. Environmental Protection Agency	21-E-0016
Office of Inspector General	November 18,2020
* O
kSBz.!
At a Glance
Why We Did This Evaluation
This report results from work
performed for the Office of
Inspector General to assess
the U.S. Chemical Safety and
Hazard Investigation Board's
compliance with performance
measures outlined in the fiscal
year 2020 Inspector General
reporting instructions for the
Federal Information Security
Modernization Act of 2014,
commonly referred to as
FISMA.
We contracted with the
SB & Company, referred to as
SB&C, to complete the FISMA
work and to report separately
on concerns that related to the
impact of the coronavirus
pandemic—that is, the
SARS-CoV-2 virus and
resultant COVID-19 disease—
on the CSB's backup process
and disaster recovery testing.
This report addresses the
following:
•	Preserve the public trust by
maintaining and improving
organizational excellence.
This report addresses a top
CSB management challenge:
•	Continue operations during
the coronavirus pandemic.
CSB Discontinued Information Recovery Testing
and Off-Site Backup Storage During the
Coronavirus Pandemic
Findings
The CSB was at risk of
not being able to readily
restore information
technology operations if
they were disrupted
during the coronavirus
pandemic.
The SB&C found that the CSB did not perform
disaster recovery testing on major information
systems during FY 2020 and did not store copies of
backup media at an off-site location. The National
Institute of Standards and Technology's guidance
indicates that contingency plans should be tested to
determine the effectiveness and readiness of the
plans, that the test results should be reviewed, and that necessary corrective
actions should be taken. The guidance also specifies that system backups
should be stored securely at an off-site location.
The CSB indicated that the coronavirus pandemic impeded its disaster recovery
testing and exercises, as well as its ability to move backup media to an off-site
location. As a result, in the event of a disaster or isolated incident, the CSB may
not be readily able to recover its systems' operations.
Recommendations and Planned or Completed Corrective Actions
We concur with the recommendations in the attached report from the SB&C and
recommend that the CSB:
1.	Test its disaster recovery plan at least annually.
2.	Evaluate alternate methods to store backup media off-site.
The CSB concurred with these recommendations and provided acceptable
corrective actions and milestone dates. The CSB indicated that a disaster
recovery test will be performed and documented by December 31, 2020. We
consider Recommendation 1 resolved with corrective action pending. Also,
subsequent to the SB&C's report, the CSB reinstated its off-site backups. We
consider Recommendation 2 completed.
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.

-------