U.S. Environmental Protection Agency
Office of Inspector General
21-E-0016
November 18, 2020

At a Glance

Why We Did This Evaluation

This report results from work performed for the Office of Inspector General to assess the U.S. Chemical Safety and Hazard Investigation Board's compliance with performance measures outlined in the fiscal year 2020 Inspector General reporting instructions for the Federal Information Security Modernization Act of 2014, commonly referred to as FISMA. We contracted with the SB & Company, referred to as SB&C, to complete the FISMA work and to report separately on concerns that related to the impact of the coronavirus pandemic—that is, the SARS-CoV-2 virus and resultant COVID-19 disease—on the CSB's backup process and disaster recovery testing.

This report addresses the following:

• Preserve the public trust by maintaining and improving organizational excellence.

This report addresses a top CSB management challenge:

• Continue operations during the coronavirus pandemic.

CSB Discontinued Information Recovery Testing and Off-Site Backup Storage During the Coronavirus Pandemic

Findings

The CSB was at risk of not being able to readily restore information technology operations if they were disrupted during the coronavirus pandemic.

The SB&C found that the CSB did not perform disaster recovery testing on major information systems during FY 2020 and did not store copies of backup media at an off-site location. The National Institute of Standards and Technology's guidance indicates that contingency plans should be tested to determine the effectiveness and readiness of the plans, that the test results should be reviewed, and that necessary corrective actions should be taken. The guidance also specifies that system backups should be stored securely at an off-site location.

The CSB indicated that the coronavirus pandemic impeded its disaster recovery testing and exercises, as well as its ability to move backup media to an off-site location. As a result, in the event of a disaster or isolated incident, the CSB may not be readily able to recover its systems' operations.

Recommendations and Planned or Completed Corrective Actions

We concur with the recommendations in the attached report from the SB&C and recommend that the CSB:

1. Test its disaster recovery plan at least annually.
2. Evaluate alternate methods to store backup media off-site.

The CSB concurred with these recommendations and provided acceptable corrective actions and milestone dates. The CSB indicated that a disaster recovery test will be performed and documented by December 31, 2020. We consider Recommendation 1 resolved with corrective action pending. Also, subsequent to the SB&C's report, the CSB reinstated its off-site backups. We consider Recommendation 2 completed.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

List of OIG reports.