,^ed STAf. 21-E-0124 01 U.S. Environmental Protection Agency April 16,2021 \ Office of Inspector General $ 5 73 O' At a Glance Why We Did This Evaluation We performed this evaluation to assess the U.S. Environmental Protection Agency's compliance with the FY 2020 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics. The fiscal year 2020 IG FISMA Reporting Metrics outlines five security function areas and eight corresponding domains to help federal agencies manage cybersecurity risks. The document also outlines five maturity levels by which IGs should rate agency information security programs: • Level 1, Ad Hoc. • Level 2, Defined. • Level 3, Consistently Implemented. • Level 4, Managed and Measurable. • Level 5, Optimized. This evaluation addresses the following: • Compliance with the law. • Operating efficiently and effectively. This evaluation addresses top EPA management challenges: • Enhancing information technology security. • Complying with key internal control requirements (data quality). Address inquiries to our public affairs office at (202) 566-2391 or OIG WEBCOMMENTS@epa.gov. EPA Needs to Improve Processes for Updating Guidance, Monitoring Corrective Actions, and Managing Remote Access for External Users What We Found We concluded that the EPA achieved an overall maturity level of Level 3 (Consistently Implemented) for the five security functions and eight domains outlined in the FY 2020 IG FISMA Reporting Metrics. This means that the EPA consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking. We found that the EPA has deficiencies in the following areas: Deficiencies in the EPA's information technology internal controls could be used to exploit weaknesses in Agency applications and hinder the EPA's ability to prevent, detect, and respond to emerging cyberthreats. • Completing reviews of its outdated information security procedures by the established deadlines or making plans to complete a review at a later date. • Verifying corrective actions are completed as represented by the Agency and not falsely reporting related resolutions. • Enforcing established information system control requirements for the Agency's web application directory system that allows external users access to EPA applications, including the grants and Superfund management systems. Recommendations and Planned Agency Corrective Actions We recommend that the assistant administrator for Mission Support (1) establish a control to update information technology procedures to make them consistent with current federal directives, (2) take steps to require that the audit follow-up coordinator has the capability to verify when corrective actions are completed before the action official closes audit reports in the Agency's audit tracking system, (3) implement a control for authorization and recertifying users' access for the web application directory system, (4) implement procedures to monitor privileged users' activities for unusual or suspicious activity, and (5) establish a governance structure to support the Agency's identity, credential, and access management program efforts as required by the Office of Management and Budget. The EPA agreed with our five recommendations; completed corrective actions for two of them; and provided acceptable planned corrective actions and estimated milestone dates for the remaining three, which we consider resolved with corrective actions pending. List of OIG reports. ------- |