Office of Inspector General U.S. Environmental Protection Agency At a Glance 21-E-0226 September 13, 2021 Why We Did This Evaluation We performed this evaluation to determine whether the system security plans in the Office of the Chief Financial Officer, the Office of Land and Emergency Management, and the Office of Research and Development are developed and updated in accordance with National Institute of Standards and Technology guidance. System security plans are required for all information systems. The National Institute of Standards and Technology states that major applications require "special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application." The plans should document an information system's security categorization and include an inventory of the system's minor applications, which are similar to major applications but do not require "special attention." This evaluation supports an U.S. Environmental Protection Agency mission-related effort: • Operating efficiently and effectively. This evaluation addresses top EPA management challenges: • Complying with key internal control requirements (data quality). • Enhancing information technology security. Address inquiries to our public affairs office at (202) 566-2391 or OIG WEBCOMMENTS@epa.gov. List of OIG reports. EPA's Emergency Response Systems at Risk of Having Inadequate Security Controls What We Found The EPA did not follow the National Institute of Standards and Technology guidance in determining and documenting the justification for the security categorizations of five emergency response systems. Further, the EPA's security categorization process did not include key participants, as recommended by NIST. In addition, security documentation for some of the EPA's minor applications did not exist. If the availability and integrity of emergency response system data are jeopardized, it could harm the EPA's ability to coordinate response efforts to protect the public from environmental disasters. NIST requires that agencies develop system security plans for all information systems, including major applications and general support systems, and tailor the systems' security controls based on the systems' security categorization. A system with a high-security categorization would require greater security controls than a system with a moderate- or low-security categorization. NIST guidance provides that security controls specific to minor applications should be documented in a system security plan as an appendix or in a paragraph. NIST also provides that all applications be secure and free of vulnerabilities. The EPA's staff and managers may not fully understand NIST requirements because the Agency's security training does not cover the NIST security categorization process. The EPA's security categorization guidance referenced NIST but did not describe the steps EPA personnel should take to implement NIST guidance. Additionally, the EPA has not implemented controls or oversight to assure that NIST guidance was followed. EPA systems are more vulnerable to security threats if the Agency does not follow NIST guidance when categorizing security levels for systems or documenting system security. Such threats could compromise a system's data and negatively impact the EPA's ability to respond to emergencies. Recommendations and Planned Agency Corrective Actions We recommend that the assistant administrator for Land and Emergency Management implement controls to follow NIST guidance when conducting system categorizations. We recommend that the assistant administrator for Research and Development implement a process to list and describe all minor applications in the appropriate system security plan. We also recommend that the assistant administrator for Mission Support provide role-based training that covers system security categorizations and implement a process to document that tools and models are secure. The Agency concurred with five of the seven recommendations and provided acceptable corrective actions and estimated milestone dates. Two recommendations remain unresolved with resolution efforts in progress. ------- |