Office of Inspector General

U.S. Environmental Protection Agency

At a Glance

22-E-0025
March 29, 2022

Why This Evaluation Was Done

This evaluation was performed to assess the U.S. Chemical Safety and Hazard Investigation Board's compliance with performance measures outlined in the fiscal year 2021 inspector general reporting instructions for the Federal Information Security Modernization Act of 2014.

SB & Company was contracted to perform this evaluation under the direction and oversight of the U.S. Environmental Protection Agency's Office of Inspector General.

The performance measures outline and provide potential ratings for security function areas to help federal agencies manage cybersecurity risks.

This evaluation supports the CSB mission-related effort:

• Preventing recurrence of significant chemical incidents through independent investigations.

Address inquiries to our public affairs office at (202) 566-2391 or OIG_WEBCOMMENTS@epa.gov.

List of OIG reports.

Contractor-Produced Report: CSB Is at Increased Risk of Losing Significant Data and Is Vulnerable to Exploitation

What SB & Company Found

SB & Company assessed the effectiveness of the
CSB's information security program at "Level 2,
Defined," which means that the CSB's policies,
procedures, and strategies for its information
security program are formalized and that its
strategies are documented but not consistently
implemented.

SB & Company found that the lack of off-site data backups increases the CSB's risk of losing significant data.

While the CSB has policies, procedures, and strategies in place for the
information security program, SB & Company identified that the CSB lacks a
Vulnerability Disclosure Policy to protect its public website. This increases the
risk that vulnerabilities identified by external stakeholders are not being
reported in a timely manner to CSB management. A delay in reporting identified
vulnerabilities may increase the risk of exploitation of those vulnerabilities and
lead to the disruption of operations.

SB & Company also identified that the CSB discontinued the off-site storage of
tape backups, which increases the risk of losing data and disrupting operations.
This issue was previously identified in OIG Report No. 21-E-0071, CSB's
Information Security Program Is Not Consistently Implemented; Improvements Are
Needed to Address Four Weaknesses, issued February 9, 2021. The CSB
concurred with the recommendation in that report, implemented a corrective
action, and restarted off-site backups. The CSB provided supporting documents
for the corrective action taken, and we considered the corrective action for that
recommendation completed. However, with the lack of on-site staff during the
coronavirus pandemic, the CSB once again did not store backup tapes off-site.
As a result, if the CSB headquarters loses data during an incident, those data
could be permanently lost and impact the CSB's ability to fulfill its mission.

Recommendations and Planned Agency Corrective Actions

SB & Company made two recommendations to the CSB, and the OIG agrees
with and adopts these recommendations. The CSB agreed with the
recommendations and provided acceptable corrective actions. The OIG
considers Recommendation 1 to be resolved with corrective action completed,
and Recommendation 2 to be resolved with corrective action pending.

