The EPA Needs to Better Implement Internal Access Control Procedures for Its Integrated Risk Information System Database October 31, 2023 | Report No. 24-P-0005 ------- Report Contributors Tertia Allen Yoon An LaSharn Barnes LaVonda Harris-Claggett Eric Jackson Jr. Alonzo Munyeneh Sabrena Richardson Jeremy Sigel Abbreviations CIO Chief Information Officer EPA U.S. Environmental Protection Agency GSS General Support System IRIS Integrated Risk Information System IT Information Technology NHS National Computer Center Hosting System OIG Office of Inspector General OMS Office of Mission Support ORD Office of Research and Development Key Definitions Please see Appendix A for key definitions. Cover Image The EPA lacks consistent implementation of required information technology access controls for its Integrated Risk Information System. (EPA OIG image) Are you aware of fraud, waste, or abuse in an EPA program? EPA Inspector General Hotline 1200 Pennsylvania Avenue, NW (2431T) Washington, D.C. 20460 (888) 546-8740 (202) 566-2599 (fax) OIG.Hotline@epa.qov Learn more about our OIG Hotline. EPA Office of Inspector General 1200 Pennsylvania Avenue, NW (2410T) Washington, D.C. 20460 (202) 566-2391 www.epaoiq.gov Subscribe to our Email Updates. Follow us on X (formerly Twitter) @EPAoiq. Send us your Project Suggestions. ------- At a Gla 24-P-0005 October 31, 2023 The EPA Needs to Better Implement Internal Access Control Procedures for Its Integrated Risk Information System Database Why We Did This Audit To accomplish this objective: The U.S. Environmental Protection Agency Office of Inspector General conducted this audit to determine whether the EPA's Integrated Risk Information System database adheres to federal and Agency access control requirements. The Integrated Risk Information System Program is a chemical evaluation program under the Office of Research and Development and is a critical component of the EPA's capacity to support scientifically sound environmental regulations and policies. The program supports the EPA's mission to protect human health and the environment by identifying and characterizing the health hazards of chemicals found in the environment. The Office of Research and Development operated with a $574.4 million budget in fiscal year 2023 with an estimated $11.3 million allocated to the program. Agency personnel estimated $127,000 of the program's budget was used for its database application. This audit supports EPA mission- related efforts: • Compliance with the law. • Operating efficiently and effectively. This audit addresses this top EPA management challenge: • Protecting EPA systems and other critical infrastructure against cyberthreats. Address inquiries to our public affairs office at (202) 566-2391 or OIG.PublicAffairs@epa.gov. List of OIG reports. What We Found We found that information technology access management for the EPA's Integrated Risk Information System database did not adhere to federal and Agency IT access control requirements. Specifically, our analysis identified significant deficiencies including the following: • Sixty-four percent of IRIS Database Application general user accounts had access to the application without a legitimate business need, allowing two users to remain active for eight months after they separated from the Agency. • On the application's database server, privileged user accounts remained in an active status without adhering to access control requirements, resulting in the use of a generic shared administrator account for over 11 years, an active account for an employee separated from the Agency for over two years, and a privileged account with unnecessary elevated privileges. • The EPA failed to implement password configurations for IRIS database server accounts, which caused inactive accounts to remain in an active status for an unlimited time frame, use the same password an unlimited amount of time, and reuse a password sooner than allowed. • The Agency ran the database without being included or identified in a system security plan that would ensure that the system's security met federal standards. These issues occurred because the EPA did not perform regular reviews or monitor privileged or application user accounts for the IRIS Database Application. Additionally, password settings for the IRIS database server were implemented at the time the database was created with no monitoring in place to ensure ongoing compliance as requirements changed. Finally, Agency personnel assumed IRIS was included in the National Computer Center's Hosting System's system security plan, but no mention of the application is documented in that plan. Without enforcing established access control requirements, the EPA puts the chemical data, which IRIS users rely upon to inform scientifically sound environmental regulations and policies, at risk of unauthorized changes. Recommendations and Planned Agency Corrective Actions We recommend that the assistant administrator for Research and Development develop processes and assign responsibilities for the approval, review, and monitoring of user access of the IRIS Database Application. Additionally, we recommend that the assistant administrator for Mission Support implement and document password configurations for the IRIS database server to comply with federal and Agency requirements. We also recommend that the Office of Research and Development work with the Office of Mission Support to ensure security control implementation is documented for the IRIS Database Application. The Agency agreed with our recommendations, completed corrective actions for one recommendation, and provided acceptable planned corrective actions with estimated milestone dates for the remaining recommendations. We consider the recommendations resolved with corrective actions pending. ------- U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL October 31, 2023 MEMORANDUM SUBJECT: The EPA Needs to Better Implement Internal Access Control Procedures for Its Integrated Risk Information System Database Report No. 24-P-0005 FROM: Sean W. O'Donnell, Inspector General /OTfim J TO: Kimberly Patrick, Principal Deputy Assistant Administrator Office of Mission Support Dr. Chris Frey, Assistant Administrator and EPA Science Advisor Office of Research and Development This is our report on the subject audit conducted by the U.S. Environmental Protection Agency Office of Inspector General. The project number for this audit was QA-FY22-0071. This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures. The Office of Mission Support and the Office of Research and Development are responsible for the issues discussed in this report. In accordance with EPA Manual 2750, your offices provided acceptable planned corrective actions and estimated milestone dates in response to OIG recommendations. All recommendations are resolved, and no final response to this report is required. If you submit a response, however, it will be posted on the OIG's website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal along with corresponding justification. We will post this report to our website at www.epaoig.gov. To report potential fraud, waste, abuse, misconduct, or mismanagement, contact the OIG Hotline at (888) 546-8740 or OIG.Hotline@epa.gov. ------- Table of Con Chapters 1 Introduction 1 Purpose 1 Background 1 Responsible Offices 3 Scope and Methodology 4 Prior Reports 4 2 IRIS Database Application's IT Environments Includes Unused, Duplicate, Shared, and Generic Accounts 5 Recommendations 7 Agency Response and OIG Assessment 7 3 IRIS Database Server Password Configurations Do Not Comply with Agency Requirements 9 Recommendations 10 Agency Response and OIG Assessment 10 4 IRIS Database Application Lacks Required System Documentation for Operating in the Agency's Production Environment 12 Recommendations 13 Agency Response and OIG Assessment 13 5 Status of Recommendations 14 A Key Definitions 15 B Agency's Response to the Draft Report 16 C Distribution 21 ------- Chapter 1 Introduction Purpose The U.S. Environmental Protection Agency Office of Inspector General initiated this audit to determine whether the EPA's Integrated Risk Information System database adheres to federal and Agency access control requirements. Top management challenge addressed This audit addresses the following top management challenge for the Agency, as identified in the OIG's U.S. Environmental Protection Agency Fiscal Year 2023 Top Management Challenges report, issued October 28, 2022: • Protecting EPA systems and other critical infrastructure against cyberthreats. Background The EPA's Integrated Risk Information System Program is a chemical evaluation program under the Office of Research and Development that the Agency considers to be a critical component of its capacity to support scientifically sound environmental regulations and policies. The IRIS Program supports the EPA's mission to protect human health and the environment by identifying and characterizing the health hazards of chemicals found in the environment. The IRIS database presents toxicity information on more than 540 chemicals to the public through its website. The various information technology environments that make up the IRIS database's operating structure include the database tables, which store and manage application user data and configurations. Additionally, the front- end, which is the part of an information system that is directly accessed and interacted by the ORD's Application Management Team, interfaces to the database tables. The IRIS database's web content management system is used to link and release IRIS content on its website. The application piece of the IRIS database, referred to as the IRIS Database Application and does not include general users of its public website, consists of two modules: (1) a data entry module to create and update chemical landing webpages that provide the final IRIS assessments and (2) a tracking module to update the schedule of chemical assessments under development. The focus of our audit was on access to these modules of the IRIS Database Application, its underlying database server, and its web 24-P-0005 1 ------- content management system administrators, and did not include review of scientific content, assessment process, or evaluation of the scientific conclusions presented by the IRIS Program. General Support System Interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. Major Application An application that requires special management attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor Applications An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system. During the pertinent time frame of our audit, the Agency's Information Security - Access Control Procedure, CIO Directive 2150-P-01.2, required owners of all EPA information and information systems to comply with the user access controls, including review of active user accounts, in accordance with the National Institute of Standards and Technology Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Similarly, the Agency's CIO Directive Information Security—Identification and Authentication Procedure, CIO Directive 2120-P-07.2, provided requirements for user password settings.1 The IRIS Database Application was implemented in 2001, according to ORD personnel,2 and is hosted within the Agency's National Computer Center in Research Triangle Park, North Carolina. While the IRIS Program is located within the ORD, its database development is performed by the ORD and the EPA's Office of Mission Support, or the OMS, contractors. EPA personnel who interact with the IRIS database includes ORD database and application developers, known as the ORD's Application Management Team; OMS server administrators; and an OMS database administrator. The OMS provides operational support for the underlying infrastructure running the servers on which the IRIS Database Application resides. This support consists of managing the operating system; deploying patches, which is the distribution and application of updates to software; and implementing updates the ORD's Application Management Team sent in production, but not running the application itself. ORD personnel, including the Application Management Team and the IRIS application owner, manage access to the IRIS Database Application. Requests for new accounts would be routed to the Application 1 Version 2 (2150-P-01.2) of the Access Control Procedure was in effect during the primary time period of this audit. On June 8, 2023, version 3 (2150-P-01.3) was issued to implement the National Institute of Standards and Technology Special Publication 800-53 Revision 5 requirements. Similarly, version 2 (2120-P-07.2) of the Identification and Authentication Procedure was in effect during the time period of this audit; on January 1, 2023, version 3 (2120-P-07.3) was issued to update for the National Institute of Standards and Technology requirements. Accordingly, this report references the prior versions of both procedures. 2 As shown in Chapter 4, a system security plan that would support this implementation date was not documented for the IRIS database due to the Agency's assumption that it was included as a minor application under the National Computer Center Hosting System general support system's security plan. 24-P-0005 2 ------- Management Team, who creates the accounts. However, ORD personnel stated that they have not received requests for IRIS access in several years. The ORD Application Management Team only uses these accounts to display chemical managers' names with their associated public draft assessment on the IRIS website. Only the ORD Application Management Team has direct access to the IRIS Database Application. System security plan A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. The ORD classifies its IRIS Database Application as a minor application under the National Computer Center Hosting System general support system, or NHS GSS, owned by OMS's Enterprise Hosting Division. The NHS supports large-scale data processing and provides a national data repository for Agency environmental and administrative systems. NHS also provides dedicated, shared, and virtualized computing resources running multiple various operating systems. While all EPA information systems are required to follow Agency IT procedures, a system security plan detailing the controls planned or implemented to meet security control requirements is required for the GSS and major applications. Since most of the security controls are provided by the GSS, security controls specific to the minor application, including access controls, should be documented as part of the GSS system security plan. Additionally, the National Institute of Standards and Technology's Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, issued February 2006, states that minor applications that are not connected to a major application should be briefly described in their general support system plans. Responsible Offices The IRIS Program, which has an estimated fiscal year 2023 budget of $11.3 million and owns the IRIS Database Application, is located within the EPA's Center for Public Health and Environmental Assessment in the ORD. The ORD is responsible for providing the data, tools, and information that form the scientific foundation the Agency relies on to fulfill its mission to protect the environment and safeguard public health. The Center for Public Health and Environmental Assessment is responsible for providing the science needed to support assessments and policies to protect human health and ecological integrity. The ORD's Application Management Team is responsible for the access management and administration of the IRIS Database Application, which has an estimated fiscal year 2023 budget of $127,000. The OMS leads the EPA's information management and information technology programs. Within the OMS, the Office of Information Technology Operations implements and manages the Agency's information technology services and solutions, including computers, servers, software, and networks. Its Enterprise Hosting Division personnel at the National Computer Center provide system administration for the NHS GSS, under which the IRIS Database Application is a minor application. The Enterprise Hosting Division also administers the production server on which the IRIS Database Application resides. 24-P-0005 3 ------- Scope and Methodology We conducted this performance audit from February 2022 to April 2023 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We assessed the internal controls necessary to satisfy our audit objectives.3 In particular, we assessed internal control components—as outlined in the U.S. Government Accountability Office's Standards for Internal Control in the Federal Government—significant to our audit objectives. Any internal control deficiencies we found are discussed in this report. Because our audit was limited to the internal control components deemed significant to our audit objective, it may not have disclosed all internal control deficiencies that may have existed at the time of the audit. We gained an understanding of the IRIS Database Application's IT access control processes through interviews with the ORD's Application Management Team and the OMS's database server administration personnel. We requested and analyzed documentation and system-generated evidence to corroborate statements from the ORD and the OMS and identified vulnerabilities or IT access security control weaknesses. This evidence consisted of system security documentation as well as database tables containing IRIS Database Application user listings, system and administration accounts, and password configurations for the database server. To verify system data, we performed virtual walkthroughs with IRIS IT operations personnel. The scope of our audit was limited to IT access for the IRIS Database Application and did not include review of scientific content, assessment process, or evaluation of the scientific conclusions presented by the IRIS Program. Prior Reports OIG Report No. 21-E-0226. EPA's Emergency Response Systems at Risk of Having Inadequate Security Controls, issued September 13, 2021, evaluated whether the system security plans in the ORD, among other offices, were developed and updated in accordance with the National Institute of Standards and Technology standards and guidance. We recommended that the assistant administrator for Research and Development "develop and implement a process to list and describe all minor applications in the appropriate system security plan." The ORD concurred with this recommendation and provided acceptable corrective actions that were completed by May 4, 2022. 3 An entity designs, implements, and operates internal controls to achieve its objectives related to operations, reporting, and compliance. The U.S. Government Accountability Office sets internal control standards for federal entities in GAO-14-704G, Standards for Internal Control in the Federal Government (also known as the "Green Book"), issued September 10, 2014. 24-P-0005 4 ------- Chapter 2 IRIS Database Application's IT Environments Includes Unused, Duplicate, Shared, and Generic Accounts The EPA's account management for the IRIS Database Application failed to adhere to federal and Agency IT access control requirements. Among the IRIS Database Application's 163 user accounts, we found that the EPA did not manage and monitor privilege and general user accounts with active access to the IRIS Database Application, resulting in 104 general user accounts (64 percent) with active access to the application without having a business or mission need. Specifically, we found two privilege user accounts in an active status using a generic shared administrator account and one account for an employee who separated from the Agency. Additionally, for the database server hosting IRIS, we found shared and open accounts with elevated privileges that allows unauthorized updates or the ability to lock data. Finally, for IRIS's web content management system responsible for publishing and editing content on IRIS's chemical risk assessment website, two of the five administrators (40 percent) had more than one account with administrator privileges. Specifically, for the IRIS Database Application general user accounts, we found that: • 104 of 163 (64 percent) IRIS Database Application user accounts did not require access to the IRIS Database Application for their business or mission functions as confirmed by ORD personnel. • Two IRIS Database Application user accounts remained in an active status for eight months after the employees assigned to these accounts separated from the Agency. • An IRIS Database Application user account was created during this audit without formal or documented approval. Following a March 2022 inquiry from us on the identified findings, the ORD reviewed, disabled, and locked most of these accounts. However, as of August 2022, the ORD still had 18 active IRIS Database Application user accounts that required review to determine whether those users need access to the IRIS Database Application. Additionally, in the database server hosting IRIS we found that: • The Agency did not restrict the use of a generic administrator account, which was active for more than 11 years. Lack of restrictions such as this exposes the Agency to an internal threat of a bad actor using the account to perform unauthorized transactions without accountability. J Approval? ~ 24-P-0005 ------- • The Agency allowed the account for an administrator responsible for monitoring IRIS Database Application user IT access and account management to remain active for more than two years after the I'Slllil 2+ years employee retired from the Agency. Leaving a separated employee's account active, especially an administrator account, exposes the database to internal threats such as the account being used for unauthorized activity. • An active IRIS Database administrator account to which multiple people have access and should be reviewed for business function and JL restricted accordingly, provided users with unnecessary elevated account privileges that could allow them to make changes to the IRIS Database Application tables. While the OMS is aware of the account's assigned roles, it was unaware of who uses the account and why. • The IRIS Database Application's Object Owner Account was not disabled and locked when it was not performing installation and maintenance actions. This account is the user who creates database objects such as tables and necessitates special precautions against unauthorized access when not in use since the account owns all objects of the application. In addition to its elevated privileges for database installation and maintenance, this account is designed for infrequent use, meaning that unauthorized access to the account could go undetected. ~m Application Object Owner Finally, in its web content management system, we found that the Agency did not disable and lock two duplicate administrator accounts. These accounts allow users to edit, publish, and delete content on the IRIS website. The Agency's Information Security - Access Control Procedure, CIO Directive 2150-P-01.2, required owners of EPA-operated systems to "review users' activities to enforce use of information system access controls." Additionally, CIO Directive 2150-P-01.2 requires immediately disabling all accounts that are not accessed by the user for more than 30 days and when a user is no longer associated with the EPA. In addition, the National Institute of Standards and Technology Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, requires agencies to "[rejview accounts for compliance with account management requirements," as well as to disable accounts in accordance with organizational policy and procedures. Additionally, CIO Directive 2150-P-01.2 stated that the Agency's procedures "cover all EPA information and information systems" and it does not exempt minor applications from its requirements. These oversights occurred because the EPA failed to conduct periodic reviews of whether users were granted access to the IRIS Database Application's IT environments in accordance with federal and Agency IT access control requirements. This was exacerbated by the lack of monitoring of privileged user accounts and activity to identify suspicious activity and mitigate the associated risks. The ORD stated 24-P-0005 6 ------- that the application owner who performed the account reviews retired in January 2018, and that the ORD no longer reviewed these accounts because it transitioned away from using the IRIS Database Application to track assessment milestones and instead uses IRIS Program Outlook documents, which are updated three times a year. IRIS Program Outlook documents track the status of assessments and forecast future milestones, such as finalizing chemical assessment plans, public comment deadlines, and external peer reviews. However, the IRIS Database Application is still used to display milestone information on the IRIS website and the ORD Application Management Team updates the assessment milestones in the IRIS Database Application when necessary. Without enforcing federal and Agency access control requirements, the EPA risks exposing its chemical risk data, which IRIS users rely upon to inform environmental regulations and policies, to unauthorized access and changes. This could allow a threat actor to perform unauthorized system changes that may negatively affect the operation of the Agency system and integrity of its data. Because the EPA does not review these accounts or monitor their activity, malicious acts could go undetected. Recommendations We recommend that the assistant administrator for Research and Development: 1. Develop a process and assign responsibility for periodic review of application user information technology access for the Integrated Risk Information System database and perform the necessary updates to adhere to federal and Agency information technology access controls requirements including identifying and deactivating any unused accounts. 2. Develop a process and assign responsibility for application user information technology access approval to the Integrated Risk Information System database. 3. Instruct staff responsible for Integrated Risk Information System account management of the federal and Agency information technology access control requirements related to access approval, review, monitoring, and removal. 4. Discontinue use of IRIS Database Application accounts for database administration activities without a business justification or develop a process to track privileged user activity on these accounts. Agency Response and OIG Assessment The ORD agreed with our four recommendations and provided acceptable planned corrective actions and estimated milestone dates. We consider these recommendations resolved with corrective action pending. For Recommendations 1 and 2, the ORD stated that it would develop and implement a user account management procedure for internal access to the database that would include periodic review of 24-P-0005 7 ------- application user access. Additionally, this procedure would include a process for identifying, approving, and deactivating unused accounts in accordance with federal and Agency access control requirements. For Recommendation 3, the ORD stated that it would add the ORD Application Management Team to the ORD Significant Information Security Responsibility list, which will require it to complete five additional security related training credits managed by the ORD information security officer, who certifies completion annually. For Recommendation 4, the ORD stated that it is in the process of reviewing and disabling IRIS Database Application user accounts and will include a process to track privileged user activity on IRIS Database Application accounts for database administration in the user account management procedure. Appendix B contains the Agency's response to the draft report. 24-P-0005 8 ------- Chapter 3 IRIS Database Server Password Configurations Do Not Comply with Agency Requirements The EPA did not implement compliant password configurations to secure the IRIS database, which allowed for inactive accounts to remain active for an unlimited time, unlimited use of the same password, and password reuse sooner than required, as well as jeopardized the confidentiality, reliability, and integrity of IRIS's chemical risk data, as shown in Table 1. Inactive account time The number of days an inactive account can remain active. Password lifetime The number of days a password remains valid. Password reuse maximum The number of different passwords that must be used before the user is allowed to reuse a password. Specifically, we found that: • Inactive account time password settings for the default and system database server profiles allow inactive accounts to remain active for an unlimited time instead of adhering to the 30-day Agency requirement. • Password lifetime settings for the default database server profile allows 90 days of use and the system database server profiles allows unlimited use of the same password instead of adhering to the 60-day Agency requirement. • Password reuse maximum settings allow passwords to be reused sooner than required, specifically after five password changes instead of 24, or four years, as required in Agency procedures. Table 1: Noncompliant password settings implemented on the IRIS database server Password Setting Associated IRIS database server profile Current Setting Directive Requirement Directive Inactive Account Time Default Unlimited 30 days CIO-2150-p-01.2 Password Lifetime Default 90 days 60 days CIO-2120-p-07.2 Password Reuse Max Default Five cycles 24 cycles CIO-2120-p-07.2 Inactive Account Time System Unlimited 30 days CIO-2150-p-01.2 Password Lifetime System Unlimited 60 days CIO-2120-P-07.2 Source: OIG analysis of IRIS database server configurations. (EPA OIG table) 24-P-0005 9 ------- CIO Directive 2150-P-01.2, Information Security - Access Control Procedure, required deactivating accounts for EPA-operated systems after 30 days of nonuse. CIO Directive 2120-P-07.2, Information Security - Identification and Authentication Procedure, restricted password lifetime for all information systems to 60 days and the reuse of passwords within 24 cycles or four years. Additionally, CIO Directive 2150-P-01.2 required owners of all information systems to review system accounts and access at least monthly to ensure that only the appropriate levels of access are allowed.4 These instances occurred because the EPA did not monitor password settings to ensure compliance with Agency requirements. Specifically, the OMS implemented these settings at the time the database was created and did not update the database's password settings as policy requirements changed. The Office of Information Technology Operations reviews compliance with issued policy by validating the database's password settings against the policy in place during the annual review of system security plans. According to Office of Information Technology Operations personnel, updates and changes resulting from this review are disseminated to the technical teams; however, no updates were communicated or tracked as part of this review. Without controls in place to monitor and verify compliance with Agency requirements, the EPA hinders its ability to enforce its password policies to protect the confidentiality, reliability, and integrity of IRIS's chemical risk data. Additionally, weak password settings could be used to exploit weaknesses in the IRIS database and leave them vulnerable to emerging threats. Recommendations We recommend that the assistant administrator for Mission Support: 5. Configure password settings to comply with Agency access control requirements for the password expiration, password reuse maximum, and inactive account time password settings. 6. Document the Integrated Risk Information System database's security controls, including password configuration settings, in a system security plan and work with the Office of Information Technology Operations to confirm those settings are reviewed as part of its annual security plan review process. Agency Response and OIG Assessment The OMS agreed with our recommendations; completed corrective actions for Recommendation 5; and provided acceptable planned corrective actions and estimated milestone dates for Recommendation 6, which we consider resolved with corrective action pending. 4 Version 3 of CIO Directive 2150-P-01 now requires reviewing accounts for compliance every 60 days, and the time frame for disabling accounts afer periods of inactivity was also changed based on whether the information system is classified as a low, moderate, or high security system. The applicable requirements in Version 3 of CIO Directive 2120-P-07 did not change. 24-P-0005 10 ------- The OMS stated that a compensating control, in the form of a daily automated tracking process, is in place for the inactive account time password settings for the default and system database server profiles. This daily process checks for accounts past 30 days of inactivity and locks those accounts. This is done to prevent the database from locking accounts critical to the operations of the application which has the potential to negatively impact its ability to support Agency missions. The OMS provided acceptable corrective actions for Recommendation 5, which it completed on August 12, 2022. We consider this recommendation complete. For Recommendation 6, the OMS stated that it would document the IRIS database's internal security controls, including password configuration settings, in a system security plan and work with the Office of Information Technology Operations to confirm those settings are reviewed as part of its annual security plan review process. Recommendation 6 is resolved with planned corrective action pending. The Agency's response to the draft report is in Appendix B. 24-P-0005 11 ------- Chapter 4 IRIS Database Application Lacks Required System Documentation for Operating in the Agency's Production Environment The EPA operated the IRIS Database Application in the production environment without the required system security documentation. Specifically, it was not included in a system security plan. Federal standards require all information systems to be covered by a system security plan. While the EPA documented a system security plan for the NHS GSS, the plan does not identify the IRIS Database Application as its minor application or address IRIS's inherited or system level security controls. This oversight can result noncompliance issues, such as the findings detailed in Chapter 3, in that, validating a system's compliance with public policy would not occur without a system security plan to review them against. Production environment Where the latest versions of software, products, or updates are pushed live to the intended users. This is the environment where the end user can see, experience, and interact with the new product. The National Institute of Standards and Technology's Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, issued February 2006, states that: Specific system security plans for minor applications are not required because the security controls for those applications are typically provided by the general support system or major application in which they operate. In those cases where the minor application is not connected to a major application or general support system, the minor application should be briefly described in a general support system plan that has either a common physical location or is supported by the same organization. This oversight occurred because ORD and National Computer Center personnel wrongly assumed IRIS was incorporated in the NHS SSP; however, our audit found no specific mention of the IRIS Database Application in the system security plan. While the NHS system security plan was created in 2010, the IRIS Database Application has been in operation since 2001, according to ORD personnel. It should be part of the NHS plan. Without the required system documentation, the EPA cannot ensure that the security of its systems meet federal standards to operate in a production environment. The system security plan is designed to improve protection of information system resources and prevent noncompliance issues such as the password findings detailed in Chapter 3. 24-P-0005 12 ------- Recommendation We recommend that the assistant administrator for Research and Development: 7. Work with the Office of Mission Support to incorporate the Integrated Risk Information System database into the National Computer Center's Hosting System's security plan. Agency Response and OIG Assessment The ORD agreed with Recommendation 7 and provided acceptable planned corrective actions. The ORD stated that it would work with the OMS to obtain an Authorization to Use approval, the management decision given to authorize the use of an information system, via the Application Characterization Document review process, which should result in the incorporation of the IRIS database into the National Computer Center's Hosting System's security plan. The Application Characterization Document contains relevant application description information to include in the security plan. We consider this recommendation resolved with corrective action pending. 24-P-0005 13 ------- Status of Recommendations Planned Rec. Page Completion No. No. Recommendation Status* Action Official Date Develop a process and assign responsibility for periodic review of application user information technology access for the Integrated Risk Information System database and perform the necessary updates to adhere to federal and Agency information technology access controls requirements including identifying and deactivating any unused accounts. Assistant Administrator for Research and Development 12/31/24 Develop a process and assign responsibility for application user information technology access approval to the Integrated Risk Information System database. Assistant Administrator for Research and Development 12/31/24 Instruct staff responsible for Integrated Risk Information System account management of the federal and Agency information technology access control requirements related to access approval, review, monitoring, and removal. Assistant Administrator for Research and Development 12/31/24 Discontinue use of IRIS Database Application accounts for database administration activities without a business justification or develop a process to track privileged user activity on these accounts. Assistant Administrator for Research and Development 12/30/24 10 Configure password settings to comply with Agency access control requirements for the password expiration, password reuse maximum, and inactive account time password settings. Assistant Administrator for Mission Support 10 Document the Integrated Risk Information System database's security controls, including password configuration settings, in a system security plan and work with the Office of Information Technology Operations to confirm those settings are reviewed as part of its annual security plan review process. 13 Work with the Office of Mission Support to incorporate the Integrated Risk Information System database into the National Computer Center's Hosting System's security plan. Assistant Administrator for 12/30/24 Mission Support Assistant Administrator for 12/30/25 Research and Development * C = Corrective action completed. R = Recommendation resolved with corrective action pending. U = Recommendation unresolved with resolution efforts in progress. 24-P-0005 14 ------- Appendix A Key Definitions General Support System: Interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. Major Application: An application that requires special management attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor Applications: An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system. Production environment: The environment where the latest versions of software, products, or updates are pushed live to the intended users. The end user can see, experience, and interact with the new product. System Security Plan: A formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. 24-P-0005 15 ------- Appendix B Agency's Response to the Draft Report «E0 S7*, ^ UNITED STATES ENVIRONMENTAL PROTECTION AGENCY USE WASHINGTON, D.C. 20460 September 19. 2023 OFFICE OF RESEARCH AND DEVELOPMENT MEMORANDUM SUBJECT: Response to Office of Inspector General (OIG) Draft Report, "The EPA Needs to Better Implement Access Control Procedures for Its Integrated Risk Information System" (Report No. OA-FY22-0071. dated August 15. 2023) FROM: H. Christopher Frey Digitally signed by h. Assistant Administrator and EPA Science Advisor CHRISTOPHER Christopher frey Office of Research and Development FREY ^^ss^oo'9 Vaughn Noga Cliief Information Officer and Deputy Assistant.Administrator for Environmental Information V A U G H N Office of Mission Support NOGA TO: Sean W. O'Donnell Inspector General Office of Inspector General Digitally signed by VAUGHN NOGA Date: 2023.09.21 08:39:27 -04'00' The EPA's Office of Research and Development (ORD) and Office of Mission Support (OMS) appreciates the opportunity to review and comment on the OIG's Draft Report titled "The EPA Needs to Better Implement Access Control Procedures for Its Integrated Risk Information System" (Report No. OA-FY22-0071). EPA's Program for the Integrated Risk Information System (IRIS) develops scientific assessments that provide an important source of toxicity information used by EPA, state and local health agencies, other federal agencies, and international health organizations. These assessments, in the form of reports, associated materials, and general information, are made available to the public via several webpages and applications commonly referred to as the IRIS database. The IRIS database serves as an information technology platform for EPA to conveniently share Agency IRIS assessment related information. IRIS assessments are separately and independently developed, reviewed, and completed in the form of written EPA documentation. This OIG review and associated recommendations are focused on the internal information security procedures for accessing the IRIS database (i.e., internal access to the technology application). The internal access control procedures highlighted in this draft report are not related 24-P-0005 16 ------- to, and have no impact on, the scientific activities, assessment development and review, assessment content, and communications generated by the IRIS Program. In light of the OIG recommendations in the draft report, EPA understands that improvements can be made to underlying security procedures associated with internal access controls to the IRIS database. EPA is committed to ensuring the information technology aspect of the IRIS database remains secure. EPA intends to take steps indicated by the OIG to improve the security procedures associated with the internal controls of the IRIS database and to ensure that best practices are maintained and followed. Immediately below are EPA's responses to the OIG's recommendations. Recommendation 1: Develop a process and assign responsibility for periodic review of application user information technology access for the Integrated Risk Information System database and perform the necessary updates to adhere to federal and Agency information technology access controls requirements including identifying and deactivating any unused accounts. ORD Response: ORD concurs with this recommendation and proposes the following corrective action and completion date. Corrective Action 1: ORD will develop and implement a User Account Management Procedure for internal access to the database. This procedure will include the following: • A process, including assigned responsibility, for periodic review of application user technology access. • A process for identifying and deactivating unused accounts in accordance with federal and Agency information technology access control requirements. • A process, including assigned responsibility, for application user information technology access approval. • Instructions for staff responsible for IRIS account management of the federal and Agency information technology access control requirements related to access approval, review, monitoring, and removal. • A process to track privileged user activity on IRIS Database Application accounts for database administration. Planned Completion Date: December 31, 2024 Recommendation 2: Develop a process and assign responsibility for application user information technology access approval to the Integrated Risk Information System database. ORD Response: ORD concurs with this recommendation and proposes the following corrective action and completion date. Corrective Action 2: ORD will develop and implement a User Account Management Procedure for internal access to the database. As outlined in the response to recommendation one, this procedure will include a process for assigned responsibility for application user information technology access approval. 24-P-0005 17 ------- Planned Completion Date: December 31, 2024 Recommendation 3: Instruct staff responsible for Integrated Risk Information System account management of the federal and Agency information technology access control requirements related to access approval, review, monitoring, and removal. ORD Response: ORD concurs with this recommendation and proposes the following corrective actions and corresponding completion dates. Corrective Action 3a: The ORD Information Security Officer (ISO) will add the Application Management Team to the ORD Significant Information Security Responsibility (SISR) list. Individuals who are designated with this requirement must complete five additional security related training Continuing Professional Education (CPE) credits in addition to completing the agency's Annual Information Security and Privacy (ISPAT) course. The security training is managed by the ORD ISO, who certifies ORD completion annually to the Office of Information Security and Privacy (OISP). Planned Completion Date: December 31, 2023 Corrective Action 3b: ORD will develop and implement a User Account Management Procedure for internal access to the database. As outlined in the response to recommendation one, this procedure will include instructions for staff responsible for IRIS database account management of the federal and Agency information technology access control requirements related to access approval, review, monitoring, and removal. Planned Completion Date: December 31, 2024 Recommendation 4: Discontinue use of IRIS Database Application accounts for database administration activities without a business justification or develop a process to track privileged user activity on these accounts. ORD Response: ORD concurs with this recommendation and proposes the following corrective actions and completion dates. Corrective Action 4a: The Application Management Team is in the process of reviewing and disabling, as appropriate, the IRIS Database Application user accounts that were previously used to display the point(s) of contact on the various assessments in development. Planned Completion Date: December 31, 2023 Corrective Action 4b: Additionally, ORD will develop and implement a User Account Management Procedure for internal access to the database. As outlined in the response to recommendation one, this procedure will include a process to track privileged user activity on IRIS Database Application accounts for database administration. 24-P-0005 18 ------- Planned Completion Date: December 30, 2024 Recommendation 5: Configure password settings to comply with Agency access control requirements for the password expiration, password reuse maximum, and inactive account time password settings. OMS Response: OMS agrees with this recommendation for account settings that do not have compensating controls and has resolved this issue. OITO has implemented updates to the daily monitoring script to verify Password Lifetime, Password Reuse Max settings are complying with policy. This script notifies appropriate personnel of non-compliant settings and updates are implemented during weekly change windows to ensure no negative impact to applications. Setting updates are verified the following day by the monitoring script to ensure updates are in place. Script variables associated with duration and cycle settings will be adjusted per the security plan annual review to ensure compliance with published policy. Corrective Action 5: OMS will configure password settings to comply with Agency access control requirements for the password expiration, password reuse maximum, and inactive account time password settings. Planned Completion Date: Completed. See attached for documentation. Recommendation 6: Document the Integrated Risk Information System database's security controls, including password configuration settings, in a system security plan and work with the Office of Information Technology Operations to confirm those settings are reviewed as part of its annual security plan review process. OMS Response: OMS agrees with this recommendation and will work with the ORD application owners to ensure documentation is updated in compliance with the Authorization to Use (ATU) process supporting the GSS. OITO reviews compliance with current published policy by validating settings against the policy during the annual review of security plans. Updates and changes resulting from this review are disseminated to the technical teams. OITO will review and improve communications between the security plan review teams and the technical teams following those reviews to ensure updates and changes are communicated properly and implemented in compliance with published policy. Corrective Action 6: OMS will document the Integrated Risk Information System database's internal security controls, including password configuration settings, in a system security plan and work with the Office of Information Technology Operations to confirm those settings are reviewed as part of its annual security plan review process. Planned Completion Date: December 30, 2024 24-P-0005 19 ------- Recommendation 7: Work with the Office of Mission Support to incorporate the Integrated Risk Information System database into the National Computer Center's Hosting System's security plan. ORD Response: ORD concurs with this recommendation and proposes the following corrective action and completion date. Corrective Action 7: ORD will work with OMS to obtain an Authorization to Use (ATU) approval via the Application Characterization Document (ACD) review process that is managed by OMS. This will incorporate the IRIS database into the National Computer Center's Hosting System's security plan. Planned Completion Date: December 30, 2025 Attached please find specific comments on the Draft Report. If you have any questions regarding this response, please contact Caitlin Schneider, Office of Research and Development, Office of Resource Management, at ORD_AuditTeam@epa.gov or Afreeka Wilson, Office of Mission Support, at OMS Audit Coordination@epa.gov. Attachment cc: Wayne Cascio, ORD/CPHEA Kay Holt, ORD/CPHEA Kris Thayer, ORD/CPHEA Samantha Jones, ORD/CPHEA Vique Caro, ORD/OSIM John Sykes, ORD/OSIM John Steenbock, ORD/ORM Heather Cursio, ORD/ORM Caitlin Schneider, ORD/ORM Afreeka Wilson, OMS Darryl Perez, OMS Marilyn Armstrong, OMS OM SAuditC oordinati on Sue Perkins, OCFO Lasharn Barnes, OIG Jeremy Sigel, OIG Tertia Allen, OIG Eric Lewis, OIG 24-P-0005 20 ------- Appendix C Distribution The Administrator Deputy Administrator Chief of Staff, Office of the Administrator Deputy Chief of Staff for Management, Office of the Administrator Agency Follow-Up Official (the CFO) Assistant Administrator for Mission Support Assistant Administrator and EPA Science Advisor for Research and Development Principal Deputy Assistant Administrator for Mission Support Principal Deputy Assistant Administrator and EPA's Chief Scientist for Research and Development Agency Follow-Up Coordinator General Counsel Associate Administrator for Congressional and Intergovernmental Relations Associate Administrator for Public Affairs Deputy Assistant Administrator for Mission Support Deputy Assistant Administrator for Research and Development Chief Information Officer and Deputy Assistant Administrator for Environmental Information, Office of Mission Support Deputy Assistant Administrator for Administration and Resources Management, Office of Mission Support Director, Office of Continuous Improvement, Office of the Chief Financial Officer Director, Office of Resources and Business Operations, Office of Mission Support Office of Policy OIG Liaison Office of Policy GAO Liaison Audit Follow-Up Coordinator, Office of the Administrator Audit Follow-Up Coordinator, Office of Mission Support Audit Follow-Up Coordinator, Office of Research and Development 24-P-0005 21 ------- Whistleblower Protection U.S. Environmental Protection Agency The whistleblower protection coordinator's role is to educate Agency employees about prohibitions against retaliation for protected disclosures and the rights and remedies against retaliation. For more information, please visit the OIG's whistleblower protectior webpage Contact us: Congressional Inquiries: OIG.CongressionalAffairsffiepa.gov Media Inquiries: OIG.PublicAffairs(5)epa.gov line EPA OIG Hotline: QIG.Hotline(5)epa.gov -jig- Web: epaoig.gov Follow us: ^ X (formerly Twitter): (5)epaoig Linkedln: linkedin.com/company/epa-oig YouTube: /outube.com/epaoig [SI Instagram: 5)epa.ig.on.ig ------- |