EPA Needs to Develop and Implement Information Technology Processes to Comply with the Federal Information Security Modernization Act for Fiscal Year 2023

At a Gla

24-P-0052
August 5, 2024

The EPA Needs to Develop and Implement Information Technology
Processes to Comply with the Federal Information Security
Modernization Act for Fiscal Year 2023

Why We Did This Audit

To accomplish this objective:

The U.S. Environmental Protection
Agency Office of Inspector General
conducted this audit to assess the
EPA's compliance with the fiscal
year 2023 Inspector General Federal
Information Security Modernization Act
of 2014 reporting metrics.

The reporting metrics outline
five security function areas and
nine corresponding domains to help
federal agencies manage cybersecurity
risks. The document also outlines
five maturity levels by which inspectors
general should assess their agencies'
information security programs. The
Office of Information Security and
Privacy, which defines information
security and privacy strategies, is a
subset of the Office of Mission
Support's Information Technology
Security and Privacy Program that
operated with a budget of $25 million in
fiscal year 2023.

To support these EPA mission-
related efforts:

• Compliance with the law.

• Operating efficiently and effectively.

Address inquiries to our public
affairs office at (202) 566-2391 or
OIG.PublicAffairs@epa.gov.

What We Found

We concluded that the EPA achieved an overall maturity level of Level 3, Consistently
Implemented, for the five security functions and nine domains outlined in the Office of
Management and Budget's FY 2023 - 2024 Inspector General Federal Information Security
Modernization Act of 2014 (FISMA) Reporting Metrics. This means that the EPA
consistently implemented its information security policies and procedures, but quantitative
and qualitative effectiveness measures are lacking. We identified that the EPA had
deficiencies in the following areas:

• Establishing the information security documentation related to supply chain risk
management procedures, finalizing a security training and awareness plan, updating
the Information Security Continuous Monitoring Strategic Plan, and ensuring that all
documents and procedures comply with the latest federal guidance issued by the
National Institute of Standards and Technology.

• Implementing information technology, or IT, processes to comply with event logging
requirements for the detection of incidents and discovery of unauthorized hardware on
the Agency's network.

• Developing internal controls to verify the completeness and accuracy of the Agency's
IT asset inventory, remediating information systems' configuration compliance findings,
and ensuring the accuracy of the information systems' security objective risk levels in
the Agency's Risk Management Framework tool.

Without fully documented, implemented, and compliant IT procedures,
the Agency cannot ensure that its information security program is
protecting EPA systems and data to adhere to the National Institute of
Standards and Technology standards.

Recommendations and Planned Agency Corrective Actions

We made nine recommendations to the assistant administrator for Mission Support. The
Agency concurred with our recommendations, completed corrective actions for
five recommendations, and provided acceptable planned corrective actions with estimated
milestone dates for the remaining four recommendations. We also made revisions to
Recommendation 8 in response to Agency comments to the draft report which the Agency
agreed with and provided acceptable planned corrective actions with estimated milestone
dates. We consider the remaining four recommendations resolved with corrective actions
pending.

List of OIG reports.

-------