The Environmental Protection Agency isn't doing enough to get its arms around security weaknesses, which could hamper its ability to foil cyber threats, warns an inspector general.
In a May 21 report, the OIG found EPA personnel didn't manage plans of action and milestones for fixing security vulnerabilities within the agency's information security weakness tracking system.
The IG said this happened because the office charged with identifying vulnerabilities relies on other agency offices to enter the POA&Ms in the tracking system to manage unfixed vulnerabilities.
One EPA office was found to be tracking vulnerabilities outside the tracking system, while another office said it lacked a formal process to create POA&Ms in the system.
"Without accessible and consistent information about unremediated weaknesses, senior EPA managers cannot make risk-based decisions on how to protect the agency's network against cyber-security threats," according to the report.
The IG also found EPA's information security weakness tracking system didn't have controls to prevent unauthorized changes to key data fields and to record these changes in the system's audit logs.
The IG recommended that EPA create a control to ensure personnel create required POA&Ms for vulnerability testing results. The agency should also establish a process to occasionally review its tracking system's security settings to confirm each setting meets certain standards.