The Environmental Protection Agency isn’t doing enough to get its arms around security weaknesses, which could hamper its ability to foil cyber threats, warns an inspector general.
In a May 21 report, the OIG found EPA personnel didn’t manage plans of action and milestones for fixing security vulnerabilities within the agency’s information security weakness tracking system.
The IG said this happened because the office charged with identifying vulnerabilities relies on other agency offices to enter the POA&Ms in the tracking system to manage unfixed vulnerabilities.
One EPA office was found to be tracking vulnerabilities outside the tracking system, while another office said it lacked a formal process to create POA&Ms in the system.
“Without accessible and consistent information about unremediated weaknesses, senior EPA managers cannot make risk-based decisions on how to protect the agency’s network against cyber-security threats,” according to the report.
The IG also found EPA’s information security weakness tracking system didn’t have controls to prevent unauthorized changes to key data fields and to record these changes in the system’s audit logs.
The IG recommended that EPA create a control to ensure personnel create the required POA&Ms for vulnerability testing results. The agency should also establish a process to periodically review its tracking system’s security settings to confirm each setting meets the required standards.
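The two controls the report says the tracking system lacked (authorization on changes to key data fields, and an audit log of those changes), together with the recommended periodic review of security settings, can be illustrated with a small example. The following is an added illustration written for this article, not code from the EPA system or the OIG report: a minimal POA&M tracker in which only an authorized role may change key fields, every change is appended to an audit log, overdue unremediated items can be listed, and the tracker's own settings can be compared against a baseline. The field names, roles, setting names and sample values are all constructed for the example.

```python
"""Minimal POA&M tracker with field-level change authorization and audit logging.
Hypothetical example; field names, roles and values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# Key data fields whose modification must be authorized and logged (constructed list).
KEY_FIELDS = {"weakness", "milestone_date", "status", "owner"}

# Roles permitted to create POA&Ms and change their key fields (constructed policy).
AUTHORIZED_ROLES = {"poam_manager"}


class UnauthorizedChange(PermissionError):
    """Raised when a caller without an authorized role tries to edit a key field."""


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str   # UTC ISO-8601
    actor: str       # who made the change
    poam_id: str
    field_name: str
    old: Any
    new: Any


class POAMTracker:
    def __init__(self) -> None:
        self._records: dict[str, dict[str, Any]] = {}
        # Append-only: the class deliberately offers no way to edit or delete entries.
        self._audit: list[AuditEntry] = []

    def create(self, actor: str, role: str, poam_id: str, **fields: Any) -> None:
        """Create a POA&M; creation itself requires an authorized role."""
        self._require_role(role)
        if poam_id in self._records:
            raise ValueError(f"{poam_id} already exists")
        self._records[poam_id] = {}
        for name, value in fields.items():
            self._set(actor, poam_id, name, value)

    def update(self, actor: str, role: str, poam_id: str, field_name: str, value: Any) -> None:
        """Change one field. Key fields need an authorized role; every change is logged."""
        if field_name in KEY_FIELDS:
            self._require_role(role)
        self._set(actor, poam_id, field_name, value)

    def _set(self, actor: str, poam_id: str, field_name: str, value: Any) -> None:
        record = self._records[poam_id]          # KeyError if the POA&M does not exist
        old = record.get(field_name)
        record[field_name] = value
        self._audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, poam_id, field_name, old, value))

    @staticmethod
    def _require_role(role: str) -> None:
        if role not in AUTHORIZED_ROLES:
            raise UnauthorizedChange(f"role {role!r} may not change key POA&M fields")

    def get(self, poam_id: str) -> dict[str, Any]:
        return dict(self._records[poam_id])

    def audit_log(self) -> list[AuditEntry]:
        return list(self._audit)

    def unremediated(self, today: str) -> list[str]:
        """IDs of open POA&Ms whose milestone date (ISO 'YYYY-MM-DD') has passed."""
        return sorted(
            pid for pid, rec in self._records.items()
            if rec.get("status") != "closed"
            and rec.get("milestone_date") is not None
            and rec["milestone_date"] < today
        )


def check_settings(actual: dict[str, Any], baseline: dict[str, Any]) -> list[str]:
    """Names of settings whose current value deviates from the expected baseline."""
    return sorted(name for name, expected in baseline.items() if actual.get(name) != expected)


if __name__ == "__main__":
    tracker = POAMTracker()
    tracker.create("alice", "poam_manager", "POAM-0001",   # constructed sample record
                   weakness="unpatched web server", milestone_date="2020-04-30",
                   status="open", owner="Office A")
    print("overdue on 2020-05-21:", tracker.unremediated("2020-05-21"))
    for entry in tracker.audit_log():
        print(entry)
```

The point of the design is that the authorization check and the audit write sit on the single code path every change goes through, so a caller cannot modify a key field without both being applied; the settings check is the kind of routine comparison a periodic review process could run against the tracker's configuration.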