IG: EPA needs better contractor security controls

The Environmental Protection Agency has defined security requirements for its contractors’ information technology systems, but the agency’s method of identifying those systems does not consider the type and sensitivity of the data needing protection, according to the agency's Office of Inspector General.

In a report titled “EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents,” the IG details its findings, including a conclusion that the agency’s current guidance for identifying contractor IT systems limits its scope to those systems installed at an EPA facility or connected to the agency's network.

The IG said EPA therefore does not know whether contractors outside EPA offices or its network know the mandated standards and whether the contractors are applying the security controls necessary to protect data they collect for the agency.

The report said EPA’s Office of Acquisition Management has not established formal procedures for agency offices to regularly review and update EPA-specific contract clauses. The current informal process means that contractors may not get guidance about new security requirements in time to put it to use.

The IG also noted that although agency offices knew of EPA’s computer security incident response policy, many of them “lacked local reporting procedures, had not fully implemented automated monitoring tools, and did not provide sufficient training on local procedures.”

The report added that “EPA offices also did not have access to network attack trend information necessary to implement proactive defensive measures. As a result, there was no consistency in how, what, and when EPA offices reported computer security incidents.”

Without such relevant security data, it added, “EPA may not accurately inform senior agency officials regarding the performance and security of the agency’s network.”

The IG recommended that EPA assign duties and responsibilities for maintaining and updating information posted on EPA’s Web site, update its guidance for identifying contractor systems and establish formal procedures to ensure that all program offices update and maintain their EPA-specific contract clauses on a regular basis.

The IG also had several recommendations for addressing the computer security incident reporting weaknesses. They included having EPA update its computer security incident guide to cover reporting instructions for all locations, establishing a target date for configuring the agency’s antivirus software to use the central reporting feature, training information security officers on new procedures, and providing them with computer security incident reports.

The IG’s office said EPA officials generally agreed with the recommendations. “In many cases, management provided milestone dates and planned actions to address the report’s findings,” it stated.


About the Author

David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is a freelance writer living in Annandale, Va.
