EPA should extend its oversight to include contractors located outside its offices and its network, according to the agency's IG.
The Environmental Protection Agency has defined security requirements for its contractors’ information technology systems, but the agency’s method of identifying those systems does not consider the type and sensitivity of the data needing protection, according to the agency's Office of Inspector General.
In a report titled “EPA Could Improve Processes for Managing Contractor Systems and Reporting Incidents,” the IG details its findings, including a conclusion that the agency’s current guidance for identifying contractor IT systems limits its scope to those systems installed at an EPA facility or connected to the agency's network.
The IG said EPA therefore does not know whether contractors outside EPA offices or its network know the mandated standards and whether the contractors are applying the security controls necessary to protect data they collect for the agency.
The report said EPA’s Office of Acquisition Management has not established formal procedures for agency offices to regularly review and update EPA-specific contract clauses. The current informal process means that contractors may not get guidance about new security requirements in time to put it to use.
The IG also noted that although agency offices knew of EPA’s computer security incident response policy, many of them “lacked local reporting procedures, had not fully implemented automated monitoring tools, and did not provide sufficient training on local procedures.”
The report added that “EPA offices also did not have access to network attack trend information necessary to implement proactive defensive measures. As a result, there was no consistency in how, what, and when EPA offices reported computer security incidents.”
Without such relevant security data, it added, “EPA may not accurately inform senior agency officials regarding the performance and security of the agency’s network.”
The IG recommended that EPA assign duties and responsibilities for maintaining and updating information posted on EPA’s Web site, update its guidance for identifying contractor systems and establish formal procedures to ensure that all program offices update and maintain their EPA-specific contract clauses on a regular basis.
The IG had several recommendations also for addressing the computer security incident reporting weaknesses. They included having EPA update its computer security incident guide to cover reporting instructions for all locations, establishing a target date for configuring the agency’s antivirus software to use the central reporting feature, training information security officers on new procedures, and providing them with computer security incident reports.
The IG’s office said EPA officials generally agreed with the recommendations. “In many cases, management provided milestone dates and planned actions to address the report’s findings,” it stated.