The Environmental Protection Agency (EPA) security posture needs improved resiliency in areas such as risk management and incident response to “preserve the integrity of EPA data,” according to a March 24 Office of the Inspector General (OIG) report.
Overall, OIG rated the EPA’s security maturity level “consistently implemented,” but key improvements to its ability to identify and respond to security incidents would improve its overall rating.
At the time of the May to December 2019 audit, EPA had not implemented necessary data elements to develop and maintain an inventory of software and licenses within the agency. Its risk management plans of action were not consistently utilized to mitigate security weakness and the agency lacked tech to support its incident response program.
OIG made three recommendations to the assistant administrator for mission support at EPA:
- Develop and maintain an up-to-date inventory of the software and associated licenses;
- Ensure that personnel are creating required plans of action and milestones for security weaknesses identified by vulnerability testing; and
- Implement prescribed tech to support incident response.
“Improvements in risk management and incident response would allow the agency to preserve the integrity of EPA data; keep the data available for end users; and protect the data from unauthorized changes, loss, and destruction,” OIG concluded in the report. “Improvements in these areas should also help the agency increase the maturity level for these critical elements of information security.”
EPA plans to complete the first two recommendations in 2021 but said that it would complete the third recommendation by July 2020.