EPA struggles with FISMA compliance


The Environmental Protection Agency fell short of its major cybersecurity responsibilities in fiscal 2012 because of poor security log management and a failure to resolve known security weaknesses, says the agency's Office of Inspector General.

In a report (.pdf) dated Oct. 26, EPA's OIG says the agency's Security Incident and Event Management (SIEM) tool lacks a comprehensive deployment strategy and that the agency has not formalized a training program for it. While the agency finalized a continuous monitoring strategy in June, it has not yet implemented a plan for putting that strategy into practice.

In addition, the agency lacks a security log management policy consistent with federal requirements, says the OIG. EPA also "had not taken steps to address weaknesses identified from internal reviews as required" by FISMA.

One of the weaknesses in question is the use of mobile devices by the Office of Environmental Information (OEI), where OIG identifies five key concerns: issuance, disconnection, multiple devices per user, inappropriate use, and tracking and recovery. OEI has no guidelines for when to disconnect devices, which OIG says contributed to 68 mobile devices with zero usage still incurring costs of about $29,360 in 2011.

It wasn't all shortfalls: OIG says EPA did establish a FISMA-compliant incident reporting system, and it gave the agency high marks on remote access management. EPA's identity and access management program was also found FISMA-compliant, but OIG says it can be strengthened.

For more:
- download the report, 13-P-0032 (.pdf)
