The IG’s office at the EPA has issued a management alert regarding the agency’s security practices for contractor personnel, saying it is sometimes failing to initiate a background investigation prior to granting access to agency networks, systems and data.
“This failure to appropriately vet personnel leaves the agency vulnerable to a cyberattack,” and contractor personnel “with potentially questionable backgrounds who access sensitive agency data could cause harm,” said the interim report on an audit that is ongoing.
Further, the agency has not identified all high-risk IT positions, has not assigned a risk determination for information security contractor personnel, and does not have an accurate number of how many such personnel require high-risk background investigations, it said. Further, EPA system owners, service managers and contracting officer’s representatives did not verify whether contractor personnel possessed the required background investigations, it said.
The IG said it has briefed management and that the agency agreed with its findings and recommendations.