The EPA is not following its own procedures for addressing known weaknesses in its cyber protections, and as a result “senior EPA managers cannot make risk-based decisions on how to protect the agency’s network against cyber-security threats,” an inspector general (IG) report has said.
Agency policies require personnel to create plans of action and milestones, or POA&Ms, in the agency’s information security weakness tracking system for those weaknesses that cannot be remediated within a specified timeframe.
However, the audit found that agency personnel were not managing POA&Ms within the agency’s tracking system. “This happened because the office responsible for identifying vulnerabilities relies on other agency offices to enter the POA&Ms in the tracking system to manage un-remediated vulnerabilities. We identified one EPA office that was tracking vulnerabilities outside the tracking system, while another office indicated that it did not have a formal process to create POA&Ms in the system,” it said.
It also found that the EPA’s information security weakness tracking system lacked controls to prevent unauthorized changes to key data fields and to record these changes in the system’s audit logs, and “as a result, unauthorized changes to the system’s data could occur and hamper the agency’s ability to remediate existing system weaknesses.”