An incomplete inventory of contractor systems and lack of visibility over their effectiveness puts the EPA’s information resources and data at risk, the agency’s inspector general has said.
It said agency officials were unaware of which systems or services the System Life Cycle Management Procedure requires to be included in the EPA’s authoritative information system database, the Registry of EPA Applications, Models and Databases (READ).
Confusion exists as to which program office is responsible for updating READ for various contractor system components, resulting in an incomplete inventory for both external and internal contractor supported systems, the IG said.
It said EPA contractors also did not conduct required annual security assessments, did not provide security assessment results to the agency for review, and did not establish required incident response capability – risking data breaches with a cost of up to $12 million if all systems and files were compromised.
The agency agreed with recommendations to update the 2015 READ data call, to make specific individuals responsible for READ data on the HR line of business, and to implement previously approved EPA Information Security Task Force recommendations for implementing a role-based training program and for managing the annual security assessments and vulnerability management