Auditor: EPA’s Not Securing Its Systems or Keeping Tabs on Contractors

The Environmental Protection Agency has historically failed to secure its networks and data against hackers or to ensure contractors that manage EPA data are following the agency’s information security requirements, according to an auditor’s report released Tuesday.

The report from EPA’s inspector general listed susceptibility to cyber threats as one of the agency’s top management challenges in 2018.

The EPA has improved its information security in response to the 2015 Office of Personnel Management data breach and a parade of private-sector breaches but is still falling far short of where it should be, the inspector general found.

For example, the agency developed a framework for how EPA technology systems should adhere to federal security standards but has managed it in a decentralized way and can’t ensure all its divisions are complying.

The auditor gave EPA a grade of “ineffective” on all aspects of the cybersecurity framework developed by the Commerce Department’s National Institute of Standards and Technology in a 2017 audit. Specifically, the agency didn’t know all the hardware and software that was running on its networks and didn’t have a unified system for who could access those networks and data and when.

In an earlier audit from 2015, the inspector general found EPA contractors weren’t conducting required cybersecurity assessments and that, if the systems they managed were breached, it could cost taxpayers over $12 million.

The EPA has taken some steps to address that shortfall but was still not adequately vetting contractors or training them in cybersecurity requirements as recently as 2017, auditors found.