Chemical Safety Board Needs to Consistently Follow Its Cyber Rules, Watchdog Says

U.S. Chemical Safety and Hazard Investigation Board, or CSB, needs to better define its policies and procedures around data, access and incident response to toughen its cybersecurity program, the Environmental Protection Agency’s Office of Inspector General recommends.

The IG audited the agency, which is responsible for determining the circumstances around industrial chemical accidents, between July 2018 and March 2019 to assess the maturity of CSB’s information security program.

“CSB lacks established procedures for automated processes and authentication technologies, which could permit unauthorized access to agency systems,” the IG said in a report on its findings.

The watchdog used the fiscal 2018 reporting metrics document for the Federal Information Security Modernization Act, which rates entities between maturity levels one through five—the lowest level is labeled “Ad Hoc,” meaning there are no formalized policies, procedures or strategies, the highest level five is “Optimized,” or fully institutionalized and self-generating policies and practices. The IG rated CSB’s information security program to be at maturity level two, “Defined,” which means that the agency doesn’t consistently implement its policies.    

“Failure to define and implement processes to address cybersecurity controls leaves the CSB susceptible to loss of data, security breaches and excessive incident handling time frames in the

event of a security incident,” the report said.

The IG made several recommendations, including that the agency implements the use of Personal Identity Verification card technology, as required by a directive from the Homeland Security Department or obtain a waiver from the Office of Management and Budget. The IG noted that it made the recommendation for PIV cards in two prior audits.

Under data protection and privacy, the IG said CSB must better document policies and procedures for data exfiltration and enhanced network defenses as required by the National Institute of Standards and Technology.

CSB should also define its response processes for handling incidents that involve containing, eradicating, or recovering systems and document its rationale for not having an automated system that can detect potential incidents, the IG said.

The IG also recommended that the agency documents its established procedures around generating alerts to record pertinent data for suspicious activities.

“The CSB would greatly improve and strengthen its cybersecurity program by fully defining the policies, procedures and strategies [outlined in the report],” the IG said.  

CSB accepted the recommendations and provided the watchdog with corrective actions and milestone dates aimed at mitigating the issues.