One EPA employee said their office was tracking vulnerabilities on their own to avoid oversight from other agency components.
The Environmental Protection Agency has a detailed process for dealing with new cybersecurity weaknesses: develop a plan to remediate with clear goals and milestones, then attack the problem. The only issue: Those plans aren’t being logged, managed or tracked, according to the agency inspector general.
The agency created an automated tool for logging vulnerabilities that will take time to remediate and track progress through official plans of action and milestones. According to an inspector general report released Tuesday, many of those plans were never entered into the system, meaning they were never tracked and, in some cases, the vulnerabilities were never patched.
Auditors from the Office of the Inspector General found disparate levels of participation across EPA offices. The IG interviewed employees who said their office has no formal process for using the system, despite its use being an agencywide requirement, and others whose offices had developed their own independent methods of tracking patching progress.
“One information security person indicated that their office … [is] tracking and managing the reported weaknesses on a spreadsheet,” the report states. “The person indicated their office took this action to prevent external parties within the EPA from having oversight of their office’s remediation activities.”
Another office identified 10 high-risk weaknesses but never developed action plans for remediation. Those vulnerabilities remained on EPA systems for more than 30 days, in direct violation of EPA and Homeland Security Department policy.
“This happened because the office responsible for identifying vulnerabilities relies on other agency offices to enter the [plans of action and milestones] in the tracking system to manage unremediated vulnerabilities,” auditors wrote.
This has been a consistent problem for the agency for the last decade, according to the IG.
“The OIG has consistently identified managing information security weaknesses with POA&Ms as a deficiency within the EPA’s information security program,” they wrote. “Without documenting this essential information as required, the EPA’s network and systems are at risk of exploitation by cyber techniques.”
Auditors also found that even the plans that were logged properly were at risk.
The system that houses the remediation plans lacks proper access controls, so unauthorized users could alter key data fields, and its logging was not configured to record such changes, the IG found.
“This occurred because the EPA neither enabled the feature within the tracking system to prevent unauthorized modifications to key data nor configured the system’s logging feature to capture information on the modification of key data fields,” the IG wrote. “As a result, unauthorized changes to the system’s data could occur and hamper the agency’s ability to remediate existing system weaknesses.”
The IG recommended that the EPA assistant administrator for mission support develop "a control to validate that agency personnel are creating the required plans of action and milestones" and tighten the security settings on the tracking system to prevent, and log, unauthorized changes.
The agency sent the IG a corrective action plan that addresses these issues in full, and the recommendations were closed pending completion of those actions.