Destroyed Notes and a Nondisclosure Agreement Gum Up an EPA Cloud Security Assessment

The Environmental Protection Agency’s Office of Inspector General believes the agency “acted incorrectly” and may have violated the Federal Records Act when it destroyed notes written by an employee documenting the analysis of a security report of its cloud-hosting environment.

The allegations and others are detailed in a memo sent by EPA Assistant Inspector General Kevin Christensen to EPA Chief Financial Officer Holly Greaves on March 8.

According to the letter, the EPA OIG requested a security assessment report for the agency’s cloud-hosting environment and the OCFO’s analysis of the report while conducting an audit of EPA’s budget systems—specifically its information system security controls. The security assessment report allegedly documents 180 identified security vulnerabilities within the cloud environment.

The letter states EPA officials within OCFO denied the requests due to a nondisclosure agreement with the General Services Administration’s Federal Risk and Authorization Management Program office. The FedRAMP office vets vendor’s cloud solutions to ensure they meet various federal security requirements.

OCFO personnel said they “were prohibited from sharing any documents associated with the agency’s review with third parties, including the OIG. OCFO personnel said that, because of the NDA they had signed, they destroyed the notes documenting their analysis of the security assessment report,” according to the letter.

The letter states the employee’s notes on the review of the cloud security controls—taken while the employee knew the controls were under audit—“put the document squarely in the realm of information subject to disclosure in the court of the OIG audit.”

“We are concerned that the OCFO acted incorrectly. The OCFO potentially overlooked compliance with the Federal Records Act and the agency’s Interim Records Management Policy. Furthermore, by subordinating the Inspector General Act to an NDA, the OCFO did not provide the OIG timely access to all documents relating to the subject audit,” the letter states.

In the letter, Christensen requests a response within 15 days. An EPA OIG spokesperson told Nextgov it cannot comment due to the ongoing audit.

In a statement, an EPA spokesperson said the agency has not yet determined whether the OIG’s findings are correct.

“We are looking into the IG’s report to see if their findings are correct. EPA is highly supportive of records management policies and strives for full compliance,” the EPA spokesperson said.

Questions from Nextgov to GSA were not answered by publication time.

EPA has been in hot water over cloud computing before. In 2014, an OIG audit found the agency was “not fully aware of the extent of its use of cloud services.”