By David Hubler
Jan. 22, 2007
The Environmental Protection Agency has defined security requirements
for its contractors' information technology systems, but the agency's
method of identifying those systems does not consider the type and
sensitivity of the data needing protection, according to the agency's
Office of Inspector General.
In a report titled "EPA Could Improve Processes for Managing Contractor
Systems and Reporting Incidents," the IG details its findings, including
a conclusion that the agency's current guidance for identifying
contractor IT systems limits its scope to those systems installed at an
EPA facility or connected to the agency's network.
The IG said EPA therefore does not know whether contractors outside EPA
offices or its network are aware of the mandated standards, or whether the
contractors are applying the security controls necessary to protect data
they collect for the agency.
The report said EPA's Office of Acquisition Management has not
established formal procedures for agency offices to regularly review and
update EPA-specific contract clauses. Under the current informal process,
contractors may not receive guidance about new security requirements in
time to put it to use.
The IG also noted that although agency offices knew of EPA's computer
security incident response policy, many of them lacked local reporting
procedures, had not fully implemented automated monitoring tools, and
did not provide sufficient training on local procedures.
The report added that EPA offices also did not have access to network
attack trend information necessary to implement proactive defensive
measures. As a result, there was no consistency in how, what, and when
EPA offices reported computer security incidents.
Without such relevant security data, the report added, EPA may not accurately
inform senior agency officials regarding the performance and security of
the agency's network.
The IG recommended that EPA assign duties and responsibilities for
maintaining and updating information posted on EPA's Web site, update its
guidance for identifying contractor systems, and establish formal
procedures to ensure that all program offices update and maintain their
EPA-specific contract clauses on a regular basis.
The IG also made several recommendations for addressing the computer
security incident reporting weaknesses. They included having EPA update
its computer security incident guide to cover reporting instructions for
all locations, establish a target date for configuring the agency's
antivirus software to use the central reporting feature, train
information security officers on new procedures, and provide them with
computer security incident reports.
The IG's office said EPA officials generally agreed with the
recommendations. In many cases, management provided milestone dates and
planned actions to address the report's findings, it stated.