Home / Blogs

FISMA Failings: Could EPA’s IT Defense Deficiencies Silence the Agency?

“EPA’s deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments.”

“EPA does not have a computer security log management policy that complies with federal requirements.”

“EPA did not follow up with staff to confirm that corrective actions were taken to address known information security weaknesses. ... Office of Management and Budget Circular A-123, ‘Management Accountability and Control,’ states managers are responsible for taking timely and effective actions to correct identified deficiencies.”

— EPA, Office of Inspector General, “Improvements Needed in EPA’s Network Security Monitoring Program,” Report No. 12-P-0899, September 27, 2012

A report from EPA’s Office of Inspector General found serious deficiencies in EPA’s network security. These shortcoming raise concern about the integrity of agency data. Specifically, the report states that EPA’s Office of Environmental Information

“which is responsible for securing EPA’s network from internal and external exploits, has not developed a process to verify that known weaknesses have been addressed. As a result, known vulnerabilities remained unremediated and key steps to resolve those weaknesses remain unaddressed, which

could leave EPA information exposed to unauthorized access

.” [Emphasis added]

The Harms From Unauthorized Access to EPA Data

The possibility of unauthorized access to EPA information raises an array of concerns since EPA-held data includes various types of Confidential Business Information, scientific research data, environmental databases, agency plans for responding to “incidents of national significance” and other security-related matters, and environmental monitoring data used in regulatory enforcement actions. Thus, the dangers from unauthorized access to EPA data range from disclosure of sensitive business information to the alteration/manipulation of environmental data so as to trigger, or not trigger, an investigation or enforcement action.

EPA has been warned before about their security shortcomings. One section of the OIG report is titled, “EPA Did Not Address Recommendations From Internal Reviews.” The OIG found that EPA did not act on three separate analyses of the agency’s information security, including one by Carnegie Mellon’s Computer Emergency Response Team (CERT) Program and one by Booze Allen Hamilton that provided recommended steps for cyber security improvements. One of the Booze Allen recommendations noted by the OIG was that “EPA must adopt automated tools to achieve continuous monitoring for threats.”

It is worth noting that EPA’s continuous monitoring practices are at sharp variance with the Best Practice Principles developed by the Center for Regulatory Effectiveness (CRE). In its study of Information Security Continuous Monitoring Best Practices, CRE found that agencies need security professionals who are trained to take advantage of the capabilities of advanced software tools.

The OIG, however, found that EPA’s Technology and Information Security Staff “did not develop a structured training plan to use with the SIEM tool” and “Without a structured training curriculum, users’ needs are not being met and the continued use of the SIEM tool by EPA’s information security staff will be of limited value in performing information security activities.”

The importance of continuous monitoring to agency cybersecurity should not be underestimated. As the report succinctly states, “Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential.”

Information Security: A Data Quality Act Requirement

The Data Quality Act (DQA) sets quality standards for virtually all information disseminated by Executive Branch agencies. The Office of Management and Budget’s government-wide Information Quality Guidelines state, “Agencies are directed to develop information resources management procedures for reviewing and substantiating (by documentation or other means selected by the agency) the quality (including the objectivity, utility, and integrity) of information

before

it is disseminated.” [Emphasis added]

OMB’s binding guidelines define “integrity” as referring “to the security of information—protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification.” The guidelines state that “agencies may rely on their implementation of the Federal Government’s computer security laws…to establish appropriate security safeguards for ensuring the ‘integrity’ of the information that the agencies disseminate.”

In EPA’s case, however, the OIG report makes clear that the agency is not in compliance with essential elements of the federal security requirements and these lapses “could leave EPA information exposed to unauthorized access.”

The question becomes, how can EPA continue to substantiate the integrity of its information under the DQA given the serious problems with its intrusion detection capabilities and non-compliance with federal IT security requirements?

The question is not a trivial one. If the agency cannot substantiate the integrity—the cybersecurity—of data in its possession, it can’t by law disseminate that data or information based on that data. EPA could find itself silenced on key issues where its voice is needed.

It is important to recognize that the DQA requirements are not minor technicalities that can be ignored. Instead, the statue establishes the right of affected persons the right to “seek and obtain” correction of information not meeting quality standards—including the integrity standard. Thus, an agency study or report could be subject to challenge under the DQA on the grounds that the underlying data may have been corrupted.

Agency reports, studies and other information disseminations may be used in rulemakings, act as warnings regarding certain types of products, and/or be used in litigation. Thus, affected persons have a significant incentive to seek and obtain retraction of any study based on altered/tampered data. They also have the legal tools.

The concept of “informational standing,” i.e., the right of affected persons to seek judicial review of a harmful, non-regulatory federal information disseminations, is well established in case law.

Moreover, the US Court of Appeals for the DC Circuit has explained that OMB’s guidelines implementing the DQA are “binding” and in doing so cited the Supreme Court’s Mead decision regarding rules carrying the force of law. It is noteworthy that the DC Circuit refused to modify their Opinion even after its primary implication, that DQA decisions are subject to judicial review, became clear and the subject of a Justice Department petition.

Thus, the cyberinsecurities identified by the EPA OIG have wide ranging environmental and legal ramifications. The most important lesson that can be drawn from the OIG report, however, a lesson applicable to all federal organizations, is that cybersecurity is not merely an internal housekeeping matter, it is the underpinning of every agency’s ability to carry out their mission.

Filed Under

Comments

Recent DOE OIG Also Raises Concern About Integrity of Agency Information Bruce Levinson  –  Nov 14, 2012 6:45 PM

A recent OIG report on the Department of Energy’s unclassified systems cyber security highlight cyber defense weaknesses, including in continuous monitoting, that could allow for unauthorized access to and manipulation of Departmental data. 

As the report explains, without “implementation of effective continuous monitoring practices and adopting processes to ensure security controls are in place and operating as intended, there is an increased

risk of compromise and/or loss, modification

and non-availability of the Department’s systems

and the information

.”

The complete DOE report is available here on the Center for Regulatory Effectiveness’ FISMA Focus IPD.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign