FISMA Failings: Could EPA's IT Defense Deficiencies Silence the Agency?

"EPA's deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments."

"EPA does not have a computer security log management policy that complies with federal requirements."

"EPA did not follow up with staff to confirm that corrective actions were taken to address known information security weaknesses. ... Office of Management and Budget Circular A-123, 'Management Accountability and Control,' states managers are responsible for taking timely and effective actions to correct identified deficiencies."

— EPA, Office of Inspector General, "Improvements Needed in EPA's Network Security Monitoring Program," Report No. 12-P-0899, September 27, 2012

A report from EPA's Office of Inspector General found serious deficiencies in EPA's network security. These shortcomings raise concerns about the integrity of agency data. Specifically, the report states that EPA's Office of Environmental Information

"which is responsible for securing EPA's network from internal and external exploits, has not developed a process to verify that known weaknesses have been addressed. As a result, known vulnerabilities remained unremediated and key steps to resolve those weaknesses remain unaddressed, which could leave EPA information exposed to unauthorized access." [Emphasis added]

The Harms From Unauthorized Access to EPA Data

The possibility of unauthorized access to EPA information raises an array of concerns since EPA-held data includes various types of Confidential Business Information, scientific research data, environmental databases, agency plans for responding to "incidents of national significance" and other security-related matters, and environmental monitoring data used in regulatory enforcement actions. Thus, the dangers from unauthorized access to EPA data range from disclosure of sensitive business information to the alteration/manipulation of environmental data so as to trigger, or not trigger, an investigation or enforcement action.

EPA has been warned before about its security shortcomings. One section of the OIG report is titled, "EPA Did Not Address Recommendations From Internal Reviews." The OIG found that EPA did not act on three separate analyses of the agency's information security, including one by Carnegie Mellon's Computer Emergency Response Team (CERT) Program and one by Booz Allen Hamilton that provided recommended steps for cyber security improvements. One of the Booz Allen recommendations noted by the OIG was that "EPA must adopt automated tools to achieve continuous monitoring for threats."

It is worth noting that EPA's continuous monitoring practices are at sharp variance with the Best Practice Principles developed by the Center for Regulatory Effectiveness (CRE). In its study of Information Security Continuous Monitoring Best Practices, CRE found that agencies need security professionals who are trained to take advantage of the capabilities of advanced software tools.

The OIG, however, found that EPA's Technology and Information Security Staff "did not develop a structured training plan to use with the SIEM tool" and "Without a structured training curriculum, users' needs are not being met and the continued use of the SIEM tool by EPA's information security staff will be of limited value in performing information security activities."

The importance of continuous monitoring to agency cybersecurity should not be underestimated. As the report succinctly states, "Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential."

Information Security: A Data Quality Act Requirement

The Data Quality Act (DQA) sets quality standards for virtually all information disseminated by Executive Branch agencies. The Office of Management and Budget's government-wide Information Quality Guidelines state, "Agencies are directed to develop information resources management procedures for reviewing and substantiating (by documentation or other means selected by the agency) the quality (including the objectivity, utility, and integrity) of information before it is disseminated." [Emphasis added]

OMB's binding guidelines define "integrity" as referring "to the security of information — protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification." The guidelines state that "agencies may rely on their implementation of the Federal Government's computer security laws...to establish appropriate security safeguards for ensuring the 'integrity' of the information that the agencies disseminate."

In EPA's case, however, the OIG report makes clear that the agency is not in compliance with essential elements of the federal security requirements and these lapses "could leave EPA information exposed to unauthorized access."

The question becomes, how can EPA continue to substantiate the integrity of its information under the DQA given the serious problems with its intrusion detection capabilities and non-compliance with federal IT security requirements?

The question is not a trivial one. If the agency cannot substantiate the integrity — the cybersecurity — of data in its possession, it can't by law disseminate that data or information based on that data. EPA could find itself silenced on key issues where its voice is needed.

It is important to recognize that the DQA requirements are not minor technicalities that can be ignored. Instead, the statute gives affected persons the right to "seek and obtain" correction of information not meeting quality standards, including the integrity standard. Thus, an agency study or report could be subject to challenge under the DQA on the grounds that the underlying data may have been corrupted.

Agency reports, studies and other information disseminations may be used in rulemakings, act as warnings regarding certain types of products, and/or be used in litigation. Thus, affected persons have a significant incentive to seek and obtain retraction of any study based on altered/tampered data. They also have the legal tools.

The concept of "informational standing," i.e., the right of affected persons to seek judicial review of harmful, non-regulatory federal information disseminations, is well established in case law.

Moreover, the US Court of Appeals for the DC Circuit has explained that OMB's guidelines implementing the DQA are "binding" and in doing so cited the Supreme Court's Mead decision regarding rules carrying the force of law. It is noteworthy that the DC Circuit refused to modify its opinion even after its primary implication, that DQA decisions are subject to judicial review, became clear and the subject of a Justice Department petition.

Thus, the cyber insecurities identified by the EPA OIG have wide-ranging environmental and legal ramifications. The most important lesson that can be drawn from the OIG report, however, a lesson applicable to all federal organizations, is that cybersecurity is not merely an internal housekeeping matter; it is the underpinning of every agency's ability to carry out its mission.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness

Related topics: Cybersecurity, Data Center, Law, Policy & Regulation

Recent DOE OIG Also Raises Concern About Integrity of Agency Information

Bruce Levinson – Nov 14, 2012 11:45 AM PDT

A recent OIG report on the Department of Energy's unclassified systems cyber security highlights cyber defense weaknesses, including in continuous monitoring, that could allow for unauthorized access to and manipulation of Departmental data.

As the report explains, without "implementation of effective continuous monitoring practices and adopting processes to ensure security controls are in place and operating as intended, there is an increased risk of compromise and/or loss, modification and non-availability of the Department's systems and the information."

The complete DOE report is available here on the Center for Regulatory Effectiveness' FISMA Focus IPD.
