
FISMA Failings: Could EPA's IT Defense Deficiencies Silence the Agency?

"EPA's deployment of a SIEM tool did not comply with Agency requirements for deploying IT investments."

"EPA does not have a computer security log management policy that complies with federal requirements."

"EPA did not follow up with staff to confirm that corrective actions were taken to address known information security weaknesses. ... Office of Management and Budget Circular A-123, 'Management Accountability and Control,' states managers are responsible for taking timely and effective actions to correct identified deficiencies."

— EPA, Office of Inspector General, "Improvements Needed in EPA's Network Security Monitoring Program," Report No. 12-P-0899, September 27, 2012

A report from EPA's Office of Inspector General found serious deficiencies in EPA's network security. These shortcomings raise concerns about the integrity of agency data. Specifically, the report states that EPA's Office of Environmental Information

"which is responsible for securing EPA's network from internal and external exploits, has not developed a process to verify that known weaknesses have been addressed. As a result, known vulnerabilities remained unremediated and key steps to resolve those weaknesses remain unaddressed, which could leave EPA information exposed to unauthorized access." [Emphasis added]
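The finding above is about a missing verification step: staff reported corrective actions, but nobody reconciled those claims against evidence. The following Python is an added illustration, not code from the OIG report or from EPA, of what such a verification process looks like in practice. It takes a tracker of known weaknesses with the status staff claim for each, compares it against the most recent scan results, and produces a verdict per item. All weakness IDs, host names, finding IDs and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Weakness:
    """One entry in a plan of action and milestones (POA&M) style tracker."""
    poam_id: str         # tracking identifier (constructed for this example)
    host: str            # affected system
    finding: str         # scanner check identifier that detected the weakness
    claimed_status: str  # "open" or "closed", as reported by responsible staff
    due: date            # agreed remediation deadline


# Constructed sample tracker: hypothetical hosts and finding IDs, not real data.
KNOWN_WEAKNESSES: List[Weakness] = [
    Weakness("POAM-001", "srv-web-01", "CHK-1001", "closed", date(2012, 6, 30)),
    Weakness("POAM-002", "srv-db-02", "CHK-2002", "closed", date(2012, 7, 15)),
    Weakness("POAM-003", "srv-app-03", "CHK-3003", "open", date(2012, 5, 1)),
    Weakness("POAM-004", "srv-app-03", "CHK-4004", "open", date(2012, 12, 31)),
    Weakness("POAM-005", "srv-file-04", "CHK-5005", "closed", date(2012, 8, 1)),
]

# Constructed result of the latest vulnerability scan: which hosts were actually
# covered, and which (host, finding) pairs are still detected.
SCANNED_HOSTS: Set[str] = {"srv-web-01", "srv-db-02", "srv-app-03"}
LATEST_SCAN: Set[Tuple[str, str]] = {
    ("srv-db-02", "CHK-2002"),   # staff said closed, scanner still sees it
    ("srv-app-03", "CHK-3003"),  # open and past its deadline
    ("srv-app-03", "CHK-4004"),  # open, deadline not yet reached
}

FOLLOW_UP_VERDICTS = {"closure_not_verified", "overdue", "not_scanned"}


def verify_remediation(weaknesses: Iterable[Weakness],
                       scan: Set[Tuple[str, str]],
                       scanned_hosts: Set[str],
                       as_of: date) -> Dict[str, str]:
    """Reconcile claimed status against independent scan evidence.

    Verdicts:
      verified_closed       staff said closed and the scan no longer detects it
      closure_not_verified  staff said closed but the scan still detects it
      not_scanned           no evidence either way: the host was not in scope
      overdue               still detected and past the agreed deadline
      open                  still detected, deadline not yet reached
      closed_unreported     no longer detected but tracker still says open
    """
    verdicts: Dict[str, str] = {}
    for w in weaknesses:
        # Absence of a finding only means something if the host was scanned.
        if w.host not in scanned_hosts:
            verdicts[w.poam_id] = "not_scanned"
            continue
        still_present = (w.host, w.finding) in scan
        if w.claimed_status == "closed":
            verdicts[w.poam_id] = (
                "closure_not_verified" if still_present else "verified_closed")
        elif still_present:
            verdicts[w.poam_id] = "overdue" if w.due < as_of else "open"
        else:
            verdicts[w.poam_id] = "closed_unreported"
    return verdicts


def needs_follow_up(verdicts: Dict[str, str]) -> List[str]:
    """POA&M entries a manager must chase: unproven closures, overdue items,
    and items for which no evidence was collected at all."""
    return sorted(pid for pid, v in verdicts.items() if v in FOLLOW_UP_VERDICTS)


if __name__ == "__main__":
    # Report date chosen to match the OIG report's publication date.
    result = verify_remediation(KNOWN_WEAKNESSES, LATEST_SCAN, SCANNED_HOSTS,
                                date(2012, 9, 27))
    for pid, verdict in sorted(result.items()):
        print(f"{pid}: {verdict}")
    print("Follow-up required:", ", ".join(needs_follow_up(result)))
```

The point the example makes is that a "closed" entry in the tracker is only a claim; the verdict comes from evidence gathered independently of the person who made the claim, and a host that was never scanned yields no verdict at all rather than a false clean bill.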

The Harms From Unauthorized Access to EPA Data

The possibility of unauthorized access to EPA information raises an array of concerns, since EPA-held data includes various types of Confidential Business Information, scientific research data, environmental databases, agency plans for responding to "incidents of national significance" and other security-related matters, and environmental monitoring data used in regulatory enforcement actions. Thus, the dangers from unauthorized access to EPA data range from disclosure of sensitive business information to the alteration or manipulation of environmental data so as to trigger, or not trigger, an investigation or enforcement action.

EPA has been warned before about its security shortcomings. One section of the OIG report is titled "EPA Did Not Address Recommendations From Internal Reviews." The OIG found that EPA did not act on three separate analyses of the agency's information security, including one by Carnegie Mellon's Computer Emergency Response Team (CERT) Program and one by Booz Allen Hamilton that provided recommended steps for cyber security improvements. One of the Booz Allen recommendations noted by the OIG was that "EPA must adopt automated tools to achieve continuous monitoring for threats."

It is worth noting that EPA's continuous monitoring practices are at sharp variance with the Best Practice Principles developed by the Center for Regulatory Effectiveness (CRE). In its study of Information Security Continuous Monitoring Best Practices, CRE found that agencies need security professionals who are trained to take advantage of the capabilities of advanced software tools.

The OIG, however, found that EPA's Technology and Information Security Staff "did not develop a structured training plan to use with the SIEM tool," and that "Without a structured training curriculum, users' needs are not being met and the continued use of the SIEM tool by EPA's information security staff will be of limited value in performing information security activities."

The importance of continuous monitoring to agency cybersecurity should not be underestimated. As the report succinctly states, "Continually monitoring network threats through intrusion detection and prevention systems and other mechanisms is essential."

Information Security: A Data Quality Act Requirement

The Data Quality Act (DQA) sets quality standards for virtually all information disseminated by Executive Branch agencies. The Office of Management and Budget's government-wide Information Quality Guidelines state, "Agencies are directed to develop information resources management procedures for reviewing and substantiating (by documentation or other means selected by the agency) the quality (including the objectivity, utility, and integrity) of information before it is disseminated." [Emphasis added]

OMB's binding guidelines define "integrity" as referring "to the security of information — protection of the information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification." The guidelines state that "agencies may rely on their implementation of the Federal Government's computer security laws...to establish appropriate security safeguards for ensuring the 'integrity' of the information that the agencies disseminate."

In EPA's case, however, the OIG report makes clear that the agency is not in compliance with essential elements of the federal security requirements and these lapses "could leave EPA information exposed to unauthorized access."

The question becomes, how can EPA continue to substantiate the integrity of its information under the DQA given the serious problems with its intrusion detection capabilities and non-compliance with federal IT security requirements?

The question is not a trivial one. If the agency cannot substantiate the integrity — the cybersecurity — of data in its possession, it can't by law disseminate that data or information based on that data. EPA could find itself silenced on key issues where its voice is needed.

It is important to recognize that the DQA requirements are not minor technicalities that can be ignored. Instead, the statute establishes the right of affected persons to "seek and obtain" correction of information not meeting quality standards, including the integrity standard. Thus, an agency study or report could be subject to challenge under the DQA on the grounds that the underlying data may have been corrupted.

Agency reports, studies and other information disseminations may be used in rulemakings, act as warnings regarding certain types of products, and/or be used in litigation. Thus, affected persons have a significant incentive to seek and obtain retraction of any study based on altered or tampered data. They also have the legal tools.

The concept of "informational standing," i.e., the right of affected persons to seek judicial review of harmful, non-regulatory federal information disseminations, is well established in case law.

Moreover, the US Court of Appeals for the DC Circuit has explained that OMB's guidelines implementing the DQA are "binding," and in doing so cited the Supreme Court's Mead decision regarding rules carrying the force of law. It is noteworthy that the DC Circuit refused to modify its Opinion even after its primary implication, that DQA decisions are subject to judicial review, became clear and the subject of a Justice Department petition.

Thus, the cyberinsecurities identified by the EPA OIG have wide-ranging environmental and legal ramifications. The most important lesson that can be drawn from the OIG report, however, a lesson applicable to all federal organizations, is that cybersecurity is not merely an internal housekeeping matter; it is the underpinning of every agency's ability to carry out its mission.

By Bruce Levinson, SVP, Regulatory Intervention - Center for Regulatory Effectiveness


Comments

Recent DOE OIG Also Raises Concern About Integrity of Agency Information

Bruce Levinson – Nov 14, 2012 10:45 AM PST

A recent OIG report on the Department of Energy's unclassified systems cyber security highlights cyber defense weaknesses, including in continuous monitoring, that could allow for unauthorized access to and manipulation of Departmental data.

As the report explains, without "implementation of effective continuous monitoring practices and adopting processes to ensure security controls are in place and operating as intended, there is an increased risk of compromise and/or loss, modification and non-availability of the Department's systems and the information."

The complete DOE report is available here on the Center for Regulatory Effectiveness' FISMA Focus IPD.
